From 3c4b7981d61b7a5beb3c38b9d12ce9a155bed9f1 Mon Sep 17 00:00:00 2001 
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Mon, 23 Oct 2023 11:37:42 +0000
Subject: [PATCH] Refresh intakes documentation
---
 .../00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md | 324 +-
 .../021e9def-5a55-4369-941e-af269b45bef1.md | 1546 +++---
 .../02a74ceb-a9b0-467c-97d1-588319e39d71.md | 332 +-
 .../033cd098-b21b-4c9b-85c4-c8174c307e48.md | 258 +-
 .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 116 +-
 .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 902 ++--
 .../0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md | 536 +--
 .../064f7e8b-ce5f-474d-802e-e88fe2193365.md | 904 ++--
 .../07c0cac8-f68f-11ea-adc1-0242ac120002.md | 268 +-
 .../07c556c0-0675-478c-9803-e7990afe78b6.md | 2458 +++++-----
 .../0ba58f32-7dba-4084-ab17-90c0be6b1f10.md | 62 +-
 .../0de050fb-3f56-4c7a-a9b6-76bf5298a617.md | 270 +-
 .../10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md | 1140 ++---
 .../162064f0-c594-455e-ac24-2d7129137688.md | 262 +-
 .../16676d72-463e-4b8a-b13a-f8dd48cddc8c.md | 138 +-
 .../19cd2ed6-f90c-47f7-a46b-974354a107bb.md | 586 +--
 .../1d172ee6-cdc0-4713-9cfd-43f7d9595777.md | 1668 +++---
 .../20876735-c423-4bbc-9d19-67edc91fb063.md | 568 +--
 .../22f2afd2-c858-443d-8e06-7b335e439c29.md | 442 +-
 .../23b75d0c-2026-4d3e-b916-636c27ba4931.md | 394 +-
 .../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 522 +--
 .../270777d7-0c5a-42fb-b901-b7fadfb0ba48.md | 574 +--
 .../2815eaab-2425-4eff-8038-3f7d5a3b8b11.md | 1320 +++--
 .../2b13307b-7439-4973-900a-2b58303cac90.md | 478 +-
 .../2ee6048e-8322-4575-8e47-1574946412b6.md | 1326 +++--
 .../325369ba-8515-45b4-b750-5db882ea1266.md | 284 +-
 .../35855de3-0728-4a83-ae19-e38e167432a1.md | 134 +-
 .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 1390 +++--
 .../3e060900-4004-4754-a597-d2944a601930.md | 1126 ++---
 .../3f330d19-fdea-48ac-96bd-91a447bb26bd.md | 684 +--
 .../40bac399-2d8e-40e3-af3b-f73a622c9687.md | 576 +--
 .../40deb162-6bb1-4635-9c99-5c2de7e1d340.md | 3136 ++++++-------
 .../419bd705-fa61-496c-94fa-28d6c1f2e2a8.md | 694 +--
 .../41e3ca4e-a714-41aa-ad69-684a0b3835fc.md | 384 +-
 .../44439212-c2d8-4645-ad60-8fd5e39140b3.md | 1758 +++---
 .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 1492 +++--
 .../469bd3ae-61c9-4c39-9703-7452882e70da.md | 312 +-
 .../46ca6fc8-3d30-434c-92ff-0e1cde564161.md | 240 +-
 .../46e45417-187b-45bb-bf81-30df7b1963a0.md | 422 +-
 .../46fe3905-9e38-4fb2-be09-44d31626b694.md | 514 +--
 .../4a3bb630-951a-40d9-be5e-5c712b37248e.md | 114 +-
 .../515ed00f-bf70-4fce-96cc-0ca31abd5d24.md | 184 +-
 .../547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md | 176 +-
 .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 2274 +++++-----
 .../588a448b-c08d-4139-a746-b2b9f366e34b.md | 54 +-
 .../591feb54-1d1f-4453-b780-b225c59e9f99.md | 378 +-
 .../622999fe-d383-4d41-9f2d-eed5013fe463.md | 114 +
 .../69b52166-b804-4f47-860f-2d3fd0b46987.md | 264 +-
 .../6b8cb346-6605-4240-ac15-3828627ba899.md | 2776 ++++++------
 .../6dbdd199-77ae-4705-a5de-5c2722fa020e.md | 586 +--
 .../700f332f-d515-4bc5-8a62-49fa5f2c9206.md | 240 +-
 .../76d767ed-5431-4db1-b893-a48b6903d871.md | 134 +-
 .../79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md | 310 +-
 .../7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md | 404 +-
 .../7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md | 132 +-
 .../7b75d498-4a65-4d44-aa81-31090d723a60.md | 100 +-
 .../80b8382e-0667-4469-bbc9-74be1e0ca1c1.md | 274 +-
 .../80de6ccb-7246-40de-bcbb-bc830118c1f9.md | 136 +-
 .../838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md | 40 +-
 .../8461aabe-6eba-4044-ad7f-a0c39a2b2279.md | 52 +-
 .../8510051d-c7cf-4b0c-a398-031afe91faa0.md | 474 +-
 .../864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md | 240 +-
 .../890207d2-4878-440d-9079-3dd25d472e0a.md | 294 +-
 .../8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md | 170 +-
 .../8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md | 962 ++--
 .../8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md | 596 +--
 .../903ec1b8-f206-4ba5-8563-db21da09cafd.md | 1686 +++---
 .../9044ba46-2b5d-4ebd-878a-51d62e84c8df.md | 74 +-
 .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 4036 ++++++++---------
 .../98fa7079-41ae-4033-a93f-bbd70d114188.md | 546 +--
 .../995d7daf-4e4a-42ec-b90d-9af2f7be7019.md | 786 ++--
 .../99da26fc-bf7b-4e5b-a76c-408472fcfebb.md | 980 ++--
 .../9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md | 534 +--
 .../9f89b634-0531-437b-b060-a9d9f2d270db.md | 228 +-
 .../a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md | 530 +--
 .../a199fbde-508e-4cb9-ae37-842703494be0.md | 210 +-
 .../a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md | 550 +--
 .../a406a8c1-e1e0-4fe9-835b-3607d01150e6.md | 174 +-
 .../ab25af2e-4916-40ba-955c-34d2301c1f51.md | 350 +-
 .../aeb7d407-db57-44b2-90b6-7df6738d5d7f.md | 341 +-
 .../b23668b2-5716-4432-9af7-bc4f81ad6df3.md | 76 +-
 .../b2d961ae-0f7e-400b-879a-f97be24cc02d.md | 534 +--
 .../ba40ab72-1456-11ee-be56-0242ac120002.md | 88 +-
 .../bba2bed2-d925-440f-a0ce-dbcae04eaf26.md | 394 +-
 .../bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md | 56 +-
 .../bf8867ee-43b7-444c-9475-a7f43754ab6d.md | 384 +-
 .../c10307ea-5dd1-45c6-85aa-2a6a900df99b.md | 1036 ++---
 .../c20528c1-621e-4959-83ba-652eca2e8ed0.md | 54 +-
 .../c3888137-b34e-4526-ab61-836b2d45a742.md | 120 +-
 .../caa13404-9243-493b-943e-9848cadb1f99.md | 1918 ++++----
 .../ccf942fe-c839-42be-a081-5c3f946e80f5.md | 32 +-
 .../cf5c916e-fa26-11ed-a844-f7f4d7348199.md | 436 +-
 .../d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md | 106 +-
 .../d2725f97-0c7b-4942-a847-983f38efb8ff.md | 346 +-
 .../d3a813ac-f9b5-451c-a602-a5994544d9ed.md | 1308 +++--
 .../d6d15297-e977-4584-9bb3-f0290b99f014.md | 192 +-
 .../d6f69e04-6ab7-40c0-9723-84060aeb5529.md | 508 +--
 .../d719e8b5-85a1-4dad-bf71-46155af56570.md | 964 ++--
 .../d9f337a4-1303-47d4-b15f-1f83807ff3cc.md | 912 ++--
 .../da3555f9-8213-41b8-8659-4cb814431e29.md | 64 +-
 .../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 520 +--
 .../de9ca004-991e-4f5c-89c5-e075f3fb3216.md | 666 +--
 .../e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md | 400 +-
 .../e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md | 18 +-
 .../e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md | 158 +-
 .../e6bb2404-8fc8-4124-a785-c1276277b5d7.md | 684 +--
 .../e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md | 520 +--
 .../ee0b3023-524c-40f6-baf5-b69c7b679887.md | 532 +--
 .../ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md | 406 +-
 .../f0f95532-9928-4cde-a399-ddd992d48472.md | 252 +-
 .../f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md | 140 +-
 .../f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md | 3526 +++++++-------
 112 files changed, 35257 insertions(+), 35136 deletions(-)
 create mode 100644 _shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md
diff --git a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md
index 0aaafcd021..0bc5754a11 100644
--- a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md
+++ b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md
@@ -35,29 +35,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"mf28fmdkt05bbyjk\",\n \"jsonPayload\": {\n \"_CAP_EFFECTIVE\": \"1ffffffffff\",\n \"_BOOT_ID\": \"e61a95dc40fd44f6ba5c6bfcb18b46a2\",\n \"_SYSTEMD_CGROUP\": \"/system.slice/containerd.service\",\n \"_PID\": \"1478\",\n \"_SYSTEMD_INVOCATION_ID\": \"ebd8a874b9bf4797a358a0403ec7e1e7\",\n \"_EXE\": \"/usr/bin/containerd\",\n \"_TRANSPORT\": \"stdout\",\n \"_SYSTEMD_SLICE\": \"system.slice\",\n \"MESSAGE\": \"time=\\\"2022-06-01T14:01:35.371006269Z\\\" level=info msg=\\\"StopContainer for \\\\\\\"4c2b21624d4488ea8305bec91bb58135e840ab50b779da3db19ddf87864a760e\\\\\\\" with timeout 30 (s)\\\"\",\n \"_CMDLINE\": \"/usr/bin/containerd\",\n \"_STREAM_ID\": \"949cd6779ed34897a1b74883881ddfe8\",\n \"_HOSTNAME\": \"gke-cluster-1-default-pool-476246ab-wnl7\",\n \"_COMM\": \"containerd\",\n \"SYSLOG_IDENTIFIER\": \"containerd\",\n \"_MACHINE_ID\": \"3fa273bf9f602a2286f55eac7ffa6d36\",\n \"_GID\": \"0\",\n \"_SYSTEMD_UNIT\": \"containerd.service\",\n \"PRIORITY\": \"6\",\n \"SYSLOG_FACILITY\": \"3\",\n \"_UID\": \"0\"\n },\n \"resource\": {\n \"type\": \"k8s_node\",\n \"labels\": {\n \"cluster_name\": \"cluster-1\",\n \"project_id\": \"hazel-aria-348413\",\n \"node_name\": \"gke-cluster-1-default-pool-476246ab-wnl7\",\n \"location\": \"europe-west1-c\"\n }\n },\n \"timestamp\": \"2022-06-01T14:01:35.371492Z\",\n \"logName\": \"projects/hazel-aria-348413/logs/container-runtime\",\n \"receiveTimestamp\": \"2022-06-01T14:01:36.219094561Z\"\n}", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", + "reason": "StopContainer for \\\"4c2b21624d4488ea8305bec91bb58135e840ab50b779da3db19ddf87864a760e\\\" with timeout 30 (s)", "type": [ "change" - ], - "reason": "StopContainer for \\\"4c2b21624d4488ea8305bec91bb58135e840ab50b779da3db19ddf87864a760e\\\" with timeout 30 (s)" + ] }, "@timestamp": "2022-06-01T14:01:35.371492Z", - 
"orchestrator": { - "type": "kubernetes", - "cluster": { - "name": "cluster-1" - }, - "resource": { - "type": "k8s_node" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { "insertId": "mf28fmdkt05bbyjk", - "logName": "projects/hazel-aria-348413/logs/container-runtime", - "receiveTimestamp": "2022-06-01T14:01:36.219094561Z", "jsonPayload": { "MESSAGE": "time=\"2022-06-01T14:01:35.371006269Z\" level=info msg=\"StopContainer for \\\"4c2b21624d4488ea8305bec91bb58135e840ab50b779da3db19ddf87864a760e\\\" with timeout 30 (s)\"", "SYSLOG_IDENTIFIER": "containerd", @@ -72,34 +66,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "_SYSTEMD_UNIT": "containerd.service", "_TRANSPORT": "stdout", "_UID": "0" - } + }, + "logName": "projects/hazel-aria-348413/logs/container-runtime", + "receiveTimestamp": "2022-06-01T14:01:36.219094561Z" + }, + "host": { + "id": "3fa273bf9f602a2286f55eac7ffa6d36", + "name": "gke-cluster-1-default-pool-476246ab-wnl7" }, "log": { "syslog": { - "priority": 6, "facility": { "code": 3 - } + }, + "priority": 6 } }, + "orchestrator": { + "cluster": { + "name": "cluster-1" + }, + "resource": { + "type": "k8s_node" + }, + "type": "kubernetes" + }, "process": { "command_line": "/usr/bin/containerd", "executable": "/usr/bin/containerd", "pid": 1478 }, - "host": { - "name": "gke-cluster-1-default-pool-476246ab-wnl7", - "id": "3fa273bf9f602a2286f55eac7ffa6d36" - }, "server": { "geo": { "name": "europe-west1-c" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } 
@@ -113,38 +113,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"17ahw8eg29q74y6\",\n \"jsonPayload\": {\n \"reportingComponent\": \"\",\n \"reason\": \"Pulling\",\n \"eventTime\": null,\n \"reportingInstance\": \"\",\n \"kind\": \"Event\",\n \"message\": \"Pulling image \\\"gke.gcr.io/prometheus-to-sd:v0.11.3-gke.0\\\"\",\n \"apiVersion\": \"v1\",\n \"type\": \"Normal\",\n \"source\": {\n \"host\": \"gke-cluster-1-default-pool-476246ab-wnl7\",\n \"component\": \"kubelet\"\n },\n \"metadata\": {\n \"resourceVersion\": \"954\",\n \"creationTimestamp\": \"2022-06-01T14:05:30Z\",\n \"namespace\": \"kube-system\",\n \"managedFields\": [\n {\n \"manager\": \"kubelet\",\n \"apiVersion\": \"v1\",\n \"fieldsV1\": {\n \"f:message\": {},\n \"f:involvedObject\": {},\n \"f:lastTimestamp\": {},\n \"f:source\": {\n \"f:host\": {},\n \"f:component\": {}\n },\n \"f:type\": {},\n \"f:reason\": {},\n \"f:count\": {},\n \"f:firstTimestamp\": {}\n },\n \"operation\": \"Update\",\n \"fieldsType\": \"FieldsV1\",\n \"time\": \"2022-06-01T14:05:30Z\"\n }\n ],\n \"uid\": \"658b3d26-ed26-4d32-a5b4-3bb87bdefa99\",\n \"name\": \"kube-dns-56494768b7-544n6.16f48435f72a4bd9\"\n },\n \"involvedObject\": {\n \"resourceVersion\": \"6551\",\n \"namespace\": \"kube-system\",\n \"fieldPath\": \"spec.containers{prometheus-to-sd}\",\n \"apiVersion\": \"v1\",\n \"name\": \"kube-dns-56494768b7-544n6\",\n \"uid\": \"52017f74-5157-4788-a62e-b83c4eac4acf\",\n \"kind\": \"Pod\"\n }\n },\n \"resource\": {\n \"type\": \"k8s_pod\",\n \"labels\": {\n \"location\": \"europe-west1-c\",\n \"namespace_name\": \"kube-system\",\n \"cluster_name\": \"cluster-1\",\n \"pod_name\": \"kube-dns-56494768b7-544n6\",\n \"project_id\": \"hazel-aria-348413\"\n }\n },\n \"timestamp\": \"2022-06-01T14:05:30Z\",\n \"severity\": \"INFO\",\n \"logName\": \"projects/hazel-aria-348413/logs/events\",\n \"receiveTimestamp\": \"2022-06-01T14:05:39.683992581Z\"\n}", "event": 
{ - "kind": "event", + "action": "Pulling", "category": [ "process" ], + "kind": "event", + "reason": "Pulling image \"gke.gcr.io/prometheus-to-sd:v0.11.3-gke.0\"", "type": [ "change" - ], - "reason": "Pulling image \"gke.gcr.io/prometheus-to-sd:v0.11.3-gke.0\"", - "action": "Pulling" + ] }, "@timestamp": "2022-06-01T14:05:30Z", - "orchestrator": { - "type": "kubernetes", - "api_version": "v1", - "namespace": "kube-system", - "cluster": { - "name": "cluster-1" - }, - "resource": { - "name": "kube-dns-56494768b7-544n6", - "type": "k8s_pod" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { "insertId": "17ahw8eg29q74y6", - "logName": "projects/hazel-aria-348413/logs/events", - "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", - "severity": "INFO", "jsonPayload": { "apiVersion": "v1", - "kind": "Event", - "type": "Normal", "involvedObject": { "fieldPath": "spec.containers{prometheus-to-sd}", "kind": "Pod", @@ -152,27 +140,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "resourceVersion": "6551", "uid": "52017f74-5157-4788-a62e-b83c4eac4acf" }, + "kind": "Event", "metadata": { "creationTimestamp": "2022-06-01T14:05:30Z", "managedFields": [ { - "manager": "kubelet", "apiVersion": "v1", + "fieldsType": "FieldsV1", "fieldsV1": { - "f:message": {}, + "f:count": {}, + "f:firstTimestamp": {}, "f:involvedObject": {}, "f:lastTimestamp": {}, + "f:message": {}, + "f:reason": {}, "f:source": { - "f:host": {}, - "f:component": {} + "f:component": {}, + "f:host": {} }, - "f:type": {}, - "f:reason": {}, - "f:count": {}, - "f:firstTimestamp": {} + "f:type": {} }, + "manager": "kubelet", "operation": "Update", - "fieldsType": "FieldsV1", "time": "2022-06-01T14:05:30Z" } ], 
@@ -181,21 +170,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "source": { "component": "kubelet" - } - } + }, + "type": "Normal" + }, + "logName": "projects/hazel-aria-348413/logs/events", + "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", + "severity": "INFO" }, "host": { "name": "gke-cluster-1-default-pool-476246ab-wnl7" }, + "orchestrator": { + "api_version": "v1", + "cluster": { + "name": "cluster-1" + }, + "namespace": "kube-system", + "resource": { + "name": "kube-dns-56494768b7-544n6", + "type": "k8s_pod" + }, + "type": "kubernetes" + }, "server": { "geo": { "name": "europe-west1-c" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } 
@@ -209,64 +209,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"17ahw8eg29q74yc\",\n \"jsonPayload\": {\n \"eventTime\": null,\n \"reportingInstance\": \"\",\n \"type\": \"Warning\",\n \"reportingComponent\": \"\",\n \"metadata\": {\n \"resourceVersion\": \"960\",\n \"name\": \"kube-dns.16f484369d214dae\",\n \"namespace\": \"kube-system\",\n \"uid\": \"828b8cd3-1eec-4093-95fb-907ebeab0efa\",\n \"creationTimestamp\": \"2022-06-01T14:05:33Z\",\n \"managedFields\": [\n {\n \"apiVersion\": \"v1\",\n \"operation\": \"Update\",\n \"fieldsV1\": {\n \"f:firstTimestamp\": {},\n \"f:involvedObject\": {},\n \"f:reason\": {},\n \"f:count\": {},\n \"f:lastTimestamp\": {},\n \"f:type\": {},\n \"f:message\": {},\n \"f:source\": {\n \"f:component\": {}\n }\n },\n \"manager\": \"kube-controller-manager\",\n \"time\": \"2022-06-01T14:05:33Z\",\n \"fieldsType\": \"FieldsV1\"\n }\n ]\n },\n \"apiVersion\": \"v1\",\n \"kind\": \"Event\",\n \"message\": \"Failed to update endpoint kube-system/kube-dns: Operation cannot be fulfilled on endpoints \\\"kube-dns\\\": the object has been modified; please apply your changes to the latest version and try again\",\n \"source\": {\n \"component\": \"endpoint-controller\"\n },\n \"involvedObject\": {\n \"apiVersion\": \"v1\",\n \"uid\": \"75cc3b54-2a5f-42fa-8dd9-1669695113cd\",\n \"kind\": \"Endpoints\",\n \"namespace\": \"kube-system\",\n \"resourceVersion\": \"7416\",\n \"name\": \"kube-dns\"\n },\n \"reason\": \"FailedToUpdateEndpoint\"\n },\n \"resource\": {\n \"type\": \"k8s_cluster\",\n \"labels\": {\n \"cluster_name\": \"cluster-1\",\n \"location\": \"europe-west1-c\",\n \"project_id\": \"hazel-aria-348413\"\n }\n },\n \"timestamp\": \"2022-06-01T14:05:33Z\",\n \"severity\": \"WARNING\",\n \"logName\": \"projects/hazel-aria-348413/logs/events\",\n \"receiveTimestamp\": \"2022-06-01T14:05:39.683992581Z\"\n}", "event": { - "kind": "event", + "action": "FailedToUpdateEndpoint", 
"category": [ "process" ], + "kind": "event", + "reason": "Failed to update endpoint kube-system/kube-dns: Operation cannot be fulfilled on endpoints \"kube-dns\": the object has been modified; please apply your changes to the latest version and try again", "type": [ "change" - ], - "reason": "Failed to update endpoint kube-system/kube-dns: Operation cannot be fulfilled on endpoints \"kube-dns\": the object has been modified; please apply your changes to the latest version and try again", - "action": "FailedToUpdateEndpoint" + ] }, "@timestamp": "2022-06-01T14:05:33Z", - "orchestrator": { - "type": "kubernetes", - "api_version": "v1", - "namespace": "kube-system", - "cluster": { - "name": "cluster-1" - }, - "resource": { - "type": "k8s_cluster" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { "insertId": "17ahw8eg29q74yc", - "logName": "projects/hazel-aria-348413/logs/events", - "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", - "severity": "WARNING", "jsonPayload": { "apiVersion": "v1", - "kind": "Event", - "type": "Warning", "involvedObject": { "kind": "Endpoints", "name": "kube-dns", "resourceVersion": "7416", "uid": "75cc3b54-2a5f-42fa-8dd9-1669695113cd" }, + "kind": "Event", "metadata": { "creationTimestamp": "2022-06-01T14:05:33Z", "managedFields": [ { "apiVersion": "v1", - "operation": "Update", + "fieldsType": "FieldsV1", "fieldsV1": { + "f:count": {}, "f:firstTimestamp": {}, "f:involvedObject": {}, - "f:reason": {}, - "f:count": {}, "f:lastTimestamp": {}, - "f:type": {}, "f:message": {}, + "f:reason": {}, "f:source": { "f:component": {} - } + }, + "f:type": {} }, "manager": "kube-controller-manager", - "time": "2022-06-01T14:05:33Z", - "fieldsType": "FieldsV1" + "operation": "Update", + "time": "2022-06-01T14:05:33Z" } ], "resourceVersion": "960", 
@@ -274,21 +264,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "source": { "component": "endpoint-controller" - } - } + }, + "type": "Warning" + }, + "logName": "projects/hazel-aria-348413/logs/events", + "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", + "severity": "WARNING" }, "host": { "name": "kube-dns.16f484369d214dae" }, + "orchestrator": { + "api_version": "v1", + "cluster": { + "name": "cluster-1" + }, + "namespace": "kube-system", + "resource": { + "type": "k8s_cluster" + }, + "type": "kubernetes" + }, "server": { "geo": { "name": "europe-west1-c" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } 
@@ -302,38 +302,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"17ahw8eg29q74yb\",\n \"jsonPayload\": {\n \"involvedObject\": {\n \"namespace\": \"kube-system\",\n \"uid\": \"52017f74-5157-4788-a62e-b83c4eac4acf\",\n \"kind\": \"Pod\",\n \"resourceVersion\": \"6551\",\n \"fieldPath\": \"spec.containers{prometheus-to-sd}\",\n \"apiVersion\": \"v1\",\n \"name\": \"kube-dns-56494768b7-544n6\"\n },\n \"kind\": \"Event\",\n \"apiVersion\": \"v1\",\n \"eventTime\": null,\n \"reportingInstance\": \"\",\n \"metadata\": {\n \"managedFields\": [\n {\n \"time\": \"2022-06-01T14:05:32Z\",\n \"manager\": \"kubelet\",\n \"fieldsType\": \"FieldsV1\",\n \"operation\": \"Update\",\n \"apiVersion\": \"v1\",\n \"fieldsV1\": {\n \"f:count\": {},\n \"f:type\": {},\n \"f:involvedObject\": {},\n \"f:source\": {\n \"f:component\": {},\n \"f:host\": {}\n },\n \"f:reason\": {},\n \"f:firstTimestamp\": {},\n \"f:message\": {},\n \"f:lastTimestamp\": {}\n }\n }\n ],\n \"namespace\": \"kube-system\",\n \"creationTimestamp\": \"2022-06-01T14:05:32Z\",\n \"name\": \"kube-dns-56494768b7-544n6.16f48436899e3f4a\",\n \"resourceVersion\": \"959\",\n \"uid\": \"2836bb34-8703-4475-a7d8-5cf0ec2232f8\"\n },\n \"message\": \"Created container prometheus-to-sd\",\n \"reason\": \"Created\",\n \"type\": \"Normal\",\n \"source\": {\n \"host\": \"gke-cluster-1-default-pool-476246ab-wnl7\",\n \"component\": \"kubelet\"\n },\n \"reportingComponent\": \"\"\n },\n \"resource\": {\n \"type\": \"k8s_pod\",\n \"labels\": {\n \"project_id\": \"hazel-aria-348413\",\n \"namespace_name\": \"kube-system\",\n \"cluster_name\": \"cluster-1\",\n \"pod_name\": \"kube-dns-56494768b7-544n6\",\n \"location\": \"europe-west1-c\"\n }\n },\n \"timestamp\": \"2022-06-01T14:05:32Z\",\n \"severity\": \"INFO\",\n \"logName\": \"projects/hazel-aria-348413/logs/events\",\n \"receiveTimestamp\": \"2022-06-01T14:05:39.683992581Z\"\n}", "event": { - "kind": "event", + 
"action": "Created", "category": [ "process" ], + "kind": "event", + "reason": "Created container prometheus-to-sd", "type": [ "change" - ], - "reason": "Created container prometheus-to-sd", - "action": "Created" + ] }, "@timestamp": "2022-06-01T14:05:32Z", - "orchestrator": { - "type": "kubernetes", - "api_version": "v1", - "namespace": "kube-system", - "cluster": { - "name": "cluster-1" - }, - "resource": { - "name": "kube-dns-56494768b7-544n6", - "type": "k8s_pod" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { "insertId": "17ahw8eg29q74yb", - "logName": "projects/hazel-aria-348413/logs/events", - "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", - "severity": "INFO", "jsonPayload": { "apiVersion": "v1", - "kind": "Event", - "type": "Normal", "involvedObject": { "fieldPath": "spec.containers{prometheus-to-sd}", "kind": "Pod", @@ -341,28 +329,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "resourceVersion": "6551", "uid": "52017f74-5157-4788-a62e-b83c4eac4acf" }, + "kind": "Event", "metadata": { "creationTimestamp": "2022-06-01T14:05:32Z", "managedFields": [ { - "time": "2022-06-01T14:05:32Z", - "manager": "kubelet", - "fieldsType": "FieldsV1", - "operation": "Update", "apiVersion": "v1", + "fieldsType": "FieldsV1", "fieldsV1": { "f:count": {}, - "f:type": {}, + "f:firstTimestamp": {}, "f:involvedObject": {}, + "f:lastTimestamp": {}, + "f:message": {}, + "f:reason": {}, "f:source": { "f:component": {}, "f:host": {} }, - "f:reason": {}, - "f:firstTimestamp": {}, - "f:message": {}, - "f:lastTimestamp": {} - } + "f:type": {} + }, + "manager": "kubelet", + "operation": "Update", + "time": "2022-06-01T14:05:32Z" } ], "resourceVersion": "959", 
@@ -370,21 +359,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "source": { "component": "kubelet" - } - } + }, + "type": "Normal" + }, + "logName": "projects/hazel-aria-348413/logs/events", + "receiveTimestamp": "2022-06-01T14:05:39.683992581Z", + "severity": "INFO" }, "host": { "name": "gke-cluster-1-default-pool-476246ab-wnl7" }, + "orchestrator": { + "api_version": "v1", + "cluster": { + "name": "cluster-1" + }, + "namespace": "kube-system", + "resource": { + "name": "kube-dns-56494768b7-544n6", + "type": "k8s_pod" + }, + "type": "kubernetes" + }, "server": { "geo": { "name": "europe-west1-c" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } 
@@ -398,41 +398,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"insertId\":\"32ez47f5wz17i\",\"jsonPayload\":{\"apiVersion\":\"v1\",\"eventTime\":null,\"involvedObject\":{\"kind\":\"Node\",\"name\":\"gke-cluster-1-default-pool-eb66079e-k3zf\",\"uid\":\"gke-cluster-1-default-pool-eb66079e-k3zf\"},\"kind\":\"Event\",\"message\":\"{\\\"unmanaged\\\": {\\\"net.netfilter.nf_conntrack_buckets\\\": \\\"32768\\\"}}\",\"metadata\":{\"creationTimestamp\":\"2022-06-15T01:55:51Z\",\"managedFields\":[{\"apiVersion\":\"v1\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:count\":{},\"f:firstTimestamp\":{},\"f:involvedObject\":{},\"f:lastTimestamp\":{},\"f:message\":{},\"f:reason\":{},\"f:source\":{\"f:component\":{},\"f:host\":{}},\"f:type\":{}},\"manager\":\"node-problem-detector\",\"operation\":\"Update\",\"time\":\"2022-06-15T01:55:51Z\"}],\"name\":\"gke-cluster-1-default-pool-eb66079e-k3zf.16f8813a8514b8c0\",\"namespace\":\"default\",\"resourceVersion\":\"894\",\"uid\":\"7e26b736-331a-4896-961f-96688918ba7e\"},\"reason\":\"NodeSysctlChange\",\"reportingComponent\":\"\",\"reportingInstance\":\"\",\"source\":{\"component\":\"sysctl-monitor\",\"host\":\"gke-cluster-1-default-pool-eb66079e-k3zf\"},\"type\":\"Warning\"},\"logName\":\"projects/hazel-aria-348413/logs/events\",\"receiveTimestamp\":\"2022-06-15T01:55:52.012275121Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"node_name\":\"gke-cluster-1-default-pool-eb66079e-k3zf\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_node\"},\"severity\":\"WARNING\",\"timestamp\":\"2022-06-15T01:55:51Z\"}", "event": { - "kind": "event", + "action": "NodeSysctlChange", "category": [ "process" ], + "kind": "event", + "reason": "{\"unmanaged\": {\"net.netfilter.nf_conntrack_buckets\": \"32768\"}}", "type": [ "change" - ], - "reason": "{\"unmanaged\": {\"net.netfilter.nf_conntrack_buckets\": \"32768\"}}", - "action": "NodeSysctlChange" + ] 
}, "@timestamp": "2022-06-15T01:55:51Z", - "orchestrator": { - "type": "kubernetes", - "namespace": "default", - "cluster": { - "name": "cluster-1" - }, - "resource": { - "type": "k8s_node" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { "insertId": "32ez47f5wz17i", - "logName": "projects/hazel-aria-348413/logs/events", - "receiveTimestamp": "2022-06-15T01:55:52.012275121Z", - "severity": "WARNING", "jsonPayload": { "apiVersion": "v1", - "kind": "Event", - "type": "Warning", "involvedObject": { "kind": "Node", "name": "gke-cluster-1-default-pool-eb66079e-k3zf", "uid": "gke-cluster-1-default-pool-eb66079e-k3zf" }, + "kind": "Event", "metadata": { "creationTimestamp": "2022-06-15T01:55:51Z", "managedFields": [ @@ -462,21 +453,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "source": { "component": "sysctl-monitor" - } - } + }, + "type": "Warning" + }, + "logName": "projects/hazel-aria-348413/logs/events", + "receiveTimestamp": "2022-06-15T01:55:52.012275121Z", + "severity": "WARNING" }, "host": { "name": "gke-cluster-1-default-pool-eb66079e-k3zf" }, + "orchestrator": { + "cluster": { + "name": "cluster-1" + }, + "namespace": "default", + "resource": { + "type": "k8s_node" + }, + "type": "kubernetes" + }, "server": { "geo": { "name": "europe-central2-a" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } 
@@ -490,20 +490,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"insertId\":\"1wtrhknf2gg14w\",\"logName\":\"projects/hazel-aria-348413/logs/events\",\"receiveTimestamp\":\"2022-06-16T09:42:59.259491841Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"severity\":\"WARNING\",\"textPayload\":\"Event exporter started watching. Some events may have been lost up to this point.\",\"timestamp\":\"2022-06-16T09:42:39.200653463Z\"}", "event": { - "reason": "Event exporter started watching. Some events may have been lost up to this point.", - "kind": "event", "category": [ "process" ], + "kind": "event", + "reason": "Event exporter started watching. Some events may have been lost up to this point.", "type": [ "change" ] }, "@timestamp": "2022-06-16T09:42:39.200653Z", - "orchestrator": { - "type": "kubernetes", - "cluster": { - "name": "cluster-1" + "cloud": { + "project": { + "id": "hazel-aria-348413" } }, "google_kubernetes_engine": { @@ -512,15 +511,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "receiveTimestamp": "2022-06-16T09:42:59.259491841Z", "severity": "WARNING" }, + "orchestrator": { + "cluster": { + "name": "cluster-1" + }, + "type": "kubernetes" + }, "server": { "geo": { "name": "europe-central2-a" } - }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - } } } diff --git a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md index 072edc6a0c..1b2775dfa0 100644 --- a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md +++ b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md 
@@ -30,45 +30,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2023-06-23T07:55:01.421Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.17.7\"},\"user\":{\"audit\":{\"name\":\"foobar\",\"id\":\"1000\"},\"effective\":{\"id\":\"1000\",\"name\":\"foobar\"}},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"SRVFOOBAR\",\"hostname\":\"SRVFOOBAR\",\"architecture\":\"x86_64\",\"os\":{\"kernel\":\"4.15.0-192-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.5 LTS (Bionic Beaver)\",\"family\":\"debian\",\"name\":\"Ubuntu\"},\"id\":\"a1500a93a08345ce8499645d872ae3b4\",\"containerized\":false,\"ip\":[\"1.1.1.1\",\"fe80::\"],\"mac\":[\"00:00:00:00:00:00\"]},\"event\":{\"module\":\"auditd\",\"category\":[\"authentication\"],\"action\":\"changed-login-id-to\",\"outcome\":\"success\",\"kind\":\"event\",\"type\":[\"start\"]},\"agent\":{\"name\":\"SRVFOOBAR\",\"type\":\"auditbeat\",\"version\":\"7.17.7\",\"hostname\":\"SRVFOOBAR\",\"ephemeral_id\":\"e19079f8-f5eb-4c92-b875-2b8129079220\",\"id\":\"ac023697-7cb3-43f9-95df-2e1ee89b5bfe\"},\"process\":{\"pid\":18267},\"related\":{\"user\":[\"foobar\"]},\"auditd\":{\"result\":\"success\",\"data\":{\"tty\":\"(none)\",\"old-ses\":\"4294967295\"},\"session\":\"550229\",\"summary\":{\"actor\":{\"primary\":\"unset\",\"secondary\":\"root\"},\"object\":{\"type\":\"user-session\",\"primary\":\"1000\"}},\"message_type\":\"login\",\"sequence\":28655980},\"service\":{\"type\":\"auditd\"}}\n", "event": { - "kind": "event", - "module": "auditd", + "action": "changed-login-id-to", "category": [ "authentication" ], + "kind": "event", + "module": "auditd", "type": [ "start" - ], - "action": "changed-login-id-to" + ] }, - "sekoiaio": { - "server": { - "name": "SRVFOOBAR", - "os": { - "type": "linux" - } - }, - "client": { - "name": "SRVFOOBAR", - "os": { - "type": "linux" - } - } + "@timestamp": 
"2023-06-23T07:55:01.421000Z", + "action": { + "outcome": "success" }, "agent": { + "ephemeral_id": "e19079f8-f5eb-4c92-b875-2b8129079220", + "hostname": "SRVFOOBAR", + "id": "ac023697-7cb3-43f9-95df-2e1ee89b5bfe", "name": "SRVFOOBAR", "type": "auditbeat", - "version": "7.17.7", - "hostname": "SRVFOOBAR", - "ephemeral_id": "e19079f8-f5eb-4c92-b875-2b8129079220", - "id": "ac023697-7cb3-43f9-95df-2e1ee89b5bfe" + "version": "7.17.7" }, "auditbeat": {}, "auditd": { - "result": "success", "data": { - "tty": "(none)", - "old-ses": "4294967295" + "old-ses": "4294967295", + "tty": "(none)" }, + "message_type": "login", + "result": "success", + "sequence": 28655980, "session": "550229", "summary": { "actor": { @@ -76,36 +68,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "secondary": "root" }, "object": { - "type": "user-session", - "primary": "1000" + "primary": "1000", + "type": "user-session" } }, - "message_type": "login", - "sequence": 28655980, "user": {} }, + "client": { + "address": [ + "1.1.1.1", + "fe80::" + ], + "ip": [ + "1.1.1.1", + "fe80::" + ], + "mac": [ + "00:00:00:00:00:00" + ] + }, "host": { - "name": "SRVFOOBAR", - "hostname": "SRVFOOBAR", "architecture": "x86_64", - "os": { - "kernel": "4.15.0-192-generic", - "codename": "bionic", - "type": "linux", - "platform": "ubuntu", - "version": "18.04.5 LTS (Bionic Beaver)", - "family": "debian", - "name": "Ubuntu" - }, - "id": "a1500a93a08345ce8499645d872ae3b4", "containerized": false, + "hostname": "SRVFOOBAR", + "id": "a1500a93a08345ce8499645d872ae3b4", "ip": [ "1.1.1.1", "fe80::" ], "mac": [ "00:00:00:00:00:00" - ] + ], + "name": "SRVFOOBAR", + "os": { + "codename": "bionic", + "family": "debian", + "kernel": "4.15.0-192-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "18.04.5 LTS (Bionic Beaver)" + } }, "log": { "hostname": "SRVFOOBAR" 
@@ -114,26 +117,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "pid": 18267
 },
 "related": {
+ "hosts": [
+ "SRVFOOBAR"
+ ],
 "ip": [
 "1.1.1.1",
 "fe80::"
- ],
- "hosts": [
- "SRVFOOBAR"
 ]
 },
- "service": {
- "type": "auditd"
- },
- "@timestamp": "2023-06-23T07:55:01.421000Z",
- "user": {
- "audit": {
- "name": "foobar",
- "id": "1000"
+ "sekoiaio": {
+ "client": {
+ "name": "SRVFOOBAR",
+ "os": {
+ "type": "linux"
+ }
 },
- "effective": {
- "id": "1000",
- "name": "foobar"
+ "server": {
+ "name": "SRVFOOBAR",
+ "os": {
+ "type": "linux"
+ }
 }
 },
 "server": {
@@ -145,21 +148,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "00:00:00:00:00:00"
 ]
 },
- "client": {
- "ip": [
- "1.1.1.1",
- "fe80::"
- ],
- "mac": [
- "00:00:00:00:00:00"
- ],
- "address": [
- "1.1.1.1",
- "fe80::"
- ]
+ "service": {
+ "type": "auditd"
 },
- "action": {
- "outcome": "success"
+ "user": {
+ "audit": {
+ "id": "1000",
+ "name": "foobar"
+ },
+ "effective": {
+ "id": "1000",
+ "name": "foobar"
+ }
 }
 }
@@ -173,57 +173,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2023-06-22T08:03:20.160Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.1\"},\"source\":{\"ip\":\"1.1.1.1\"},\"service\":{\"type\":\"auditd\"},\"user\":{\"effective\":{\"id\":\"0\",\"name\":\"root\"},\"selinux\":{\"user\":\"=unconfined\"}},\"host\":{\"name\":\"ext-rp\"},\"agent\":{\"id\":\"5e75ccef-91c4-4dec-9615-d30ac29006d8\",\"name\":\"ext-rp\",\"type\":\"auditbeat\",\"version\":\"7.13.1\",\"hostname\":\"ext-rp\",\"ephemeral_id\":\"2cb57415-6154-41e9-8584-fb412e22c5a7\"},\"process\":{\"pid\":16718,\"executable\":\"/usr/sbin/sshd\"},\"network\":{\"direction\":\"ingress\"},\"related\":{\"user\":[\"root\"]},\"auditd\":{\"message_type\":\"user_login\",\"sequence\":39380335,\"result\":\"fail\",\"data\":{\"op\":\"login\",\"terminal\":\"sshd\",\"acct\":\"root\"},\"summary\":{\"actor\":{\"primary\":\"unset\",\"secondary\":\"root\"},\"object\":{\"secondary\":\"1.1.1.1\",\"type\":\"user-session\",\"primary\":\"sshd\"},\"how\":\"/usr/sbin/sshd\"}},\"event\":{\"action\":\"logged-in\",\"outcome\":\"failure\",\"kind\":\"event\",\"type\":[\"start\",\"authentication_failure\"],\"module\":\"auditd\",\"category\":[\"authentication\"]},\"ecs\":{\"version\":\"1.9.0\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": "logged-in", "category": [ "authentication" ], + "kind": "event", + "module": "auditd", "type": [ - "start", - "authentication_failure" - ], - "action": "logged-in" + "authentication_failure", + "start" + ] }, - "sekoiaio": { - "server": { - "name": "ext-rp", - "os": { - "type": "linux" - } - } + "@timestamp": "2023-06-22T08:03:20.160000Z", + "action": { + "outcome": "failure" }, "agent": { + "ephemeral_id": "2cb57415-6154-41e9-8584-fb412e22c5a7", + "hostname": "ext-rp", "id": "5e75ccef-91c4-4dec-9615-d30ac29006d8", "name": "ext-rp", "type": "auditbeat", - "version": "7.13.1", - "hostname": 
"ext-rp", - "ephemeral_id": "2cb57415-6154-41e9-8584-fb412e22c5a7" + "version": "7.13.1" }, "auditbeat": {}, "auditd": { - "message_type": "user_login", - "sequence": 39380335, - "result": "fail", "data": { + "acct": "root", "op": "login", - "terminal": "sshd", - "acct": "root" + "terminal": "sshd" }, + "message_type": "user_login", + "result": "fail", + "sequence": 39380335, "summary": { "actor": { "primary": "unset", "secondary": "root" }, + "how": "/usr/sbin/sshd", "object": { + "primary": "sshd", "secondary": "1.1.1.1", - "type": "user-session", - "primary": "sshd" - }, - "how": "/usr/sbin/sshd" + "type": "user-session" + } }, "user": {} }, + "client": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, "host": { "name": "ext-rp", "os": { @@ -237,23 +237,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "ingress" }, "process": { - "pid": 16718, "executable": "/usr/sbin/sshd", - "name": "sshd" + "name": "sshd", + "pid": 16718 }, "related": { "ip": [ "1.1.1.1" ] }, + "sekoiaio": { + "server": { + "name": "ext-rp", + "os": { + "type": "linux" + } + } + }, + "server": {}, "service": { "type": "auditd" }, "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + "address": "1.1.1.1", + "ip": "1.1.1.1" }, - "@timestamp": "2023-06-22T08:03:20.160000Z", "user": { "effective": { "id": "0", @@ -262,14 +270,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "selinux": { "user": "=unconfined" } - }, - "client": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "server": {}, - "action": { - "outcome": "failure" } } 
@@ -283,59 +283,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " {\"@timestamp\":\"2023-06-22T01:32:32.888Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.17.9\"},\"event\":{\"kind\":\"event\",\"type\":[\"start\",\"authentication_success\"],\"module\":\"auditd\",\"category\":[\"authentication\"],\"action\":\"logged-in\",\"outcome\":\"success\"},\"user\":{\"name\":\"linveeam\",\"id\":\"1001\",\"selinux\":{\"user\":\"=unconfined\"},\"audit\":{\"name\":\"linveeam\",\"id\":\"1001\"}},\"process\":{\"executable\":\"/usr/sbin/sshd\",\"pid\":1432775},\"source\":{\"ip\":\"1.1.1.1\"},\"network\":{\"direction\":\"ingress\"},\"auditd\":{\"message_type\":\"user_login\",\"sequence\":968787,\"result\":\"success\",\"data\":{\"terminal\":\"/dev/pts/0\",\"id\":\"1001\",\"hostname\":\"1.1.1.1\",\"op\":\"login\"},\"session\":\"66207\",\"summary\":{\"actor\":{\"primary\":\"linveeam\",\"secondary\":\"linveeam\"},\"object\":{\"secondary\":\"1.1.1.1\",\"type\":\"user-session\",\"primary\":\"/dev/pts/0\"},\"how\":\"/usr/sbin/sshd\"}},\"agent\":{\"id\":\"8e633966-f3f7-4b2e-a58c-eb0a020a4d8c\",\"name\":\"SRVFOOBAR\",\"type\":\"auditbeat\",\"version\":\"7.17.9\",\"hostname\":\"SRVFOOBAR\",\"ephemeral_id\":\"b56f3afe-b449-4d5e-ae91-913589894aae\"},\"host\":{\"name\":\"SRVFOOBAR\"},\"related\":{\"user\":[\"linveeam\"]},\"service\":{\"type\":\"auditd\"},\"ecs\":{\"version\":\"1.12.0\"}}\n", "event": { - "kind": "event", - "module": "auditd", + "action": "logged-in", "category": [ "authentication" ], + "kind": "event", + "module": "auditd", "type": [ - "start", - "authentication_success" - ], - "action": "logged-in" + "authentication_success", + "start" + ] }, - "sekoiaio": { - "server": { - "name": "SRVFOOBAR", - "os": { - "type": "linux" - } - } + "@timestamp": "2023-06-22T01:32:32.888000Z", + "action": { + "outcome": "success" }, "agent": { + "ephemeral_id": "b56f3afe-b449-4d5e-ae91-913589894aae", + "hostname": 
"SRVFOOBAR", "id": "8e633966-f3f7-4b2e-a58c-eb0a020a4d8c", "name": "SRVFOOBAR", "type": "auditbeat", - "version": "7.17.9", - "hostname": "SRVFOOBAR", - "ephemeral_id": "b56f3afe-b449-4d5e-ae91-913589894aae" + "version": "7.17.9" }, "auditbeat": {}, "auditd": { - "message_type": "user_login", - "sequence": 968787, - "result": "success", "data": { - "terminal": "/dev/pts/0", - "id": "1001", "hostname": "1.1.1.1", - "op": "login" + "id": "1001", + "op": "login", + "terminal": "/dev/pts/0" }, + "message_type": "user_login", + "result": "success", + "sequence": 968787, "session": "66207", "summary": { "actor": { "primary": "linveeam", "secondary": "linveeam" }, + "how": "/usr/sbin/sshd", "object": { + "primary": "/dev/pts/0", "secondary": "1.1.1.1", - "type": "user-session", - "primary": "/dev/pts/0" - }, - "how": "/usr/sbin/sshd" + "type": "user-session" + } }, "user": {} }, + "client": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, "host": { "name": "SRVFOOBAR", "os": { @@ -350,8 +350,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "executable": "/usr/sbin/sshd", - "pid": 1432775, - "name": "sshd" + "name": "sshd", + "pid": 1432775 }, "related": { "ip": [ @@ -361,32 +361,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "linveeam" ] }, + "sekoiaio": { + "server": { + "name": "SRVFOOBAR", + "os": { + "type": "linux" + } + } + }, + "server": {}, "service": { "type": "auditd" }, "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + "address": "1.1.1.1", + "ip": "1.1.1.1" }, - "@timestamp": "2023-06-22T01:32:32.888000Z", "user": { - "name": "linveeam", + "audit": { + "id": "1001", + "name": "linveeam" + }, "id": "1001", + "name": "linveeam", "selinux": { "user": "=unconfined" - }, - "audit": { - "name": "linveeam", - "id": "1001" } - }, - "client": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "server": {}, - "action": { - "outcome": "success" } } 
@@ -400,32 +400,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " {\"@timestamp\":\"2023-06-22T12:15:59.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.17.9\"},\"related\":{\"user\":[\"USER_NAME1\"],\"ip\":[\"1.1.1.1\"]},\"message\":\"Login by user USER_NAME1 (UID: 10350) on ftpd12345 (PID: 37966) from 1.1.1.1 (IP: 1.1.1.1)\",\"agent\":{\"id\":\"03bea9ee-1954-4a31-900d-138c080e723b\",\"name\":\"foo.net\",\"type\":\"auditbeat\",\"version\":\"7.17.9\",\"hostname\":\"foo.net\",\"ephemeral_id\":\"aa3e9fe0-3a6f-4d78-8b40-6063a934018a\"},\"ecs\":{\"version\":\"1.12.0\"},\"user\":{\"id\":10350,\"terminal\":\"ftpd12345\",\"name\":\"USER_NAME1\"},\"process\":{\"pid\":37966},\"source\":{\"ip\":\"1.1.1.1\"},\"service\":{\"type\":\"system\"},\"event\":{\"action\":\"user_login\",\"origin\":\"/var/log/wtmp\",\"category\":[\"authentication\"],\"outcome\":\"success\",\"type\":[\"start\",\"authentication_success\"],\"module\":\"system\",\"dataset\":\"login\",\"kind\":\"event\"},\"host\":{\"name\":\"foo.net\"}}\n", "event": { - "kind": "event", - "module": "system", + "action": "user_login", "category": [ "authentication" ], + "kind": "event", + "module": "system", "type": [ - "start", - "authentication_success" - ], - "action": "user_login" + "authentication_success", + "start" + ] }, - "sekoiaio": { - "server": { - "name": "foo.net", - "os": { - "type": "linux" - } - } + "@timestamp": "2023-06-22T12:15:59Z", + "action": { + "outcome": "success" }, "agent": { + "ephemeral_id": "aa3e9fe0-3a6f-4d78-8b40-6063a934018a", + "hostname": "foo.net", "id": "03bea9ee-1954-4a31-900d-138c080e723b", "name": "foo.net", "type": "auditbeat", - "version": "7.17.9", - "hostname": "foo.net", - "ephemeral_id": "aa3e9fe0-3a6f-4d78-8b40-6063a934018a" + "version": "7.17.9" }, "auditbeat": { "message": "Login by user USER_NAME1 (UID: 10350) on ftpd12345 (PID: 37966) from 1.1.1.1 (IP: 1.1.1.1)" 
@@ -433,6 +429,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "auditd": {
 "user": {}
 },
+ "client": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
+ },
 "host": {
 "name": "foo.net",
 "os": {
@@ -453,26 +453,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "USER_NAME1"
 ]
 },
- "service": {
- "type": "system"
- },
- "source": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "@timestamp": "2023-06-22T12:15:59Z",
- "user": {
- "id": "10350",
- "terminal": "ftpd12345",
- "name": "USER_NAME1"
- },
- "client": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
+ "sekoiaio": {
+ "server": {
+ "name": "foo.net",
+ "os": {
+ "type": "linux"
+ }
+ }
 },
 "server": {},
- "action": {
- "outcome": "success"
+ "service": {
+ "type": "system"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
+ },
+ "user": {
+ "id": "10350",
+ "name": "USER_NAME1",
+ "terminal": "ftpd12345"
 }
 }
@@ -486,32 +486,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " {\"@timestamp\":\"2023-06-22T15:59:33.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.1\"},\"user\":{\"name\":\"root\",\"id\":0,\"terminal\":\"ssh:notty\"},\"process\":{\"pid\":1999},\"agent\":{\"type\":\"auditbeat\",\"version\":\"7.13.1\",\"hostname\":\"ext-rp\",\"ephemeral_id\":\"2cb57415-6154-41e9-8584-fb412e22c5a7\",\"id\":\"5e75ccef-91c4-4dec-9615-d30ac29006d8\",\"name\":\"ext-rp\"},\"service\":{\"type\":\"system\"},\"event\":{\"dataset\":\"login\",\"kind\":\"event\",\"action\":\"user_login\",\"origin\":\"/var/log/btmp\",\"category\":[\"authentication\"],\"outcome\":\"failure\",\"type\":[\"start\",\"authentication_failure\"],\"module\":\"system\"},\"message\":\"Failed login by user root (UID: 0) on ssh:notty (PID: 1999) from 1.1.1.1 (IP: 1.1.1.1)\",\"host\":{\"name\":\"ext-rp\"},\"source\":{\"ip\":\"1.1.1.1\"},\"related\":{\"user\":[\"root\"],\"ip\":[\"1.1.1.1\"]},\"ecs\":{\"version\":\"1.9.0\"}}\n", "event": { - "kind": "event", - "module": "system", + "action": "user_login", "category": [ "authentication" ], + "kind": "event", + "module": "system", "type": [ - "start", - "authentication_failure" - ], - "action": "user_login" + "authentication_failure", + "start" + ] }, - "sekoiaio": { - "server": { - "name": "ext-rp", - "os": { - "type": "linux" - } - } + "@timestamp": "2023-06-22T15:59:33Z", + "action": { + "outcome": "failure" }, "agent": { - "type": "auditbeat", - "version": "7.13.1", - "hostname": "ext-rp", "ephemeral_id": "2cb57415-6154-41e9-8584-fb412e22c5a7", + "hostname": "ext-rp", "id": "5e75ccef-91c4-4dec-9615-d30ac29006d8", - "name": "ext-rp" + "name": "ext-rp", + "type": "auditbeat", + "version": "7.13.1" }, "auditbeat": { "message": "Failed login by user root (UID: 0) on ssh:notty (PID: 1999) from 1.1.1.1 (IP: 1.1.1.1)" 
@@ -519,6 +515,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "auditd": {
 "user": {}
 },
+ "client": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
+ },
 "host": {
 "name": "ext-rp",
 "os": {
@@ -539,26 +539,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "root"
 ]
 },
+ "sekoiaio": {
+ "server": {
+ "name": "ext-rp",
+ "os": {
+ "type": "linux"
+ }
+ }
+ },
+ "server": {},
 "service": {
 "type": "system"
 },
 "source": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
 },
- "@timestamp": "2023-06-22T15:59:33Z",
 "user": {
- "name": "root",
 "id": "0",
+ "name": "root",
 "terminal": "ssh:notty"
- },
- "client": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "server": {},
- "action": {
- "outcome": "failure"
 }
 }
@@ -572,32 +572,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2023-06-23T08:03:25.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.17.9\"},\"source\":{\"ip\":\"1.1.1.1\",\"domain\":\"host-1-1-1-1.foo.bar.net\"},\"agent\":{\"name\":\"baz.bar.net\",\"type\":\"auditbeat\",\"version\":\"7.17.9\",\"hostname\":\"baz.bar.net\",\"ephemeral_id\":\"aa3e9fe0-3a6f-4d78-8b40-6063a934018a\",\"id\":\"03bea9ee-1954-4a31-900d-138c080e723b\"},\"ecs\":{\"version\":\"1.12.0\"},\"service\":{\"type\":\"system\"},\"message\":\"Failed login by user cs (UID: -1) on ssh:notty (PID: 65003) from host-1-1-1-1.foo.bar.net (IP: 1.1.1.1)\",\"user\":{\"name\":\"cs\",\"terminal\":\"ssh:notty\"},\"related\":{\"user\":[\"cs\"],\"ip\":[\"1.1.1.1\"]},\"process\":{\"pid\":65003},\"host\":{\"name\":\"baz.bar.net\"},\"event\":{\"kind\":\"event\",\"action\":\"user_login\",\"origin\":\"/var/log/btmp\",\"category\":[\"authentication\"],\"outcome\":\"failure\",\"type\":[\"start\",\"authentication_failure\"],\"module\":\"system\",\"dataset\":\"login\"}}", "event": { - "kind": "event", - "module": "system", + "action": "user_login", "category": [ "authentication" ], + "kind": "event", + "module": "system", "type": [ - "start", - "authentication_failure" - ], - "action": "user_login" + "authentication_failure", + "start" + ] }, - "sekoiaio": { - "server": { - "name": "baz.bar.net", - "os": { - "type": "linux" - } - } + "@timestamp": "2023-06-23T08:03:25Z", + "action": { + "outcome": "failure" }, "agent": { + "ephemeral_id": "aa3e9fe0-3a6f-4d78-8b40-6063a934018a", + "hostname": "baz.bar.net", + "id": "03bea9ee-1954-4a31-900d-138c080e723b", "name": "baz.bar.net", "type": "auditbeat", - "version": "7.17.9", - "hostname": "baz.bar.net", - "ephemeral_id": "aa3e9fe0-3a6f-4d78-8b40-6063a934018a", - "id": "03bea9ee-1954-4a31-900d-138c080e723b" + "version": "7.17.9" }, "auditbeat": { "message": "Failed login by user cs (UID: 
-1) on ssh:notty (PID: 65003) from host-1-1-1-1.foo.bar.net (IP: 1.1.1.1)"
@@ -605,6 +601,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "auditd": {
 "user": {}
 },
+ "client": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
+ },
 "host": {
 "name": "baz.bar.net",
 "os": {
@@ -618,39 +618,39 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "pid": 65003
 },
 "related": {
- "ip": [
- "1.1.1.1"
- ],
 "hosts": [
 "host-1-1-1-1.foo.bar.net"
 ],
+ "ip": [
+ "1.1.1.1"
+ ],
 "user": [
 "cs"
 ]
 },
+ "sekoiaio": {
+ "server": {
+ "name": "baz.bar.net",
+ "os": {
+ "type": "linux"
+ }
+ }
+ },
+ "server": {},
 "service": {
 "type": "system"
 },
 "source": {
- "ip": "1.1.1.1",
- "domain": "host-1-1-1-1.foo.bar.net",
 "address": "host-1-1-1-1.foo.bar.net",
- "top_level_domain": "net",
+ "domain": "host-1-1-1-1.foo.bar.net",
+ "ip": "1.1.1.1",
+ "registered_domain": "bar.net",
 "subdomain": "host-1-1-1-1.foo",
- "registered_domain": "bar.net"
+ "top_level_domain": "net"
 },
- "@timestamp": "2023-06-23T08:03:25Z",
 "user": {
 "name": "cs",
 "terminal": "ssh:notty"
- },
- "client": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "server": {},
- "action": {
- "outcome": "failure"
 }
 }
@@ -664,19 +664,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"event\":{\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"event\",\"category\":[\"process\"],\"type\":[\"end\"],\"action\":\"process_stopped\"},\"process\":{\"working_directory\":\"/my/directory\",\"start\":\"2021-01-01T00:01:01.000Z\",\"name\":\"smtp\",\"entity_id\":\"AZERTY123456789\",\"ppid\":1457,\"executable\":\"/usr/lib/postfix/sbin/smtp\",\"pid\":123123,\"args\":[\"smtp\",\"-t\",\"unix\",\"-u\",\"-c\"],\"hash\":{\"sha1\":\"53fe0c00019fb177e43c7ac214f466f01158384e\"}},\"message\":\"Process smtp (PID: 123123) by user postfix STOPPED\",\"user\":{\"effective\":{\"id\":\"999\",\"group\":{\"id\":\"222\"}},\"saved\":{\"id\":\"999\",\"group\":{\"id\":\"222\"}},\"name\":\"postfix\",\"id\":\"999\",\"group\":{\"id\":\"222\",\"name\":\"postfix\"}},\"service\":{\"type\":\"system\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"hostname\":\"fame\",\"ephemeral_id\":\"qsdfghjklm-1111-2222-3333-azertyuiop\",\"id\":\"wxcvbn-010101-121212-4444-azertyuiop\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\"}}",
 "event": {
- "kind": "event",
- "module": "system",
+ "action": "process_stopped",
 "category": [
 "process"
 ],
+ "kind": "event",
+ "module": "system",
 "type": [
 "end"
- ],
- "action": "process_stopped"
+ ]
 },
+ "@timestamp": "2021-01-01T00:01:01Z",
 "agent": {
- "hostname": "fame",
 "ephemeral_id": "qsdfghjklm-1111-2222-3333-azertyuiop",
+ "hostname": "fame",
 "id": "wxcvbn-010101-121212-4444-azertyuiop",
 "name": "fame",
 "type": "auditbeat",
@@ -687,14 +688,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "auditd": {
 "user": {
+ "group": {
+ "id": "222"
+ },
 "saved": {
- "id": "999",
 "group": {
 "id": "222"
- }
- },
- "group": {
- "id": "222"
+ },
+ "id": "999"
 }
 }
 },
@@ -705,57 +706,56 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "hostname": "fame"
 },
 "process": {
- "working_directory": "/my/directory",
- "start": "2021-01-01T00:01:01Z",
- "name": "smtp",
- "entity_id": "AZERTY123456789",
- "executable": "/usr/lib/postfix/sbin/smtp",
- "pid": 123123,
 "args": [
- "smtp",
+ "-c",
 "-t",
- "unix",
 "-u",
- "-c"
+ "smtp",
+ "unix"
 ],
+ "command_line": "smtp -t unix -u -c",
+ "entity_id": "AZERTY123456789",
+ "executable": "/usr/lib/postfix/sbin/smtp",
 "hash": {
 "sha1": "53fe0c00019fb177e43c7ac214f466f01158384e"
 },
+ "name": "smtp",
 "parent": {
 "pid": 1457
 },
- "command_line": "smtp -t unix -u -c"
+ "pid": 123123,
+ "start": "2021-01-01T00:01:01Z",
+ "working_directory": "/my/directory"
+ },
+ "related": {
+ "hash": [
+ "53fe0c00019fb177e43c7ac214f466f01158384e"
+ ],
+ "user": [
+ "postfix"
+ ]
 },
 "service": {
 "type": "system"
 },
- "@timestamp": "2021-01-01T00:01:01Z",
 "user": {
 "effective": {
- "id": "999",
 "group": {
 "id": "222"
- }
+ },
+ "id": "999"
+ },
+ "group": {
+ "id": "222",
+ "name": "postfix"
 },
+ "id": "999",
+ "name": "postfix",
 "saved": {
 "group": {
 "id": "222"
 }
- },
- "name": "postfix",
- "id": "999",
- "group": {
- "id": "222",
- "name": "postfix"
 }
- },
- "related": {
- "hash": [
- "53fe0c00019fb177e43c7ac214f466f01158384e"
- ],
- "user": [
- "postfix"
- ]
 }
 }
@@ -769,23 +769,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-11-09T17:39:26.389Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"process\":{\"ppid\":18470,\"title\":\"/opt/google/chrome/chrome --type=zygote --enable-crashpad --crashpad-handler-pid=18479 --enable-crash-reporter=, --change-stack-\",\"name\":\"chrome\",\"executable\":\"/opt/google/chrome/chrome\",\"working_directory\":\"/home/housetodd\",\"pid\":18488},\"auditd\":{\"session\":\"3\",\"summary\":{\"actor\":{\"primary\":\"housetodd\",\"secondary\":\"housetodd\"},\"object\":{\"primary\":\"/proc/1/oom_score_adj\",\"type\":\"file\"},\"how\":\"/opt/google/chrome/chrome\"},\"paths\":[{\"cap_fe\":\"0\",\"cap_fver\":\"0\",\"inode\":\"16064\",\"name\":\"/proc/1/\",\"ogid\":\"0\",\"ouid\":\"0\",\"rdev\":\"00:00\",\"cap_fi\":\"0000000000000000\",\"cap_fp\":\"0000000000000000\",\"dev\":\"00:04\",\"item\":\"0\",\"mode\":\"040555\",\"nametype\":\"PARENT\"},{\"nametype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"cap_fe\":\"0\",\"dev\":\"00:04\",\"item\":\"1\",\"mode\":\"0100644\",\"name\":\"/proc/1/oom_score_adj\",\"rdev\":\"00:00\",\"cap_fi\":\"0000000000000000\",\"cap_fp\":\"0000000000000000\",\"cap_fver\":\"0\",\"inode\":\"25973\"}],\"message_type\":\"syscall\",\"sequence\":9052,\"result\":\"fail\",\"data\":{\"tty\":\"(none)\",\"exit\":\"EACCES\",\"a0\":\"7ffc1bfcdfa0\",\"a3\":\"7ffc1bfcde00\",\"a2\":\"55881de610b8\",\"a1\":\"1b6\",\"arch\":\"x86_64\",\"syscall\":\"creat\"}},\"event\":{\"module\":\"auditd\",\"category\":[\"file\"],\"action\":\"opened-file\",\"outcome\":\"failure\",\"kind\":\"event\",\"type\":[\"creation\"]},\"user\":{\"filesystem\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"name\":\"housetodd\"},\"name\":\"housetodd\",\"audit\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"
saved\":{\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"group\":{\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\",\"name\":\"housetodd\"},\"id\":\"5511617b-5ca7-4dd5-bb80-d8590dff4430\"},\"host\":{\"name\":\"xps-housetodd\",\"ip\":[\"144.1.237.149\"],\"mac\":[\"22:69:ae:27:fe:66\"],\"hostname\":\"xps-housetodd\",\"architecture\":\"x86_64\",\"os\":{\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false},\"file\":{\"gid\":\"0\",\"owner\":\"housetodd\",\"group\":\"housetodd\",\"path\":\"/proc/1/oom_score_adj\",\"device\":\"00:00\",\"inode\":\"25973\",\"mode\":\"0644\",\"uid\":\"0\"},\"tags\":[\"access\"],\"service\":{\"type\":\"auditd\"},\"ecs\":{\"version\":\"1.11.0\"},\"agent\":{\"version\":\"7.15.1\",\"hostname\":\"xps-housetodd\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"xps-housetodd\",\"type\":\"auditbeat\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": "opened-file", "category": [ "file" ], + "kind": "event", + "module": "auditd", "type": [ "creation" - ], - "action": "opened-file" + ] }, + "@timestamp": "2021-11-09T17:39:26.389000Z", "agent": { - "version": "7.15.1", - "hostname": "xps-housetodd", "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a", + "hostname": "xps-housetodd", "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81", "name": "xps-housetodd", - "type": "auditbeat" + "type": "auditbeat", + "version": "7.15.1" }, "auditbeat": { "auditd": { 
@@ -799,64 +800,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "auditd": { - "session": "3", - "summary": { - "actor": { - "primary": "housetodd", - "secondary": "housetodd" - }, - "object": { - "primary": "/proc/1/oom_score_adj", - "type": "file" - }, - "how": "/opt/google/chrome/chrome" + "data": { + "a0": "7ffc1bfcdfa0", + "a1": "1b6", + "a2": "55881de610b8", + "a3": "7ffc1bfcde00", + "arch": "x86_64", + "exit": "EACCES", + "syscall": "creat", + "tty": "(none)" }, + "message_type": "syscall", "paths": [ { "cap_fe": "0", - "cap_fver": "0", - "inode": "16064", - "name": "/proc/1/", - "ogid": "0", - "ouid": "0", - "rdev": "00:00", "cap_fi": "0000000000000000", "cap_fp": "0000000000000000", + "cap_fver": "0", "dev": "00:04", + "inode": "16064", "item": "0", "mode": "040555", - "nametype": "PARENT" - }, - { - "nametype": "NORMAL", + "name": "/proc/1/", + "nametype": "PARENT", "ogid": "0", "ouid": "0", + "rdev": "00:00" + }, + { "cap_fe": "0", + "cap_fi": "0000000000000000", + "cap_fp": "0000000000000000", + "cap_fver": "0", "dev": "00:04", + "inode": "25973", "item": "1", "mode": "0100644", "name": "/proc/1/oom_score_adj", - "rdev": "00:00", - "cap_fi": "0000000000000000", - "cap_fp": "0000000000000000", - "cap_fver": "0", - "inode": "25973" + "nametype": "NORMAL", + "ogid": "0", + "ouid": "0", + "rdev": "00:00" } ], - "message_type": "syscall", - "sequence": 9052, "result": "fail", - "data": { - "tty": "(none)", - "exit": "EACCES", - "a0": "7ffc1bfcdfa0", - "a3": "7ffc1bfcde00", - "a2": "55881de610b8", - "a1": "1b6", - "arch": "x86_64", - "syscall": "creat" + "sequence": 9052, + "session": "3", + "summary": { + "actor": { + "primary": "housetodd", + "secondary": "housetodd" + }, + "how": "/opt/google/chrome/chrome", + "object": { + "primary": "/proc/1/oom_score_adj", + "type": "file" + } }, "user": { + "group": { + "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430" + }, "saved": { "group": { "id": 
"5511617b-5ca7-4dd5-bb80-d8590dff4430", 
@@ -864,98 +868,94 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
 "name": "housetodd"
- },
- "group": {
- "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430"
 }
 }
 },
 "file": {
+ "device": "00:00",
+ "directory": "/proc/1",
 "gid": "0",
- "owner": "housetodd",
 "group": "housetodd",
- "path": "/proc/1/oom_score_adj",
- "device": "00:00",
 "inode": "25973",
 "mode": "0644",
- "uid": "0",
 "name": "oom_score_adj",
- "directory": "/proc/1"
+ "owner": "housetodd",
+ "path": "/proc/1/oom_score_adj",
+ "uid": "0"
 },
 "host": {
- "name": "xps-housetodd",
+ "architecture": "x86_64",
+ "containerized": false,
+ "hostname": "xps-housetodd",
+ "id": "7dd912136af040e4a6ea4f683010b824",
 "ip": [
 "144.1.237.149"
 ],
 "mac": [
 "22:69:ae:27:fe:66"
 ],
- "hostname": "xps-housetodd",
- "architecture": "x86_64",
+ "name": "xps-housetodd",
 "os": {
+ "codename": "bionic",
 "family": "debian",
- "name": "Ubuntu",
 "kernel": "4.15.0-161-generic",
- "codename": "bionic",
- "type": "linux",
+ "name": "Ubuntu",
 "platform": "ubuntu",
+ "type": "linux",
 "version": "18.04.6 LTS (Bionic Beaver)"
- },
- "id": "7dd912136af040e4a6ea4f683010b824",
- "containerized": false
+ }
 },
 "log": {
 "hostname": "xps-housetodd"
 },
 "process": {
- "title": "/opt/google/chrome/chrome --type=zygote --enable-crashpad --crashpad-handler-pid=18479 --enable-crash-reporter=, --change-stack-",
- "name": "chrome",
 "executable": "/opt/google/chrome/chrome",
- "working_directory": "/home/housetodd",
- "pid": 18488,
+ "name": "chrome",
 "parent": {
 "pid": 18470
- }
+ },
+ "pid": 18488,
+ "title": "/opt/google/chrome/chrome --type=zygote --enable-crashpad --crashpad-handler-pid=18479 --enable-crash-reporter=, --change-stack-",
+ "working_directory": "/home/housetodd"
+ },
+ "related": {
+ "hosts": [
+ "xps-housetodd"
+ ],
+ "ip": [
+ "144.1.237.149"
+ ],
+ "user": [
+ "housetodd"
+ ]
 },
 "service": {
 "type": "auditd"
 },
- "@timestamp": "2021-11-09T17:39:26.389000Z",
 "user": {
- "filesystem": {
+ "audit": {
 "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
+ "name": "housetodd"
+ },
+ "filesystem": {
 "group": {
 "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
 "name": "housetodd"
 },
+ "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
 "name": "housetodd"
 },
- "name": "housetodd",
- "audit": {
+ "group": {
 "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
 "name": "housetodd"
 },
+ "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
+ "name": "housetodd",
 "saved": {
 "group": {
 "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430"
 }
- },
- "group": {
- "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430",
- "name": "housetodd"
- },
- "id": "5511617b-5ca7-4dd5-bb80-d8590dff4430"
- },
- "related": {
- "user": [
- "housetodd"
- ],
- "ip": [
- "144.1.237.149"
- ],
- "hosts": [
- "xps-housetodd"
- ]
+ }
 }
 }
@@ -969,49 +969,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-11-09T19:07:37.325Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"outcome\":\"unknown\",\"kind\":\"event\",\"type\":[\"info\"],\"module\":\"auditd\",\"category\":[\"file\"],\"action\":\"violated-seccomp-policy\"},\"user\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"audit\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"name\":\"UWWL21LVdEVmqrbT\"},\"group\":{\"id\":\"56d2c11c-9371-4617-bac3-2c18e86042c6\",\"name\":\"UWWL21LVdEVmqrbT\"},\"name\":\"UWWL21LVdEVmqrbT\"},\"process\":{\"name\":\"ThreadPoolSingl\",\"executable\":\"/opt/google/chrome/chrome\",\"pid\":2720},\"host\":{\"mac\":[\"0c:5d:c0:dc:1f:3f\"],\"hostname\":\"xps-UWWL21LVdEVmqrbT\",\"architecture\":\"x86_64\",\"os\":{\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"43.161.42.208\"],\"name\":\"xps-UWWL21LVdEVmqrbT\"},\"agent\":{\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"xps-UWWL21LVdEVmqrbT\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"xps-UWWL21LVdEVmqrbT\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\"},\"ecs\":{\"version\":\"1.11.0\"},\"auditd\":{\"session\":\"2\",\"summary\":{\"how\":\"/opt/google/chrome/chrome\",\"actor\":{\"primary\":\"UWWL21LVdEVmqrbT\",\"secondary\":\"UWWL21LVdEVmqrbT\"},\"object\":{\"primary\":\"stat\",\"type\":\"process\"}},\"message_type\":\"seccomp\",\"sequence\":12522,\"result\":\"unknown\",\"data\":{\"code\":\"0x50000\",\"syscall\":\"stat\",\"compat\":\"0\",\"ip\":\"0x7fe0a0df1845\",\"arch\":\"x86_64\",\"sig\":\"0\"}},\"service\":{\"type\":\"auditd\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": 
"violated-seccomp-policy",
 "category": [
 "file"
 ],
+ "kind": "event",
+ "module": "auditd",
 "type": [
 "info"
- ],
- "action": "violated-seccomp-policy"
+ ]
 },
+ "@timestamp": "2021-11-09T19:07:37.325000Z",
 "agent": {
+ "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a",
+ "hostname": "xps-UWWL21LVdEVmqrbT",
 "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81",
 "name": "xps-UWWL21LVdEVmqrbT",
 "type": "auditbeat",
- "version": "7.15.1",
- "hostname": "xps-UWWL21LVdEVmqrbT",
- "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a"
+ "version": "7.15.1"
 },
 "auditbeat": {},
 "auditd": {
+ "data": {
+ "arch": "x86_64",
+ "code": "0x50000",
+ "compat": "0",
+ "ip": "0x7fe0a0df1845",
+ "sig": "0",
+ "syscall": "stat"
+ },
+ "message_type": "seccomp",
+ "result": "unknown",
+ "sequence": 12522,
 "session": "2",
 "summary": {
- "how": "/opt/google/chrome/chrome",
 "actor": {
 "primary": "UWWL21LVdEVmqrbT",
 "secondary": "UWWL21LVdEVmqrbT"
 },
+ "how": "/opt/google/chrome/chrome",
 "object": {
 "primary": "stat",
 "type": "process"
 }
 },
- "message_type": "seccomp",
- "sequence": 12522,
- "result": "unknown",
- "data": {
- "code": "0x50000",
- "syscall": "stat",
- "compat": "0",
- "ip": "0x7fe0a0df1845",
- "arch": "x86_64",
- "sig": "0"
- },
 "user": {
 "group": {
 "id": "56d2c11c-9371-4617-bac3-2c18e86042c6"
@@ -1019,41 +1020,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "xps-UWWL21LVdEVmqrbT", + "id": "7dd912136af040e4a6ea4f683010b824", + "ip": [ + "43.161.42.208" + ], "mac": [ "0c:5d:c0:dc:1f:3f" ], - "hostname": "xps-UWWL21LVdEVmqrbT", - "architecture": "x86_64", + "name": "xps-UWWL21LVdEVmqrbT", "os": { + "codename": "bionic", "family": "debian", - "name": "Ubuntu", "kernel": "4.15.0-161-generic", - "codename": "bionic", - "type": "linux", + "name": "Ubuntu", "platform": "ubuntu", + "type": "linux", "version": "18.04.6 LTS (Bionic Beaver)" - }, - "id": "7dd912136af040e4a6ea4f683010b824", - "containerized": false, - "ip": [ - "43.161.42.208" - ], - "name": "xps-UWWL21LVdEVmqrbT" + } }, "log": { "hostname": "xps-UWWL21LVdEVmqrbT" }, "process": { - "name": "ThreadPoolSingl", "executable": "/opt/google/chrome/chrome", + "name": "ThreadPoolSingl", "pid": 2720 }, + "related": { + "hosts": [ + "xps-UWWL21LVdEVmqrbT" + ], + "ip": [ + "43.161.42.208" + ], + "user": [ + "UWWL21LVdEVmqrbT" + ] + }, "service": { "type": "auditd" }, - "@timestamp": "2021-11-09T19:07:37.325000Z", "user": { - "id": "56d2c11c-9371-4617-bac3-2c18e86042c6", "audit": { "id": "56d2c11c-9371-4617-bac3-2c18e86042c6", "name": "UWWL21LVdEVmqrbT" @@ -1062,18 +1072,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "56d2c11c-9371-4617-bac3-2c18e86042c6", "name": "UWWL21LVdEVmqrbT" }, + "id": "56d2c11c-9371-4617-bac3-2c18e86042c6", "name": "UWWL21LVdEVmqrbT" - }, - "related": { - "ip": [ - "43.161.42.208" - ], - "hosts": [ - "xps-UWWL21LVdEVmqrbT" - ], - "user": [ - "UWWL21LVdEVmqrbT" - ] } } 
@@ -1087,44 +1087,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-11-09T18:35:01.754Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"related\":{\"user\":[\"root\"]},\"service\":{\"type\":\"auditd\"},\"event\":{\"module\":\"auditd\",\"category\":[\"authentication\"],\"action\":\"changed-login-id-to\",\"outcome\":\"success\",\"kind\":\"event\",\"type\":[\"start\"]},\"user\":{\"audit\":{\"id\":\"0\",\"name\":\"root\"},\"effective\":{\"id\":\"0\",\"name\":\"root\"}},\"ecs\":{\"version\":\"1.11.0\"},\"host\":{\"containerized\":false,\"ip\":[\"66.253.230.251\"],\"mac\":[\"5e:55:38:73:40:a4\"],\"hostname\":\"web-65\",\"architecture\":\"x86_64\",\"os\":{\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\"},\"name\":\"web-65\",\"id\":\"7dd912136af040e4a6ea4f683010b824\"},\"agent\":{\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"web-65\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"web-65\"},\"process\":{\"pid\":20899},\"auditd\":{\"data\":{\"tty\":\"(none)\",\"old-ses\":\"4294967295\"},\"session\":\"436\",\"summary\":{\"actor\":{\"primary\":\"unset\",\"secondary\":\"root\"},\"object\":{\"primary\":\"0\",\"type\":\"user-session\"}},\"message_type\":\"login\",\"sequence\":11578,\"result\":\"success\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": "changed-login-id-to", "category": [ "authentication" ], + "kind": "event", + "module": "auditd", "type": [ "start" - ], - "action": "changed-login-id-to" + ] }, - "sekoiaio": { - "server": { - "os": { - "type": "linux" - }, - "name": "web-65" - }, - "client": { - "os": { - "type": "linux" - }, - "name": "web-65" - } + "@timestamp": "2021-11-09T18:35:01.754000Z", + "action": { + "outcome": 
"success" }, "agent": { "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a", + "hostname": "web-65", "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81", "name": "web-65", "type": "auditbeat", - "version": "7.15.1", - "hostname": "web-65" + "version": "7.15.1" }, "auditbeat": {}, "auditd": { "data": { - "tty": "(none)", - "old-ses": "4294967295" + "old-ses": "4294967295", + "tty": "(none)" }, + "message_type": "login", + "result": "success", + "sequence": 11578, "session": "436", "summary": { "actor": { @@ -1136,32 +1129,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "user-session" } }, - "message_type": "login", - "sequence": 11578, - "result": "success", "user": {} }, + "client": { + "address": [ + "66.253.230.251" + ], + "ip": [ + "66.253.230.251" + ], + "mac": [ + "5e:55:38:73:40:a4" + ] + }, "host": { + "architecture": "x86_64", "containerized": false, + "hostname": "web-65", + "id": "7dd912136af040e4a6ea4f683010b824", "ip": [ "66.253.230.251" ], "mac": [ "5e:55:38:73:40:a4" ], - "hostname": "web-65", - "architecture": "x86_64", + "name": "web-65", "os": { "codename": "bionic", - "type": "linux", - "platform": "ubuntu", - "version": "18.04.6 LTS (Bionic Beaver)", "family": "debian", - "name": "Ubuntu", - "kernel": "4.15.0-161-generic" - }, - "name": "web-65", - "id": "7dd912136af040e4a6ea4f683010b824" + "kernel": "4.15.0-161-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "18.04.6 LTS (Bionic Beaver)" + } }, "log": { "hostname": "web-65" 
@@ -1170,17 +1171,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "pid": 20899 }, "related": { + "hosts": [ + "web-65" + ], + "ip": [ + "66.253.230.251" + ] + }, + "sekoiaio": { + "client": { + "name": "web-65", + "os": { + "type": "linux" + } + }, + "server": { + "name": "web-65", + "os": { + "type": "linux" + } + } + }, + "server": { "ip": [ "66.253.230.251" ], - "hosts": [ - "web-65" + "mac": [ + "5e:55:38:73:40:a4" ] }, "service": { "type": "auditd" }, - "@timestamp": "2021-11-09T18:35:01.754000Z", "user": { "audit": { "id": "0", @@ -1190,28 +1212,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "0", "name": "root" } - }, - "server": { - "ip": [ - "66.253.230.251" - ], - "mac": [ - "5e:55:38:73:40:a4" - ] - }, - "client": { - "ip": [ - "66.253.230.251" - ], - "mac": [ - "5e:55:38:73:40:a4" - ], - "address": [ - "66.253.230.251" - ] - }, - "action": { - "outcome": "success" } } 
@@ -1225,19 +1225,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-11-09T19:02:33.866Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"kind\":\"event\",\"type\":[\"start\"],\"module\":\"auditd\",\"category\":[\"process\"],\"action\":\"started-service\",\"outcome\":\"success\"},\"user\":{\"id\":\"16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e\",\"name\":\"X9PzJKityWAFaA5i\"},\"process\":{\"pid\":1,\"name\":\"systemd\",\"executable\":\"/lib/systemd/systemd\"},\"auditd\":{\"result\":\"success\",\"data\":{\"unit\":\"anacron\"},\"summary\":{\"how\":\"/lib/systemd/systemd\",\"actor\":{\"primary\":\"unset\",\"secondary\":\"X9PzJKityWAFaA5i\"},\"object\":{\"primary\":\"anacron\",\"type\":\"service\"}},\"message_type\":\"service_start\",\"sequence\":12295},\"service\":{\"type\":\"auditd\"},\"ecs\":{\"version\":\"1.11.16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e\"},\"host\":{\"hostname\":\"LCPmbaxBgGyJj8VH\",\"architecture\":\"x86_64\",\"os\":{\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\",\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\"},\"name\":\"LCPmbaxBgGyJj8VH\",\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"87.138.107.154\"],\"mac\":[\"09:d0:5f:99:43:f6\"]},\"agent\":{\"hostname\":\"LCPmbaxBgGyJj8VH\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\",\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"LCPmbaxBgGyJj8VH\",\"type\":\"auditbeat\",\"version\":\"7.15.1\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": "started-service", "category": [ "process" ], + "kind": "event", + "module": "auditd", "type": [ "start" - ], - "action": "started-service" + ] }, + "@timestamp": "2021-11-09T19:02:33.866000Z", "agent": { - "hostname": "LCPmbaxBgGyJj8VH", "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a", + "hostname": 
"LCPmbaxBgGyJj8VH", "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81", "name": "LCPmbaxBgGyJj8VH", "type": "auditbeat", 
@@ -1245,73 +1246,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "auditbeat": {}, "auditd": { - "result": "success", "data": { "unit": "anacron" }, + "message_type": "service_start", + "result": "success", + "sequence": 12295, "summary": { - "how": "/lib/systemd/systemd", "actor": { "primary": "unset", "secondary": "X9PzJKityWAFaA5i" }, + "how": "/lib/systemd/systemd", "object": { "primary": "anacron", "type": "service" } }, - "message_type": "service_start", - "sequence": 12295, "user": {} }, "host": { - "hostname": "LCPmbaxBgGyJj8VH", "architecture": "x86_64", - "os": { - "name": "Ubuntu", - "kernel": "4.15.0-161-generic", - "codename": "bionic", - "type": "linux", - "platform": "ubuntu", - "version": "18.04.6 LTS (Bionic Beaver)", - "family": "debian" - }, - "name": "LCPmbaxBgGyJj8VH", - "id": "7dd912136af040e4a6ea4f683010b824", "containerized": false, + "hostname": "LCPmbaxBgGyJj8VH", + "id": "7dd912136af040e4a6ea4f683010b824", "ip": [ "87.138.107.154" ], "mac": [ "09:d0:5f:99:43:f6" - ] + ], + "name": "LCPmbaxBgGyJj8VH", + "os": { + "codename": "bionic", + "family": "debian", + "kernel": "4.15.0-161-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "18.04.6 LTS (Bionic Beaver)" + } }, "log": { "hostname": "LCPmbaxBgGyJj8VH" }, "process": { - "pid": 1, + "executable": "/lib/systemd/systemd", "name": "systemd", - "executable": "/lib/systemd/systemd" - }, - "service": { - "type": "auditd" - }, - "@timestamp": "2021-11-09T19:02:33.866000Z", - "user": { - "id": "16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e", - "name": "X9PzJKityWAFaA5i" + "pid": 1 }, "related": { - "ip": [ - "87.138.107.154" - ], "hosts": [ "LCPmbaxBgGyJj8VH" ], + "ip": [ + "87.138.107.154" + ], "user": [ "X9PzJKityWAFaA5i" ] + }, + "service": { + "type": "auditd" + }, + "user": { + "id": "16bb03ba-2e90-4c98-a5c8-c3d8b8b52c1e", + "name": "X9PzJKityWAFaA5i" } } 
@@ -1325,19 +1325,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"message\":\"Process containerd (PID: 1197) by user root is RUNNING\",\"user\":{\"group\":{\"name\":\"root\",\"id\":\"0\"},\"effective\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}},\"saved\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}},\"name\":\"root\",\"id\":\"0\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"],\"type\":[\"info\"]},\"process\":{\"args\":[\"containerd\"],\"pid\":1197,\"ppid\":1,\"working_directory\":\"/\",\"entity_id\":\"AZERTYqsdfghjklm\",\"name\":\"containerd\",\"executable\":\"/usr/bin/containerd\",\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"}, \"command_line\": \"/usr/bin/containerd\"}}", "event": { - "kind": "state", - "module": "system", + "action": "existing_process", "category": [ "process" ], + "kind": "state", + "module": "system", "type": [ "info" - ], - "action": "existing_process" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { - "hostname": "fame", "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm", + "hostname": "fame", "id": "12345678-azer-1234-a1z2-12qsdfghjklm", "name": "fame", "type": "auditbeat", @@ -1352,10 +1353,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "0" }, "saved": { - "id": "0", "group": { "id": "0" - } + }, + "id": "0" } } }, 
@@ -1369,50 +1370,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "args": [ "containerd" ], - "pid": 1197, - "working_directory": "/", + "command_line": "/usr/bin/containerd", "entity_id": "AZERTYqsdfghjklm", - "name": "containerd", "executable": "/usr/bin/containerd", - "start": "2021-01-01T00:01:01Z", "hash": { "sha1": "azertyuiop1234567890" }, - "command_line": "/usr/bin/containerd", + "name": "containerd", "parent": { "pid": 1 - } + }, + "pid": 1197, + "start": "2021-01-01T00:01:01Z", + "working_directory": "/" + }, + "related": { + "hash": [ + "azertyuiop1234567890" + ], + "user": [ + "root" + ] }, "service": { "type": "system" }, - "@timestamp": "2021-01-01T00:01:01Z", "user": { - "group": { - "name": "root", - "id": "0" - }, "effective": { - "id": "0", "group": { "id": "0" - } + }, + "id": "0" + }, + "group": { + "id": "0", + "name": "root" }, + "id": "0", + "name": "root", "saved": { "group": { "id": "0" } - }, - "name": "root", - "id": "0" - }, - "related": { - "hash": [ - "azertyuiop1234567890" - ], - "user": [ - "root" - ] + } } } 
@@ -1426,23 +1426,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"message\":\"Process unattended-upgr (PID: 1195) by user root is RUNNING\",\"user\":{\"name\":\"root\",\"id\":\"0\",\"group\":{\"id\":\"0\",\"name\":\"root\"},\"effective\":{\"group\":{\"id\":\"0\"},\"id\":\"0\"},\"saved\":{\"id\":\"0\",\"group\":{\"id\":\"0\"}}},\"service\":{\"type\":\"system\"},\"event\":{\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"]},\"process\":{\"args\":[\"/usr/bin/python3\",\"/usr/share/unattended-upgrades/unattended-upgrade-shutdown\",\"--wait-for-signal\"],\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"name\":\"unattended-upgr\",\"entity_id\":\"rvSkGilnHCy6yuIZ\",\"pid\":1195,\"ppid\":1,\"executable\":\"/usr/bin/python3.8\",\"working_directory\":\"/\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"}}", "event": { - "kind": "state", - "module": "system", + "action": "existing_process", "category": [ "process" ], + "kind": "state", + "module": "system", "type": [ "info" - ], - "action": "existing_process" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { - "version": "7.13.0", - "hostname": "fame", "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm", + "hostname": "fame", "id": "12345678-azer-1234-a1z2-12qsdfghjklm", "name": "fame", - "type": "auditbeat" + "type": "auditbeat", + "version": "7.13.0" }, "auditbeat": { "message": "Process unattended-upgr (PID: 1195) by user root is RUNNING" 
@@ -1453,10 +1454,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "0" }, "saved": { - "id": "0", "group": { "id": "0" - } + }, + "id": "0" } } }, @@ -1468,54 +1469,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "args": [ + "--wait-for-signal", "/usr/bin/python3", - "/usr/share/unattended-upgrades/unattended-upgrade-shutdown", - "--wait-for-signal" + "/usr/share/unattended-upgrades/unattended-upgrade-shutdown" ], - "start": "2021-01-01T00:01:01Z", + "command_line": "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal", + "entity_id": "rvSkGilnHCy6yuIZ", + "executable": "/usr/bin/python3.8", "hash": { "sha1": "azertyuiop1234567890" }, "name": "unattended-upgr", - "entity_id": "rvSkGilnHCy6yuIZ", - "pid": 1195, - "executable": "/usr/bin/python3.8", - "working_directory": "/", "parent": { "pid": 1 }, - "command_line": "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal" + "pid": 1195, + "start": "2021-01-01T00:01:01Z", + "working_directory": "/" + }, + "related": { + "hash": [ + "azertyuiop1234567890" + ], + "user": [ + "root" + ] }, "service": { "type": "system" }, - "@timestamp": "2021-01-01T00:01:01Z", "user": { - "name": "root", - "id": "0", - "group": { - "id": "0", - "name": "root" - }, "effective": { "group": { "id": "0" }, "id": "0" }, + "group": { + "id": "0", + "name": "root" + }, + "id": "0", + "name": "root", "saved": { "group": { "id": "0" } } - }, - "related": { - "hash": [ - "azertyuiop1234567890" - ], - "user": [ - "root" - ] } } 
@@ -1529,37 +1529,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"},\"user\":{\"effective\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"saved\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"name\":\"postgres\",\"id\":\"114\",\"group\":{\"name\":\"postgres\",\"id\":\"121\"}},\"service\":{\"type\":\"system\"},\"event\":{\"category\":[\"process\"],\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\"},\"process\":{\"executable\":\"/usr/lib/postgresql/9.5/bin/postgres\",\"ppid\":1231,\"start\":\"2021-01-01T00:01:01.000Z\",\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"name\":\"postgres\",\"args\":[\"postgres: cuckoo cuckoo 127.0.0.1(45786) idle\"],\"entity_id\":\"azertyuiop\",\"working_directory\":\"/var/lib/postgresql/9.5/main\",\"pid\":207706},\"message\":\"Process postgres (PID: 207706) by user postgres is RUNNING\"}", "event": { - "kind": "state", - "module": "system", + "action": "existing_process", "category": [ "process" ], + "kind": "state", + "module": "system", "type": [ "info" - ], - "action": "existing_process" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { - "version": "7.13.0", - "hostname": "fame", "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm", + "hostname": "fame", "id": "12345678-azer-1234-a1z2-12qsdfghjklm", "name": "fame", - "type": "auditbeat" + "type": "auditbeat", + "version": "7.13.0" }, "auditbeat": { "message": "Process postgres (PID: 207706) by user postgres is RUNNING" }, "auditd": { 
"user": { + "group": { + "id": "121" + }, "saved": { - "id": "114", "group": { "id": "121" - } - }, - "group": { - "id": "121" + }, + "id": "114" } } }, @@ -1570,52 +1571,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "fame" }, "process": { + "args": [ + "postgres: cuckoo cuckoo 127.0.0.1(45786) idle" + ], + "entity_id": "azertyuiop", "executable": "/usr/lib/postgresql/9.5/bin/postgres", - "start": "2021-01-01T00:01:01Z", "hash": { "sha1": "azertyuiop1234567890" }, "name": "postgres", - "args": [ - "postgres: cuckoo cuckoo 127.0.0.1(45786) idle" - ], - "entity_id": "azertyuiop", - "working_directory": "/var/lib/postgresql/9.5/main", - "pid": 207706, "parent": { "pid": 1231 - } + }, + "pid": 207706, + "start": "2021-01-01T00:01:01Z", + "working_directory": "/var/lib/postgresql/9.5/main" + }, + "related": { + "hash": [ + "azertyuiop1234567890" + ], + "user": [ + "postgres" + ] }, "service": { "type": "system" }, - "@timestamp": "2021-01-01T00:01:01Z", "user": { "effective": { - "id": "114", "group": { "id": "121" - } + }, + "id": "114" + }, + "group": { + "id": "121", + "name": "postgres" }, + "id": "114", + "name": "postgres", "saved": { "group": { "id": "121" } - }, - "name": "postgres", - "id": "114", - "group": { - "name": "postgres", - "id": "121" } - }, - "related": { - "hash": [ - "azertyuiop1234567890" - ], - "user": [ - "postgres" - ] } } 
@@ -1629,40 +1629,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"related\":{\"ip\":[\"127.0.0.1\",\"127.0.0.1\"]},\"service\":{\"type\":\"system\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"client\":{\"port\":88888,\"packets\":1,\"bytes\":52,\"ip\":\"127.0.0.1\"},\"system\":{\"audit\":{\"socket\":{\"kernel_sock_address\":\"0xffff8e9955b02300\"}}},\"network\":{\"direction\":\"unknown\",\"type\":\"ipv4\",\"transport\":\"tcp\",\"packets\":2,\"bytes\":84,\"community_id\":\"12345678901234567891234567890\"},\"event\":{\"duration\":116168,\"module\":\"system\",\"kind\":\"event\",\"action\":\"network_flow\",\"type\":[\"info\",\"connection\"],\"dataset\":\"socket\",\"end\":\"2021-01-01T00:01:01.000Z\",\"category\":[\"network\",\"network_traffic\"],\"start\":\"2021-01-01T00:01:01.000Z\"},\"flow\":{\"complete\":false,\"final\":true},\"agent\":{\"version\":\"7.13.0\",\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\"},\"source\":{\"packets\":1,\"bytes\":52,\"ip\":\"127.0.0.1\",\"port\":88888},\"destination\":{\"port\":11111,\"packets\":1,\"bytes\":32,\"ip\":\"127.0.0.1\"},\"server\":{\"ip\":\"127.0.0.1\",\"port\":11111,\"packets\":1,\"bytes\":32}}", "event": { - "kind": "event", - "module": "system", + "action": "network_flow", "category": [ "network", "network_traffic" ], + "kind": "event", + "module": "system", "type": [ - "info", - "connection" - ], - "action": "network_flow" + "connection", + "info" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { - "version": "7.13.0", - "hostname": "fame", "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm", + "hostname": "fame", "id": "12345678-azer-1234-a1z2-12qsdfghjklm", "name": "fame", - "type": "auditbeat" + 
"type": "auditbeat", + "version": "7.13.0" }, "auditbeat": {}, "client": { - "port": 88888, - "packets": 1, + "address": "127.0.0.1", "bytes": 52, "ip": "127.0.0.1", - "address": "127.0.0.1" + "packets": 1, + "port": 88888 }, "destination": { - "port": 11111, - "packets": 1, + "address": "127.0.0.1", "bytes": 32, "ip": "127.0.0.1", - "address": "127.0.0.1" + "packets": 1, + "port": 11111 }, "host": { "name": "fame" @@ -1671,12 +1672,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "fame" }, "network": { + "bytes": 84, + "community_id": "12345678901234567891234567890", "direction": "unknown", - "type": "ipv4", - "transport": "tcp", "packets": 2, - "bytes": 84, - "community_id": "12345678901234567891234567890" + "transport": "tcp", + "type": "ipv4" }, "related": { "ip": [ @@ -1684,23 +1685,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "server": { + "bytes": 32, "ip": "127.0.0.1", - "port": 11111, "packets": 1, - "bytes": 32 + "port": 11111 }, "service": { "type": "system" }, "source": { - "packets": 1, + "address": "127.0.0.1", "bytes": 52, "ip": "127.0.0.1", - "port": 88888, - "address": "127.0.0.1" + "packets": 1, + "port": 88888 }, - "system": {}, - "@timestamp": "2021-01-01T00:01:01Z" + "system": {} } ``` 
@@ -1713,19 +1713,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"user\":{\"group\":{\"name\":\"messagebus\",\"id\":\"110\"},\"effective\":{\"id\":\"106\",\"group\":{\"id\":\"110\"}},\"saved\":{\"group\":{\"id\":\"110\"},\"id\":\"106\"},\"name\":\"messagebus\",\"id\":\"106\"},\"ecs\":{\"version\":\"1.9.0\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"hostname\":\"fame\",\"ephemeral_id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"category\":[\"process\"],\"type\":[\"info\"],\"action\":\"existing_process\",\"id\":\"12345678-azer-1234-a1z2-12qsdfghjklm\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\"},\"process\":{\"args\":[\"/usr/bin/dbus-daemon\",\"--system\",\"--address=systemd:\",\"--nofork\",\"--nopidfile\",\"--systemd-activation\",\"--syslog-only\"],\"hash\":{\"sha1\":\"azertyuiop1234567890\"},\"entity_id\":\"azertyuiop\",\"working_directory\":\"/\",\"ppid\":1,\"pid\":645,\"start\":\"2021-01-01T00:01:01.000Z\",\"executable\":\"/usr/bin/dbus-daemon\",\"name\":\"dbus-daemon\"},\"message\":\"Process dbus-daemon (PID: 645) by user messagebus is RUNNING\"}", "event": { - "kind": "state", - "module": "system", + "action": "existing_process", "category": [ "process" ], + "kind": "state", + "module": "system", "type": [ "info" - ], - "action": "existing_process" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { - "hostname": "fame", "ephemeral_id": "12345678-azer-1234-a1z2-12qsdfghjklm", + "hostname": "fame", "id": "12345678-azer-1234-a1z2-12qsdfghjklm", "name": "fame", "type": "auditbeat", 
@@ -1755,58 +1756,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "args": [ - "/usr/bin/dbus-daemon", - "--system", "--address=systemd:", "--nofork", "--nopidfile", + "--syslog-only", + "--system", "--systemd-activation", - "--syslog-only" + "/usr/bin/dbus-daemon" ], + "command_line": "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", + "entity_id": "azertyuiop", + "executable": "/usr/bin/dbus-daemon", "hash": { "sha1": "azertyuiop1234567890" }, - "entity_id": "azertyuiop", - "working_directory": "/", - "pid": 645, - "start": "2021-01-01T00:01:01Z", - "executable": "/usr/bin/dbus-daemon", "name": "dbus-daemon", "parent": { "pid": 1 }, - "command_line": "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only" + "pid": 645, + "start": "2021-01-01T00:01:01Z", + "working_directory": "/" + }, + "related": { + "hash": [ + "azertyuiop1234567890" + ], + "user": [ + "messagebus" + ] }, "service": { "type": "system" }, - "@timestamp": "2021-01-01T00:01:01Z", "user": { - "group": { - "name": "messagebus", - "id": "110" - }, "effective": { - "id": "106", "group": { "id": "110" - } + }, + "id": "106" + }, + "group": { + "id": "110", + "name": "messagebus" }, + "id": "106", + "name": "messagebus", "saved": { "group": { "id": "110" } - }, - "name": "messagebus", - "id": "106" - }, - "related": { - "hash": [ - "azertyuiop1234567890" - ], - "user": [ - "messagebus" - ] + } } } 
@@ -1820,37 +1820,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"service\":{\"type\":\"system\"},\"event\":{\"action\":\"existing_process\",\"id\":\"e9c16612-2053-4bc6-86aa-7e04c6114ecc\",\"module\":\"system\",\"dataset\":\"process\",\"kind\":\"state\",\"category\":[\"process\"],\"type\":[\"info\"]},\"process\":{\"executable\":\"/usr/lib/postgresql/9.5/bin/postgres\",\"entity_id\":\"1234zertyui\",\"ppid\":1231,\"start\":\"2021-01-01T00:01:01.000Z\",\"name\":\"postgres\",\"pid\":1234,\"working_directory\":\"/var/lib/postgresql/9.5/main\",\"hash\":{\"sha1\":\"12345678901234567891234567890\"},\"args\":[\"postgres: wal writer process \"]},\"host\":{\"name\":\"fame\"},\"agent\":{\"ephemeral_id\":\"0101010-abcd-1234-a1b2c3d4e5f6g7h8\",\"id\":\"0101010-abcd-1234-a1b2c3d4e5f6g7h8\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\",\"hostname\":\"fame\"},\"ecs\":{\"version\":\"1.9.0\"},\"message\":\"Process postgres (PID: 1234) by user postgres is RUNNING\",\"user\":{\"effective\":{\"group\":{\"id\":\"121\"},\"id\":\"114\"},\"saved\":{\"id\":\"114\",\"group\":{\"id\":\"121\"}},\"name\":\"postgres\",\"id\":\"114\",\"group\":{\"id\":\"121\",\"name\":\"postgres\"}}}", "event": { - "kind": "state", - "module": "system", + "action": "existing_process", "category": [ "process" ], + "kind": "state", + "module": "system", "type": [ "info" - ], - "action": "existing_process" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { "ephemeral_id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8", + "hostname": "fame", "id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8", "name": "fame", "type": "auditbeat", - "version": "7.13.0", - "hostname": "fame" + "version": "7.13.0" }, "auditbeat": { "message": "Process postgres (PID: 1234) by user postgres is RUNNING" }, "auditd": { "user": { + "group": { + "id": "121" + }, 
"saved": { - "id": "114", "group": { "id": "121" - } - }, - "group": { - "id": "121" + }, + "id": "114" } } }, @@ -1861,26 +1862,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "fame" }, "process": { - "executable": "/usr/lib/postgresql/9.5/bin/postgres", + "args": [ + "postgres: wal writer process " + ], "entity_id": "1234zertyui", - "start": "2021-01-01T00:01:01Z", - "name": "postgres", - "pid": 1234, - "working_directory": "/var/lib/postgresql/9.5/main", + "executable": "/usr/lib/postgresql/9.5/bin/postgres", "hash": { "sha1": "12345678901234567891234567890" }, - "args": [ - "postgres: wal writer process " - ], + "name": "postgres", "parent": { "pid": 1231 - } + }, + "pid": 1234, + "start": "2021-01-01T00:01:01Z", + "working_directory": "/var/lib/postgresql/9.5/main" + }, + "related": { + "hash": [ + "12345678901234567891234567890" + ], + "user": [ + "postgres" + ] }, "service": { "type": "system" }, - "@timestamp": "2021-01-01T00:01:01Z", "user": { "effective": { "group": { @@ -1888,25 +1896,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "id": "114" }, + "group": { + "id": "121", + "name": "postgres" + }, + "id": "114", + "name": "postgres", "saved": { "group": { "id": "121" } - }, - "name": "postgres", - "id": "114", - "group": { - "id": "121", - "name": "postgres" } - }, - "related": { - "hash": [ - "12345678901234567891234567890" - ], - "user": [ - "postgres" - ] } } 
@@ -1920,47 +1920,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-01-01T00:01:01.000Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.13.0\"},\"destination\":{\"bytes\":123,\"ip\":\"8.8.8.8\",\"port\":53,\"packets\":1},\"event\":{\"end\":\"2021-01-01T00:01:01.000Z\",\"type\":[\"info\",\"connection\"],\"action\":\"network_flow\",\"dataset\":\"socket\",\"kind\":\"event\",\"category\":[\"network\",\"network_traffic\"],\"start\":\"2021-01-01T00:01:01.000Z\",\"duration\":12345,\"module\":\"system\"},\"process\":{\"pid\":9876543,\"name\":\"smtp\",\"args\":[\"smtp\",\"-t\",\"unix\",\"-u\",\"-c\"],\"executable\":\"/usr/lib/postfix/sbin/smtp\",\"created\":\"2021-01-01T00:01:01.000Z\"},\"client\":{\"bytes\":70,\"domain\":\"malware1.viralstudio.org\",\"ip\":\"255.255.255.1\",\"port\":58855,\"packets\":1},\"ecs\":{\"version\":\"1.9.0\"},\"server\":{\"bytes\":123,\"ip\":\"8.8.8.8\",\"port\":53,\"packets\":1},\"source\":{\"domain\":\"malware1.viralstudio.org\",\"ip\":\"255.255.255.1\",\"port\":58855,\"packets\":1,\"bytes\":70},\"network\":{\"transport\":\"udp\",\"packets\":2,\"bytes\":210,\"community_id\":\"azertyuiopsdfghjklm\",\"direction\":\"egress\",\"type\":\"ipv4\"},\"group\":{\"id\":\"0\",\"name\":\"root\"},\"service\":{\"type\":\"system\"},\"host\":{\"name\":\"fame\"},\"agent\":{\"ephemeral_id\":\"0101010-abcd-1234-a1b2c3d4e5f6g7h8\",\"id\":\"123poi-99zz-4qzds099-qsd-azerty\",\"name\":\"fame\",\"type\":\"auditbeat\",\"version\":\"7.13.0\",\"hostname\":\"fame\"},\"flow\":{\"final\":true,\"complete\":false},\"related\":{\"ip\":[\"255.255.255.1\",\"8.8.8.8\"],\"user\":[\"root\"]},\"user\":{\"id\":\"0\",\"name\":\"root\"},\"system\":{\"audit\":{\"socket\":{\"gid\":0,\"euid\":0,\"egid\":0,\"kernel_sock_address\":\"0xffffffffffffff\",\"uid\":0}}}}", "event": { - "kind": "event", - "module": "system", + "action": "network_flow", "category": [ "network", "network_traffic" ], + "kind": 
"event", + "module": "system", "type": [ - "info", - "connection" - ], - "action": "network_flow" + "connection", + "info" + ] }, + "@timestamp": "2021-01-01T00:01:01Z", "agent": { "ephemeral_id": "0101010-abcd-1234-a1b2c3d4e5f6g7h8", + "hostname": "fame", "id": "123poi-99zz-4qzds099-qsd-azerty", "name": "fame", "type": "auditbeat", - "version": "7.13.0", - "hostname": "fame" + "version": "7.13.0" }, "auditbeat": {}, "auditd": { "user": {} }, "client": { + "address": "malware1.viralstudio.org", "bytes": 70, "domain": "malware1.viralstudio.org", "ip": "255.255.255.1", - "port": 58855, "packets": 1, - "address": "malware1.viralstudio.org", - "top_level_domain": "org", + "port": 58855, + "registered_domain": "viralstudio.org", "subdomain": "malware1", - "registered_domain": "viralstudio.org" + "top_level_domain": "org" }, "destination": { + "address": "8.8.8.8", "bytes": 123, "ip": "8.8.8.8", - "port": 53, "packets": 1, - "address": "8.8.8.8" + "port": 53 }, "group": { "id": "0", @@ -1973,25 +1974,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "fame" }, "network": { - "transport": "udp", - "packets": 2, "bytes": 210, "community_id": "azertyuiopsdfghjklm", "direction": "egress", + "packets": 2, + "transport": "udp", "type": "ipv4" }, "process": { - "pid": 9876543, - "name": "smtp", "args": [ - "smtp", + "-c", "-t", - "unix", "-u", - "-c" + "smtp", + "unix" ], + "command_line": "smtp -t unix -u -c", "executable": "/usr/lib/postfix/sbin/smtp", - "command_line": "smtp -t unix -u -c" + "name": "smtp", + "pid": 9876543 }, "related": { "hosts": [ 
@@ -2008,25 +2009,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "server": { "bytes": 123, "ip": "8.8.8.8", - "port": 53, - "packets": 1 + "packets": 1, + "port": 53 }, "service": { "type": "system" }, "source": { + "address": "malware1.viralstudio.org", + "bytes": 70, "domain": "malware1.viralstudio.org", "ip": "255.255.255.1", - "port": 58855, "packets": 1, - "bytes": 70, - "address": "malware1.viralstudio.org", - "top_level_domain": "org", + "port": 58855, + "registered_domain": "viralstudio.org", "subdomain": "malware1", - "registered_domain": "viralstudio.org" + "top_level_domain": "org" }, "system": {}, - "@timestamp": "2021-01-01T00:01:01Z", "user": { "id": "0", "name": "root" 
@@ -2043,30 +2043,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2021-11-09T16:17:55.149Z\",\"@metadata\":{\"beat\":\"auditbeat\",\"type\":\"_doc\",\"version\":\"7.15.1\"},\"event\":{\"kind\":\"event\",\"type\":[\"start\"],\"module\":\"auditd\",\"category\":[\"process\"],\"action\":\"ran-command\",\"outcome\":\"success\"},\"user\":{\"id\":\"4e8ff660-f139-4248-8b64-ad29495fca9e\",\"name\":\"NElD74Hc4MX8PjLF\",\"audit\":{\"id\":\"4e8ff660-f139-4248-8b64-ad29495fca9e\",\"name\":\"NElD74Hc4MX8PjLF\"}},\"host\":{\"hostname\":\"web-66\",\"architecture\":\"x86_64\",\"os\":{\"type\":\"linux\",\"platform\":\"ubuntu\",\"version\":\"18.04.6 LTS (Bionic Beaver)\",\"family\":\"debian\",\"name\":\"Ubuntu\",\"kernel\":\"4.15.0-161-generic\",\"codename\":\"bionic\"},\"id\":\"7dd912136af040e4a6ea4f683010b824\",\"containerized\":false,\"ip\":[\"173.8.126.146\"],\"name\":\"web-66\",\"mac\":[\"57:4c:ff:5d:1e:41\"]},\"agent\":{\"id\":\"e9872892-b999-4ad5-83da-d6ec9dbc1f81\",\"name\":\"web-66\",\"type\":\"auditbeat\",\"version\":\"7.15.1\",\"hostname\":\"web-66\",\"ephemeral_id\":\"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a\"},\"ecs\":{\"version\":\"1.11.0\"},\"process\":{\"pid\":12416,\"working_directory\":\"/home/NElD74Hc4MX8PjLF/Documents/Projets/Qh1HoDnBg4mYfHhi\"},\"auditd\":{\"data\":{\"terminal\":\"pts/3\",\"cmd\":\"systemctl status auditbeat\"},\"session\":\"2\",\"summary\":{\"actor\":{\"primary\":\"NElD74Hc4MX8PjLF\",\"secondary\":\"NElD74Hc4MX8PjLF\"},\"object\":{\"primary\":\"systemctl status auditbeat\",\"type\":\"process\"}},\"message_type\":\"user_cmd\",\"sequence\":465,\"result\":\"success\"},\"service\":{\"type\":\"auditd\"}}", "event": { - "kind": "event", - "module": "auditd", + "action": "ran-command", "category": [ "process" ], + "kind": "event", + "module": "auditd", "type": [ "start" - ], - "action": "ran-command" + ] }, + "@timestamp": "2021-11-09T16:17:55.149000Z", "agent": { + "ephemeral_id": 
"f1ac5b09-4f0c-42cf-b9f7-f854eeae073a", + "hostname": "web-66", "id": "e9872892-b999-4ad5-83da-d6ec9dbc1f81", "name": "web-66", "type": "auditbeat", - "version": "7.15.1", - "hostname": "web-66", - "ephemeral_id": "f1ac5b09-4f0c-42cf-b9f7-f854eeae073a" + "version": "7.15.1" }, "auditbeat": {}, "auditd": { "data": { - "terminal": "pts/3", - "cmd": "systemctl status auditbeat" + "cmd": "systemctl status auditbeat", + "terminal": "pts/3" }, + "message_type": "user_cmd", + "result": "success", + "sequence": 465, "session": "2", "summary": { "actor": { @@ -2078,32 +2082,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "process" } }, - "message_type": "user_cmd", - "sequence": 465, - "result": "success", "user": {} }, "host": { - "hostname": "web-66", "architecture": "x86_64", - "os": { - "type": "linux", - "platform": "ubuntu", - "version": "18.04.6 LTS (Bionic Beaver)", - "family": "debian", - "name": "Ubuntu", - "kernel": "4.15.0-161-generic", - "codename": "bionic" - }, - "id": "7dd912136af040e4a6ea4f683010b824", "containerized": false, + "hostname": "web-66", + "id": "7dd912136af040e4a6ea4f683010b824", "ip": [ "173.8.126.146" ], - "name": "web-66", "mac": [ "57:4c:ff:5d:1e:41" - ] + ], + "name": "web-66", + "os": { + "codename": "bionic", + "family": "debian", + "kernel": "4.15.0-161-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "18.04.6 LTS (Bionic Beaver)" + } }, "log": { "hostname": "web-66" 
@@ -2112,28 +2113,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "pid": 12416, "working_directory": "/home/NElD74Hc4MX8PjLF/Documents/Projets/Qh1HoDnBg4mYfHhi" }, - "service": { - "type": "auditd" - }, - "@timestamp": "2021-11-09T16:17:55.149000Z", - "user": { - "id": "4e8ff660-f139-4248-8b64-ad29495fca9e", - "name": "NElD74Hc4MX8PjLF", - "audit": { - "id": "4e8ff660-f139-4248-8b64-ad29495fca9e", - "name": "NElD74Hc4MX8PjLF" - } - }, "related": { - "ip": [ - "173.8.126.146" - ], "hosts": [ "web-66" ], + "ip": [ + "173.8.126.146" + ], "user": [ "NElD74Hc4MX8PjLF" ] + }, + "service": { + "type": "auditd" + }, + "user": { + "audit": { + "id": "4e8ff660-f139-4248-8b64-ad29495fca9e", + "name": "NElD74Hc4MX8PjLF" + }, + "id": "4e8ff660-f139-4248-8b64-ad29495fca9e", + "name": "NElD74Hc4MX8PjLF" } } diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index e480276b68..1f5faa8f6d 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md 
@@ -36,21 +36,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "09/29/2023:07:40:56 GMT ADC-WEB1 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", "event": { - "kind": "event", "category": [ "network" ], - "type": [ - "connection" - ], "code": "Message", "dataset": "audit_aaatm", - "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"" + "kind": "event", + "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", + "type": [ + "connection" + ] }, + "@timestamp": "2023-09-29T07:40:56Z", "observer": { "name": "ADC-WEB1" - }, - "@timestamp": "2023-09-29T07:40:56Z" + } } ``` 
@@ -63,40 +63,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_MULTIPLE_HEADER|6|src=1.2.3.4 geolocation=Unknown spt=61903 method=GET request=https://www.example.org/services msg=Multiple headers in request cn1=3755128 cn2=1636674 cs1=WAF_PRF_RULE1 cs2=PPE1 cs4=ALERT cs5=2023 act=blocked", "event": { - "kind": "alert", - "dataset": "alert", - "reason": "Multiple headers in request", "action": "blocked", "category": [ "network" ], + "dataset": "alert", + "kind": "alert", + "reason": "Multiple headers in request", "type": [ "denied" ] }, - "observer": { - "vendor": "Citrix", - "product": "NetScaler", - "version": "NS13.1" - }, - "source": { - "ip": "1.2.3.4", - "port": 61903, - "address": "1.2.3.4" - }, - "url": { - "original": "https://www.example.org/services", - "domain": "www.example.org", - "top_level_domain": "org", - "subdomain": "www", - "registered_domain": "example.org", - "path": "/services", - "scheme": "https", - "port": 443 - }, - "rule": { - "name": "WAF_PRF_RULE1" - }, "citrix": { "adc": { "alert": { @@ -109,10 +86,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "NetScaler", + "vendor": "Citrix", + "version": "NS13.1" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "rule": { + "name": "WAF_PRF_RULE1" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 61903 + }, + "url": { + "domain": "www.example.org", + "original": "https://www.example.org/services", + "path": "/services", + "port": 443, + "registered_domain": "example.org", + "scheme": "https", + "subdomain": "www", + "top_level_domain": "org" } } 
@@ -126,28 +126,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023/07/04:09:03:46 ADC-WEB1 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1", "event": { - "kind": "event", "category": [ "network" ], + "code": "CONN_TERMINATE", + "dataset": "audit_connection", + "kind": "event", "type": [ "connection" - ], - "code": "CONN_TERMINATE", - "dataset": "audit_connection" + ] }, "@timestamp": "2023-07-04T09:03:46Z", - "observer": { - "name": "ADC-WEB1" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "citrix": { "adc": { "bytes": { @@ -156,11 +145,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "name": "ADC-WEB1" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -174,28 +174,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1", "event": { - "kind": "event", "category": [ "network" ], + "code": "CONN_TERMINATE", + "dataset": "audit_connection", + "kind": "event", "type": [ "connection" - ], - "code": "CONN_TERMINATE", - "dataset": "audit_connection" + ] }, "@timestamp": "2023-07-04T09:03:46Z", - "observer": { - "name": "ADC-VPN" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "citrix": { "adc": { "bytes": { 
@@ -204,11 +193,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "name": "ADC-VPN" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -222,31 +222,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023/07/04:09:03:45 ADC-WEB1 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762", "event": { - "kind": "event", "category": [ "network" ], + "code": "CONN_DELINK", + "dataset": "audit_connection", + "kind": "event", "type": [ "connection" - ], - "code": "CONN_DELINK", - "dataset": "audit_connection" + ] }, "@timestamp": "2023-07-04T09:03:45Z", - "observer": { - "name": "ADC-WEB1" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "4.3.2.1" - }, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "citrix": { "adc": { "bytes": { @@ -259,12 +245,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "name": "ADC-WEB1" + }, "related": { "ip": [ "1.2.3.4", "4.3.2.1", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -278,40 +278,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLICY_HIT|6|src=1.2.3.4 geolocation=Unknown spt=62919 method=GET request=https://www.example.org/services msg=Application Firewall profile invoked cn1=3864530 cn2=1644557 cs1=WAF_PRF_RULE1 cs2=PPE2 cs4=ALERT cs5=2023 act=not blocked", "event": { - "kind": "alert", - "dataset": "alert", - "reason": "Application Firewall profile invoked", "action": "not blocked", "category": [ "network" ], + "dataset": "alert", + "kind": "alert", + "reason": "Application Firewall profile invoked", "type": [ "allowed" ] }, - "observer": { - "vendor": "Citrix", - "product": "NetScaler", - "version": "NS13.1" - }, - "source": { - "ip": "1.2.3.4", - "port": 62919, - "address": "1.2.3.4" - }, - "url": { - "original": "https://www.example.org/services", - "domain": "www.example.org", - "top_level_domain": "org", - "subdomain": "www", - "registered_domain": "example.org", - "path": "/services", - "scheme": "https", - "port": 443 - }, - "rule": { - "name": "WAF_PRF_RULE1" - }, "citrix": { "adc": { "alert": { @@ -324,10 +301,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "NetScaler", + "vendor": "Citrix", + "version": "NS13.1" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "rule": { + "name": "WAF_PRF_RULE1" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 62919 + }, + "url": { + "domain": "www.example.org", + "original": "https://www.example.org/services", + "path": "/services", + "port": 443, + "registered_domain": "example.org", + "scheme": "https", + "subdomain": "www", + "top_level_domain": "org" } } 
@@ -341,16 +341,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"2023/07/04:09:03:41 ADC-WEB1 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"", "event": { - "kind": "event", "category": [ "network" ], - "type": [ - "connection" - ], "code": "TRAP_SENT", "dataset": "audit_snmp", - "reason": "appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"" + "kind": "event", + "reason": "appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"", + "type": [ + "connection" + ] }, "@timestamp": "2023-07-04T09:03:41Z", "observer": { @@ -368,25 +368,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"", "event": { - "kind": "event", "category": [ "network" ], + "code": "SSL_HANDSHAKE_SUCCESS", + "dataset": "audit_ssl", + "kind": "event", "type": [ "connection" - ], - "code": "SSL_HANDSHAKE_SUCCESS", - "dataset": "audit_ssl" + ] }, "@timestamp": "2023-07-04T09:03:39Z", - "observer": { - "name": "ADC-VPN" - }, - "source": { - "ip": "1.2.3.4", - "port": 50130, - "address": "1.2.3.4" - }, "citrix": { "adc": { "virtual_server": { 
@@ -395,14 +387,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "tls": { - "version": "TLSv1", - "cipher": "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384" + "observer": { + "name": "ADC-VPN" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50130 + }, + "tls": { + "cipher": "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", + "version": "TLSv1" } } @@ -416,18 +416,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User , Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"", "event": { - "kind": "event", "category": [ "network" ], + "code": "Message", + "dataset": "audit_sslvpn", + "kind": "event", "type": [ "connection" - ], - "code": "Message", - "dataset": "audit_sslvpn" - }, - "observer": { - "name": "ADC-VPN" + ] }, "@timestamp": "2023-07-04T09:03:46Z", "citrix": { @@ -436,21 +433,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" }, - "rule": { - "name": "SESSPOL_VPN_Remoteadmin" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "name": "ADC-VPN" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "SESSPOL_VPN_Remoteadmin" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -464,37 +464,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context vpn35939@91.170.235.67 - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"", "event": { - "kind": "event", "category": [ "network" ], + "code": "NONHTTP_RESOURCEACCESS_DENIED", + "dataset": "audit_sslvpn", + "kind": "event", "type": [ "connection" - ], - "code": "NONHTTP_RESOURCEACCESS_DENIED", - "dataset": "audit_sslvpn" + ] }, "@timestamp": "2023-07-04T09:03:39Z", - "observer": { - "name": "ADC-VPN" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "4.3.2.1" - }, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "user": { - "name": "vpn35939" - }, - "rule": { - "name": "AUTHZ_DENY" - }, "citrix": { "adc": { "virtual_server": { @@ -503,6 +483,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "name": "ADC-VPN" + }, "related": { "ip": [ "1.2.3.4", @@ -512,6 +499,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "vpn35939" ] + }, + "rule": { + "name": "AUTHZ_DENY" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "name": "vpn35939" } } diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md index fc0ea81b7f..879bd0cb6d 100644 
--- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md @@ -37,12 +37,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"warning\",\n \"serverTimestamp\": 1678195081729,\n \"txId\": \"0000-153e807091c80268\",\n \"persistenceTimestamp\": 1678195082974,\n \"source\": \"JScript\",\n \"subscription\": {\n \"id\": \"b53a169f-ccf2-4390-acf4-73ba063f67a8\"\n },\n \"engine\": \"AMSI\",\n \"action\": \"blocked\",\n \"details\": {\n \"alertType\": \"amsi.infection.block\",\n \"appName\": \"JScript\",\n \"clientTimestamp\": \"1678195078575\",\n \"contentName\": \"C:\\\\Temp-Scan-AMSI\\\\infected.js\",\n \"hostIpAddress\": \"10.61.40.32/22\",\n \"infectionName\": \"Testfile:JS/F-Secure_testfile.D\",\n \"path\": \"C:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"profileId\": \"910739\",\n \"profileName\": \"TA_TEST_2\",\n \"profileVersion\": \"1675782455\",\n \"sha1\": \"1aef59dac1e2328b402d6fee5b5f76439ce98f43\",\n \"throttledCount\": \"0\",\n \"userName\": \"DESKTOP-1FHRKR9\\\\tadmin\"\n },\n \"id\": \"f9df27ec-ead4-3d55-87b9-4b9d59c48091_0\",\n \"device\": {\n \"agentId\": \"c07b9280-f878-47e8-9222-cc4dee1c224d\",\n \"clientType\": \"computerProtectionPremium\",\n \"id\": 0,\n \"name\": \"ta_test3235\"\n },\n \"account\": {\n \"name\": \"ta-ccf-psb-company\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/e2675985-4c4d-4467-ac60-87f075075b92/6b76acd1-95d5-45c9-aa70-1b4e3c27931c/\",\n \"uuid\": \"6b76acd1-95d5-45c9-aa70-1b4e3c27931c\"\n },\n \"tenant\": \"478444\"\n}\n", "event": { - "kind": "event", - "dataset": "AMSI", "action": "blocked", "category": [ "malware" ], + "dataset": "AMSI", + "kind": "event", "type": [ "info" ] 
@@ -52,28 +52,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ta_test3235", "type": "WithSecure Agent" }, - "host": { - "hostname": "ta_test3235", - "name": "ta_test3235" - }, - "user": { - "name": "DESKTOP-1FHRKR9\\tadmin" - }, "file": { "hash": { "sha1": "1aef59dac1e2328b402d6fee5b5f76439ce98f43" }, - "path": "C:\\Windows\\SysWOW64\\cscript.exe", - "name": "cscript.exe" + "name": "cscript.exe", + "path": "C:\\Windows\\SysWOW64\\cscript.exe" }, - "withsecure": { - "severity": "warning", - "infection": { - "name": "Testfile:JS/F-Secure_testfile.D" - }, - "amsi": { - "content_name": "C:\\Temp-Scan-AMSI\\infected.js" - } + "host": { + "hostname": "ta_test3235", + "name": "ta_test3235" }, "package": { "name": "JScript" @@ -88,6 +76,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "DESKTOP-1FHRKR9\\tadmin" ] + }, + "user": { + "name": "DESKTOP-1FHRKR9\\tadmin" + }, + "withsecure": { + "amsi": { + "content_name": "C:\\Temp-Scan-AMSI\\infected.js" + }, + "infection": { + "name": "Testfile:JS/F-Secure_testfile.D" + }, + "severity": "warning" } } 
@@ -101,13 +101,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"warning\",\n \"serverTimestamp\": 1677506888211,\n \"txId\": \"0000-bd779a8b0fb23d1b\",\n \"persistenceTimestamp\": 1677506888507,\n \"source\": \"\",\n \"subscription\": {\n \"id\": \"8ff722e2-b018-4ea7-b398-ad00aa7a09fa\"\n },\n \"engine\": \"browsingProtection\",\n \"action\": \"blocked\",\n \"details\": {\n \"alertType\": \"online_safety.denied_page.block\",\n \"clientTimestamp\": \"1677506887736\",\n \"hostIpAddress\": \"10.61.33.187/25\",\n \"process\": \"firefox.exe\",\n \"profileId\": \"56358066\",\n \"profileName\": \"test profile\",\n \"profileVersion\": \"1677506759\",\n \"reason\": \"WF_Denied\",\n \"throttledCount\": \"0\",\n \"userName\": \"win10-21h1\\\\tadmin\"\n },\n \"id\": \"e2c19e28-e246-3f99-a053-7dd2b28504f6_0\",\n \"device\": {\n \"agentId\": \"5398f1dd-1ce5-4e48-81b8-67ecc63f4232\",\n \"clientType\": \"computerProtectionPremium\",\n \"id\": 0,\n \"name\": \"win10-21h1\"\n },\n \"account\": {\n \"name\": \"test\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2/\",\n \"uuid\": \"0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2\"\n },\n \"tenant\": \"478444\"\n}\n", "event": { - "kind": "event", - "dataset": "browsingProtection", "action": "blocked", - "reason": "WF_Denied", "category": [ "web" ], + "dataset": "browsingProtection", + "kind": "event", + "reason": "WF_Denied", "type": [ "denied" ] @@ -124,12 +124,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "name": "firefox.exe" }, - "user": { - "name": "win10-21h1\\tadmin" - }, - "withsecure": { - "severity": "warning" - }, "related": { "hosts": [ "win10-21h1" 
@@ -137,6 +131,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "win10-21h1\\tadmin" ] + }, + "user": { + "name": "win10-21h1\\tadmin" + }, + "withsecure": { + "severity": "warning" } } @@ -150,13 +150,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"warning\",\n \"serverTimestamp\": 1677851790806,\n \"txId\": \"0000-7b5c8de7f4faed29\",\n \"persistenceTimestamp\": 1677851791765,\n \"source\": \"hxxp://unsafe.fstestdomain.com\",\n \"subscription\": {\n \"id\": \"8ff722e2-b018-4ea7-b398-ad00aa7a09fa\"\n },\n \"engine\": \"reputationBasedBrowsing\",\n \"action\": \"blocked\",\n \"details\": {\n \"alertType\": \"online_safety.harmful_page.block\",\n \"clientTimestamp\": \"1677848190005\",\n \"hostIpAddress\": \"10.61.33.187/25\",\n \"process\": \"firefox.exe\",\n \"profileId\": \"56358066\",\n \"profileName\": \"test profile\",\n \"profileVersion\": \"1677506873\",\n \"reason\": \"BP_Harmful\",\n \"throttledCount\": \"6\",\n \"url\": \"hxxp://unsafe.fstestdomain.com\",\n \"userName\": \"win10-21h1\\\\tadmin\"\n },\n \"id\": \"51b83b32-22d9-33f5-bbe0-a803c5bf684a_0\",\n \"device\": {\n \"agentId\": \"7dc63df2-636c-4939-8e67-dc7c7be09048\",\n \"clientType\": \"computerProtectionPremium\",\n \"id\": 0,\n \"name\": \"win10-21h1\"\n },\n \"account\": {\n \"name\": \"test\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2/\",\n \"uuid\": \"0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2\"\n },\n \"tenant\": \"478444\"\n}\n", "event": { - "kind": "event", - "dataset": "reputationBasedBrowsing", "action": "blocked", - "reason": "BP_Harmful", "category": [ "web" ], + "dataset": "reputationBasedBrowsing", + "kind": "event", + "reason": "BP_Harmful", "type": [ "denied" ] 
@@ -173,15 +173,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "name": "firefox.exe" }, - "user": { - "name": "win10-21h1\\tadmin" - }, - "url": { - "full": "hxxp://unsafe.fstestdomain.com" - }, - "withsecure": { - "severity": "warning" - }, "related": { "hosts": [ "win10-21h1" @@ -189,6 +180,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "win10-21h1\\tadmin" ] + }, + "url": { + "full": "hxxp://unsafe.fstestdomain.com" + }, + "user": { + "name": "win10-21h1\\tadmin" + }, + "withsecure": { + "severity": "warning" } } 
@@ -202,43 +202,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"warning\",\n \"serverTimestamp\": 1662980091208,\n \"txId\": \"0000-88cd1561f3bf0112\",\n \"persistenceTimestamp\": 1662980091703,\n \"source\": \"python.exe\",\n \"subscription\": {\n \"id\": \"4b36dd49-76b7-43e3-a3bb-db42b1abd49e\"\n },\n \"engine\": \"deepGuard\",\n \"action\": \"blocked\",\n \"details\": {\n \"alertType\": \"file\",\n \"clientTimestamp\": \"1662980088000\",\n \"filePath\": \"C:\\\\Users\\\\gtn-admin\\\\miniconda3\\\\envs\\\\change_analyzer\\\\python.exe\",\n \"hostIpAddress\": \"192.168.157.141/24\",\n \"name\": \"DeepGuard blocks a rare application\",\n \"profileId\": \"6938825\",\n \"profileName\": \"test-sop-own-profile\",\n \"profileVersion\": \"1618492209\",\n \"rarity\": \"common\",\n \"reputation\": \"unknown\",\n \"sha1\": \"88d299350caa965e995fa10e287342d846e4c470\",\n \"size\": \"95232\",\n \"userName\": \"ta_test8015\\\\gtn-admin\"\n },\n \"id\": \"09448f91-8bc4-3a11-8666-a58483932a7a_0\",\n \"device\": {\n \"agentId\": \"3fef9b44-fb25-4b58-b7d7-eb17ad691523\",\n \"clientType\": \"computerProtection\",\n \"id\": 18428086,\n \"name\": \"ta_test8015\"\n },\n \"account\": {\n \"name\": \"test\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2/\",\n \"uuid\": \"0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2\"\n },\n \"tenant\": \"478444\"\n}\n\n", "event": { - "kind": "event", - "dataset": "deepGuard", "action": "blocked", "category": [ "malware" ], + "dataset": "deepGuard", + "kind": "event", + "reason": "DeepGuard blocks a rare application", "type": [ "info" - ], - "reason": "DeepGuard blocks a rare application" + ] }, "agent": { "id": "18428086", "name": "ta_test8015", "type": "WithSecure Agent" }, - "host": { - "hostname": "ta_test8015", - "name": "ta_test8015" - }, - "user": { - "name": "ta_test8015\\gtn-admin" - }, "file": { "hash": { 
"sha1": "88d299350caa965e995fa10e287342d846e4c470" }, - "size": 95232, + "name": "python.exe", "path": "C:\\Users\\gtn-admin\\miniconda3\\envs\\change_analyzer\\python.exe", - "name": "python.exe" + "size": 95232 }, - "withsecure": { - "severity": "warning", - "file": { - "reputation": "unknown", - "rarity": "common" - } + "host": { + "hostname": "ta_test8015", + "name": "ta_test8015" }, "related": { "hash": [ @@ -250,6 +240,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "ta_test8015\\gtn-admin" ] + }, + "user": { + "name": "ta_test8015\\gtn-admin" + }, + "withsecure": { + "file": { + "rarity": "common", + "reputation": "unknown" + }, + "severity": "warning" } } 
@@ -263,12 +263,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"critical\",\n \"engine\": \"edr\",\n \"serverTimestamp\": 1651578141192,\n \"action\": \"created\",\n \"txId\": \"0000-21d24f9cff1145c5-9bd77204-ac47-4754-aa16-18f900fb4440\",\n \"details\": {\n \"categories\": \"PERSISTENCE\",\n \"clientTimestamp\": \"1651578140970\",\n \"fingerprint\": \"aa77e49047798bd8efe373fdcf7bb65954083664\",\n \"incidentId\": \"9f003dcb-528b-43e2-8ea5-f09d7eda2fe9\",\n \"incidentPublicId\": \"11355-92710\",\n \"initialDetectionTimestamp\": \"1651574700000\",\n \"resolution\": \"UNCONFIRMED\",\n \"risk\": \"MEDIUM\"\n },\n \"id\": \"7482f9eb-e9ba-3953-a099-f24672a64d37_0\",\n \"source\": \"\",\n \"device\": {\n \"agentId\": \"f4aaba09-804c-45b5-b4c7-1600c27389c7\",\n \"clientType\": \"computerProtectionPremiumPlusRdr\",\n \"id\": 17589954,\n \"name\": \"DESKTOP-L37F6GG\"\n },\n \"account\": {\n \"name\": \"test\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2/\",\n \"uuid\": \"0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2\"\n },\n \"tenant\": \"478444\"\n}\n", "event": { - "kind": "event", - "dataset": "edr", "action": "created", "category": [ "intrusion_detection" ], + "dataset": "edr", + "kind": "event", "type": [ "info" ] @@ -282,20 +282,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "DESKTOP-L37F6GG", "name": "DESKTOP-L37F6GG" }, + "related": { + "hosts": [ + "DESKTOP-L37F6GG" + ] + }, "withsecure": { - "severity": "critical", "incident": { - "id": "9f003dcb-528b-43e2-8ea5-f09d7eda2fe9", "categories": [ "PERSISTENCE" ], - "fingerprint": "aa77e49047798bd8efe373fdcf7bb65954083664" - } - }, - "related": { - "hosts": [ - "DESKTOP-L37F6GG" - ] + "fingerprint": "aa77e49047798bd8efe373fdcf7bb65954083664", + "id": "9f003dcb-528b-43e2-8ea5-f09d7eda2fe9" + }, + "severity": "critical" } } 
@@ -309,12 +309,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"info\",\n \"serverTimestamp\": 1678195021795,\n \"txId\": \"0000-281f2fc480f64ce2\",\n \"persistenceTimestamp\": 1678195022366,\n \"source\": \"BlockWgetUserProfile\",\n \"subscription\": {\n \"id\": \"5c80979b-1795-418b-850b-4a3af9f53def\"\n },\n \"engine\": \"firewall\",\n \"action\": \"blocked\",\n \"details\": {\n \"alertType\": \"firewall.fs_rule_triggered.block\",\n \"clientTimestamp\": \"1678195020864\",\n \"hostIpAddress\": \"10.61.40.132/22\",\n \"ipProtocol\": \"TCP(6)\",\n \"layerName\": \"ALE Connect v4 Layer\",\n \"localAddress\": \"10.61.40.132\",\n \"localPort\": \"50021\",\n \"process\": \"\\\\device\\\\harddiskvolume2\\\\users\\\\tadmin\\\\wget.exe\",\n \"profileId\": \"910739\",\n \"profileName\": \"TA_TEST_2\",\n \"profileVersion\": \"1675782455\",\n \"remoteAddress\": \"10.133.0.23\",\n \"remotePort\": \"80\",\n \"ruleDirection\": \"outbound\",\n \"ruleGroupName\": \"WithSecure Firewall\",\n \"ruleName\": \"BlockWgetUserProfile\",\n \"throttledCount\": \"0\",\n \"userName\": \"win10-21h1\\\\tadmin\"\n },\n \"id\": \"afaa691e-79e7-3106-a4bb-0b27ec9b851c_0\",\n \"device\": {\n \"agentId\": \"b8b8b57d-d9d9-4449-8fc4-8277370da283\",\n \"clientType\": \"computerProtectionPremiumPlusRdr\",\n \"id\": 0,\n \"name\": \"ta_iqamppz3626\"\n },\n \"account\": {\n \"name\": \"ta-ccf-psb-company\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/e2675985-4c4d-4467-ac60-87f075075b92/6b76acd1-95d5-45c9-aa70-1b4e3c27931c/\",\n \"uuid\": \"6b76acd1-95d5-45c9-aa70-1b4e3c27931c\"\n },\n \"tenant\": \"478444\"\n}\n", "event": { - "kind": "event", - "dataset": "firewall", "action": "blocked", "category": [ "network" ], + "dataset": "firewall", + "kind": "event", "type": [ "denied" ] 
@@ -324,36 +324,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "ta_iqamppz3626", "type": "WithSecure Agent" }, + "destination": { + "address": "10.133.0.23", + "ip": "10.133.0.23", + "port": 80 + }, "host": { "hostname": "ta_iqamppz3626", "name": "ta_iqamppz3626" }, - "process": { - "name": "\\device\\harddiskvolume2\\users\\tadmin\\wget.exe", - "executable": "\\device\\harddiskvolume2\\users\\tadmin\\wget.exe" - }, - "user": { - "name": "win10-21h1\\tadmin" - }, - "withsecure": { - "severity": "info" - }, "network": { - "type": "TCP(6)", - "direction": "outbound" - }, - "rule": { - "name": "BlockWgetUserProfile" - }, - "source": { - "address": "10.61.40.132", - "port": 50021, - "ip": "10.61.40.132" + "direction": "outbound", + "type": "TCP(6)" }, - "destination": { - "port": 80, - "ip": "10.133.0.23", - "address": "10.133.0.23" + "process": { + "executable": "\\device\\harddiskvolume2\\users\\tadmin\\wget.exe", + "name": "\\device\\harddiskvolume2\\users\\tadmin\\wget.exe" }, "related": { "hosts": [ @@ -366,6 +352,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "win10-21h1\\tadmin" ] + }, + "rule": { + "name": "BlockWgetUserProfile" + }, + "source": { + "address": "10.61.40.132", + "ip": "10.61.40.132", + "port": 50021 + }, + "user": { + "name": "win10-21h1\\tadmin" + }, + "withsecure": { + "severity": "info" } } 
@@ -379,13 +379,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\": \"warning\", \"serverTimestamp\": \"2023-04-22T12:12:29.959Z\", \"engine\": \"reputationBasedBrowsing\", \"organization\": {\"name\": \"Sekoia company\", \"id\": \"c4713fad-2d74-438e-bb85-cfbeae4fabb9\"}, \"action\": \"blocked\", \"details\": {\"profileName\": \"WithSecure\u2122 Server\", \"reason\": \"BP_Harmful\", \"process\": \"msedge.exe\", \"alertType\": \"online_safety.harmful_page.block\", \"throttledCount\": \"0\", \"profileId\": \"814237\", \"profileVersion\": \"1649234345\", \"hostIpAddress\": \"172.31.27.64/20\", \"userName\": \"EC2AMAZ-DFCA28R\\\\Administrator\", \"clientTimestamp\": \"1682165548528\", \"url\": \"hxxps://secure.eicar.org/eicar.com\"}, \"id\": \"33173bcb-a4bf-35e9-b21c-35de08d25c03_0\", \"persistenceTimestamp\": \"2023-04-22T12:12:33.304Z\", \"device\": {\"name\": \"EC2AMAZ-DFCA28R\", \"id\": \"bf351662-7adc-4611-a0cb-50bf50d1bcca\"}, \"clientTimestamp\": \"2023-04-22T12:12:28.528Z\"}", "event": { - "kind": "event", - "dataset": "reputationBasedBrowsing", "action": "blocked", - "reason": "BP_Harmful", "category": [ "web" ], + "dataset": "reputationBasedBrowsing", + "kind": "event", + "reason": "BP_Harmful", "type": [ "denied" ] @@ -407,15 +407,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "name": "msedge.exe" }, - "user": { - "name": "EC2AMAZ-DFCA28R\\Administrator" - }, - "url": { - "full": "hxxps://secure.eicar.org/eicar.com" - }, - "withsecure": { - "severity": "warning" - }, "related": { "hosts": [ "EC2AMAZ-DFCA28R" @@ -423,6 +414,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "EC2AMAZ-DFCA28R\\Administrator" ] + }, + "url": { + "full": "hxxps://secure.eicar.org/eicar.com" + }, + "user": { + "name": "EC2AMAZ-DFCA28R\\Administrator" + }, + "withsecure": { + "severity": "warning" } } 
@@ -436,12 +436,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"severity\": \"critical\",\n \"serverTimestamp\": 1677670865589,\n \"txId\": \"0000-97df3b0443296390\",\n \"persistenceTimestamp\": 1677670866082,\n \"source\": \"eicar(1).com\",\n \"subscription\": {\n \"id\": \"8ff722e2-b018-4ea7-b398-ad00aa7a09fa\"\n },\n \"engine\": \"manualScanning\",\n \"action\": \"none\",\n \"details\": {\n \"alertType\": \"on_demand_scanner.file_infection.nothing\",\n \"availableActions\": \"disinfect,delete,rename,quarantine\",\n \"clientTimestamp\": \"1677670865302\",\n \"created\": \"1677670492\",\n \"fileScanningType\": \"fileInfection\",\n \"hostIpAddress\": \"10.133.36.253/24\",\n \"infectionName\": \"EICAR_Test_File\",\n \"modified\": \"1677670472\",\n \"path\": \"C:\\\\ProgramData\\\\eicar(1).com\",\n \"prevalence\": \"60\",\n \"profileId\": \"73633559\",\n \"profileName\": \"test_test\",\n \"profileVersion\": \"1677670386\",\n \"recommendedAction\": \"disinfect\",\n \"reputation\": \"99\",\n \"sha1\": \"3395856ce81f2b7382dee72602f798b642f14140\",\n \"size\": \"68\",\n \"throttledCount\": \"0\",\n \"userName\": \"WIN10ENT-X64\\\\Administrator\"\n },\n \"id\": \"4155e71e-0cbb-3cac-ab46-24855d55340a_0\",\n \"device\": {\n \"agentId\": \"48f4edb3-911b-46b7-8566-fd4e1a2ff757\",\n \"clientType\": \"computerProtectionPremium\",\n \"id\": 0,\n \"name\": \"WIN10ENT-X64\"\n },\n \"account\": {\n \"name\": \"test\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2/\",\n \"uuid\": \"0c75c79d-88af-4bfd-9c00-e1f87ce7a5f2\"\n },\n \"tenant\": \"478444\"\n}\n\n", "event": { - "kind": "event", - "dataset": "manualScanning", "action": "none", "category": [ "malware" ], + "dataset": "manualScanning", + "kind": "event", "type": [ "info" ] 
@@ -451,32 +451,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "WIN10ENT-X64", "type": "WithSecure Agent" }, - "host": { - "hostname": "WIN10ENT-X64", - "name": "WIN10ENT-X64" - }, - "user": { - "name": "WIN10ENT-X64\\Administrator" - }, "file": { + "created": "2023-03-01T11:34:52Z", "hash": { "sha1": "3395856ce81f2b7382dee72602f798b642f14140" }, - "path": "C:\\ProgramData\\eicar(1).com", - "name": "eicar(1).com", - "created": "2023-03-01T11:34:52Z", "mtime": "2023-03-01T11:34:32Z", + "name": "eicar(1).com", + "path": "C:\\ProgramData\\eicar(1).com", "size": 68 }, - "withsecure": { - "severity": "critical", - "infection": { - "name": "EICAR_Test_File" - }, - "file": { - "prevalence": "60", - "reputation": "99" - } + "host": { + "hostname": "WIN10ENT-X64", + "name": "WIN10ENT-X64" }, "related": { "hash": [ @@ -488,6 +475,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "WIN10ENT-X64\\Administrator" ] + }, + "user": { + "name": "WIN10ENT-X64\\Administrator" + }, + "withsecure": { + "file": { + "prevalence": "60", + "reputation": "99" + }, + "infection": { + "name": "EICAR_Test_File" + }, + "severity": "critical" } } diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 4340e3af16..7eb1013f21 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md 
@@ -35,20 +35,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}", "event": { - "kind": "event", + "action": "edit", "category": [ "file" ], + "dataset": "audit#activity", + "kind": "event", "type": [ "change" - ], - "action": "edit", - "dataset": "audit#activity" + ] }, "@timestamp": "2014-03-17T15:39:18.460000Z", - "user": { - "id": "ABC123xyz", - "email": "kim@example.com" + "file": { + "gid": "AAAAAALLLLLL", + "name": "Divers", + "owner": "RH ", + "type": "folder" }, "google": { "report": { 
@@ -63,23 +65,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "application": "drive" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "file": { - "gid": "AAAAAALLLLLL", - "owner": "RH ", - "type": "folder", - "name": "Divers" - }, "related": { - "user": [ - "RH " - ], "ip": [ "1.2.3.4" + ], + "user": [ + "RH " ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "kim@example.com", + "id": "ABC123xyz" } } @@ -93,20 +93,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}", "event": { - "kind": "event", + "action": "edit", "category": [ "file" ], + "dataset": "audit#activity", + "kind": "event", "type": [ "change" - ], - "action": "edit", - "dataset": "audit#activity" + ] }, "@timestamp": "2014-03-17T15:39:18.460000Z", - "user": { - "id": "ABC123xyz", - "email": "kim@example.com" + "file": { + "name": "Meeting notes", + "owner": "mary@example.com", + "type": "document" }, "google": { "report": { 
@@ -118,22 +119,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "application": "drive" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "file": { - "owner": "mary@example.com", - "type": "document", - "name": "Meeting notes" - }, "related": { - "user": [ - "mary@example.com" - ], "ip": [ "1.2.3.4" + ], + "user": [ + "mary@example.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "kim@example.com", + "id": "ABC123xyz" } } 
@@ -147,19 +147,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"john.doe@example.org\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": \"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n", "event": { - "kind": "event", + "action": "view", "category": [ "file" ], + "dataset": "admin#reports#activity", + "kind": "event", "type": [ "access" - ], - "action": "view", - "dataset": "admin#reports#activity" + ] }, "@timestamp": "2023-09-04T08:42:51.615000Z", - "user": { - "id": "111111111" + "file": { + "gid": "DDD_111111111111111", + "name": "MyDocs", + "owner": "J.DOE", 
+ "type": "folder" }, "google": { "report": { @@ -174,23 +177,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "application": "drive" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "file": { - "gid": "DDD_111111111111111", - "owner": "J.DOE", - "type": "folder", - "name": "MyDocs" - }, "related": { - "user": [ - "J.DOE" - ], "ip": [ "1.2.3.4" + ], + "user": [ + "J.DOE" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "111111111" } } diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 3ea3985405..0e87eb74a5 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md 
@@ -53,20 +53,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-02T22:06:00.6652718Z\",\"tenantId\":\"16ed4fbf-027f-47b3-8d1a-a342781dd2d2\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-AlertInfo\",\"properties\":{\"AlertId\":\"da637977531594995313_968283104\",\"Timestamp\":\"2022-09-02T22:04:16.134644Z\",\"Title\":\"'Lodi' unwanted software was prevented\",\"ServiceSource\":\"Microsoft Defender for Endpoint\",\"Category\":\"DefenseEvasion\",\"Severity\":\"Informational\",\"DetectionSource\":\"Antivirus\",\"MachineGroup\":\"Windows 10 - remediate threats automatically\",\"AttackTechniques\":\"\"}}", "event": { + "category": [ + "threat" + ], + "dataset": "alert_info", "kind": "alert", "type": [ "info" - ], - "dataset": "alert_info", - "category": [ - "threat" ] }, "@timestamp": "2022-09-02T22:04:16.134644Z", - "service": { - "name": "Microsoft Defender for Endpoint", - "type": "Antivirus" - }, "action": { "properties": { "ServiceSource": "Microsoft Defender for Endpoint" @@ -83,6 +79,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "severity": "Informational" } } + }, + "service": { + "name": "Microsoft Defender for Endpoint", + "type": "Antivirus" } } 
@@ -96,53 +96,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", "event": { + "category": [ + "host" + ], + "dataset": "device_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_events", - "category": [ - "host" ] }, "@timestamp": "2022-09-01T07:09:47.498056Z", - "host": { - "id": "1111111111111111111111111111111111111111", - "name": "test.lab" - }, - "process": { - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": 
"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "name": "software_reporter_tool.exe", - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200", - "user": { - "domain": "intranet", - "name": "group1", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "email": "user@example.org" - }, - "parent": { - "pid": 15532, - "name": "software_reporter_tool.exe", - "start": "2022-09-01T06:56:23.595229Z" - }, - "args": [ - "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"", - "--sandboxed-process-id=2", - "--init-done-notifier=804", - "--sandbox-mojo-pipe-token=**********", - "--mojo-platform-channel-handle=780", - "--engine=2" - ] - }, "action": { - "type": "NtAllocateVirtualMemoryApiCall", "properties": { "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", 
@@ -154,7 +118,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", "InitiatingProcessVersionInfoProductVersion": "102.286.200" - } + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" }, "microsoft": { "defender": { @@ -163,13 +136,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" }, "related": { "hash": [ 
@@ -181,6 +177,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -194,13 +194,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-02T13:12:14.2082552Z\",\"tenantId\":\"16ed4fbf-027f-47b3-8d1a-a342781dd2d2\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileCertificateInfo\",\"properties\":{\"SHA1\":\"4334f41d684200d1a52c977417f5ba1eba4969b5\",\"IsSigned\":true,\"IsRootSignerMicrosoft\":true,\"Signer\":\"Microsoft Windows\",\"SignerHash\":\"fe51e838a087bb561bbb2dd9ba20143384a03b3f\",\"Issuer\":\"Microsoft Windows Production PCA 2011\",\"IssuerHash\":\"580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d\",\"SignatureType\":\"Catalog\",\"IsTrusted\":true,\"CertificateCreationTime\":\"2021-09-02T18:23:41Z\",\"CertificateExpirationTime\":\"2022-09-01T18:23:41Z\",\"CertificateCountersignatureTime\":\"2022-07-06T05:55:26.23Z\",\"CrlDistributionPointUrls\":\"[\\\"http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl\\\"]\",\"CertificateSerialNumber\":\"330000033c89c66a7b45bb1fbd00000000033c\",\"DeviceId\":\"db1b7a6a38796c8d49f7746d3ab2252b53b45c80\",\"MachineGroup\":\"Windows 10 - remediate threats automatically\",\"Timestamp\":\"2022-09-02T13:10:10.7177Z\",\"DeviceName\":\"test.lab\",\"ReportId\":20370}}\n", "event": { + "category": [ + "file" + ], + "dataset": "device_file_certificate_info", "kind": "event", "type": [ "info" - ], - "dataset": "device_file_certificate_info", - "category": [ - "file" ] }, "@timestamp": "2022-09-02T13:10:10.717700Z", 
@@ -209,8 +209,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha1": "4334f41d684200d1a52c977417f5ba1eba4969b5" }, "x509": { - "serial_number": "330000033c89c66a7b45bb1fbd00000000033c", - "not_after": "2022-09-01T18:23:41Z" + "not_after": "2022-09-01T18:23:41Z", + "serial_number": "330000033c89c66a7b45bb1fbd00000000033c" } }, "host": { @@ -219,29 +219,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "microsoft": { "defender": { - "report": { - "id": "20370" - }, "certificate": { - "is_signed": true, - "is_trusted": true, - "is_root_signer_microsort": true, - "signature_type": "Catalog", - "issuer": { - "name": "Microsoft Windows Production PCA 2011", - "hash": "580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d" - }, - "signer": { - "name": "Microsoft Windows", - "hash": "fe51e838a087bb561bbb2dd9ba20143384a03b3f" - }, + "counter_signed_at": "2022-07-06T05:55:26.23Z", + "created_at": "2021-09-02T18:23:41Z", "crl": { "urls": [ "http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl" ] }, - "created_at": "2021-09-02T18:23:41Z", - "counter_signed_at": "2022-07-06T05:55:26.23Z" + "is_root_signer_microsort": true, + "is_signed": true, + "is_trusted": true, + "issuer": { + "hash": "580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d", + "name": "Microsoft Windows Production PCA 2011" + }, + "signature_type": "Catalog", + "signer": { + "hash": "fe51e838a087bb561bbb2dd9ba20143384a03b3f", + "name": "Microsoft Windows" + } + }, + "report": { + "id": "20370" } } }, 
@@ -262,62 +262,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-01T07:49:40.4279379Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"properties\":{\"PreviousFileName\":null,\"FileName\":\"OneDriveFileLauncher.exe\",\"FolderPath\":\"C:\\\\Users\\\\USER\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\22.161.0731.0002\",\"PreviousFolderPath\":null,\"SHA1\":null,\"SHA256\":null,\"MD5\":null,\"FileSize\":null,\"FileOriginReferrerUrl\":null,\"FileOriginUrl\":null,\"FileOriginIP\":null,\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestProtocol\":null,\"RequestAccountName\":null,\"RequestAccountDomain\":null,\"RequestAccountSid\":null,\"AdditionalFields\":null,\"ActionType\":\"FileDeleted\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft OneDrive\",\"InitiatingProcessVersionInfoProductVersion\":\"22.166.0807.0002\",\"InitiatingProcessVersionInfoInternalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft OneDrive (64 bit) 
Setup\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\microsoft\\\\onedrive\\\\update\\\\onedrivesetup.exe\",\"InitiatingProcessFileSize\":56824728,\"InitiatingProcessMD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"InitiatingProcessSHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessSHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T07:46:34.0214941Z\",\"InitiatingProcessId\":27512,\"InitiatingProcessFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessCommandLine\":\"OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode \",\"InitiatingProcessParentCreationTime\":\"2022-09-01T07:46:33.5858992Z\",\"InitiatingProcessParentId\":588,\"InitiatingProcessParentFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessIntegrityLevel\":\"Medium\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:46:42.4684081Z\",\"DeviceName\":\"test.lab\",\"ReportId\":152059}}", "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_file_events", - "category": [ - "file" ] }, "@timestamp": "2022-09-01T07:46:42.468408Z", - "file": { - "directory": "C:\\Users\\USER\\AppData\\Local\\Microsoft\\OneDrive\\22.161.0731.0002", - "name": "OneDriveFileLauncher.exe" - }, - "host": { - 
"id": "1111111111111111111111111111111111111111", - "name": "test.lab" - }, - "process": { - "hash": { - "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", - "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", - "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" - }, - "pid": 27512, - "start": "2022-09-01T07:46:34.021494Z", - "name": "OneDriveSetup.exe", - "command_line": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", - "working_directory": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update", - "user": { - "domain": "intranet", - "name": "group1", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "email": "user@example.org" - }, - "parent": { - "pid": 588, - "name": "OneDriveSetup.exe", - "start": "2022-09-01T07:46:33.585899Z" - }, - "args": [ - "/update", - "/restart", - "/updateSource:ODU", - "/peruser", - "/childprocess", - "/extractFilesWithLessThreadCount", - "/renameReplaceOneDriveExe", - "/renameReplaceODSUExe", - "/removeNonCurrentVersions", - "/enableODSUReportingMode", - "" - ] - }, "action": { - "type": "FileDeleted", "properties": { "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", 
@@ -330,7 +285,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe", "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive", "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002" - } + }, + "type": "FileDeleted" + }, + "file": { + "directory": "C:\\Users\\USER\\AppData\\Local\\Microsoft\\OneDrive\\22.161.0731.0002", + "name": "OneDriveFileLauncher.exe" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" }, "microsoft": { "defender": { @@ -339,6 +303,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "process": { + "args": [ + "", + "/childprocess", + "/enableODSUReportingMode", + "/extractFilesWithLessThreadCount", + "/peruser", + "/removeNonCurrentVersions", + "/renameReplaceODSUExe", + "/renameReplaceOneDriveExe", + "/restart", + "/update", + "/updateSource:ODU" + ], + "command_line": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "OneDriveSetup.exe", + "parent": { + "name": "OneDriveSetup.exe", + "pid": 588, + "start": "2022-09-01T07:46:33.585899Z" + }, + "pid": 27512, + "start": "2022-09-01T07:46:34.021494Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update" + }, "related": { "hash": [ "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", 
@@ -358,16 +358,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-01T07:49:37.5372014Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceImageLoadEvents\",\"properties\":{\"FolderPath\":\"C:\\\\Program Files (x86)\\\\Adobe\\\\8.1\\\\Client\\\\BIN\\\\sscfom.dll\",\"FileSize\":1048576,\"FileName\":\"sscfom.dll\",\"MD5\":\"83fd76962ba443b3d6e317ad73126843\",\"SHA256\":\"14c0592339b02885a8e4cf9724c607afe2a0187348c1aa084db3875ce93be0fe\",\"SHA1\":\"742ef984a8f759090f44838f737d575e283942be\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\adobe\\\\8.1\\\\client\\\\bin\\\\autosync.exe\",\"InitiatingProcessFileName\":\"autosync.exe\",\"InitiatingProcessFileSize\":66560,\"InitiatingProcessMD5\":\"4617605c67d2a4f8ff7f86042d40011d\",\"InitiatingProcessSHA256\":\"9ff12db8e1aa2bc6781d1e399ec7a0fd38278dee8f2b5ece7403f2bab009dbe7\",\"InitiatingProcessSHA1\":\"1181891a21a785f05de6f40a3c635534ade13262\",\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessCreationTime\":\"2022-09-01T07:47:58.182445Z\",\"InitiatingProcessId\":15584,\"InitiatingProcessCommandLine\":\"\\\"autosync.exe\\\" /c C:\\\\PROGRA~2\\\\adobe\\\\8.1\\\\Client\\\\bin\\\\fra\\\\adobe.cfg /c \\\" 
usa\\\"\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T07:47:17.01345Z\",\"InitiatingProcessParentId\":2548,\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessIntegrityLevel\":\"Medium\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"DeviceId\":\"4b35a092f1578f0a6f1b7dbf9e90465563781043\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"Windows 10 - remediate threats automatically\",\"Timestamp\":\"2022-09-01T07:47:58.6161271Z\",\"DeviceName\":\"test.lab\",\"ReportId\":3758,\"ActionType\":\"ImageLoaded\"}}", "event": { + "category": [ + "process" + ], + "dataset": "device_image_load_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_image_load_events", - "category": [ - "process" ] }, "@timestamp": "2022-09-01T07:47:58.616127Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", + "InitiatingProcessFileSize": 66560, + "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault" + }, + "type": "ImageLoaded" + }, "file": { "directory": "C:\\Program Files (x86)\\Adobe\\8.1\\Client\\BIN\\sscfom.dll", "hash": { 
@@ -382,51 +391,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "4b35a092f1578f0a6f1b7dbf9e90465563781043", "name": "test.lab" }, + "microsoft": { + "defender": { + "report": { + "id": "3758" + } + } + }, "process": { + "args": [ + "\"", + "/c", + "/c", + "C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg", + "usa\"" + ], + "command_line": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", "hash": { "md5": "4617605c67d2a4f8ff7f86042d40011d", "sha1": "1181891a21a785f05de6f40a3c635534ade13262", "sha256": "9ff12db8e1aa2bc6781d1e399ec7a0fd38278dee8f2b5ece7403f2bab009dbe7" }, + "name": "autosync.exe", + "parent": { + "name": "explorer.exe", + "pid": 2548, + "start": "2022-09-01T07:47:17.013450Z" + }, "pid": 15584, "start": "2022-09-01T07:47:58.182445Z", - "name": "autosync.exe", - "command_line": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", - "working_directory": "c:\\program files (x86)\\adobe\\8.1\\client\\bin", "user": { "domain": "intranet", - "name": "group1", + "email": "user@example.org", "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "email": "user@example.org" + "name": "group1" }, - "parent": { - "pid": 2548, - "name": "explorer.exe", - "start": "2022-09-01T07:47:17.013450Z" - }, - "args": [ - "/c", - "C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg", - "/c", - "\"", - "usa\"" - ] - }, - "action": { - "type": "ImageLoaded", - "properties": { - "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", - "InitiatingProcessFileSize": 66560, - "InitiatingProcessIntegrityLevel": "Medium", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault" - } - }, - "microsoft": { - "defender": { - "report": { - "id": "3758" - } - } + "working_directory": "c:\\program files (x86)\\adobe\\8.1\\client\\bin" }, "related": { "hash": [ 
@@ -450,16 +450,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-02T17:21:10.6891411Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceInfo\",\"properties\":{\"ClientVersion\":\"10.8295.19041.2311\",\"PublicIP\":\"4.3.2.1\",\"DeviceName\":\"ml-002\",\"DeviceId\":\"9766ea323abe48f9b9d86b4fb3dc6c14\",\"ReportId\":11111,\"Timestamp\":\"2023-01-02T17:18:18.4028562Z\",\"OSArchitecture\":null,\"OSPlatform\":null,\"OSBuild\":null,\"IsAzureADJoined\":true,\"LoggedOnUsers\":\"[{\\\"UserName\\\":\\\"JOHNDOE\\\",\\\"DomainName\\\":\\\"INTRANET\\\",\\\"Sid\\\":\\\"S-1-11-1-1111111111-1111111111-1111111111-1111111111\\\"}]\",\"RegistryDeviceTag\":null,\"OSVersion\":null,\"AdditionalFields\":\"[]\",\"AadDeviceId\":\"cc8601ad-6446-4277-b110-9f01e636b653\",\"MergedDeviceIds\":\"\",\"MergedToDeviceId\":\"\",\"Vendor\":\"\",\"Model\":\"\",\"OnboardingStatus\":\"Onboarded\",\"DeviceCategory\":\"Endpoint\",\"DeviceType\":\"Workstation\",\"DeviceSubtype\":null,\"OSVersionInfo\":\"\",\"OSDistribution\":\"\",\"JoinType\":\"AAD Joined\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "host" + ], + "dataset": "device_info_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_info_events", - "category": [ - "host" ] }, "@timestamp": "2023-01-02T17:18:18.402856Z", + "action": { + "properties": { + "AadDeviceId": "cc8601ad-6446-4277-b110-9f01e636b653", + "IsAzureADJoined": true, + "JoinType": "AAD Joined", + "LoggedOnUsers": [ + "{\"DomainName\": \"INTRANET\", \"Sid\": \"S-1-11-1-1111111111-1111111111-1111111111-1111111111\", \"UserName\": \"JOHNDOE\"}" + ], + "MachineGroup": "UnassignedGroup", + "OnboardingStatus": "Onboarded" + } + }, "agent": { "version": "10.8295.19041.2311" }, 
@@ -470,35 +482,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "microsoft": { "defender": { - "report": { - "id": "11111" - }, "host": { "category": "Endpoint" + }, + "report": { + "id": "11111" } } }, - "source": { - "ip": "4.3.2.1", - "address": "4.3.2.1" - }, - "action": { - "properties": { - "IsAzureADJoined": true, - "AadDeviceId": "cc8601ad-6446-4277-b110-9f01e636b653", - "LoggedOnUsers": [ - "{\"DomainName\": \"INTRANET\", \"Sid\": \"S-1-11-1-1111111111-1111111111-1111111111-1111111111\", \"UserName\": \"JOHNDOE\"}" - ], - "MachineGroup": "UnassignedGroup", - "OnboardingStatus": "Onboarded", - "JoinType": "AAD Joined" - } - }, - "user": { - "name": "JOHNDOE", - "domain": "INTRANET", - "id": "S-1-11-1-1111111111-1111111111-1111111111-1111111111" - }, "related": { "ip": [ "4.3.2.1" @@ -506,6 +497,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JOHNDOE" ] + }, + "source": { + "address": "4.3.2.1", + "ip": "4.3.2.1" + }, + "user": { + "domain": "INTRANET", + "id": "S-1-11-1-1111111111-1111111111-1111111111-1111111111", + "name": "JOHNDOE" } } 
@@ -519,16 +519,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-02T17:21:10.6890829Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceInfo\",\"properties\":{\"ClientVersion\":\"10.8295.19041.2311\",\"PublicIP\":\"4.3.2.1\",\"DeviceName\":\"ml-002\",\"DeviceId\":\"9766ea323abe48f9b9d86b4fb3dc6c14\",\"ReportId\":22222,\"Timestamp\":\"2023-01-02T17:16:49.4177838Z\",\"OSArchitecture\":null,\"OSPlatform\":null,\"OSBuild\":null,\"IsAzureADJoined\":true,\"LoggedOnUsers\":\"[]\",\"RegistryDeviceTag\":null,\"OSVersion\":null,\"AdditionalFields\":\"[]\",\"AadDeviceId\":\"cc8601ad-6446-4277-b110-9f01e636b653\",\"MergedDeviceIds\":\"\",\"MergedToDeviceId\":\"\",\"Vendor\":\"\",\"Model\":\"\",\"OnboardingStatus\":\"Onboarded\",\"DeviceCategory\":\"Endpoint\",\"DeviceType\":\"Workstation\",\"DeviceSubtype\":null,\"OSVersionInfo\":\"\",\"OSDistribution\":\"\",\"JoinType\":\"Hybrid Azure AD Join\",\"MachineGroup\":\"Windows 10 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "host" + ], + "dataset": "device_info_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_info_events", - "category": [ - "host" ] }, "@timestamp": "2023-01-02T17:16:49.417783Z", + "action": { + "properties": { + "AadDeviceId": "cc8601ad-6446-4277-b110-9f01e636b653", + "IsAzureADJoined": true, + "JoinType": "Hybrid Azure AD Join", + "LoggedOnUsers": [], + "MachineGroup": "Windows 10 - remediate threats automatically", + "OnboardingStatus": "Onboarded" + } + }, "agent": { "version": "10.8295.19041.2311" }, 
@@ -539,32 +549,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "microsoft": { "defender": { - "report": { - "id": "22222" - }, "host": { "category": "Endpoint" + }, + "report": { + "id": "22222" } } }, - "source": { - "ip": "4.3.2.1", - "address": "4.3.2.1" - }, - "action": { - "properties": { - "IsAzureADJoined": true, - "AadDeviceId": "cc8601ad-6446-4277-b110-9f01e636b653", - "LoggedOnUsers": [], - "MachineGroup": "Windows 10 - remediate threats automatically", - "OnboardingStatus": "Onboarded", - "JoinType": "Hybrid Azure AD Join" - } - }, "related": { "ip": [ "4.3.2.1" ] + }, + "source": { + "address": "4.3.2.1", + "ip": "4.3.2.1" } } 
@@ -578,63 +578,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-04T14:26:25.0567375Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceLogonEvents\",\"properties\":{\"AccountName\":\"dwm-3\",\"AccountDomain\":\"window manager\",\"LogonType\":\"Interactive\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"DeviceName\":\"ml022\",\"ReportId\":21833,\"Timestamp\":\"2023-01-04T13:25:36.1936997Z\",\"AccountSid\":\"S-1-1-11-1-1\",\"AppGuardContainerId\":\"\",\"LogonId\":111111,\"RemoteIP\":\"\",\"RemotePort\":null,\"RemoteDeviceName\":\"\",\"ActionType\":\"LogonSuccess\",\"InitiatingProcessId\":3660,\"InitiatingProcessCreationTime\":\"2023-01-04T13:25:35.9877068Z\",\"InitiatingProcessFileName\":\"winlogon.exe\",\"InitiatingProcessFolderPath\":\"C:\\\\Windows\\\\System32\",\"InitiatingProcessSHA1\":\"0c8b6c1f8c1d248000192e2569735848051b3ce1\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":\"f597fa958fd63accc90cb469e7ddc2a5\",\"InitiatingProcessCommandLine\":\"WinLogon.exe 
-SpecialSession\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountDomain\":\"NT\",\"InitiatingProcessAccountSid\":\"S-1-1-11\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessParentId\":12776,\"InitiatingProcessParentCreationTime\":\"2023-01-04T13:25:35.9028371Z\",\"InitiatingProcessParentFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\smss.exe\",\"AdditionalFields\":\"{\\\"IsLocalLogon\\\":true}\",\"RemoteIPType\":null,\"IsLocalAdmin\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"Protocol\":\"Negotiate\",\"FailureReason\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_logon_events", - "category": [ - "authentication" ] }, "@timestamp": "2023-01-04T13:25:36.193699Z", + "action": { + "properties": { + "AccountSid": "S-1-1-11-1-1", + "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession", + "LogonId": "111111", + "LogonType": "Interactive" + }, + "type": "LogonSuccess" + }, "host": { "id": "dbe5c34434fb4792bea6874dd0b1f107", "name": "ml022" }, + "microsoft": { + "defender": { + "report": { + "id": "21833" + } + } + }, "process": { + "args": [ + "-SpecialSession" + ], + "command_line": "WinLogon.exe -SpecialSession", "hash": { "md5": "f597fa958fd63accc90cb469e7ddc2a5", "sha1": "0c8b6c1f8c1d248000192e2569735848051b3ce1" }, - "pid": 3660, - "start": "2023-01-04T13:25:35.987706Z", "name": "winlogon.exe", - 
"command_line": "WinLogon.exe -SpecialSession", - "working_directory": "C:\\Windows", - "user": { - "domain": "NT", - "name": "system", - "id": "S-1-1-11" - }, "parent": { - "pid": 12776, "name": "smss.exe", + "pid": 12776, "start": "2023-01-04T13:25:35.902837Z" }, - "args": [ - "-SpecialSession" - ] - }, - "user": { - "domain": "window manager", - "name": "dwm-3" - }, - "action": { - "type": "LogonSuccess", - "properties": { - "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession", - "LogonId": "111111", - "LogonType": "Interactive", - "AccountSid": "S-1-1-11-1-1" - } - }, - "microsoft": { - "defender": { - "report": { - "id": "21833" - } - } + "pid": 3660, + "start": "2023-01-04T13:25:35.987706Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "system" + }, + "working_directory": "C:\\Windows" }, "related": { "hash": [ @@ -644,6 +640,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "dwm-3" ] + }, + "user": { + "domain": "window manager", + "name": "dwm-3" } } 
@@ -657,58 +657,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-04T14:07:32.6213639Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"properties\":{\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"DeviceName\":\"ml022\",\"ReportId\":37827,\"Timestamp\":\"2023-01-04T14:05:32.3148625Z\",\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":443,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":59985,\"Protocol\":\"Tcp\",\"RemoteUrl\":\"www.example.org\",\"InitiatingProcessCreationTime\":\"2023-01-04T14:05:22.8079798Z\",\"InitiatingProcessId\":18288,\"InitiatingProcessCommandLine\":\"\\\"EXCEL.EXE\\\" \\\"C:\\\\Users\\\\USER\\\\MyDocument.xslx\",\"InitiatingProcessParentCreationTime\":\"2023-01-04T14:04:35.708037Z\",\"InitiatingProcessParentId\":23332,\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessSHA1\":\"2b684979d6174bad69d895c7d8a852e7b206b95f\",\"InitiatingProcessMD5\":\"4d5b7b6c06159d6b967f2c2c73f10145\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\office16\\\\excel.exe\",\"InitiatingProcessAccountName\":\"USER\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountSid\":\"S-1-11-1-11111111-1111111111-111111111-111111111\",\"InitiatingProcessFileName\":\"EXCEL.EXE\",\"InitiatingProcessIntegrityLevel\":\"Medium\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"AppGuardContainerId\":\"\",\"LocalIPType\":\"Private\",\"RemoteIPType\":\"Public\",\"ActionType\":\"ConnectionSuccess\",\"InitiatingProcessSHA256\":\"1e22c9b2e6562fa32d410bc4957279a46b614eed4cd5f45c200b4a24237bd095\",\"InitiatingProcessAccountUpn\":\"john.doe@example.org\",\"InitiatingProcessAccountObjectId\":\"e0e5e759-c1e1-4cf9-91d5-c1099ef74614\",\"AdditionalFields\":null,\"InitiatingProcessFileSize\":63984520,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft 
Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.15601.20538\",\"InitiatingProcessVersionInfoInternalFileName\":\"Excel\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Excel.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Excel\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "network" + ], + "dataset": "device_network_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_network_events", - "category": [ - "network" ] }, "@timestamp": "2023-01-04T14:05:32.314862Z", - "destination": { - "port": 443, - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "host": { - "id": "dbe5c34434fb4792bea6874dd0b1f107", - "name": "ml022" - }, - "process": { - "hash": { - "md5": "4d5b7b6c06159d6b967f2c2c73f10145", - "sha1": "2b684979d6174bad69d895c7d8a852e7b206b95f", - "sha256": "1e22c9b2e6562fa32d410bc4957279a46b614eed4cd5f45c200b4a24237bd095" - }, - "pid": 18288, - "start": "2023-01-04T14:05:22.807979Z", - "name": "EXCEL.EXE", - "command_line": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", - "working_directory": "c:\\program files\\microsoft office\\root\\office16", - "user": { - "domain": "intranet", - "name": "USER", - "id": "S-1-11-1-11111111-1111111111-111111111-111111111", - "email": "john.doe@example.org" - }, - "parent": { - "pid": 23332, - "name": "explorer.exe", - "start": "2023-01-04T14:04:35.708037Z" - }, - "args": [ - "\"C:\\Users\\USER\\MyDocument.xslx" - ] - }, - "source": { - "port": 59985, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "action": { - "type": "ConnectionSuccess", "properties": { "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614", "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", 
@@ -723,7 +682,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538", "LocalIPType": "Private", "RemoteIPType": "Public" - } + }, + "type": "ConnectionSuccess" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "host": { + "id": "dbe5c34434fb4792bea6874dd0b1f107", + "name": "ml022" }, "microsoft": { "defender": { @@ -735,6 +704,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "Tcp" }, + "process": { + "args": [ + "\"C:\\Users\\USER\\MyDocument.xslx" + ], + "command_line": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", + "hash": { + "md5": "4d5b7b6c06159d6b967f2c2c73f10145", + "sha1": "2b684979d6174bad69d895c7d8a852e7b206b95f", + "sha256": "1e22c9b2e6562fa32d410bc4957279a46b614eed4cd5f45c200b4a24237bd095" + }, + "name": "EXCEL.EXE", + "parent": { + "name": "explorer.exe", + "pid": 23332, + "start": "2023-01-04T14:04:35.708037Z" + }, + "pid": 18288, + "start": "2023-01-04T14:05:22.807979Z", + "user": { + "domain": "intranet", + "email": "john.doe@example.org", + "id": "S-1-11-1-11111111-1111111111-111111111-111111111", + "name": "USER" + }, + "working_directory": "c:\\program files\\microsoft office\\root\\office16" + }, "related": { "hash": [ "1e22c9b2e6562fa32d410bc4957279a46b614eed4cd5f45c200b4a24237bd095", @@ -745,6 +740,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 59985 } } 
@@ -758,33 +758,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-04T14:07:34.1999095Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkInfo\",\"properties\":{\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"DeviceName\":\"ml022\",\"Timestamp\":\"2023-01-04T14:04:35.622431Z\",\"ReportId\":13489,\"NetworkAdapterName\":\"{B844C2B6-E379-47C8-A28B-784DF7D3D731}\",\"NetworkAdapterType\":\"Guest\",\"NetworkAdapterStatus\":\"Down\",\"TunnelType\":\"None\",\"ConnectedNetworks\":null,\"DnsAddresses\":\"[\\\"fff0:0:0:ffff::1\\\",\\\"fff0:0:0:ffff::2\\\",\\\"fff0:0:0:ffff::3\\\"]\",\"DefaultGateways\":null,\"MacAddress\":\"C8B29B8AEAAE\",\"IPv4Dhcp\":\"\",\"IPv6Dhcp\":\"\",\"IPAddresses\":\"[{\\\"IPAddress\\\":\\\"1.2.3.4\\\",\\\"SubnetPrefix\\\":16,\\\"AddressType\\\":\\\"LinkLocal\\\"},{\\\"IPAddress\\\":\\\"ffff::fff:fff:aaa:ccc\\\",\\\"SubnetPrefix\\\":64,\\\"AddressType\\\":\\\"Private\\\"}]\",\"NetworkAdapterVendor\":null,\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "host" + ], + "dataset": "device_network_info", "kind": "event", "type": [ "info" - ], - "dataset": "device_network_info", - "category": [ - "host" ] }, "@timestamp": "2023-01-04T14:04:35.622431Z", "host": { "id": "dbe5c34434fb4792bea6874dd0b1f107", - "name": "ml022", "mac": [ "C8B29B8AEAAE" - ] + ], + "name": "ml022" }, "microsoft": { "defender": { - "report": { - "id": "13489" - }, "observer": { "interface": { - "name": "{B844C2B6-E379-47C8-A28B-784DF7D3D731}", - "type": "Guest", - "status": "Down", "dns": [ "fff0:0:0:ffff::1", "fff0:0:0:ffff::2", 
@@ -793,8 +787,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ips": [ "{\"AddressType\": \"LinkLocal\", \"IPAddress\": \"1.2.3.4\", \"SubnetPrefix\": 16}", "{\"AddressType\": \"Private\", \"IPAddress\": \"ffff::fff:fff:aaa:ccc\", \"SubnetPrefix\": 64}" - ] + ], + "name": "{B844C2B6-E379-47C8-A28B-784DF7D3D731}", + "status": "Down", + "type": "Guest" } + }, + "report": { + "id": "13489" } } } 
@@ -810,71 +810,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-04T14:16:55.5041166Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"properties\":{\"InitiatingProcessSHA1\":\"5bfbb0f965e2761d75a51faacc9db6a146a7c5ae\",\"InitiatingProcessFileSize\":133576,\"InitiatingProcessMD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"InitiatingProcessFileName\":\"MsMpEng.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\programdata\\\\microsoft\\\\windows defender\\\\platform\\\\4.18.2301.6-0\\\\msmpeng.exe\",\"InitiatingProcessCommandLine\":\"\\\"MsMpEng.exe\\\"\",\"SHA1\":\"81ea1283c9c328fef3ea93e92dc827f1280b32aa\",\"FileSize\":1592184,\"MD5\":\"17bd5d291205f95eb9ede9e75d5641d7\",\"FolderPath\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.2301.6-0\\\\MpCmdRun.exe\",\"ProcessCommandLine\":\"\\\"MpCmdRun.exe\\\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 
54\",\"FileName\":\"MpCmdRun.exe\",\"ProcessId\":37788,\"InitiatingProcessId\":5456,\"ProcessCreationTime\":\"2023-01-04T14:15:10.3550336Z\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"DeviceName\":\"ml022\",\"InitiatingProcessCreationTime\":\"2023-01-03T08:51:29.2692792Z\",\"InitiatingProcessAccountName\":\"System\",\"InitiatingProcessAccountDomain\":\"NT\",\"InitiatingProcessAccountSid\":\"S-1-1-11\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":1032,\"ReportId\":104118,\"Timestamp\":\"2023-01-04T14:15:10.4684522Z\",\"InitiatingProcessParentCreationTime\":\"2023-01-03T08:51:26.7402415Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"NT\",\"AccountName\":\"system\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-1-11\",\"AppGuardContainerId\":\"\",\"SHA256\":\"60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf\",\"InitiatingProcessSHA256\":\"52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":null,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"4.18.2301.6\",\"InitiatingProcessVersionInfoInternalFileName\":\"MsMpEng.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"MsMpEng.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Antimalware Service Executable\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"ProcessVersionInfoProductVersion\":\"4.18.2301.6\",\"ProcessVersionInfoInternalFileName\":\"MpCmdRun\",\"ProcessVersionInfoOriginalFileName\":\"MpCmdRun.exe\",\"ProcessVersionInfoFileDescription\":\"Microsoft Malware Protection Command Line Utility\",\"MachineGroup\":\"UnassignedGroup\",\"ActionType\":\"ProcessCreated\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "process" + ], + "dataset": "device_process_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_process_events", - "category": [ - "process" ] }, "@timestamp": "2023-01-04T14:15:10.468452Z", - "file": { - "directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe", - "hash": { - "md5": "17bd5d291205f95eb9ede9e75d5641d7", - "sha1": "81ea1283c9c328fef3ea93e92dc827f1280b32aa", - "sha256": "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf" - }, - "name": "MpCmdRun.exe", - "size": 1592184 - }, - "host": { - "id": "dbe5c34434fb4792bea6874dd0b1f107", - "name": "ml022" - }, - "process": { - "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" - }, - "pid": 37788, - "start": "2023-01-04T14:15:10.355033Z", - "name": "MsMpEng.exe", - "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0", - "user": { - "domain": "NT", - "name": "System", - "id": "S-1-1-11" - }, - "parent": { - "pid": 1032, - "name": "services.exe", - "start": "2023-01-03T08:51:26.740241Z" - }, - "args": [ - "Scan", - "-ScheduleJob", - "-RestrictPrivileges", - "-DailyScan", - "-ScanTrigger", - "54" - ], - "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" - } - }, - "user": { - "domain": "NT", - "name": "system" - }, "action": { - "type": "ProcessCreated", 
"properties": { + "AccountSid": "S-1-1-11", "InitiatingProcessCommandLine": "\"MsMpEng.exe\"", "InitiatingProcessFileSize": 133576, "InitiatingProcessIntegrityLevel": "System", @@ -887,7 +835,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", - "AccountSid": "S-1-1-11", "ProcessIntegrityLevel": "System", "ProcessVersionInfoCompanyName": "Microsoft Corporation", "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", @@ -895,7 +842,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe", "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", "ProcessVersionInfoProductVersion": "4.18.2301.6" - } + }, + "type": "ProcessCreated" + }, + "file": { + "directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe", + "hash": { + "md5": "17bd5d291205f95eb9ede9e75d5641d7", + "sha1": "81ea1283c9c328fef3ea93e92dc827f1280b32aa", + "sha256": "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf" + }, + "name": "MpCmdRun.exe", + "size": 1592184 + }, + "host": { + "id": "dbe5c34434fb4792bea6874dd0b1f107", + "name": "ml022" }, "microsoft": { "defender": { 
@@ -904,6 +866,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "process": { + "args": [ + "-DailyScan", + "-RestrictPrivileges", + "-ScanTrigger", + "-ScheduleJob", + "54", + "Scan" + ], + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + }, + "name": "MsMpEng.exe", + "parent": { + "name": "services.exe", + "pid": 1032, + "start": "2023-01-03T08:51:26.740241Z" + }, + "pid": 37788, + "start": "2023-01-04T14:15:10.355033Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + }, "related": { "hash": [ "17bd5d291205f95eb9ede9e75d5641d7", @@ -916,6 +912,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "system" ] + }, + "user": { + "domain": "NT", + "name": "system" } } 
@@ -929,52 +929,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-01-04T14:37:14.9238631Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceRegistryEvents\",\"properties\":{\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"DeviceName\":\"ml022\",\"ReportId\":19168,\"Timestamp\":\"2023-01-04T14:35:20.6161937Z\",\"RegistryKey\":\"\",\"RegistryValueName\":null,\"RegistryValueType\":\"None\",\"RegistryValueData\":null,\"PreviousRegistryValueData\":null,\"InitiatingProcessSHA1\":\"9df2bc8901233492b2488de8742a35d3d5c46c12\",\"InitiatingProcessFileSize\":445440,\"InitiatingProcessMD5\":\"655381bd34fa7f6421e3740f1fc3c1b1\",\"InitiatingProcessFileName\":\"omadmclient.exe\",\"InitiatingProcessParentFileName\":\"svchost.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\omadmclient.exe\",\"InitiatingProcessCommandLine\":\"\\\"omadmclient.exe\\\" /serverid \\\"1F2E9005-CEAB-4280-83A7-8429D26DE773\\\" /lookuptype 1 /initiator 0\",\"InitiatingProcessCreationTime\":\"2023-03-01T14:34:55.9883418Z\",\"InitiatingProcessParentCreationTime\":\"2023-03-01T09:01:41.8134369Z\",\"InitiatingProcessAccountName\":\"system\",\"InitiatingProcessAccountDomain\":\"NT\",\"InitiatingProcessAccountSid\":\"S-1-1-11\",\"InitiatingProcessParentId\":2196,\"InitiatingProcessId\":25072,\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"PreviousRegistryKey\":\"HKEY_LOCAL_MACHINE\\\\BCD00000000\\\\Objects\\\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\\\Elements\",\"PreviousRegistryValueName\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"RegistryKeyDeleted\",\"InitiatingProcessSHA256\":\"5e7dfefc195fb0286fda79b22d9c9334ed0162d0d3774ca342343df2e4e5df50\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft 
Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.19041.2193\",\"InitiatingProcessVersionInfoInternalFileName\":\"omadmclient\",\"InitiatingProcessVersionInfoOriginalFileName\":\"omadmclient.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Host Process for OMA-DM Client\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}\n", "event": { + "category": [ + "process" + ], + "dataset": "device_registry_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_registry_events", - "category": [ - "process" ] }, "@timestamp": "2023-01-04T14:35:20.616193Z", - "host": { - "id": "dbe5c34434fb4792bea6874dd0b1f107", - "name": "ml022" - }, - "process": { - "hash": { - "md5": "655381bd34fa7f6421e3740f1fc3c1b1", - "sha1": "9df2bc8901233492b2488de8742a35d3d5c46c12", - "sha256": "5e7dfefc195fb0286fda79b22d9c9334ed0162d0d3774ca342343df2e4e5df50" - }, - "pid": 25072, - "start": "2023-03-01T14:34:55.988341Z", - "name": "omadmclient.exe", - "command_line": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", - "working_directory": "c:\\windows\\system32", - "user": { - "domain": "NT", - "name": "system", - "id": "S-1-1-11" - }, - "parent": { - "pid": 2196, - "name": "svchost.exe", - "start": "2023-03-01T09:01:41.813436Z" - }, - "args": [ - "/serverid", - "\"1F2E9005-CEAB-4280-83A7-8429D26DE773\"", - "/lookuptype", - "1", - "/initiator", - "0" - ] - }, "action": { - "type": "RegistryKeyDeleted", "properties": { "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", "InitiatingProcessFileSize": 445440, 
@@ -987,7 +952,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193", "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements" - } + }, + "type": "RegistryKeyDeleted" + }, + "host": { + "id": "dbe5c34434fb4792bea6874dd0b1f107", + "name": "ml022" }, "microsoft": { "defender": { @@ -996,6 +966,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "process": { + "args": [ + "\"1F2E9005-CEAB-4280-83A7-8429D26DE773\"", + "/initiator", + "/lookuptype", + "/serverid", + "0", + "1" + ], + "command_line": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", + "hash": { + "md5": "655381bd34fa7f6421e3740f1fc3c1b1", + "sha1": "9df2bc8901233492b2488de8742a35d3d5c46c12", + "sha256": "5e7dfefc195fb0286fda79b22d9c9334ed0162d0d3774ca342343df2e4e5df50" + }, + "name": "omadmclient.exe", + "parent": { + "name": "svchost.exe", + "pid": 2196, + "start": "2023-03-01T09:01:41.813436Z" + }, + "pid": 25072, + "start": "2023-03-01T14:34:55.988341Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "system" + }, + "working_directory": "c:\\windows\\system32" + }, "related": { "hash": [ "5e7dfefc195fb0286fda79b22d9c9334ed0162d0d3774ca342343df2e4e5df50", 
@@ -1015,53 +1015,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"-\",\"LocalPort\":null,\"RemoteIP\":\"-\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", "event": { + "category": [ + "host" + ], + "dataset": "device_events", "kind": "event", "type": [ "info" - ], - "dataset": "device_events", - "category": [ - "host" ] }, "@timestamp": "2022-09-01T07:09:47.498056Z", - "host": { - "id": "1111111111111111111111111111111111111111", - "name": "test.lab" - }, - "process": { - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": 
"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "name": "software_reporter_tool.exe", - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200", - "user": { - "domain": "intranet", - "name": "group1", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "email": "user@example.org" - }, - "parent": { - "pid": 15532, - "name": "software_reporter_tool.exe", - "start": "2022-09-01T06:56:23.595229Z" - }, - "args": [ - "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"", - "--sandboxed-process-id=2", - "--init-done-notifier=804", - "--sandbox-mojo-pipe-token=**********", - "--mojo-platform-channel-handle=780", - "--engine=2" - ] - }, "action": { - "type": "NtAllocateVirtualMemoryApiCall", "properties": { "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", @@ -1073,7 +1037,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", "InitiatingProcessVersionInfoProductVersion": "102.286.200" - } + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" }, "microsoft": { "defender": { 
@@ -1082,6 +1051,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, "related": { "hash": [ "44543e0c6f30415c670c1322e61ca68602d58708", diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md index bd53bb3456..8c7fd3d9cd 100644 --- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md 
@@ -39,13 +39,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-09T19:48:15.335088Z] [vim.event.HostConnectedEvent] [info] [] [hostname] [11111111] [Connected to test.example.org in hostname]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.HostConnectedEvent", "kind": "event", "type": [ "start" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-09T19:48:15.335088Z", @@ -55,15 +55,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111" + "observer": { + "product": "VCenter", + "vendor": "VMWare" }, "source": { "address": "test.example.org" }, - "observer": { - "vendor": "VMWare", - "product": "VCenter" + "vmware_vcenter": { + "event_id": "11111111" } } 
@@ -77,27 +77,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-02-14T13:54:34.390Z warning vpxd[07879] [Originator@6876 sub=Vmomi opID=60f13d6c] VMOMI activation LRO failed; <<2f06ebe1-8af5-4b00-85a2-afe4bf740b0d, , >, SessionManager, vim.SessionManager.login>, N3Vim5Fault12InvalidLogin9ExceptionE(Fault cause: vim.fault.InvalidLogin\\n--> )\\n--> [context]YmU2ODg4MzhjYTg2ODZlNWM5MDY4OWJmMmFiNTg1Y2VmMTEzN2M5OTliNDhjNzBiOTJmNjdhNWMzNGRjMTU2OTdiNWQxMWM5ODJlZDZkNzFiZTFlMWU3ZjdiNGUwNzMzODg0YWE5N2MzZjdhMzM5YThlZDAzNTc3Y2Y3NGJlMDkgIC0K[/context]", "event": { - "reason": "VMOMI activation LRO failed", + "category": [ + "network" + ], "code": "vim.fault.InvalidLogin", "kind": "event", + "reason": "VMOMI activation LRO failed", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-02-14T13:54:34.390000Z", "log": { "level": "warning" }, - "process": { - "pid": 7879, - "name": "vpxd" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" + }, + "process": { + "name": "vpxd", + "pid": 7879 } } 
@@ -111,40 +111,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-02-14T13:54:34.394Z info vpxd[07879] [Originator@6876 sub=Default opID=60f13d6c] [VpxLRO] -- ERROR lro-1926720284 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin:\\\\n--> Result:\\\\n--> (vim.fault.InvalidLogin) {\\\\n--> faultCause = (vmodl.MethodFault) null, \\\\n--> faultMessage = \\\\n--> msg = \\\"\\\"\\\\n--> }\\\\n--> Args:\\\\n--> \\\\n--> Arg userName:\\\\n--> \\\"username\\\"\\\\n--> Arg password:\\\\n--> (not shown)\\\\n--> \\\\n--> Arg locale:\\\\n--> \\\"en_US\\\"", "event": { - "reason": "[VpxLRO] -- ERROR lro-1926720284 -- SessionManager -- vim.SessionManager.login", + "category": [ + "network" + ], "code": "vim.fault.InvalidLogin", "kind": "event", + "reason": "[VpxLRO] -- ERROR lro-1926720284 -- SessionManager -- vim.SessionManager.login", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-02-14T13:54:34.394000Z", - "user": { - "name": "username" - }, - "log": { - "level": "info" - }, - "process": { - "pid": 7879, - "name": "vpxd" - }, "client": { "geo": { "country_iso_code": "en_US" } }, + "log": { + "level": "info" + }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" + }, + "process": { + "name": "vpxd", + "pid": 7879 }, "related": { "user": [ "username" ] + }, + "user": { + "name": "username" } } 
@@ -158,27 +158,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:31.126Z info envoy[111111111111111] [Originator@6876 sub=Default] 2023-05-11T10:22:31.070Z POST /sdk HTTP/1.1 200 via_upstream - 1670 11032 1 0 0 1.2.3.4:54080 5.6.7.8:443 127.0.0.1:49192 127.0.0.1:8085", "event": { + "category": [ + "network" + ], "kind": "event", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:31.126000Z", - "source": { - "ip": "1.2.3.4", - "port": 54080, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" + "port": 443 }, - "log": { - "level": "info" + "host": { + "ip": "127.0.0.1" }, "http": { "request": { @@ -189,30 +184,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, - "url": { - "path": "/sdk" - }, - "process": { - "pid": 111111111111111, - "name": "envoy" - }, - "host": { - "ip": "127.0.0.1" - }, - "vmware_vcenter": { - "network": { - "port": "49192", - "port2": "8085" - }, - "datetime": "2023-05-11T10:22:31.070Z", - "upstream_status": "via_upstream", - "host": { - "ip2": "127.0.0.1" - } + "log": { + "level": "info" }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" + }, + "process": { + "name": "envoy", + "pid": 111111111111111 }, "related": { "ip": [ @@ -220,6 +201,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "127.0.0.1", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 54080 + }, + "url": { + "path": "/sdk" + }, + "vmware_vcenter": { + "datetime": "2023-05-11T10:22:31.070Z", + "host": { + "ip2": "127.0.0.1" + }, + "network": { + "port": "49192", + "port2": "8085" + }, + "upstream_status": "via_upstream" } } 
@@ -233,49 +233,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[11/May/2023:10:22:24 +0000] tomcat-http--47 [Request] 1.2.3.4:48866 to local 1080 - HTTP/1.1 POST /lookupservice/sdk [Response] 200 - 758 bytes [Perf] process 0ms / commit 0ms / conn [+]", "event": { + "category": [ + "network" + ], "kind": "event", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:24Z", - "source": { - "ip": "1.2.3.4", - "port": 48866, - "address": "1.2.3.4" + "destination": { + "port": 1080 }, "http": { "request": { "method": "POST" }, "response": { - "status_code": 200, - "bytes": 758 + "bytes": 758, + "status_code": 200 }, "version": "1.1" }, - "url": { - "path": "/lookupservice/sdk" - }, - "destination": { - "port": 1080 - }, - "vmware_vcenter": { - "conn_status": "+", - "commit_time": "0", - "thread": "tomcat-http--47" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 48866 + }, + "url": { + "path": "/lookupservice/sdk" + }, + "vmware_vcenter": { + "commit_time": "0", + "conn_status": "+", + "thread": "tomcat-http--47" } } @@ -289,26 +289,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:31.093Z info vpxd[22222] [Originator@6876 sub=vpxLro opID=abcdef01] [VpxLRO] -- FINISH lro--1111111111", "event": { - "reason": "FINISH lro--1111111111", + "category": [ + "network" + ], "kind": "event", + "reason": "FINISH lro--1111111111", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:31.093000Z", "log": { "level": "info" }, - "process": { - "pid": 22222, - "name": "vpxd" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" + }, + "process": { + "name": "vpxd", + "pid": 22222 } } 
@@ -322,26 +322,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:38.102Z info vpxd[22222] [Originator@6876 sub=vpxLro opID=abcdef01] [VpxLRO] -- BEGIN lro--1111111111 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 47f5e298-9aee-4e21-b69b-abc3efd9cd4e(54b2ae59-1b21-4de8-bab0-0d9a415debce)", "event": { - "reason": "BEGIN lro--1111111111 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 47f5e298-9aee-4e21-b69b-abc3efd9cd4e(54b2ae59-1b21-4de8-bab0-0d9a415debce)", + "category": [ + "network" + ], "kind": "event", + "reason": "BEGIN lro--1111111111 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 47f5e298-9aee-4e21-b69b-abc3efd9cd4e(54b2ae59-1b21-4de8-bab0-0d9a415debce)", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:38.102000Z", "log": { "level": "info" }, - "process": { - "pid": 22222, - "name": "vpxd" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" + }, + "process": { + "name": "vpxd", + "pid": 22222 } } 
@@ -355,29 +355,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:33.027Z [pool-24-thread-1] INFO opId=sps-Main-656189-570 com.vmware.vslm.globalcache.GlobalCatalogCache - Calling bulkUpdate with datastore=ds:///vmfs/volumes/1111111-22222222/ fullSync=false changed size: 0 tidyVClock=0 serverLastVClock=-1", "event": { - "reason": "Calling bulkUpdate with datastore=ds:///vmfs/volumes/1111111-22222222/ fullSync=false changed size: 0 tidyVClock=0 serverLastVClock=-1", + "category": [ + "network" + ], "kind": "event", + "reason": "Calling bulkUpdate with datastore=ds:///vmfs/volumes/1111111-22222222/ fullSync=false changed size: 0 tidyVClock=0 serverLastVClock=-1", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:33.027000Z", "log": { "level": "INFO" }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, "process": { "name": "com.vmware.vslm.globalcache.GlobalCatalogCache" }, "vmware_vcenter": { - "thread": "pool-24-thread-1", - "operationID": "sps-Main-656189-570" - }, - "observer": { - "vendor": "VMWare", - "product": "VCenter" + "operationID": "sps-Main-656189-570", + "thread": "pool-24-thread-1" } } @@ -391,19 +391,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)", "event": { - "reason": "GC (Allocation Failure)", + "category": [ + "network" + ], "kind": "event", + "reason": "GC (Allocation Failure)", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.181000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } 
@@ -417,18 +417,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", "event": { - "reason": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", + "category": [ + "network" + ], "kind": "event", + "reason": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", "type": [ "connection" - ], - "category": [ - "network" ] }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } @@ -442,13 +442,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[2023-05-11T13:05:44.744Z] [INFO ] PI-client-connection-monitor c.v.v.a.vapi.runtime.thread.ApacheBioHttpClientBuilderAspect vAPI-client-connection-monitor thread started...", "event": { - "reason": "PI-client-connection-monitor c.v.v.a.vapi.runtime.thread.ApacheBioHttpClientBuilderAspect vAPI-client-connection-monitor thread started...", + "category": [ + "network" + ], "kind": "event", + "reason": "PI-client-connection-monitor c.v.v.a.vapi.runtime.thread.ApacheBioHttpClientBuilderAspect vAPI-client-connection-monitor thread started...", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T13:05:44.744000Z", @@ -456,8 +456,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "INFO" }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } 
@@ -471,19 +471,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.187+0000: 23134193.230: [WeakReference, 0 refs, 0.0000061 secs]", "event": { - "reason": "WeakReference, 0 refs, 0.0000061 secs]", + "category": [ + "network" + ], "kind": "event", + "reason": "WeakReference, 0 refs, 0.0000061 secs]", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.187000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } @@ -497,19 +497,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.187+0000: 23134193.230: [FinalReference, 150 refs, 0.0004388 secs]", "event": { - "reason": "FinalReference, 150 refs, 0.0004388 secs]", + "category": [ + "network" + ], "kind": "event", + "reason": "FinalReference, 150 refs, 0.0004388 secs]", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.187000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } @@ -523,19 +523,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.188+0000: 23134193.230: [PhantomReference, 0 refs, 0 refs, 0.0000065 secs]", "event": { - "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs]", + "category": [ + "network" + ], "kind": "event", + "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs]", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.188000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } 
@@ -549,19 +549,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.188+0000: 23134193.230: [JNI Weak Reference, 0.0000149 secs]", "event": { - "reason": "JNI Weak Reference, 0.0000149 secs]", + "category": [ + "network" + ], "kind": "event", + "reason": "JNI Weak Reference, 0.0000149 secs]", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.188000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } @@ -575,19 +575,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-11T10:22:26.187+0000: 23134193.230: [SoftReference, 0 refs, 0.0000457 secs]", "event": { - "reason": "SoftReference, 0 refs, 0.0000457 secs]", + "category": [ + "network" + ], "kind": "event", + "reason": "SoftReference, 0 refs, 0.0000457 secs]", "type": [ "connection" - ], - "category": [ - "network" ] }, "@timestamp": "2023-05-11T10:22:26.187000Z", "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" } } 
@@ -601,37 +601,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-13T18:07:37.243162Z] [vim.event.BadUsernameSessionEvent] [error] [local-vpxuser] [hostname] [11111111] [Cannot login local-vpxuser@5.6.7.8]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.BadUsernameSessionEvent", "kind": "event", "type": [ "end" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-13T18:07:37.243162Z", - "user": { - "name": "local-vpxuser" - }, - "source": { - "user": { - "name": "local-vpxuser" - } - }, "host": { - "name": "hostname", - "ip": "5.6.7.8" + "ip": "5.6.7.8", + "name": "hostname" }, "log": { "level": "error" }, - "vmware_vcenter": { - "event_id": "11111111" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ @@ -640,6 +629,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "local-vpxuser" ] + }, + "source": { + "user": { + "name": "local-vpxuser" + } + }, + "user": { + "name": "local-vpxuser" + }, + "vmware_vcenter": { + "event_id": "11111111" } } 
@@ -653,31 +653,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-05-11T09:13:29.569403Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\vpxd-extension-3876e603-9146-4105-90ff-075afdf17160] [] [11111111] [User VSPHERE.LOCAL\\vpxd-extension-3876e603-9146-4105-90ff-075afdf17160@10.79.48.3 logged in as VMware vim-java 1.0]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.UserLoginSessionEvent", "kind": "event", "type": [ "start" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-05-11T09:13:29.569403Z", - "user": { - "name": "VMware vim-java 1.0" + "host": { + "ip": "10.79.48.3" }, "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111" - }, - "host": { - "ip": "10.79.48.3" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ @@ -686,6 +680,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "VMware vim-java 1.0" ] + }, + "user": { + "name": "VMware vim-java 1.0" + }, + "vmware_vcenter": { + "event_id": "11111111" } } @@ -699,31 +699,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-14T15:45:26.279286Z] [vim.event.UserLoginSessionEvent] [info] [root] [hostname] [11111111] [User root@127.0.0.1 logged in as pyvmomi]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.UserLoginSessionEvent", "kind": "event", "type": [ "start" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-14T15:45:26.279286Z", - "user": { - "name": "pyvmomi" + "host": { + "ip": "127.0.0.1" }, "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111" - }, - "host": { - "ip": "127.0.0.1" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ 
@@ -732,6 +726,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "pyvmomi" ] + }, + "user": { + "name": "pyvmomi" + }, + "vmware_vcenter": { + "event_id": "11111111" } } @@ -745,46 +745,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-14T15:46:37.629206Z] [vim.event.UserLogoutSessionEvent] [info] [root] [hostname] [11111111] [User root@127.0.0.1 logged out (login time: Tuesday, 14 February, 2023 03:46:37 PM, number of API invocations: 7, user agent: pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64))]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.UserLogoutSessionEvent", "kind": "event", "type": [ "end" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-14T15:46:37.629206Z", - "user_agent": { - "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64))", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Other" - } - }, "host": { - "name": "hostname", - "ip": "127.0.0.1" + "ip": "127.0.0.1", + "name": "hostname" }, "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111", - "login_time": "Tuesday, 14 February, 2023 03:46:37 PM", - "api_invocations": "7" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ "127.0.0.1" ] + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64))", + "os": { + "name": "Other" + } + }, + "vmware_vcenter": { + "api_invocations": "7", + "event_id": "11111111", + "login_time": "Tuesday, 14 February, 2023 03:46:37 PM" } } 
@@ -798,32 +798,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-14T15:48:27.711996Z] [vim.event.EventEx] [info] [] [hostname] [11111111] [SSH session was opened for root@1.2.3.4.]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.EventEx", "kind": "event", "type": [ "info" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-14T15:48:27.711996Z", - "user": { - "name": "root" - }, "host": { - "name": "hostname", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "name": "hostname" }, "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ @@ -832,6 +826,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" + }, + "vmware_vcenter": { + "event_id": "11111111" } } @@ -845,32 +845,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-05-11T10:22:07.587451Z] [vim.event.EventEx] [info] [] [hostname] [11111111] [SSH session was closed for root@1.2.3.4.]", "event": { + "category": [ + "authentication" + ], "code": "vim.event.EventEx", "kind": "event", "type": [ "info" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-05-11T10:22:07.587451Z", - "user": { - "name": "root" - }, "host": { - "name": "hostname", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "name": "hostname" }, "log": { "level": "info" }, - "vmware_vcenter": { - "event_id": "11111111" - }, "observer": { - "vendor": "VMWare", - "product": "VCenter" + "product": "VCenter", + "vendor": "VMWare" }, "related": { "ip": [ 
@@ -879,6 +873,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" + }, + "vmware_vcenter": { + "event_id": "11111111" } } @@ -892,14 +892,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Event [11111111] [1-1] [2023-02-09T19:47:59.332412Z] [vim.event.AlreadyAuthenticatedSessionEvent] [info] [hostname] [] [11111111] [User cannot logon since the user is already logged on]", "event": { - "reason": "already logged on", + "category": [ + "authentication" + ], "code": "vim.event.AlreadyAuthenticatedSessionEvent", "kind": "event", + "reason": "already logged on", "type": [ "end" - ], - "category": [ - "authentication" ] }, "@timestamp": "2023-02-09T19:47:59.332412Z", @@ -909,12 +909,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "level": "info" }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, "vmware_vcenter": { "event_id": "11111111" - }, - "observer": { - "vendor": "VMWare", - "product": "VCenter" } } diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md index cc43bbffe5..26bfb1e41f 100644 --- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md +++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md 
@@ -39,38 +39,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|700211|Attack Discovery Detections|3|deviceExternalId=5 rt=Jan 17 2019 03:38:06 GMT+00:00 dhost=VCAC-Window-331 dst=10.201.86.150 customerExternalID=8c1e2d8f-a03b-47ea-aef8-5aeab99ea697 cn1Label=SLF_RiskLevel cn1=0 cn2Label=SLF_PatternNumber cn2=30.1012.00 cs1Label=SLF_RuleID cs1=powershell invoke expression cat=point of entry cs2Label=SLF_ADEObjectGroup_Info_1 cs2=process - powershell.exe - {#012 \"META_FILE_MD5\" : \"7353f60b1739074eb17c5f4dddefe239\",#012 \"META_FILE_NAME\" : \"powershell.exe\",#012 \"META_FILE_SHA1\" : \"6cbce4a295c163791b60fc23d285e6d84f28ee4c\",#012 \"META_FILE_SHA2\" : \"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",#012 \"META_PATH\" : \"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\windowspowershell\\\\\\\\v1.0\\\\\\\\\",#012 \"META_PROCESS_CMD\" : [ \"powershell iex test2\" ],#012 \"META_PROCESS_PID\" : 10924,#012 \"META_SIGNER\" : \"microsoft windows\",#012 \"META_SIGNER_VALIDATION\" : true,#012 \"META_USER_USER_NAME\" : \"Administrator\",#012 \"META_USER_USER_SERVERNAME\" : \"VCAC-WINDOW-331\",#012 \"OID\" : 1#012}#012", "event": { - "dataset": "Attack Discovery Detections", - "severity": 3, - "kind": "alert", "category": [ "intrusion_detection" ], + "dataset": "Attack Discovery Detections", + "kind": "alert", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2019-01-17T03:38:06Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "700211", - "name": "powershell invoke expression", - "ruleset": "point of entry" - }, "destination": { - "ip": "10.201.86.150", - "address": "10.201.86.150" + "address": "10.201.86.150", + "ip": "10.201.86.150" }, "host": { "name": "VCAC-Window-331" }, + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" + }, "related": { "ip": [ 
"10.201.86.150" ] + }, + "rule": { + "id": "700211", + "name": "powershell invoke expression", + "ruleset": "point of entry" } } @@ -84,36 +84,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|BM:1000|Behavior Monitoring|3|rt=Aug 16 2017 05:00:40 GMT+00:00 dvchost=localhost cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe cn2Label=Event_Type cn2=4 cs1Label=Target cs1=HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\COM+ act=3 cn3Label=Operation cn3=302 shost=shost1 src=10.0.76.40 deviceFacility=Apex One", "event": { - "dataset": "Behavior Monitoring", - "severity": 3, - "kind": "event", + "action": "Terminate", "category": [ "process" ], - "action": "Terminate", + "dataset": "Behavior Monitoring", + "kind": "event", + "severity": 3, "type": [ "end" ] }, "@timestamp": "2017-08-16T05:00:40Z", + "host": { + "name": "localhost" + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, + "process": { + "executable": "C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe" + }, + "related": { + "ip": [ + "10.0.76.40" + ] + }, "rule": { "id": "BM:1000", "name": "Threat behavior analysis" }, - "host": { - "name": "localhost" - }, "source": { - "ip": "10.0.76.40", - "address": "10.0.76.40" - }, - "process": { - "executable": "C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe" + "address": "10.0.76.40", + "ip": "10.0.76.40" }, "trendmicro": { "apexone": { @@ -122,11 +127,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "event_type": "Registry" } - }, - "related": { - "ip": [ - "10.0.76.40" - ] } } 
@@ -140,48 +140,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12 rt=Oct 11 2017 06:34:09 GMT+00:00 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=11.0 shost=ApexOneClient01 src=10.201.86.187 cs3Label=SLF_DomainName cs3=DOMAIN act=Block cn1Label=SLF_CCCA_RiskLevel cn1=1 cn2Label=SLF_CCCA_DetectionSource cn2=1 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=10.201.86.195 deviceProcessName=C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe", "event": { - "dataset": "CnC Callback", - "severity": 3, - "kind": "event", "category": [ "network" ], + "dataset": "CnC Callback", + "kind": "event", + "severity": 3, "type": "info" }, "@timestamp": "2017-10-11T06:34:09Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "CnC:Block" + "destination": { + "address": "10.201.86.195", + "ip": "10.201.86.195" }, "host": { "name": "ApexOneClient01" }, - "source": { - "ip": "10.201.86.187", - "domain": "DOMAIN", - "address": "DOMAIN" - }, - "destination": { - "ip": "10.201.86.195", - "address": "10.201.86.195" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "process": { - "name": "iexplore.exe", "executable": "C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe", + "name": "iexplore.exe", "working_directory": "C:\\\\Program Files (x86)\\\\Internet Explorer\\" }, "related": { + "hosts": [ + "DOMAIN" + ], "ip": [ "10.201.86.187", "10.201.86.195" - ], - "hosts": [ - "DOMAIN" ] + }, + "rule": { + "id": "CnC:Block" + }, + "source": { + "address": "DOMAIN", + "domain": "DOMAIN", + "ip": "10.201.86.187" } } 
@@ -195,47 +195,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|700106|Data Loss Prevention|3|cs3Label=Product_Entity/Endpoint cs3=Sample_Host dvchost=Sampledvchost cs2Label=Policy cs2=N/A cn1Label=Product cn1=15 rt=Oct 13 2017 02:54:04 GMT+00:00 src=10.0.9.34 smac=34-E6-D7-84-BC-7F shost=shost1 cs4Label=Incident_Source_(AD_Account) cs4=12467 filePath=D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z\\\\O2Micro\\\\FORCED\\\\6x86\\\\ fname=O2MDFvst.INF cs5Label=Rule cs5=SAMPLE RULE SET cs6Label=Template cs6=Apex One policy cn3Label=Channel cn3=0 cn2Label=Action cn2=4 deviceFacility=Apex One", "event": { - "dataset": "Data Loss Prevention", - "severity": 3, - "kind": "alert", + "action": "Passed", "category": [ "email" ], + "dataset": "Data Loss Prevention", + "kind": "alert", + "severity": 3, "type": [ "info" - ], - "action": "Passed" + ] }, "@timestamp": "2017-10-13T02:54:04Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "700106", - "name": "SAMPLE RULE SET", - "ruleset": "SAMPLE RULE SET" + "destination": { + "address": "Sampledvchost", + "domain": "Sampledvchost" }, - "source": { - "ip": "10.0.9.34", - "mac": "34-E6-D7-84-BC-7F", - "domain": "shost1", - "address": "shost1" + "file": { + "name": "O2MDFvst.INF", + "path": "D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z\\\\O2Micro\\\\FORCED\\\\6x86\\\\" }, "host": { "name": "shost1" }, - "user": { - "name": "12467" - }, - "file": { - "path": "D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z\\\\O2Micro\\\\FORCED\\\\6x86\\\\", - "name": "O2MDFvst.INF" - }, - "destination": { - "domain": "Sampledvchost", - "address": "Sampledvchost" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "hosts": [ 
@@ -248,6 +234,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "12467" ] + }, + "rule": { + "id": "700106", + "name": "SAMPLE RULE SET", + "ruleset": "SAMPLE RULE SET" + }, + "source": { + "address": "shost1", + "domain": "shost1", + "ip": "10.0.9.34", + "mac": "34-E6-D7-84-BC-7F" + }, + "user": { + "name": "12467" } } @@ -261,50 +261,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|700107|Device Access Control|3|rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=Sample_Host shost=shost1 dvchost=localhost cn1Label=Product cn1=15 sproc=C:\\\\Windows\\\\explorer.exe fname=F:\\\\Autorun.inf cn2Label=Device_Type cn2=0 cn3Label=Permission cn3=3 deviceFacility=Apex One", "event": { + "category": [ + "file" + ], "dataset": "Device Access Control", - "severity": 3, "kind": "event", + "severity": 3, "type": [ "info" - ], - "category": [ - "file" ] }, "@timestamp": "2017-08-16T04:49:15Z", + "destination": { + "address": "localhost", + "domain": "localhost" + }, + "file": { + "name": "F:\\\\Autorun.inf" + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, + "process": { + "executable": "C:\\\\Windows\\\\explorer.exe" + }, + "related": { + "hosts": [ + "localhost", + "shost1" + ] + }, "rule": { "id": "700107" }, "source": { - "domain": "shost1", - "address": "shost1" - }, - "destination": { - "domain": "localhost", - "address": "localhost" - }, - "process": { - "executable": "C:\\\\Windows\\\\explorer.exe" - }, - "file": { - "name": "F:\\\\Autorun.inf" + "address": "shost1", + "domain": "shost1" }, "trendmicro": { "apexone": { "DeviceType": "USB storage device", "Permission": "List device content only" } - }, - "related": { - "hosts": [ - "localhost", - "shost1" - ] } } 
@@ -318,55 +318,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|EAC:1|Endpoint Application Control Violation Information|3|deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.exe cs3Label=Command cs3=C:\\\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked deviceFacility=Trend Micro Endpoint Application Control", "event": { + "category": [ + "process" + ], "dataset": "Endpoint Application Control Violation Information", - "severity": 3, "kind": "event", + "severity": 3, "type": [ "info" - ], - "category": [ - "process" ] }, "@timestamp": "2012-06-27T03:14:03Z", "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, - "rule": { - "id": "EAC:1", - "name": "Test", - "ruleset": "TestPolicy" - }, - "source": { - "user": { - "name": "TMCM\\\\QA" - }, - "ip": "0.0.0.0", - "address": "0.0.0.0" - }, "process": { + "command_line": "C:\\\\P2P_TEST.exe", "executable": "P2P_TEST.exe", "hash": { "sha1": "c0869b72C5606D22D92A6AC986686BB87485A25b" - }, - "command_line": "C:\\\\P2P_TEST.exe" - }, - "user": { - "name": "QA" + } }, "related": { "hash": [ "c0869b72C5606D22D92A6AC986686BB87485A25b" ], + "ip": [ + "0.0.0.0" + ], "user": [ "QA", "TMCM\\\\QA" - ], - "ip": [ - "0.0.0.0" ] + }, + "rule": { + "id": "EAC:1", + "name": "Test", + "ruleset": "TestPolicy" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "user": { + "name": "TMCM\\\\QA" + } + }, + "user": { + "name": "QA" } } 
@@ -380,42 +380,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|800102|Engine Update Status|3|rt=Apr 20 2017 12:04:34 GMT+00:00 shost=shost1 cs2Label=Product/Endpoint_IP cs2=10.0.17.6 cn1Label=Connection_Status cn1=100 cn2Label=Engine cn2=4096 cs5Label=Engine_Version cs5=9.950.1006 cn3Label=Engine_Status cn3=1 cs6Label=AUComponent_Type cs6=1 deviceFacility=Apex One", "event": { - "dataset": "Engine Update Status", - "severity": 3, - "kind": "event", "category": [ "process" ], + "dataset": "Engine Update Status", + "kind": "event", + "severity": 3, "type": [ "change" ] }, "@timestamp": "2017-04-20T12:04:34Z", + "host": { + "name": "shost1" + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, + "related": { + "ip": [ + "10.0.17.6" + ] + }, "rule": { "id": "800102" }, - "host": { - "name": "shost1" - }, "source": { - "ip": "10.0.17.6", - "address": "10.0.17.6" + "address": "10.0.17.6", + "ip": "10.0.17.6" }, "trendmicro": { "apexone": { "Engine": "4096", "Engine_Status": "In use" } - }, - "related": { - "ip": [ - "10.0.17.6" - ] } } 
@@ -429,30 +429,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|700211|Managed Product Logon/Logoff Events|3|deviceExternalId=11 shost=SMEX01 deviceFacility=ScanMail for Microsoft Exchange cs1Label=Product_Version cs1=14 cn1Label=Command_Status cn1=110 msg=A user withthe Administrator role(s) has logged on. Detail Information :UserName:TEST2013\\\\administrator,IP address:10.204.166.127,EventType:Log in/out,SourceType:SMEX UI.", "event": { - "dataset": "Managed Product Logon/Logoff Events", - "severity": 3, - "kind": "event", "category": [ "authentication" ], + "dataset": "Managed Product Logon/Logoff Events", + "kind": "event", + "reason": "A user withthe Administrator role(s) has logged on. Detail Information :UserName:TEST2013\\\\administrator,IP address:10.204.166.127,EventType:Log in/out,SourceType:SMEX UI.", + "severity": 3, "type": [ "info" - ], - "reason": "A user withthe Administrator role(s) has logged on. Detail Information :UserName:TEST2013\\\\administrator,IP address:10.204.166.127,EventType:Log in/out,SourceType:SMEX UI." + ] + }, + "host": { + "name": "SMEX01" }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, - "rule": { - "id": "700211" - }, "process": { "title": "ScanMail for Microsoft Exchange" }, - "host": { - "name": "SMEX01" + "rule": { + "id": "700211" } } 
@@ -466,50 +466,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|NCIE:Pass|Suspicious Connection|3|deviceExternalId=1 rt=Oct 11 2017 06:34:06 GMT+00:00 cat=1756 deviceFacility=Apex One deviceProcessName=C:\\\\Windows\\\\system32\\\\svchost-1.exe act=Pass src=10.201.86.152 dst=10.69.81.64 spt=54594 dpt=80 deviceDirection=None cn1Label=SLF_PatternType cn1=2 cs2Label=NCIE_ThreatName cs2=Malicious_identified_CnC_querying_on_UDP_detected", "event": { - "dataset": "Suspicious Connection", - "severity": 3, - "kind": "event", + "action": "Pass", "category": [ "network" ], + "code": "1756", + "dataset": "Suspicious Connection", + "kind": "event", + "severity": 3, "type": [ "allowed" - ], - "code": "1756", - "action": "Pass" + ] }, "@timestamp": "2017-10-11T06:34:06Z", + "destination": { + "address": "10.69.81.64", + "ip": "10.69.81.64", + "port": 80 + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, - "rule": { - "id": "NCIE:Pass" - }, "process": { "executable": "C:\\\\Windows\\\\system32\\\\svchost-1.exe" }, + "related": { + "ip": [ + "10.201.86.152", + "10.69.81.64" + ] + }, + "rule": { + "id": "NCIE:Pass" + }, "source": { + "address": "10.201.86.152", "ip": "10.201.86.152", - "port": 54594, - "address": "10.201.86.152" - }, - "destination": { - "ip": "10.69.81.64", - "port": 80, - "address": "10.69.81.64" + "port": 54594 }, "trendmicro": { "apexone": { "NCIE_ThreatName": "Malicious_identified_CnC_querying_on_UDP_detected" } - }, - "related": { - "ip": [ - "10.201.86.152", - "10.69.81.64" - ] } } 
@@ -523,42 +523,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Nov 02 2017 12:46:44 GMT+00:00 shost=shost1 cs1Label=Operating_System cs1=Windows 7 cs2Label=Product/Endpoint_IP cs2=10.0.7.20 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Default cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=2048 cs5Label=Pattern/Rule_Version cs5=1548 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One", "event": { - "dataset": "Pattern Update Status", - "severity": 3, - "kind": "event", "category": [ "configuration" ], + "dataset": "Pattern Update Status", + "kind": "event", + "severity": 3, "type": [ "change" ] }, "@timestamp": "2017-11-02T12:46:44Z", + "host": { + "ip": "10.0.7.20", + "name": "shost1", + "os": { + "name": "Windows 7" + } + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, + "related": { + "ip": [ + "10.0.7.20" + ] + }, "rule": { "id": "2048" }, - "host": { - "name": "shost1", - "os": { - "name": "Windows 7" - }, - "ip": "10.0.7.20" - }, "trendmicro": { "apexone": { "Connection_Status": 100, "Pattern_RuleStatus": "1 version old" } - }, - "related": { - "ip": [ - "10.0.7.20" - ] } } 
@@ -572,50 +572,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|PML:File cleaned|virusa|3|deviceFacility=1 dvchost=Sample_Host cs2Label=DetectionName cs2=virusa suser=Sample\\\\Administrator cn2Label=DetectionType cn2=0 filePath=C:\\\\WindowsFILENAME deviceCustomDate1Label=FileCreationDate deviceCustomDate1=Nov 03 2016 08:58:03 GMT+00:00 sproc=notepad.exe cs4Label=ProcessCommandLine cs4=notepad.exe -test duser=admin app=2 cs3Label=InfectionLocation cs3=http://10.0.0.1/ dst=10.0.17.6 cn3Label=Confidence cn3=82 act=21", "event": { - "dataset": "virusa", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "dataset": "virusa", + "kind": "alert", + "severity": 3, "type": [ "info" ] }, - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "PML:File cleaned" - }, "file": { - "path": "C:\\\\WindowsFILENAME", + "directory": "C:\\", "name": "WindowsFILENAME", - "directory": "C:\\" - }, - "user": { - "target": { - "name": [ - "admin" - ] - }, - "name": "Sample\\\\Administrator" + "path": "C:\\\\WindowsFILENAME" }, "host": { "ip": "10.0.17.6" }, - "url": { - "original": "http://10.0.0.1/", - "domain": "10.0.0.1", - "path": "/", - "scheme": "http", - "port": 80 + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "process": { - "executable": "notepad.exe", - "command_line": "notepad.exe -test" + "command_line": "notepad.exe -test", + "executable": "notepad.exe" }, "related": { "ip": [ @@ -624,6 +606,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Sample\\\\Administrator" ] + }, + "rule": { + "id": "PML:File cleaned" + }, + "url": { + "domain": "10.0.0.1", + "original": "http://10.0.0.1/", + "path": "/", + "port": 80, + "scheme": "http" + }, + "user": { + "name": "Sample\\\\Administrator", + "target": { + "name": [ + "admin" + ] + } } } 
@@ -637,57 +637,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|VAD|VAN_RANSOMWARE.umxxhelloransom_abc|3|deviceExternalId=2 rt=Mar 22 2018 08:23:23 GMT+00:00 deviceFacility=Apex One dvchost=OSCE01 dhost=Isolate-ClientA dst=0.0.0.0 app=1 sourceServiceNameTest1@trend.com.tw destinationServiceName=Test2@tmcm.extbeta.com;Test3@tmcm.extbeta.com sproc=VA fileHash=3395856CE81F2B7382DEE72602F798B642F14140 fname=C:\\\\\\\\QA_Log.zip request=http://127.1.1.1 cs1Label=Security_Threat cs1=VAN_RANSOMWARE.umxxhelloransom_abc cn1Label=Risk_Level cn1=0 cs2Label=Threat_Categories cs2=Anti-security, self-preservation cs3Label=Cloud_Service_Vendor cs3=Google Drive", "event": { - "dataset": "VAN_RANSOMWARE.umxxhelloransom_abc", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "dataset": "VAN_RANSOMWARE.umxxhelloransom_abc", + "kind": "alert", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2018-03-22T08:23:23Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "VAD" + "file": { + "directory": "C:\\\\\\", + "hash": { + "sha1": "3395856CE81F2B7382DEE72602F798B642F14140" + }, + "name": "QA_Log.zip", + "path": "C:\\\\\\\\QA_Log.zip" }, "host": { "name": "Isolate-ClientA" }, + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" + }, "process": { "name": "VA" }, - "file": { - "hash": { - "sha1": "3395856CE81F2B7382DEE72602F798B642F14140" - }, - "path": "C:\\\\\\\\QA_Log.zip", - "name": "QA_Log.zip", - "directory": "C:\\\\\\" + "related": { + "hash": [ + "3395856CE81F2B7382DEE72602F798B642F14140" + ] }, - "url": { - "original": "http://127.1.1.1", - "domain": "127.1.1.1", - "scheme": "http", - "port": 80 + "rule": { + "id": "VAD" }, "trendmicro": { "apexone": { - "Security_Threat": "VAN_RANSOMWARE.umxxhelloransom_abc", + "Cloud_Service_Vendor": "Google Drive", "Risk_Level": 0, - 
"Threat_Categories": "Anti-security, self-preservation", - "Cloud_Service_Vendor": "Google Drive" + "Security_Threat": "VAN_RANSOMWARE.umxxhelloransom_abc", + "Threat_Categories": "Anti-security, self-preservation" } }, - "related": { - "hash": [ - "3395856CE81F2B7382DEE72602F798B642F14140" - ] + "url": { + "domain": "127.1.1.1", + "original": "http://127.1.1.1", + "port": 80, + "scheme": "http" } } 
@@ -701,61 +701,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|MS:0|This is a policy name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=0 cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=SL_FilterType cs3=0 cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=SL_MessageAction cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=CLF_ServerityCode cn1=2 fname=NE_AEP.1550 msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com deviceFacility=Deep Discovery Email Inspector src=10.206.155.122", "event": { - "dataset": "This is a policy name", - "severity": 3, - "kind": "event", + "action": "Unknown", "category": [ "email" ], + "code": "20", + "dataset": "This is a policy name", + "kind": "event", + "severity": 3, "type": [ "info" - ], - "code": "20", - "action": "Unknown" + ] }, "@timestamp": "2018-09-17T01:27:42Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "MS:0", - "ruleset": "1705" - }, "email": { - "to": { - "address": [ - "user@test.com" - ] - }, "from": { "address": [ "user2@test.com" ] }, - "subject": "plain_qp_no8_av1u_NE_AEP.1550" + "subject": "plain_qp_no8_av1u_NE_AEP.1550", + "to": { + "address": [ + "user@test.com" + ] + } + }, + "file": { + "name": "NE_AEP.1550" }, "host": { "name": "ApexOneClient01" }, - "file": { - "name": "NE_AEP.1550" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" + }, + "related": { + "ip": [ + "10.206.155.122" + ] + }, + "rule": { + "id": "MS:0", + "ruleset": "1705" }, "source": { - "ip": "10.206.155.122", - "address": "10.206.155.122" + "address": "10.206.155.122", + "ip": "10.206.155.122" }, "trendmicro": { "apexone": { "SL_FilterType": "Unknown", "SL_MessageAction": "Unknown" } - }, - "related": { - "ip": [ - "10.206.155.122" - ] } } 
@@ -769,47 +769,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=15 rt=2023-03-13 13:05:13 cnt=1 dhost=mymachine.local cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=HKTL_MIMIKATZ64 cs2Label=EngineVersion cs2=6.2.4063 cs5Label=ActionResult cs5=Acc\u00e8s refus\u00e9 cs6Label=PatternVersion cs6=2603 cat=1727 dvchost=zettiz.manage.trendmicro.com fname=C:\\\\Users\\\\adminuser\\\\Downloads\\\\mimikatz_trunk.KYaAbNAv.zip.part(x64\\\\mimidrv.sys) filePath=C:\\\\Users\\\\adminuser\\\\Downloads\\\\mimikatz_trunk.KYaAbNAv.zip.part(x64\\\\mimidrv.sys) dst=10.0.4.5 TMCMLogDetectedIP=10.0.4.5 TMCMLogDetectedHost=mymachine.local deviceFacility=Apex One fileHash=4112EF95386EA4D1131BE7C600D49A310E9D8F5B duser=adminuser cn2Label=SpywareHostDetail_ScanType cn2=11 cn3Label=SpywareHostDetail_RiskType cn3=0 ApexCentralHost=Apex Central as a Service devicePayloadId=70003A0D208D-A9F111ED-C19F-EAC6-541C TMCMdevicePlatform=Windows 10 10.0 (Build 19044) deviceNtDomain=N/A dntdom=Workgroup\\\\ ", "event": { - "dataset": "Spyware Detected", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "dataset": "Spyware Detected", + "kind": "alert", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-03-13T13:05:13Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "Spyware Detected" - }, - "trendmicro": { - "apexone": { - "VirusName": "HKTL_MIMIKATZ64" - } - }, "file": { - "path": "C:\\\\Users\\\\adminuser\\\\Downloads\\\\mimikatz_trunk.KYaAbNAv.zip.part(x64\\\\mimidrv.sys)", - "name": "mimidrv.sys)", "directory": "C:\\\\Users\\\\adminuser\\\\Downloads\\\\mimikatz_trunk.KYaAbNAv.zip.part(x64\\", "hash": { "sha1": "4112EF95386EA4D1131BE7C600D49A310E9D8F5B" - } + }, + "name": "mimidrv.sys)", + "path": 
"C:\\\\Users\\\\adminuser\\\\Downloads\\\\mimikatz_trunk.KYaAbNAv.zip.part(x64\\\\mimidrv.sys)" }, "host": { "name": "mymachine.local" }, - "source": { - "ip": "10.0.4.5", - "address": "10.0.4.5" - }, - "user": { - "name": "adminuser" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "hash": [ @@ -821,6 +806,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "adminuser" ] + }, + "rule": { + "id": "Spyware Detected" + }, + "source": { + "address": "10.0.4.5", + "ip": "10.0.4.5" + }, + "trendmicro": { + "apexone": { + "VirusName": "HKTL_MIMIKATZ64" + } + }, + "user": { + "name": "adminuser" } } 
@@ -834,46 +834,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|Spyware Detected|Spyware Detected|3|deviceExternalId=3 rt=Oct 06 2017 08:39:46 GMT+00:00 cnt=1 dhost=ApexOneClient01 cn1Label=PatternType cn1=1073741840 cs1Label=VirusName cs1=ADW_OPENCANDY cs2Label=EngineVersion cs2=6.2.3027 cs5Label=ActionResult cs5=Reboot system successfully cs6Label=PatternVersion cs6=1297 cat=1727 dvchost=ApexOneClient01 fname=F:\\\\Malware\\\\psas\\\\rsrc2.bin filePath=F:\\\\Malware\\\\psas\\\\rsrc2.bin dst=50.8.1.1 deviceFacility=Apex One", "event": { - "dataset": "Spyware Detected", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "dataset": "Spyware Detected", + "kind": "alert", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2017-10-06T08:39:46Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "Spyware Detected" - }, - "trendmicro": { - "apexone": { - "VirusName": "ADW_OPENCANDY" - } - }, "file": { - "path": "F:\\\\Malware\\\\psas\\\\rsrc2.bin", + "directory": "F:\\\\Malware\\\\psas\\", "name": "rsrc2.bin", - "directory": "F:\\\\Malware\\\\psas\\" + "path": "F:\\\\Malware\\\\psas\\\\rsrc2.bin" }, "host": { "name": "ApexOneClient01" }, - "source": { - "ip": "50.8.1.1", - "address": "50.8.1.1" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "ip": [ "50.8.1.1" ] + }, + "rule": { + "id": "Spyware Detected" + }, + "source": { + "address": "50.8.1.1", + "ip": "50.8.1.1" + }, + "trendmicro": { + "apexone": { + "VirusName": "ADW_OPENCANDY" + } } } 
@@ -887,40 +887,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|FH:Log|Suspicious Files|3|deviceExternalId=1 rt=Nov 15 2016 02:47:21 GMT+00:00 cat=1766 deviceFacility=Apex One cn1Label=SLF_ProductVersion cn1=11 dst=10.201.86.151 dhost=APEX-ONE-CLIENT-1 cs2Label=SLF_TrueFileType cs2=SLF_TrueFileType fileHash=D6712CAE5EC821F910E14945153AE7871AA536CA cs3Label=SLF_FileSource cs3=C:\\\\Users\\\\Administrator\\\\Desktop\\\\BT-SHA1-SAMPLE\\\\BT-SHA1-SAMPLE\\\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE cn2Label=SLF_SourceType cn2=0 act=Log cn3Label=SLF_ScanType cn3=1", "event": { - "dataset": "Suspicious Files", - "severity": 3, - "kind": "alert", + "action": "Log", "category": [ "malware" ], + "dataset": "Suspicious Files", + "kind": "alert", + "severity": 3, "type": [ "info" - ], - "action": "Log" + ] }, "@timestamp": "2016-11-15T02:47:21Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "FH:Log" - }, "file": { - "path": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\BT-SHA1-SAMPLE\\\\BT-SHA1-SAMPLE\\\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE", - "name": "017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE", "directory": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\BT-SHA1-SAMPLE\\\\BT-SHA1-SAMPLE\\", "hash": { "sha1": "D6712CAE5EC821F910E14945153AE7871AA536CA" - } + }, + "name": "017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE", + "path": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\BT-SHA1-SAMPLE\\\\BT-SHA1-SAMPLE\\\\017545113A434757C5F0F13095DBBF138BD76A40;0x36D572AE" }, "host": { "name": "APEX-ONE-CLIENT-1" }, - "source": { - "ip": "10.201.86.151", - "address": "10.201.86.151" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "hash": [ 
@@ -929,6 +922,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "10.201.86.151" ] + }, + "rule": { + "id": "FH:Log" + }, + "source": { + "address": "10.201.86.151", + "ip": "10.201.86.151" } } 
@@ -942,61 +942,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|MS:0|This is a policy name|3|deviceExternalId=90045 rt=Sep 17 2018 01:27:42 GMT+00:00 dhost=user@test.com duser=user@test.com act=0 cs2Label=CLF_ProductVersion cs2=3.2 cs3Label=SL_FilterType cs3=0 cs5Label=CLF_ReasonCodeSource cs5=20 cs6Label=SL_MessageAction cs6=0 cat=1705 dvchost=ApexOneClient01 cn1Label=CLF_ServerityCode cn1=2 fname=NE_AEP.1550 msg=plain_qp_no8_av1u_NE_AEP.1550 shost=user2@test.com suser=user2@test.com deviceFacility=Deep Discovery Email Inspector src=10.206.155.122", "event": { - "dataset": "This is a policy name", - "severity": 3, - "kind": "event", + "action": "Unknown", "category": [ "email" ], + "code": "20", + "dataset": "This is a policy name", + "kind": "event", + "severity": 3, "type": [ "info" - ], - "code": "20", - "action": "Unknown" + ] }, "@timestamp": "2018-09-17T01:27:42Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "MS:0", - "ruleset": "1705" - }, "email": { - "to": { - "address": [ - "user@test.com" - ] - }, "from": { "address": [ "user2@test.com" ] }, - "subject": "plain_qp_no8_av1u_NE_AEP.1550" + "subject": "plain_qp_no8_av1u_NE_AEP.1550", + "to": { + "address": [ + "user@test.com" + ] + } + }, + "file": { + "name": "NE_AEP.1550" }, "host": { "name": "ApexOneClient01" }, - "file": { - "name": "NE_AEP.1550" + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" + }, + "related": { + "ip": [ + "10.206.155.122" + ] + }, + "rule": { + "id": "MS:0", + "ruleset": "1705" }, "source": { - "ip": "10.206.155.122", - "address": "10.206.155.122" + "address": "10.206.155.122", + "ip": "10.206.155.122" }, "trendmicro": { "apexone": { "SL_FilterType": "Unknown", "SL_MessageAction": "Unknown" } - }, - "related": { - "ip": [ - "10.206.155.122" - ] } } 
@@ -1010,39 +1010,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|AV:File renamed|JS_EXPLOIT.SMDN|3|deviceExternalId=104 rt=Feb 18 2016 14:34:00 GMT+00:00 cnt=1 dhost=ApexOneClient01 duser=Admin004 act=File renamed cn1Label=VLF_PatternNumber cn1=920500 cn2Label=VLF_SecondAction cn2=3 cs1Label=VLF_FunctionCode cs1=Manual Scan cs2Label=VLF_EngineVersion cs2=9.500.1005 cs3Label=CLF_ProductVersion cs3=10.6 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File renamed cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=ApexOneServer01 cn3Label=CLF_ServerityCode cn3=2 fname=0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2 filePath=C:\\\\Users\\\\Administrator\\\\Desktop\\\\trend_test_virus\\\\Trojans\\\\ msg=BMAC Schedule of Events.xls shost=ABC-OSCE-WKS12 suser=ABC-OSCE-WKS12 dst=10.201.129.24 deviceFacility=Apex One", "event": { - "dataset": "JS_EXPLOIT.SMDN", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "code": "virus log", + "dataset": "JS_EXPLOIT.SMDN", + "kind": "alert", + "severity": 3, "type": [ "info" - ], - "code": "virus log" + ] }, "@timestamp": "2016-02-18T14:34:00Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "AV:File renamed" - }, - "host": { - "name": "ApexOneClient01" - }, - "user": { - "name": "Admin004" - }, "file": { "name": "0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2", "path": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\trend_test_virus\\\\Trojans\\\\" }, - "source": { - "ip": "10.201.129.24", - "address": "10.201.129.24" + "host": { + "name": "ApexOneClient01" + }, + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "ip": [ 
@@ -1051,6 +1041,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Admin004" ] + }, + "rule": { + "id": "AV:File renamed" + }, + "source": { + "address": "10.201.129.24", + "ip": "10.201.129.24" + }, + "user": { + "name": "Admin004" } } 
@@ -1064,39 +1064,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|AV:Fichier nettoy\u00e9|WORM_GAMARUE.ITK|3|deviceExternalId=7 rt=2023-03-15 13:23:47 cnt=1 dhost=mymachine.local TMCMLogDetectedHost=mymachine.local duser=mymachine.local\\\\adminuser act=Fichier nettoy\u00e9 cn1Label=VLF_PatternNumber cn1=1831100 cn2Label=VLF_SecondAction cn2=1 cs1Label=VLF_FunctionCode cs1=Scan en temps r\u00e9el cs2Label=VLF_EngineVersion cs2=22.580.1004 cs3Label=CLF_ProductVersion cs3=14.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=Fichier nettoy\u00e9 cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=zettiz.manage.trendmicro.com cn3Label=SummaryToExport_OverallRiskRating cn3=1 fname=5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687 filePath=C:\\\\Users\\\\adminuser\\\\Downloads\\\\5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687\\\\ dst=10.0.4.5 TMCMLogDetectedIP=10.0.4.5 deviceFacility=Apex One ApexCentralHost=Apex Central as a Service reason=G devicePayloadId=70003A0D208D-A9F111ED-C334-C056-44DE TMCMdevicePlatform=Windows 10 10.0 (Build 19044) deviceNtDomain=N/A dntdom=Workgroup\\\\", "event": { - "dataset": "WORM_GAMARUE.ITK", - "severity": 3, - "kind": "alert", "category": [ "malware" ], + "code": "virus log", + "dataset": "WORM_GAMARUE.ITK", + "kind": "alert", + "severity": 3, "type": [ "info" - ], - "code": "virus log" + ] }, "@timestamp": "2023-03-15T13:23:47Z", - "observer": { - "vendor": "Trend Micro", - "product": "Apex Central", - "version": "2019" - }, - "rule": { - "id": "AV:Fichier nettoy\u00e9" - }, - "host": { - "name": "mymachine.local" - }, - "user": { - "name": "mymachine.local\\\\adminuser" - }, "file": { "name": "5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687", "path": "C:\\\\Users\\\\adminuser\\\\Downloads\\\\5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687\\\\" }, - 
"source": { - "ip": "10.0.4.5", - "address": "10.0.4.5" + "host": { + "name": "mymachine.local" + }, + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" }, "related": { "ip": [ @@ -1105,6 +1095,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "mymachine.local\\\\adminuser" ] + }, + "rule": { + "id": "AV:Fichier nettoy\u00e9" + }, + "source": { + "address": "10.0.4.5", + "ip": "10.0.4.5" + }, + "user": { + "name": "mymachine.local\\\\adminuser" } } 
@@ -1118,58 +1118,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Apex Central|2019|WB:7|7|3|deviceExternalId=38 rt=Nov 15 2017 08:43:57 GMT+00:00 app=17 cntLabel=AggregatedCount cnt=1 dpt=80 act=1 src=10.1.128.46 cs1Label=SLF_PolicyName cs1=External User Policy deviceDirection=2 cat=7 dvchost=ApexOneClient08 fname=test.txt request=http://www.violetsoft.net/counter/insert.php?dbserver\\=db1&c_pcode\\=25&c_pid\\=funpop1&c_kind\\=4&c_mac\\=FE-ED-BE-EF-0C-E1 deviceFacility=Apex One shost=ABC-HOST-WKS12", "event": { - "dataset": "7", - "severity": 3, - "kind": "event", + "action": "Pass", "category": [ "network" ], - "action": "Pass", + "dataset": "7", + "kind": "event", + "severity": 3, "type": [ "allowed" ] }, "@timestamp": "2017-11-15T08:43:57Z", + "destination": { + "port": 80 + }, + "file": { + "name": "test.txt" + }, + "host": { + "name": "ApexOneClient08" + }, + "network": { + "direction": "Outbound" + }, "observer": { - "vendor": "Trend Micro", "product": "Apex Central", + "vendor": "Trend Micro", "version": "2019" }, + "related": { + "ip": [ + "10.1.128.46" + ] + }, "rule": { "id": "WB:7", "ruleset": "External User Policy" }, - "destination": { - "port": 80 - }, "source": { - "ip": "10.1.128.46", - "address": "10.1.128.46" - }, - "host": { - "name": "ApexOneClient08" - }, - "file": { - "name": "test.txt" + "address": "10.1.128.46", + "ip": "10.1.128.46" }, "url": { - "original": "http://www.violetsoft.net/counter/insert.php?dbserver\\=db1&c_pcode\\=25&c_pid\\=funpop1&c_kind\\=4&c_mac\\=FE-ED-BE-EF-0C-E1", "domain": "www.violetsoft.net", - "top_level_domain": "net", - "subdomain": "www", - "registered_domain": "violetsoft.net", + "original": "http://www.violetsoft.net/counter/insert.php?dbserver\\=db1&c_pcode\\=25&c_pid\\=funpop1&c_kind\\=4&c_mac\\=FE-ED-BE-EF-0C-E1", "path": "/counter/insert.php", + "port": 80, "query": 
"dbserver\\=db1&c_pcode\\=25&c_pid\\=funpop1&c_kind\\=4&c_mac\\=FE-ED-BE-EF-0C-E1", + "registered_domain": "violetsoft.net", "scheme": "http", - "port": 80 - }, - "network": { - "direction": "Outbound" - }, - "related": { - "ip": [ - "10.1.128.46" - ] + "subdomain": "www", + "top_level_domain": "net" } } diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index 46958ce788..119a5c85bf 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md @@ -38,36 +38,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 424805057484 eni-0f06a40fc9be596f6 212.83.179.156 10.0.0.96 123 123 17 2 152 1599665193 1599665488 ACCEPT OK", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], - "start": "2020-09-09T15:26:33Z", "end": "2020-09-09T15:31:28Z", - "action": "accept", + "kind": "event", + "start": "2020-09-09T15:26:33Z", "type": [ "allowed" ] }, + "@timestamp": "2020-09-09T15:26:33Z", "action": { - "outcome": "ok", - "type": "forward", "name": "accept", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "424805057484" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "424805057484" } }, "destination": { - "port": 123, + "address": "10.0.0.96", "ip": "10.0.0.96", - "address": "10.0.0.96" + "port": 123 }, "network": { "iana_number": "17", 
@@ -80,22 +81,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "10.0.0.96", + "212.83.179.156" + ] + }, "source": { - "port": 123, + "address": "212.83.179.156", "bytes": 152, - "packets": 2, "ip": "212.83.179.156", - "address": "212.83.179.156" + "packets": 2, + "port": 123 }, "user": { "id": "424805057484" - }, - "@timestamp": "2020-09-09T15:26:33Z", - "related": { - "ip": [ - "10.0.0.96", - "212.83.179.156" - ] } } @@ -109,36 +109,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"5.6.7.8\",\"dstaddr\":\"1.2.3.4\",\"srcport\":4712,\"dstport\":53205,\"protocol\":6,\"packets\":12,\"bytes\":2610,\"start\":1661950735,\"end\":1661950746,\"action\":\"ACCEPT\",\"log_status\":\"OK\"}\n", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], - "start": "2022-08-31T12:58:55Z", "end": "2022-08-31T12:59:06Z", - "action": "accept", + "kind": "event", + "start": "2022-08-31T12:58:55Z", "type": [ "allowed" ] }, + "@timestamp": "2022-08-31T12:58:55Z", "action": { - "outcome": "ok", - "type": "forward", "name": "accept", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "424805057484" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "424805057484" } }, "destination": { - "port": 53205, + "address": "1.2.3.4", "ip": "1.2.3.4", - "address": "1.2.3.4" + "port": 53205 }, "network": { "iana_number": "6", 
@@ -151,22 +152,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "source": { - "port": 4712, + "address": "5.6.7.8", "bytes": 2610, - "packets": 12, "ip": "5.6.7.8", - "address": "5.6.7.8" + "packets": 12, + "port": 4712 }, "user": { "id": "424805057484" - }, - "@timestamp": "2022-08-31T12:58:55Z", - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] } } @@ -180,36 +180,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "5 424805057484 eni-1235b8ca123456789 52.95.128.179 10.0.0.71 46945 53 17 1 73 1658131186 1658131216 ACCEPT OK vpc-abcdefab012345678 subnet-aaaaaaaa012345678 - 0 IPv4 52.95.128.179 10.0.0.71 eu-west-1 euw1-az3 - - - - egress 8", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], - "start": "2022-07-18T07:59:46Z", "end": "2022-07-18T08:00:16Z", - "action": "accept", + "kind": "event", + "start": "2022-07-18T07:59:46Z", "type": [ "allowed" ] }, + "@timestamp": "2022-07-18T07:59:46Z", "action": { - "outcome": "ok", - "type": "forward", "name": "accept", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "424805057484" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "424805057484" } }, "destination": { - "port": 53, + "address": "10.0.0.71", "ip": "10.0.0.71", - "address": "10.0.0.71" + "port": 53 }, "network": { "iana_number": "17", 
@@ -222,22 +223,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "10.0.0.71", + "52.95.128.179" + ] + }, "source": { - "port": 46945, + "address": "52.95.128.179", "bytes": 73, - "packets": 1, "ip": "52.95.128.179", - "address": "52.95.128.179" + "packets": 1, + "port": 46945 }, "user": { "id": "424805057484" - }, - "@timestamp": "2022-07-18T07:59:46Z", - "related": { - "ip": [ - "10.0.0.71", - "52.95.128.179" - ] } } @@ -251,36 +251,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], - "start": "2016-10-31T11:35:08Z", "end": "2016-10-31T11:37:00Z", - "action": "accept", + "kind": "event", + "start": "2016-10-31T11:35:08Z", "type": [ "allowed" ] }, + "@timestamp": "2016-10-31T11:35:08Z", "action": { - "outcome": "ok", - "type": "forward", "name": "accept", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "123456789010" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "123456789010" } }, "destination": { - "port": 22, + "address": "2001:db8:1234:a102:3304:8879:34cf:4071", "ip": "2001:db8:1234:a102:3304:8879:34cf:4071", - "address": "2001:db8:1234:a102:3304:8879:34cf:4071" + "port": 22 }, "network": { "iana_number": "6", 
@@ -293,22 +294,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "2001:db8:1234:a100:8d6e:3477:df66:f105", + "2001:db8:1234:a102:3304:8879:34cf:4071" + ] + }, "source": { - "port": 34892, + "address": "2001:db8:1234:a100:8d6e:3477:df66:f105", "bytes": 8855, - "packets": 54, "ip": "2001:db8:1234:a100:8d6e:3477:df66:f105", - "address": "2001:db8:1234:a100:8d6e:3477:df66:f105" + "packets": 54, + "port": 34892 }, "user": { "id": "123456789010" - }, - "@timestamp": "2016-10-31T11:35:08Z", - "related": { - "ip": [ - "2001:db8:1234:a100:8d6e:3477:df66:f105", - "2001:db8:1234:a102:3304:8879:34cf:4071" - ] } } @@ -322,24 +322,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA", "event": { - "kind": "event", "category": [ "network" ], - "start": "2015-05-10T18:01:16Z", - "end": "2015-05-10T18:02:14Z" + "end": "2015-05-10T18:02:14Z", + "kind": "event", + "start": "2015-05-10T18:01:16Z" }, + "@timestamp": "2015-05-10T18:01:16Z", "action": { "outcome": "nodata", "type": "forward" }, "cloud": { + "account": { + "id": "123456789010" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "123456789010" } }, "observer": { @@ -351,8 +352,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "user": { "id": "123456789010" - }, - "@timestamp": "2015-05-10T18:01:16Z" + } } ``` 
@@ -365,36 +365,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2 424805057484 eni-0f06a40fc9be596f6 195.14.170.50 10.0.0.96 53996 20248 6 1 40 1599665374 1599665428 REJECT OK", "event": { - "kind": "event", + "action": "reject", "category": [ "network" ], - "start": "2020-09-09T15:29:34Z", "end": "2020-09-09T15:30:28Z", - "action": "reject", + "kind": "event", + "start": "2020-09-09T15:29:34Z", "type": [ "denied" ] }, + "@timestamp": "2020-09-09T15:29:34Z", "action": { - "outcome": "ok", - "type": "forward", "name": "reject", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "424805057484" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "424805057484" } }, "destination": { - "port": 20248, + "address": "10.0.0.96", "ip": "10.0.0.96", - "address": "10.0.0.96" + "port": 20248 }, "network": { "iana_number": "6", @@ -407,22 +408,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "10.0.0.96", + "195.14.170.50" + ] + }, "source": { - "port": 53996, + "address": "195.14.170.50", "bytes": 40, - "packets": 1, "ip": "195.14.170.50", - "address": "195.14.170.50" + "packets": 1, + "port": 53996 }, "user": { "id": "424805057484" - }, - "@timestamp": "2020-09-09T15:29:34Z", - "related": { - "ip": [ - "10.0.0.96", - "195.14.170.50" - ] } } 
@@ -436,36 +436,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":53094,\"dstport\":2323,\"protocol\":6,\"packets\":1,\"bytes\":40,\"start\":1661950735,\"end\":1661950746,\"action\":\"REJECT\",\"log_status\":\"OK\"}\n", "event": { - "kind": "event", + "action": "reject", "category": [ "network" ], - "start": "2022-08-31T12:58:55Z", "end": "2022-08-31T12:59:06Z", - "action": "reject", + "kind": "event", + "start": "2022-08-31T12:58:55Z", "type": [ "denied" ] }, + "@timestamp": "2022-08-31T12:58:55Z", "action": { - "outcome": "ok", - "type": "forward", "name": "reject", - "target": "network-traffic" + "outcome": "ok", + "target": "network-traffic", + "type": "forward" }, "cloud": { + "account": { + "id": "424805057484" + }, "provider": "aws", "service": { "name": "vpc" - }, - "account": { - "id": "424805057484" } }, "destination": { - "port": 2323, + "address": "5.6.7.8", "ip": "5.6.7.8", - "address": "5.6.7.8" + "port": 2323 }, "network": { "iana_number": "6", @@ -478,22 +479,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "source": { - "port": 53094, + "address": "1.2.3.4", "bytes": 40, - "packets": 1, "ip": "1.2.3.4", - "address": "1.2.3.4" + "packets": 1, + "port": 53094 }, "user": { "id": "424805057484" - }, - "@timestamp": "2022-08-31T12:58:55Z", - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index ffa6cb6820..1ea47e0213 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
+++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
@@ -35,51 +35,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"617755838952421242\",\"accountName\": \"CORP\",\"activityType\": 90,\"agentId\": \"1109290742018175361\",\"agentUpdatedVersion\": null,\"comments\": null,\"createdAt\": \"2021-03-11T12:42:56.308213Z\",\"data\": { \"accountName\": \"CORP\", \"computerName\": \"debian-SentinelOne\", \"createdAt\": \"2021-03-11T12:42:56.297860Z\", \"fullScopeDetails\": \"Group Default Group in Site Sekoia.io of Account CORP\", \"groupName\": \"Default Group\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"Sekoia.io\", \"status\": \"started\"},\"description\": null,\"groupId\": \"1107851598374945694\",\"groupName\": \"Default Group\",\"hash\": null,\"id\": \"1109290868249950294\",\"osFamily\": null,\"primaryDescription\": \"Agent debian-SentinelOne started full disk scan at Thu, 11 Mar 2021, 12:42:56 UTC.\",\"secondaryDescription\": null,\"siteId\": \"1107851598358168475\",\"siteName\": \"Sekoia.io\",\"threatId\": null,\"updatedAt\": \"2021-03-11T12:42:56.301271Z\",\"userId\": null}", "event": { - "reason": "Agent debian-SentinelOne started full disk scan at Thu, 11 Mar 2021, 12:42:56 UTC.", "action": "Agent Started Full Disk Scan", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Agent debian-SentinelOne started full disk scan at Thu, 11 Mar 2021, 12:42:56 UTC.", "type": [ "info" ] }, - "sentinelone": { - "eventid": 1109290868249950294, - "siteId": 1107851598358168475, - "sitename": "Sekoia.io", - "updatedAt": "2021-03-11T12:42:56.301271Z", - "createdAt": "2021-03-11T12:42:56.308213Z", - "data": { - "accountName": "CORP", - "fullScopeDetails": "Group Default Group in Site Sekoia.io of Account CORP", - "scopeLevel": "Group", - "scopeName": "Default Group", - "status": "started", - "groupName": "Default Group", - "siteName": "Sekoia.io", - "computerName": "debian-SentinelOne", - "createdAt": 
"2021-03-11T12:42:56.297860Z" - } - }, - "organization": { - "id": "617755838952421242", - "name": "CORP" - }, + "@timestamp": "2021-03-11T12:42:56.308213Z", "action": { "type": 90 }, + "agent": { + "id": "1109290742018175361" + }, "group": { "id": "1107851598374945694", "name": "Default Group" }, - "agent": { - "id": "1109290742018175361" - }, - "@timestamp": "2021-03-11T12:42:56.308213Z", "host": { "name": "debian-SentinelOne" + }, + "organization": { + "id": "617755838952421242", + "name": "CORP" + }, + "sentinelone": { + "createdAt": "2021-03-11T12:42:56.308213Z", + "data": { + "accountName": "CORP", + "computerName": "debian-SentinelOne", + "createdAt": "2021-03-11T12:42:56.297860Z", + "fullScopeDetails": "Group Default Group in Site Sekoia.io of Account CORP", + "groupName": "Default Group", + "scopeLevel": "Group", + "scopeName": "Default Group", + "siteName": "Sekoia.io", + "status": "started" + }, + "eventid": 1109290868249950294, + "siteId": 1107851598358168475, + "sitename": "Sekoia.io", + "updatedAt": "2021-03-11T12:42:56.301271Z" } } 
@@ -93,57 +93,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 120, \"agentId\": \"977351746870921161\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-11T06:49:21.769668Z\", \"data\": {\"accountName\": \"CORP\", \"computerName\": \"CL002793\", \"disabledLevel\": null, \"enabledReason\": \"expired\", \"expiration\": null, \"externalIp\": \"88.127.242.225\", \"fullScopeDetails\": \"Group DSI in Site CORP-workstations of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-workstations / DSI\", \"groupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"DSI\", \"siteName\": \"CORP-workstations\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1396124097359316984\", \"osFamily\": null, \"primaryDescription\": \"The CL002793 Agent is enabled due to time expiration.\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-11T06:49:21.765992Z\", \"userId\": null}\n\n", "event": { - "reason": "The CL002793 Agent is enabled due to time expiration.", "action": "Agent Enabled", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "The CL002793 Agent is enabled due to time expiration.", "type": [ "info" ] }, - "sentinelone": { - "eventid": 1396124097359316984, - "siteId": 551799242253151036, - "updatedAt": "2022-04-11T06:49:21.765992Z", - "createdAt": "2022-04-11T06:49:21.769668Z", - "data": { - "externalIp": "88.127.242.225", - "accountName": "CORP", - "enabledReason": "expired", - "fullScopeDetails": "Group DSI in Site CORP-workstations of Account CORP", - "fullScopeDetailsPath": "Global / CORP / CORP-workstations / DSI", - "scopeLevel": "Group", - "scopeName": "DSI", - "groupName": "DSI", - "siteName": "CORP-workstations", - "computerName": "CL002793" - } - }, - 
"organization": { - "id": "551799238352448315" - }, + "@timestamp": "2022-04-11T06:49:21.769668Z", "action": { "type": 120 }, - "group": { - "id": "797501649544140679" - }, "agent": { "id": "977351746870921161" }, - "@timestamp": "2022-04-11T06:49:21.769668Z", + "group": { + "id": "797501649544140679" + }, "host": { "ip": [ "88.127.242.225" ], "name": "CL002793" }, + "organization": { + "id": "551799238352448315" + }, "related": { "ip": [ "88.127.242.225" ] + }, + "sentinelone": { + "createdAt": "2022-04-11T06:49:21.769668Z", + "data": { + "accountName": "CORP", + "computerName": "CL002793", + "enabledReason": "expired", + "externalIp": "88.127.242.225", + "fullScopeDetails": "Group DSI in Site CORP-workstations of Account CORP", + "fullScopeDetailsPath": "Global / CORP / CORP-workstations / DSI", + "groupName": "DSI", + "scopeLevel": "Group", + "scopeName": "DSI", + "siteName": "CORP-workstations" + }, + "eventid": 1396124097359316984, + "siteId": 551799242253151036, + "updatedAt": "2022-04-11T06:49:21.765992Z" } } 
@@ -157,57 +157,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 128, \"agentId\": \"859960378210728293\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:06:38.941691Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"a01pwrbi005\", \"disabledLevel\": \"db corruption\", \"enabledReason\": null, \"expiration\": null, \"externalIp\": \"62.122.8.8\", \"fullScopeDetails\": \"Group Env. 01 - Prod in Site corp-servers-windows of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-servers-windows / Env. 01 - Prod\", \"groupName\": \"Env. 01 - Prod\", \"scopeLevel\": \"Group\", \"scopeName\": \"Env. 01 - Prod\", \"siteName\": \"corp-servers-windows\"}, \"description\": null, \"groupId\": \"834457314771868699\", \"hash\": null, \"id\": \"1391844541367588156\", \"osFamily\": null, \"primaryDescription\": \"Functionality of the SentinelOne Agent on a01pwrbi005 is limited, due to a database corruption. Contact Support.\", \"secondaryDescription\": null, \"siteId\": \"795516416264105067\", \"threatId\": null, \"updatedAt\": \"2022-04-05T09:06:38.937917Z\", \"userId\": null}", "event": { - "reason": "Functionality of the SentinelOne Agent on a01pwrbi005 is limited, due to a database corruption. Contact Support.", "action": "Agent Disabled Because of Database Corruption", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Functionality of the SentinelOne Agent on a01pwrbi005 is limited, due to a database corruption. 
Contact Support.", "type": [ "info" ] }, - "sentinelone": { - "eventid": 1391844541367588156, - "siteId": 795516416264105067, - "updatedAt": "2022-04-05T09:06:38.937917Z", - "createdAt": "2022-04-05T09:06:38.941691Z", - "data": { - "externalIp": "62.122.8.8", - "accountName": "corp", - "disabledLevel": "db corruption", - "fullScopeDetails": "Group Env. 01 - Prod in Site corp-servers-windows of Account corp", - "fullScopeDetailsPath": "Global / corp / corp-servers-windows / Env. 01 - Prod", - "scopeLevel": "Group", - "scopeName": "Env. 01 - Prod", - "groupName": "Env. 01 - Prod", - "siteName": "corp-servers-windows", - "computerName": "a01pwrbi005" - } - }, - "organization": { - "id": "551799238352448315" - }, + "@timestamp": "2022-04-05T09:06:38.941691Z", "action": { "type": 128 }, - "group": { - "id": "834457314771868699" - }, "agent": { "id": "859960378210728293" }, - "@timestamp": "2022-04-05T09:06:38.941691Z", + "group": { + "id": "834457314771868699" + }, "host": { "ip": [ "62.122.8.8" ], "name": "a01pwrbi005" }, + "organization": { + "id": "551799238352448315" + }, "related": { "ip": [ "62.122.8.8" ] + }, + "sentinelone": { + "createdAt": "2022-04-05T09:06:38.941691Z", + "data": { + "accountName": "corp", + "computerName": "a01pwrbi005", + "disabledLevel": "db corruption", + "externalIp": "62.122.8.8", + "fullScopeDetails": "Group Env. 01 - Prod in Site corp-servers-windows of Account corp", + "fullScopeDetailsPath": "Global / corp / corp-servers-windows / Env. 01 - Prod", + "groupName": "Env. 01 - Prod", + "scopeLevel": "Group", + "scopeName": "Env. 01 - Prod", + "siteName": "corp-servers-windows" + }, + "eventid": 1391844541367588156, + "siteId": 795516416264105067, + "updatedAt": "2022-04-05T09:06:38.937917Z" } } 
@@ -221,65 +221,65 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 2001, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:15.006573Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"globalStatus\": \"success\", \"groupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"DSI\", \"siteName\": \"corp-workstations\", \"threatClassification\": \"PUA\", \"threatClassificationSource\": \"Engine\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846353852639605\", \"osFamily\": null, \"primaryDescription\": \"The agent CL001234 successfully killed the threat: Run SwitchThemeColor.ps1.lnk.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:15.001215Z\", \"userId\": null}", "event": { - "reason": "The agent CL001234 successfully killed the threat: Run SwitchThemeColor.ps1.lnk.", "action": "Threat Mitigation Report Kill Success", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "The agent CL001234 successfully killed the threat: Run SwitchThemeColor.ps1.lnk.", "type": [ "info" ] }, - "sentinelone": { - "eventid": 1391846353852639605, - "secondaryDescription": 
"\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk", - "siteId": 551799242253151036, - "threatId": "1391846352913115209", - "updatedAt": "2022-04-05T09:10:15.001215Z", - "createdAt": "2022-04-05T09:10:15.006573Z", - "data": { - "accountName": "corp", - "fileDisplayName": "Run SwitchThemeColor.ps1.lnk", - "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp", - "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI", - "scopeLevel": "Group", - "scopeName": "DSI", - "groupName": "DSI", - "siteName": "corp-workstations", - "computerName": "CL001234", - "globalStatus": "success", - "threatClassification": "PUA", - "threatClassificationSource": "Engine" - } - }, - "organization": { - "id": "551799238352448315" - }, + "@timestamp": "2022-04-05T09:10:15.006573Z", "action": { "type": 2001 }, - "group": { - "id": "797501649544140679" - }, "agent": { "id": "997510333395640565" }, - "@timestamp": "2022-04-05T09:10:15.006573Z", - "host": { - "name": "CL001234" - }, "file": { - "name": "Run SwitchThemeColor.ps1.lnk", - "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk", "hash": { "sha1": "08731ccac0d404da077e7029062f73ca3d8faf61" - } + }, + "name": "Run SwitchThemeColor.ps1.lnk", + "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk" + }, + "group": { + "id": "797501649544140679" + }, + "host": { + "name": "CL001234" + }, + "organization": { + "id": "551799238352448315" }, "related": { "hash": [ "08731ccac0d404da077e7029062f73ca3d8faf61" ] + }, + "sentinelone": { + "createdAt": "2022-04-05T09:10:15.006573Z", + "data": { + "accountName": "corp", + "computerName": "CL001234", + "fileDisplayName": "Run SwitchThemeColor.ps1.lnk", + "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp", + "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI", + "globalStatus": "success", + "groupName": "DSI", + "scopeLevel": 
"Group", + "scopeName": "DSI", + "siteName": "corp-workstations", + "threatClassification": "PUA", + "threatClassificationSource": "Engine" + }, + "eventid": 1391846353852639605, + "secondaryDescription": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk", + "siteId": 551799242253151036, + "threatId": "1391846352913115209", + "updatedAt": "2022-04-05T09:10:15.001215Z" } } 
@@ -293,68 +293,68 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 2004, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:15.137471Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"downloadUrl\": \"/threats/mitigation-report/1391846354842495401\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"globalStatus\": null, \"groupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"DSI\", \"siteName\": \"corp-workstations\", \"threatClassification\": \"PUA\", \"threatClassificationSource\": \"Engine\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846354951547317\", \"osFamily\": null, \"primaryDescription\": \"The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:15.132383Z\", \"userId\": null}",
 "event": {
- "reason": "The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.",
 "action": "Threat Mitigation Report Quarantine Success",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.",
 "type": [
 "info"
 ]
 },
+ "@timestamp": "2022-04-05T09:10:15.137471Z",
+ "action": {
+ "type": 2004
+ },
+ "agent": {
+ "id": "997510333395640565"
+ },
+ "file": {
+ "hash": {
+ "sha1": "08731ccac0d404da077e7029062f73ca3d8faf61"
+ },
+ "name": "Run SwitchThemeColor.ps1.lnk",
+ "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk"
+ },
+ "group": {
+ "id": "797501649544140679"
+ },
+ "host": {
+ "name": "CL001234"
+ },
+ "organization": {
+ "id": "551799238352448315"
+ },
+ "related": {
+ "hash": [
+ "08731ccac0d404da077e7029062f73ca3d8faf61"
+ ]
+ },
 "sentinelone": {
- "eventid": 1391846354951547317,
- "secondaryDescription": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
- "siteId": 551799242253151036,
- "threatId": "1391846352913115209",
- "updatedAt": "2022-04-05T09:10:15.132383Z",
 "createdAt": "2022-04-05T09:10:15.137471Z",
 "data": {
 "accountName": "corp",
+ "computerName": "CL001234",
 "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
 "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp",
 "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI",
+ "groupName": "DSI",
 "scopeLevel": "Group",
 "scopeName": "DSI",
- "groupName": "DSI",
 "siteName": "corp-workstations",
- "computerName": "CL001234",
 "threatClassification": "PUA",
 "threatClassificationSource": "Engine"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
- "action": {
- "type": 2004
- },
- "group": {
- "id": "797501649544140679"
- },
- "agent": {
- "id": "997510333395640565"
- },
- "@timestamp": "2022-04-05T09:10:15.137471Z",
- "host": {
- "name": "CL001234"
+ },
+ "eventid": 1391846354951547317,
+ "secondaryDescription": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
+ "siteId": 551799242253151036,
+ "threatId": "1391846352913115209",
+ "updatedAt": "2022-04-05T09:10:15.132383Z"
 },
 "url": {
 "original": "/threats/mitigation-report/1391846354842495401",
 "path": "/threats/mitigation-report/1391846354842495401"
- },
- "file": {
- "name": "Run SwitchThemeColor.ps1.lnk",
- "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
- "hash": {
- "sha1": "08731ccac0d404da077e7029062f73ca3d8faf61"
- }
- },
- "related": {
- "hash": [
- "08731ccac0d404da077e7029062f73ca3d8faf61"
- ]
 }
 }
@@ -368,50 +368,50 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 25, \"agentId\": null, \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-14T06:19:49.402205Z\", \"data\": {\"accountName\": \"CORP\", \"byUser\": \"Jean Dupont\", \"deactivationPeriodInDays\": \"90\", \"fullScopeDetails\": \"Site CORP-servers-windows of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-servers-windows\", \"groupName\": null, \"role\": \"Contr\\u00f4le Interne\", \"scopeLevel\": \"Site\", \"scopeName\": \"CORP-servers-windows\", \"siteName\": \"CORP-servers-windows\", \"userScope\": \"site\", \"username\": \"Foo User\"}, \"description\": \"Jean Dupont\", \"groupId\": null, \"hash\": null, \"id\": \"1398283556850059260\", \"osFamily\": null, \"primaryDescription\": \"The management user Jean Dupont deleted the user Foo User.\", \"secondaryDescription\": null, \"siteId\": \"795516416264105067\", \"threatId\": null, \"updatedAt\": \"2022-04-14T06:19:49.402210Z\", \"userId\": \"1157751223520522706\"}",
 "event": {
- "reason": "The management user Jean Dupont deleted the user Foo User.",
 "action": "User Deleted",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "The management user Jean Dupont deleted the user Foo User.",
 "type": [
 "info"
 ]
 },
+ "@timestamp": "2022-04-14T06:19:49.402205Z",
+ "action": {
+ "type": 25
+ },
+ "organization": {
+ "id": "551799238352448315"
+ },
+ "related": {
+ "user": [
+ "Foo User"
+ ]
+ },
 "sentinelone": {
- "eventid": 1398283556850059260,
- "siteId": 795516416264105067,
- "description": "Jean Dupont",
- "updatedAt": "2022-04-14T06:19:49.402210Z",
 "createdAt": "2022-04-14T06:19:49.402205Z",
 "data": {
 "accountName": "CORP",
 "byUser": "Jean Dupont",
+ "deactivationPeriodInDays": "90",
 "fullScopeDetails": "Site CORP-servers-windows of Account CORP",
 "fullScopeDetailsPath": "Global / CORP / CORP-servers-windows",
 "role": "Contr\u00f4le Interne",
 "scopeLevel": "Site",
 "scopeName": "CORP-servers-windows",
 "siteName": "CORP-servers-windows",
- "userScope": "site",
- "deactivationPeriodInDays": "90"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
- "action": {
- "type": 25
+ "userScope": "site"
+ },
+ "description": "Jean Dupont",
+ "eventid": 1398283556850059260,
+ "siteId": 795516416264105067,
+ "updatedAt": "2022-04-14T06:19:49.402210Z"
 },
 "user": {
 "id": 1157751223520522706,
 "name": "Foo User"
- },
- "@timestamp": "2022-04-14T06:19:49.402205Z",
- "related": {
- "user": [
- "Foo User"
- ]
 }
 }
@@ -425,58 +425,58 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 3016, \"agentId\": null, \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-11T07:18:34.090547Z\", \"data\": {\"accountName\": \"CORP\", \"exclusionType\": \"path\", \"fullScopeDetails\": \"Group Env. 99 - Admin in Site CORP-servers-windows of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-servers-windows / Env. 99 - Admin\", \"groupName\": \"Env. 99 - Admin\", \"osFamily\": \"Windows\", \"scopeLevel\": \"Group\", \"scopeName\": \"Env. 99 - Admin\", \"siteName\": \"CORP-servers-windows\", \"username\": \"Jean DUPONT\", \"value\": \"C:\\\\Windows\\\\system32\\\\diskshadow.exe\"}, \"description\": null, \"groupId\": \"860506107823075486\", \"hash\": null, \"id\": \"1396138796888471533\", \"osFamily\": \"windows\", \"primaryDescription\": \"The Management user Jean DUPONT deleted the Path Exclusion C:\\\\Windows\\\\system32\\\\diskshadow.exe for Windows from the Group Env. 99 - Admin\", \"secondaryDescription\": null, \"siteId\": \"795516416264105067\", \"threatId\": null, \"updatedAt\": \"2022-04-11T07:18:34.089273Z\", \"userId\": \"827950513703271774\"}\n\n",
 "event": {
- "reason": "The Management user Jean DUPONT deleted the Path Exclusion C:\\Windows\\system32\\diskshadow.exe for Windows from the Group Env. 99 - Admin",
 "action": "Path Exclusion Deleted",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "The Management user Jean DUPONT deleted the Path Exclusion C:\\Windows\\system32\\diskshadow.exe for Windows from the Group Env. 99 - Admin",
 "type": [
 "info"
 ]
 },
- "sentinelone": {
- "eventid": 1396138796888471533,
- "siteId": 795516416264105067,
- "updatedAt": "2022-04-11T07:18:34.089273Z",
- "createdAt": "2022-04-11T07:18:34.090547Z",
- "data": {
- "accountName": "CORP",
- "exclusionType": "path",
- "fullScopeDetails": "Group Env. 99 - Admin in Site CORP-servers-windows of Account CORP",
- "fullScopeDetailsPath": "Global / CORP / CORP-servers-windows / Env. 99 - Admin",
- "scopeLevel": "Group",
- "scopeName": "Env. 99 - Admin",
- "groupName": "Env. 99 - Admin",
- "siteName": "CORP-servers-windows"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
+ "@timestamp": "2022-04-11T07:18:34.090547Z",
 "action": {
 "type": 3016
 },
- "user": {
- "id": 827950513703271774,
- "name": "Jean DUPONT"
+ "file": {
+ "directory": "C:\\Windows\\system32",
+ "name": "diskshadow.exe",
+ "path": "C:\\Windows\\system32\\diskshadow.exe"
 },
 "group": {
 "id": "860506107823075486"
 },
+ "organization": {
+ "id": "551799238352448315"
+ },
 "os": {
 "family": "Windows"
 },
- "@timestamp": "2022-04-11T07:18:34.090547Z",
- "file": {
- "path": "C:\\Windows\\system32\\diskshadow.exe",
- "name": "diskshadow.exe",
- "directory": "C:\\Windows\\system32"
- },
 "related": {
 "user": [
 "Jean DUPONT"
 ]
+ },
+ "sentinelone": {
+ "createdAt": "2022-04-11T07:18:34.090547Z",
+ "data": {
+ "accountName": "CORP",
+ "exclusionType": "path",
+ "fullScopeDetails": "Group Env. 99 - Admin in Site CORP-servers-windows of Account CORP",
+ "fullScopeDetailsPath": "Global / CORP / CORP-servers-windows / Env. 99 - Admin",
+ "groupName": "Env. 99 - Admin",
+ "scopeLevel": "Group",
+ "scopeName": "Env. 99 - Admin",
+ "siteName": "CORP-servers-windows"
+ },
+ "eventid": 1396138796888471533,
+ "siteId": 795516416264105067,
+ "updatedAt": "2022-04-11T07:18:34.089273Z"
+ },
+ "user": {
+ "id": 827950513703271774,
+ "name": "Jean DUPONT"
 }
 }
@@ -490,61 +490,61 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 4003, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:14.913348Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"confidenceLevel\": \"suspicious\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"groupName\": \"DSI\", \"siteName\": \"corp-workstations\", \"threatClassification\": null, \"threatClassificationSource\": null, \"username\": null}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846353072498959\", \"osFamily\": null, \"primaryDescription\": \"Threat with confidence level suspicious detected: Run SwitchThemeColor.ps1.lnk.\", \"secondaryDescription\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:14.903935Z\", \"userId\": null}",
 "event": {
- "reason": "Threat with confidence level suspicious detected: Run SwitchThemeColor.ps1.lnk.",
 "action": "New Suspicious Threat Not Mitigated",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "Threat with confidence level suspicious detected: Run SwitchThemeColor.ps1.lnk.",
 "type": [
 "info"
 ]
 },
- "sentinelone": {
- "eventid": 1391846353072498959,
- "secondaryDescription": "08731ccac0d404da077e7029062f73ca3d8faf61",
- "siteId": 551799242253151036,
- "threatId": "1391846352913115209",
- "updatedAt": "2022-04-05T09:10:14.903935Z",
- "createdAt": "2022-04-05T09:10:14.913348Z",
- "data": {
- "accountName": "corp",
- "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
- "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp",
- "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI",
- "groupName": "DSI",
- "siteName": "corp-workstations",
- "computerName": "CL001234",
- "confidenceLevel": "suspicious"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
+ "@timestamp": "2022-04-05T09:10:14.913348Z",
 "action": {
 "type": 4003
 },
- "group": {
- "id": "797501649544140679"
- },
 "agent": {
 "id": "997510333395640565"
 },
- "@timestamp": "2022-04-05T09:10:14.913348Z",
- "host": {
- "name": "CL001234"
- },
 "file": {
- "name": "Run SwitchThemeColor.ps1.lnk",
- "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
 "hash": {
 "sha1": "08731ccac0d404da077e7029062f73ca3d8faf61"
- }
+ },
+ "name": "Run SwitchThemeColor.ps1.lnk",
+ "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk"
+ },
+ "group": {
+ "id": "797501649544140679"
+ },
+ "host": {
+ "name": "CL001234"
+ },
+ "organization": {
+ "id": "551799238352448315"
 },
 "related": {
 "hash": [
 "08731ccac0d404da077e7029062f73ca3d8faf61"
 ]
+ },
+ "sentinelone": {
+ "createdAt": "2022-04-05T09:10:14.913348Z",
+ "data": {
+ "accountName": "corp",
+ "computerName": "CL001234",
+ "confidenceLevel": "suspicious",
+ "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
+ "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp",
+ "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI",
+ "groupName": "DSI",
+ "siteName": "corp-workstations"
+ },
+ "eventid": 1391846353072498959,
+ "secondaryDescription": "08731ccac0d404da077e7029062f73ca3d8faf61",
+ "siteId": 551799242253151036,
+ "threatId": "1391846352913115209",
+ "updatedAt": "2022-04-05T09:10:14.903935Z"
 }
 }
@@ -558,64 +558,64 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 4008, \"agentId\": \"997510333395640565\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:10:15.125572Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"escapedMaliciousProcessArguments\": null, \"fileContentHash\": \"08731ccac0d404da077e7029062f73ca3d8faf61\", \"fileDisplayName\": \"Run SwitchThemeColor.ps1.lnk\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"fullScopeDetails\": \"Group DSI in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / DSI\", \"groupName\": \"DSI\", \"newStatus\": \"Mitigated\", \"originalStatus\": \"Not mitigated\", \"siteName\": \"corp-workstations\", \"threatClassification\": \"PUA\", \"threatClassificationSource\": \"Engine\"}, \"description\": null, \"groupId\": \"797501649544140679\", \"hash\": null, \"id\": \"1391846354850884010\", \"osFamily\": null, \"primaryDescription\": \"Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user.name\\\\Desktop\\\\Run SwitchThemeColor.ps1.lnk\", \"siteId\": \"551799242253151036\", \"threatId\": \"1391846352913115209\", \"updatedAt\": \"2022-04-05T09:10:15.119559Z\", \"userId\": null}",
 "event": {
- "reason": "Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated.",
 "action": "Threat Mitigation Status Changed",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated.",
 "type": [
 "info"
 ]
 },
- "sentinelone": {
- "eventid": 1391846354850884010,
- "secondaryDescription": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
- "siteId": 551799242253151036,
- "threatId": "1391846352913115209",
- "updatedAt": "2022-04-05T09:10:15.119559Z",
- "createdAt": "2022-04-05T09:10:15.125572Z",
- "data": {
- "accountName": "corp",
- "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
- "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp",
- "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI",
- "groupName": "DSI",
- "siteName": "corp-workstations",
- "computerName": "CL001234",
- "newStatus": "Mitigated",
- "originalStatus": "Not mitigated",
- "threatClassification": "PUA",
- "threatClassificationSource": "Engine"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
+ "@timestamp": "2022-04-05T09:10:15.125572Z",
 "action": {
 "type": 4008
 },
- "group": {
- "id": "797501649544140679"
- },
 "agent": {
 "id": "997510333395640565"
 },
- "@timestamp": "2022-04-05T09:10:15.125572Z",
- "host": {
- "name": "CL001234"
- },
 "file": {
- "name": "Run SwitchThemeColor.ps1.lnk",
- "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
 "hash": {
 "sha1": "08731ccac0d404da077e7029062f73ca3d8faf61"
- }
+ },
+ "name": "Run SwitchThemeColor.ps1.lnk",
+ "path": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk"
+ },
+ "group": {
+ "id": "797501649544140679"
+ },
+ "host": {
+ "name": "CL001234"
+ },
+ "organization": {
+ "id": "551799238352448315"
 },
 "related": {
 "hash": [
 "08731ccac0d404da077e7029062f73ca3d8faf61"
 ]
+ },
+ "sentinelone": {
+ "createdAt": "2022-04-05T09:10:15.125572Z",
+ "data": {
+ "accountName": "corp",
+ "computerName": "CL001234",
+ "fileDisplayName": "Run SwitchThemeColor.ps1.lnk",
+ "fullScopeDetails": "Group DSI in Site corp-workstations of Account corp",
+ "fullScopeDetailsPath": "Global / corp / corp-workstations / DSI",
+ "groupName": "DSI",
+ "newStatus": "Mitigated",
+ "originalStatus": "Not mitigated",
+ "siteName": "corp-workstations",
+ "threatClassification": "PUA",
+ "threatClassificationSource": "Engine"
+ },
+ "eventid": 1391846354850884010,
+ "secondaryDescription": "\\Device\\HarddiskVolume3\\Users\\user.name\\Desktop\\Run SwitchThemeColor.ps1.lnk",
+ "siteId": 551799242253151036,
+ "threatId": "1391846352913115209",
+ "updatedAt": "2022-04-05T09:10:15.119559Z"
 }
 }
@@ -629,48 +629,48 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 47, \"agentId\": \"1351979140358907826\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-10T22:10:31.034788Z\", \"data\": {\"accountName\": \"CORP\", \"computerName\": \"CL-ABCEDFG\", \"fullScopeDetails\": \"Group Default Group in Site CORP-workstations of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-workstations / Default Group\", \"groupName\": \"Default Group\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"CORP-workstations\", \"username\": null, \"uuid\": \"961376bbd9694a2ba2e1bb77ba027e38\"}, \"description\": null, \"groupId\": \"551799242261539645\", \"hash\": null, \"id\": \"1395862953807825318\", \"osFamily\": null, \"primaryDescription\": \"Agent CL-ABCEDFG automatically decommissioned.\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-10T22:10:31.034790Z\", \"userId\": null}",
 "event": {
- "reason": "Agent CL-ABCEDFG automatically decommissioned.",
 "action": "Agent Decommissioned",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "Agent CL-ABCEDFG automatically decommissioned.",
 "type": [
 "info"
 ]
 },
- "sentinelone": {
- "eventid": 1395862953807825318,
- "siteId": 551799242253151036,
- "updatedAt": "2022-04-10T22:10:31.034790Z",
- "createdAt": "2022-04-10T22:10:31.034788Z",
- "data": {
- "accountName": "CORP",
- "fullScopeDetails": "Group Default Group in Site CORP-workstations of Account CORP",
- "fullScopeDetailsPath": "Global / CORP / CORP-workstations / Default Group",
- "scopeLevel": "Group",
- "scopeName": "Default Group",
- "uuid": "961376bbd9694a2ba2e1bb77ba027e38",
- "groupName": "Default Group",
- "siteName": "CORP-workstations",
- "computerName": "CL-ABCEDFG"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
+ "@timestamp": "2022-04-10T22:10:31.034788Z",
 "action": {
 "type": 47
 },
- "group": {
- "id": "551799242261539645"
- },
 "agent": {
 "id": "1351979140358907826"
 },
- "@timestamp": "2022-04-10T22:10:31.034788Z",
+ "group": {
+ "id": "551799242261539645"
+ },
 "host": {
 "name": "CL-ABCEDFG"
+ },
+ "organization": {
+ "id": "551799238352448315"
+ },
+ "sentinelone": {
+ "createdAt": "2022-04-10T22:10:31.034788Z",
+ "data": {
+ "accountName": "CORP",
+ "computerName": "CL-ABCEDFG",
+ "fullScopeDetails": "Group Default Group in Site CORP-workstations of Account CORP",
+ "fullScopeDetailsPath": "Global / CORP / CORP-workstations / Default Group",
+ "groupName": "Default Group",
+ "scopeLevel": "Group",
+ "scopeName": "Default Group",
+ "siteName": "CORP-workstations",
+ "uuid": "961376bbd9694a2ba2e1bb77ba027e38"
+ },
+ "eventid": 1395862953807825318,
+ "siteId": 551799242253151036,
+ "updatedAt": "2022-04-10T22:10:31.034790Z"
 }
 }
@@ -684,51 +684,51 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 5009, \"agentId\": \"841026328128144438\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-05T09:12:46.391928Z\", \"data\": {\"accountName\": \"corp\", \"computerName\": \"CL001234\", \"fullScopeDetails\": \"Group Default Group in Site corp-workstations of Account corp\", \"fullScopeDetailsPath\": \"Global / corp / corp-workstations / Default Group\", \"groupName\": \"Default Group\", \"newGroupId\": \"551799242261539645\", \"newGroupName\": \"Default Group\", \"oldGroupId\": \"797501649544140679\", \"oldGroupName\": \"DSI\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"corp-workstations\"}, \"description\": null, \"groupId\": \"551799242261539645\", \"hash\": null, \"id\": \"1391847623762392173\", \"osFamily\": null, \"primaryDescription\": \"The Agent CL001234 moved dynamically from Group DSI to Group Default Group\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-05T09:12:45.472693Z\", \"userId\": null}",
 "event": {
- "reason": "The Agent CL001234 moved dynamically from Group DSI to Group Default Group",
 "action": "Agent Moved To A Different Group",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "The Agent CL001234 moved dynamically from Group DSI to Group Default Group",
 "type": [
 "info"
 ]
 },
+ "@timestamp": "2022-04-05T09:12:46.391928Z",
+ "action": {
+ "type": 5009
+ },
+ "agent": {
+ "id": "841026328128144438"
+ },
+ "group": {
+ "id": "551799242261539645"
+ },
+ "host": {
+ "name": "CL001234"
+ },
+ "organization": {
+ "id": "551799238352448315"
+ },
 "sentinelone": {
- "eventid": 1391847623762392173,
- "siteId": 551799242253151036,
- "updatedAt": "2022-04-05T09:12:45.472693Z",
 "createdAt": "2022-04-05T09:12:46.391928Z",
 "data": {
 "accountName": "corp",
+ "computerName": "CL001234",
 "fullScopeDetails": "Group Default Group in Site corp-workstations of Account corp",
 "fullScopeDetailsPath": "Global / corp / corp-workstations / Default Group",
- "scopeLevel": "Group",
- "scopeName": "Default Group",
 "groupName": "Default Group",
- "siteName": "corp-workstations",
- "computerName": "CL001234",
 "newGroupId": "551799242261539645",
 "newGroupName": "Default Group",
 "oldGroupId": "797501649544140679",
- "oldGroupName": "DSI"
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
- "action": {
- "type": 5009
- },
- "group": {
- "id": "551799242261539645"
- },
- "agent": {
- "id": "841026328128144438"
- },
- "@timestamp": "2022-04-05T09:12:46.391928Z",
- "host": {
- "name": "CL001234"
+ "oldGroupName": "DSI",
+ "scopeLevel": "Group",
+ "scopeName": "Default Group",
+ "siteName": "corp-workstations"
+ },
+ "eventid": 1391847623762392173,
+ "siteId": 551799242253151036,
+ "updatedAt": "2022-04-05T09:12:45.472693Z"
 }
 }
@@ -742,64 +742,64 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"123456789831564686\", \"activityType\": 5126, \"agentId\": \"1098352279374896038\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-03-29T17:20:31.139698Z\", \"data\": {\"accountName\": \"CORP\", \"bluetoothAddress\": \"\", \"computerName\": \"CORP123\", \"creator\": \"N/A\", \"deviceClass\": \"E0h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"\", \"eventId\": \"{1988659d-af84-11ec-914c-806e6f6e6963}\", \"eventTime\": \"2022-03-29T17:17:40.622+00:00\", \"eventType\": \"connected\", \"fullScopeDetails\": \"Group Default Group in Site CORP-Users of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-Users / Default Group\", \"gattService\": \"\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"interface\": \"USB\", \"lastLoggedInUserName\": \"user.name\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"productId\": \"AAA\", \"profileUuids\": \"N/A\", \"ruleId\": -1, \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"CORP-Users\", \"uid\": \"\", \"vendorId\": \"8087\", \"version\": \"N/A\"}, \"description\": null, \"groupId\": \"1083054176758610128\", \"hash\": null, \"id\": \"1387019684138751044\", \"osFamily\": null, \"primaryDescription\": \"USB device was connected on CORP123.\", \"secondaryDescription\": null, \"siteId\": \"1083054176741832911\", \"threatId\": null, \"updatedAt\": \"2022-03-29T17:20:30.998054Z\", \"userId\": null}",
 "event": {
- "reason": "USB device was connected on CORP123.",
 "action": "Device Control Approved Event",
- "kind": "event",
 "category": "host",
+ "kind": "event",
+ "reason": "USB device was connected on CORP123.",
 "type": [
 "allowed"
 ]
 },
+ "@timestamp": "2022-03-29T17:20:31.139698Z",
+ "action": {
+ "type": 5126
+ },
+ "agent": {
+ "id": "1098352279374896038"
+ },
+ "group": {
+ "id": "1083054176758610128"
+ },
+ "host": {
+ "name": "CORP123"
+ },
+ "organization": {
+ "id": "123456789831564686"
+ },
+ "rule": {
+ "id": "-1"
+ },
 "sentinelone": {
- "eventid": 1387019684138751044,
- "siteId": 1083054176741832911,
- "updatedAt": "2022-03-29T17:20:30.998054Z",
 "createdAt": "2022-03-29T17:20:31.139698Z",
 "data": {
 "accountName": "CORP",
+ "computerName": "CORP123",
+ "creator": "N/A",
 "deviceClass": "E0h",
+ "eventId": "{1988659d-af84-11ec-914c-806e6f6e6963}",
+ "eventTime": "2022-03-29T17:17:40.622+00:00",
+ "eventType": "connected",
 "fullScopeDetails": "Group Default Group in Site CORP-Users of Account CORP",
 "fullScopeDetailsPath": "Global / CORP / CORP-Users / Default Group",
+ "groupId": 1083054176758610128,
+ "groupName": "Default Group",
 "interface": "USB",
+ "lastLoggedInUserName": "user.name",
 "lmpVersion": "N/A",
+ "minorClass": "N/A",
+ "osType": "windows",
 "productId": "AAA",
 "profileUuids": "N/A",
 "ruleType": "productId",
 "scopeLevel": "Group",
 "scopeName": "Default Group",
- "vendorId": 8087,
- "version": "N/A",
- "groupName": "Default Group",
 "siteName": "CORP-Users",
- "computerName": "CORP123",
- "creator": "N/A",
- "eventId": "{1988659d-af84-11ec-914c-806e6f6e6963}",
- "eventTime": "2022-03-29T17:17:40.622+00:00",
- "eventType": "connected",
- "groupId": 1083054176758610128,
- "lastLoggedInUserName": "user.name",
- "minorClass": "N/A",
- "osType": "windows"
- }
- },
- "organization": {
- "id": "123456789831564686"
- },
- "action": {
- "type": 5126
- },
- "group": {
- "id": "1083054176758610128"
- },
- "agent": {
- "id": "1098352279374896038"
- },
- "@timestamp": "2022-03-29T17:20:31.139698Z",
- "host": {
- "name": "CORP123"
- },
- "rule": {
- "id": "-1"
+ "vendorId": 8087,
+ "version": "N/A"
+ },
+ "eventid": 1387019684138751044,
+ "siteId": 1083054176741832911,
+ "updatedAt": "2022-03-29T17:20:30.998054Z"
 }
 }
@@ -813,40 +813,67 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accountId\": \"551799238352448315\", \"activityType\": 5232, \"agentId\": \"840949586976454071\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-14T11:30:19.543892Z\", \"data\": {\"accountName\": \"CORP\", \"action\": \"Block\", \"application\": null, \"applicationType\": \"any\", \"computerName\": \"CORP1234\", \"createdByUsername\": \"CUS_TER_211022_09_10_03_c4b7bce44eaf5d749e0399dd34f70ab83e3a1fd7\", \"direction\": \"inbound\", \"durationOfMeasurement\": 60, \"fullScopeDetails\": \"Group Default Group in Site CORP-workstations of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-workstations / Default Group\", \"groupName\": \"Default Group\", \"localHost\": null, \"localHostType\": \"any\", \"localPortType\": \"any\", \"localPorts\": \"\", \"locationNames\": [], \"numberOfEvents\": 3, \"order\": 32, \"osTypes\": [\"windows\"], \"processId\": 4, \"processName\": \"\", \"protocol\": \"\", \"remoteHost\": null, \"remoteHostType\": \"any\", \"remotePortType\": \"any\", \"remotePorts\": \"\", \"reportedDirection\": \"inbound\", \"reportedLocalHost\": null, \"reportedLocalPort\": \"\", \"reportedProtocol\": \"\", \"reportedRemoteHost\": \"1.1.1.1\", \"reportedRemotePort\": \"\", \"ruleDescription\": \"Flux\", \"ruleId\": 556166862007673241, \"ruleName\": \"Block all\", \"ruleScopeLevel\": \"site\", \"ruleScopeName\": \"CORP-workstations (CORP)\", \"siteName\": \"CORP-workstations\", \"status\": \"Enabled\", \"tagNames\": []}, \"description\": null, \"groupId\": \"551799242261539645\", \"hash\": null, \"id\": \"1398439837979472030\", \"osFamily\": null, \"primaryDescription\": \"Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP).\", \"secondaryDescription\": null, \"siteId\": \"551799242253151036\", \"threatId\": null, \"updatedAt\": \"2022-04-14T11:30:19.543894Z\", \"userId\": null}",
 "event": {
- "reason": "Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP).",
 "action": "Firewall Control Blocked Event",
- "kind": "event",
 "category": [
 "intrusion_detection"
 ],
+ "kind": "event",
+ "reason": "Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP).",
 "type": [
 "info"
 ]
 },
+ "@timestamp": "2022-04-14T11:30:19.543892Z",
+ "action": {
+ "type": 5232
+ },
+ "agent": {
+ "id": "840949586976454071"
+ },
+ "destination": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
+ },
+ "group": {
+ "id": "551799242261539645"
+ },
+ "host": {
+ "name": "CORP1234"
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "organization": {
+ "id": "551799238352448315"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ]
+ },
+ "rule": {
+ "description": "Flux",
+ "id": "556166862007673241",
+ "name": "Block all"
+ },
 "sentinelone": {
- "eventid": 1398439837979472030,
- "siteId": 551799242253151036,
- "updatedAt": "2022-04-14T11:30:19.543894Z",
 "createdAt": "2022-04-14T11:30:19.543892Z",
 "data": {
 "accountName": "CORP",
 "action": "Block",
- "fullScopeDetails": "Group Default Group in Site CORP-workstations of Account CORP",
- "fullScopeDetailsPath": "Global / CORP / CORP-workstations / Default Group",
- "order": 32,
- "status": "Enabled",
- "groupName": "Default Group",
- "siteName": "CORP-workstations",
- "computerName": "CORP1234",
- "ruleScopeName": "CORP-workstations (CORP)",
 "applicationType": "any",
+ "computerName": "CORP1234",
 "createdByUsername": "CUS_TER_211022_09_10_03_c4b7bce44eaf5d749e0399dd34f70ab83e3a1fd7",
 "direction": "inbound",
 "durationOfMeasurement": 60,
+ "fullScopeDetails": "Group Default Group in Site CORP-workstations of Account CORP",
+ "fullScopeDetailsPath": "Global / CORP / CORP-workstations / Default Group",
+ "groupName": "Default Group",
 "localHostType": "any",
 "localPortType": "any",
 "locationNames": [],
 "numberOfEvents": 3,
+ "order": 32,
 "osTypes": [
 "windows"
 ],
@@ -854,41 +881,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "remoteHostType": "any",
 "remotePortType": "any",
 "ruleScopeLevel": "site",
+ "ruleScopeName": "CORP-workstations (CORP)",
+ "siteName": "CORP-workstations",
+ "status": "Enabled",
 "tagNames": []
- }
- },
- "organization": {
- "id": "551799238352448315"
- },
- "action": {
- "type": 5232
- },
- "group": {
- "id": "551799242261539645"
- },
- "agent": {
- "id": "840949586976454071"
- },
- "@timestamp": "2022-04-14T11:30:19.543892Z",
- "host": {
- "name": "CORP1234"
- },
- "rule": {
- "name": "Block all",
- "id": "556166862007673241",
- "description": "Flux"
- },
- "network": {
- "direction": "inbound"
- },
- "destination": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "related": {
- "ip": [
- "1.1.1.1"
- ]
+ },
+ "eventid": 1398439837979472030,
+ "siteId": 551799242253151036,
+ "updatedAt": "2022-04-14T11:30:19.543894Z"
 }
 }
@@ -902,58 +902,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"901144152444038278\", \"activityType\": 71, \"agentId\": \"1396250507390940172\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-11T11:00:31.291987Z\", \"data\": {\"accountName\": \"CORP\", \"computerName\": \"CORP-12347\", \"externalIp\": \"11.22.33.44\", \"fullScopeDetails\": \"Group Default Group in Site DEFAULT of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / DEFAULT / Default Group\", \"groupName\": \"Default Group\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"DEFAULT\", \"system\": true, \"username\": null, \"uuid\": \"1e74916f8ac14a1b8d9b575ef7e91448\"}, \"description\": null, \"groupId\": \"901144152477592712\", \"hash\": null, \"id\": \"1396250509672642912\", \"osFamily\": null, \"primaryDescription\": \"System initiated a full disk scan to the agent: CORP-12347 (11.22.33.44).\", \"secondaryDescription\": null, \"siteId\": \"901144152460815495\", \"threatId\": null, \"updatedAt\": \"2022-04-11T11:00:31.291994Z\", \"userId\": null}\n\n", "event": { - "reason": "System initiated a full disk scan to the agent: CORP-12347 (11.22.33.44).", "action": "Scan Initiated", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "System initiated a full disk scan to the agent: CORP-12347 (11.22.33.44).", "type": [ "info" ] }, - "sentinelone": { - "eventid": 1396250509672642912, - "siteId": 901144152460815495, - "updatedAt": "2022-04-11T11:00:31.291994Z", - "createdAt": "2022-04-11T11:00:31.291987Z", - "data": { - "externalIp": "11.22.33.44", - "accountName": "CORP", - "fullScopeDetails": "Group Default Group in Site DEFAULT of Account CORP", - "fullScopeDetailsPath": "Global / CORP / DEFAULT / Default Group", - "scopeLevel": "Group", - "scopeName": "Default Group", - "system": true, - "uuid": 
"1e74916f8ac14a1b8d9b575ef7e91448", - "groupName": "Default Group", - "siteName": "DEFAULT", - "computerName": "CORP-12347" - } - }, - "organization": { - "id": "901144152444038278" - }, + "@timestamp": "2022-04-11T11:00:31.291987Z", "action": { "type": 71 }, - "group": { - "id": "901144152477592712" - }, "agent": { "id": "1396250507390940172" }, - "@timestamp": "2022-04-11T11:00:31.291987Z", + "group": { + "id": "901144152477592712" + }, "host": { "ip": [ "11.22.33.44" ], "name": "CORP-12347" }, + "organization": { + "id": "901144152444038278" + }, "related": { "ip": [ "11.22.33.44" ] + }, + "sentinelone": { + "createdAt": "2022-04-11T11:00:31.291987Z", + "data": { + "accountName": "CORP", + "computerName": "CORP-12347", + "externalIp": "11.22.33.44", + "fullScopeDetails": "Group Default Group in Site DEFAULT of Account CORP", + "fullScopeDetailsPath": "Global / CORP / DEFAULT / Default Group", + "groupName": "Default Group", + "scopeLevel": "Group", + "scopeName": "Default Group", + "siteName": "DEFAULT", + "system": true, + "uuid": "1e74916f8ac14a1b8d9b575ef7e91448" + }, + "eventid": 1396250509672642912, + "siteId": 901144152460815495, + "updatedAt": "2022-04-11T11:00:31.291994Z" } } 
@@ -967,32 +967,85 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"901144152444038278\", \"activityType\": 3608, \"agentId\": \"1183145065000215213\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2021-11-16T15:29:38.431997Z\", \"data\": {\"accountName\": \"CORP\", \"alertId\": 1290568698312097725, \"alertid\": 1290568698312097725, \"detectedat\": 1637076565467, \"dveventid\": \"\", \"dveventtype\": \"BEHAVIORALINDICATORS\", \"fullScopeDetails\": \"Group LAPTOP in Site DEFAULT of Account CORP\", \"groupName\": \"LAPTOP\", \"k8sclustername\": \"\", \"k8scontainerid\": \"\", \"k8scontainerimage\": \"\", \"k8scontainerlabels\": \"\", \"k8scontainername\": \"\", \"k8scontrollerkind\": \"\", \"k8scontrollerlabels\": \"\", \"k8scontrollername\": \"\", \"k8snamespace\": \"\", \"k8snamespacelabels\": \"\", \"k8snode\": \"\", \"k8spod\": \"\", \"k8spodlabels\": \"\", \"origagentmachinetype\": \"laptop\", \"origagentname\": \"CORP-LAP-4075\", \"origagentosfamily\": \"windows\", \"origagentosname\": \"Windows 10 Pro\", \"origagentosrevision\": \"19042\", \"origagentsiteid\": \"901144152460815495\", \"origagentuuid\": \"058fd4868adb4b87be24a4c5e9f89220\", \"origagentversion\": \"4.6.14.304\", \"ruleId\": 1259119070812474070, \"ruledescription\": \"Rule migrated from Watchlist\", \"ruleid\": 1259119070812474070, \"rulename\": \"PowershellExecutionPolicyChanged Indicator Monito\", \"rulescopeid\": 901144152460815495, \"rulescopelevel\": \"E_SITE\", \"scopeId\": 901144152460815495, \"scopeLevel\": \"Group\", \"scopeName\": \"LAPTOP\", \"severity\": \"E_MEDIUM\", \"siteName\": \"DEFAULT\", \"sourcename\": \"STAR\", \"sourceparentprocesscommandline\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"sourceparentprocessintegritylevel\": \"medium\", \"sourceparentprocesskey\": \"811577BA383803B5\", \"sourceparentprocessmd5\": \"681a21a3b848ed960073475cd77634ce\", 
\"sourceparentprocessname\": \"explorer.exe\", \"sourceparentprocesspath\": \"C:\\\\WINDOWS\\\\explorer.exe\", \"sourceparentprocesspid\": 11196, \"sourceparentprocesssha1\": \"3d930943fbea03c9330c4947e5749ed9ceed528a\", \"sourceparentprocesssha256\": \"08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089\", \"sourceparentprocesssigneridentity\": \"MICROSOFT WINDOWS\", \"sourceparentprocessstarttime\": 1636964894046, \"sourceparentprocessstoryline\": \"E1798FE5683F14CF\", \"sourceparentprocesssubsystem\": \"win32\", \"sourceparentprocessusername\": \"CORP\\\\user\", \"sourceprocesscommandline\": \"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \\\"-Command\\\" \\\"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\\\Users\\\\user\\\\Documents\\\\git\\\\DSP2\\\\API HUB\\\\Documentation\\\\Generate.ps1'\\\"\", \"sourceprocessfilepath\": \"C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"sourceprocessfilesingeridentity\": \"MICROSOFT WINDOWS\", \"sourceprocessintegritylevel\": \"medium\", \"sourceprocesskey\": \"8C3CD6D2478943E5\", \"sourceprocessmd5\": \"04029e121a0cfa5991749937dd22a1d9\", \"sourceprocessname\": \"powershell.exe\", \"sourceprocesspid\": 6676, \"sourceprocesssha1\": \"f43d9bb316e30ae1a3494ac5b0624f6bea1bf054\", \"sourceprocesssha256\": \"9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f\", \"sourceprocessstarttime\": 1637076505627, \"sourceprocessstoryline\": \"5D1F81C984CFD44D\", \"sourceprocesssubsystem\": \"win32\", \"sourceprocessusername\": \"CORP\\\\user\", \"systemUser\": 0, \"userId\": 111111111111111111, \"userName\": \"sentinelone\"}, \"description\": null, \"groupId\": \"924347507640996620\", \"hash\": null, \"id\": \"1290568704943967230\", \"osFamily\": null, \"primaryDescription\": \"Alert created for powershell.exe from Custom Rule: PowershellExecutionPolicyChanged Indicator Monito in Group LAPTOP in 
Site DEFAULT of Account CORP, detected on CORP-LAP-4075.\", \"secondaryDescription\": \"f43d9bb316e30ae1a3494ac5b0624f6bea1bf054\", \"siteId\": \"901144152460815495\", \"threatId\": null, \"updatedAt\": \"2021-11-16T15:29:38.429056Z\", \"userId\": \"111111111111111111\"}", "event": { - "reason": "Alert created for powershell.exe from Custom Rule: PowershellExecutionPolicyChanged Indicator Monito in Group LAPTOP in Site DEFAULT of Account CORP, detected on CORP-LAP-4075.", "action": "Custom Rules - New Alert", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Alert created for powershell.exe from Custom Rule: PowershellExecutionPolicyChanged Indicator Monito in Group LAPTOP in Site DEFAULT of Account CORP, detected on CORP-LAP-4075.", "type": [ "info" ] }, + "@timestamp": "2021-11-16T15:29:38.431997Z", + "action": { + "type": 3608 + }, + "agent": { + "id": "1183145065000215213" + }, + "file": { + "name": "powershell.exe" + }, + "group": { + "id": "924347507640996620" + }, + "organization": { + "id": "901144152444038278" + }, + "process": { + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-Command\" \"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\user\\Documents\\git\\DSP2\\API HUB\\Documentation\\Generate.ps1'\"", + "executable": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "hash": { + "md5": "04029e121a0cfa5991749937dd22a1d9", + "sha1": "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", + "sha256": "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f" + }, + "parent": { + "code_signature": { + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\WINDOWS\\explorer.exe", + "hash": { + "md5": "681a21a3b848ed960073475cd77634ce", + "sha1": "3d930943fbea03c9330c4947e5749ed9ceed528a", + "sha256": 
"08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089" + }, + "name": "explorer.exe", + "pid": 11196, + "start": "2021-11-15T08:28:14.046000Z" + }, + "pid": 6676, + "start": "2021-11-16T15:28:25.627000Z" + }, + "related": { + "hash": [ + "04029e121a0cfa5991749937dd22a1d9", + "08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089", + "3d930943fbea03c9330c4947e5749ed9ceed528a", + "681a21a3b848ed960073475cd77634ce", + "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f", + "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054" + ], + "user": [ + "sentinelone" + ] + }, + "rule": { + "description": "Rule migrated from Watchlist", + "id": "1259119070812474070", + "name": "PowershellExecutionPolicyChanged Indicator Monito" + }, "sentinelone": { - "eventid": 1290568704943967230, - "secondaryDescription": "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", - "siteId": 901144152460815495, - "updatedAt": "2021-11-16T15:29:38.429056Z", "createdAt": "2021-11-16T15:29:38.431997Z", "data": { "accountName": "CORP", - "fullScopeDetails": "Group LAPTOP in Site DEFAULT of Account CORP", - "scopeLevel": "Group", - "scopeName": "LAPTOP", - "scopeId": 901144152460815495, "alertId": 1290568698312097725, "alertid": 1290568698312097725, "detectedat": 1637076565467, "dveventtype": "BEHAVIORALINDICATORS", + "fullScopeDetails": "Group LAPTOP in Site DEFAULT of Account CORP", "groupName": "LAPTOP", "origagentmachinetype": "laptop", "origagentname": "CORP-LAP-4075", 
@@ -1004,22 +1057,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "origagentversion": "4.6.14.304", "rulescopeid": 901144152460815495, "rulescopelevel": "E_SITE", + "scopeId": 901144152460815495, + "scopeLevel": "Group", + "scopeName": "LAPTOP", "severity": "E_MEDIUM", "siteName": "DEFAULT", "sourcename": "STAR", + "sourceparentprocesscommandline": "C:\\WINDOWS\\Explorer.EXE", "sourceparentprocessintegritylevel": "medium", "sourceparentprocesskey": "811577BA383803B5", - "sourceparentprocessstoryline": "E1798FE5683F14CF", - "sourceparentprocesssubsystem": "win32", - "sourceparentprocessusername": "CORP\\user", - "sourceprocessfilesingeridentity": "MICROSOFT WINDOWS", - "sourceprocessintegritylevel": "medium", - "sourceprocesskey": "8C3CD6D2478943E5", - "sourceprocessstoryline": "5D1F81C984CFD44D", - "sourceprocesssubsystem": "win32", - "sourceprocessusername": "CORP\\user", - "systemUser": 0, - "sourceparentprocesscommandline": "C:\\WINDOWS\\Explorer.EXE", "sourceparentprocessmd5": "681a21a3b848ed960073475cd77634ce", "sourceparentprocessname": "explorer.exe", "sourceparentprocesspath": "C:\\WINDOWS\\explorer.exe", 
@@ -1028,80 +1074,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sourceparentprocesssha256": "08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089", "sourceparentprocesssigneridentity": "MICROSOFT WINDOWS", "sourceparentprocessstarttime": 1636964894046, + "sourceparentprocessstoryline": "E1798FE5683F14CF", + "sourceparentprocesssubsystem": "win32", + "sourceparentprocessusername": "CORP\\user", "sourceprocesscommandline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-Command\" \"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\user\\Documents\\git\\DSP2\\API HUB\\Documentation\\Generate.ps1'\"", "sourceprocessfilepath": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "sourceprocessfilesingeridentity": "MICROSOFT WINDOWS", + "sourceprocessintegritylevel": "medium", + "sourceprocesskey": "8C3CD6D2478943E5", "sourceprocessmd5": "04029e121a0cfa5991749937dd22a1d9", "sourceprocessname": "powershell.exe", "sourceprocesspid": 6676, "sourceprocesssha1": "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", "sourceprocesssha256": "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f", "sourceprocessstarttime": 1637076505627, + "sourceprocessstoryline": "5D1F81C984CFD44D", + "sourceprocesssubsystem": "win32", + "sourceprocessusername": "CORP\\user", + "systemUser": 0, "userId": 111111111111111111 - } - }, - "organization": { - "id": "901144152444038278" - }, - "action": { - "type": 3608 + }, + "eventid": 1290568704943967230, + "secondaryDescription": "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", + "siteId": 901144152460815495, + "updatedAt": "2021-11-16T15:29:38.429056Z" }, "user": { "id": 111111111111111111, "name": "sentinelone" - }, - "group": { - "id": "924347507640996620" - }, - "agent": { - "id": "1183145065000215213" - }, - "@timestamp": "2021-11-16T15:29:38.431997Z", - "file": { - "name": "powershell.exe" - }, - "rule": { - 
"name": "PowershellExecutionPolicyChanged Indicator Monito", - "id": "1259119070812474070", - "description": "Rule migrated from Watchlist" - }, - "process": { - "parent": { - "command_line": "C:\\WINDOWS\\Explorer.EXE", - "hash": { - "md5": "681a21a3b848ed960073475cd77634ce", - "sha1": "3d930943fbea03c9330c4947e5749ed9ceed528a", - "sha256": "08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089" - }, - "name": "explorer.exe", - "executable": "C:\\WINDOWS\\explorer.exe", - "pid": 11196, - "code_signature": { - "subject_name": "MICROSOFT WINDOWS" - }, - "start": "2021-11-15T08:28:14.046000Z" - }, - "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-Command\" \"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\user\\Documents\\git\\DSP2\\API HUB\\Documentation\\Generate.ps1'\"", - "executable": "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6676, - "hash": { - "md5": "04029e121a0cfa5991749937dd22a1d9", - "sha1": "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054", - "sha256": "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f" - }, - "start": "2021-11-16T15:28:25.627000Z" - }, - "related": { - "hash": [ - "04029e121a0cfa5991749937dd22a1d9", - "08d3f16dfbb5b5d7b419376a4f73350c13424de984fd43309160ce30bc1df089", - "3d930943fbea03c9330c4947e5749ed9ceed528a", - "681a21a3b848ed960073475cd77634ce", - "9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f", - "f43d9bb316e30ae1a3494ac5b0624f6bea1bf054" - ], - "user": [ - "sentinelone" - ] } } 
@@ -1115,32 +1115,85 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"901144152444038278\", \"activityType\": 3608, \"agentId\": \"1277428815225733296\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-03-30T09:00:18.286500Z\", \"data\": {\"accountName\": \"CORP\", \"agentipv4\": \"192.168.102.46\", \"alertid\": 1387492689895241884, \"detectedat\": 1648630801340, \"dnsrequest\": \"\", \"dnsresponse\": \"\", \"dstip\": \"\", \"dstport\": 0, \"dveventid\": \"\", \"dveventtype\": \"FILEMODIFICATION\", \"externalip\": \"11.11.11.11\", \"fullScopeDetails\": \"Group LAPTOP in Site DEFAULT of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / DEFAULT / LAPTOP\", \"groupName\": \"LAPTOP\", \"indicatorcategory\": \"\", \"indicatordescription\": \"\", \"indicatorname\": \"\", \"k8sclustername\": \"\", \"k8scontainerid\": \"\", \"k8scontainerimage\": \"\", \"k8scontainerlabels\": \"\", \"k8scontainername\": \"\", \"k8scontrollerkind\": \"\", \"k8scontrollerlabels\": \"\", \"k8scontrollername\": \"\", \"k8snamespace\": \"\", \"k8snamespacelabels\": \"\", \"k8snode\": \"\", \"k8spod\": \"\", \"k8spodlabels\": \"\", \"loginaccountdomain\": \"\", \"loginaccountsid\": \"\", \"loginisadministratorequivalent\": \"\", \"loginissuccessful\": \"\", \"loginsusername\": \"\", \"logintype\": \"\", \"modulepath\": \"\", \"modulesha1\": \"\", \"neteventdirection\": \"\", \"origagentmachinetype\": \"laptop\", \"origagentname\": \"USR-LAP-4141\", \"origagentosfamily\": \"windows\", \"origagentosname\": \"Windows 10 Pro\", \"origagentosrevision\": \"19042\", \"origagentsiteid\": \"901144152460815495\", \"origagentuuid\": \"53a4af77e0e2465abaa97d16e88a6355\", \"origagentversion\": \"21.7.5.1080\", \"physical\": \"70:b5:e8:92:72:0a\", \"registrykeypath\": \"\", \"registryoldvalue\": \"\", \"registryoldvaluetype\": \"\", \"registrypath\": \"\", \"registryvalue\": \"\", 
\"ruledescription\": \"Ecriture d'une dll webex \\\"atucfobj.dll\\\" inconnu du syst\\u00e8me sur le parc.\", \"ruleid\": 1360739572188076805, \"rulename\": \"Webex.Meetings.Atucfobj.dll Monitoring\", \"rulescopeid\": 901144152444038278, \"rulescopelevel\": \"E_ACCOUNT\", \"scopeId\": 901144152444038278, \"scopeLevel\": \"Group\", \"scopeName\": \"LAPTOP\", \"severity\": \"E_MEDIUM\", \"siteName\": \"DEFAULT\", \"sourcename\": \"STAR\", \"sourceparentprocesscommandline\": \"\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\", \"sourceparentprocessintegritylevel\": \"medium\", \"sourceparentprocesskey\": \"DFF45D789645E07E\", \"sourceparentprocessmd5\": \"66883dc802f65605077b0b05b1bc901b\", \"sourceparentprocessname\": \"WebexHost_old.exe\", \"sourceparentprocesspath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost_old.exe\", \"sourceparentprocesspid\": 10996, \"sourceparentprocesssha1\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", \"sourceparentprocesssha256\": \"d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23\", \"sourceparentprocesssigneridentity\": \"CISCO WEBEX LLC\", \"sourceparentprocessstarttime\": 1648628294256, \"sourceparentprocessstoryline\": \"114D19D4F405D782\", \"sourceparentprocesssubsystem\": \"win32\", \"sourceparentprocessusername\": \"CORP\\\\user\", \"sourceprocesscommandline\": \"\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /job=upgradeClient /channel=2af416334939280c\", \"sourceprocessfilepath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost_old.exe\", \"sourceprocessfilesigneridentity\": \"CISCO WEBEX LLC\", \"sourceprocessintegritylevel\": \"medium\", \"sourceprocesskey\": \"634272057BAB1D81\", \"sourceprocessmd5\": \"66883dc802f65605077b0b05b1bc901b\", \"sourceprocessname\": \"WebexHost_old.exe\", \"sourceprocesspid\": 7788, \"sourceprocesssha1\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", 
\"sourceprocesssha256\": \"d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23\", \"sourceprocessstarttime\": 1648630694853, \"sourceprocessstoryline\": \"114D19D4F405D782\", \"sourceprocesssubsystem\": \"win32\", \"sourceprocessusername\": \"CORP\\\\user\", \"srcip\": \"\", \"srcmachineip\": \"\", \"srcport\": 0, \"systemUser\": 0, \"tgtfilecreatedat\": 1646400756503, \"tgtfilehashsha1\": \"5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a\", \"tgtfilehashsha256\": \"e89dd9db7c5f93ab2fd216d36e7432ea3b418b5df0191d4849fdb1967b2f6e2e\", \"tgtfileid\": \"5C4E2E3FE950B367\", \"tgtfileissigned\": \"signed\", \"tgtfilemodifiedat\": 1648630718596, \"tgtfileoldpath\": \"\", \"tgtfilepath\": \"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll\", \"tgtproccmdline\": \"\", \"tgtprocessstarttime\": \"\", \"tgtprocimagepath\": \"\", \"tgtprocintegritylevel\": \"unknown\", \"tgtprocname\": \"\", \"tgtprocpid\": 0, \"tgtprocsignedstatus\": \"\", \"tgtprocstorylineid\": \"\", \"tgtprocuid\": \"\", \"tiindicatorcomparisonmethod\": \"\", \"tiindicatorsource\": \"\", \"tiindicatortype\": \"\", \"tiindicatorvalue\": \"\", \"userId\": 901170701818003423, \"userName\": \"User NAME\"}, \"description\": null, \"groupId\": \"924347507640996620\", \"hash\": null, \"id\": \"1387492693815190915\", \"osFamily\": null, \"primaryDescription\": \"Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.\", \"secondaryDescription\": \"84580370c58b1b0c9e4138257018fd98efdf28ba\", \"siteId\": \"901144152460815495\", \"threatId\": null, \"updatedAt\": \"2022-03-30T09:00:18.282935Z\", \"userId\": \"901170701818003423\"}", "event": { - "reason": "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.", "action": "Custom Rules - New Alert", - 
"kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.", "type": [ "info" ] }, + "@timestamp": "2022-03-30T09:00:18.286500Z", + "action": { + "type": 3608 + }, + "agent": { + "id": "1277428815225733296" + }, + "file": { + "name": "WebexHost_old.exe" + }, + "group": { + "id": "924347507640996620" + }, + "organization": { + "id": "901144152444038278" + }, + "process": { + "command_line": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /job=upgradeClient /channel=2af416334939280c", + "executable": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", + "hash": { + "md5": "66883dc802f65605077b0b05b1bc901b", + "sha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", + "sha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" + }, + "parent": { + "code_signature": { + "subject_name": "CISCO WEBEX LLC" + }, + "command_line": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun", + "executable": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", + "hash": { + "md5": "66883dc802f65605077b0b05b1bc901b", + "sha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", + "sha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" + }, + "name": "WebexHost_old.exe", + "pid": 10996, + "start": "2022-03-30T08:18:14.256000Z" + }, + "pid": 7788, + "start": "2022-03-30T08:58:14.853000Z" + }, + "related": { + "hash": [ + "66883dc802f65605077b0b05b1bc901b", + "84580370c58b1b0c9e4138257018fd98efdf28ba", + "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" + ], + "user": [ + "User NAME" + ] + }, + "rule": { + "description": "Ecriture d'une dll webex \"atucfobj.dll\" inconnu du syst\u00e8me sur le parc.", + "id": "1360739572188076805", + "name": "Webex.Meetings.Atucfobj.dll Monitoring" + }, 
"sentinelone": { - "eventid": 1387492693815190915, - "secondaryDescription": "84580370c58b1b0c9e4138257018fd98efdf28ba", - "siteId": 901144152460815495, - "updatedAt": "2022-03-30T09:00:18.282935Z", "createdAt": "2022-03-30T09:00:18.286500Z", "data": { "accountName": "CORP", - "fullScopeDetails": "Group LAPTOP in Site DEFAULT of Account CORP", - "fullScopeDetailsPath": "Global / CORP / DEFAULT / LAPTOP", - "scopeLevel": "Group", - "scopeName": "LAPTOP", - "scopeId": 901144152444038278, + "agentipv4": "192.168.102.46", "alertid": 1387492689895241884, "detectedat": 1648630801340, + "dstport": 0, "dveventtype": "FILEMODIFICATION", + "externalip": "11.11.11.11", + "fullScopeDetails": "Group LAPTOP in Site DEFAULT of Account CORP", + "fullScopeDetailsPath": "Global / CORP / DEFAULT / LAPTOP", "groupName": "LAPTOP", "origagentmachinetype": "laptop", "origagentname": "USR-LAP-4141", 
@@ -1150,27 +1203,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "origagentsiteid": 901144152460815495, "origagentuuid": "53a4af77e0e2465abaa97d16e88a6355", "origagentversion": "21.7.5.1080", + "physical": "70:b5:e8:92:72:0a", "rulescopeid": 901144152444038278, "rulescopelevel": "E_ACCOUNT", + "scopeId": 901144152444038278, + "scopeLevel": "Group", + "scopeName": "LAPTOP", "severity": "E_MEDIUM", "siteName": "DEFAULT", "sourcename": "STAR", + "sourceparentprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun", "sourceparentprocessintegritylevel": "medium", "sourceparentprocesskey": "DFF45D789645E07E", - "sourceparentprocessstoryline": "114D19D4F405D782", - "sourceparentprocesssubsystem": "win32", - "sourceparentprocessusername": "CORP\\user", - "sourceprocessintegritylevel": "medium", - "sourceprocesskey": "634272057BAB1D81", - "sourceprocessstoryline": "114D19D4F405D782", - "sourceprocesssubsystem": "win32", - "sourceprocessusername": "CORP\\user", - "systemUser": 0, - "agentipv4": "192.168.102.46", - "dstport": 0, - "externalip": "11.11.11.11", - "physical": "70:b5:e8:92:72:0a", - "sourceparentprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun", "sourceparentprocessmd5": "66883dc802f65605077b0b05b1bc901b", "sourceparentprocessname": "WebexHost_old.exe", "sourceparentprocesspath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", 
@@ -1179,16 +1223,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sourceparentprocesssha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23", "sourceparentprocesssigneridentity": "CISCO WEBEX LLC", "sourceparentprocessstarttime": 1648628294256, + "sourceparentprocessstoryline": "114D19D4F405D782", + "sourceparentprocesssubsystem": "win32", + "sourceparentprocessusername": "CORP\\user", "sourceprocesscommandline": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /job=upgradeClient /channel=2af416334939280c", "sourceprocessfilepath": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", "sourceprocessfilesigneridentity": "CISCO WEBEX LLC", + "sourceprocessintegritylevel": "medium", + "sourceprocesskey": "634272057BAB1D81", "sourceprocessmd5": "66883dc802f65605077b0b05b1bc901b", "sourceprocessname": "WebexHost_old.exe", "sourceprocesspid": 7788, "sourceprocesssha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", "sourceprocesssha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23", "sourceprocessstarttime": 1648630694853, + "sourceprocessstoryline": "114D19D4F405D782", + "sourceprocesssubsystem": "win32", + "sourceprocessusername": "CORP\\user", "srcport": 0, + "systemUser": 0, "tgtfilecreatedat": 1646400756503, "tgtfilehashsha1": "5b1bbda6c8d9bb6e49e5e7c49909d48d5d35658a", "tgtfilehashsha256": "e89dd9db7c5f93ab2fd216d36e7432ea3b418b5df0191d4849fdb1967b2f6e2e", 
@@ -1199,68 +1252,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "tgtprocintegritylevel": "unknown", "tgtprocpid": 0, "userId": 901170701818003423 - } - }, - "organization": { - "id": "901144152444038278" - }, - "action": { - "type": 3608 + }, + "eventid": 1387492693815190915, + "secondaryDescription": "84580370c58b1b0c9e4138257018fd98efdf28ba", + "siteId": 901144152460815495, + "updatedAt": "2022-03-30T09:00:18.282935Z" }, "user": { "id": 901170701818003423, "name": "User NAME" - }, - "group": { - "id": "924347507640996620" - }, - "agent": { - "id": "1277428815225733296" - }, - "@timestamp": "2022-03-30T09:00:18.286500Z", - "file": { - "name": "WebexHost_old.exe" - }, - "rule": { - "name": "Webex.Meetings.Atucfobj.dll Monitoring", - "id": "1360739572188076805", - "description": "Ecriture d'une dll webex \"atucfobj.dll\" inconnu du syst\u00e8me sur le parc." - }, - "process": { - "parent": { - "command_line": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun", - "hash": { - "md5": "66883dc802f65605077b0b05b1bc901b", - "sha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", - "sha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" - }, - "name": "WebexHost_old.exe", - "executable": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", - "pid": 10996, - "code_signature": { - "subject_name": "CISCO WEBEX LLC" - }, - "start": "2022-03-30T08:18:14.256000Z" - }, - "command_line": "\"C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost.exe\" /job=upgradeClient /channel=2af416334939280c", - "executable": "C:\\Users\\user\\AppData\\Local\\WebEx\\WebexHost_old.exe", - "pid": 7788, - "hash": { - "md5": "66883dc802f65605077b0b05b1bc901b", - "sha1": "84580370c58b1b0c9e4138257018fd98efdf28ba", - "sha256": "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" - }, - "start": "2022-03-30T08:58:14.853000Z" - }, - "related": { - "hash": [ - "66883dc802f65605077b0b05b1bc901b", - 
"84580370c58b1b0c9e4138257018fd98efdf28ba", - "d8efbbfab923ad72057d165dc30f2c0d39a4f4d2dcb7d6fa8a8c9c5b406fcb23" - ], - "user": [ - "User NAME" - ] } } 
@@ -1272,116 +1272,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "agent": { - "id": "1109245354690326957" - }, "message": "{\"agentDetectionInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"EXAMPLE CORP\",\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"1.1.1.1\",\"agentIpV6\":\"2001:0db8:85a3:0000:0000:8a2e:0370:7334\",\"agentLastLoggedInUserName\":\"User\",\"agentMitigationMode\":\"detect\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19042\",\"agentRegisteredAt\":\"2021-03-11T11:12:30.665887Z\",\"agentUuid\":\"e50b53c856f041bab326d621d61db4f8\",\"agentVersion\":\"4.6.12.241\",\"externalIp\":\"2.2.2.2\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\"},\"agentRealtimeInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"EXAMPLE CORP\",\"activeThreats\":0,\"agentComputerName\":\"VM-SentinelOne\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1109245354690326957\",\"agentInfected\":false,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"desktop\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19042\",\"agentOsType\":\"windows\",\"agentUuid\":\"e50b53c856f041bab326d621d61db4f8\",\"agentVersion\":\"4.6.12.241\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default 
Group\",\"networkInterfaces\":[{\"id\":\"1109245354698715566\",\"inet\":[\"1.1.1.1\"],\"inet6\":[\"2001:0db8:85a3:0000:0000:8a2e:0370:7334\"],\"name\":\"Ethernet\",\"physical\":\"08:00:27:52:5d:be\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":null,\"scanStartedAt\":\"2021-03-11T11:12:43.266673Z\",\"scanStatus\":\"started\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\",\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1112953674841025235\",\"indicators\":[{\"category\":\"Hiding/Stealthiness\",\"description\":\"The majority of sections in this PE have high entropy, a sign of obfuscation or packing.\",\"ids\":[29],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports functions used to raise kernel exceptions.\",\"ids\":[24],\"tactics\":[]},{\"category\":\"Hiding/Stealthiness\",\"description\":\"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8).\",\"ids\":[12],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Malware\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"provider_unknown\",\"collectionId\":\"1112767491720942490\",\"confidenceLevel\":\"suspicious\",\"createdAt\":\"2021-03-16T14:00:16.879105Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - 
Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"TMP\",\"fileExtensionType\":\"Misc\",\"filePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\nsr1C3F.tmp\\\\nsh29ED.tmp\",\"fileSize\":2976256,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2021-03-16T14:00:14.188000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"FileZilla_3.53.0_win64_sponsored-setup.exe\",\"pendingActions\":false,\"processUser\":\"VM-SENTINELONE\\\\User\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"4ffe673e3696a4287ab4a9c816d611a5fff56858\",\"sha256\":null,\"storyline\":\"37077C139C322609\",\"threatId\":\"1112953674841025235\",\"threatName\":\"nsh29ED.tmp\",\"updatedAt\":\"2021-03-16T14:00:16.874050Z\"},\"whiteningOptions\":[\"hash\",\"path\"]}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, - "threat": { - "software": { - "type": "Malware" - }, - "indicator": { - "confidence": "suspicious", - "file": { - "created": "2021-03-16T14:00:16.879105Z", - "size": 2976256 - } - }, - "enrichments": { - "matched": { - "occurred": "2021-03-16T14:00:14.188000Z" - } - } + "agent": { + "id": "1109245354690326957" }, "file": { - "name": "nsh29ED.tmp", "extension": "tmp", - "path": "\\Device\\HarddiskVolume2\\Users\\User\\AppData\\Local\\Temp\\nsr1C3F.tmp\\nsh29ED.tmp", - "size": 2976256, "hash": { "sha1": "4ffe673e3696a4287ab4a9c816d611a5fff56858" + }, + "name": "nsh29ED.tmp", + "path": 
"\\Device\\HarddiskVolume2\\Users\\User\\AppData\\Local\\Temp\\nsr1C3F.tmp\\nsh29ED.tmp", + "size": 2976256 + }, + "host": { + "domain": "WORKGROUP", + "ip": [ + "1.1.1.1", + "2.2.2.2", + "2001:db8:85a3::8a2e:370:7334" + ], + "name": "VM-SentinelOne", + "os": { + "family": "windows", + "version": "Windows 10 Pro" } }, - "sentinelone": { - "threatInfo": { - "analystVerdict": "undefined", - "analystVerdictDescription": "Undefined", - "automaticallyResolved": false, - "classificationSource": "Cloud", - "cloudFilesHashVerdict": "provider_unknown", - "collectionId": "1112767491720942490", - "detectionEngines": [ - { - "key": "pre_execution_suspicious", - "title": "On-Write Static AI - Suspicious" - } - ], - "detectionType": "static", - "engines": [ - "On-Write DFI - Suspicious" - ], - "externalTicketExists": false, - "failedActions": false, - "fileExtensionType": "Misc", - "fileVerificationType": "NotSigned", - "incidentStatus": "unresolved", - "incidentStatusDescription": "Unresolved", - "initiatedBy": "agent_policy", - "initiatedByDescription": "Agent Policy", - "isFileless": false, - "isValidCertificate": false, - "mitigatedPreemptively": false, - "mitigationStatus": "not_mitigated", - "mitigationStatusDescription": "Not mitigated", - "pendingActions": false, - "reachedEventsLimit": false, - "rebootRequired": false, - "storyline": "37077C139C322609", - "threatId": "1112953674841025235", - "updatedAt": "2021-03-16T14:00:16.874050Z", - "fileExtension": "TMP" - }, - "eventid": 1112953674841025235, - "indicators": [ - { - "category": "Hiding/Stealthiness", - "description": "The majority of sections in this PE have high entropy, a sign of obfuscation or packing.", - "ids": [ - 29 - ], - "tactics": [] - }, - { - "category": "General", - "description": "This binary imports functions used to raise kernel exceptions.", - "ids": [ - 24 - ], - "tactics": [] - }, - { - "category": "Hiding/Stealthiness", - "description": "This binary may contain encrypted or compressed data as 
measured by high entropy of the sections (greater than 6.8).", - "ids": [ - 12 - ], - "tactics": [] - } + "organization": { + "id": "617755838952421242", + "name": "EXAMPLE CORP" + }, + "process": { + "parent": { + "name": "FileZilla_3.53.0_win64_sponsored-setup.exe" + } + }, + "related": { + "hash": [ + "4ffe673e3696a4287ab4a9c816d611a5fff56858" ], - "mitigationStatus": [], - "whiteningOptions": [ - "hash", - "path" + "ip": [ + "1.1.1.1", + "2.2.2.2", + "2001:db8:85a3::8a2e:370:7334" ], + "user": [ + "VM-SENTINELONE\\User" + ] + }, + "sentinelone": { "agentDetectionInfo": { "accountId": "617755838952421242", "accountName": "EXAMPLE CORP", 
@@ -1437,106 +1385,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "siteId": 1107851598358168475, "siteName": "Sekoia.io", "userActionsNeeded": [] - } - }, - "process": { - "parent": { - "name": "FileZilla_3.53.0_win64_sponsored-setup.exe" - } - }, - "user": { - "name": "VM-SENTINELONE\\User" - }, - "host": { - "ip": [ - "1.1.1.1", - "2001:db8:85a3::8a2e:370:7334", - "2.2.2.2" - ], - "domain": "WORKGROUP", - "os": { - "version": "Windows 10 Pro", - "family": "windows" }, - "name": "VM-SentinelOne" - }, - "organization": { - "id": "617755838952421242", - "name": "EXAMPLE CORP" - }, - "related": { - "hash": [ - "4ffe673e3696a4287ab4a9c816d611a5fff56858" - ], - "ip": [ - "1.1.1.1", - "2.2.2.2", - "2001:db8:85a3::8a2e:370:7334" - ], - "user": [ - "VM-SENTINELONE\\User" - ] - } - } - - ``` - - -=== "threat2.json" - - ```json - - { - "agent": { - "id": "1113026246149650919" - }, - "message": "{\"agentDetectionInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"CORP\",\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.1.4,1.1.1.1\",\"agentIpV6\":\"fe80::9ddd:fd78:1f21:f709,fe80::9ddd:fd78:1f21:f708,fe80::9ddd:fd78:1f21:f707\",\"agentLastLoggedInUserName\":\"tdr\",\"agentMitigationMode\":\"detect\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19041\",\"agentRegisteredAt\":\"2021-03-16T16:24:28.049913Z\",\"agentUuid\":\"ab268977a30842c88136c5afb77f3e12\",\"agentVersion\":\"4.6.12.241\",\"externalIp\":\"55.55.55.55\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default 
Group\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\"},\"agentRealtimeInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"CORP\",\"activeThreats\":9,\"agentComputerName\":\"tdr-vm-template\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1113026246149650919\",\"agentInfected\":true,\"agentIsActive\":false,\"agentIsDecommissioned\":false,\"agentMachineType\":\"desktop\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19041\",\"agentOsType\":\"windows\",\"agentUuid\":\"ab268977a30842c88136c5afb77f3e12\",\"agentVersion\":\"4.6.12.241\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1113026246158039528\",\"inet\":[\"10.0.1.4\"],\"inet6\":[\"fe80::9ddd:fd78:1f21:f709\"],\"name\":\"Ethernet 2\",\"physical\":\"00:0d:3a:b0:42:18\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":null,\"scanStartedAt\":\"2021-03-16T16:25:02.304681Z\",\"scanStatus\":\"started\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\",\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1113032189486913422\",\"indicators\":[{\"category\":\"InfoStealer\",\"description\":\"This uses mimikatz, an open-source application that shows and saves credentials.\",\"ids\":[38],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports functions used to raise kernel exceptions.\",\"ids\":[24],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports debugger functions.\",\"ids\":[6],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary creates a System 
Service.\",\"ids\":[5],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[],\"threatInfo\":{\"analystVerdict\":\"true_positive\",\"analystVerdictDescription\":\"True positive\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"OPEN SOURCE DEVELOPER, BENJAMIN DELPY\",\"classification\":\"Infostealer\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"984546260612443092\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2021-03-16T16:36:16.554368Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\tdr\\\\Downloads\\\\mimikatz_trunk\\\\x64\\\\mimikatz.exe\",\"fileSize\":1309448,\"fileVerificationType\":\"SignedVerified\",\"identifiedAt\":\"2021-03-16T16:36:16.157000Z\",\"incidentStatus\":\"resolved\",\"incidentStatusDescription\":\"Resolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":true,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"explorer.exe\",\"pendingActions\":false,\"processUser\":\"tdr-vm-template\\\\tdr\",\"publisherName\":\"OPEN SOURCE DEVELOPER, BENJAMIN 
DELPY\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"d241df7b9d2ec0b8194751cd5ce153e27cc40fa4\",\"sha256\":null,\"storyline\":\"D8F484ABE8543750\",\"threatId\":\"1113032189486913422\",\"threatName\":\"mimikatz.exe\",\"updatedAt\":\"2021-03-16T17:33:41.910607Z\"}}", - "event": { - "kind": "alert", - "category": [ - "malware" - ], - "type": [ - "info" - ] - }, - "threat": { - "indicator": { - "file": { - "code_signature": { - "signing_id": "OPEN SOURCE DEVELOPER, BENJAMIN DELPY" - }, - "created": "2021-03-16T16:36:16.554368Z", - "size": 1309448 + "eventid": 1112953674841025235, + "indicators": [ + { + "category": "Hiding/Stealthiness", + "description": "The majority of sections in this PE have high entropy, a sign of obfuscation or packing.", + "ids": [ + 29 + ], + "tactics": [] }, - "confidence": "malicious" - }, - "software": { - "type": "Infostealer" - }, - "enrichments": { - "matched": { - "occurred": "2021-03-16T16:36:16.157000Z" + { + "category": "General", + "description": "This binary imports functions used to raise kernel exceptions.", + "ids": [ + 24 + ], + "tactics": [] + }, + { + "category": "Hiding/Stealthiness", + "description": "This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8).", + "ids": [ + 12 + ], + "tactics": [] } - } - }, - "file": { - "name": "mimikatz.exe", - "extension": "exe", - "path": "\\Device\\HarddiskVolume2\\Users\\tdr\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", - "size": 1309448, - "hash": { - "sha1": "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4" - } - }, - "sentinelone": { + ], + "mitigationStatus": [], "threatInfo": { - "analystVerdict": "true_positive", - "analystVerdictDescription": "True positive", + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", "automaticallyResolved": false, "classificationSource": "Cloud", - "cloudFilesHashVerdict": "black", - "collectionId": "984546260612443092", + "cloudFilesHashVerdict": 
"provider_unknown", + "collectionId": "1112767491720942490", "detectionEngines": [ { "key": "pre_execution_suspicious", 
@@ -1549,62 +1433,124 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "externalTicketExists": false, "failedActions": false, - "fileExtensionType": "Executable", - "fileVerificationType": "SignedVerified", - "incidentStatus": "resolved", - "incidentStatusDescription": "Resolved", + "fileExtension": "TMP", + "fileExtensionType": "Misc", + "fileVerificationType": "NotSigned", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", "initiatedBy": "agent_policy", "initiatedByDescription": "Agent Policy", "isFileless": false, - "isValidCertificate": true, + "isValidCertificate": false, "mitigatedPreemptively": false, "mitigationStatus": "not_mitigated", "mitigationStatusDescription": "Not mitigated", "pendingActions": false, - "publisherName": "OPEN SOURCE DEVELOPER, BENJAMIN DELPY", "reachedEventsLimit": false, "rebootRequired": false, - "storyline": "D8F484ABE8543750", - "threatId": "1113032189486913422", - "updatedAt": "2021-03-16T17:33:41.910607Z", - "fileExtension": "EXE" + "storyline": "37077C139C322609", + "threatId": "1112953674841025235", + "updatedAt": "2021-03-16T14:00:16.874050Z" }, - "eventid": 1113032189486913422, - "indicators": [ - { - "category": "InfoStealer", - "description": "This uses mimikatz, an open-source application that shows and saves credentials.", - "ids": [ - 38 - ], - "tactics": [] - }, - { - "category": "General", - "description": "This binary imports functions used to raise kernel exceptions.", - "ids": [ - 24 - ], - "tactics": [] - }, - { - "category": "General", - "description": "This binary imports debugger functions.", - "ids": [ - 6 - ], - "tactics": [] - }, - { - "category": "General", - "description": "This binary creates a System Service.", - "ids": [ - 5 - ], - "tactics": [] + "whiteningOptions": [ + "hash", + "path" + ] + }, + "threat": { + "enrichments": { + "matched": { + "occurred": "2021-03-16T14:00:14.188000Z" + } + }, + "indicator": { + "confidence": "suspicious", + 
"file": { + "created": "2021-03-16T14:00:16.879105Z", + "size": 2976256 } + }, + "software": { + "type": "Malware" + } + }, + "user": { + "name": "VM-SENTINELONE\\User" + } + } + + ``` + + +=== "threat2.json" + + ```json + + { + "message": "{\"agentDetectionInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"CORP\",\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.1.4,1.1.1.1\",\"agentIpV6\":\"fe80::9ddd:fd78:1f21:f709,fe80::9ddd:fd78:1f21:f708,fe80::9ddd:fd78:1f21:f707\",\"agentLastLoggedInUserName\":\"tdr\",\"agentMitigationMode\":\"detect\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19041\",\"agentRegisteredAt\":\"2021-03-16T16:24:28.049913Z\",\"agentUuid\":\"ab268977a30842c88136c5afb77f3e12\",\"agentVersion\":\"4.6.12.241\",\"externalIp\":\"55.55.55.55\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\"},\"agentRealtimeInfo\":{\"accountId\":\"617755838952421242\",\"accountName\":\"CORP\",\"activeThreats\":9,\"agentComputerName\":\"tdr-vm-template\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1113026246149650919\",\"agentInfected\":true,\"agentIsActive\":false,\"agentIsDecommissioned\":false,\"agentMachineType\":\"desktop\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"Windows 10 Pro\",\"agentOsRevision\":\"19041\",\"agentOsType\":\"windows\",\"agentUuid\":\"ab268977a30842c88136c5afb77f3e12\",\"agentVersion\":\"4.6.12.241\",\"groupId\":\"1107851598374945694\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1113026246158039528\",\"inet\":[\"10.0.1.4\"],\"inet6\":[\"fe80::9ddd:fd78:1f21:f709\"],\"name\":\"Ethernet 
2\",\"physical\":\"00:0d:3a:b0:42:18\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":null,\"scanStartedAt\":\"2021-03-16T16:25:02.304681Z\",\"scanStatus\":\"started\",\"siteId\":\"1107851598358168475\",\"siteName\":\"Sekoia.io\",\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1113032189486913422\",\"indicators\":[{\"category\":\"InfoStealer\",\"description\":\"This uses mimikatz, an open-source application that shows and saves credentials.\",\"ids\":[38],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports functions used to raise kernel exceptions.\",\"ids\":[24],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary imports debugger functions.\",\"ids\":[6],\"tactics\":[]},{\"category\":\"General\",\"description\":\"This binary creates a System Service.\",\"ids\":[5],\"tactics\":[]}],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[],\"threatInfo\":{\"analystVerdict\":\"true_positive\",\"analystVerdictDescription\":\"True positive\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"OPEN SOURCE DEVELOPER, BENJAMIN DELPY\",\"classification\":\"Infostealer\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"984546260612443092\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2021-03-16T16:36:16.554368Z\",\"detectionEngines\":[{\"key\":\"pre_execution_suspicious\",\"title\":\"On-Write Static AI - Suspicious\"}],\"detectionType\":\"static\",\"engines\":[\"On-Write DFI - 
Suspicious\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\tdr\\\\Downloads\\\\mimikatz_trunk\\\\x64\\\\mimikatz.exe\",\"fileSize\":1309448,\"fileVerificationType\":\"SignedVerified\",\"identifiedAt\":\"2021-03-16T16:36:16.157000Z\",\"incidentStatus\":\"resolved\",\"incidentStatusDescription\":\"Resolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":true,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"explorer.exe\",\"pendingActions\":false,\"processUser\":\"tdr-vm-template\\\\tdr\",\"publisherName\":\"OPEN SOURCE DEVELOPER, BENJAMIN DELPY\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"d241df7b9d2ec0b8194751cd5ce153e27cc40fa4\",\"sha256\":null,\"storyline\":\"D8F484ABE8543750\",\"threatId\":\"1113032189486913422\",\"threatName\":\"mimikatz.exe\",\"updatedAt\":\"2021-03-16T17:33:41.910607Z\"}}", + "event": { + "category": [ + "malware" ], - "mitigationStatus": [], + "kind": "alert", + "type": [ + "info" + ] + }, + "agent": { + "id": "1113026246149650919" + }, + "file": { + "extension": "exe", + "hash": { + "sha1": "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4" + }, + "name": "mimikatz.exe", + "path": "\\Device\\HarddiskVolume2\\Users\\tdr\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", + "size": 1309448 + }, + "host": { + "domain": "WORKGROUP", + "ip": [ + "1.1.1.1", + "10.0.1.4", + "55.55.55.55", + "fe80::9ddd:fd78:1f21:f707", + "fe80::9ddd:fd78:1f21:f708", + "fe80::9ddd:fd78:1f21:f709" + ], + "name": "tdr-vm-template", + "os": { + "family": "windows", + "version": "Windows 10 Pro" + } + }, + "organization": { + "id": 
"617755838952421242", + "name": "CORP" + }, + "process": { + "parent": { + "name": "explorer.exe" + } + }, + "related": { + "hash": [ + "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4" + ], + "ip": [ + "1.1.1.1", + "10.0.1.4", + "55.55.55.55", + "fe80::9ddd:fd78:1f21:f707", + "fe80::9ddd:fd78:1f21:f708", + "fe80::9ddd:fd78:1f21:f709" + ], + "user": [ + "tdr-vm-template\\tdr" + ] + }, + "sentinelone": { "agentDetectionInfo": { "accountId": "617755838952421242", "accountName": "CORP", 
@@ -1660,51 +1606,105 @@ Find below few samples of events and how they are normalized by Sekoia.io. "siteId": 1107851598358168475, "siteName": "Sekoia.io", "userActionsNeeded": [] + }, + "eventid": 1113032189486913422, + "indicators": [ + { + "category": "InfoStealer", + "description": "This uses mimikatz, an open-source application that shows and saves credentials.", + "ids": [ + 38 + ], + "tactics": [] + }, + { + "category": "General", + "description": "This binary imports functions used to raise kernel exceptions.", + "ids": [ + 24 + ], + "tactics": [] + }, + { + "category": "General", + "description": "This binary imports debugger functions.", + "ids": [ + 6 + ], + "tactics": [] + }, + { + "category": "General", + "description": "This binary creates a System Service.", + "ids": [ + 5 + ], + "tactics": [] + } + ], + "mitigationStatus": [], + "threatInfo": { + "analystVerdict": "true_positive", + "analystVerdictDescription": "True positive", + "automaticallyResolved": false, + "classificationSource": "Cloud", + "cloudFilesHashVerdict": "black", + "collectionId": "984546260612443092", + "detectionEngines": [ + { + "key": "pre_execution_suspicious", + "title": "On-Write Static AI - Suspicious" + } + ], + "detectionType": "static", + "engines": [ + "On-Write DFI - Suspicious" + ], + "externalTicketExists": false, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "fileVerificationType": "SignedVerified", + "incidentStatus": "resolved", + "incidentStatusDescription": "Resolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "isFileless": false, + "isValidCertificate": true, + "mitigatedPreemptively": false, + "mitigationStatus": "not_mitigated", + "mitigationStatusDescription": "Not mitigated", + "pendingActions": false, + "publisherName": "OPEN SOURCE DEVELOPER, BENJAMIN DELPY", + "reachedEventsLimit": false, + "rebootRequired": false, + "storyline": "D8F484ABE8543750", + "threatId": 
"1113032189486913422", + "updatedAt": "2021-03-16T17:33:41.910607Z" } }, - "process": { - "parent": { - "name": "explorer.exe" + "threat": { + "enrichments": { + "matched": { + "occurred": "2021-03-16T16:36:16.157000Z" + } + }, + "indicator": { + "confidence": "malicious", + "file": { + "code_signature": { + "signing_id": "OPEN SOURCE DEVELOPER, BENJAMIN DELPY" + }, + "created": "2021-03-16T16:36:16.554368Z", + "size": 1309448 + } + }, + "software": { + "type": "Infostealer" } }, "user": { "name": "tdr-vm-template\\tdr" - }, - "host": { - "ip": [ - "10.0.1.4", - "1.1.1.1", - "fe80::9ddd:fd78:1f21:f709", - "fe80::9ddd:fd78:1f21:f708", - "fe80::9ddd:fd78:1f21:f707", - "55.55.55.55" - ], - "domain": "WORKGROUP", - "os": { - "version": "Windows 10 Pro", - "family": "windows" - }, - "name": "tdr-vm-template" - }, - "organization": { - "id": "617755838952421242", - "name": "CORP" - }, - "related": { - "hash": [ - "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4" - ], - "ip": [ - "1.1.1.1", - "10.0.1.4", - "55.55.55.55", - "fe80::9ddd:fd78:1f21:f707", - "fe80::9ddd:fd78:1f21:f708", - "fe80::9ddd:fd78:1f21:f709" - ], - "user": [ - "tdr-vm-template\\tdr" - ] } } 
@@ -1716,87 +1716,136 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "agent": { - "id": "1088377752722254024" - }, "message": "{\"EventTime\": \"2022-03-11 14:14:54\", \"agentDetectionInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"agentDetectionState\": null, \"agentDomain\": \"DOMAIN\", \"agentIpV4\": \"192.168.56.1,10.4.4.69\", \"agentIpV6\": \"fe80::e4a1:7fce:33f3:d50e,fe80::605f:b34f:31ac:498\", \"agentLastLoggedInUserName\": \"USERNAME\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentRegisteredAt\": \"2021-02-10T16:12:18.659760Z\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"cloudProviders\": {}, \"externalIp\": \"66.66.66.66\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\"}, \"agentRealtimeInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"activeThreats\": 0, \"agentComputerName\": \"LSYN98873\", \"agentDecommissionedAt\": null, \"agentDomain\": \"DOMAIN\", \"agentId\": \"1088377752722254024\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"laptop\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentOsType\": \"windows\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"networkInterfaces\": [{\"id\": \"1373748335430042703\", \"inet\": [\"10.4.4.69\"], \"inet6\": [\"fe80::605f:b34f:31ac:498\"], \"name\": \"Ethernet\", \"physical\": \"98:fa:9b:5f:f2:bd\"}, {\"id\": \"1362550279953160460\", \"inet\": [\"192.168.56.1\"], \"inet6\": [\"fe80::e4a1:7fce:33f3:d50e\"], \"name\": 
\"Ethernet 2\", \"physical\": \"0a:00:27:00:00:0b\"}], \"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": \"2022-01-31T13:56:31.482859Z\", \"scanStartedAt\": \"2022-01-28T15:25:03.885250Z\", \"scanStatus\": \"finished\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": null, \"image\": null, \"labels\": null, \"name\": null}, \"id\": \"1373834705420286869\", \"indicators\": [{\"category\": \"Exploitation\", \"description\": \"Document behaves abnormally\", \"ids\": [62], \"tactics\": [{\"name\": \"Execution\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1059/\", \"name\": \"T1059\"}, {\"link\": \"https://attack.mitre.org/techniques/T1203/\", \"name\": \"T1203\"}, {\"link\": \"https://attack.mitre.org/techniques/T1204/002\", \"name\": \"T1204.002\"}]}, {\"name\": \"Initial Access\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1566/001/\", \"name\": \"T1566.001\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via scheduled task\", \"ids\": [197], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1053/005/\", \"name\": \"T1053.005\"}]}]}, {\"category\": \"Evasion\", \"description\": \"Suspicious registry key was created\", \"ids\": [171], \"tactics\": [{\"name\": \"Defense Evasion\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1112/\", \"name\": \"T1112\"}]}]}, {\"category\": \"Injection\", \"description\": \"Suspicious library loaded into the process memory\", \"ids\": [126], \"tactics\": []}, {\"category\": \"General\", \"description\": \"User logged on\", \"ids\": [266], \"tactics\": [{\"name\": \"Persistence\", 
\"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1078/\", \"name\": \"T1078\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via an autorun\", \"ids\": [199], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}, {\"name\": \"Privilege Escalation\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}]}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 172, \"total\": 172}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:33.508808Z\", \"latestReport\": \"/threats/mitigation-report/1373834825528452160\", \"mitigationEndedAt\": \"2022-03-11T12:44:32.875000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:18.331000Z\", \"status\": \"success\"}, {\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 15, \"total\": 15}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:19.294889Z\", \"latestReport\": \"/threats/mitigation-report/1373834706275925531\", \"mitigationEndedAt\": \"2022-03-11T12:44:17.112000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:17.111000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"undefined\", \"analystVerdictDescription\": \"Undefined\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"OFFICE TIMELINE, LLC\", \"classification\": \"Malware\", 
\"classificationSource\": \"Static\", \"cloudFilesHashVerdict\": null, \"collectionId\": \"1370955486150335176\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2022-03-11T12:44:19.192413Z\", \"detectionEngines\": [{\"key\": \"executables\", \"title\": \"Behavioral AI\"}], \"detectionType\": \"dynamic\", \"engines\": [\"DBT - Executables\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": \"EXE\", \"fileExtensionType\": \"Executable\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\", \"fileSize\": 65517824, \"fileVerificationType\": \"SignedVerified\", \"identifiedAt\": \"2022-03-11T12:44:16.158000Z\", \"incidentStatus\": \"unresolved\", \"incidentStatusDescription\": \"Unresolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": true, \"maliciousProcessArguments\": \"\\\"C:\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\\\"\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"mitigated\", \"mitigationStatusDescription\": \"Mitigated\", \"originatorProcess\": \"chrome.exe\", \"pendingActions\": false, \"processUser\": \"DOMAIN\\\\USERNAME\", \"publisherName\": \"OFFICE TIMELINE, LLC\", \"reachedEventsLimit\": false, \"rebootRequired\": false, \"sha1\": \"25e43630e04e0858418f0b1a3843ddfd626c1fba\", \"sha256\": null, \"storyline\": \"BB74E569F93D579E\", \"threatId\": \"1373834705420286869\", \"threatName\": \"OfficeTimeline.exe\", \"updatedAt\": \"2022-03-11T12:44:33.501615Z\"}, \"whiteningOptions\": [\"certificate\", \"path\", \"hash\"]}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, - "threat": { - "indicator": { - "file": { - "code_signature": { - "signing_id": "OFFICE TIMELINE, LLC" - }, - "created": 
"2022-03-11T12:44:19.192413Z", - "size": 65517824 - }, - "confidence": "suspicious" - }, - "software": { - "type": "Malware" - }, - "enrichments": { - "matched": { - "occurred": "2022-03-11T12:44:16.158000Z" - } - } + "agent": { + "id": "1088377752722254024" }, "file": { - "name": "OfficeTimeline.exe", "extension": "exe", - "path": "\\Device\\HarddiskVolume3\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe", - "size": 65517824, "hash": { "sha1": "25e43630e04e0858418f0b1a3843ddfd626c1fba" + }, + "name": "OfficeTimeline.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe", + "size": 65517824 + }, + "host": { + "domain": "DOMAIN", + "ip": [ + "10.4.4.69", + "192.168.56.1", + "66.66.66.66", + "fe80::605f:b34f:31ac:498", + "fe80::e4a1:7fce:33f3:d50e" + ], + "name": "LSYN98873", + "os": { + "family": "windows", + "version": "Windows 10 Pro" + } + }, + "organization": { + "id": "111111111111111111", + "name": "REDACTED" + }, + "process": { + "parent": { + "name": "chrome.exe" } }, + "related": { + "hash": [ + "25e43630e04e0858418f0b1a3843ddfd626c1fba" + ], + "ip": [ + "10.4.4.69", + "192.168.56.1", + "66.66.66.66", + "fe80::605f:b34f:31ac:498", + "fe80::e4a1:7fce:33f3:d50e" + ], + "user": [ + "DOMAIN\\USERNAME" + ] + }, "sentinelone": { - "threatInfo": { - "analystVerdict": "undefined", - "analystVerdictDescription": "Undefined", - "automaticallyResolved": false, - "classificationSource": "Static", - "collectionId": "1370955486150335176", - "detectionEngines": [ + "EventTime": "2022-03-11 14:14:54", + "agentDetectionInfo": { + "accountId": "111111111111111111", + "accountName": "REDACTED", + "agentDomain": "DOMAIN", + "agentIpV4": "192.168.56.1,10.4.4.69", + "agentIpV6": "fe80::e4a1:7fce:33f3:d50e,fe80::605f:b34f:31ac:498", + "agentLastLoggedInUserName": "USERNAME", + "agentMitigationMode": "protect", + "agentOsName": "Windows 10 Pro", + "agentOsRevision": "19044", + "agentRegisteredAt": "2021-02-10T16:12:18.659760Z", + "agentUuid": 
"5e4482b45d134ae8bf4901cb52b65e88", + "agentVersion": "21.7.5.1080", + "externalIp": "66.66.66.66", + "groupId": 1083054176758610128, + "groupName": "Default Group", + "siteId": 1083054176741832911, + "siteName": "REDACTED-Users" + }, + "agentRealtimeInfo": { + "activeThreats": 0, + "agentComputerName": "LSYN98873", + "agentDomain": "DOMAIN", + "agentId": "1088377752722254024", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "laptop", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + "agentOsRevision": "19044", + "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", + "agentVersion": "21.7.5.1080", + "groupId": 1083054176758610128, + "groupName": "Default Group", + "networkInterfaces": [ { - "key": "executables", - "title": "Behavioral AI" + "id": "1373748335430042703", + "inet": [ + "10.4.4.69" + ], + "inet6": [ + "fe80::605f:b34f:31ac:498" + ], + "name": "Ethernet", + "physical": "98:fa:9b:5f:f2:bd" + }, + { + "id": "1362550279953160460", + "inet": [ + "192.168.56.1" + ], + "inet6": [ + "fe80::e4a1:7fce:33f3:d50e" + ], + "name": "Ethernet 2", + "physical": "0a:00:27:00:00:0b" } ], - "detectionType": "dynamic", - "engines": [ - "DBT - Executables" - ], - "externalTicketExists": false, - "failedActions": false, - "fileExtensionType": "Executable", - "fileVerificationType": "SignedVerified", - "incidentStatus": "unresolved", - "incidentStatusDescription": "Unresolved", - "initiatedBy": "agent_policy", - "initiatedByDescription": "Agent Policy", - "isFileless": false, - "isValidCertificate": true, - "maliciousProcessArguments": "\"C:\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe\"", - "mitigatedPreemptively": false, - "mitigationStatus": "mitigated", - "mitigationStatusDescription": "Mitigated", - "pendingActions": false, - "publisherName": "OFFICE TIMELINE, LLC", - "reachedEventsLimit": false, + "operationalState": "na", "rebootRequired": false, - "storyline": "BB74E569F93D579E", - 
"threatId": "1373834705420286869", - "updatedAt": "2022-03-11T12:44:33.501615Z", - "fileExtension": "EXE" + "scanFinishedAt": "2022-01-31T13:56:31.482859Z", + "scanStartedAt": "2022-01-28T15:25:03.885250Z", + "scanStatus": "finished", + "siteId": 1083054176741832911, + "siteName": "REDACTED-Users", + "userActionsNeeded": [] }, "eventid": 1373834705420286869, "indicators": [ 
@@ -1968,122 +2017,73 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status": "success" } ], - "EventTime": "2022-03-11 14:14:54", - "whiteningOptions": [ - "certificate", - "path", - "hash" - ], - "agentDetectionInfo": { - "accountId": "111111111111111111", - "accountName": "REDACTED", - "agentDomain": "DOMAIN", - "agentIpV4": "192.168.56.1,10.4.4.69", - "agentIpV6": "fe80::e4a1:7fce:33f3:d50e,fe80::605f:b34f:31ac:498", - "agentLastLoggedInUserName": "USERNAME", - "agentMitigationMode": "protect", - "agentOsName": "Windows 10 Pro", - "agentOsRevision": "19044", - "agentRegisteredAt": "2021-02-10T16:12:18.659760Z", - "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", - "agentVersion": "21.7.5.1080", - "externalIp": "66.66.66.66", - "groupId": 1083054176758610128, - "groupName": "Default Group", - "siteId": 1083054176741832911, - "siteName": "REDACTED-Users" - }, - "agentRealtimeInfo": { - "activeThreats": 0, - "agentComputerName": "LSYN98873", - "agentDomain": "DOMAIN", - "agentId": "1088377752722254024", - "agentInfected": false, - "agentIsActive": true, - "agentIsDecommissioned": false, - "agentMachineType": "laptop", - "agentMitigationMode": "protect", - "agentNetworkStatus": "connected", - "agentOsRevision": "19044", - "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", - "agentVersion": "21.7.5.1080", - "groupId": 1083054176758610128, - "groupName": "Default Group", - "networkInterfaces": [ - { - "id": "1373748335430042703", - "inet": [ - "10.4.4.69" - ], - "inet6": [ - "fe80::605f:b34f:31ac:498" - ], - "name": "Ethernet", - "physical": "98:fa:9b:5f:f2:bd" - }, + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "classificationSource": "Static", + "collectionId": "1370955486150335176", + "detectionEngines": [ { - "id": "1362550279953160460", - "inet": [ - "192.168.56.1" - ], - "inet6": [ - "fe80::e4a1:7fce:33f3:d50e" - ], - "name": "Ethernet 2", - 
"physical": "0a:00:27:00:00:0b" + "key": "executables", + "title": "Behavioral AI" } ], - "operationalState": "na", + "detectionType": "dynamic", + "engines": [ + "DBT - Executables" + ], + "externalTicketExists": false, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "fileVerificationType": "SignedVerified", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "isFileless": false, + "isValidCertificate": true, + "maliciousProcessArguments": "\"C:\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe\"", + "mitigatedPreemptively": false, + "mitigationStatus": "mitigated", + "mitigationStatusDescription": "Mitigated", + "pendingActions": false, + "publisherName": "OFFICE TIMELINE, LLC", + "reachedEventsLimit": false, "rebootRequired": false, - "scanFinishedAt": "2022-01-31T13:56:31.482859Z", - "scanStartedAt": "2022-01-28T15:25:03.885250Z", - "scanStatus": "finished", - "siteId": 1083054176741832911, - "siteName": "REDACTED-Users", - "userActionsNeeded": [] - } + "storyline": "BB74E569F93D579E", + "threatId": "1373834705420286869", + "updatedAt": "2022-03-11T12:44:33.501615Z" + }, + "whiteningOptions": [ + "certificate", + "hash", + "path" + ] }, - "process": { - "parent": { - "name": "chrome.exe" + "threat": { + "enrichments": { + "matched": { + "occurred": "2022-03-11T12:44:16.158000Z" + } + }, + "indicator": { + "confidence": "suspicious", + "file": { + "code_signature": { + "signing_id": "OFFICE TIMELINE, LLC" + }, + "created": "2022-03-11T12:44:19.192413Z", + "size": 65517824 + } + }, + "software": { + "type": "Malware" } }, "user": { "name": "DOMAIN\\USERNAME" - }, - "host": { - "ip": [ - "192.168.56.1", - "10.4.4.69", - "fe80::e4a1:7fce:33f3:d50e", - "fe80::605f:b34f:31ac:498", - "66.66.66.66" - ], - "domain": "DOMAIN", - "os": { - "version": "Windows 10 Pro", - "family": "windows" - }, - "name": "LSYN98873" - }, - 
"organization": { - "id": "111111111111111111", - "name": "REDACTED" - }, - "related": { - "hash": [ - "25e43630e04e0858418f0b1a3843ddfd626c1fba" - ], - "ip": [ - "10.4.4.69", - "192.168.56.1", - "66.66.66.66", - "fe80::605f:b34f:31ac:498", - "fe80::e4a1:7fce:33f3:d50e" - ], - "user": [ - "DOMAIN\\USERNAME" - ] } } 
@@ -2095,87 +2095,131 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "agent": { - "id": "1088377752722254024" - }, "message": "{\"EventTime\": \"2022-03-11 14:14:54\", \"agentDetectionInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"agentDetectionState\": null, \"agentDomain\": \"DOMAIN\", \"agentIpV4\": \"192.168.56.1,10.4.4.69\", \"agentIpV6\": \"\", \"agentLastLoggedInUserName\": \"USERNAME\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentRegisteredAt\": \"2021-02-10T16:12:18.659760Z\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"cloudProviders\": {}, \"externalIp\": \"66.66.66.66\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\"}, \"agentRealtimeInfo\": {\"accountId\": \"111111111111111111\", \"accountName\": \"REDACTED\", \"activeThreats\": 0, \"agentComputerName\": \"LSYN98873\", \"agentDecommissionedAt\": null, \"agentDomain\": \"DOMAIN\", \"agentId\": \"1088377752722254024\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"laptop\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Windows 10 Pro\", \"agentOsRevision\": \"19044\", \"agentOsType\": \"windows\", \"agentUuid\": \"5e4482b45d134ae8bf4901cb52b65e88\", \"agentVersion\": \"21.7.5.1080\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"networkInterfaces\": [{\"id\": \"1373748335430042703\", \"inet\": [\"10.4.4.69\"], \"inet6\": [\"fe80::605f:b34f:31ac:498\"], \"name\": \"Ethernet\", \"physical\": \"98:fa:9b:5f:f2:bd\"}, {\"id\": \"1362550279953160460\", \"inet\": [\"192.168.56.1\"], \"inet6\": [\"fe80::e4a1:7fce:33f3:d50e\"], \"name\": \"Ethernet 2\", \"physical\": \"0a:00:27:00:00:0b\"}], 
\"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": \"2022-01-31T13:56:31.482859Z\", \"scanStartedAt\": \"2022-01-28T15:25:03.885250Z\", \"scanStatus\": \"finished\", \"siteId\": \"1083054176741832911\", \"siteName\": \"REDACTED-Users\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": null, \"image\": null, \"labels\": null, \"name\": null}, \"id\": \"1373834705420286869\", \"indicators\": [{\"category\": \"Exploitation\", \"description\": \"Document behaves abnormally\", \"ids\": [62], \"tactics\": [{\"name\": \"Execution\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1059/\", \"name\": \"T1059\"}, {\"link\": \"https://attack.mitre.org/techniques/T1203/\", \"name\": \"T1203\"}, {\"link\": \"https://attack.mitre.org/techniques/T1204/002\", \"name\": \"T1204.002\"}]}, {\"name\": \"Initial Access\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1566/001/\", \"name\": \"T1566.001\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via scheduled task\", \"ids\": [197], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1053/005/\", \"name\": \"T1053.005\"}]}]}, {\"category\": \"Evasion\", \"description\": \"Suspicious registry key was created\", \"ids\": [171], \"tactics\": [{\"name\": \"Defense Evasion\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1112/\", \"name\": \"T1112\"}]}]}, {\"category\": \"Injection\", \"description\": \"Suspicious library loaded into the process memory\", \"ids\": [126], \"tactics\": []}, {\"category\": \"General\", \"description\": \"User logged on\", \"ids\": [266], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": 
\"https://attack.mitre.org/techniques/T1078/\", \"name\": \"T1078\"}]}]}, {\"category\": \"Persistence\", \"description\": \"Application registered itself to become persistent via an autorun\", \"ids\": [199], \"tactics\": [{\"name\": \"Persistence\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}, {\"name\": \"Privilege Escalation\", \"source\": \"MITRE\", \"techniques\": [{\"link\": \"https://attack.mitre.org/techniques/T1547/001/\", \"name\": \"T1547.001\"}]}]}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 172, \"total\": 172}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:33.508808Z\", \"latestReport\": \"/threats/mitigation-report/1373834825528452160\", \"mitigationEndedAt\": \"2022-03-11T12:44:32.875000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:18.331000Z\", \"status\": \"success\"}, {\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 15, \"total\": 15}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2022-03-11T12:44:19.294889Z\", \"latestReport\": \"/threats/mitigation-report/1373834706275925531\", \"mitigationEndedAt\": \"2022-03-11T12:44:17.112000Z\", \"mitigationStartedAt\": \"2022-03-11T12:44:17.111000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"undefined\", \"analystVerdictDescription\": \"Undefined\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"OFFICE TIMELINE, LLC\", \"classification\": \"Malware\", \"classificationSource\": \"Static\", 
\"cloudFilesHashVerdict\": null, \"collectionId\": \"1370955486150335176\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2022-03-11T12:44:19.192413Z\", \"detectionEngines\": [{\"key\": \"executables\", \"title\": \"Behavioral AI\"}], \"detectionType\": \"dynamic\", \"engines\": [\"DBT - Executables\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": \"EXE\", \"fileExtensionType\": \"Executable\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\", \"fileSize\": 65517824, \"fileVerificationType\": \"SignedVerified\", \"identifiedAt\": \"2022-03-11T12:44:16.158000Z\", \"incidentStatus\": \"unresolved\", \"incidentStatusDescription\": \"Unresolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": true, \"maliciousProcessArguments\": \"\\\"C:\\\\Users\\\\USERNAME\\\\Downloads\\\\OfficeTimeline.exe\\\"\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"mitigated\", \"mitigationStatusDescription\": \"Mitigated\", \"originatorProcess\": \"chrome.exe\", \"pendingActions\": false, \"processUser\": \"DOMAIN\\\\USERNAME\", \"publisherName\": \"OFFICE TIMELINE, LLC\", \"reachedEventsLimit\": false, \"rebootRequired\": false, \"sha1\": \"25e43630e04e0858418f0b1a3843ddfd626c1fba\", \"sha256\": null, \"storyline\": \"BB74E569F93D579E\", \"threatId\": \"1373834705420286869\", \"threatName\": \"OfficeTimeline.exe\", \"updatedAt\": \"2022-03-11T12:44:33.501615Z\"}, \"whiteningOptions\": [\"certificate\", \"path\", \"hash\"]}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, - "threat": { - "indicator": { - "file": { - "code_signature": { - "signing_id": "OFFICE TIMELINE, LLC" - }, - "created": "2022-03-11T12:44:19.192413Z", - "size": 65517824 - }, - 
"confidence": "suspicious" - }, - "software": { - "type": "Malware" - }, - "enrichments": { - "matched": { - "occurred": "2022-03-11T12:44:16.158000Z" - } - } + "agent": { + "id": "1088377752722254024" }, "file": { - "name": "OfficeTimeline.exe", "extension": "exe", - "path": "\\Device\\HarddiskVolume3\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe", - "size": 65517824, "hash": { "sha1": "25e43630e04e0858418f0b1a3843ddfd626c1fba" + }, + "name": "OfficeTimeline.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe", + "size": 65517824 + }, + "host": { + "domain": "DOMAIN", + "ip": [ + "10.4.4.69", + "192.168.56.1", + "66.66.66.66" + ], + "name": "LSYN98873", + "os": { + "family": "windows", + "version": "Windows 10 Pro" + } + }, + "organization": { + "id": "111111111111111111", + "name": "REDACTED" + }, + "process": { + "parent": { + "name": "chrome.exe" } }, + "related": { + "hash": [ + "25e43630e04e0858418f0b1a3843ddfd626c1fba" + ], + "ip": [ + "10.4.4.69", + "192.168.56.1", + "66.66.66.66" + ], + "user": [ + "DOMAIN\\USERNAME" + ] + }, "sentinelone": { - "threatInfo": { - "analystVerdict": "undefined", - "analystVerdictDescription": "Undefined", - "automaticallyResolved": false, - "classificationSource": "Static", - "collectionId": "1370955486150335176", - "detectionEngines": [ + "EventTime": "2022-03-11 14:14:54", + "agentDetectionInfo": { + "accountId": "111111111111111111", + "accountName": "REDACTED", + "agentDomain": "DOMAIN", + "agentIpV4": "192.168.56.1,10.4.4.69", + "agentLastLoggedInUserName": "USERNAME", + "agentMitigationMode": "protect", + "agentOsName": "Windows 10 Pro", + "agentOsRevision": "19044", + "agentRegisteredAt": "2021-02-10T16:12:18.659760Z", + "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", + "agentVersion": "21.7.5.1080", + "externalIp": "66.66.66.66", + "groupId": 1083054176758610128, + "groupName": "Default Group", + "siteId": 1083054176741832911, + "siteName": "REDACTED-Users" + }, + 
"agentRealtimeInfo": { + "activeThreats": 0, + "agentComputerName": "LSYN98873", + "agentDomain": "DOMAIN", + "agentId": "1088377752722254024", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "laptop", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + "agentOsRevision": "19044", + "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", + "agentVersion": "21.7.5.1080", + "groupId": 1083054176758610128, + "groupName": "Default Group", + "networkInterfaces": [ { - "key": "executables", - "title": "Behavioral AI" + "id": "1373748335430042703", + "inet": [ + "10.4.4.69" + ], + "inet6": [ + "fe80::605f:b34f:31ac:498" + ], + "name": "Ethernet", + "physical": "98:fa:9b:5f:f2:bd" + }, + { + "id": "1362550279953160460", + "inet": [ + "192.168.56.1" + ], + "inet6": [ + "fe80::e4a1:7fce:33f3:d50e" + ], + "name": "Ethernet 2", + "physical": "0a:00:27:00:00:0b" } ], - "detectionType": "dynamic", - "engines": [ - "DBT - Executables" - ], - "externalTicketExists": false, - "failedActions": false, - "fileExtensionType": "Executable", - "fileVerificationType": "SignedVerified", - "incidentStatus": "unresolved", - "incidentStatusDescription": "Unresolved", - "initiatedBy": "agent_policy", - "initiatedByDescription": "Agent Policy", - "isFileless": false, - "isValidCertificate": true, - "maliciousProcessArguments": "\"C:\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe\"", - "mitigatedPreemptively": false, - "mitigationStatus": "mitigated", - "mitigationStatusDescription": "Mitigated", - "pendingActions": false, - "publisherName": "OFFICE TIMELINE, LLC", - "reachedEventsLimit": false, + "operationalState": "na", "rebootRequired": false, - "storyline": "BB74E569F93D579E", - "threatId": "1373834705420286869", - "updatedAt": "2022-03-11T12:44:33.501615Z", - "fileExtension": "EXE" + "scanFinishedAt": "2022-01-31T13:56:31.482859Z", + "scanStartedAt": "2022-01-28T15:25:03.885250Z", + "scanStatus": "finished", + 
"siteId": 1083054176741832911, + "siteName": "REDACTED-Users", + "userActionsNeeded": [] }, "eventid": 1373834705420286869, "indicators": [ 
@@ -2347,117 +2391,73 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status": "success" } ], - "EventTime": "2022-03-11 14:14:54", - "whiteningOptions": [ - "certificate", - "path", - "hash" - ], - "agentDetectionInfo": { - "accountId": "111111111111111111", - "accountName": "REDACTED", - "agentDomain": "DOMAIN", - "agentIpV4": "192.168.56.1,10.4.4.69", - "agentLastLoggedInUserName": "USERNAME", - "agentMitigationMode": "protect", - "agentOsName": "Windows 10 Pro", - "agentOsRevision": "19044", - "agentRegisteredAt": "2021-02-10T16:12:18.659760Z", - "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", - "agentVersion": "21.7.5.1080", - "externalIp": "66.66.66.66", - "groupId": 1083054176758610128, - "groupName": "Default Group", - "siteId": 1083054176741832911, - "siteName": "REDACTED-Users" - }, - "agentRealtimeInfo": { - "activeThreats": 0, - "agentComputerName": "LSYN98873", - "agentDomain": "DOMAIN", - "agentId": "1088377752722254024", - "agentInfected": false, - "agentIsActive": true, - "agentIsDecommissioned": false, - "agentMachineType": "laptop", - "agentMitigationMode": "protect", - "agentNetworkStatus": "connected", - "agentOsRevision": "19044", - "agentUuid": "5e4482b45d134ae8bf4901cb52b65e88", - "agentVersion": "21.7.5.1080", - "groupId": 1083054176758610128, - "groupName": "Default Group", - "networkInterfaces": [ - { - "id": "1373748335430042703", - "inet": [ - "10.4.4.69" - ], - "inet6": [ - "fe80::605f:b34f:31ac:498" - ], - "name": "Ethernet", - "physical": "98:fa:9b:5f:f2:bd" - }, + "threatInfo": { + "analystVerdict": "undefined", + "analystVerdictDescription": "Undefined", + "automaticallyResolved": false, + "classificationSource": "Static", + "collectionId": "1370955486150335176", + "detectionEngines": [ { - "id": "1362550279953160460", - "inet": [ - "192.168.56.1" - ], - "inet6": [ - "fe80::e4a1:7fce:33f3:d50e" - ], - "name": "Ethernet 2", - "physical": "0a:00:27:00:00:0b" + "key": "executables", + "title": 
"Behavioral AI" } ], - "operationalState": "na", + "detectionType": "dynamic", + "engines": [ + "DBT - Executables" + ], + "externalTicketExists": false, + "failedActions": false, + "fileExtension": "EXE", + "fileExtensionType": "Executable", + "fileVerificationType": "SignedVerified", + "incidentStatus": "unresolved", + "incidentStatusDescription": "Unresolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "isFileless": false, + "isValidCertificate": true, + "maliciousProcessArguments": "\"C:\\Users\\USERNAME\\Downloads\\OfficeTimeline.exe\"", + "mitigatedPreemptively": false, + "mitigationStatus": "mitigated", + "mitigationStatusDescription": "Mitigated", + "pendingActions": false, + "publisherName": "OFFICE TIMELINE, LLC", + "reachedEventsLimit": false, "rebootRequired": false, - "scanFinishedAt": "2022-01-31T13:56:31.482859Z", - "scanStartedAt": "2022-01-28T15:25:03.885250Z", - "scanStatus": "finished", - "siteId": 1083054176741832911, - "siteName": "REDACTED-Users", - "userActionsNeeded": [] - } + "storyline": "BB74E569F93D579E", + "threatId": "1373834705420286869", + "updatedAt": "2022-03-11T12:44:33.501615Z" + }, + "whiteningOptions": [ + "certificate", + "hash", + "path" + ] }, - "process": { - "parent": { - "name": "chrome.exe" + "threat": { + "enrichments": { + "matched": { + "occurred": "2022-03-11T12:44:16.158000Z" + } + }, + "indicator": { + "confidence": "suspicious", + "file": { + "code_signature": { + "signing_id": "OFFICE TIMELINE, LLC" + }, + "created": "2022-03-11T12:44:19.192413Z", + "size": 65517824 + } + }, + "software": { + "type": "Malware" } }, "user": { "name": "DOMAIN\\USERNAME" - }, - "host": { - "ip": [ - "192.168.56.1", - "10.4.4.69", - "66.66.66.66" - ], - "domain": "DOMAIN", - "os": { - "version": "Windows 10 Pro", - "family": "windows" - }, - "name": "LSYN98873" - }, - "organization": { - "id": "111111111111111111", - "name": "REDACTED" - }, - "related": { - "hash": [ - 
"25e43630e04e0858418f0b1a3843ddfd626c1fba" - ], - "ip": [ - "10.4.4.69", - "192.168.56.1", - "66.66.66.66" - ], - "user": [ - "DOMAIN\\USERNAME" - ] } } 
@@ -2471,54 +2471,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"accountId\": \"111111111111111111\", \"activityType\": 27, \"agentId\": null, \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-04-01T08:14:35.018328Z\", \"data\": {\"accountName\": \"CORP\", \"fullScopeDetails\": \"Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP\", \"groupName\": null, \"ipAddress\": \"11.22.33.44\", \"reason\": null, \"role\": \"Admin\", \"scopeLevel\": \"Account\", \"scopeName\": \"CORP\", \"siteName\": null, \"source\": \"mgmt\", \"userScope\": \"account\", \"username\": \"Jean DUPONT\"}, \"description\": null, \"groupId\": null, \"hash\": null, \"id\": \"1388919233083515416\", \"osFamily\": null, \"primaryDescription\": \"The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44.\", \"secondaryDescription\": null, \"siteId\": null, \"threatId\": null, \"updatedAt\": \"2022-04-01T08:14:35.013748Z\", \"userId\": \"111111111111111111\"}", "event": { - "reason": "The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44.", "action": "User Logged In", - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44.", "type": [ "info" ] }, + "@timestamp": "2022-04-01T08:14:35.018328Z", + "action": { + "type": 27 + }, + "organization": { + "id": "111111111111111111" + }, + "related": { + "ip": [ + "11.22.33.44" + ], + "user": [ + "Jean DUPONT" + ] + }, "sentinelone": { - "eventid": 1388919233083515416, - "updatedAt": "2022-04-01T08:14:35.013748Z", "createdAt": "2022-04-01T08:14:35.018328Z", "data": { "accountName": "CORP", "fullScopeDetails": "Account CORP", "fullScopeDetailsPath": "Global / CORP", + "ipAddress": "11.22.33.44", "role": "Admin", "scopeLevel": "Account", "scopeName": 
"CORP", "source": "mgmt", - "ipAddress": "11.22.33.44", "userScope": "account" - } - }, - "organization": { - "id": "111111111111111111" + }, + "eventid": 1388919233083515416, + "updatedAt": "2022-04-01T08:14:35.013748Z" }, - "action": { - "type": 27 + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" }, "user": { "id": 111111111111111111, "name": "Jean DUPONT" - }, - "@timestamp": "2022-04-01T08:14:35.018328Z", - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, - "related": { - "ip": [ - "11.22.33.44" - ], - "user": [ - "Jean DUPONT" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md index 0f46536529..561497c023 100644 --- a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md +++ b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md 
@@ -36,20 +36,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ClientIP\":\"34.142.121.18\",\"ClientRequestHost\":\"foo-bar-baz.xyz\",\"ClientRequestMethod\":\"GET\",\"ClientRequestURI\":\"/wp1/wp-includes/wlwmanifest.xml\",\"EdgeEndTimestamp\":1658281702371000000,\"EdgeResponseBytes\":279,\"EdgeResponseStatus\":522,\"EdgeStartTimestamp\":1658281671671000000,\"RayID\":\"72d807ffeba5753d\"}", "event": { - "kind": "event", "category": [ "web" ], - "type": [ - "access" - ], "dataset": "http_requests", + "end": "2022-07-20T01:48:22.371000Z", + "kind": "event", "start": "2022-07-20T01:47:51.671000Z", - "end": "2022-07-20T01:48:22.371000Z" + "type": [ + "access" + ] }, - "source": { - "ip": "34.142.121.18", - "address": "34.142.121.18" + "cloudflare": { + "ClientIP": "34.142.121.18", + "ClientRequestHost": "foo-bar-baz.xyz", + "ClientRequestMethod": "GET", + "ClientRequestURI": "/wp1/wp-includes/wlwmanifest.xml", + "EdgeEndTimestamp": "1658281702371000000", + "EdgeResponseBytes": 279, + "EdgeResponseStatus": 522, + "EdgeStartTimestamp": "1658281671671000000", + "RayID": "72d807ffeba5753d" }, "destination": { "address": "foo-bar-baz.xyz" 
@@ -63,28 +70,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 522 } }, - "url": { - "path": "/wp1/wp-includes/wlwmanifest.xml" - }, "observer": { - "vendor": "Cloudflare", - "type": "proxy" - }, - "cloudflare": { - "ClientIP": "34.142.121.18", - "ClientRequestHost": "foo-bar-baz.xyz", - "ClientRequestMethod": "GET", - "ClientRequestURI": "/wp1/wp-includes/wlwmanifest.xml", - "EdgeEndTimestamp": "1658281702371000000", - "EdgeResponseBytes": 279, - "EdgeResponseStatus": 522, - "EdgeStartTimestamp": "1658281671671000000", - "RayID": "72d807ffeba5753d" + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "ip": [ "34.142.121.18" ] + }, + "source": { + "address": "34.142.121.18", + "ip": "34.142.121.18" + }, + "url": { + "path": "/wp1/wp-includes/wlwmanifest.xml" } } @@ -98,18 +98,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":545468107,\"ZoneName\":\"foo-bar-baz.xyz\"}\n\n", "event": { - "kind": "event", "category": [ "web" ], + "dataset": "http_requests", + "kind": "event", "type": [ "access" - ], - "dataset": "http_requests" - }, - "observer": { - "vendor": "Cloudflare", - "type": "proxy" + ] }, "cloudflare": { "WAFMatchedVar": "", @@ -122,6 +118,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "WorkerSubrequestCount": 0, "ZoneID": 545468107, "ZoneName": "foo-bar-baz.xyz" + }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" } } diff --git a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md index ccc8a3a214..8e5ab269da 100644 
--- a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md +++ b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md @@ -36,38 +36,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Cybereason|Cybereason|1.0|5|Malop Connection Added|5|CybereasonCEFgeneratorBatchId1=58bc2665-b22f-4345-bd90-3f84be47c8b6 cs1=11.1323449861766643222 CybereasonCEFgeneratorcountry1Name=None dst=3.226.77.3 dpt=443 rt=1629500007043 cs1Label=MalopId", "event": { "action": "Malop Connection Added", - "severity": 5, - "code": "5", - "type": [ - "info" - ], "category": [ "session" ], - "kind": "event" + "code": "5", + "kind": "event", + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2021-08-20T22:53:27.043000Z", - "observer": { - "vendor": "Cybereason", - "product": "Cybereason", - "version": "1.0" - }, - "destination": { - "ip": "3.226.77.3", - "port": 443, - "address": "3.226.77.3" - }, "cybereason": { - "event": { - "id": "58bc2665-b22f-4345-bd90-3f84be47c8b6" - }, "cef": { "version": "0" }, + "event": { + "id": "58bc2665-b22f-4345-bd90-3f84be47c8b6" + }, "malop": { "id": "11.1323449861766643222" } }, + "destination": { + "address": "3.226.77.3", + "ip": "3.226.77.3", + "port": 443 + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason", + "version": "1.0" + }, "related": { "ip": [ "3.226.77.3" 
@@ -86,53 +86,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Cybereason|Cybereason|1.0|1|Malop Created|5|rt=1629701622409 deviceCustomDate1=1636629776184 deviceFacility=Under Investigation CybereasonCEFgeneratorBatchId1=078e369b-ea4e-4e98-bc0d-ee71fd40d19d cs1=11.4718101284717793977 cs2=EXTENSION_MANIPULATION cs3=MALICIOUS_INFECTION cs5=maliciousByDualExtensionByFileRootCause cn1=1 cs6=https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977 cn2=1 cs4=bb9dbdca921d84381c893086f65ffca17120b23d requestContext=flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process. cs1Label=MalopId cs2Label=MalopDetectionType cs3Label=MalopActivityType cs4Label=MalopHashList cs5Label=DecisionFeatures cs6Label=IncidentLink cn1Label=AffectedMachinesCount cn2Label=AffectedUsersCount cn3Label=isSigned deviceCustomDate1Label=ModifiedTime", "event": { "action": "Malop Created", - "severity": 5, + "category": [ + "malware" + ], "code": "1", + "kind": "alert", + "reason": "flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process.", + "severity": 5, "type": [ "info" ], - "reason": "flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process.", - "url": "https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977", - "category": [ - "malware" - ], - "kind": "alert" + "url": "https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977" }, "@timestamp": "2021-08-23T06:53:42.409000Z", - "observer": { - "vendor": "Cybereason", - "product": "Cybereason", - "version": "1.0" - }, - "file": { - "hash": { - "sha1": "bb9dbdca921d84381c893086f65ffca17120b23d" - } - }, "cybereason": { - "event": { - "id": "078e369b-ea4e-4e98-bc0d-ee71fd40d19d" - }, "cef": { "version": "0" }, + "event": { + "id": 
"078e369b-ea4e-4e98-bc0d-ee71fd40d19d" + }, "malop": { - "id": "11.4718101284717793977", - "status": "Under Investigation", - "detection": { - "type": "EXTENSION_MANIPULATION" - }, "activity": { "type": "MALICIOUS_INFECTION" }, - "decision": "maliciousByDualExtensionByFileRootCause", "counters": { "affected_machines": 1, "affected_users": 1 }, - "modified_at": "2021-11-11T11:22:56.184000Z" + "decision": "maliciousByDualExtensionByFileRootCause", + "detection": { + "type": "EXTENSION_MANIPULATION" + }, + "id": "11.4718101284717793977", + "modified_at": "2021-11-11T11:22:56.184000Z", + "status": "Under Investigation" } }, + "file": { + "hash": { + "sha1": "bb9dbdca921d84381c893086f65ffca17120b23d" + } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason", + "version": "1.0" + }, "related": { "hash": [ "bb9dbdca921d84381c893086f65ffca17120b23d" 
@@ -151,33 +151,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Cybereason|Cybereason|1.0|3|Malop Machine Added|5|destinationDnsDomain=desktop-aas6kq7 dst=10.0.2.15 destinationTranslatedAddress=117.99.232.147 CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 flexString2=True dhost=desktop-aas6kq7 CybereasonCEFgeneratorOSandVersion1=Windows_10 CybereasonCEFgeneratorMachineGuid1=-592942600.1198775089551518743 cfp3=1 rt=1625748509151 cfp2=1 cs1Label=MalopId flexString2Label=isMalicious cfp2Label=isOnline cfp3Label=isOriginalMachine request=\"C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe\" deviceProcessName=explorer.exe CybereasonCEFgeneratorChildProcess1=None", "event": { "action": "Malop Machine Added", - "severity": 5, - "code": "3", - "type": [ - "info" - ], "category": [ "intrusion_detection" ], - "kind": "event" + "code": "3", + "kind": "event", + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2021-07-08T12:48:29.151000Z", - "observer": { - "vendor": "Cybereason", - "product": "Cybereason", - "version": "1.0" + "cybereason": { + "cef": { + "version": "0" + }, + "event": { + "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" + }, + "malop": { + "host": { + "is_malicious": true, + "is_online": true, + "is_original_machine": true + }, + "id": "11.-6654920844431693523" + } + }, + "destination": { + "address": "10.0.2.15", + "ip": "10.0.2.15", + "nat": { + "ip": "117.99.232.147" + } }, "host": { "hostname": "desktop-aas6kq7", "id": "-592942600.1198775089551518743", - "os": { - "full": "Windows 10" - }, "ip": [ "10.0.2.15", "117.99.232.147" ], - "name": "desktop-aas6kq7" + "name": "desktop-aas6kq7", + "os": { + "full": "Windows 10" + } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason", + "version": "1.0" }, "process": { "command_line": "C:\\Users\\chand\\Downloads\\BT_21.40.5_32_Win7.pdf.exe", 
@@ -185,36 +208,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "explorer.exe" } }, - "destination": { - "ip": "10.0.2.15", - "nat": { - "ip": "117.99.232.147" - }, - "address": "10.0.2.15" - }, - "cybereason": { - "event": { - "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" - }, - "cef": { - "version": "0" - }, - "malop": { - "id": "11.-6654920844431693523", - "host": { - "is_online": true, - "is_original_machine": true, - "is_malicious": true - } - } - }, "related": { + "hosts": [ + "desktop-aas6kq7" + ], "ip": [ "10.0.2.15", "117.99.232.147" - ], - "hosts": [ - "desktop-aas6kq7" ] } } 
@@ -230,48 +230,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Cybereason|Cybereason|1.0|2|Malop Process Added|5|CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 cs4=76030baf8e80653b883474f56c06164c33417ece request=\"C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe\" flexString2=True cn3=1 reason=indifferent rt=1629700682928 cs1Label=MalopId flexString2Label=isMalicious cs4Label=processSha1 cn3Label=isSigned", "event": { "action": "Malop Process Added", - "severity": 5, - "code": "2", - "type": [ - "info" - ], "category": [ "intrusion_detection" ], - "kind": "event" + "code": "2", + "kind": "event", + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2021-08-23T06:38:02.928000Z", - "observer": { - "vendor": "Cybereason", - "product": "Cybereason", - "version": "1.0" - }, - "file": { - "hash": { - "sha1": "76030baf8e80653b883474f56c06164c33417ece" - } - }, - "process": { - "command_line": "C:\\Users\\chand\\Downloads\\BT_21.40.5_32_Win7.pdf.exe", - "start": "2021-08-23T06:38:02.928000Z" - }, "cybereason": { - "event": { - "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" - }, "cef": { "version": "0" }, + "event": { + "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" + }, "malop": { - "id": "11.-6654920844431693523", + "file": { + "is_signed": true + }, "host": { "is_malicious": true }, - "file": { - "is_signed": true - } + "id": "11.-6654920844431693523" } }, + "file": { + "hash": { + "sha1": "76030baf8e80653b883474f56c06164c33417ece" + } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason", + "version": "1.0" + }, + "process": { + "command_line": "C:\\Users\\chand\\Downloads\\BT_21.40.5_32_Win7.pdf.exe", + "start": "2021-08-23T06:38:02.928000Z" + }, "related": { "hash": [ "76030baf8e80653b883474f56c06164c33417ece" 
@@ -290,40 +290,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Cybereason|Cybereason|1.0|6|Malop User Added|5|CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 dpriv=None dhost=desktop-aas6kq7 CybereasonCEFgeneratorOrganizationName1=INTEGRATION duser=system cs1Label=MalopId", "event": { "action": "Malop User Added", - "severity": 5, - "code": "6", - "type": [ - "info" - ], "category": [ "intrusion_detection" ], - "kind": "event" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason", - "version": "1.0" - }, - "user": { - "name": "system", - "domain": "INTEGRATION" - }, - "host": { - "hostname": "desktop-aas6kq7", - "name": "desktop-aas6kq7" + "code": "6", + "kind": "event", + "severity": 5, + "type": [ + "info" + ] }, "cybereason": { - "event": { - "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" - }, "cef": { "version": "0" }, + "event": { + "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0" + }, "malop": { "id": "11.-6654920844431693523" } }, + "host": { + "hostname": "desktop-aas6kq7", + "name": "desktop-aas6kq7" + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason", + "version": "1.0" + }, "related": { "hosts": [ "desktop-aas6kq7" @@ -331,6 +327,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "system" ] + }, + "user": { + "domain": "INTEGRATION", + "name": "system" } } diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index d941c28509..84bd3d18f3 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md 
@@ -36,46 +36,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ProcessCreateFlags\": \"525324\", \"IntegrityLevel\": \"16384\", \"ParentProcessId\": \"11768266\", \"SourceProcessId\": \"11768266\", \"aip\": \"44.234.227.80\", \"SHA1HashData\": \"0000000000000000000000000000000000000000\", \"UserSid\": \"S-1-5-19\", \"event_platform\": \"Win\", \"TokenType\": \"2\", \"ProcessEndTime\": \"\", \"AuthenticodeHashData\": \"c5b30718753807fa40ef115c94d3725091502e6257dcec13265d6566f4715654\", \"ParentBaseFileName\": \"services.exe\", \"ImageSubsystem\": \"2\", \"id\": \"2372a290-20bb-11ed-bb96-0685b11669dd\", \"EffectiveTransmissionClass\": \"3\", \"SessionId\": \"0\", \"Tags\": \"41, 53, 54, 55, 185, 874, 924, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234\", \"timestamp\": \"1661022364404\", \"event_simpleName\": \"ProcessRollup2\", \"RawProcessId\": \"4164\", \"ConfigStateHash\": \"2764996830\", \"MD5HashData\": \"33ee2de3cd0bdf7d6488a920f4f4eddb\", \"SHA256HashData\": \"e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6\", \"ProcessSxsFlags\": \"64\", \"AuthenticationId\": \"997\", \"ConfigBuild\": \"1007.3.0015406.1\", \"WindowFlags\": \"128\", \"CommandLine\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc\", \"ParentAuthenticationId\": \"997\", \"TargetProcessId\": \"7355100886\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\svchost.exe\", \"SourceThreadId\": \"311002349766\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2V19\", \"ProcessStartTime\": \"1661022364.014\", \"ProcessParameterFlags\": \"8193\", \"aid\": \"12c684659c3842e19f0bfb2b23037bbd\", \"SignInfoFlags\": \"9175042\", \"cid\": \"5ddb0407bef249c19c7a975f17979a1f\"\n}", "event": { "action": "ProcessRollup2", - "type": [ - "info" - ], "category": [ "process" + ], + "type": 
[ + "info" ] }, "@timestamp": "2022-08-20T19:06:04.404000Z", - "process": { - "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", - "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", - "thread": { - "id": 311002349766 - }, - "parent": { - "executable": "services.exe", - "pid": 11768266 - }, - "start": "2022-08-20T19:06:04.014000Z", - "pid": 4164 - }, - "user": { - "id": "S-1-5-19" - }, "agent": { "id": "12c684659c3842e19f0bfb2b23037bbd" }, - "file": { - "hash": { - "sha1": "0000000000000000000000000000000000000000", - "sha256": "e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6", - "md5": "33ee2de3cd0bdf7d6488a920f4f4eddb" - } - }, "crowdstrike": { "customer_id": "5ddb0407bef249c19c7a975f17979a1f" }, - "source": { - "nat": { - "ip": "44.234.227.80" + "file": { + "hash": { + "md5": "33ee2de3cd0bdf7d6488a920f4f4eddb", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6" } }, "host": { @@ -86,6 +65,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", + "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", + "parent": { + "executable": "services.exe", + "pid": 11768266 + }, + "pid": 4164, + "start": "2022-08-20T19:06:04.014000Z", + "thread": { + "id": 311002349766 + } + }, "related": { "hash": [ "0000000000000000000000000000000000000000", @@ -95,6 +87,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "44.234.227.80" ] + }, + "source": { + "nat": { + "ip": "44.234.227.80" + } + }, + "user": { + "id": "S-1-5-19" } } 
@@ -109,11 +109,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"LocalAddressIP4\": \"1.2.3.4\",\"event_simpleName\": \"NetworkConnectIP4\",\"ContextTimeStamp\": \"1687509721.669\",\"ConfigStateHash\": \"2181989539\",\"ConnectionFlags\": \"0\",\"ContextProcessId\": \"1653928408225\",\"RemotePort\": \"443\",\"aip\": \"4.3.2.1\",\"ConfigBuild\": \"1007.3.0016810.10\",\"event_platform\": \"Win\",\"LocalPort\": \"54887\",\"Entitlements\": \"15\",\"name\": \"NetworkConnectIP4V12\",\"EventOrigin\": \"1\",\"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\",\"Protocol\": \"6\",\"EffectiveTransmissionClass\": \"3\",\"aid\": \"111111111111111\",\"RemoteAddressIP4\": \"5.6.7.8\",\"RemoteAddressString\": \"5.6.7.8\",\"ConnectionDirection\": \"0\",\"InContext\": \"0\",\"timestamp\": \"1687509722190\",\"cid\": \"222222222222222222222\"}", "event": { "action": "NetworkConnectIP4", - "type": [ - "info" - ], "category": [ "network" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:02.190000Z", @@ -123,25 +123,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "observer": { - "ip": [ - "1.2.3.4" - ] - }, - "source": { - "nat": { - "port": 54887, - "ip": "4.3.2.1" - }, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", "nat": { "port": 443 - }, - "ip": "5.6.7.8", - "address": "5.6.7.8" + } }, "host": { "ip": [ @@ -151,12 +138,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "observer": { + "ip": [ + "1.2.3.4" + ] + }, "related": { "ip": [ "1.2.3.4", "4.3.2.1", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 54887 + } } } 
@@ -171,11 +171,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"UserAccountAddedToGroup\", \"ContextTimeStamp\": \"1687509682.089\", \"ConfigStateHash\": \"3802125890\", \"InterfaceVersion\": \"65536\", \"GroupRid\": \"22222222\", \"aip\": \"4.3.2.1\", \"RpcClientThreadId\": \"15849141992080\", \"ConfigBuild\": \"1007.3.0016810.10\", \"UserRid\": \"11111111\", \"event_platform\": \"Win\", \"DomainSid\": \"S-1-5-21-4444444444-5555555555-6666666666\", \"RpcOpNum\": \"31\", \"Entitlements\": \"15\", \"name\": \"UserAccountAddedToGroupV2\", \"InterfaceGuid\": \"A9D491A8-B327-4601-9033-3B5CFA3B8EE2\", \"RpcClientProcessId\": \"949515896744\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"RpcNestingLevel\": \"0\", \"timestamp\": \"1687509682435\", \"cid\": \"222222222222222222222\"}", "event": { "action": "UserAccountAddedToGroup", - "type": [ - "change" - ], "category": [ "configuration" + ], + "type": [ + "change" ] }, "@timestamp": "2023-06-23T08:41:22.435000Z", @@ -185,19 +185,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "user": { - "target": { - "id": "11111111", - "group": { - "id": "22222222" - } - } - }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -210,6 +197,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "target": { + "group": { + "id": "22222222" + }, + "id": "11111111" + } } } 
@@ -224,11 +224,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"RawBindIP6\", \"ContextTimeStamp\": \"1687509716.153\", \"LocalAddressIP6\": \"2001:cafe:37:ed:6f:51:7d:67\", \"RemoteAddressIP6\": \"2001:cafe:d:4c:20:88:9d:12\", \"ConfigStateHash\": \"1033701538\", \"ConnectionFlags\": \"0\", \"ContextProcessId\": \"494723716994229288\", \"RemotePort\": \"5353\", \"aip\": \"4.3.2.1\", \"ConfigBuild\": \"1007.4.0016702.10\", \"event_platform\": \"Mac\", \"LocalPort\": \"5353\", \"Entitlements\": \"15\", \"name\": \"RawBindIP6MacV11\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"Protocol\": \"17\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"ConnectionDirection\": \"2\", \"InContext\": \"0\", \"timestamp\": \"1687509716157\", \"cid\": \"222222222222222222222\"}", "event": { "action": "RawBindIP6", - "type": [ - "info" - ], "category": [ "network" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:56.157000Z", @@ -238,20 +238,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "port": 5353, - "ip": "4.3.2.1" - }, - "ip": "2001:cafe:37:ed:6f:51:7d:67", - "address": "2001:cafe:37:ed:6f:51:7d:67" - }, "destination": { + "address": "2001:cafe:d:4c:20:88:9d:12", + "ip": "2001:cafe:d:4c:20:88:9d:12", "nat": { "port": 5353 - }, - "ip": "2001:cafe:d:4c:20:88:9d:12", - "address": "2001:cafe:d:4c:20:88:9d:12" + } }, "host": { "ip": [ @@ -267,6 +259,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2001:cafe:d:4c:20:88:9d:12", "4.3.2.1" ] + }, + "source": { + "address": "2001:cafe:37:ed:6f:51:7d:67", + "ip": "2001:cafe:37:ed:6f:51:7d:67", + "nat": { + "ip": "4.3.2.1", + "port": 5353 + } } } 
@@ -281,46 +281,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"WindowTitle\": \"C:\\\\WINDOWS\\\\system32\\\\gpupdate.exe\", \"ProcessCreateFlags\": \"525316\", \"IntegrityLevel\": \"16384\", \"ParentProcessId\": \"158964342720\", \"SourceProcessId\": \"158964342720\", \"aip\": \"4.3.2.1\", \"SHA1HashData\": \"0000000000000000000000000000000000000000\", \"UserSid\": \"S-1-5-20\", \"event_platform\": \"Win\", \"TokenType\": \"2\", \"ProcessEndTime\": \"\", \"AuthenticodeHashData\": \"3355447aa2d6c929d3168cfcc4939a15c2f9ab12\", \"ParentBaseFileName\": \"svchost.exe\", \"ImageSubsystem\": \"3\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"SessionId\": \"0\", \"Tags\": \"874, 924, 12094627905582, 12094627906234\", \"timestamp\": \"1687509722104\", \"event_simpleName\": \"ProcessRollup2\", \"RawProcessId\": \"8960\", \"ConfigStateHash\": \"1317737955\", \"MD5HashData\": \"118729dd62b9422d21afe5cebd564f8a\", \"SHA256HashData\": \"b76ce2bba63bd2949fa6e36fba963379b9d682f7642cd3782d9818fcd30a3e00\", \"ProcessSxsFlags\": \"64\", \"AuthenticationId\": \"996\", \"ConfigBuild\": \"1007.3.0016810.10\", \"WindowFlags\": \"128\", \"CommandLine\": \"\\\"gpupdate.exe\\\" /target:computer\", \"ParentAuthenticationId\": \"996\", \"TargetProcessId\": \"173836945399\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\gpupdate.exe\", \"SourceThreadId\": \"12560691805373\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2V19\", \"ProcessStartTime\": \"1687509732.346\", \"ProcessParameterFlags\": \"24577\", \"aid\": \"111111111111111\", \"SignInfoFlags\": \"8683538\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ProcessRollup2", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:02.104000Z", - "process": { - "command_line": "\"gpupdate.exe\" /target:computer", - "executable": 
"\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe", - "thread": { - "id": 12560691805373 - }, - "parent": { - "executable": "svchost.exe", - "pid": 158964342720 - }, - "start": "2023-06-23T08:42:12.346000Z", - "pid": 8960 - }, - "user": { - "id": "S-1-5-20" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha1": "0000000000000000000000000000000000000000", - "sha256": "b76ce2bba63bd2949fa6e36fba963379b9d682f7642cd3782d9818fcd30a3e00", - "md5": "118729dd62b9422d21afe5cebd564f8a" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "md5": "118729dd62b9422d21afe5cebd564f8a", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b76ce2bba63bd2949fa6e36fba963379b9d682f7642cd3782d9818fcd30a3e00" } }, "host": { @@ -331,6 +310,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "\"gpupdate.exe\" /target:computer", + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe", + "parent": { + "executable": "svchost.exe", + "pid": 158964342720 + }, + "pid": 8960, + "start": "2023-06-23T08:42:12.346000Z", + "thread": { + "id": 12560691805373 + } + }, "related": { "hash": [ "0000000000000000000000000000000000000000", @@ -340,6 +332,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "id": "S-1-5-20" } } 
@@ -354,36 +354,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"LFODownloadConfirmation\", \"ConfigStateHash\": \"1843264982\", \"aip\": \"4.3.2.1\", \"DownloadServer\": \"dl.example.org\", \"DownloadPath\": \"files/afe/333333333333333/1/dal_0234.dll\", \"DownloadPort\": \"443\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"Entitlements\": \"15\", \"name\": \"LFODownloadConfirmationV1\", \"CompletionEventId\": \"Event_ChannelDiffDataDownloadCompleteV1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"0\", \"aid\": \"111111111111111\", \"timestamp\": \"1687509731365\", \"cid\": \"222222222222222222222\", \"TargetFileName\": \"dal_0234.dll\"}", "event": { "action": "LFODownloadConfirmation", - "type": [ - "info" - ], "category": [ "network" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:11.365000Z", "agent": { "id": "111111111111111" }, - "file": { - "path": "dal_0234.dll", - "name": "dal_0234.dll", - "directory": "" - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "url": { - "domain": "dl.example.org", - "path": "files/afe/333333333333333/1/dal_0234.dll", - "top_level_domain": "org", - "subdomain": "dl", - "registered_domain": "example.org" - }, - "source": { - "nat": { - "ip": "4.3.2.1" - } + "file": { + "directory": "", + "name": "dal_0234.dll", + "path": "dal_0234.dll" }, "host": { "ip": [ @@ -394,12 +382,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "related": { - "ip": [ - "4.3.2.1" - ], "hosts": [ "dl.example.org" + ], + "ip": [ + "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "url": { + "domain": "dl.example.org", + "path": "files/afe/333333333333333/1/dal_0234.dll", + "registered_domain": "example.org", + "subdomain": "dl", + "top_level_domain": "org" } } 
@@ -414,11 +414,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"SpotlightEntityBatchHeader\", \"ConfigStateHash\": \"3360407985\", \"BatchDataTotal\": \"1\", \"SpotlightBatchId\": \"233\", \"SpotlightBinaryFileVersion\": \"125\", \"BatchTimestamp\": \"1687509728.649\", \"aip\": \"4.3.2.1\", \"SpotlightEntityIds\": \"\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"SpotlightChannelFileVersion\": \"86\", \"Entitlements\": \"15\", \"name\": \"SpotlightEntityBatchHeaderV3\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"SpotlightBatchType\": \"0\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"VCISourceType\": \"0\", \"timestamp\": \"1687509731178\", \"cid\": \"222222222222222222222\"}", "event": { "action": "SpotlightEntityBatchHeader", - "type": [ - "info" - ], "category": [ "intrusion_detection" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:11.178000Z", @@ -428,11 +428,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -445,6 +440,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -459,40 +459,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"SyntheticProcessRollup2\", \"RawProcessId\": \"3452\", \"ContextTimeStamp\": \"1687509730.665\", \"ConfigStateHash\": \"3400690438\", \"IntegrityLevel\": \"16384\", \"ParentProcessId\": \"416639351024\", \"aip\": \"4.3.2.1\", \"SHA256HashData\": \" 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"SyntheticPR2Flags\": \"0\", \"AuthenticationId\": \"999\", \"UserSid\": \"S-1-5-18\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"CommandLine\": \"\\\\??\\\\C:\\\\Windows\\\\system32\\\\conhost.exe 0x4\", \"TargetProcessId\": \"416657529216\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\conhost.exe\", \"Entitlements\": \"15\", \"name\": \"SyntheticProcessRollup2V11\", \"ProcessStartTime\": \"1687509729.512\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"timestamp\": \"1687509731699\", \"cid\": \"222222222222222222222\"}", "event": { "action": "SyntheticProcessRollup2", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:11.699000Z", - "process": { - "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", - "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", - "parent": { - "pid": 416639351024 - }, - "start": "2023-06-23T08:42:09.512000Z", - "pid": 3452 - }, - "user": { - "id": "S-1-5-18" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": " 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "sha256": " 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { 
@@ -503,6 +486,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", + "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", + "parent": { + "pid": 416639351024 + }, + "pid": 3452, + "start": "2023-06-23T08:42:09.512000Z" + }, "related": { "hash": [ " 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" @@ -510,6 +502,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "id": "S-1-5-18" } } @@ -524,11 +524,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"ChannelActive\", \"ConfigStateHash\": \"1083588104\", \"aip\": \"4.3.2.1\", \"ChannelId\": \"215\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"Entitlements\": \"15\", \"name\": \"ChannelActiveV1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"2\", \"aid\": \"111111111111111\", \"timestamp\": \"1687509731535\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ChannelActive", - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:11.535000Z", @@ -538,11 +538,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -555,6 +550,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -569,38 +569,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ProcessBehaviorBitfield\": \"2\", \"ExitCode\": \"0\", \"ParentProcessId\": \"889069755791\", \"ContextThreadId\": \"23851886833817\", \"aip\": \"4.3.2.1\", \"ConHostId\": \"1008\", \"UserSid\": \"S-1-5-18\", \"CycleTime\": \"2094128880\", \"event_platform\": \"Win\", \"ConHostProcessId\": \"889069755791\", \"MaxThreadCount\": \"10\", \"ImageSubsystem\": \"2\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"timestamp\": \"1687509694399\", \"KernelTime\": \"3437500\", \"UserTime\": \"2968750\", \"event_simpleName\": \"EndOfProcess\", \"RawProcessId\": \"7124\", \"ContextTimeStamp\": \"1687509691.848\", \"ConfigStateHash\": \"3802125890\", \"ContextProcessId\": \"889716540954\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ConfigBuild\": \"1007.3.0016810.10\", \"TargetProcessId\": \"889716540954\", \"Entitlements\": \"15\", \"name\": \"EndOfProcessV15\", \"ProcessStartTime\": \"1687509091.707\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\"}", "event": { "action": "EndOfProcess", - "type": [ - "end" - ], "category": [ "process" + ], + "type": [ + "end" ] }, "@timestamp": "2023-06-23T08:41:34.399000Z", - "process": { - "parent": { - "pid": 889069755791 - }, - "start": "2023-06-23T08:31:31.707000Z", - "pid": 7124 - }, - "user": { - "id": "S-1-5-18" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { 
@@ -611,6 +596,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "parent": { + "pid": 889069755791 + }, + "pid": 7124, + "start": "2023-06-23T08:31:31.707000Z" + }, "related": { "hash": [ "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" @@ -618,6 +610,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "id": "S-1-5-18" } } 
@@ -632,31 +632,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"FileDeletedCount\": \"0\", \"DirectoryCreatedCount\": \"0\", \"ContextThreadId\": \"0\", \"aip\": \"4.3.2.1\", \"NetworkConnectCount\": \"0\", \"NetworkListenCount\": \"0\", \"event_platform\": \"Mac\", \"NetworkBindCount\": \"0\", \"NetworkRecvAcceptCount\": \"0\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"NewExecutableWrittenCount\": \"0\", \"NetworkCloseCount\": \"0\", \"EffectiveTransmissionClass\": \"3\", \"SuspectStackCount\": \"0\", \"timestamp\": \"1687509738041\", \"event_simpleName\": \"EndOfProcess\", \"RawProcessId\": \"6840\", \"ContextTimeStamp\": \"1687509736.983\", \"ConfigStateHash\": \"1033701538\", \"ContextProcessId\": \"494725159582865908\", \"AsepWrittenCount\": \"0\", \"SuspiciousDnsRequestCount\": \"0\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ConfigBuild\": \"1007.4.0016702.10\", \"NetworkCapableAsepWriteCount\": \"0\", \"ExecutableDeletedCount\": \"0\", \"TargetProcessId\": \"494725159582865908\", \"DnsRequestCount\": \"0\", \"Entitlements\": \"15\", \"name\": \"EndOfProcessMacV15\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\"}", "event": { "action": "EndOfProcess", - "type": [ - "end" - ], "category": [ "process" + ], + "type": [ + "end" ] }, "@timestamp": "2023-06-23T08:42:18.041000Z", - "process": { - "pid": 6840 - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { 
@@ -667,6 +659,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "mac" } }, + "process": { + "pid": 6840 + }, "related": { "hash": [ "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" @@ -674,6 +669,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -688,29 +688,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ScriptContent\": \"IMOMScriptAPI.CreatePropertyBag();\\r\\nIWshShell3.RegRead(\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\HealthService\\\\Parameters\\\\State Directory\\\");\\r\\n\", \"OriginalContentLength\": \"308\", \"ContextThreadId\": \"62730064911753\", \"ScriptingLanguageId\": \"4\", \"aip\": \"4.3.2.1\", \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\", \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\svchost.exe\", \"event_platform\": \"Win\", \"ScriptContentName\": \"\\\\??\\\\C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files 18\\\\410\\\\MonitorKnowledgeDiscovery.vbs\", \"HostProcessType\": \"4\", \"EventOrigin\": \"1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"ParentCommandLine\": \"\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\", \"EffectiveTransmissionClass\": \"2\", \"timestamp\": \"1687509725554\", \"event_simpleName\": \"ScriptControlScanTelemetry\", \"ContextTimeStamp\": \"1687509725.206\", \"ConfigStateHash\": \"2886633557\", \"ContextProcessId\": \"1482950948235\", \"ContentSHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ConfigBuild\": \"1007.3.0016810.10\", \"CommandLine\": \"\\\"C:\\\\windows\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"\", \"GrandparentCommandLine\": \"C:\\\\windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\cscript.exe\", \"Entitlements\": \"15\", \"name\": \"ScriptControlScanTelemetryV5\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\"}", "event": { "action": 
"ScriptControlScanTelemetry", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:05.554000Z", - "process": { - "command_line": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", - "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe" - }, "agent": { "id": "111111111111111" }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -719,10 +710,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe" + }, "related": { "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -737,29 +737,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Options\": \"35651617\",\"ContextThreadId\": \"23159432788089\",\"MinorFunction\": \"0\",\"aip\": \"4.3.2.1\",\"FileIdentifier\": \"b2fce67b4d9d407881c47bceb8795966\",\"Information\": \"2\",\"event_platform\": \"Win\",\"ShareAccess\": \"3\",\"EventOrigin\": \"1\",\"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\",\"FileObject\": \"0\",\"EffectiveTransmissionClass\": \"3\",\"FileAttributes\": \"128\",\"timestamp\": \"1687509728592\",\"Status\": \"0\",\"event_simpleName\": \"DirectoryCreate\",\"ContextTimeStamp\": \"1687509728.531\",\"ConfigStateHash\": \"3802125890\",\"ContextProcessId\": \"937196826584\",\"IrpFlags\": \"2180\",\"HandleCreateAuthenticationId\": \"999\",\"ConfigBuild\": \"1007.3.0016810.10\",\"FileEcpBitmask\": \"0\",\"MajorFunction\": \"0\",\"DesiredAccess\": \"1048577\",\"Entitlements\": \"15\",\"name\": \"DirectoryCreateV2\",\"OperationFlags\": \"0\",\"aid\": \"111111111111111\",\"cid\": \"222222222222222222222\",\"TargetFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\ProgramData\\\\Microsoft\\\\Group Policy\\\\Users\\\\S-1-5-21-1111111111-2222222222-3333333333-27500\\\\History\\\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\\\S-1-5-21-1111111111-2222222222-3333333333-27500\\\\Preferences\"}", "event": { "action": "DirectoryCreate", - "type": [ - "creation" - ], "category": [ "file" + ], + "type": [ + "creation" ] }, "@timestamp": "2023-06-23T08:42:08.592000Z", "agent": { "id": "111111111111111" }, - "file": { - "path": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500\\Preferences", - "name": "Preferences", - "directory": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group 
Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500" - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } + "file": { + "directory": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500", + "name": "Preferences", + "path": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500\\Preferences" }, "host": { "ip": [ @@ -773,6 +768,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -787,11 +787,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"IP6Records\": \"2001:cafe:60:67:8e:d1:3c:de;\", \"IP4Records\": \"247.92.197.29;\", \"ContextThreadId\": \"7759631428093\", \"aip\": \"4.3.2.1\", \"QueryStatus\": \"0\", \"FirstIP6Record\": \"2001:cafe:60:67:8e:d1:3c:de\", \"InterfaceIndex\": \"0\", \"event_platform\": \"Win\", \"DualRequest\": \"1\", \"EventOrigin\": \"1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"FirstIP4Record\": \"247.92.197.29\", \"timestamp\": \"1687509731178\", \"event_simpleName\": \"DnsRequest\", \"ContextTimeStamp\": \"1687509755.890\", \"ConfigStateHash\": \"3360407985\", \"ContextProcessId\": \"340604176488\", \"DomainName\": \"EXAMPLE\", \"ConfigBuild\": \"1007.3.0016810.10\", \"DnsRequestCount\": \"1\", \"Entitlements\": \"15\", \"name\": \"DnsRequestV4\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\", \"RequestType\": \"28\"}", "event": { "action": "DnsRequest", - "type": [ - "info" - ], "category": [ "network" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:11.178000Z", @@ -802,10 +802,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "customer_id": "222222222222222222222" }, "dns": { - "question": { - "name": "EXAMPLE", - "type": "AAAA" - }, "answers": [ { "data": "247.92.197.29" @@ -813,11 +809,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "data": "2001:cafe:60:67:8e:d1:3c:de" } - ] - }, - "source": { - "nat": { - "ip": "4.3.2.1" + ], + "question": { + "name": "EXAMPLE", + "type": "AAAA" } }, "host": { @@ -829,12 +824,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "related": { - "ip": [ - "4.3.2.1" - ], "hosts": [ "EXAMPLE" + ], + "ip": [ + "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -849,44 +849,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"MachOSubType\": \"1\", \"ParentProcessId\": \"494714991831837524\", \"SourceProcessId\": \"494714991831837524\", \"aip\": \"4.3.2.1\", \"SessionProcessId\": \"494725112584640957\", \"SHA1HashData\": \"0000000000000000000000000000000000000000\", \"event_platform\": \"Mac\", \"ProcessEndTime\": \"\", \"SVUID\": \"0\", \"ParentBaseFileName\": \"launchd\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"2\", \"timestamp\": \"1687509714640\", \"ProcessGroupId\": \"494725112584640957\", \"event_simpleName\": \"ProcessRollup2\", \"RawProcessId\": \"6812\", \"GID\": \"0\", \"ConfigStateHash\": \"1033701538\", \"SVGID\": \"0\", \"EnvironmentVariablesString\": \"MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1\", \"MD5HashData\": \"68b329da9893e34099c7d8ad5cb9c940\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"TeamId\": \"-\", \"ConfigBuild\": \"1007.4.0016702.10\", \"UID\": \"0\", \"CommandLine\": \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\", \"TargetProcessId\": \"494725112584640957\", \"ImageFileName\": \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\", \"RGID\": \"0\", \"SourceThreadId\": \"0\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2MacV8\", \"RUID\": \"0\", \"ProcessStartTime\": \"1687509714.567\", \"CodeSigningFlags\": \"570522369\", \"aid\": \"111111111111111\", \"SigningId\": \"com.apple.ManagedClient\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ProcessRollup2", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:54.640000Z", - "process": { - "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", - "executable": 
"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", - "thread": { - "id": 0 - }, - "parent": { - "executable": "launchd", - "pid": 494714991831837524 - }, - "start": "2023-06-23T08:41:54.567000Z", - "pid": 6812, - "args": "MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha1": "0000000000000000000000000000000000000000", - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", - "md5": "68b329da9893e34099c7d8ad5cb9c940" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { @@ -897,6 +878,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "mac" } }, + "process": { + "args": "MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1", + "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", + "executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", + "parent": { + "executable": "launchd", + "pid": 494714991831837524 + }, + "pid": 6812, + "start": "2023-06-23T08:41:54.567000Z", + "thread": { + "id": 0 + } + }, "related": { "hash": [ "0000000000000000000000000000000000000000", @@ -906,6 +901,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -920,11 +920,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"AsepFlags\": \"1\", \"ContextThreadId\": \"25148034146550\", \"aip\": \"4.3.2.1\", \"RegObjectName\": \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Classes\\\\AppID\\\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\", \"Data1\": \"00\", \"RegOperationType\": \"1\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"TargetCommandLineParameters\": \"\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"RegStringValue\": \"Interactive User\", \"timestamp\": \"1687509704420\", \"event_simpleName\": \"AsepValueUpdate\", \"ContextTimeStamp\": \"1687509704.057\", \"ConfigStateHash\": \"3802125890\", \"RegType\": \"1\", \"ContextProcessId\": \"877036799894\", \"AsepClass\": \"19\", \"AsepIndex\": \"99\", \"AuthenticationId\": \"999\", \"ConfigBuild\": \"1007.3.0016810.10\", \"RegValueName\": \"RunAs\", \"AsepValueType\": \"0\", \"Entitlements\": \"15\", \"name\": \"AsepValueUpdateV7\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\", \"TargetFileName\": \"\"}", "event": { "action": "AsepValueUpdate", - "type": [ - "change" - ], "category": [ "registry" + ], + "type": [ + "change" ] }, "@timestamp": "2023-06-23T08:41:44.420000Z", @@ -934,11 +934,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" 
@@ -948,15 +943,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "registry": { - "value": "RunAs", - "key": "SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}", "hive": "MACHINE", - "path": "MACHINE\\SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\\RunAs" + "key": "SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}", + "path": "MACHINE\\SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\\RunAs", + "value": "RunAs" }, "related": { "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -971,32 +971,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"aip\": \"4.3.2.1\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"InterfaceGuid\": \"B67BED2E-8578-41A4-A6D8-6844967BF78B\", \"RpcClientProcessId\": \"639960183370\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"timestamp\": \"1687509681570\", \"event_simpleName\": \"ServiceStarted\", \"ContextTimeStamp\": \"1687509681.087\", \"UserName\": \"JOHNDOE$\", \"ConfigStateHash\": \"2181989539\", \"InterfaceVersion\": \"131072\", \"RpcClientThreadId\": \"17805043486632\", \"AuthenticationId\": \"999\", \"ServiceDisplayName\": \"gpsvc\", \"ConfigBuild\": \"1007.3.0016810.10\", \"CommandLine\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k GPSvcGroup\", \"TargetProcessId\": \"640784751242\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\svchost.exe\", \"RpcOpNum\": \"19\", \"Entitlements\": \"15\", \"name\": \"ServiceStartedV2\", \"aid\": \"111111111111111\", \"RpcNestingLevel\": \"0\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ServiceStarted", - "type": [ - "start" - ], "category": [ "process" + ], + "type": [ + "start" ] }, "@timestamp": "2023-06-23T08:41:21.570000Z", - "process": { - "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup", - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" - }, - "user": { - "name": "JOHNDOE$" - }, "agent": { "id": "111111111111111" }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1005,6 +993,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup", + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" + }, "related": { "ip": [ "4.3.2.1" 
@@ -1012,6 +1004,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JOHNDOE$" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "name": "JOHNDOE$" } } @@ -1026,38 +1026,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ExitCode\": \"0\", \"ParentProcessId\": \"4866207374153\", \"ContextThreadId\": \"69461966350890\", \"aip\": \"4.3.2.1\", \"ConHostId\": \"0\", \"UserSid\": \"S-1-5-11\", \"CycleTime\": \"132436798\", \"event_platform\": \"Win\", \"MaxThreadCount\": \"5\", \"ImageSubsystem\": \"2\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"timestamp\": \"1687509730052\", \"KernelTime\": \"468750\", \"UserTime\": \"156250\", \"event_simpleName\": \"EndOfProcess\", \"RawProcessId\": \"7128\", \"ContextTimeStamp\": \"1687509727.956\", \"ConfigStateHash\": \"3802125890\", \"ContextProcessId\": \"4868606663529\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ConfigBuild\": \"1007.3.0016810.10\", \"TargetProcessId\": \"4868606663529\", \"Entitlements\": \"15\", \"name\": \"EndOfProcessV15\", \"ProcessStartTime\": \"1687509727.664\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\"}", "event": { "action": "EndOfProcess", - "type": [ - "end" - ], "category": [ "process" + ], + "type": [ + "end" ] }, "@timestamp": "2023-06-23T08:42:10.052000Z", - "process": { - "parent": { - "pid": 4866207374153 - }, - "start": "2023-06-23T08:42:07.664000Z", - "pid": 7128 - }, - "user": { - "id": "S-1-5-11" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { 
@@ -1068,6 +1053,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "parent": { + "pid": 4866207374153 + }, + "pid": 7128, + "start": "2023-06-23T08:42:07.664000Z" + }, "related": { "hash": [ "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" @@ -1075,6 +1067,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "id": "S-1-5-11" } } 
@@ -1089,29 +1089,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"FileOperatorSid\": \"S-1-5-21-3788338627-1286547573-2859441171-10584\", \"FileCategory\": \"1\", \"Size\": \"41152\", \"ContextThreadId\": \"28390795533849\", \"MinorFunction\": \"0\", \"aip\": \"4.3.2.1\", \"IsOnNetwork\": \"0\", \"FileIdentifier\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"EventOrigin\": \"1\", \"DiskParentDeviceInstanceId\": \"PCI\\\\VEN_8086&DEV_A102&SUBSYS_8054103C&REV_31\\\\3&11583659&0&B8\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"FileObject\": \"0\", \"EffectiveTransmissionClass\": \"3\", \"timestamp\": \"1687509729599\", \"event_simpleName\": \"GzipFileWritten\", \"ContextTimeStamp\": \"1687509729.282\", \"ConfigStateHash\": \"2181989539\", \"ContextProcessId\": \"1611058048102\", \"IrpFlags\": \"0\", \"AuthenticationId\": \"973219\", \"FileWrittenFlags\": \"0\", \"ConfigBuild\": \"1007.3.0016810.10\", \"FileEcpBitmask\": \"0\", \"MajorFunction\": \"0\", \"IsOnRemovableDisk\": \"0\", \"Entitlements\": \"15\", \"name\": \"GzipFileWrittenV2\", \"OperationFlags\": \"0\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\", \"TargetFileName\": \"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_010051\"}", "event": { "action": "GzipFileWritten", - "type": [ - "creation" - ], "category": [ "file" + ], + "type": [ + "creation" ] }, "@timestamp": "2023-06-23T08:42:09.599000Z", "agent": { "id": "111111111111111" }, - "file": { - "path": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_010051", - "name": "f_010051", - "directory": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data" - }, "crowdstrike": { "customer_id": 
"222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } + "file": { + "directory": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data", + "name": "f_010051", + "path": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_010051" }, "host": { "ip": [ @@ -1125,6 +1120,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1139,29 +1139,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ContextBaseFileName\": \"svchost.exe\", \"Options\": \"84017248\", \"ContextThreadId\": \"4518280091474\", \"MinorFunction\": \"0\", \"aip\": \"4.3.2.1\", \"Information\": \"2\", \"FileIdentifier\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f98\", \"event_platform\": \"Win\", \"ShareAccess\": \"0\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"FileObject\": \"0\", \"EffectiveTransmissionClass\": \"3\", \"FileAttributes\": \"128\", \"timestamp\": \"1687509729448\", \"Status\": \"0\", \"event_simpleName\": \"NewExecutableWritten\", \"ContextTimeStamp\": \"1687509728.901\", \"ConfigStateHash\": \"2181989539\", \"ContextProcessId\": \"262254732252\", \"IrpFlags\": \"2180\", \"ContextImageFileName\": \"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\", \"ConfigBuild\": \"1007.3.0016810.10\", \"FileEcpBitmask\": \"0\", \"MajorFunction\": \"0\", \"DesiredAccess\": \"1180054\", \"Entitlements\": \"15\", \"name\": \"NewExecutableWrittenV3\", \"OperationFlags\": \"0\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\", \"TargetFileName\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\Microsoft.Edge_123082\\\\WebView2Loader.dll\"}", "event": { "action": "NewExecutableWritten", - "type": [ - "creation" - ], "category": [ "file" + ], + "type": [ + "creation" ] }, "@timestamp": "2023-06-23T08:42:09.448000Z", "agent": { "id": "111111111111111" }, - "file": { - "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082\\WebView2Loader.dll", - "name": "WebView2Loader.dll", - "directory": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082" - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } + "file": { + "directory": "\\Device\\HarddiskVolume3\\Program 
Files\\WindowsApps\\Microsoft.Edge_123082", + "name": "WebView2Loader.dll", + "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082\\WebView2Loader.dll" }, "host": { "ip": [ @@ -1175,6 +1170,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1189,46 +1189,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ProcessCreateFlags\": \"525324\", \"IntegrityLevel\": \"4096\", \"ParentProcessId\": \"1084277996656\", \"SourceProcessId\": \"1084277996656\", \"aip\": \"4.3.2.1\", \"SHA1HashData\": \"0000000000000000000000000000000000000000\", \"UserSid\": \"S-1-5-21-1111111111-2222222222-3333333333-44444\", \"WindowStation\": \"Service-0x0-24c530$\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"ProcessEndTime\": \"\", \"AuthenticodeHashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ParentBaseFileName\": \"AcroCEF.exe\", \"ImageSubsystem\": \"2\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"SessionId\": \"1\", \"Tags\": \"25, 874, 924, 211381110440234\", \"timestamp\": \"1687509692218\", \"event_simpleName\": \"ProcessRollup2\", \"RawProcessId\": \"18184\", \"ConfigStateHash\": \"2181989539\", \"MD5HashData\": \"68b329da9893e34099c7d8ad5cb9c940\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ProcessSxsFlags\": \"64\", \"AuthenticationId\": \"2409776\", \"ConfigBuild\": \"1007.3.0016810.10\", \"WindowFlags\": \"384\", \"CommandLine\": \"\\\"C:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\acrocef_1\\\\AcroCEF.exe\\\" --type=gpu-process --log-severity=disable --user-agent-product=\\\"ReaderServices/23.1.20174 Chrome/105.0.0.0\\\" --lang=en-US --user-data-dir=\\\"C:\\\\Users\\\\p.gregoire\\\\AppData\\\\Local\\\\CEF\\\\User Data\\\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\\\"C:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\acrocef_1\\\\debug.log\\\" --mojo-platform-channel-handle=2680 
--field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2\", \"ParentAuthenticationId\": \"2409776\", \"TargetProcessId\": \"1084288767347\", \"Desktop\": \"MyDesktop\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\acrocef_1\\\\AcroCEF.exe\", \"SourceThreadId\": \"25998916493732\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2V19\", \"ProcessStartTime\": \"1687509691.125\", \"ProcessParameterFlags\": \"8193\", \"aid\": \"111111111111111\", \"SignInfoFlags\": \"787456\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ProcessRollup2", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:32.218000Z", - "process": { - "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2", - "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe", - "thread": { - "id": 25998916493732 - }, - "parent": { - "executable": "AcroCEF.exe", - "pid": 1084277996656 - }, - "start": 
"2023-06-23T08:41:31.125000Z", - "pid": 18184 - }, - "user": { - "id": "S-1-5-21-1111111111-2222222222-3333333333-44444" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha1": "0000000000000000000000000000000000000000", - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", - "md5": "68b329da9893e34099c7d8ad5cb9c940" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { 
@@ -1239,6 +1218,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2", + "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe", + "parent": { + "executable": "AcroCEF.exe", + "pid": 1084277996656 + }, + "pid": 18184, + "start": "2023-06-23T08:41:31.125000Z", + "thread": { + "id": 25998916493732 + } + }, "related": { "hash": [ "0000000000000000000000000000000000000000", @@ -1248,6 +1240,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "id": "S-1-5-21-1111111111-2222222222-3333333333-44444" } } 
@@ -1262,11 +1262,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Parameter2\": \"149480800\", \"event_simpleName\": \"ErrorEvent\", \"Parameter1\": \"1768214888\", \"Parameter3\": \"0\", \"ConfigStateHash\": \"3752158409\", \"aip\": \"4.3.2.1\", \"Line\": \"1062\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"ErrorStatus\": \"3221227780\", \"Entitlements\": \"15\", \"name\": \"ErrorEventV2\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"Facility\": \"67109928\", \"EffectiveTransmissionClass\": \"0\", \"aid\": \"111111111111111\", \"File\": \"0\", \"timestamp\": \"1687509734881\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ErrorEvent", - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:14.881000Z", @@ -1276,11 +1276,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1293,6 +1288,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1307,32 +1307,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ModuleCharacteristics\": \"8226\", \"ContextThreadId\": \"35437388152064\", \"aip\": \"4.3.2.1\", \"ModuleLoadTelemetryClassification\": \"2\", \"event_platform\": \"Win\", \"MappedFromUserMode\": \"1\", \"AuthenticodeHashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"EventOrigin\": \"1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"ModuleSize\": \"7618560\", \"timestamp\": \"1687509685890\", \"event_simpleName\": \"ClassifiedModuleLoad\", \"ContextTimeStamp\": \"1687509685.346\", \"ConfigStateHash\": \"2181989539\", \"ContextProcessId\": \"1629056398985\", \"MD5HashData\": \"68b329da9893e34099c7d8ad5cb9c940\", \"SHA256HashData\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"ConfigBuild\": \"1007.3.0016810.10\", \"TargetProcessId\": \"1629056398985\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\shell32.dll\", \"Entitlements\": \"15\", \"name\": \"ClassifiedModuleLoadV2\", \"PrimaryModule\": \"0\", \"TargetImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\rundll32.exe\", \"aid\": \"111111111111111\", \"SignInfoFlags\": \"9175042\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ClassifiedModuleLoad", - "type": [ - "start" - ], "category": [ "process" + ], + "type": [ + "start" ] }, "@timestamp": "2023-06-23T08:41:25.890000Z", - "process": { - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll" - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", - "md5": "68b329da9893e34099c7d8ad5cb9c940" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", 
+ "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "host": { @@ -1343,6 +1335,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll" + }, "related": { "hash": [ "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", @@ -1351,6 +1346,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1365,11 +1365,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"ConfigStateUpdate\", \"ConfigStateHash\": \"3802125890\", \"ConfigStateData\": \"0,0,1007.3.0016810.10|1,1,ab|1,3,8|1,5,1|1,7,c|1,9,0|1,b,21|1,c,0|1,d,36|1,e,36|1,1d,6d|1,20,59|1,23,1|1,26,1|1,36,e|1,37,e|1,38,e|1,39,e|1,3a,1|1,3c,1|1,3d,5|1,3e,1|1,3f,37|1,51,8|1,52,c5|1,55,0|1,58,1|1,5a,2|1,5b,4|1,5c,4|1,5d,7c|1,5f,45|1,62,bf|1,65,0|1,73,0|1,74,37|1,75,0|1,76,0|1,77,0|1,a8,0|1,c8,de|1,c9,2|1,ca,1|1,cb,a0|1,cc,3|1,cd,b4|1,ce,8|1,cf,4|1,d5,5|1,d6,e|1,d7,4|1,d8,1|1,d9,e4|1,da,bb|1,db,62|1,dc,1|1,dd,a|1,de,8e|1,e1,78|1,e2,0|1,e3,41|1,e4,52|1,e5,4a|1,e6,1c|1,e7,1a|1,e8,1d|1,e9,e7|1,ec,34|1,ed,14|1,ee,e9|1,ef,7|1,f3,69|1,f5,ba|1,f8,73|1,f9,1e|1,fb,1|1,fc,e|1,fd,7c|1,ff,33|1,103,89|1,104,20|1,105,3d|1,106,55|1,107,1b|1,108,b|1,109,92|1,10a,4|1,10c,0|1,10d,3|1,10e,9|1,111,35|1,112,a|1,1f4,1|1,1f6,1|1,1fc,1|1,1fe,1|1,1ff,3|1,258,56|1,320,0|1,384,0|1,385,0|1,386,0|1,387,2|1,389,0|1,38a,0|1,38b,0|2,0,138,a8000000032,a8000000034,a8000000049,b8000000040,b8000000041,14000000005a,14000000005c,140000000085,14000000023c,18000000004c,18000000004f,180000000052,180000000053,180000000054,180000000055,1800000000e1,1800000000e2,1800000000ed,1800000000f0,180000000136,180000000137,180000000145,1800000001a8,1800000001fb,180000000201,180000000202,18000000020e,180000000214,180000000215,180000000216,180000000217,180000000218,180000000219,18000000021a,18000000022b,180000000233,180000000237,1800000002a1,1800000002a3,1800000002a6,1800000002a7,1800000002bc,1800000002da,1800000002fd,180000000300,180000000339,18000000033a,18000000033b,18000000033e,180000000349,180000000364,1800000003a4,1800000003c4,1800000003e8,18000000040c,180000000433,180000000434,180000000464,180000000473,180000000474,18000000048c,180000000499,18000000049b,18000000049c,18000000049d,1800000004a9,180000000523,18040000006a,18040000006b,18040000006f,180400000079,18040000007b,18040000007d,18040000009b
,18040000009c,18040000009d,18040000009e,18040000009f,1804000000a0,1804000000eb,1804000000ff,180400000106,180400000107,180400000108,180400000117,180400000118,180400000119,180400000140,180400000142,180400000166,180400000167,180400000168,180400000181,180400000187,1804000001b2,1804000001c4,1804000001c5,1804000001c6,1804000001f2,1804000001f3,1804000001f4,180400000225,18040000024f,180400000250,180400000251,18040000025c,18040000025d,18040000025e,1804000002ac,18040000037e,18040000037f,180400000380,180400000383,1804000003b8,1804000003b9,1804000003ba,1804000003d9,1804000003da,1804000003db,1804000003f2,1804000003f3,1804000003f4,1804000003f9,1804000003fa,1804000003fb,180400000400,180400000401,180400000402,180400000408,180400000409,18040000040a,18080000007f,180800000080,180800000081,180800000082,180800000091,1808000000b6,1808000000b7,1808000000c9,1808000000cc,1808000000cf,1808000000dd,1808000000e0,180800000102,18080000010f,180800000147,1808000001cc,1808000001cd,1808000001ce,1808000001cf,1808000001d0,1808000001d1,18080000033f,180c00000061,180c00000062,180c0000006e,180c00000109,180c0000010a,180c0000010b,180c0000012d,180c0000012e,180c0000012f,180c00000130,180c00000131,180c00000132,180c00000133,180c00000134,180c00000135,180c0000016e,180c0000016f,180c00000170,180c0000018d,180c0000018e,180c0000018f,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001c8,180c000001c9,180c000001ca,180c000001f6,180c000001f7,180c000001f8,180c00000253,180c00000254,180c00000255,180c00000260,180c00000261,180c00000262,180c000002ab,180c00000382,180c000003b4,180c000003b5,180c000003b6,180c000003d5,180c000003d6,180c000003d7,180c000003ee,180c000003ef,180c000003f0,180c000003f6,180c000003f7,180c000003f8,180c000003fc,180c000003fd,180c000003fe,180c00000404,180c00000405,180c00000406,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000127,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,1810000002
20,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|\", \"aip\": \"4.3.2.1\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"Entitlements\": \"15\", \"name\": \"ConfigStateUpdateV3\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"0\", \"aid\": \"111111111111111\", \"ChannelDiffStatusList\": \"1\", \"timestamp\": \"1687509729004\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ConfigStateUpdate", - "type": [ - "change" - ], "category": [ "configuration" + ], + "type": [ + "change" ] }, "@timestamp": "2023-06-23T08:42:09.004000Z", @@ -1379,11 +1379,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1396,6 +1391,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1410,11 +1410,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"DnsResponseType\": \"2\", \"IP4Records\": \"11.48.2.25;\", \"ContextThreadId\": \"26154061688880\", \"aip\": \"4.3.2.1\", \"CNAMERecords\": \"eu01.roaming1.example.org;asia03.roaming1.example.org;\", \"QueryStatus\": \"0\", \"InterfaceIndex\": \"0\", \"event_platform\": \"Win\", \"DualRequest\": \"1\", \"EventOrigin\": \"1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"FirstIP4Record\": \"11.48.2.25\", \"timestamp\": \"1687509682314\", \"event_simpleName\": \"DnsRequest\", \"ContextTimeStamp\": \"1687509680.451\", \"ConfigStateHash\": \"2181989539\", \"ContextProcessId\": \"1195201348121\", \"DomainName\": \"roaming.example.org\", \"RespondingDnsServer\": \"67.228.239.228\", \"ConfigBuild\": \"1007.3.0016810.10\", \"DnsRequestCount\": \"1\", \"Entitlements\": \"15\", \"name\": \"DnsRequestV4\", \"aid\": \"111111111111111\", \"cid\": \"222222222222222222222\", \"RequestType\": \"28\"}", "event": { "action": "DnsRequest", - "type": [ - "info" - ], "category": [ "network" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:22.314000Z", @@ -1427,15 +1427,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dns": { "question": { "name": "roaming.example.org", - "type": "AAAA", - "top_level_domain": "org", + "registered_domain": "example.org", "subdomain": "roaming", - "registered_domain": "example.org" - } - }, - "source": { - "nat": { - "ip": "4.3.2.1" + "top_level_domain": "org", + "type": "AAAA" } }, "host": { @@ -1447,12 +1442,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "related": { - "ip": [ - "4.3.2.1" - ], "hosts": [ "roaming.example.org" + ], + "ip": [ + "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1466,11 +1466,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"aid\":\"111111111111111\",\"cid\":\"222222222222222\",\"product_type_desc\":\"Workstation\",\"event_platform\":\"Win\",\"scores\":{\"os\":64,\"sensor\":97,\"overall\":86,\"version\":\"3.6.1\",\"modified_time\":\"2023-02-07T19:31:10.489579379Z\"},\"assessments\":{\"additional_user_mode_data_enabled\":\"yes\",\"automated_remediation\":\"yes\",\"beta_build_disabled\":\"yes\",\"branch_target_injection_mitigation\":\"yes\",\"branch_target_injection_mitigation_hardware_support\":\"yes\",\"branch_target_injection_mitigation_patch\":\"yes\",\"branch_target_injection_mitigation_registry_allowed\":\"yes\",\"credential_guard_running\":\"no\",\"debug_mode_disabled\":\"yes\",\"dma_guard_enabled\":\"no\",\"engine_full_visibility\":\"yes\",\"execution_blocking_custom_blocking_enabled\":\"yes\",\"execution_blocking_intel_threats_enabled\":\"yes\",\"execution_blocking_suspicious_processes_enabled\":\"yes\",\"execution_blocking_suspicious_registry_ops_enabled\":\"yes\",\"execution_blocking_suspicious_scripts_enabled\":\"yes\",\"exploit_mitigation_force_aslr_enabled\":\"yes\",\"exploit_mitigation_heap_spray_allocation_enabled\":\"yes\",\"exploit_mitigation_null_page_allocation_enabled\":\"yes\",\"exploit_mitigation_seh_overwrite_protection_enabled\":\"yes\",\"exploitation_behavior_application_exploitation_activity_enabled\":\"yes\",\"exploitation_behavior_chopper_webshell_enabled\":\"yes\",\"exploitation_behavior_code_injection_enabled\":\"yes\",\"exploitation_behavior_driveby_download_enabled\":\"yes\",\"exploitation_behavior_javascript_execution_rundll32_enabled\":\"yes\",\"firmware_is_uefi\":\"no\",\"hardware_enhanced_exploit_detection\":\"yes\",\"hsti_available\":\"no\",\"http_detections\":\"yes\",\"hvci_enabled\":\"no\",\"hvci_strict_mode\":\"no\",\"in_full_functionality\":\"yes\",\"interpreter_only\":\"yes\",\"iommu_available\":\"yes\",\"iommu_in_use\":\"no\",\"kmc
i_enabled\":\"yes\",\"l1_terminal_fault_mitigation\":\"yes\",\"lateral_movement_credential_access_credential_dumping_enabled\":\"yes\",\"lateral_movement_credential_access_windows_logon_bypass_enabled\":\"yes\",\"mbec_available\":\"no\",\"ml_adware\":\"yes\",\"ml_adware_prevention\":\"yes\",\"ml_cloud_antimalware\":\"yes\",\"ml_cloud_antimalware_prevention\":\"yes\",\"ml_sensor_antimalware\":\"yes\",\"ml_sensor_antimalware_prevention\":\"yes\",\"quarantine_and_security_registration\":\"yes\",\"quarantine_on_write\":\"yes\",\"ransomware_backup_deletion_enabled\":\"yes\",\"ransomware_cryptowall_enabled\":\"yes\",\"ransomware_file_encryption_enabled\":\"yes\",\"ransomware_file_system_access_enabled\":\"yes\",\"ransomware_locky_enabled\":\"yes\",\"real_time_response_enabled\":\"yes\",\"rogue_data_cache_load_mitigation\":\"yes\",\"rogue_data_cache_load_mitigation_patch\":\"yes\",\"script_based_execution_monitoring_enabled\":\"no\",\"script_enforcement\":\"yes\",\"secure_boot_enabled\":\"no\",\"secure_kernel_running\":\"no\",\"secure_mor_available\":\"no\",\"sensor_tampering_protection\":\"yes\",\"smm_protections\":\"no\",\"speculative_store_bypass_mitigation_available\":\"yes\",\"speculative_store_bypass_mitigation_hardware_support\":\"yes\",\"suspicious_kernel_drivers\":\"yes\",\"system_firmware_bios_enabled\":\"yes\",\"test_signing_disabled\":\"yes\",\"uefi_memory_protection\":\"no\",\"volume_shadow_copy_audit\":\"yes\",\"volume_shadow_copy_protect\":\"yes\",\"vsm_available\":\"yes\",\"windows_insider_program_disabled\":\"yes\",\"windows_insider_program_not_running\":\"yes\",\"windows_os_build\":\"no\"},\"event_type\":\"ZeroTrustHostAssessment\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-02-07T19:31:10.489579Z", 
@@ -1497,30 +1497,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ComputerName\":\"DEPL0982.local\",\"CurrentLocalIP\":\"1.2.3.4\",\"FirstDiscoveredDate\":\"1688477941.384\",\"LastDiscoveredBy\":\"33333333333333333333333333333333\",\"LocalAddressIP4\":\"1.2.3.4 11.22.33.44\",\"MAC\":\"06-FA-8B-A0-04-37\",\"MACPrefix\":\"06-FA-8B\",\"NeighborName\":\"!!!!UNKNOWN!!!!\",\"__mv_LocalAddressIP4\":\"$1.2.3.4$;$11.22.33.44$\",\"__mv_aip\":\"$4.3.2.1$;$44.33.22.11$\",\"__mv_discoverer_aid\":\"\",\"__mv_discoverer_devicetype\":\"\",\"_time\":\"1688546869.56\",\"aip\":\"4.3.2.1 44.33.22.11\",\"aipCount\":\"2\",\"cid\":\"222222222222222\",\"discovererCount\":\"1\",\"discoverer_aid\":\"33333333333333333333333333333333\",\"discoverer_devicetype\":\"\",\"localipCount\":\"2\",\"subnet\":\"1.2\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-07-04T13:39:01.384000Z", "crowdstrike": { "customer_id": "222222222222222" }, - "observer": { - "mac": "06-FA-8B-A0-04-37", - "ip": [ - "1.2.3.4", - "11.22.33.44" - ] - }, "host": { "ip": [ "4.3.2.1", "44.33.22.11" ], - "name": "DEPL0982.local", + "mac": "06-FA-8B-A0-04-37", + "name": "DEPL0982.local" + }, + "observer": { + "ip": [ + "1.2.3.4", + "11.22.33.44" + ], "mac": "06-FA-8B-A0-04-37" }, "related": { @@ -1543,11 +1543,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"GatewayIP\":\"4.5.6.7\",\"GatewayMAC\":\"E2-B4-CD-72-08-CA\",\"InterfaceAlias\":\"Ethernet 2\",\"InterfaceDescription\":\"Realtek USB GbE Family Controller #2\",\"LocalAddressIP4\":\"1.2.3.4\",\"MAC\":\"70-BD-0C-A6-4B-61\",\"MACPrefix\":\"70-BD-0C\",\"_time\":\"1688557498.592\",\"aid\":\"111111111111111\",\"cid\":\"222222222222222\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "agent": { 
@@ -1558,8 +1558,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "gateway_ip": "4.5.6.7", "gateway_mac": "E2-B4-CD-72-08-CA" }, + "host": { + "mac": "70-BD-0C-A6-4B-61" + }, "observer": { - "mac": "70-BD-0C-A6-4B-61", "egress": { "interface": { "alias": "Ethernet 2" @@ -1567,19 +1569,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": [ "1.2.3.4" - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "host": { + ], "mac": "70-BD-0C-A6-4B-61" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -1593,11 +1593,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"GatewayIP\":\"\",\"GatewayMAC\":\"\",\"InterfaceAlias\":\"en0\",\"InterfaceDescription\":\"\",\"LocalAddressIP4\":\"1.2.3.4\",\"MAC\":\"70-BD-0C-A6-4B-61\",\"MACPrefix\":\"70-BD-0C\",\"_time\":\"1688558155.314\",\"aid\":\"111111111111111\",\"cid\":\"222222222222222\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "agent": { @@ -1606,8 +1606,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222" }, + "host": { + "mac": "70-BD-0C-A6-4B-61" + }, "observer": { - "mac": "70-BD-0C-A6-4B-61", "egress": { "interface": { "alias": "en0" @@ -1615,19 +1617,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": [ "1.2.3.4" - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "host": { + ], "mac": "70-BD-0C-A6-4B-61" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -1641,11 +1641,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"GatewayIP\":\"\",\"GatewayMAC\":\"\",\"InterfaceAlias\":\"Connexion au r\u00e9seau local* 2\",\"InterfaceDescription\":\"Microsoft Wi-Fi Direct Virtual Adapter #2\",\"LocalAddressIP4\":\"1.2.3.4\",\"MAC\":\"70-BD-0C-A6-4B-61\",\"MACPrefix\":\"70-BD-0C\",\"_time\":\"1688557813.897\",\"aid\":\"111111111111111\",\"cid\":\"222222222222222\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "agent": { @@ -1654,8 +1654,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222" }, + "host": { + "mac": "70-BD-0C-A6-4B-61" + }, "observer": { - "mac": "70-BD-0C-A6-4B-61", "egress": { "interface": { "alias": "Connexion au r\u00e9seau local* 2" @@ -1663,19 +1665,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": [ "1.2.3.4" - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "host": { + ], "mac": "70-BD-0C-A6-4B-61" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -1689,11 +1689,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"AgentLoadFlags\":\"1\",\"AgentLocalTime\":\"1688462537.0\",\"AgentTimeOffset\":\"-5574.207\",\"AgentVersion\":\"6.54.16812.0\",\"BiosManufacturer\":\"HP\",\"BiosVersion\":\"U21 Ver. 02.05.00\",\"ChassisType\":\"Mini PC Desktop\",\"City\":\"Toronto\",\"ComputerName\":\"DEFP0395\",\"ConfigBuild\":\"1007.3.0016812.10\",\"ConfigIDBuild\":\"16812\",\"Continent\":\"America\",\"Country\":\"Canada\",\"FalconGroupingTags\":\"none\",\"FirstSeen\":\"1688132251\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"example.org\",\"OU\":\"Computers;1001.example.toronto;Workspace;Canada;Country\",\"PointerSize\":\"8\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"none\",\"ServicePackMajor\":\"0\",\"SiteName\":\"EQX\",\"SystemManufacturer\":\"HP\",\"SystemProductName\":\"HP Elite Mini 800 G9 Desktop PC\",\"Time\":\"1688542167.026\",\"Timezone\":\"America/New York\",\"Version\":\"Windows 10\",\"aip\":\"1.2.3.4\",\"aid\":\"111111111111111\",\"cid\":\"222222222222222\",\"event_platform\":\"Win\"}", "event": { - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-07-05T07:29:27.026000Z", @@ -1701,32 +1701,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "111111111111111", "version": "6.54.16812.0" }, - "source": { - "geo": { - "country_name": "Canada", - "city_name": "Toronto" - }, - "nat": { - "ip": "1.2.3.4" - } - }, "crowdstrike": { "customer_id": "222222222222222" }, "host": { + "domain": "example.org", "ip": [ "1.2.3.4" ], + "name": "DEFP0395", "os": { "platform": "win" - }, - "name": "DEFP0395", - "domain": "example.org" + } }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "geo": { + "city_name": "Toronto", + "country_name": "Canada" + }, + "nat": { + "ip": "1.2.3.4" + } } } 
@@ -1741,29 +1741,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"DetectionExcluded\", \"ContextTimeStamp\": \"1687509686.164\", \"ConfigStateHash\": \"3752158409\", \"aip\": \"4.3.2.1\", \"BoundingLimitCount\": \"1\", \"ConfigBuild\": \"1007.3.0016810.10\", \"AllowlistingFilterId\": \"360-global-global\", \"event_platform\": \"Win\", \"CommandLine\": \"C:\\\\WINDOWS\\\\System32\\\\svchost.exe -k netsvcs -p -s BITS\", \"TargetProcessId\": \"550385463832\", \"PatternId\": \"360\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\svchost.exe\", \"ExclusionType\": \"1\", \"Entitlements\": \"15\", \"name\": \"DetectionExcludedV7\", \"ExclusionSource\": \"5\", \"EventOrigin\": \"5\", \"ContextData\": \"\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"timestamp\": \"1687509686381\", \"cid\": \"222222222222222222222\"}", "event": { "action": "DetectionExcluded", - "type": [ - "info" - ], "category": [ "intrusion_detection" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:26.381000Z", - "process": { - "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s BITS", - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" - }, "agent": { "id": "111111111111111" }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1772,10 +1763,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s BITS", + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" + }, "related": { "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1790,11 +1790,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"CurrentSystemTags\", \"ConfigStateHash\": \"1317737955\", \"aip\": \"4.3.2.1\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"SystemTableIndex\": \"0\", \"Entitlements\": \"15\", \"name\": \"CurrentSystemTagsV1\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"0\", \"aid\": \"111111111111111\", \"Tags\": \"312, 11544872091698, 11544872091700, 11544872091721, 12644383719488, 12644383719489, 21990232555610, 21990232555612, 21990232555653, 21990232556092, 26388279066700, 26388279066703, 26388279066706, 26388279066707, 26388279066708, 26388279066709, 26388279066849, 26388279066850, 26388279066861, 26388279066864, 26388279066934, 26388279066935, 26388279066948, 26388279066949, 26388279067048, 26388279067131, 26388279067137, 26388279067138, 26388279067150, 26388279067156, 26388279067157, 26388279067158, 26388279067159, 26388279067160, 26388279067161, 26388279067162, 26388279067179, 26388279067187, 26388279067191, 26388279067210, 26388279067261, 26388279067297, 26388279067299, 26388279067302, 26388279067303, 26388279067324, 26388279067354, 26388279067389, 26388279067392, 26388279067449, 26388279067450, 26388279067451, 26388279067454, 26388279067465, 26388279067492, 26388279067556, 26388279067588, 26388279067589, 26388279067624, 26388279067660, 26388279067699, 26388279067700, 26388279067712, 26388279067748, 26388279067763, 26388279067764, 26388279067788, 26388279067801, 26388279067803, 26388279067804, 26388279067805, 26388279067817, 26388279067939, 26405458935914, 26405458935915, 26405458935919, 26405458935929, 26405458935931, 26405458935933, 26405458935963, 26405458935964, 26405458935965, 26405458935966, 26405458935967, 26405458935968, 26405458936043, 26405458936063, 26405458936070, 26405458936071, 26405458936072, 26405458936087, 26405458936088, 26405458936089, 26405458936128, 
26405458936130, 26405458936166, 26405458936167, 26405458936168, 26405458936193, 26405458936199, 26405458936242, 26405458936260, 26405458936261, 26405458936262, 26405458936306, 26405458936307, 26405458936308, 26405458936357, 26405458936399, 26405458936400, 26405458936401, 26405458936412, 26405458936413, 26405458936414, 26405458936492, 26405458936702, 26405458936703, 26405458936704, 26405458936707, 26405458936760, 26405458936761, 26405458936762, 26405458936793, 26405458936794, 26405458936795, 26405458936818, 26405458936819, 26405458936820, 26405458936825, 26405458936826, 26405458936827, 26405458936832, 26405458936833, 26405458936834, 26405458936840, 26405458936841, 26405458936842, 26422638805119, 26422638805120, 26422638805121, 26422638805122, 26422638805137, 26422638805174, 26422638805175, 26422638805193, 26422638805196, 26422638805199, 26422638805213, 26422638805216, 26422638805250, 26422638805263, 26422638805319, 26422638805452, 26422638805453, 26422638805454, 26422638805455, 26422638805456, 26422638805457, 26422638805823, 26439818674273, 26439818674274, 26439818674286, 26439818674441, 26439818674442, 26439818674443, 26439818674477, 26439818674478, 26439818674479, 26439818674480, 26439818674481, 26439818674482, 26439818674483, 26439818674484, 26439818674485, 26439818674542, 26439818674543, 26439818674544, 26439818674573, 26439818674574, 26439818674575, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674632, 26439818674633, 26439818674634, 26439818674678, 26439818674679, 26439818674680, 26439818674771, 26439818674772, 26439818674773, 26439818674784, 26439818674785, 26439818674786, 26439818674859, 26439818675074, 26439818675124, 26439818675125, 26439818675126, 26439818675157, 26439818675158, 26439818675159, 26439818675182, 26439818675183, 26439818675184, 26439818675190, 26439818675191, 26439818675192, 26439818675196, 26439818675197, 26439818675198, 26439818675204, 26439818675205, 26439818675206, 26456998543646, 26456998543647, 26456998543648, 
26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543655, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\", \"timestamp\": \"1687509740892\", \"cid\": \"222222222222222222222\"}", "event": { "action": "CurrentSystemTags", - "type": [ - "change" - ], "category": [ "configuration" + ], + "type": [ + "change" ] }, "@timestamp": "2023-06-23T08:42:20.892000Z", @@ -1804,11 +1804,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1821,6 +1816,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1835,11 +1835,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"AssociateIndicator\", \"ProcessBehavioralContext\": \"\", \"ContextTimeStamp\": \"1687509723.530\", \"ConfigStateHash\": \"2181989539\", \"aip\": \"4.3.2.1\", \"GrandparentProcessBehavioralContext\": \"\", \"ConfigBuild\": \"1007.3.0016810.10\", \"PatternDisposition\": \"0\", \"event_platform\": \"Win\", \"TargetProcessId\": \"1655395637152\", \"PatternId\": \"3\", \"Entitlements\": \"15\", \"name\": \"AssociateIndicatorV11\", \"EventOrigin\": \"5\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"ParentProcessBehavioralContext\": \"\", \"timestamp\": \"1687509723940\", \"cid\": \"222222222222222222222\"}", "event": { "action": "AssociateIndicator", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:42:03.940000Z", @@ -1849,11 +1849,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1866,6 +1861,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -1880,28 +1880,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"FirewallDeleteRule\", \"ContextTimeStamp\": \"1687509723.415\", \"UserName\": \"j.doe\", \"ConfigStateHash\": \"2181989539\", \"ContextProcessId\": \"1653642597100\", \"InterfaceVersion\": \"65536\", \"aip\": \"4.3.2.1\", \"RpcClientThreadId\": \"45955897880875\", \"FirewallRuleId\": \"{CE605B68-BD8A-4D72-BA66-15341408C483}\", \"AuthenticationId\": \"1077281\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"RpcOpNum\": \"7\", \"Entitlements\": \"15\", \"name\": \"FirewallDeleteRuleV3\", \"InterfaceGuid\": \"52C47ED7-2CF7-4670-8EE1-49F729A804C8\", \"RpcClientProcessId\": \"1655394096661\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"3\", \"aid\": \"111111111111111\", \"RpcNestingLevel\": \"0\", \"timestamp\": \"1687509723940\", \"cid\": \"222222222222222222222\"}", "event": { "action": "FirewallDeleteRule", - "type": [ - "deletion" - ], "category": [ "configuration" + ], + "type": [ + "deletion" ] }, "@timestamp": "2023-06-23T08:42:03.940000Z", - "user": { - "name": "j.doe" - }, "agent": { "id": "111111111111111" }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -1917,6 +1909,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "j.doe" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "name": "j.doe" } } 
@@ -1931,34 +1931,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"ProcessRollup2Stats\", \"ConfigStateHash\": \"1033701538\", \"Timeout\": \"600\", \"ParentProcessId\": \"0\", \"aip\": \"4.3.2.1\", \"SuppressType\": \"2\", \"SHA256HashData\": \"be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09\", \"ProcessCount\": \"2\", \"BoundedCount\": \"1\", \"ConfigBuild\": \"1007.4.0016702.10\", \"UID\": \"501\", \"event_platform\": \"Mac\", \"CommandLine\": \"/usr/sbin/system_profiler -nospawn -xml SPConfigurationProfileDataType -detailLevel full\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2StatsMacV3\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"EffectiveTransmissionClass\": \"2\", \"aid\": \"111111111111111\", \"timestamp\": \"1687509707929\", \"cid\": \"222222222222222222222\"}", "event": { "action": "ProcessRollup2Stats", - "type": [ - "info" - ], "category": [ "process" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:47.929000Z", - "process": { - "command_line": "/usr/sbin/system_profiler -nospawn -xml SPConfigurationProfileDataType -detailLevel full", - "parent": { - "pid": 0 - } - }, "agent": { "id": "111111111111111" }, - "file": { - "hash": { - "sha256": "be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09" - } - }, "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" + "file": { + "hash": { + "sha256": "be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09" } }, "host": { 
@@ -1969,6 +1958,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "mac" } }, + "process": { + "command_line": "/usr/sbin/system_profiler -nospawn -xml SPConfigurationProfileDataType -detailLevel full", + "parent": { + "pid": 0 + } + }, "related": { "hash": [ "be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09" @@ -1976,6 +1971,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } @@ -1990,11 +1990,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event_simpleName\": \"SensorHeartbeat\", \"ConfigStateHash\": \"3802125890\", \"NetworkContainmentState\": \"0\", \"aip\": \"4.3.2.1\", \"ConfigIDBase\": \"65994762\", \"SensorStateBitMap\": \"0\", \"ConfigBuild\": \"1007.3.0016810.10\", \"event_platform\": \"Win\", \"ConfigurationVersion\": \"10\", \"Entitlements\": \"15\", \"name\": \"SensorHeartbeatV4\", \"ConfigIDPlatform\": \"3\", \"id\": \"a83b4482-ca45-4d6b-850b-79d8a1b9e60f\", \"ConfigIDBuild\": \"16810\", \"EffectiveTransmissionClass\": \"0\", \"aid\": \"111111111111111\", \"ProvisionState\": \"1\", \"timestamp\": \"1687509687215\", \"cid\": \"222222222222222222222\"}", "event": { "action": "SensorHeartbeat", - "type": [ - "info" - ], "category": [ "host" + ], + "type": [ + "info" ] }, "@timestamp": "2023-06-23T08:41:27.215000Z", @@ -2004,11 +2004,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "crowdstrike": { "customer_id": "222222222222222222222" }, - "source": { - "nat": { - "ip": "4.3.2.1" - } - }, "host": { "ip": [ "4.3.2.1" @@ -2021,6 +2016,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.3.2.1" ] + }, + "source": { + "nat": { + "ip": "4.3.2.1" + } } } 
@@ -2035,47 +2035,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ProcessCreateFlags\": \"525324\", \"IntegrityLevel\": \"16384\", \"ParentProcessId\": \"11768266\", \"SourceProcessId\": \"11768266\", \"aip\": \"44.234.227.80\", \"SHA1HashData\": \"0000000000000000000000000000000000000000\", \"UserSid\": \"S-1-5-19\", \"event_platform\": \"Win\", \"TokenType\": \"2\", \"ProcessEndTime\": \"1661022378.014\", \"AuthenticodeHashData\": \"c5b30718753807fa40ef115c94d3725091502e6257dcec13265d6566f4715654\", \"ParentBaseFileName\": \"services.exe\", \"ImageSubsystem\": \"2\", \"id\": \"2372a290-20bb-11ed-bb96-0685b11669dd\", \"EffectiveTransmissionClass\": \"3\", \"SessionId\": \"0\", \"Tags\": \"41, 53, 54, 55, 185, 874, 924, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234\", \"timestamp\": \"1661022364404\", \"event_simpleName\": \"ProcessRollup2\", \"RawProcessId\": \"4164\", \"ConfigStateHash\": \"2764996830\", \"MD5HashData\": \"33ee2de3cd0bdf7d6488a920f4f4eddb\", \"SHA256HashData\": \"e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6\", \"ProcessSxsFlags\": \"64\", \"AuthenticationId\": \"997\", \"ConfigBuild\": \"1007.3.0015406.1\", \"WindowFlags\": \"128\", \"CommandLine\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc\", \"ParentAuthenticationId\": \"997\", \"TargetProcessId\": \"7355100886\", \"ImageFileName\": \"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\svchost.exe\", \"SourceThreadId\": \"311002349766\", \"Entitlements\": \"15\", \"name\": \"ProcessRollup2V19\", \"ProcessStartTime\": \"1661022364.014\", \"ProcessParameterFlags\": \"8193\", \"aid\": \"12c684659c3842e19f0bfb2b23037bbd\", \"SignInfoFlags\": \"9175042\", \"cid\": \"5ddb0407bef249c19c7a975f17979a1f\"\n}", "event": { "action": "ProcessRollup2", - "type": [ - "info" - ], "category": [ 
"process" + ], + "type": [ + "info" ] }, "@timestamp": "2022-08-20T19:06:04.404000Z", - "process": { - "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", - "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", - "thread": { - "id": 311002349766 - }, - "parent": { - "executable": "services.exe", - "pid": 11768266 - }, - "end": "2022-08-20T19:06:18.014000Z", - "start": "2022-08-20T19:06:04.014000Z", - "pid": 4164 - }, - "user": { - "id": "S-1-5-19" - }, "agent": { "id": "12c684659c3842e19f0bfb2b23037bbd" }, - "file": { - "hash": { - "sha1": "0000000000000000000000000000000000000000", - "sha256": "e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6", - "md5": "33ee2de3cd0bdf7d6488a920f4f4eddb" - } - }, "crowdstrike": { "customer_id": "5ddb0407bef249c19c7a975f17979a1f" }, - "source": { - "nat": { - "ip": "44.234.227.80" + "file": { + "hash": { + "md5": "33ee2de3cd0bdf7d6488a920f4f4eddb", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "e9c5a42bdcca52bd24b095eae55dbc5c63a0918fa9b43717e389b470c4accdf6" } }, "host": { @@ -2086,6 +2064,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "process": { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", + "end": "2022-08-20T19:06:18.014000Z", + "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", + "parent": { + "executable": "services.exe", + "pid": 11768266 + }, + "pid": 4164, + "start": "2022-08-20T19:06:04.014000Z", + "thread": { + "id": 311002349766 + } + }, "related": { "hash": [ "0000000000000000000000000000000000000000", @@ -2095,6 +2087,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "44.234.227.80" ] + }, + "source": { + "nat": { + "ip": "44.234.227.80" + } + }, + "user": { + "id": "S-1-5-19" } } 
diff --git a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md index 106a346663..e5eb18b618 100644 --- a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md +++ b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md @@ -28,25 +28,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-07-02T13:45:50.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"err\",\"EventTime\" : \"2019-07-02T13:45:50+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): conversation failed\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:45:50Z\"},\"category\" : \"authpriv\",\"level\" : \"err\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "error", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-07-02T13:45:50Z", + "action": { + "name": "sudo:auth", + "outcome": "failure", + "type": "open" + }, "azure_linux": { "message": "pam_unix(sudo:auth): conversation failed" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "error" + }, "os": { "family": "linux", "platform": "linux" - }, - "action": { - "name": "sudo:auth", - "type": "open", - "outcome": "failure" - }, - "host": { - "name": "LinuxRedhatDesktop" } } 
@@ -59,33 +59,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-07-02T13:46:32.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"crit\",\"EventTime\" : \"2019-07-02T13:46:32+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): auth could not identify password for [omsagent]\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:32Z\"},\"category\" : \"authpriv\",\"level\" : \"crit\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "critical", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-07-02T13:46:32Z", + "action": { + "name": "sudo:auth", + "outcome": "failure", + "type": "open" + }, "azure_linux": { "message": "pam_unix(sudo:auth): auth could not identify password for [omsagent]" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "critical" + }, "os": { "family": "linux", "platform": "linux" }, - "action": { - "name": "sudo:auth", - "type": "open", - "outcome": "failure" - }, - "user": { - "name": "omsagent" - }, "related": { "user": [ "omsagent" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "omsagent" } } 
@@ -98,35 +98,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:50:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"21188\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD (/usr/lib64/sa/sa1 1 1)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:50:01Z", "azure_linux": { "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)" }, - "process": { - "parent": { - "pid": 21188 - }, - "command_line": "/usr/lib64/sa/sa1 1 1", - "executable": "/usr/lib64/sa/sa1" + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" }, "os": { "family": "linux", "platform": "linux" }, - "user": { - "name": "root" + "process": { + "command_line": "/usr/lib64/sa/sa1 1 1", + "executable": "/usr/lib64/sa/sa1", + "parent": { + "pid": 21188 + } }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } 
@@ -139,34 +139,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:29:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"16373\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:29:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD ([ -f /etc/krb5.keytab ] && [ \\\\( ! -f /etc/opt/omi/creds/omi.keytab \\\\) -o \\\\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\\\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:29:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:29:01Z", "azure_linux": { "message": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)" }, - "process": { - "parent": { - "pid": 16373 - }, - "command_line": "[ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true" + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" }, "os": { "family": "linux", "platform": "linux" }, - "user": { - "name": "root" + "process": { + "command_line": "[ -f /etc/krb5.keytab ] && [ \\( ! 
-f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true", + "parent": { + "pid": 16373 + } }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } @@ -179,33 +179,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:50:51.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sshd\",\"pid\" : \"14020\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:51+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"Received disconnect from 185.122.161.248 port 39070:11: disconnected by user\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:51Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:50:51Z", "azure_linux": { "message": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user" }, - "process": { - "pid": 14020 + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" }, "os": { "family": "linux", "platform": "linux" }, - "source": { - "ip": "185.122.161.248", - "port": 39070, - "address": "185.122.161.248" + "process": { + "pid": 14020 }, "related": { "ip": [ "185.122.161.248" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "source": { + "address": "185.122.161.248", + "ip": "185.122.161.248", + "port": 39070 } } 
@@ -218,36 +218,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:48:18.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-06-27T14:48:18+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:18Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:48:18Z", + "action": { + "outcome": "success" + }, "azure_linux": { "message": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" + }, "os": { "family": "linux", "platform": "linux" }, - "user": { - "name": "root" - }, "process": { "command_line": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", "executable": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", "working_directory": "/opt/microsoft/omsconfig/Scripts/2.6x-2.7x" }, - "action": { - "outcome": "success" - }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } 
@@ -260,36 +260,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-07-02T13:46:15.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-07-02T13:46:15+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:15Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-07-02T13:46:15Z", + "action": { + "outcome": "success" + }, "azure_linux": { "message": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" + }, "os": { "family": "linux", "platform": "linux" }, - "user": { - "name": "root" - }, "process": { "command_line": "/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log", "executable": "/bin/test", "working_directory": "/" }, - "action": { - "outcome": "success" - }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } 
@@ -302,33 +302,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session closed for user root\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:48:28Z", + "action": { + "name": "sudo:session", + "outcome": "success", + "type": "close" + }, "azure_linux": { "message": "pam_unix(sudo:session): session closed for user root" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" + }, "os": { "family": "linux", "platform": "linux" }, - "action": { - "name": "sudo:session", - "type": "close", - "outcome": "success" - }, - "user": { - "name": "root" - }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } 
@@ -341,33 +341,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session opened for user root by (uid=0)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-06-27T14:48:28Z", + "action": { + "name": "sudo:session", + "outcome": "success", + "type": "open" + }, "azure_linux": { "message": "pam_unix(sudo:session): session opened for user root by (uid=0)" }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" + }, "os": { "family": "linux", "platform": "linux" }, - "action": { - "name": "sudo:session", - "type": "open", - "outcome": "success" - }, - "user": { - "name": "root" - }, "related": { "user": [ "root" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "root" } } 
@@ -380,33 +380,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"time\" : \"2019-07-02T14:15:01.0000000Z\",\"resourceId\": \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"systemd\",\"Ignore\" : \"syslog\",\"Facility\" : \"daemon\",\"Severity\" : \"info\",\"EventTime\" : \"2019-07-02T14:15:01+0000\",\"SendingHost\": \"localhost\",\"Msg\" : \"Started Session 13124 of user omsagent.\",\"hostname\": \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T14:15:01Z\"},\"category\" : \"daemon\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "log": { - "level": "info", - "hostname": "LinuxRedhatDesktop" - }, "@timestamp": "2019-07-02T14:15:01Z", + "action": { + "name": "systemd:session", + "outcome": "success", + "type": "open" + }, "azure_linux": { "message": "Started Session 13124 of user omsagent." }, + "host": { + "name": "LinuxRedhatDesktop" + }, + "log": { + "hostname": "LinuxRedhatDesktop", + "level": "info" + }, "os": { "family": "linux", "platform": "linux" }, - "user": { - "name": "omsagent" - }, - "action": { - "type": "open", - "name": "systemd:session", - "outcome": "success" - }, "related": { "user": [ "omsagent" ] }, - "host": { - "name": "LinuxRedhatDesktop" + "user": { + "name": "omsagent" } } diff --git a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md index cf55c5546e..8678f97ef3 100644 --- a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md +++ b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md 
@@ -36,25 +36,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Action\":\"block\",\"ClientIP\":\"113.206.179.28\",\"ClientRequestHost\":\"foo-bar-baz.xyz\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/static/favicon.ico\",\"ClientRequestQuery\":\"\",\"Datetime\":1657630626219000000,\"EdgeResponseStatus\":403,\"RayID\":\"7299f155dda47d6b\"}", "event": { "action": "block", - "kind": "event", "category": [ "network" ], "dataset": "firewall-events", + "kind": "event", "type": [ "denied" ] }, - "source": { - "ip": "113.206.179.28", - "address": "113.206.179.28" - }, "@timestamp": "2022-07-12T12:57:06.219000Z", + "cloudflare": { + "EdgeResponseStatus": 403, + "RayID": "7299f155dda47d6b" + }, "destination": { - "domain": "foo-bar-baz.xyz", "address": "foo-bar-baz.xyz", - "top_level_domain": "xyz", - "registered_domain": "foo-bar-baz.xyz" + "domain": "foo-bar-baz.xyz", + "registered_domain": "foo-bar-baz.xyz", + "top_level_domain": "xyz" }, "http": { "request": { @@ -64,19 +64,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 403 } }, - "url": { - "domain": "foo-bar-baz.xyz", - "path": "/static/favicon.ico", - "top_level_domain": "xyz", - "registered_domain": "foo-bar-baz.xyz" - }, "observer": { - "vendor": "Cloudflare", - "type": "firewall" - }, - "cloudflare": { - "EdgeResponseStatus": 403, - "RayID": "7299f155dda47d6b" + "type": "firewall", + "vendor": "Cloudflare" }, "related": { "hosts": [ @@ -85,6 +75,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "113.206.179.28" ] + }, + "source": { + "address": "113.206.179.28", + "ip": "113.206.179.28" + }, + "url": { + "domain": "foo-bar-baz.xyz", + "path": "/static/favicon.ico", + "registered_domain": "foo-bar-baz.xyz", + "top_level_domain": "xyz" } } 
@@ -99,78 +99,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Action\":\"block\",\"ClientASN\":4562,\"ClientASNDescription\":\"PERFORMIVE\",\"ClientCountry\":\"us\",\"ClientIP\":\"10.6.12.26\",\"ClientIPClass\":\"noRecord\",\"ClientRefererHost\":\"\",\"ClientRefererPath\":\"\",\"ClientRefererQuery\":\"\",\"ClientRefererScheme\":\"\",\"ClientRequestHost\":\"foo-bar-baz.xyz\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/.env\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestQuery\":\"\",\"ClientRequestScheme\":\"http\",\"ClientRequestUserAgent\":\"Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30\",\"Datetime\":1669858111716000000,\"EdgeColoCode\":\"EWR\",\"EdgeResponseStatus\":403,\"Kind\":\"firewall\",\"MatchIndex\":0,\"Metadata\":{\"group\":\"cloudflare_specials\",\"rule_message\":\"Version Control - Information Disclosure\"},\"OriginResponseStatus\":0,\"OriginatorRayID\":\"00\",\"RayID\":\"77280bee38a6c461\",\"RuleID\":\"100016\",\"Source\":\"waf\"}", "event": { "action": "block", - "kind": "event", "category": [ "network" ], "dataset": "firewall-events", + "kind": "event", + "module": "cloudflare.waf", "type": [ "denied" - ], - "module": "cloudflare.waf" - }, - "source": { - "ip": "10.6.12.26", - "geo": { - "country_name": "us" - }, - "address": "10.6.12.26" + ] }, "@timestamp": "2022-12-01T01:28:31.716000Z", + "cloudflare": { + "ClientIPClass": "noRecord", + "ClientRefererHost": "", + "ClientRefererPath": "", + "ClientRefererQuery": "", + "ClientRefererScheme": "", + "EdgeColoCode": "EWR", + "EdgeResponseStatus": 403, + "Kind": "firewall", + "OriginResponseStatus": 0, + "OriginatorRayID": "00", + "RayID": "77280bee38a6c461", + "source": "waf" + }, "destination": { - "domain": "foo-bar-baz.xyz", "address": "foo-bar-baz.xyz", - "top_level_domain": "xyz", - "registered_domain": 
"foo-bar-baz.xyz" + "domain": "foo-bar-baz.xyz", + "registered_domain": "foo-bar-baz.xyz", + "top_level_domain": "xyz" }, "http": { "request": { "method": "GET" }, - "version": "HTTP/1.1", "response": { "status_code": 403 - } - }, - "url": { - "domain": "foo-bar-baz.xyz", - "path": "/.env", - "scheme": "http", - "top_level_domain": "xyz", - "registered_domain": "foo-bar-baz.xyz" - }, - "user_agent": { - "original": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", - "device": { - "name": "XiaoMi HM NOTE 1W" }, - "name": "UC Browser", - "version": "11.0.5", - "os": { - "name": "Android", - "version": "4.4.2" - } + "version": "HTTP/1.1" }, "network": { "protocol": "HTTP/1.1" }, "observer": { - "vendor": "Cloudflare", - "type": "firewall" - }, - "cloudflare": { - "ClientIPClass": "noRecord", - "ClientRefererHost": "", - "ClientRefererPath": "", - "ClientRefererQuery": "", - "ClientRefererScheme": "", - "EdgeColoCode": "EWR", - "EdgeResponseStatus": 403, - "Kind": "firewall", - "OriginResponseStatus": 0, - "OriginatorRayID": "00", - "RayID": "77280bee38a6c461", - "source": "waf" + "type": "firewall", + "vendor": "Cloudflare" }, "related": { "hosts": [ 
@@ -179,6 +153,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "10.6.12.26" ] + }, + "source": { + "address": "10.6.12.26", + "geo": { + "country_name": "us" + }, + "ip": "10.6.12.26" + }, + "url": { + "domain": "foo-bar-baz.xyz", + "path": "/.env", + "registered_domain": "foo-bar-baz.xyz", + "scheme": "http", + "top_level_domain": "xyz" + }, + "user_agent": { + "device": { + "name": "XiaoMi HM NOTE 1W" + }, + "name": "UC Browser", + "original": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", + "os": { + "name": "Android", + "version": "4.4.2" + }, + "version": "11.0.5" } } diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index da316b22bf..88311f45a1 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md @@ -41,12 +41,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2019-06-24T09:21:27.369418Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Add unverified domain", + "outcome": "success", "properties": [ { "name": "Name", 
@@ -60,30 +57,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ], "target": "user", - "outcome": "success", "type": "add" }, "azuread": { - "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", - "operationName": "Add unverified domain", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d", - "durationMs": 0, "correlationId": "2f006047-a6d9-4fca-847a-fffdb209fa4d", + "durationMs": 0, + "operationName": "Add unverified domain", + "operationVersion": "1.0", "properties": { - "id": "Directory_5P1YA_52883815", - "correlationId": "2f006047-a6d9-4fca-847a-fffdb209fa4d" - } - }, - "user": { - "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", - "name": "exampleuser_gmail.com#EXT#@exampleuser.onmicrosoft.com" + "correlationId": "2f006047-a6d9-4fca-847a-fffdb209fa4d", + "id": "Directory_5P1YA_52883815" + }, + "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", + "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d" }, "related": { "user": [ "exampleuser_gmail.com#EXT#@exampleuser.onmicrosoft.com" ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "user": { + "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", + "name": "exampleuser_gmail.com#EXT#@exampleuser.onmicrosoft.com" } } @@ -102,12 +102,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2020-01-02T13:36:37.951568Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Add member to group", + "outcome": "success", "properties": [ { "name": "Group.ObjectID", 
@@ -125,37 +122,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "oldValue": "" }, { - "name": "example.user@corp.net", "id": "e6285600-5ec8-4ea4-89fc-40db84049b26", + "name": "example.user@corp.net", "type": "targetedUser" } ], "target": "user", - "outcome": "success", "type": "assign" }, "azuread": { - "resourceId": "/tenants/29218bde-dc31-4e0d-969b-bac924ce3216/providers/Microsoft.aadiam", - "operationName": "Add member to group", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "29218bde-dc31-4e0d-969b-bac924ce3216", - "durationMs": 0, "correlationId": "93154481-5703-42a7-89a5-b7de6fbace8e", + "durationMs": 0, "identity": "Microsoft Teams Services", + "operationName": "Add member to group", + "operationVersion": "1.0", "properties": { - "id": "Directory_FI4U8_64698073", - "correlationId": "93154481-5703-42a7-89a5-b7de6fbace8e" - } - }, - "user": { - "id": "1de0a2d4-340e-4d98-b060-2dec8434481a", - "name": "Microsoft Teams Services" + "correlationId": "93154481-5703-42a7-89a5-b7de6fbace8e", + "id": "Directory_FI4U8_64698073" + }, + "resourceId": "/tenants/29218bde-dc31-4e0d-969b-bac924ce3216/providers/Microsoft.aadiam", + "tenantId": "29218bde-dc31-4e0d-969b-bac924ce3216" }, "related": { "user": [ "Microsoft Teams Services" ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "user": { + "id": "1de0a2d4-340e-4d98-b060-2dec8434481a", + "name": "Microsoft Teams Services" } } 
@@ -169,18 +169,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\": \"2019-06-24T09:18:23.5860200Z\",\"resourceId\": \"/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam\",\"operationName\": \"Add service principal\",\"operationVersion\": \"1.0\",\"category\": \"AuditLogs\",\"tenantId\": \"f6b9ca1d-c995-41bd-ac32-5fba5580215d\",\"resultSignature\": \"None\",\"resultDescription\": \"Microsoft.Online.Workflows.SpnValidationException\",\"durationMs\": 0,\"callerIpAddress\": \"\",\"correlationId\": \"191e390a-0c29-41e1-874b-c57ca3599213\",\"identity\": \"Microsoft Azure AD Internal - Jit Provisioning\",\"level\": \"Informational\",\"properties\": {\"id\": \"Directory_GMR7H_185505965\",\"category\": \"ApplicationManagement\",\"correlationId\": \"191e390a-0c29-41e1-874b-c57ca3599213\",\"result\": \"failure\",\"resultReason\": \"Microsoft.Online.Workflows.SpnValidationException\",\"activityDisplayName\": \"Add service principal\",\"activityDateTime\": \"2019-06-24T09:18:23.58602+00:00\",\"loggedByService\": \"Core Directory\",\"operationType\": \"Add\",\"initiatedBy\": {},\"targetResources\": [{\"id\": \"224fe45d-b5c4-44e7-ace4-7bea31600122\",\"displayName\": \"Azure AD Identity Protection\",\"type\": \"ServicePrincipal\",\"modifiedProperties\": [{\"displayName\": \"AccountEnabled\",\"oldValue\": \"[]\",\"newValue\": \"[true]\"},{\"displayName\": \"AppAddress\",\"oldValue\": \"[]\",\"newValue\": \"[{\\\"AddressType\\\":0,\\\"Address\\\":\\\"https://main.protectioncenter.ext.azure.com\\\",\\\"ReplyAddressClientType\\\":0},{\\\"AddressType\\\":0,\\\"Address\\\":\\\"https://s2.cloudappdiscovery.ext.azure.com/\\\",\\\"ReplyAddressClientType\\\":0}]\"},{\"displayName\": \"AppPrincipalId\",\"oldValue\": \"[]\",\"newValue\": \"[\\\"fc68d9e5-1f76-45ef-99aa-214805418498\\\"]\"},{\"displayName\": \"DisplayName\",\"oldValue\": \"[]\",\"newValue\": \"[\\\"Azure AD Identity Protection\\\"]\"},{\"displayName\": 
\"ServicePrincipalName\",\"oldValue\": \"[]\",\"newValue\": \"[\\\"https://s2.cloudappdiscovery.ext.azure.com/\\\",\\\"https://main.protectioncenter.ext.azure.com\\\",\\\"fc68d9e5-1f76-45ef-99aa-214805418498\\\"]\"},{\"displayName\": \"Credential\",\"oldValue\": \"[]\",\"newValue\": \"[{\\\"CredentialType\\\":2,\\\"KeyStoreId\\\":\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\\"KeyGroupId\\\":\\\"375eb77d-1d23-462b-9be7-cb51db9123e3\\\"}]\"},{\"displayName\": \"Included Updated Properties\",\"oldValue\": null,\"newValue\": \"\\\"AccountEnabled, AppAddress, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\\\"\"},{\"displayName\": \"MethodExecutionResult.\",\"oldValue\": null,\"newValue\": \"\\\"Microsoft.Online.Workflows.SpnValidationException\\\"\"},{\"displayName\": \"TargetId.ServicePrincipalNames\",\"oldValue\": null,\"newValue\": \"\\\"https://s2.cloudappdiscovery.ext.azure.com/;https://main.protectioncenter.ext.azure.com;fc68d9e5-1f76-45ef-99aa-214805418498\\\"\"}]}],\"additionalDetails\": []}}", "event": { - "reason": "Microsoft.Online.Workflows.SpnValidationException", "category": [ "iam" - ] + ], + "reason": "Microsoft.Online.Workflows.SpnValidationException" }, "@timestamp": "2019-06-24T09:18:23.586020Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Add service principal", + "outcome": "failure", + "outcome_reason": "Microsoft.Online.Workflows.SpnValidationException", "properties": [ { "name": "AccountEnabled", 
@@ -223,23 +221,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "oldValue": "" } ], - "outcome_reason": "Microsoft.Online.Workflows.SpnValidationException", - "outcome": "failure", "type": "add" }, "azuread": { - "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", - "operationName": "Add service principal", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d", - "durationMs": 0, "correlationId": "191e390a-0c29-41e1-874b-c57ca3599213", + "durationMs": 0, "identity": "Microsoft Azure AD Internal - Jit Provisioning", + "operationName": "Add service principal", + "operationVersion": "1.0", "properties": { - "id": "Directory_GMR7H_185505965", - "correlationId": "191e390a-0c29-41e1-874b-c57ca3599213" - } + "correlationId": "191e390a-0c29-41e1-874b-c57ca3599213", + "id": "Directory_GMR7H_185505965" + }, + "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", + "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d" + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" } } @@ -258,12 +258,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2019-06-24T09:29:28.624272Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Add user", + "outcome": "success", "properties": [ { "name": "AccountEnabled", 
@@ -286,37 +283,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "oldValue": "[]" }, { - "name": "jean.dupont@usergmail.onmicrosoft.com", "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3", + "name": "jean.dupont@usergmail.onmicrosoft.com", "type": "targetedUser" } ], "target": "user", - "outcome": "success", "type": "add" }, "azuread": { - "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", - "operationName": "Add user", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d", - "durationMs": 0, "correlationId": "d40fb664-9901-4cfa-bd3b-afeff8d6b0de", + "durationMs": 0, + "operationName": "Add user", + "operationVersion": "1.0", "properties": { - "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com", + "correlationId": "d40fb664-9901-4cfa-bd3b-afeff8d6b0de", "id": "Directory_HR9C4_45223131", - "correlationId": "d40fb664-9901-4cfa-bd3b-afeff8d6b0de" - } - }, - "user": { - "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", - "name": "user_gmail.com#EXT#@usergmail.onmicrosoft.com" + "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com" + }, + "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", + "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d" }, "related": { "user": [ "user_gmail.com#EXT#@usergmail.onmicrosoft.com" ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "user": { + "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", + "name": "user_gmail.com#EXT#@usergmail.onmicrosoft.com" } } 
@@ -338,51 +338,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2020-09-28T10:12:41.410424Z", - "service": { - "type": "ldap", - "name": "Windows Azure Active Directory" - }, - "user": { - "id": "913f4b76-e10f-4f1c-aaf1-09356389319b", - "name": "jane.doe@sekoiacorp.onmicrosoft.com" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "81.0", - "os": { - "name": "Windows", - "version": "10" - } - }, - "source": { - "ip": "11.11.11.11", - "address": "11.11.11.11" + "action": { + "name": "authentication", + "target": "user" }, "azuread": { - "resourceId": "00000002-0000-0000-c000-000000000000", - "correlationId": "26e7584c-876b-425f-9119-49b411e21365", - "tokenIssuerType": "AzureAD", - "resourceTenantId": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2", - "authenticationRequirementPolicies": [], - "authenticationRequirement": "multiFactorAuthentication", "authenticationDetails": [ { - "authenticationStepDateTime": "2020-09-28T10:12:41.4104242Z", "authenticationMethod": null, "authenticationMethodDetail": null, - "succeeded": true, + "authenticationStepDateTime": "2020-09-28T10:12:41.4104242Z", + "authenticationStepRequirement": "User", "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", - "authenticationStepRequirement": "User" + "succeeded": true } - ] - }, - "action": { - "target": "user", - "name": "authentication" + ], + "authenticationRequirement": "multiFactorAuthentication", + "authenticationRequirementPolicies": [], + "correlationId": "26e7584c-876b-425f-9119-49b411e21365", + "resourceId": "00000002-0000-0000-c000-000000000000", + "resourceTenantId": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2", + "tokenIssuerType": "AzureAD" }, "host": { "os": { 
@@ -396,6 +372,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jane.doe@sekoiacorp.onmicrosoft.com" ] + }, + "service": { + "name": "Windows Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "11.11.11.11", + "ip": "11.11.11.11" + }, + "user": { + "id": "913f4b76-e10f-4f1c-aaf1-09356389319b", + "name": "jane.doe@sekoiacorp.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "81.0" } } 
@@ -414,45 +414,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2019-06-24T09:32:07.463722Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Change user password", + "outcome": "success", "properties": [ { - "name": "jean.dupont@usergmail.onmicrosoft.com", "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3", + "name": "jean.dupont@usergmail.onmicrosoft.com", "type": "targetedUser" } ], "target": "user", - "outcome": "success", "type": "update" }, "azuread": { - "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", - "operationName": "Change user password", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d", - "durationMs": 0, "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca", + "durationMs": 0, + "operationName": "Change user password", + "operationVersion": "1.0", "properties": { - "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com", + "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca", "id": "Directory_1PF86_84995790", - "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca" - } - }, - "user": { - "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3", - "name": "jean.dupont@usergmail.onmicrosoft.com" + "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com" + }, + "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", + "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d" }, "related": { "user": [ "jean.dupont@usergmail.onmicrosoft.com" ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "user": { + "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3", + "name": "jean.dupont@usergmail.onmicrosoft.com" } } 
@@ -471,64 +471,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-04-05T13:07:16.779653Z", - "service": { - "type": "ldap", - "name": "Office 365 Exchange Online" - }, "action": { "name": "Sign-in activity" }, "azuread": { - "resourceId": "/tenants/e6eb2b5c-ad71-4c33-9856-1ed49b85bfe2/providers/Microsoft.aadiam", - "operationName": "Sign-in activity", - "operationVersion": "1.0", + "Level": 4, + "callerIpAddress": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "category": "SignInLogs", - "tenantId": "e6eb2b5c-ad71-4c33-9856-1ed49b85bfe2", - "durationMs": 0, "correlationId": "7ee10819-f631-4ab1-8edb-4efb7286baba", + "durationMs": 0, "identity": "DUPONT Jean", - "Level": 4, - "callerIpAddress": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", + "operationName": "Sign-in activity", + "operationVersion": "1.0", "properties": { - "id": "b2fdcc8f-954d-4d88-a035-58daefab4f00", + "appDisplayName": "Office 365 Exchange Online", + "authenticationProtocol": "ropc", "correlationId": "7ee10819-f631-4ab1-8edb-4efb7286baba", - "riskState": "none", + "id": "b2fdcc8f-954d-4d88-a035-58daefab4f00", "riskDetail": "none", - "riskLevelAggregated": "none", - "riskLevelDuringSignIn": "none", "riskEventTypes": [], "riskEventTypes_v2": [], - "authenticationProtocol": "ropc", - "appDisplayName": "Office 365 Exchange Online", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", "status": { "errorCode": "0" } - } + }, + "resourceId": "/tenants/e6eb2b5c-ad71-4c33-9856-1ed49b85bfe2/providers/Microsoft.aadiam", + "tenantId": "e6eb2b5c-ad71-4c33-9856-1ed49b85bfe2" + }, + "related": { + "ip": [ + "2001:db8:85a3::8a2e:370:7334" + ] + }, + "service": { + "name": "Office 365 Exchange Online", + "type": "ldap" }, "source": { - "ip": "2001:db8:85a3::8a2e:370:7334", - "address": "2001:db8:85a3::8a2e:370:7334" + "address": "2001:db8:85a3::8a2e:370:7334", + "ip": "2001:db8:85a3::8a2e:370:7334" }, "user": { - "full_name": 
"DUPONT Jean", - "email": "jean.dupont@corp.com" + "email": "jean.dupont@corp.com", + "full_name": "DUPONT Jean" }, "user_agent": { - "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)", "device": { "name": "Other" }, "name": "Outlook", - "version": "2016", + "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "ip": [ - "2001:db8:85a3::8a2e:370:7334" - ] + }, + "version": "2016" } } 
@@ -547,38 +547,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2019-06-24T09:21:50.041890Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Remove unverified domain", + "outcome": "success", "properties": [], "target": "user", - "outcome": "success", "type": "delete" }, "azuread": { - "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", - "operationName": "Remove unverified domain", - "operationVersion": "1.0", "category": "AuditLogs", - "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d", - "durationMs": 0, "correlationId": "d60a1c27-11fa-4777-a349-c6c26ef33348", + "durationMs": 0, + "operationName": "Remove unverified domain", + "operationVersion": "1.0", "properties": { - "id": "Directory_NFSWZ_16832133", - "correlationId": "d60a1c27-11fa-4777-a349-c6c26ef33348" - } - }, - "user": { - "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", - "name": "use_gmail.com#EXT#@usegmail.onmicrosoft.com" + "correlationId": "d60a1c27-11fa-4777-a349-c6c26ef33348", + "id": "Directory_NFSWZ_16832133" + }, + "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam", + "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d" }, "related": { "user": [ "use_gmail.com#EXT#@usegmail.onmicrosoft.com" ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "user": { + "id": "158c144c-4c1d-4eb4-be08-f2732c8338fd", + "name": "use_gmail.com#EXT#@usegmail.onmicrosoft.com" } } 
@@ -592,80 +592,80 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-03-30T14:52:21.7062186Z\",\"resourceId\":\"/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"category\":\"SignInLogs\",\"tenantId\":\"34314e6e-4023-4e4b-a15e-143f63244e2b\",\"resultType\":\"50158\",\"resultSignature\":\"None\",\"resultDescription\":\"External security challenge was not satisfied.\",\"durationMs\":0,\"callerIpAddress\":\"11.11.11.11\",\"correlationId\":\"e68960e2-8996-448c-ba7a-e54eeb8ff2ed\",\"identity\":\"User Name\",\"Level\":4,\"location\":\"FR\",\"properties\":{\"id\":\"22253f56-6fc4-45f2-b148-d7fe15504900\",\"createdDateTime\":\"2022-03-30T14:52:21.7062186+00:00\",\"userDisplayName\":\"User Name\",\"userPrincipalName\":\"User.Name@corp.name\",\"userId\":\"469a0b32-4a8d-4b73-89aa-25ab78df7523\",\"appId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"appDisplayName\":\"Office365 Shell WCSS-Client\",\"ipAddress\":\"11.11.11.11\",\"status\":{\"errorCode\":50158,\"failureReason\":\"External security challenge was not satisfied.\"},\"clientAppUsed\":\"Browser\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36\",\"deviceDetail\":{\"deviceId\":\"\",\"operatingSystem\":\"Windows 10\",\"browser\":\"Chrome 99.0.4844\"},\"location\":{\"city\":\"Bordeaux\",\"state\":\"Gironde\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":44.84040069580078,\"longitude\":-0.5805000066757202}},\"correlationId\":\"e68960e2-8996-448c-ba7a-e54eeb8ff2ed\",\"conditionalAccessStatus\":\"failure\",\"appliedConditionalAccessPolicies\":[{\"id\":\"bc737765-a8db-4902-8000-f389a97feefd\",\"displayName\":\"Check Point Harmony MFA\",\"enforcedGrantControls\":[\"Checkpoint Custom 
Control\"],\"enforcedSessionControls\":[],\"result\":\"failure\",\"conditionsSatisfied\":3,\"conditionsNotSatisfied\":0},{\"id\":\"174e7650-f969-47fc-bbd5-83e633e0925e\",\"displayName\":\"Access Control Nine Work for Android\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"5fbf9306-99b8-4781-b5fc-81a0787fb289\",\"displayName\":\"Access Control PowerBI (Poste de travail)\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"d1144840-7d4a-44eb-83f1-543c15f89eb8\",\"displayName\":\"Access Control Snowflake\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"90c5434d-decc-4195-b7f9-024cd39fdca4\",\"displayName\":\"Access Control PowerBI (Mobile)\",\"enforcedGrantControls\":[],\"enforcedSessionControls\":[],\"result\":\"notEnabled\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":0},{\"id\":\"989ecd36-d0e1-4990-bd92-b08250fd45f3\",\"displayName\":\"Access Control Gmail\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"fead0f30-10f4-4472-8bc1-c119d511154d\",\"displayName\":\"MFA Cycloid\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"6d0db7f6-3263-48b4-84e9-9c37c3959161\",\"displayName\":\"Block - Webmail Exchange Online\",\"enforcedGrantControls\":[\"Block\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":0,\"conditionsNotSatisfied\":1},{\"id\":\"0ba349bc-748a-4108-b103-298ccd5b1d3f\",\"displayName\":\"Require MFA - Privileged 
accounts\",\"enforcedGrantControls\":[\"Mfa\"],\"enforcedSessionControls\":[],\"result\":\"notApplied\",\"conditionsSatisfied\":1,\"conditionsNotSatisfied\":2}],\"originalRequestId\":\"22253f56-6fc4-45f2-b148-d7fe15504900\",\"isInteractive\":true,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"authenticationProcessingDetails\":[{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"Legacy TLS (TLS 1.0, 1.1, 3DES)\",\"value\":\"False\"},{\"key\":\"Oauth Scope Info\",\"value\":\"\"},{\"key\":\"Is CAE Token\",\"value\":\"False\"}],\"networkLocationDetails\":[{\"networkType\":\"trustedNamedLocation\",\"networkNames\":[\"IP corp\"]}],\"processingTimeInMilliseconds\":91,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Office365 Shell WCSS-Server\",\"resourceId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"resourceTenantId\":\"34314e6e-4023-4e4b-a15e-143f63244e2b\",\"homeTenantId\":\"34314e6e-4023-4e4b-a15e-143f63244e2b\",\"authenticationDetails\":[{\"authenticationStepDateTime\":\"2022-03-30T14:52:21.7062186+00:00\",\"authenticationMethod\":\"Previously satisfied\",\"succeeded\":true,\"authenticationStepResultDetail\":\"First factor requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"Primary authentication\",\"StatusSequence\":0,\"RequestSequence\":0}],\"authenticationRequirementPolicies\":[],\"authenticationRequirement\":\"singleFactorAuthentication\",\"servicePrincipalId\":\"\",\"userType\":\"Member\",\"flaggedForReview\":false,\"isTenantRestricted\":false,\"autonomousSystemNumber\":48744,\"crossTenantAccessType\":\"none\",\"privateLinkDetails\":{},\"ssoExtensionVersion\":\"\",\"uniqueTokenIdentifier\":\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\"incomingTokenType\":\"none\",\"authenticationProtocol\":\"none\"}}", "event": { - "reason": "External security challenge was not 
satisfied.", "category": [ "authentication" - ] + ], + "reason": "External security challenge was not satisfied." }, "@timestamp": "2022-03-30T14:52:21.706218Z", - "service": { - "type": "ldap", - "name": "Office365 Shell WCSS-Server" - }, "action": { "name": "Sign-in activity" }, "azuread": { - "resourceId": "/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam", - "operationName": "Sign-in activity", - "operationVersion": "1.0", + "Level": 4, + "callerIpAddress": "11.11.11.11", "category": "SignInLogs", - "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b", - "durationMs": 0, "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", + "durationMs": 0, "identity": "User Name", - "Level": 4, - "callerIpAddress": "11.11.11.11", + "operationName": "Sign-in activity", + "operationVersion": "1.0", "properties": { - "id": "22253f56-6fc4-45f2-b148-d7fe15504900", + "appDisplayName": "Office365 Shell WCSS-Client", + "authenticationProtocol": "none", "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", - "riskState": "none", + "id": "22253f56-6fc4-45f2-b148-d7fe15504900", "riskDetail": "none", - "riskLevelAggregated": "none", - "riskLevelDuringSignIn": "none", "riskEventTypes": [], "riskEventTypes_v2": [], - "authenticationProtocol": "none", - "appDisplayName": "Office365 Shell WCSS-Client", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", "status": { "errorCode": "50158", "failureReason": "External security challenge was not satisfied." 
} - } + }, + "resourceId": "/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam", + "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b" + }, + "related": { + "ip": [ + "11.11.11.11" + ] + }, + "service": { + "name": "Office365 Shell WCSS-Server", + "type": "ldap" }, "source": { - "ip": "11.11.11.11", + "address": "11.11.11.11", "geo": { "city_name": "Bordeaux", - "region_name": "Gironde", "country_iso_code": "FR", "location": { - "lon": -0.5805000066757202, - "lat": 44.84040069580078 - } + "lat": 44.84040069580078, + "lon": -0.5805000066757202 + }, + "region_name": "Gironde" }, - "address": "11.11.11.11" + "ip": "11.11.11.11" }, "user": { - "full_name": "User Name", - "email": "User.Name@corp.name" + "email": "User.Name@corp.name", + "full_name": "User Name" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "99.0.4844", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "ip": [ - "11.11.11.11" - ] + }, + "version": "99.0.4844" } } 
@@ -684,74 +684,74 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "@timestamp": "2022-03-31T12:26:46.019095Z",
- "service": {
- "type": "ldap",
- "name": "Windows Azure Active Directory"
- },
 "action": {
 "name": "Sign-in activity"
 },
 "azuread": {
- "resourceId": "/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam",
- "operationName": "Sign-in activity",
- "operationVersion": "1.0",
+ "Level": 4,
+ "callerIpAddress": "11.11.11.11",
 "category": "SignInLogs",
- "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b",
- "durationMs": 0,
 "correlationId": "467c1340-0762-40d2-b6fb-339235633ebb",
+ "durationMs": 0,
 "identity": "Admin Jean Dupont",
- "Level": 4,
- "callerIpAddress": "11.11.11.11",
+ "operationName": "Sign-in activity",
+ "operationVersion": "1.0",
 "properties": {
- "id": "8795994f-0bb8-46d7-8797-8c9c385d5900",
+ "appDisplayName": "Microsoft App Access Panel",
+ "authenticationProtocol": "none",
 "correlationId": "467c1340-0762-40d2-b6fb-339235633ebb",
- "riskState": "none",
+ "id": "8795994f-0bb8-46d7-8797-8c9c385d5900",
 "riskDetail": "none",
- "riskLevelAggregated": "none",
- "riskLevelDuringSignIn": "none",
 "riskEventTypes": [],
 "riskEventTypes_v2": [],
- "authenticationProtocol": "none",
- "appDisplayName": "Microsoft App Access Panel",
+ "riskLevelAggregated": "none",
+ "riskLevelDuringSignIn": "none",
+ "riskState": "none",
 "status": {
 "additionalDetails": "MFA requirement satisfied by claim in the token",
 "errorCode": "0"
 }
- }
+ },
+ "resourceId": "/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam",
+ "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b"
+ },
+ "related": {
+ "ip": [
+ "11.11.11.11"
+ ]
+ },
+ "service": {
+ "name": "Windows Azure Active Directory",
+ "type": "ldap"
 },
 "source": {
- "ip": "11.11.11.11",
+ "address": "11.11.11.11",
 "geo": {
 "city_name": "Bordeaux",
- "region_name": "Gironde",
 "country_iso_code": "FR",
 "location": {
- "lon": -0.5805000066757202,
- "lat": 44.84040069580078
- }
+ "lat": 44.84040069580078,
+ "lon": -0.5805000066757202
+ },
+ "region_name": "Gironde"
 },
- "address": "11.11.11.11"
+ "ip": "11.11.11.11"
 },
 "user": {
- "full_name": "Admin Jean Dupont",
- "email": "admin.jdupont@corp.net"
+ "email": "admin.jdupont@corp.net",
+ "full_name": "Admin Jean Dupont"
 },
 "user_agent": {
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
 "device": {
 "name": "Other"
 },
 "name": "Firefox",
- "version": "98.0",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
 "os": {
 "name": "Windows",
 "version": "10"
- }
- },
- "related": {
- "ip": [
- "11.11.11.11"
- ]
+ },
+ "version": "98.0"
 }
 }
@@ -770,45 +770,45 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "@timestamp": "2019-06-24T09:32:07.463722Z",
- "service": {
- "type": "ldap",
- "name": "Azure Active Directory"
- },
 "action": {
 "name": "Update StsRefreshTokenValidFrom Timestamp",
+ "outcome": "success",
 "properties": [
 {
- "name": "jean.dupont@usergmail.onmicrosoft.com",
 "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3",
+ "name": "jean.dupont@usergmail.onmicrosoft.com",
 "type": "targetedUser"
 }
 ],
 "target": "user",
- "outcome": "success",
 "type": "update"
 },
 "azuread": {
- "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam",
- "operationName": "Update StsRefreshTokenValidFrom Timestamp",
- "operationVersion": "1.0",
 "category": "AuditLogs",
- "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d",
- "durationMs": 0,
 "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca",
+ "durationMs": 0,
+ "operationName": "Update StsRefreshTokenValidFrom Timestamp",
+ "operationVersion": "1.0",
 "properties": {
- "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com",
+ "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca",
 "id": "Directory_1PF86_84995795",
- "correlationId": "fd39aead-f711-4c4f-b6a9-ced2c67f3fca"
- }
- },
- "user": {
- "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3",
- "name": "jean.dupont@usergmail.onmicrosoft.com"
+ "targetUserPrincipalName": "jean.dupont@usergmail.onmicrosoft.com"
+ },
+ "resourceId": "/tenants/f6b9ca1d-c995-41bd-ac32-5fba5580215d/providers/Microsoft.aadiam",
+ "tenantId": "f6b9ca1d-c995-41bd-ac32-5fba5580215d"
 },
 "related": {
 "user": [
 "jean.dupont@usergmail.onmicrosoft.com"
 ]
+ },
+ "service": {
+ "name": "Azure Active Directory",
+ "type": "ldap"
+ },
+ "user": {
+ "id": "bd8a55aa-6079-4742-8b1b-3f55a398dfc3",
+ "name": "jean.dupont@usergmail.onmicrosoft.com"
 }
 }
@@ -822,67 +822,67 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"time\":\"3/24/2022 2:42:35 PM\",\"resourceId\":\"/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"11.22.33.44\",\"correlationId\":\"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\",\"identity\":\"bar foo\",\"Level\":4,\"location\":\"fr\",\"properties\":{\"id\":\"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\",\"requestId\":\"d38b6ab7-65b0-419c-b83a-a5787d6fa100\",\"correlationId\":\"325294e4-4026-4cc7-889d-b4be570b3254\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"11.22.33.44\",\"location\":{\"city\":\"La Guaiserie\",\"state\":\"Loir-Et-Cher\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":47.45919,\"longitude\":2.21955}},\"activityDateTime\":\"2022-03-24T14:40:04.234Z\",\"detectedDateTime\":\"2022-03-24T14:40:04.234Z\",\"lastUpdatedDateTime\":\"2022-03-24T14:42:35.066Z\",\"userId\":\"4c64c30a-7a60-4211-bef1-5e4279854e85\",\"userDisplayName\":\"bar foo\",\"userPrincipalName\":\"foo.bar@corp.eu\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\"}}",
 "event": {
+ "category": [
+ "iam"
+ ],
 "reason": "unfamiliarFeatures",
 "type": [
 "connection"
- ],
- "category": [
- "iam"
 ]
 },
 "@timestamp": "2022-03-24T14:42:35Z",
- "service": {
- "type": "ldap",
- "name": "Azure Active Directory"
- },
 "action": {
 "name": "User Risk Detection"
 },
 "azuread": {
- "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
- "operationName": "User Risk Detection",
- "operationVersion": "1.0",
+ "Level": 4,
+ "callerIpAddress": "11.22.33.44",
 "category": "UserRiskEvents",
- "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad",
- "durationMs": 0,
 "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
+ "durationMs": 0,
 "identity": "bar foo",
- "Level": 4,
- "callerIpAddress": "11.22.33.44",
+ "operationName": "User Risk Detection",
+ "operationVersion": "1.0",
 "properties": {
+ "activity": "signin",
+ "correlationId": "325294e4-4026-4cc7-889d-b4be570b3254",
+ "detectionTimingType": "realtime",
 "id": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
 "requestId": "d38b6ab7-65b0-419c-b83a-a5787d6fa100",
- "correlationId": "325294e4-4026-4cc7-889d-b4be570b3254",
+ "riskDetail": "aiConfirmedSigninSafe",
 "riskEventType": "unfamiliarFeatures",
- "riskState": "dismissed",
 "riskLevel": "low",
- "riskDetail": "aiConfirmedSigninSafe",
- "source": "IdentityProtection",
- "detectionTimingType": "realtime",
- "activity": "signin"
- }
+ "riskState": "dismissed",
+ "source": "IdentityProtection"
+ },
+ "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
+ "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad"
+ },
+ "related": {
+ "ip": [
+ "11.22.33.44"
+ ]
+ },
+ "service": {
+ "name": "Azure Active Directory",
+ "type": "ldap"
 },
 "source": {
- "ip": "11.22.33.44",
+ "address": "11.22.33.44",
 "geo": {
 "city_name": "La Guaiserie",
- "region_name": "Loir-Et-Cher",
 "country_iso_code": "fr",
 "location": {
- "lon": 2.21955,
- "lat": 47.45919
- }
+ "lat": 47.45919,
+ "lon": 2.21955
+ },
+ "region_name": "Loir-Et-Cher"
 },
- "address": "11.22.33.44"
+ "ip": "11.22.33.44"
 },
 "user": {
- "full_name": "bar foo",
- "email": "foo.bar@corp.eu"
- },
- "related": {
- "ip": [
- "11.22.33.44"
- ]
+ "email": "foo.bar@corp.eu",
+ "full_name": "bar foo"
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
index cf77df94dc..d42b23a43a 100644
--- a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
+++ b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
@@ -32,30 +32,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cisco|C390 Email Security Appliance|14.0.0-698|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=123456789-54646546546 ESAMID=12356 ESAICID=123456 ESADCID=123456 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Aug 1 03:34:23 2022 dvc=1.1.1.1 ESAFriendlyFrom=noreply@corp.net ESAGMVerdict=NOT_EVALUATED startTime=Mon Aug 1 03:30:36 2022 deviceOutboundInterface=OutgoingMail deviceDirection=1 ESAMailFlowPolicy=RELAY suser=noreply@corp.net cs1Label=MailPolicy cs1=RestrictionEmetteur cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<123456@corp.net>' ESAMsgSize=3059 ESAOFVerdict=NOT_EVALUATED duser=foo@other-corp.com ESAHeloDomain=foo.bar.net ESAHeloIP=2.2.2.2 cfp1Label=SBRSScore cfp1= sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=2.2.2.2 msg='\\=?ISO-8859-15?Q?foo\\=20bar\\=20baz\\=20-\\=123456789?\\='\n\n",
 "event": {
- "severity": 5,
 "action": "DELIVERED",
- "reason": "'\\=?ISO-8859-15?Q?foo\\=20bar\\=20baz\\=20-\\=123456789?\\='",
 "end": "2022-08-01T03:34:23Z",
+ "reason": "'\\=?ISO-8859-15?Q?foo\\=20bar\\=20baz\\=20-\\=123456789?\\='",
+ "severity": 5,
 "start": "2022-08-01T03:30:36Z"
 },
 "@timestamp": "2022-08-01T03:30:36Z",
- "observer": {
- "vendor": "Cisco",
- "type": "C390 Email Security Appliance",
- "version": "14.0.0-698"
- },
- "rule": {
- "id": "ESA_CONSOLIDATED_LOG_EVENT"
- },
- "source": {
- "user": {
- "name": "noreply@corp.net"
- },
- "ip": "2.2.2.2",
- "address": "2.2.2.2"
- },
- "network": {
- "direction": "outbound"
+ "cef": {
+ "Name": "Consolidated Log Event",
+ "cfp1Label": "SBRSScore",
+ "cs1": "RestrictionEmetteur",
+ "cs1Label": "MailPolicy",
+ "cs2": "not enabled",
+ "cs2Label": "SenderCountry",
+ "cs4": "<123456@corp.net>",
+ "cs4Label": "ExternalMsgID"
 },
 "destination": {
 "user": {
@@ -66,31 +58,39 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "hostname": "unknown",
 "name": "unknown"
 },
- "server": {
- "ip": "1.1.1.1"
+ "network": {
+ "direction": "outbound"
 },
- "cef": {
- "cfp1Label": "SBRSScore",
- "cs4": "<123456@corp.net>",
- "cs4Label": "ExternalMsgID",
- "cs2": "not enabled",
- "cs2Label": "SenderCountry",
- "cs1": "RestrictionEmetteur",
- "cs1Label": "MailPolicy",
- "Name": "Consolidated Log Event"
+ "observer": {
+ "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
+ "version": "14.0.0-698"
 },
 "related": {
 "hosts": [
 "unknown"
 ],
- "user": [
- "foo@other-corp.com",
- "noreply@corp.net"
- ],
 "ip": [
 "1.1.1.1",
 "2.2.2.2"
+ ],
+ "user": [
+ "foo@other-corp.com",
+ "noreply@corp.net"
 ]
+ },
+ "rule": {
+ "id": "ESA_CONSOLIDATED_LOG_EVENT"
+ },
+ "server": {
+ "ip": "1.1.1.1"
+ },
+ "source": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "user": {
+ "name": "noreply@corp.net"
+ }
 }
 }
@@ -104,20 +104,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cisco|C390 Email Security Appliance|14.0.0-698|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=ABC123 ESAMID=123 E SAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Aug 1 06:40:30 2022 ESAGMVerdict=NOT_EVALUATED ESAMFVerdict=NO_MATCH ESAOFVerdict=NOT_EVALUATED ESAStatus=QUEUED\n\n",
 "event": {
- "severity": 5,
- "end": "2022-08-01T06:40:30Z"
+ "end": "2022-08-01T06:40:30Z",
+ "severity": 5
 },
 "@timestamp": "2022-08-01T06:40:30Z",
+ "cef": {
+ "Name": "Consolidated Log Event"
+ },
 "observer": {
- "vendor": "Cisco",
 "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
 "version": "14.0.0-698"
 },
 "rule": {
 "id": "ESA_CONSOLIDATED_LOG_EVENT"
- },
- "cef": {
- "Name": "Consolidated Log Event"
 }
 }
@@ -134,30 +134,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "severity": 5
 },
 "@timestamp": "2021-08-20T22:53:27.043000Z",
- "observer": {
- "vendor": "Cybereason",
- "type": "Cybereason",
- "version": "1.0"
- },
- "rule": {
- "id": "5"
+ "cef": {
+ "Name": "Malop Connection Added",
+ "cs1": "11.1323449861766643222",
+ "cs1Label": "MalopId",
+ "dpt": "443",
+ "rt": "1629500007043"
 },
 "destination": {
- "port": 443,
+ "address": "3.226.77.3",
 "ip": "3.226.77.3",
- "address": "3.226.77.3"
+ "port": 443
 },
- "cef": {
- "cs1Label": "MalopId",
- "rt": "1629500007043",
- "dpt": "443",
- "cs1": "11.1323449861766643222",
- "Name": "Malop Connection Added"
+ "observer": {
+ "type": "Cybereason",
+ "vendor": "Cybereason",
+ "version": "1.0"
 },
 "related": {
 "ip": [
 "3.226.77.3"
 ]
+ },
+ "rule": {
+ "id": "5"
 }
 }
@@ -174,13 +174,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "severity": 5
 },
 "@timestamp": "2021-08-23T06:53:42.409000Z",
- "observer": {
- "vendor": "Cybereason",
- "type": "Cybereason",
- "version": "1.0"
+ "cef": {
+ "Name": "Malop Created",
+ "cn1": 1,
+ "cn1Label": "AffectedMachinesCount",
+ "cn2": 1,
+ "cn2Label": "AffectedUsersCount",
+ "cs1": "11.4718101284717793977",
+ "cs1Label": "MalopId",
+ "cs2": "EXTENSION_MANIPULATION",
+ "cs2Label": "MalopDetectionType",
+ "cs3": "MALICIOUS_INFECTION",
+ "cs3Label": "MalopActivityType",
+ "cs4": "bb9dbdca921d84381c893086f65ffca17120b23d",
+ "cs4Label": "MalopHashList",
+ "cs5": "maliciousByDualExtensionByFileRootCause",
+ "cs5Label": "DecisionFeatures",
+ "cs6": "https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977",
+ "cs6Label": "IncidentLink",
+ "rt": "1629701622409"
 },
- "rule": {
- "id": "1"
+ "http": {
+ "request": {
+ "referrer": "flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process."
+ }
 },
 "log": {
 "syslog": {
@@ -189,30 +206,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
- "http": {
- "request": {
- "referrer": "flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process."
- }
+ "observer": {
+ "type": "Cybereason",
+ "vendor": "Cybereason",
+ "version": "1.0"
 },
- "cef": {
- "cn2Label": "AffectedUsersCount",
- "cn1Label": "AffectedMachinesCount",
- "cs6Label": "IncidentLink",
- "cs5Label": "DecisionFeatures",
- "cs4Label": "MalopHashList",
- "cs3Label": "MalopActivityType",
- "cs2Label": "MalopDetectionType",
- "cs1Label": "MalopId",
- "cs4": "bb9dbdca921d84381c893086f65ffca17120b23d",
- "cn2": 1,
- "cs6": "https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977",
- "cn1": 1,
- "cs5": "maliciousByDualExtensionByFileRootCause",
- "cs3": "MALICIOUS_INFECTION",
- "cs2": "EXTENSION_MANIPULATION",
- "cs1": "11.4718101284717793977",
- "rt": "1629701622409",
- "Name": "Malop Created"
+ "rule": {
+ "id": "1"
 }
 }
@@ -229,35 +229,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "severity": 5
 },
 "@timestamp": "2021-07-08T12:48:29.151000Z",
- "observer": {
- "vendor": "Cybereason",
- "type": "Cybereason",
- "version": "1.0"
- },
- "rule": {
- "id": "3"
- },
- "destination": {
- "domain": "desktop-aas6kq7",
- "ip": "10.0.2.15",
- "address": "desktop-aas6kq7"
- },
- "url": {
- "original": "C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
- "path": "\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
- "scheme": "c"
- },
 "cef": {
- "cfp3Label": "isOriginalMachine",
- "cfp2Label": "isOnline",
- "flexString2Label": "isMalicious",
- "cs1Label": "MalopId",
+ "Name": "Malop Machine Added",
 "cfp2": 1,
- "rt": "1625748509151",
+ "cfp2Label": "isOnline",
 "cfp3": 1,
- "flexString2": "True",
+ "cfp3Label": "isOriginalMachine",
 "cs1": "11.-6654920844431693523",
- "Name": "Malop Machine Added"
+ "cs1Label": "MalopId",
+ "flexString2": "True",
+ "flexString2Label": "isMalicious",
+ "rt": "1625748509151"
+ },
+ "destination": {
+ "address": "desktop-aas6kq7",
+ "domain": "desktop-aas6kq7",
+ "ip": "10.0.2.15"
+ },
+ "observer": {
+ "type": "Cybereason",
+ "vendor": "Cybereason",
+ "version": "1.0"
 },
 "related": {
 "hosts": [
@@ -266,6 +258,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": [
 "10.0.2.15"
 ]
+ },
+ "rule": {
+ "id": "3"
+ },
+ "url": {
+ "original": "C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
+ "path": "\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
+ "scheme": "c"
 }
 }
@@ -279,13 +279,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cybereason|Cybereason|1.0|2|Malop Process Added|5|CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 cs4=76030baf8e80653b883474f56c06164c33417ece request=\"C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe\" flexString2=True cn3=1 reason=indifferent rt=1629700682928 cs1Label=MalopId flexString2Label=isMalicious cs4Label=processSha1 cn3Label=isSigned",
 "event": {
- "severity": 5,
- "action": "indifferent"
+ "action": "indifferent",
+ "severity": 5
 },
 "@timestamp": "2021-08-23T06:38:02.928000Z",
+ "cef": {
+ "Name": "Malop Process Added",
+ "cn3": 1,
+ "cs1": "11.-6654920844431693523",
+ "cs1Label": "MalopId",
+ "cs4": "76030baf8e80653b883474f56c06164c33417ece",
+ "cs4Label": "processSha1",
+ "flexString2": "True",
+ "flexString2Label": "isMalicious",
+ "rt": "1629700682928"
+ },
 "observer": {
- "vendor": "Cybereason",
 "type": "Cybereason",
+ "vendor": "Cybereason",
 "version": "1.0"
 },
 "rule": {
@@ -295,17 +306,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "original": "C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
 "path": "\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe",
 "scheme": "c"
- },
- "cef": {
- "cs4Label": "processSha1",
- "flexString2Label": "isMalicious",
- "cs1Label": "MalopId",
- "rt": "1629700682928",
- "cn3": 1,
- "flexString2": "True",
- "cs4": "76030baf8e80653b883474f56c06164c33417ece",
- "cs1": "11.-6654920844431693523",
- "Name": "Malop Process Added"
 }
 }
@@ -321,34 +321,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "severity": 5
 },
- "observer": {
- "vendor": "Cybereason",
- "type": "Cybereason",
- "version": "1.0"
- },
- "rule": {
- "id": "6"
+ "cef": {
+ "Name": "Malop User Added",
+ "cs1": "11.-6654920844431693523",
+ "cs1Label": "MalopId",
+ "dpriv": "None"
 },
 "destination": {
+ "address": "desktop-aas6kq7",
 "domain": "desktop-aas6kq7",
 "user": {
 "name": "system"
- },
- "address": "desktop-aas6kq7"
+ }
 },
- "cef": {
- "cs1Label": "MalopId",
- "dpriv": "None",
- "cs1": "11.-6654920844431693523",
- "Name": "Malop User Added"
+ "observer": {
+ "type": "Cybereason",
+ "vendor": "Cybereason",
+ "version": "1.0"
 },
 "related": {
- "user": [
- "system"
- ],
 "hosts": [
 "desktop-aas6kq7"
+ ],
+ "user": [
+ "system"
 ]
+ },
+ "rule": {
+ "id": "6"
 }
 }
@@ -362,21 +362,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v6.2.9|32102|event:system|7|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0100032102 cat=event:system FortinetFortiGatesubtype=system FortinetFortiGatelevel=alert FortinetFortiGatevd=root FortinetFortiGateeventtime=1637681708541881380 FortinetFortiGatetz=+0100 FortinetFortiGatelogdesc=Configuration changed duser= sproc=console msg=Configuration is changed in the admin session",
 "event": {
- "severity": 7,
- "reason": "Configuration is changed in the admin session"
+ "reason": "Configuration is changed in the admin session",
+ "severity": 7
+ },
+ "cef": {
+ "Name": "event:system",
+ "cat": "event:system",
+ "sproc": "console"
 },
 "observer": {
- "vendor": "Fortinet",
 "type": "Fortigate",
+ "vendor": "Fortinet",
 "version": "v6.2.9"
 },
 "rule": {
 "id": "32102"
- },
- "cef": {
- "sproc": "console",
- "cat": "event:system",
- "Name": "event:system"
 }
 }
@@ -390,45 +390,45 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly clear_ session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=1.1.1.1 dst=2.2.2.2 deviceInboundInterface=port15 externalId=0 act=clear_session proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92 FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, 34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical",
 "event": {
- "severity": 7,
 "action": "clear_session",
- "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times"
- },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v5.6.0"
+ "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times",
+ "severity": 7
 },
- "rule": {
- "id": "18433"
- },
- "network": {
- "protocol": "icmp/146/81",
- "transport": "icmp"
- },
- "source": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
+ "cef": {
+ "Name": "anomaly:anomaly clear_ session",
+ "cat": "anomaly:anomaly",
+ "cnt": 306,
+ "cs2": "http://www.fortinet.com/ids/VID16777316",
+ "cs2Label": "Reference",
+ "dpt": "20882",
+ "externalId": "0"
 },
 "destination": {
- "port": 20882,
+ "address": "2.2.2.2",
 "ip": "2.2.2.2",
- "address": "2.2.2.2"
+ "port": 20882
 },
- "cef": {
- "cs2Label": "Reference",
- "cs2": "http://www.fortinet.com/ids/VID16777316",
- "dpt": "20882",
- "cnt": 306,
- "externalId": "0",
- "cat": "anomaly:anomaly",
- "Name": "anomaly:anomaly clear_ session"
+ "network": {
+ "protocol": "icmp/146/81",
+ "transport": "icmp"
+ },
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v5.6.0"
 },
 "related": {
 "ip": [
 "1.1.1.1",
 "2.2.2.2"
 ]
+ },
+ "rule": {
+ "id": "18433"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
 }
 }
@@ -442,58 +442,58 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v5.6.0|08192|utm:virus infected blocked|4|FTNTFGTlogid=0211008192 cat=utm:virus FTNTFGTsubtype=virus FTNTFGTeventtype=infected FTNTFGTlevel=warning FTNTFGTvd=vdom1 msg=File is infected act=blocked app=HTTP externalId=56633 src=1.1.1.1 dst=2.2.2.2 spt=45719 dpt=80 deviceInboundInterface=port15 deviceOutboundInterface=port19 proto=6 deviceDirection=0 fname=eicar.com FTNTFGTchecksum=1dd02bdb FTNTFGTquarskip=No-skip cs1=EICAR_TEST_FILE cs1Label=Virus FTNTFGTdtype=Virus cs2=http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE cs2Label=Reference FTNTFGTvirusid=2172 request=http://2.2.2.2/eicar.com FTNTFGTprofile=default duser= requestClientApplication=Wget/1 10 2 FTNTFGTanalyticscksum=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 FTNTFGTanalyticssubmit=false FTNTFGTcrscore=50 FTNTFGTcrlevel=critical",
 "event": {
- "severity": 4,
 "action": "blocked",
- "reason": "File is infected"
+ "reason": "File is infected",
+ "severity": 4
 },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v5.6.0"
+ "cef": {
+ "Name": "utm:virus infected blocked",
+ "cat": "utm:virus",
+ "cs1": "EICAR_TEST_FILE",
+ "cs1Label": "Virus",
+ "cs2": "http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE",
+ "cs2Label": "Reference",
+ "dpt": "80",
+ "externalId": "56633"
 },
- "rule": {
- "id": "08192"
+ "destination": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "port": 80
+ },
+ "file": {
+ "name": "eicar.com"
 },
 "network": {
- "protocol": "HTTP",
 "direction": "inbound",
+ "protocol": "HTTP",
 "transport": "tcp"
 },
- "file": {
- "name": "eicar.com"
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v5.6.0"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "rule": {
+ "id": "08192"
 },
 "source": {
+ "address": "1.1.1.1",
 "ip": "1.1.1.1",
- "port": 45719,
- "address": "1.1.1.1"
- },
- "destination": {
- "port": 80,
- "ip": "2.2.2.2",
- "address": "2.2.2.2"
+ "port": 45719
 },
 "url": {
- "original": "http://2.2.2.2/eicar.com",
 "domain": "2.2.2.2",
+ "original": "http://2.2.2.2/eicar.com",
 "path": "/eicar.com",
- "scheme": "http",
- "port": 80
- },
- "cef": {
- "cs2Label": "Reference",
- "cs2": "http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE",
- "cs1Label": "Virus",
- "cs1": "EICAR_TEST_FILE",
- "dpt": "80",
- "externalId": "56633",
- "cat": "utm:virus",
- "Name": "utm:virus infected blocked"
- },
- "related": {
- "ip": [
- "1.1.1.1",
- "2.2.2.2"
- ]
+ "port": 80,
+ "scheme": "http"
 }
 }
@@ -509,46 +509,46 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "severity": 3
 },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v6.0.10"
- },
- "rule": {
- "id": "00014"
- },
- "network": {
- "protocol": "icmp/8/0",
- "transport": "icmp"
+ "cef": {
+ "Name": "traffic:local accept",
+ "cat": "traffic:local",
+ "externalId": "4887198"
 },
- "source": {
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
+ "destination": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2"
 },
 "host": {
 "network": {
- "ingress": {
+ "egress": {
 "bytes": 84
 },
- "egress": {
+ "ingress": {
 "bytes": 84
 }
 }
 },
- "destination": {
- "ip": "2.2.2.2",
- "address": "2.2.2.2"
+ "network": {
+ "protocol": "icmp/8/0",
+ "transport": "icmp"
 },
- "cef": {
- "externalId": "4887198",
- "cat": "traffic:local",
- "Name": "traffic:local accept"
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v6.0.10"
 },
 "related": {
 "ip": [
 "1.1.1.1",
 "2.2.2.2"
 ]
+ },
+ "rule": {
+ "id": "00014"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1"
 }
 }
@@ -562,22 +562,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v6.0.4|32021|event:system login failed|7|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0100032021 cat=event:system FortinetFortiGatesubtype=system FortinetFortiGatelevel=alert FortinetFortiGatevd=root FortinetFortiGateeventtime=1579172447 FortinetFortiGatelogdesc=Admin login disabled sproc=1.1.1.1 FortinetFortiGateaction=login outcome=failed reason=exceed_limit msg=Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts",
 "event": {
- "severity": 7,
+ "action": "exceed_limit",
 "reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts",
- "action": "exceed_limit"
+ "severity": 7
+ },
+ "cef": {
+ "Name": "event:system login failed",
+ "cat": "event:system",
+ "sproc": "1.1.1.1"
 },
 "observer": {
- "vendor": "Fortinet",
 "type": "Fortigate",
+ "vendor": "Fortinet",
 "version": "v6.0.4"
 },
 "rule": {
 "id": "32021"
- },
- "cef": {
- "sproc": "1.1.1.1",
- "cat": "event:system",
- "Name": "event:system login failed"
 }
 }
@@ -591,36 +591,36 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v6.0.10|39943|event:vpn ssl-new-con|2|deviceExternalId=FGT3HD3916803645 FTNTFGTlogid=0101039943 cat=event:vpn FTNTFGTsubtype=vpn FTNTFGTlevel=information FTNTFGTvd=root FTNTFGTeventtime=1637338258 FTNTFGTlogdesc=SSL VPN new connection act=ssl-new-con FTNTFGTtunneltype=ssl FTNTFGTtunnelid=0 dst=2.2.2.2 duser=N/A FTNTFGTgroup=N/A FTNTFGTdst_host=N/A reason=N/A msg=SSL new connection",
 "event": {
- "severity": 2,
 "action": "N/A",
- "reason": "SSL new connection"
- },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v6.0.10"
+ "reason": "SSL new connection",
+ "severity": 2
 },
- "rule": {
- "id": "39943"
+ "cef": {
+ "Name": "event:vpn ssl-new-con",
+ "cat": "event:vpn"
 },
 "destination": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
 "user": {
 "name": "N/A"
- },
- "ip": "2.2.2.2",
- "address": "2.2.2.2"
+ }
 },
- "cef": {
- "cat": "event:vpn",
- "Name": "event:vpn ssl-new-con"
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v6.0.10"
 },
 "related": {
- "user": [
- "N/A"
- ],
 "ip": [
 "2.2.2.2"
+ ],
+ "user": [
+ "N/A"
 ]
+ },
+ "rule": {
+ "id": "39943"
 }
 }
@@ -634,56 +634,48 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Fortinet|Fortigate|v5.6.0|00013|traffic:forward close|3|FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 src=2.2.2.2 shost=2.2.2.2 spt=45719 deviceInboundInterface=port15 dst=3.3.3.3 dhost=3.3.3.3 dpt=80 deviceOutboundInterface=port19 FTNTFGTpoluuid=61c4243a-34ba-51e5-c32a-3859389a5162 externalId=56633 proto=6 act=close cs5=10 cs5Label=Policy Id FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=1.1.1.1 sourceTranslatedPort=45719 app=HTTP FTNTFGTappid=38783 FTNTFGTapp=Wget.Like FTNTFGTappcat=General.Interest FTNTFGTapprisk=low FTNTFGTapplist=default FTNTFGTappact=detected cn1=7 cn1Label=Duration out=398 in=1605 cn2=5 cn2Label=Packets Sent cn3=5 cn3Label=Packets Received FTNTFGTutmaction=block FTNTFGTcountav=1 FTNTFGTcountapp=1 FTNTFGTcrscore=50 FTNTFGTcraction=2",
 "event": {
- "severity": 3,
- "action": "close"
- },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v5.6.0"
- },
- "rule": {
- "id": "00013"
- },
- "network": {
- "protocol": "HTTP",
- "transport": "tcp"
+ "action": "close",
+ "severity": 3
 },
- "source": {
- "ip": "2.2.2.2",
- "port": 45719,
- "address": "2.2.2.2"
+ "cef": {
+ "Name": "traffic:forward close",
+ "cat": "traffic:forward",
+ "cn1": 7,
+ "cn1Label": "Duration",
+ "cn2": 5,
+ "cn2Label": "Packets Sent",
+ "cn3": 5,
+ "cs5": "10",
+ "cs5Label": "Policy Id",
+ "dpt": "80",
+ "externalId": "56633"
 },
 "destination": {
+ "address": "3.3.3.3",
 "domain": "3.3.3.3",
- "port": 80,
 "ip": "3.3.3.3",
- "address": "3.3.3.3"
+ "port": 80
 },
 "host": {
+ "hostname": "2.2.2.2",
+ "name": "2.2.2.2",
 "network": {
- "ingress": {
- "bytes": 1605
- },
 "egress": {
 "bytes": 398
+ },
+ "ingress": {
+ "bytes": 1605
 }
- },
- "hostname": "2.2.2.2",
- "name": "2.2.2.2"
+ }
 },
- "cef": {
- "cn3": 5,
- "cn2Label": "Packets Sent",
- "cn2": 5,
- "cn1Label": "Duration",
- "cn1": 7,
- "cs5Label": "Policy Id",
- "cs5": "10",
- "externalId": "56633",
- "dpt": "80",
- "cat": "traffic:forward",
- "Name": "traffic:forward close"
+ "network": {
+ "protocol": "HTTP",
+ "transport": "tcp"
+ },
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v5.6.0"
 },
 "related": {
 "hosts": [
@@ -694,6 +686,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "2.2.2.2",
 "3.3.3.3"
 ]
+ },
+ "rule": {
+ "id": "00013"
+ },
+ "source": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "port": 45719
 }
 }
@@ -709,49 +709,49 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "severity": 3
 },
- "observer": {
- "vendor": "Fortinet",
- "type": "Fortigate",
- "version": "v6.0.4"
- },
- "rule": {
- "id": "00013"
- },
- "network": {
- "protocol": "HTTP",
- "transport": "tcp"
- },
- "source": {
- "ip": "1.1.1.1",
- "port": 49260,
- "address": "1.1.1.1"
+ "cef": {
+ "Name": "traffic:forward timeout",
+ "cat": "traffic:forward",
+ "dpt": "80",
+ "externalId": "12812952"
 },
 "destination": {
- "port": 80,
+ "address": "3.3.3.3",
 "ip": "3.3.3.3",
- "address": "3.3.3.3"
+ "port": 80
 },
 "host": {
 "network": {
- "ingress": {
- "bytes": 144
- },
 "egress": {
 "bytes": 48
+ },
+ "ingress": {
+ "bytes": 144
 }
 }
 },
- "cef": {
- "externalId": "12812952",
- "dpt": "80",
- "cat": "traffic:forward",
- "Name": "traffic:forward timeout"
+ "network": {
+ "protocol": "HTTP",
+ "transport": "tcp"
+ },
+ "observer": {
+ "type": "Fortigate",
+ "vendor": "Fortinet",
+ "version": "v6.0.4"
 },
 "related": {
 "ip": [
 "1.1.1.1",
 "3.3.3.3"
 ]
+ },
+ "rule": {
+ "id": "00013"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 49260
 }
 }
@@ -765,44 +765,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SEKOIA.IO|SIC|v0.3.12|666|Download|1|msg= sys.log downloaded by john.doe@example.com src=127.0.0.1 cn1=53 cn1Label=seconds cs1Label=type cs1=ssl_download cs2Label=location cs2=home fname=sys.log fsize=666 suser=john.doe@example.com", "event": { - "severity": 1, - "reason": "sys.log downloaded by john.doe@example.com" - }, - "observer": { - "vendor": "SEKOIA.IO", - "type": "SIC", - "version": "v0.3.12" + "reason": "sys.log downloaded by john.doe@example.com", + "severity": 1 }, - "rule": { - "id": "666" + "cef": { + "Name": "Download", + "cn1": 53, + "cn1Label": "seconds", + "cs1": "ssl_download", + "cs1Label": "type", + "cs2": "home", + "cs2Label": "location" }, "file": { "name": "sys.log", "size": 666 }, - "source": { - "user": { - "name": "john.doe@example.com" - }, - "ip": "127.0.0.1", - "address": "127.0.0.1" - }, - "cef": { - "cs2": "home", - "cs2Label": "location", - "cs1": "ssl_download", - "cs1Label": "type", - "cn1Label": "seconds", - "cn1": 53, - "Name": "Download" + "observer": { + "type": "SIC", + "vendor": "SEKOIA.IO", + "version": "v0.3.12" }, "related": { - "user": [ - "john.doe@example.com" - ], "ip": [ "127.0.0.1" + ], + "user": [ + "john.doe@example.com" ] + }, + "rule": { + "id": "666" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "user": { + "name": "john.doe@example.com" + } } } 
@@ -816,19 +816,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\\\xxxxx cs2=paloaltonetwork\\\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=", "event": { - "severity": 3, "reason": 
"Invalid Certificate", - "timezone": "UTC", - "start": "2021-02-28T18:20:40Z" + "severity": 3, + "start": "2021-02-28T18:20:40Z", + "timezone": "UTC" }, "@timestamp": "2021-02-28T18:20:40Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" + "cef": { + "Name": "Radius", + "c6a2": "::ffff:0", + "c6a2Label": "Source IPv6 Address", + "c6a3": "::ffff:0", + "c6a3Label": "Destination IPv6 Address", + "cn1": 0, + "cn1Label": "AuthFactorNo", + "cn2": -5257671089978343424, + "cn2Label": "MFAAuthenticationID", + "cnt": 33554432, + "cs1": "deny-attackers", + "cs1Label": "AuthServerProfile", + "cs2": "paloaltonetwork\\\\xxxxx", + "cs2Label": "NormalizeUser", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "DC", + "cs4Label": "AuthenticationPolicy", + "cs5": "Unknown", + "cs5Label": "ClientType", + "cs6": "rs-logging", + "cs6Label": "LogSetting", + "externalId": "xxxxxxxxxxxxx", + "rt": "Feb 28 2021 18:20:54" }, - "rule": { - "id": "AUTH" + "destination": { + "user": { + "name": "paloaltonetwork\\\\xxxxx" + } }, "file": { "name": "Authentication object2" 
@@ -836,41 +859,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host": { "name": "xxxxx" }, - "destination": { - "user": { - "name": "paloaltonetwork\\\\xxxxx" - } - }, - "cef": { - "externalId": "xxxxxxxxxxxxx", - "cn1Label": "AuthFactorNo", - "cn1": 0, - "cs5Label": "ClientType", - "cs5": "Unknown", - "cs1Label": "AuthServerProfile", - "cs1": "deny-attackers", - "cs6Label": "LogSetting", - "cs6": "rs-logging", - "cn2Label": "MFAAuthenticationID", - "cn2": -5257671089978343424, - "cnt": 33554432, - "cs4Label": "AuthenticationPolicy", - "cs4": "DC", - "cs2Label": "NormalizeUser", - "cs2": "paloaltonetwork\\\\xxxxx", - "c6a3Label": "Destination IPv6 Address", - "c6a3": "::ffff:0", - "c6a2Label": "Source IPv6 Address", - "c6a2": "::ffff:0", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "rt": "Feb 28 2021 18:20:54", - "Name": "Radius" + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { "user": [ "paloaltonetwork\\\\xxxxx" ] + }, + "rule": { + "id": "AUTH" } } 
@@ -884,170 +884,170 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\\\\\xxxxx duser=paloaltonetwork\\\\\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= 
PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx", "event": { - "severity": 3, "action": "deny", - "timezone": "UTC", - "start": "2021-03-01T20:35:54Z" + "severity": 3, + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T20:35:54Z", + "cef": { + "Name": "end", + "cn1": 106112, + "cn1Label": "SessionID", + "cnt": 1, + "cs1": "allow-all-employees", + "cs1Label": "Rule", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "datacenter", + "cs4Label": "FromZone", + "cs5": "ethernet4Zone-test1", + "cs5Label": "ToZone", + "cs6": "test", + "cs6Label": "LogSetting", + "dpt": "20122", + "externalId": "xxxxxxxxxxxxx", + "rt": "Mar 01 2021 20:35:54" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 20122, + "user": { + "name": "paloaltonetwork\\\\\\\\xxxxx" + } + }, + "network": { + "protocol": "gmail-base" + }, "observer": { - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, + "related": { + "ip": [ + "1.1.1.1" + ], + "user": [ + "paloaltonetwork\\\\\\\\xxxxx" + ] + }, "rule": { "id": "DECRYPTION" }, - "network": { - "protocol": "gmail-base" - }, "source": { - "user": { - "name": "paloaltonetwork\\\\\\\\xxxxx" - }, + "address": "1.1.1.1", "ip": "1.1.1.1", "port": 16524, - "address": "1.1.1.1" - }, - "destination": { - "port": 20122, "user": { "name": "paloaltonetwork\\\\\\\\xxxxx" - }, - "ip": "1.1.1.1", - "address": "1.1.1.1" + } + } + } + + ``` + + +=== "pan_ngfw_file_cef.json" + + ```json + + { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= 
PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=1.1.1.1 PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=dg-log-policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 
cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=1.1.1.1-1.1.1.1 PanOSDestinationLocation=1.1.1.1-1.1.1.1 fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=", + "event": { + "action": "alert", + "severity": 3, + "start": "2021-03-01T21:06:06Z", + "timezone": "UTC" }, + "@timestamp": "2021-03-01T21:06:06Z", "cef": { - "externalId": "xxxxxxxxxxxxx", - "dpt": "20122", - "cnt": 1, + "Name": "file", + "cn1": 4016143, "cn1Label": "SessionID", - "cn1": 106112, - "cs6Label": "LogSetting", - 
"cs6": "test", - "cs5Label": "ToZone", - "cs5": "ethernet4Zone-test1", - "cs4Label": "FromZone", - "cs4": "datacenter", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", + "cnt": 9, + "cs1": "dg-log-policy", "cs1Label": "Rule", - "cs1": "allow-all-employees", - "rt": "Mar 01 2021 20:35:54", - "Name": "end" + "cs2": "any", + "cs2Label": "URLCategory", + "cs3": "smtp", + "cs3Label": "VirtualLocation", + "cs4": "tap", + "cs4Label": "FromZone", + "cs5": "tap", + "cs5Label": "ToZone", + "cs6": "test", + "cs6Label": "LogSetting", + "dpt": "25", + "externalId": "xxxxxxxxxxxxx", + "flexString2": "client to server", + "flexString2Label": "DirectionOfAttack", + "rt": "Mar 01 2021 21:06:06" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 25 + }, + "file": { + "directory": "", + "inode": "0", + "name": "page-icon.png", + "path": "page-icon.png" + }, + "host": { + "name": "PA-5220" + }, + "network": { + "protocol": "smtp" + }, + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { - "user": [ - "paloaltonetwork\\\\\\\\xxxxx" - ], "ip": [ "1.1.1.1" ] + }, + "rule": { + "id": "THREAT" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 37404 } } ``` -=== "pan_ngfw_file_cef.json" +=== "pan_ngfw_globalprotect_cef.json" ```json { - "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet 
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=1.1.1.1 PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=dg-log-policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=1.1.1.1-1.1.1.1 PanOSDestinationLocation=1.1.1.1-1.1.1.1 fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 
PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=", + "message": "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=1.1.1.1 PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=1.1.1.1 PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 
PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1", "event": { "severity": 3, - "action": "alert", - "timezone": "UTC", - "start": "2021-03-01T21:06:06Z" + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC" + }, + "@timestamp": "2021-03-01T20:35:54Z", + "cef": { + "Name": "globalprotect", + "rt": "Mar 01 2021 20:35:54" }, - "@timestamp": "2021-03-01T21:06:06Z", "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "THREAT" - }, - "network": { - "protocol": "smtp" - }, - "source": { - "ip": "1.1.1.1", - "port": 37404, - "address": "1.1.1.1" - }, - "host": { - "name": "PA-5220" - }, - "destination": { - "port": 25, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "file": { - "inode": "0", - "path": "page-icon.png", - "name": "page-icon.png", - "directory": "" - }, - "cef": { - "externalId": "xxxxxxxxxxxxx", - "flexString2Label": "DirectionOfAttack", - "flexString2": "client to server", - "cs2Label": "URLCategory", - "cs2": "any", - "dpt": "25", - "cnt": 9, - "cn1Label": "SessionID", - "cn1": 4016143, - "cs6Label": "LogSetting", - "cs6": "test", - "cs5Label": "ToZone", - "cs5": "tap", - "cs4Label": "FromZone", - "cs4": "tap", - "cs3Label": "VirtualLocation", - "cs3": "smtp", - "cs1Label": "Rule", - "cs1": "dg-log-policy", - "rt": "Mar 01 2021 21:06:06", - "Name": "file" - }, - 
"related": { - "ip": [ - "1.1.1.1" - ] - } - } - - ``` - - -=== "pan_ngfw_globalprotect_cef.json" - - ```json - - { - "message": "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=1.1.1.1 PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=1.1.1.1 PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1", - "event": { - "severity": 3, - "timezone": "UTC", - "start": "2021-03-01T20:35:54Z" - }, - "@timestamp": "2021-03-01T20:35:54Z", - "observer": { - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, "rule": { "id": "GLOBALPROTECT" - }, - "cef": { - "rt": "Mar 01 2021 20:35:54", - "Name": "globalprotect" } } 
@@ -1062,63 +1062,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=1.1.1.1 dst=1.1.1.1 cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { "severity": 3, - "timezone": "UTC", - "start": "2021-03-01T21:20:13Z" + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T21:20:13Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "HIPMATCH" - }, - "source": { - "user": { - "name": "xxxxx xxxxx" - }, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "host": { - "name": "PA-5220", - "hostname": "machine_name1" - }, 
- "destination": { - "domain": "machine_name1", - "user": { - "name": "xxxxx xxxxx" - }, - "ip": "1.1.1.1", - "address": "machine_name1" - }, "cef": { - "c6a1Label": "Device IPv6 Address", + "Name": "", "c6a1": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx", - "cn2Label": "VirtualSystemID", + "c6a1Label": "Device IPv6 Address", + "cat": "match_name1", "cn2": 1, - "externalId": "xxxxxxxxxxxxx", + "cn2Label": "VirtualSystemID", "cnt": 1, - "cat": "match_name1", - "cs2Label": "EndpointOSType", "cs2": "iOS", - "cs3Label": "VirtualLocation", + "cs2Label": "EndpointOSType", "cs3": "vsys1", - "sntdom": "xxxxx", + "cs3Label": "VirtualLocation", + "externalId": "xxxxxxxxxxxxx", "rt": "Mar 01 2021 21:20:13", - "Name": "" + "sntdom": "xxxxx" + }, + "destination": { + "address": "machine_name1", + "domain": "machine_name1", + "ip": "1.1.1.1", + "user": { + "name": "xxxxx xxxxx" + } + }, + "host": { + "hostname": "machine_name1", + "name": "PA-5220" + }, + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { "hosts": [ "machine_name1" ], - "user": [ - "xxxxx xxxxx" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx xxxxx" ] + }, + "rule": { + "id": "HIPMATCH" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "name": "xxxxx xxxxx" + } } } 
@@ -1133,43 +1133,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10 PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { "severity": 3, - "timezone": "UTC", - "start": "2021-03-01T21:20:13Z" + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T21:20:13Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "IPTAG" + "cef": { + "Name": "iptag", + "cn2": 1, + "cn2Label": "VirtualSystemID", + "cnt": 1, + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "externalId": "xxxxxxxxxxxxx", + "rt": "Mar 01 2021 21:20:13" }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" }, "host": { "name": "PA-VM" }, - "destination": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "cef": { - "cn2Label": "VirtualSystemID", - "cn2": 1, - "externalId": "xxxxxxxxxxxxx", - "cnt": 1, - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "rt": "Mar 01 2021 21:20:13", - "Name": "iptag" + "observer": { + "type": "LF", 
+ "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { "ip": [ "1.1.1.1" ] + }, + "rule": { + "id": "IPTAG" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -1183,54 +1183,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|SCTP||9|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:22:02 deviceExternalId=xxxxxxxxxxxxx PanOSCaptivePortal= PanOSContentVersion= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceMac= PanOSDestinationDeviceModel= PanOSDestinationDeviceOS= PanOSDestinationDeviceVendor= PanOSDestinationLocation=IN PanOSDestinationUUID= PanOSDestinationUserDomain=paloaltonetwork PanOSDestinationUserName=xxxxx PanOSDestinationUserUUID= PanOSInboundInterfaceDetailsPort=1 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer= PanOSIsContainer= PanOSIsDecryptMirror= PanOSIsDecryptedLog= PanOSIsDecryptedPayloadForward= PanOSIsDuplicateLog=false PanOSIsIPV6= PanOSIsInspectrionBeforeSession= PanOSIsMptcpOn= PanOSIsNonStandardDestinationPort= PanOSIsPacketCapture= PanOSIsPhishing= PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy= PanOSIsReconExcluded= PanOSIsServertoClient= PanOSIsSourceXForwarded= PanOSIsSystemReturn= PanOSIsTransaction= PanOSIsTunnelInspected= PanOSIsURLDenied= PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT= PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSSessionEndReason= PanOSSessionOwnerMidx= PanOSSessionTracker= PanOSSeverity=Critical PanOSSourceDeviceClass= PanOSSourceDeviceMac= PanOSSourceDeviceModel= PanOSSourceDeviceOS= PanOSSourceDeviceVendor= PanOSSourceLocation=US PanOSSourceUUID= PanOSSourceUserDomain=paloaltonetwork PanOSSourceUserName=xxxxx PanOSSourceUserUUID= PanOSTunnel=N/A PanOSVirtualSystemID=1 PanOSConfigVersion= start=Mar 01 2021 21:22:02 src=1.1.1.1 dst=1.1.1.1 PanOSNATSource=1.1.1.1 
PanOSNATDestination=1.1.1.1 cs1=allow-business-apps cs1Label=Rule PanOSSourceUser=paloaltonetwork\\\\xxxxx PanOSDestinationUser=paloaltonetworkxxxxx PanOSApplication=panorama cs3=vsys1 cs3Label=VirtualLocation cs4=corporate cs4Label=FromZone cs5=untrust cs5Label=ToZone PanOSInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6=test cs6Label=LogSetting PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496 PanOSNATSourcePort=26714 PanOSNATDestinationPort=15054 proto=tcp act=alert PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 externalId=xxxxxxxxxxxxx PanOSEndpointAssociationID=2086888838 PanOSPayloadProtocolID=-1 PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single sign-on failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042 PanOSVerificationTag2=0x1911015e PanOSSctpCauseCode=0 PanOSDiamAppID=-1 PanOSDiameterCommandCode=-1 PanOSDiamAvpCode=0 PanOSStreamID=0 PanOSAssocationEndReason= PanOSMapAppCode=0 PanOSSccpCallingSSN=0 PanOSSccpCallingGt= PanOSSctpFilter= PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSPacketsTotal=0 PanOSPacketsSent=0 PanOSPacketsReceived=0 PanOSRuleUUID= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "severity": 9, "action": "alert", - "timezone": "UTC", - "start": "2021-03-01T21:22:02Z" + "severity": 9, + "start": "2021-03-01T21:22:02Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T21:22:02Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "SCTP" + "cef": { + "Name": "", + "cnt": 1, + "cs1": "allow-business-apps", + "cs1Label": "Rule", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "corporate", + "cs4Label": "FromZone", + "cs5": "untrust", + "cs5Label": 
"ToZone", + "cs6": "test", + "cs6Label": "LogSetting", + "dpt": "5496", + "externalId": "xxxxxxxxxxxxx", + "rt": "Mar 01 2021 21:22:02" }, - "source": { + "destination": { + "address": "1.1.1.1", "ip": "1.1.1.1", - "port": 3033, - "address": "1.1.1.1" + "port": 5496 }, "host": { "name": "PA-5220" }, - "destination": { - "port": 5496, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "cef": { - "externalId": "xxxxxxxxxxxxx", - "dpt": "5496", - "cnt": 1, - "cs6Label": "LogSetting", - "cs6": "test", - "cs5Label": "ToZone", - "cs5": "untrust", - "cs4Label": "FromZone", - "cs4": "corporate", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "cs1Label": "Rule", - "cs1": "allow-business-apps", - "rt": "Mar 01 2021 21:22:02", - "Name": "" + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { "ip": [ "1.1.1.1" ] + }, + "rule": { + "id": "SCTP" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 3033 } } 
@@ -1244,81 +1244,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\\\xxxxx 
PanOSVerdict= PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\\\xxxxx duser0=paloaltonetwork\\\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 
PanOSDestinationDeviceOSVersion=Android v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc", "event": { - "severity": 1, "action": "drop-all", - "timezone": "UTC", - "start": "2021-03-01T20:48:16Z" + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T20:48:16Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" + "cef": { + "Name": "spyware", + "c6a2": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "c6a2Label": "Source IPv6 Address", + "c6a3": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "c6a3Label": "Destination IPv6 Address", + "cat": "27379", + "cn1": 947181, + "cn1Label": "SessionID", + "cnt": 1, + "cs1": "deny-attackers", + "cs1Label": "Rule", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "datacenter", + "cs4Label": "FromZone", + "cs5": "ethernet4Zone-test4", + "cs5Label": "ToZone", + "cs6": "rs-logging", + "cs6Label": "LogSetting", + "dpt": "4228", + "externalId": "xxxxxxxxxxxxx", + "flexString2": "server to client", + "flexString2Label": "DirectionOfAttack", + "rt": "Mar 01 2021 20:48:21", + "sntdom": "paloaltonetwork" }, - "rule": { - "id": "THREAT" + "destination": { + "address": "paloaltonetwork", + "domain": "paloaltonetwork", + "port": 4228, + "user": { + "name": "xxxxx" + } + }, + "file": { + "inode": "0" + }, + "host": { + "name": "xxxxx" }, "network": { "protocol": "sina-weibo-base" }, - "source": { - "user": { - "name": "xxxxx" - }, - "port": 13884 + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, - "host": { - "name": "xxxxx" + "related": 
{ + "hosts": [ + "paloaltonetwork" + ], + "user": [ + "xxxxx" + ] }, - "destination": { - "domain": "paloaltonetwork", - "port": 4228, + "rule": { + "id": "THREAT" + }, + "source": { + "port": 13884, "user": { "name": "xxxxx" - }, - "address": "paloaltonetwork" - }, - "file": { - "inode": "0" + } }, "url": { "original": "some other fake filename", "path": "some other fake filename" - }, - "cef": { - "externalId": "xxxxxxxxxxxxx", - "flexString2Label": "DirectionOfAttack", - "flexString2": "server to client", - "dpt": "4228", - "cnt": 1, - "cn1Label": "SessionID", - "cn1": 947181, - "cs6Label": "LogSetting", - "cs6": "rs-logging", - "cs5Label": "ToZone", - "cs5": "ethernet4Zone-test4", - "cs4Label": "FromZone", - "cs4": "datacenter", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "cs1Label": "Rule", - "cs1": "deny-attackers", - "c6a3Label": "Destination IPv6 Address", - "c6a3": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", - "c6a2Label": "Source IPv6 Address", - "c6a2": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", - "cat": "27379", - "sntdom": "paloaltonetwork", - "rt": "Mar 01 2021 20:48:21", - "Name": "spyware" - }, - "related": { - "user": [ - "xxxxx" - ], - "hosts": [ - "paloaltonetwork" - ] } } 
@@ -1332,88 +1332,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 
2021 20:16:17 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=paloaltonetwork\\\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=1.1.1.1 PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google 
PanOSDestinationDeviceOSFamily=H1511 PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5", "event": { - "severity": 3, "action": "unknown", - "timezone": "UTC", - "start": "2021-02-27T20:16:17Z" + "severity": 3, + "start": "2021-02-27T20:16:17Z", + "timezone": "UTC" }, "@timestamp": "2021-02-27T20:16:17Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "TRAFFIC" - }, - "network": { - "protocol": "fileguri" + "cef": { + "Name": "end", + "cat": "unknown", + "cn1": 25596, + "cn1Label": "SessionID", + "cn2": 314, + "cn2Label": "PacketsTotal", + "cn3": 56, + "cnt": 1, + "cs1": "deny-attackers", + "cs1Label": "Rule", + "cs2": "custom-category", + "cs2Label": "URLCategory", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "untrust", + "cs4Label": "FromZone", + "cs5": "ethernet4Zone-test1", + "cs5Label": "ToZone", + "cs6": "rs-logging", + "cs6Label": "LogSetting", + "dpt": "27092", + "externalId": "xxxxxxxxxxxxx", + "rt": "Feb 27 2021 20:16:21", + "sntdom": "xxxxx" }, - "source": { - "user": { - "name": "xxxxx xxxxx" - }, + "destination": { + "address": "paloaltonetwork", + "domain": "paloaltonetwork", "ip": "1.1.1.1", - "port": 22871, - "address": "1.1.1.1" + "port": 27092, + "user": { + "name": "xxxxx" + } }, "host": { "name": "xxxxx", "network": { - "ingress": { - "bytes": 969846 - }, "egress": { "bytes": 400448 + }, + "ingress": { + "bytes": 969846 } } }, - "destination": { - "domain": 
"paloaltonetwork", - "port": 27092, - "user": { - "name": "xxxxx" - }, - "ip": "1.1.1.1", - "address": "paloaltonetwork" + "network": { + "protocol": "fileguri" }, - "cef": { - "cat": "unknown", - "externalId": "xxxxxxxxxxxxx", - "cs2Label": "URLCategory", - "cs2": "custom-category", - "cn3": 56, - "cn2Label": "PacketsTotal", - "cn2": 314, - "dpt": "27092", - "cnt": 1, - "cn1Label": "SessionID", - "cn1": 25596, - "cs6Label": "LogSetting", - "cs6": "rs-logging", - "cs5Label": "ToZone", - "cs5": "ethernet4Zone-test1", - "cs4Label": "FromZone", - "cs4": "untrust", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "cs1Label": "Rule", - "cs1": "deny-attackers", - "sntdom": "xxxxx", - "rt": "Feb 27 2021 20:16:21", - "Name": "end" + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { - "user": [ - "xxxxx", - "xxxxx xxxxx" - ], "hosts": [ "paloaltonetwork" ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx", + "xxxxx xxxxx" ] + }, + "rule": { + "id": "TRAFFIC" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 22871, + "user": { + "name": "xxxxx xxxxx" + } } } 
@@ -1427,91 +1427,91 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o\"'\"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 
2021 20:48:16 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=xxxxx\\\\xxxxx o\"'\"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,\u200b11008,\u200b38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 
PanOSDestinationDeviceMac=150083646537 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5", "event": { - "severity": 1, "action": "block-url", - "timezone": "UTC", - "start": "2021-03-01T20:48:16Z" + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T20:48:16Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "THREAT" - }, - "network": { - "protocol": "maxdb" - }, - "source": { - "user": { - "name": "xxxxx xxxxx" - }, - "ip": "1.1.1.1", - "port": 32350, - "address": "1.1.1.1" - }, - "host": { - "name": "xxxxx" + "cef": { + "Name": "url", + "cn1": 980296, + "cn1Label": "SessionID", + "cnt": 1, + "cs1": "allow-business-apps", + "cs1Label": "Rule", + "cs2": "sports", + "cs2Label": "URLCategory", + "cs3": "vsys1", + "cs3Label": "VirtualLocation", + "cs4": "ethernet4Zone-test4", + "cs4Label": "FromZone", + "cs5": "untrust", + "cs5Label": "ToZone", + "cs6": "rs-logging", + "cs6Label": "LogSetting", + "dpt": "1532", + "externalId": "xxxxxxxxxxxxx", + "flexString2": "server to client", + "flexString2Label": "DirectionOfAttack", + "rt": "Mar 01 2021 20:48:21", + "sntdom": "xxxxx" }, "destination": { + "address": "xxxxx", "domain": "xxxxx", + "ip": "1.1.1.1", "port": 1532, "user": { "name": "xxxxx o\"'\"test" - }, - "ip": "1.1.1.1", - "address": "xxxxx" + } }, "file": { "inode": "0" }, - "url": { - "original": "?%", - "query": "%" + "host": { + "name": "xxxxx" }, "http": { "request": { - "referrer": "application/jpeg", - "method": "post" + "method": "post", + "referrer": "application/jpeg" } }, - "cef": { - "externalId": "xxxxxxxxxxxxx", - 
"flexString2Label": "DirectionOfAttack", - "flexString2": "server to client", - "cs2Label": "URLCategory", - "cs2": "sports", - "dpt": "1532", - "cnt": 1, - "cn1Label": "SessionID", - "cn1": 980296, - "cs6Label": "LogSetting", - "cs6": "rs-logging", - "cs5Label": "ToZone", - "cs5": "untrust", - "cs4Label": "FromZone", - "cs4": "ethernet4Zone-test4", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "cs1Label": "Rule", - "cs1": "allow-business-apps", - "sntdom": "xxxxx", - "rt": "Mar 01 2021 20:48:21", - "Name": "url" + "network": { + "protocol": "maxdb" + }, + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { - "user": [ - "xxxxx o\"'\"test", - "xxxxx xxxxx" - ], "hosts": [ "xxxxx" ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx o\"'\"test", + "xxxxx xxxxx" ] + }, + "rule": { + "id": "THREAT" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 32350, + "user": { + "name": "xxxxx xxxxx" + } + }, + "url": { + "original": "?%", + "query": "%" } } 
@@ -1525,70 +1525,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 duser0=paloaltonetworks\\\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "severity": 3, - "timezone": "UTC", "end": "2019-07-09T18:15:44Z", - "start": "2021-03-01T21:06:02Z" + "severity": 3, + "start": "2021-03-01T21:06:02Z", + "timezone": "UTC" }, "@timestamp": "2021-03-01T21:06:02Z", - "observer": { - "vendor": "Palo Alto Networks", - "type": "LF", - "version": "2.0" - }, - "rule": { - "id": "USERID" - }, - "source": { - "ip": "1.1.1.1", - "port": 21015, - "address": "1.1.1.1" - }, - "host": { - "name": "PA-5220" + "cef": { + "Name": "logout", + "cat": "0", + "cn1": 3, + "cn1Label": "AuthFactorNo", + "cn2": 1, + "cn2Label": "VirtualSystemID", + "cn3": 3531, + "cnt": 1, + "cs1": "xxxxx", + "cs1Label": "MFAFactorType", + "cs3": "vsys1", + 
"cs3Label": "VirtualLocation", + "cs4": "fake-data-source-169", + "cs4Label": "MappingDataSourceName", + "cs5": "probing", + "cs5Label": "MappingDataSource", + "cs6": "netbios_probing", + "cs6Label": "MappingDataSourceType", + "dpt": "49760", + "externalId": "xxxxxxxxxxxxx", + "rt": "Mar 01 2021 21:06:02" }, "destination": { + "address": "paloaltonetwork", "domain": "paloaltonetwork", + "ip": "1.1.1.1", "port": 49760, "user": { "name": "xxxxx" - }, - "ip": "1.1.1.1", - "address": "paloaltonetwork" + } }, - "cef": { - "cn1Label": "AuthFactorNo", - "cn1": 3, - "cs1Label": "MFAFactorType", - "cs1": "xxxxx", - "cn2Label": "VirtualSystemID", - "cn2": 1, - "externalId": "xxxxxxxxxxxxx", - "cs6Label": "MappingDataSourceType", - "cs6": "netbios_probing", - "cs5Label": "MappingDataSource", - "cs5": "probing", - "dpt": "49760", - "cn3": 3531, - "cnt": 1, - "cat": "0", - "cs4Label": "MappingDataSourceName", - "cs4": "fake-data-source-169", - "cs3Label": "VirtualLocation", - "cs3": "vsys1", - "rt": "Mar 01 2021 21:06:02", - "Name": "logout" + "host": { + "name": "PA-5220" + }, + "observer": { + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" }, "related": { - "user": [ - "xxxxx" - ], "hosts": [ "paloaltonetwork" ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx" ] + }, + "rule": { + "id": "USERID" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 21015 } } diff --git a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md index 2743c00811..8df9f4778f 100644 --- a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md +++ b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md 
@@ -28,79 +28,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "11:21:58,165, example.intranet, audit.admin.com.rsa.ims.admin.impl.PrincipalAdministrationImpl, INFO, f6202699f3af48788715faa8bcf50198,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,UPDATE_PRINCIPAL,10055,SUCCESS,,e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B,,000000000000000000001000d0021000,000000000000000000001000d0011000,000000000000000000001000e0011000,admin,Admin,Admin,PRINCIPAL,205b3dcb8bcd4186bb9dd9f170194d77,38b39da6807c4016ab4f7acbe6682c8b,000000000000000000001000e0011000,source.hostname,,,,,,", "event": { - "code": "10055", "category": [ "configuration" ], + "code": "10055", "type": [ "change" ] }, - "observer": { - "hostname": " example.intranet", - "serial_number": "0e34d92f7c6549b19ed28471c02a049b" - }, - "source": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "log": { "level": "INFO" }, - "destination": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "hostname": " example.intranet", + "serial_number": "0e34d92f7c6549b19ed28471c02a049b" }, - "user": { - "id": "000000000000000000001000d0021000", - "name": "admin" + "related": { + "hosts": [ + " example.intranet" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "admin" + ] }, "rsa": { "securid": { - "user": { - "firstname": "Admin", - "lastname": "Admin" - }, - "event": { - "outcome": "SUCCESS" - }, - "class": " audit.admin.com.rsa.ims.admin.impl.PrincipalAdministrationImpl", "action": { "name": "UPDATE_PRINCIPAL" }, - "session": { - "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B" - }, - "source": { - "id": "000000000000000000001000d0011000" - }, + "class": " audit.admin.com.rsa.ims.admin.impl.PrincipalAdministrationImpl", "domain": { "id": "000000000000000000001000e0011000" }, + "event": { + "outcome": "SUCCESS" + }, "objects": { - "type": "PRINCIPAL", "id": "205b3dcb8bcd4186bb9dd9f170194d77", - 
"source": { - "id": "38b39da6807c4016ab4f7acbe6682c8b" - }, + "name": "source.hostname", "security": { "id": "000000000000000000001000e0011000" }, - "name": "source.hostname" + "source": { + "id": "38b39da6807c4016ab4f7acbe6682c8b" + }, + "type": "PRINCIPAL" + }, + "session": { + "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B" + }, + "source": { + "id": "000000000000000000001000d0011000" + }, + "user": { + "firstname": "Admin", + "lastname": "Admin" } } }, - "related": { - "hosts": [ - " example.intranet" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "admin" - ] + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "user": { + "id": "000000000000000000001000d0021000", + "name": "admin" } } 
@@ -114,76 +114,76 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "11:21:58,183, example.intranet, audit.admin.com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl, INFO, 1c91aa9d56d64ea6816814fbd5f4fd4b,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AM_UNLINK_TOKEN_PRINCIPAL,20046,SUCCESS,,e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B,,000000000000000000001000d0021000,000000000000000000001000d0011000,000000000000000000001000e0011000,admin,Admin,Admin,AM_TOKEN,b43b74700a8c4634b2d5e6335a4a4a2a,,000000000000000000001000e0011000,000517223810,PRINCIPAL,54b6b5513c6410ac1cdda331149e66f3,0c38de293c6410ac0174e9584025c12f,000000000000000000001000e0011000,source.hostname,admin", "event": { - "code": "20046", "category": [ "authentication" ], + "code": "20046", "type": [ "end" ] }, - "observer": { - "hostname": " example.intranet", - "serial_number": "0e34d92f7c6549b19ed28471c02a049b" - }, - "source": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "log": { "level": "INFO" }, - "destination": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "hostname": " example.intranet", + "serial_number": "0e34d92f7c6549b19ed28471c02a049b" }, - "user": { - "id": "000000000000000000001000d0021000", - "name": "admin" + "related": { + "hosts": [ + " example.intranet" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "admin" + ] }, "rsa": { "securid": { - "user": { - "firstname": "Admin", - "lastname": "Admin" - }, - "event": { - "outcome": "SUCCESS" - }, - "class": " audit.admin.com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl", "action": { "name": "AM_UNLINK_TOKEN_PRINCIPAL" }, - "session": { - "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B" - }, - "source": { - "id": "000000000000000000001000d0011000" - }, + "class": " audit.admin.com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl", "domain": { "id": 
"000000000000000000001000e0011000" }, + "event": { + "outcome": "SUCCESS" + }, "objects": { - "type": "AM_TOKEN", "id": "b43b74700a8c4634b2d5e6335a4a4a2a", + "name": "000517223810", "security": { "id": "000000000000000000001000e0011000" }, - "name": "000517223810" + "type": "AM_TOKEN" + }, + "session": { + "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B" + }, + "source": { + "id": "000000000000000000001000d0011000" + }, + "user": { + "firstname": "Admin", + "lastname": "Admin" } } }, - "related": { - "hosts": [ - " example.intranet" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "admin" - ] + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "user": { + "id": "000000000000000000001000d0021000", + "name": "admin" } } 
@@ -197,48 +197,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_METHOD_FAILED_SYNTAX_ERROR,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n", "event": { - "code": "23008", - "reason": "AUTHN_METHOD_FAILED_SYNTAX_ERROR", "category": [ "authentication" ], + "code": "23008", + "reason": "AUTHN_METHOD_FAILED_SYNTAX_ERROR", "type": [ "start" ] }, - "observer": { - "hostname": " example.intranet", - "serial_number": "0e34d92f7c6549b19ed28471c02a049b" + "agent": { + "id": "09f1f5fc30e947ce9e564d5a91745091", + "name": "source.hostname" }, - "source": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "log": { "level": "ERROR" }, - "destination": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "hostname": " example.intranet", + "serial_number": "0e34d92f7c6549b19ed28471c02a049b" }, - "agent": { - "id": "09f1f5fc30e947ce9e564d5a91745091", - "name": "source.hostname" + "related": { + "hosts": [ + " example.intranet" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "admin" + ] }, "rsa": { "securid": { - "event": { - "outcome": "FAIL" - }, - "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl", "action": { "name": "AUTHN_LOGIN_EVENT" }, "agent": { - "ip": "1.2.3.4", "domain": { "id": "000000000000000000001000e0011000" - } + }, + "ip": "1.2.3.4" + }, + "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl", + "event": { + "outcome": "FAIL" }, "policy": { "method": { 
@@ -247,20 +255,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
+ },
 "user": {
 "name": "admin"
- },
- "related": {
- "hosts": [
- " example.intranet"
- ],
- "ip": [
- "1.2.3.4",
- "5.6.7.8"
- ],
- "user": [
- "admin"
- ]
 }
 }
@@ -274,48 +274,56 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_PRINCIPAL_LOCKED,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n",
 "event": {
- "code": "23008",
- "reason": "AUTHN_PRINCIPAL_LOCKED",
 "category": [
 "authentication"
 ],
+ "code": "23008",
+ "reason": "AUTHN_PRINCIPAL_LOCKED",
 "type": [
 "start"
 ]
 },
- "observer": {
- "hostname": " example.intranet",
- "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+ "agent": {
+ "id": "09f1f5fc30e947ce9e564d5a91745091",
+ "name": "source.hostname"
 },
- "source": {
- "ip": "5.6.7.8",
- "address": "5.6.7.8"
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "log": {
 "level": "ERROR"
 },
- "destination": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "observer": {
+ "hostname": " example.intranet",
+ "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
 },
- "agent": {
- "id": "09f1f5fc30e947ce9e564d5a91745091",
- "name": "source.hostname"
+ "related": {
+ "hosts": [
+ " example.intranet"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "admin"
+ ]
 },
 "rsa": {
 "securid": {
- "event": {
- "outcome": "FAIL"
- },
- "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
 "action": {
 "name": "AUTHN_LOGIN_EVENT"
 },
 "agent": {
- "ip": "1.2.3.4",
 "domain": {
 "id": "000000000000000000001000e0011000"
- }
+ },
+ "ip": "1.2.3.4"
+ },
+ "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
+ "event": {
+ "outcome": "FAIL"
 },
 "policy": {
 "method": {
@@ -324,20 +332,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
+ },
 "user": {
 "name": "admin"
- },
- "related": {
- "hosts": [
- " example.intranet"
- ],
- "ip": [
- "1.2.3.4",
- "5.6.7.8"
- ],
- "user": [
- "admin"
- ]
 }
 }
@@ -351,48 +351,56 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,",
 "event": {
- "code": "23008",
- "reason": "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS",
 "category": [
 "authentication"
 ],
+ "code": "23008",
+ "reason": "AUTH_RESOLUTION_FAILED_BY_ID_ALIAS",
 "type": [
 "info"
 ]
 },
- "observer": {
- "hostname": " example.intranet",
- "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+ "agent": {
+ "id": "09f1f5fc30e947ce9e564d5a91745091",
+ "name": "source.hostname"
 },
- "source": {
- "ip": "5.6.7.8",
- "address": "5.6.7.8"
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "log": {
 "level": "ERROR"
 },
- "destination": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "observer": {
+ "hostname": " example.intranet",
+ "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
 },
- "agent": {
- "id": "09f1f5fc30e947ce9e564d5a91745091",
- "name": "source.hostname"
+ "related": {
+ "hosts": [
+ " example.intranet"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "admin"
+ ]
 },
 "rsa": {
 "securid": {
- "event": {
- "outcome": "FAIL"
- },
- "class": " audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler",
 "action": {
 "name": "AUTH_PRINCIPAL_RESOLUTION"
 },
 "agent": {
- "ip": "1.2.3.4",
 "domain": {
 "id": "000000000000000000001000e0011000"
- }
+ },
+ "ip": "1.2.3.4"
+ },
+ "class": " audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler",
+ "event": {
+ "outcome": "FAIL"
 },
 "policy": {
 "method": {
@@ -401,20 +409,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
+ },
 "user": {
 "name": "admin"
- },
- "related": {
- "hosts": [
- " example.intranet"
- ],
- "ip": [
- "1.2.3.4",
- "5.6.7.8"
- ],
- "user": [
- "admin"
- ]
 }
 }
@@ -428,84 +428,84 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "11:23:02,069, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, da0011b4f66e4b7e86f90f9dd6e937e7,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B,39b1319237f946428aecf267190b537d,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,HDTCO04,HDTCO04,,559eb5ec2d43408cbce2a43b65eafe8c,000000000000000000001000e0011000,1.2.3.4,source.hostname,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,6,4,,,,,da624c0ecf554764953fcc346b999682,000523656192,,",
 "event": {
- "code": "13002",
- "reason": "AUTHN_METHOD_SUCCESS",
 "category": [
 "authentication"
 ],
+ "code": "13002",
+ "reason": "AUTHN_METHOD_SUCCESS",
 "type": [
 "start"
 ]
 },
- "observer": {
- "hostname": " example.intranet",
- "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+ "agent": {
+ "id": "559eb5ec2d43408cbce2a43b65eafe8c",
+ "name": "source.hostname"
 },
- "source": {
- "ip": "5.6.7.8",
- "address": "5.6.7.8"
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "log": {
 "level": "INFO"
 },
- "destination": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "observer": {
+ "hostname": " example.intranet",
+ "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
 },
- "user": {
- "id": "39b1319237f946428aecf267190b537d",
- "name": "HDTCO04"
+ "related": {
+ "hosts": [
+ " example.intranet"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "HDTCO04"
+ ]
 },
 "rsa": {
 "securid": {
- "user": {
- "firstname": "HDTCO04"
- },
- "event": {
- "outcome": "SUCCESS"
- },
- "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
 "action": {
 "name": "AUTHN_LOGIN_EVENT"
 },
- "session": {
- "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B"
- },
- "source": {
- "id": "09f1f5fc30e947ce9e564d5a91745091"
+ "agent": {
+ "domain": {
+ "id": "000000000000000000001000e0011000"
+ },
+ "ip": "1.2.3.4"
 },
+ "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
 "domain": {
 "id": "000000000000000000001000e0011000"
 },
- "agent": {
- "ip": "1.2.3.4",
- "domain": {
- "id": "000000000000000000001000e0011000"
- }
+ "event": {
+ "outcome": "SUCCESS"
 },
 "policy": {
 "method": {
 "id": "000000000000000000002000f1022000",
 "name": "SecurID_Native"
 }
+ },
+ "session": {
+ "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B"
+ },
+ "source": {
+ "id": "09f1f5fc30e947ce9e564d5a91745091"
+ },
+ "user": {
+ "firstname": "HDTCO04"
 }
 }
 },
- "agent": {
- "id": "559eb5ec2d43408cbce2a43b65eafe8c",
- "name": "source.hostname"
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
 },
- "related": {
- "hosts": [
- " example.intranet"
- ],
- "ip": [
- "1.2.3.4",
- "5.6.7.8"
- ],
- "user": [
- "HDTCO04"
- ]
+ "user": {
+ "id": "39b1319237f946428aecf267190b537d",
+ "name": "HDTCO04"
 }
 }
@@ -519,63 +519,63 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "12:00:32,804, example.intranet, audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl, INFO, 3ab4596104a043b886a66e80f88b353e,0e34d92f7c6549b19ed28471c02a049b,,1.2.3.4,AUTHN_LOGOUT_EVENT,13001,SUCCESS,,e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B,000000000000000000001000d0021000,000000000000000000001000d0011000,000000000000000000001000e0011000,admin,Admin,Admin,,,,,,,,,,,,,,,,,,,,",
 "event": {
- "code": "13001",
 "category": [
 "authentication"
 ],
+ "code": "13001",
 "type": [
 "end"
 ]
 },
- "observer": {
- "hostname": " example.intranet",
- "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "log": {
 "level": "INFO"
 },
- "destination": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "observer": {
+ "hostname": " example.intranet",
+ "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
 },
- "user": {
- "id": "000000000000000000001000d0021000",
- "name": "admin"
+ "related": {
+ "hosts": [
+ " example.intranet"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "admin"
+ ]
 },
 "rsa": {
 "securid": {
- "user": {
- "firstname": "Admin",
- "lastname": "Admin"
+ "action": {
+ "name": "AUTHN_LOGOUT_EVENT"
+ },
+ "class": " audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl",
+ "domain": {
+ "id": "000000000000000000001000e0011000"
 },
 "event": {
 "outcome": "SUCCESS"
 },
- "class": " audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl",
- "action": {
- "name": "AUTHN_LOGOUT_EVENT"
- },
 "session": {
 "id": "e7ec7ff59d604a2ba3fa09067bbd65a4-L0+/miv3k62B"
 },
 "source": {
 "id": "000000000000000000001000d0011000"
 },
- "domain": {
- "id": "000000000000000000001000e0011000"
+ "user": {
+ "firstname": "Admin",
+ "lastname": "Admin"
 }
 }
 },
- "related": {
- "hosts": [
- " example.intranet"
- ],
- "ip": [
- "1.2.3.4"
- ],
- "user": [
- "admin"
- ]
+ "user": {
+ "id": "000000000000000000001000d0021000",
+ "name": "admin"
 }
 }
@@ -596,6 +596,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "info"
 ]
 },
+ "process": {
+ "command_line": "/opt/rsa/am/utils/bin/appliance/queryTimeSettings.sh",
+ "working_directory": "/opt/rsa/am/server "
+ },
+ "related": {
+ "user": [
+ "root "
+ ]
+ },
 "rsa": {
 "securid": {
 "process": {
@@ -603,17 +612,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
- "process": {
- "working_directory": "/opt/rsa/am/server ",
- "command_line": "/opt/rsa/am/utils/bin/appliance/queryTimeSettings.sh"
- },
 "user": {
 "name": "root "
- },
- "related": {
- "user": [
- "root "
- ]
 }
 }
@@ -627,10 +627,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "Startup finished in 9ms.",
 "event": {
- "reason": "Startup finished in 9ms.",
 "category": [
 "host"
 ],
+ "reason": "Startup finished in 9ms.",
 "type": [
 "info"
 ]
@@ -647,10 +647,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "Reached target Timers.",
 "event": {
- "reason": "Reached target Timers.",
 "category": [
 "host"
 ],
+ "reason": "Reached target Timers.",
 "type": [
 "info"
 ]
@@ -667,35 +667,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "11:17:12,003, example.intranet, system.com.rsa.ims.configuration.impl.ConfigurationServiceImpl, SYSTEM, a9dbe1aae938465692320944498f095a,0e34d92f7c6549b19ed28471c02a049b,,1.2.3.4,CONF_VALUE_UPDATED,16256,SUCCESS,,,,,,,,,ims.agent.monitor.lastTimestamp,0000-Global-0000,2023-03-16 10:01:46.191,,,,",
 "event": {
- "code": "16256",
 "category": [
 "configuration"
 ],
+ "code": "16256",
 "type": [
 "change"
 ]
 },
- "observer": {
- "hostname": " example.intranet",
- "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "log": {
 "level": "SYSTEM"
 },
- "destination": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
- },
- "rsa": {
- "securid": {
- "event": {
- "outcome": "SUCCESS"
- },
- "class": " system.com.rsa.ims.configuration.impl.ConfigurationServiceImpl",
- "action": {
- "name": "CONF_VALUE_UPDATED"
- }
- }
+ "observer": {
+ "hostname": " example.intranet",
+ "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
 },
 "related": {
 "hosts": [
@@ -704,6 +693,17 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": [
 "1.2.3.4"
 ]
+ },
+ "rsa": {
+ "securid": {
+ "action": {
+ "name": "CONF_VALUE_UPDATED"
+ },
+ "class": " system.com.rsa.ims.configuration.impl.ConfigurationServiceImpl",
+ "event": {
+ "outcome": "SUCCESS"
+ }
+ }
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
index 769561805f..0b440ea247 100644
--- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
+++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
@@ -35,10 +35,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":6755,\"eventType\":\"AuthActivityAuditEvent\",\"eventCreationTime\":1657663146099,\"version\":\"1.0\"},\"event\":{\"UserId\":\"foo.bar@sekoia.fr\",\"UserIp\":\"83.199.26.17\",\"OperationName\":\"twoFactorAuthenticate\",\"ServiceName\":\"CrowdStrike Authentication\",\"Success\":true,\"UTCTimestamp\":1657663146099}}",
 "event": {
- "kind": "event",
 "category": [
 "configuration"
 ],
+ "kind": "event",
 "type": [
 "change"
 ]
@@ -48,20 +48,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event_type": "AuthActivityAuditEvent",
 "operation_name": "twoFactorAuthenticate"
 },
- "source": {
- "ip": "83.199.26.17",
- "address": "83.199.26.17"
+ "related": {
+ "ip": [
+ "83.199.26.17"
+ ]
 },
 "service": {
 "name": "CrowdStrike Authentication"
 },
+ "source": {
+ "address": "83.199.26.17",
+ "ip": "83.199.26.17"
+ },
 "user": {
 "id": "foo.bar@sekoia.fr"
- },
- "related": {
- "ip": [
- "83.199.26.17"
- ]
 }
 }
@@ -75,28 +75,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":189,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1657174538000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1656688889,\"ProcessEndTime\":0,\"ProcessId\":22164474048,\"ParentProcessId\":22163465296,\"ComputerName\":\"nsewmkzevukn-vm\",\"UserName\":\"Administrator\",\"DetectName\":\"Overwatch Detection\",\"DetectDescription\":\"Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. This activity has been raised for critical action and should be investigated urgently.\",\"Severity\":5,\"SeverityName\":\"Critical\",\"FileName\":\"explorer.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Windows\",\"CommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"SHA256String\":\"249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3\",\"MD5String\":\"d45bd7c7b7bf977246e9409d63435231\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"MachineDomain\":\"nsewmkzevukn-vm\",\"HostGroups\": \"6252fc7505974dc38abfef73269b8deb,b3365faa2fe44893b3c2c6b3bfbf6650,e114797a97894ed3bfd6442ef7eead92,1cd4a1385cac4db1a4d5f4d7ce035b65,2faa12f2f1e046f2bc21cad5d01ae723,37f2ae7c641845a4918f4348a52b4874\"}}",
 "event": {
- "kind": "alert",
- "type": [
- "info"
- ],
 "category": [
 "intrusion_detection"
 ],
- "severity": 5
+ "kind": "alert",
+ "severity": 5,
+ "type": [
+ "info"
+ ]
 },
 "@timestamp": "2022-07-07T06:15:38Z",
 "crowdstrike": {
- "event_type": "DetectionSummaryEvent",
 "detect_description": "Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. This activity has been raised for critical action and should be investigated urgently.",
- "severity_name": "Critical",
+ "event_type": "DetectionSummaryEvent",
 "host_groups": [
- "6252fc7505974dc38abfef73269b8deb",
- "b3365faa2fe44893b3c2c6b3bfbf6650",
- "e114797a97894ed3bfd6442ef7eead92",
 "1cd4a1385cac4db1a4d5f4d7ce035b65",
 "2faa12f2f1e046f2bc21cad5d01ae723",
- "37f2ae7c641845a4918f4348a52b4874"
- ]
+ "37f2ae7c641845a4918f4348a52b4874",
+ "6252fc7505974dc38abfef73269b8deb",
+ "b3365faa2fe44893b3c2c6b3bfbf6650",
+ "e114797a97894ed3bfd6442ef7eead92"
+ ],
+ "severity_name": "Critical"
+ },
+ "file": {
+ "hash": {
+ "md5": "d45bd7c7b7bf977246e9409d63435231",
+ "sha256": "249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3"
+ }
 },
 "host": {
 "name": "nsewmkzevukn-vm"
@@ -104,24 +110,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "log": {
 "hostname": "nsewmkzevukn-vm"
 },
- "user": {
- "name": "Administrator"
- },
 "process": {
- "pid": 22164474048,
+ "command_line": "C:\\Windows\\Explorer.EXE",
+ "name": "explorer.exe",
 "parent": {
 "pid": 22163465296
 },
- "command_line": "C:\\Windows\\Explorer.EXE",
- "name": "explorer.exe",
- "working_directory": "\\Device\\HarddiskVolume2\\Windows",
- "start": "2022-07-01T15:21:29Z"
- },
- "file": {
- "hash": {
- "md5": "d45bd7c7b7bf977246e9409d63435231",
- "sha256": "249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3"
- }
+ "pid": 22164474048,
+ "start": "2022-07-01T15:21:29Z",
+ "working_directory": "\\Device\\HarddiskVolume2\\Windows"
 },
 "related": {
 "hash": [
@@ -131,6 +128,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Administrator"
 ]
+ },
+ "user": {
+ "name": "Administrator"
 }
 }
@@ -144,22 +144,28 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\":{\"customerIDString\":\"44be50f58ccfcfcfcfcfcfcfcffc\",\"offset\":111111,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1682930000000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1682930000000,\"ProcessEndTime\":1682930000000,\"ProcessId\":1682930000000,\"ParentProcessId\":1682930000000,\"ComputerName\":\"ComputerName\",\"UserName\":\"Username\",\"DetectName\":\"DetectName\",\"DetectDescription\":\"This file meets the Adware/PUP Anti-malware ML algorithms high-confidence threshold.\",\"Severity\":2,\"SeverityName\":\"Low\",\"FileName\":\"Setup_test.exe\",\"FilePath\":\"\\\\Device\\\\Downloads\",\"CommandLine\":\"\\\"C:\\\\Setup_test.exe\\\" \",\"SHA256String\":\"76da317a8e17b7d773f09e3a7487\",\"MD5String\":\"b97cdbe4a9b032\",\"SHA1String\":\"00000000000000000\",\"MachineDomain\":\"AD\",\"FalconHostLink\":\"https://test.com/activity/\",\"SensorId\":\"c9794942866f428\",\"IOCType\":\"hash_sha256\",\"IOCValue\":\"76da317a8e17b7d773f09e3a748782e\",\"DetectId\":\"ldt:c9794942866f:26628996\",\"QuarantineFiles\":[{\"ImageFileName\":\"\\\\Device\\\\Setup_test.exe\",\"SHA256HashData\":\"76da317a8e17b7d773f09e\"}],\"LocalIP\":\"1.2.3.4\",\"MACAddress\":\"00-01-02-03-04-05\",\"Tactic\":\"Machine Learning\",\"Technique\":\"Adware/PUP\",\"Objective\":\"Falcon Detection Method\",\"PatternDispositionDescription\":\"Prevention/Quarantine, process was blocked from execution and quarantine was attempted.\",\"PatternDispositionValue\":2222,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":true,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"ProcessBlocked\":true,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false},\"ParentImageFileName\":\"\\\\Device\\\\test.exe\",\"ParentCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\test.exe\\\" \",\"GrandparentImageFileName\":\"\\\\Device\\\\test.exe\",\"GrandparentCommandLine\":\"test.exe\",\"AssociatedFile\":\"\\\\Device\\\\test.exe\",\"PatternId\":5555}}",
 "event": {
- "kind": "alert",
- "type": [
- "info"
- ],
 "category": [
 "intrusion_detection"
 ],
- "severity": 2
+ "kind": "alert",
+ "severity": 2,
+ "type": [
+ "info"
+ ]
 },
 "@timestamp": "2023-05-01T08:33:20Z",
 "crowdstrike": {
- "event_type": "DetectionSummaryEvent",
- "detect_id": "ldt:c9794942866f:26628996",
 "detect_description": "This file meets the Adware/PUP Anti-malware ML algorithms high-confidence threshold.",
+ "detect_id": "ldt:c9794942866f:26628996",
+ "event_type": "DetectionSummaryEvent",
 "severity_name": "Low"
 },
+ "file": {
+ "hash": {
+ "md5": "b97cdbe4a9b032",
+ "sha256": "76da317a8e17b7d773f09e3a7487"
+ }
+ },
 "host": {
 "ip": "1.2.3.4",
 "mac": "00-01-02-03-04-05",
@@ -168,34 +174,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "log": {
 "hostname": "ComputerName"
 },
- "user": {
- "name": "Username"
- },
 "process": {
- "pid": 1682930000000,
+ "command_line": "\"C:\\Setup_test.exe\" ",
+ "end": "2023-05-01T08:33:20Z",
+ "name": "Setup_test.exe",
 "parent": {
- "pid": 1682930000000,
+ "command_line": "\"C:\\Program Files (x86)\\test.exe\" ",
 "executable": "\\Device\\test.exe",
 "name": "test.exe",
- "working_directory": "\\Device",
- "command_line": "\"C:\\Program Files (x86)\\test.exe\" "
+ "pid": 1682930000000,
+ "working_directory": "\\Device"
 },
- "command_line": "\"C:\\Setup_test.exe\" ",
- "name": "Setup_test.exe",
- "working_directory": "\\Device\\Downloads",
- "end": "2023-05-01T08:33:20Z",
- "start": "2023-05-01T08:33:20Z"
+ "pid": 1682930000000,
+ "start": "2023-05-01T08:33:20Z",
+ "working_directory": "\\Device\\Downloads"
 },
- "file": {
- "hash": {
- "md5": "b97cdbe4a9b032",
- "sha256": "76da317a8e17b7d773f09e3a7487"
- }
+ "related": {
+ "hash": [
+ "76da317a8e17b7d773f09e3a7487",
+ "b97cdbe4a9b032"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "Username"
+ ]
 },
 "threat": {
- "tactic": {
- "name": "Machine Learning"
- },
 "indicator": {
 "description": "Prevention/Quarantine, process was blocked from execution and quarantine was attempted.",
 "file": {
@@ -205,21 +211,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "type": "file"
 },
+ "tactic": {
+ "name": "Machine Learning"
+ },
 "technique": {
 "name": "Adware/PUP"
 }
 },
- "related": {
- "hash": [
- "76da317a8e17b7d773f09e3a7487",
- "b97cdbe4a9b032"
- ],
- "ip": [
- "1.2.3.4"
- ],
- "user": [
- "Username"
- ]
+ "user": {
+ "name": "Username"
 }
 }
@@ -233,34 +233,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":733,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1657614940000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"foo.bar@sekoia.fr\",\"UserIp\":\"185.162.177.26\",\"OperationName\":\"detection_update\",\"ServiceName\":\"detections\",\"AuditKeyValues\":[{\"Key\":\"detection_id\",\"ValueString\":\"ldt:5418788591a444d1b45c2b39d3b07b50:21483381998\"},{\"Key\":\"new_state\",\"ValueString\":\"closed\"},{\"Key\":\"assigned_to\",\"ValueString\":\"Erwan Chevalier\"},{\"Key\":\"assigned_to_uid\",\"ValueString\":\"foo.bar@sekoia.fr\"}],\"UTCTimestamp\":1657614940}}",
 "event": {
+ "category": [
+ "configuration"
+ ],
 "kind": "event",
 "type": [
 "change"
- ],
- "category": [
- "configuration"
 ]
 },
 "@timestamp": "2022-07-12T08:35:40Z",
 "crowdstrike": {
- "event_type": "UserActivityAuditEvent",
 "detect_id": "ldt:5418788591a444d1b45c2b39d3b07b50:21483381998",
+ "event_type": "UserActivityAuditEvent",
 "operation_name": "detection_update"
 },
- "source": {
- "ip": "185.162.177.26",
- "address": "185.162.177.26"
+ "related": {
+ "ip": [
+ "185.162.177.26"
+ ]
 },
 "service": {
 "name": "detections"
 },
+ "source": {
+ "address": "185.162.177.26",
+ "ip": "185.162.177.26"
+ },
 "user": {
 "id": "foo.bar@sekoia.fr"
- },
- "related": {
- "ip": [
- "185.162.177.26"
- ]
 }
 }
@@ -278,47 +278,40 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "severity": 5
 },
 "@timestamp": "2022-07-28T15:09:51Z",
+ "cloud": {
+ "account": {
+ "id": "35f882a7-80ce-4e98-9efb-56f2382b6856"
+ },
+ "instance": {
+ "id": "9ed90be6-5f99-456c-9361-141f8cfa39ab"
+ },
+ "region": "rdp-east-us"
+ },
 "crowdstrike": {
- "event_type": "Vertex",
- "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "customer_id": "5d505aca55a145b3bd234c399201f082",
- "host_id": "9ed90be65f99456c9361141f8cfa39ab",
- "vertex_type": "device",
- "scope": "device",
- "object_id": "9ed90be65f99456c9361141f8cfa39ab",
+ "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "edge": {
 "subject_id": "pid:9ed90be65f99456c9361141f8cfa39ab:17326818154",
 "type": "device"
 },
- "severity_name": "Critical"
+ "event_type": "Vertex",
+ "host_id": "9ed90be65f99456c9361141f8cfa39ab",
+ "object_id": "9ed90be65f99456c9361141f8cfa39ab",
+ "scope": "device",
+ "severity_name": "Critical",
+ "vertex_type": "device"
 },
 "file": {
 "name": "Config.sys"
 },
- "source": {
- "ip": "1.2.3.4",
- "nat": {
- "ip": "4.3.2.1"
- },
- "address": "1.2.3.4"
- },
 "host": {
- "name": "mycomputer",
 "ip": [
 "10.0.4.4"
 ],
 "mac": [
 "00-0d-3a-9b-ed-fd"
- ]
- },
- "cloud": {
- "instance": {
- "id": "9ed90be6-5f99-456c-9361-141f8cfa39ab"
- },
- "account": {
- "id": "35f882a7-80ce-4e98-9efb-56f2382b6856"
- },
- "region": "rdp-east-us"
+ ],
+ "name": "mycomputer"
 },
 "related": {
 "ip": [
@@ -326,6 +319,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "10.0.4.4",
 "4.3.2.1"
 ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "4.3.2.1"
+ }
 }
 }
@@ -352,14 +352,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "incident_type": "UNUSUAL_ACTIVITY",
 "severity_name": "INFO"
 },
- "user": {
- "domain": "EXAMPLE.ORG",
- "name": "JOHNDOE"
- },
 "related": {
 "user": [
 "JOHNDOE"
 ]
+ },
+ "user": {
+ "domain": "EXAMPLE.ORG",
+ "name": "JOHNDOE"
 }
 }
@@ -386,14 +386,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "incident_type": "Use of stale user account",
 "severity_name": "INFO"
 },
- "user": {
- "domain": "EXAMPLE.ORG",
- "name": "JOHNDOE"
- },
 "related": {
 "user": [
 "JOHNDOE"
 ]
+ },
+ "user": {
+ "domain": "EXAMPLE.ORG",
+ "name": "JOHNDOE"
 }
 }
@@ -416,11 +416,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "@timestamp": "2023-08-03T12:04:17Z",
 "crowdstrike": {
- "event_type": "IdpDetectionSummaryEvent",
 "detect_description": "A stale user became active",
 "detect_name": "Use of stale user account",
+ "event_type": "IdpDetectionSummaryEvent",
 "pattern_id": "51130"
 },
+ "related": {
+ "user": [
+ "JOHNDOE"
+ ]
+ },
 "threat": {
 "tactic": {
 "name": "Initial Access"
@@ -433,11 +438,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "domain": "EXAMPLE.ORG",
 "id": "S-1-5-11-111111111-3333333333-2222222222-33775",
 "name": "JOHNDOE"
- },
- "related": {
- "user": [
- "JOHNDOE"
- ]
 }
 }
@@ -456,29 +456,29 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "@timestamp": "2022-07-30T20:32:53Z",
 "crowdstrike": {
- "event_type": "Vertex",
- "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "customer_id": "5d505aca55a145b3bd234c399201f082",
- "host_id": "9ed90be65f99456c9361141f8cfa39ab",
- "vertex_type": "module",
- "scope": "device",
- "object_id": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
+ "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "edge": {
 "subject_id": "pid:9ed90be65f99456c9361141f8cfa39ab:17326818154",
 "type": "primary_module"
 },
- "severity_name": "Critical"
- },
- "process": {
- "pid": 26229308171
+ "event_type": "Vertex",
+ "host_id": "9ed90be65f99456c9361141f8cfa39ab",
+ "object_id": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
+ "scope": "device",
+ "severity_name": "Critical",
+ "vertex_type": "module"
 },
 "file": {
 "hash": {
- "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
+ "md5": "68b329da9893e34099c7d8ad5cb9c940",
 "sha1": "0000000000000000000000000000000000000000",
- "md5": "68b329da9893e34099c7d8ad5cb9c940"
+ "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
 }
 },
+ "process": {
+ "pid": 26229308171
+ },
 "related": {
 "hash": [
 "0000000000000000000000000000000000000000",
@@ -503,45 +503,45 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "@timestamp": "2022-07-30T20:22:29Z",
 "crowdstrike": {
- "event_type": "Vertex",
- "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "customer_id": "5d505aca55a145b3bd234c399201f082",
- "host_id": "9ed90be65f99456c9361141f8cfa39ab",
- "vertex_type": "process",
- "scope": "device",
- "object_id": "123456789",
+ "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109",
 "edge": {
 "subject_id": "pid:9ed90be65f99456c9361141f8cfa39ab:17326818154",
 "type": "child_process"
 },
- "severity_name": "Critical"
+ "event_type": "Vertex",
+ "host_id": "9ed90be65f99456c9361141f8cfa39ab",
+ "object_id": "123456789",
+ "scope": "device",
+ "severity_name": "Critical",
+ "vertex_type": "process"
 },
- "user": {
- "id": "S-1-0-0"
+ "file": {
+ "hash": {
+ "sha256": "f1e8525fe2fbff523b2e56472231d4ac9aa102ba614694213e59b5eb2590cc15"
+ }
 },
 "process": {
 "command_line": "taskhostw.exe Install $(Arg0)",
+ "end": "2012-02-26T17:17:53.608252Z",
 "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\taskhostw.exe",
+ "exit_code": 0,
 "name": "taskhostw.exe",
- "title": "C:\\Windows\\system32\\taskhostw.exe",
- "working_directory": "\\Device\\HarddiskVolume2\\Windows\\System32",
- "pid": 14264,
 "parent": {
 "pid": 58913928
 },
+ "pid": 14264,
 "start": "2012-02-26T17:17:53.802418Z",
- "end": "2012-02-26T17:17:53.608252Z",
- "exit_code": 0
- },
- "file": {
- "hash": {
- "sha256": "f1e8525fe2fbff523b2e56472231d4ac9aa102ba614694213e59b5eb2590cc15"
- }
+ "title": "C:\\Windows\\system32\\taskhostw.exe",
+ "working_directory": "\\Device\\HarddiskVolume2\\Windows\\System32"
 },
 "related": {
 "hash": [
 "f1e8525fe2fbff523b2e56472231d4ac9aa102ba614694213e59b5eb2590cc15"
 ]
+ },
+ "user": {
+ "id": "S-1-0-0"
 }
 }
@@ -555,10 +555,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\": {\"customerIDString\": \"46de5283260647ec8f28def00bffd094\", \"offset\": 174, \"eventType\": \"AuthActivityAuditEvent\", \"eventCreationTime\": 1657110865303, \"version\": \"1.0\"}, \"event\": {\"UserId\": \"api-client-id:00000000000000000000000000000000\", \"UserIp\": \"185.162.177.26\", \"OperationName\": \"streamStarted\", \"ServiceName\": \"Crowdstrike Streaming API\", \"Success\": true, \"UTCTimestamp\": 1657110865, \"AuditKeyValues\": [{\"Key\": \"partition\", \"ValueString\": \"0\"}, {\"Key\": \"offset\", \"ValueString\": \"-1\"}, {\"Key\": \"appId\", \"ValueString\": \"sio-00000\"}, {\"Key\": \"eventType\", \"ValueString\": \"All event type(s)\"}, {\"Key\": \"APIClientID\", \"ValueString\": \"00000000000000000000000000000000\"}]}}",
 "event": {
- "kind": "event",
 "category": [
 "session"
 ],
+ "kind": "event",
 "type": [
 "start"
 ]
@@ -568,20 +568,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event_type": "AuthActivityAuditEvent",
 "operation_name": "streamStarted"
 },
- "source": {
- "ip": "185.162.177.26",
- "address": "185.162.177.26"
+ "related": {
+ "ip": [
+ "185.162.177.26"
+ ]
 },
 "service": {
 "name": "Crowdstrike Streaming API"
 },
+ "source": {
+ "address": "185.162.177.26",
+ "ip": "185.162.177.26"
+ },
 "user": {
 "id": "api-client-id:00000000000000000000000000000000"
- },
- "related": {
- "ip": [
- "185.162.177.26"
- ]
 }
 }
@@ -595,10 +595,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":200,\"eventType\":\"AuthActivityAuditEvent\",\"eventCreationTime\":1657203917516,\"version\":\"1.0\"},\"event\":{\"UserId\":\"api-client-id:00000000000000000000000000000000\",\"UserIp\":\"185.162.177.26\",\"OperationName\":\"streamStopped\",\"ServiceName\":\"Crowdstrike Streaming API\",\"Success\":true,\"UTCTimestamp\":1657203917,\"AuditKeyValues\":[{\"Key\":\"APIClientID\",\"ValueString\":\"00000000000000000000000000000000\"},{\"Key\":\"partition\",\"ValueString\":\"0\"},{\"Key\":\"offset\",\"ValueString\":\"-1\"},{\"Key\":\"appId\",\"ValueString\":\"sio-00000\"},{\"Key\":\"eventType\",\"ValueString\":\"All event type(s)\"}]}}",
 "event": {
- "kind": "event",
 "category": [
 "session"
 ],
+ "kind": "event",
 "type": [
 "stop"
 ]
@@ -608,20 +608,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event_type": "AuthActivityAuditEvent",
 "operation_name": "streamStopped"
 },
- "source": {
- "ip": "185.162.177.26",
- "address": "185.162.177.26"
+ "related": {
+ "ip": [
+ "185.162.177.26"
+ ]
 },
 "service": {
 "name": "Crowdstrike Streaming API"
 },
+ "source": {
+ "address": "185.162.177.26",
+ "ip": "185.162.177.26"
+ },
 "user": {
 "id": "api-client-id:00000000000000000000000000000000"
- },
- "related": {
- "ip": [
- "185.162.177.26"
- ]
 }
 }
@@ -635,34 +635,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":747,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1657614940000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"foo.bar@sekoia.fr\",\"UserIp\":\"185.162.177.26\",\"OperationName\":\"detection_update\",\"ServiceName\":\"detections\",\"AuditKeyValues\":[{\"Key\":\"detection_id\",\"ValueString\":\"ldt:5418788591a444d1b45c2b39d3b07b50:21482411386\"},{\"Key\":\"new_state\",\"ValueString\":\"closed\"},{\"Key\":\"assigned_to\",\"ValueString\":\"Foo Bar\"},{\"Key\":\"assigned_to_uid\",\"ValueString\":\"foo.bar@sekoia.fr\"}],\"UTCTimestamp\":1657614940}}", "event": { + "category": [ + "configuration" + ], "kind": "event", "type": [ "change" - ], - "category": [ - "configuration" ] }, "@timestamp": "2022-07-12T08:35:40Z", "crowdstrike": { - "event_type": "UserActivityAuditEvent", "detect_id": "ldt:5418788591a444d1b45c2b39d3b07b50:21482411386", + "event_type": "UserActivityAuditEvent", "operation_name": "detection_update" }, - "source": { - "ip": "185.162.177.26", - "address": "185.162.177.26" + "related": { + "ip": [ + "185.162.177.26" + ] }, "service": { "name": "detections" }, + "source": { + "address": "185.162.177.26", + "ip": "185.162.177.26" + }, "user": { "id": "foo.bar@sekoia.fr" - }, - "related": { - "ip": [ - "185.162.177.26" - ] } } 
@@ -680,35 +680,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "severity": 5 }, "@timestamp": "2022-07-30T20:42:28Z", + "action": { + "properties": { + "LogonId": "999", + "LogonType": "0" + } + }, "crowdstrike": { - "event_type": "Vertex", - "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109", "customer_id": "5d505aca55a145b3bd234c399201f082", - "host_id": "9ed90be65f99456c9361141f8cfa39ab", - "vertex_type": "user", - "scope": "device", - "object_id": "S-1-0-0", + "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109", "edge": { "subject_id": "pid:9ed90be65f99456c9361141f8cfa39ab:17326818154", "type": "user" }, - "severity_name": "Critical" - }, - "user": { - "domain": "DOMAIN", - "name": "myuser", - "id": "S-1-0-0" - }, - "action": { - "properties": { - "LogonType": "0", - "LogonId": "999" - } + "event_type": "Vertex", + "host_id": "9ed90be65f99456c9361141f8cfa39ab", + "object_id": "S-1-0-0", + "scope": "device", + "severity_name": "Critical", + "vertex_type": "user" }, "related": { "user": [ "myuser" ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-0-0", + "name": "myuser" } } 
@@ -726,35 +726,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "severity": 5 }, "@timestamp": "2022-07-30T20:27:27Z", + "action": { + "properties": { + "LogonId": "999", + "LogonType": "0" + } + }, "crowdstrike": { - "event_type": "Vertex", - "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109", "customer_id": "5d505aca55a145b3bd234c399201f082", - "host_id": "9ed90be65f99456c9361141f8cfa39ab", - "vertex_type": "user-session", - "scope": "device", - "object_id": "S-1-0-0|999", + "detect_id": "ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109", "edge": { "subject_id": "pid:9ed90be65f99456c9361141f8cfa39ab:17326818154", "type": "user_session" }, - "severity_name": "Critical" - }, - "user": { - "domain": "DOMAIN", - "name": "mysuer", - "id": "S-1-0-0" - }, - "action": { - "properties": { - "LogonType": "0", - "LogonId": "999" - } + "event_type": "Vertex", + "host_id": "9ed90be65f99456c9361141f8cfa39ab", + "object_id": "S-1-0-0|999", + "scope": "device", + "severity_name": "Critical", + "vertex_type": "user-session" }, "related": { "user": [ "mysuer" ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-0-0", + "name": "mysuer" } } diff --git a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md index 4e7e94df7b..15d4b7f9d8 100644 --- a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md +++ b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md 
@@ -37,66 +37,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Info: 1649097617.352 7 1.2.3.4 TCP_MISS/302 779 HEAD http://example.g1.com/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3 - DIRECT/example.g1.com text/html DEFAULT_CASE_12-DefaultGroup-Internal_network-NONE-NONE-NONE-DefaultGroup-NONE <\"IW_infr\",6.8,1,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,\"IW_infr\",-,\"-\",\"Infrastructure and Content Delivery Networks\",\"-\",\"Unknown\",\"Unknown\",\"-\",\"-\",890.29,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\",-> - -", "event": { - "start": "2022-04-04T18:40:17.352000Z", + "category": [ + "network", + "web" + ], "duration": 7, "kind": "event", - "category": [ - "web", - "network" - ] + "start": "2022-04-04T18:40:17.352000Z" }, "@timestamp": "2022-04-04T18:40:17.352000Z", - "observer": { - "product": "Cisco Web Security Appliances", - "type": "proxy", - "vendor": "Cisco" + "cisco_wsa": { + "cache_status": "miss", + "hierarchy_code": "DIRECT", + "threat": { + "category": "Not Set", + "name": "-" + }, + "url": { + "category": "Infrastructure and Content Delivery Networks", + "category_code": "IW_infr" + } }, - "network": { - "direction": "egress", - "transport": "tcp" + "destination": { + "address": "example.g1.com", + "domain": "example.g1.com", + "registered_domain": "g1.com", + "subdomain": "example", + "top_level_domain": "com" }, "http": { "request": { "method": "HEAD" }, "response": { - "status_code": 302, "bytes": 779, - "mime_type": "text/html" + "mime_type": "text/html", + "status_code": 302 } }, - "url": { - "original": "http://example.g1.com/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3", - "domain": "example.g1.com", - "top_level_domain": "com", - "subdomain": "example", - 
"registered_domain": "g1.com", - "path": "/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3", - "scheme": "http", - "port": 80 - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "domain": "example.g1.com", - "address": "example.g1.com", - "top_level_domain": "com", - "subdomain": "example", - "registered_domain": "g1.com" + "network": { + "direction": "egress", + "transport": "tcp" }, - "cisco_wsa": { - "hierarchy_code": "DIRECT", - "cache_status": "miss", - "url": { - "category_code": "IW_infr", - "category": "Infrastructure and Content Delivery Networks" - }, - "threat": { - "name": "-", - "category": "Not Set" - } + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" }, "related": { "hosts": [ @@ -105,6 +91,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.g1.com", + "original": "http://example.g1.com/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3", + "path": "/release2/chrome_component/ncl4aq5sui3jzdal274hizxkxe_102.0.4984.0/jamhcnnkihinmdlkakkaopbjbbcngflc_102.0.4984.0_all_kqe423m2ktlxwrfccq656tbhhi.crx3", + "port": 80, + "registered_domain": "g1.com", + "scheme": "http", + "subdomain": "example", + "top_level_domain": "com" } } 
@@ -118,88 +118,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Info: 1278096903.150 97 172.10.11.22 TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroupName-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy -", "event": { - "start": "2010-07-02T18:55:03.150000Z", + "category": [ + "network", + "web" + ], "duration": 97, "kind": "event", - "category": [ - "web", - "network" - ] + "start": "2010-07-02T18:55:03.150000Z" }, "@timestamp": "2010-07-02T18:55:03.150000Z", - "observer": { - "product": "Cisco Web Security Appliances", - "type": "proxy", - "vendor": "Cisco" - }, - "network": { - "direction": "egress", - "transport": "tcp" - }, - "http": { - "request": { - "method": "GET" + "cisco_wsa": { + "cache_status": "miss", + "hierarchy_code": "DIRECT", + "rule": { + "policy": { + "data_security": "DataSecurityPolicy", + "external_dlp": "ExternalDLPPolicy", + "name": "PolicyGroupName", + "outbound_malware_scanning": "OutboundMalwareScanningPolicy", + "routing": "RoutingPolicy" + } }, - "response": { - "status_code": 200, - "bytes": 8187, - "mime_type": "text/plain" + "threat": { + "category": "Known Malicious and High-Risk Files", + "category_code": 37, + "name": "W32.CiscoTestVector", + "reputation_score": 33 + }, + "url": { + "category": "Computers and Internet", + "category_code": "IW_comp" } }, - "url": { - "original": "http://my.site.com/", - "domain": "my.site.com", - "top_level_domain": "com", - "subdomain": "my", - "registered_domain": "site.com", - "path": "/", - "scheme": "http", - "port": 80 - }, - "rule": { - "ruleset": "Identity", - "id": "DEFAULT_CASE_11" - }, - "source": { - "ip": "172.10.11.22", - "address": "172.10.11.22" - }, "destination": { - "domain": "my.site.com", "address": "my.site.com", - "top_level_domain": "com", + "domain": "my.site.com", + "registered_domain": "site.com", "subdomain": "my", - 
"registered_domain": "site.com" + "top_level_domain": "com" }, "file": { - "name": "WSA-INFECTED-FILE.pdf", "hash": { "sha256": "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e" - } - }, - "cisco_wsa": { - "hierarchy_code": "DIRECT", - "rule": { - "policy": { - "name": "PolicyGroupName", - "outbound_malware_scanning": "OutboundMalwareScanningPolicy", - "data_security": "DataSecurityPolicy", - "external_dlp": "ExternalDLPPolicy", - "routing": "RoutingPolicy" - } }, - "cache_status": "miss", - "url": { - "category_code": "IW_comp", - "category": "Computers and Internet" + "name": "WSA-INFECTED-FILE.pdf" + }, + "http": { + "request": { + "method": "GET" }, - "threat": { - "name": "W32.CiscoTestVector", - "category_code": 37, - "reputation_score": 33, - "category": "Known Malicious and High-Risk Files" + "response": { + "bytes": 8187, + "mime_type": "text/plain", + "status_code": 200 } }, + "network": { + "direction": "egress", + "transport": "tcp" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" + }, "related": { "hash": [ "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e" @@ -210,6 +192,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "172.10.11.22" ] + }, + "rule": { + "id": "DEFAULT_CASE_11", + "ruleset": "Identity" + }, + "source": { + "address": "172.10.11.22", + "ip": "172.10.11.22" + }, + "url": { + "domain": "my.site.com", + "original": "http://my.site.com/", + "path": "/", + "port": 80, + "registered_domain": "site.com", + "scheme": "http", + "subdomain": "my", + "top_level_domain": "com" } } 
@@ -223,24 +223,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Info: Completed aggregating export files (#files: DOMAINS_BY_APP_TYPE 2023-02-10-11-40 #files: 1 #rows: 2 #total rows 6698) #duration(s): 0.01 #rate: 156/s\n", "event": { - "kind": "event", "category": [ - "web", - "network" - ] - }, - "observer": { - "product": "Cisco Web Security Appliances", - "type": "proxy", - "vendor": "Cisco" - }, - "network": { - "direction": "egress" + "network", + "web" + ], + "kind": "event" }, "cisco_wsa": { "threat": { "category": "Not Set" } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" } } @@ -254,24 +254,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Info: Completed writing export files to database (#counter_group: WEB_APPLICATION_TYPE_APPLICATION_NAME_DETAIL #interval 2023-02-10-11-40 #Serial number: 123456-789101112 #Time since data generated: 369\n", "event": { - "kind": "event", "category": [ - "web", - "network" - ] - }, - "observer": { - "product": "Cisco Web Security Appliances", - "type": "proxy", - "vendor": "Cisco" - }, - "network": { - "direction": "egress" + "network", + "web" + ], + "kind": "event" }, "cisco_wsa": { "threat": { "category": "Not Set" } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" } } 
@@ -285,88 +285,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1278096903.150 97 172.10.11.22 TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroupName-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy -", "event": { - "start": "2010-07-02T18:55:03.150000Z", + "category": [ + "network", + "web" + ], "duration": 97, "kind": "event", - "category": [ - "web", - "network" - ] + "start": "2010-07-02T18:55:03.150000Z" }, "@timestamp": "2010-07-02T18:55:03.150000Z", - "observer": { - "product": "Cisco Web Security Appliances", - "type": "proxy", - "vendor": "Cisco" - }, - "network": { - "direction": "egress", - "transport": "tcp" - }, - "http": { - "request": { - "method": "GET" + "cisco_wsa": { + "cache_status": "miss", + "hierarchy_code": "DIRECT", + "rule": { + "policy": { + "data_security": "DataSecurityPolicy", + "external_dlp": "ExternalDLPPolicy", + "name": "PolicyGroupName", + "outbound_malware_scanning": "OutboundMalwareScanningPolicy", + "routing": "RoutingPolicy" + } }, - "response": { - "status_code": 200, - "bytes": 8187, - "mime_type": "text/plain" + "threat": { + "category": "Known Malicious and High-Risk Files", + "category_code": 37, + "name": "W32.CiscoTestVector", + "reputation_score": 33 + }, + "url": { + "category": "Computers and Internet", + "category_code": "IW_comp" } }, - "url": { - "original": "http://my.site.com/", - "domain": "my.site.com", - "top_level_domain": "com", - "subdomain": "my", - "registered_domain": "site.com", - "path": "/", - "scheme": "http", - "port": 80 - }, - "rule": { - "ruleset": "Identity", - "id": "DEFAULT_CASE_11" - }, - "source": { - "ip": "172.10.11.22", - "address": "172.10.11.22" - }, "destination": { - "domain": "my.site.com", "address": "my.site.com", - "top_level_domain": "com", + "domain": "my.site.com", + "registered_domain": "site.com", "subdomain": "my", - 
"registered_domain": "site.com" + "top_level_domain": "com" }, "file": { - "name": "WSA-INFECTED-FILE.pdf", "hash": { "sha256": "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e" - } - }, - "cisco_wsa": { - "hierarchy_code": "DIRECT", - "rule": { - "policy": { - "name": "PolicyGroupName", - "outbound_malware_scanning": "OutboundMalwareScanningPolicy", - "data_security": "DataSecurityPolicy", - "external_dlp": "ExternalDLPPolicy", - "routing": "RoutingPolicy" - } }, - "cache_status": "miss", - "url": { - "category_code": "IW_comp", - "category": "Computers and Internet" + "name": "WSA-INFECTED-FILE.pdf" + }, + "http": { + "request": { + "method": "GET" }, - "threat": { - "name": "W32.CiscoTestVector", - "category_code": 37, - "reputation_score": 33, - "category": "Known Malicious and High-Risk Files" + "response": { + "bytes": 8187, + "mime_type": "text/plain", + "status_code": 200 } }, + "network": { + "direction": "egress", + "transport": "tcp" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" + }, "related": { "hash": [ "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e" @@ -377,6 +359,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "172.10.11.22" ] + }, + "rule": { + "id": "DEFAULT_CASE_11", + "ruleset": "Identity" + }, + "source": { + "address": "172.10.11.22", + "ip": "172.10.11.22" + }, + "url": { + "domain": "my.site.com", + "original": "http://my.site.com/", + "path": "/", + "port": 80, + "registered_domain": "site.com", + "scheme": "http", + "subdomain": "my", + "top_level_domain": "com" } } diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index 3a8629cd60..a75bd0f53e 100644 
--- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md @@ -44,8 +44,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "kind": "event", - "reason": "Starting Events watcher", - "provider": "SEKOIA-IO-Endpoint" + "provider": "SEKOIA-IO-Endpoint", + "reason": "Starting Events watcher" }, "@timestamp": "2023-01-23T09:35:34.990000Z", "agent": { @@ -57,10 +57,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "raphael-XPS-13-9370", + "name": "raphael-XPS-13-9370", "os": { "family": "linux" - }, - "name": "raphael-XPS-13-9370" + } }, "log": { "level": "info", @@ -150,10 +150,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "question": { "name": "connect.facebook.net", + "registered_domain": "facebook.net", "size_in_char": 20, - "top_level_domain": "net", "subdomain": "connect", - "registered_domain": "facebook.net" + "top_level_domain": "net" }, "response_code": "0" }, @@ -166,10 +166,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "chrome.exe", "pid": 6440 }, - "user": { - "name": "test", - "domain": "TEST-PC" - }, "related": { "hosts": [ "connect.facebook.net", @@ -178,6 +174,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test" ] + }, + "user": { + "domain": "TEST-PC", + "name": "test" } } 
@@ -198,18 +198,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "sekoiaio": { - "agent": { - "cpu_usage": 0.26030037, - "memory_usage": 0.14199863 - }, - "host": { - "cpu_usage": 12.285156, - "memory_total": 16961064960, - "memory_available": 8049606656, - "memory_usage": 52 - } - }, "@timestamp": "2022-06-02T12:18:37.672233Z", "agent": { "id": "c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857", @@ -217,13 +205,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "test-PC", - "uptime": 17899, - "name": "test-PC" + "name": "test-PC", + "uptime": 17899 }, "related": { "hosts": [ "test-PC" ] + }, + "sekoiaio": { + "agent": { + "cpu_usage": 0.26030037, + "memory_usage": 0.14199863 + }, + "host": { + "cpu_usage": 12.285156, + "memory_available": 8049606656, + "memory_total": 16961064960, + "memory_usage": 52 + } } } @@ -244,18 +244,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "sekoiaio": { - "agent": { - "cpu_usage": 0.26030037, - "memory_usage": 0.14199863 - }, - "host": { - "cpu_usage": 12.285156, - "memory_total": 16961064960, - "memory_available": 8049606656, - "memory_usage": 52 - } - }, "@timestamp": "2022-06-02T12:18:37.672233Z", "agent": { "id": "c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857", @@ -263,13 +251,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "test-PC", - "uptime": 17899, - "name": "test-PC" + "name": "test-PC", + "uptime": 17899 }, "related": { "hosts": [ "test-PC" ] + }, + "sekoiaio": { + "agent": { + "cpu_usage": 0.26030037, + "memory_usage": 0.14199863 + }, + "host": { + "cpu_usage": 12.285156, + "memory_available": 8049606656, + "memory_total": 16961064960, + "memory_usage": 52 + } } } 
@@ -292,70 +292,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. "start" ] }, - "sekoiaio": { - "server": { - "os": { - "type": "linux" - }, - "name": "foobar.net" - } - }, "@timestamp": "2023-06-23T07:41:09.858000Z", "action": { + "outcome": "success", "properties": { "hostname": "1.1.1.1", "id": "1063", "op": "login", "terminal": "ssh" - }, - "outcome": "success" + } }, "agent": { "id": "2c59eed20c79ccd855d4a9c336ae9e0d2311970d30b87e426ff582032eeef137", "version": "v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f" }, + "client": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "id": "1063", + "name": "USER_FOO" + } + }, "host": { + "hostname": "foobar.net", + "name": "foobar.net", "os": { "type": "linux" - }, - "hostname": "foobar.net", - "name": "foobar.net" + } }, "network": { "direction": "ingress" }, "process": { "executable": "/usr/sbin/sshd", - "pid": 1750, - "name": "sshd" + "name": "sshd", + "pid": 1750 }, - "source": { - "address": "1.1.1.1", - "ip": "1.1.1.1" - }, - "user": { - "id": "1063", - "name": "USER_FOO" - }, - "client": { - "ip": "1.1.1.1", - "user": { - "id": "1063", - "name": "USER_FOO" - }, - "address": "1.1.1.1" - }, - "server": {}, "related": { "hosts": [ "foobar.net" ], - "user": [ - "USER_FOO" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "USER_FOO" ] + }, + "sekoiaio": { + "server": { + "name": "foobar.net", + "os": { + "type": "linux" + } + } + }, + "server": {}, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "id": "1063", + "name": "USER_FOO" } } 
@@ -378,42 +378,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "start" ] }, - "sekoiaio": { - "server": { - "os": { - "type": "linux" - }, - "name": "PC-FOO" - }, - "client": { - "os": { - "type": "linux" - }, - "name": "PC-FOO" - } - }, "@timestamp": "2023-06-23T07:41:09.963000Z", "action": { + "outcome": "success", "properties": { "old-ses": "4294967295", "tty": "(none)" - }, - "outcome": "success" + } }, "agent": { "id": "f31fc5ca6f75e383f658d526d9b77273fa45c94e1bcedde5d67b1d05b0e7e6fb", "version": "v0.6.2+3ed1a7925ff2e6aa758d382bf19c9ea3f1db49c3" }, + "client": {}, "host": { + "hostname": "PC-FOO", + "name": "PC-FOO", "os": { "type": "linux" - }, - "hostname": "PC-FOO", - "name": "PC-FOO" + } }, "process": { "pid": 121806 }, + "related": { + "hosts": [ + "PC-FOO" + ], + "user": [ + "root" + ] + }, + "sekoiaio": { + "client": { + "name": "PC-FOO", + "os": { + "type": "linux" + } + }, + "server": { + "name": "PC-FOO", + "os": { + "type": "linux" + } + } + }, + "server": {}, "user": { "effective": { "id": "998", @@ -425,16 +435,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "998", "name": "stats" } - }, - "server": {}, - "client": {}, - "related": { - "hosts": [ - "PC-FOO" - ], - "user": [ - "root" - ] } } 
@@ -457,42 +457,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. "start" ] }, - "sekoiaio": { - "server": { - "os": { - "type": "linux" - }, - "name": "PC-FOO" - } - }, "@timestamp": "2023-06-23T07:41:10.892000Z", "action": { + "outcome": "failure", "properties": { "acct": "(invalid user)", "op": "login", "terminal": "sshd" - }, - "outcome": "failure" + } }, "agent": { "id": "9a886b450f79c889a751cb64775e44f60b61dc421130c97cfe37dc214293f390", "version": "v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f" }, + "client": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "id": "unset", + "name": "root" + } + }, "host": { + "hostname": "PC-FOO", + "name": "PC-FOO", "os": { "type": "linux" - }, - "hostname": "PC-FOO", - "name": "PC-FOO" + } }, "network": { "direction": "ingress" }, "process": { "executable": "/usr/sbin/sshd", - "pid": 3799903, - "name": "sshd" + "name": "sshd", + "pid": 3799903 }, + "related": { + "hosts": [ + "PC-FOO" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "root" + ] + }, + "sekoiaio": { + "server": { + "name": "PC-FOO", + "os": { + "type": "linux" + } + } + }, + "server": {}, "source": { "address": "1.1.1.1", "ip": "1.1.1.1" @@ -506,26 +526,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "target": { "name": "(invalid user)" } - }, - "client": { - "ip": "1.1.1.1", - "user": { - "id": "unset", - "name": "root" - }, - "address": "1.1.1.1" - }, - "server": {}, - "related": { - "hosts": [ - "PC-FOO" - ], - "user": [ - "root" - ], - "ip": [ - "1.1.1.1" - ] } } 
@@ -549,42 +549,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "creation" ] }, - "sekoiaio": { - "process": { - "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01" - }, - "source_process": { - "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain", - "executable": "C:\\Windows\\system32\\svchost.exe", - "name": "svchost.exe", - "parent": { - "pid": 656 - }, - "pid": 1356, - "thread": { - "id": 1480 - }, - "args": [ - "C:\\Windows\\system32\\svchost.exe", - "-k", - "LocalSystemNetworkRestricted", - "-p", - "-s", - "SysMain" - ], - "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01" - }, - "target_process": { - "pid": 4, - "thread": { - "id": 5096 - }, - "guid": "4392d6e4-f852-559f-858c-a4351889e3c4" - } - }, "@timestamp": "2022-07-13T17:35:34.769726Z", "action": { "id": 3, + "outcome": "success", "properties": { "Keywords": "0x8000000000000020", "ProviderGuid": "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}", @@ -598,8 +566,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "UserStackBase": "0x0", "UserStackLimit": "0x0", "Win32StartAddr": "0xFFFFF8020AE71320" - }, - "outcome": "success" + } }, "agent": { "id": "d54749e87baf4b60ec7a9e51e16f1ee39f4aeaaf3070da908e0627cd02cf62f7", @@ -610,6 +577,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "DESKTOP-Q2PN4RP" }, "process": { + "args": [ + "-k", + "-p", + "-s", + "C:\\Windows\\system32\\svchost.exe", + "LocalSystemNetworkRestricted", + "SysMain" + ], "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain", "executable": "C:\\Windows\\system32\\svchost.exe", "name": "svchost.exe", 
@@ -619,20 +594,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "pid": 1356, "thread": { "id": 1480 - }, - "args": [ - "C:\\Windows\\system32\\svchost.exe", - "-k", - "LocalSystemNetworkRestricted", - "-p", - "-s", - "SysMain" - ] + } }, "related": { "hosts": [ "DESKTOP-Q2PN4RP" ] + }, + "sekoiaio": { + "process": { + "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01" + }, + "source_process": { + "args": [ + "-k", + "-p", + "-s", + "C:\\Windows\\system32\\svchost.exe", + "LocalSystemNetworkRestricted", + "SysMain" + ], + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain", + "executable": "C:\\Windows\\system32\\svchost.exe", + "guid": "1d63ca73-6449-5fa9-8ca0-5ed461943a01", + "name": "svchost.exe", + "parent": { + "pid": 656 + }, + "pid": 1356, + "thread": { + "id": 1480 + } + }, + "target_process": { + "guid": "4392d6e4-f852-559f-858c-a4351889e3c4", + "pid": 4, + "thread": { + "id": 5096 + } + } } } 
@@ -646,36 +646,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"user\":{\"target\":{\"id\":\"S-1-5-18\",\"name\":\"Syst\u00e8me\",\"domain\":\"AUTORITE NT\"},\"id\":\"S-1-5-18\",\"name\":\"SRV-FOO\",\"domain\":\"MY-DOMAIN\"},\"action\":{\"properties\":{\"AuthenticationPackageName\":\"Negotiate\",\"EventType\":\"AUDIT_SUCCESS\",\"ImpersonationLevel\":\"%%1833\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Keywords\":\"0x8020000000000000\",\"LmPackageName\":\"-\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"LogonProcessName\":\"Advapi \",\"LogonType\":\"5\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"SubjectDomainName\":\"MY-DOMAIN\",\"SubjectLogonId\":\"0x3E7\",\"SubjectUserName\":\"SRV-FOO\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetDomainName\":\"AUTORITE NT\",\"TargetLogonId\":\"0x3E7\",\"TargetUserName\":\"Syst\u00e8me\",\"TargetUserSid\":\"S-1-5-18\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"-\"},\"id\":4624},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4624},\"agent\":{\"id\":\"1193b609e262926e284b6076cab8919b8725fa9f576a22c7e0041edeb04f5c76\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"SRV-FOO\"},\"process\":{\"executable\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"name\":\"services.exe\",\"pid\":676},\"@timestamp\":\"2023-06-23T08:15:00.4849617Z\"}\n", "event": { - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", + "action": "authentication_service", "category": [ "authentication" ], + "code": "4624", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "action": "authentication_service" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - 
"name": "SRV-FOO", - "user": { - "name": "SRV-FOO", - "id": "S-1-5-18" - } - }, - "server": { - "name": "SRV-FOO", - "os": { - "type": "windows" - } - } + ] }, "@timestamp": "2023-06-23T08:15:00.484961Z", "action": { + "id": 4624, + "outcome": "success", "properties": { "AuthenticationPackageName": "Negotiate", "EventType": "AUDIT_SUCCESS", @@ -702,36 +686,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetUserSid": "S-1-5-18", "TransmittedServices": "-", "WorkstationName": "-" - }, - "id": 4624, - "outcome": "success" + } }, "agent": { "id": "1193b609e262926e284b6076cab8919b8725fa9f576a22c7e0041edeb04f5c76", "version": "v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f" }, "host": { + "hostname": "SRV-FOO", + "name": "SRV-FOO", "os": { "type": "windows" - }, - "hostname": "SRV-FOO", - "name": "SRV-FOO" + } }, "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "Advapi ", "pid": 676 }, - "user": { - "target": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" - }, - "id": "S-1-5-18", - "name": "SRV-FOO", - "domain": "MY-DOMAIN" - }, "related": { "hosts": [ "SRV-FOO" @@ -739,6 +711,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SRV-FOO" ] + }, + "sekoiaio": { + "client": { + "name": "SRV-FOO", + "os": { + "type": "windows" + }, + "user": { + "id": "S-1-5-18", + "name": "SRV-FOO" + } + }, + "server": { + "name": "SRV-FOO", + "os": { + "type": "windows" + } + } + }, + "user": { + "domain": "MY-DOMAIN", + "id": "S-1-5-18", + "name": "SRV-FOO", + "target": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" + } } } 
@@ -752,36 +752,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"user\":{\"target\":{\"id\":\"S-1-0-0\",\"name\":\"foo-vm\",\"domain\":\"foo-vm\"},\"id\":\"S-1-0-0\"},\"action\":{\"properties\":{\"AuthenticationPackageName\":\"NTLM\",\"EventType\":\"AUDIT_FAILURE\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"1.1.1.1\",\"IpPort\":\"0\",\"KeyLength\":\"0\",\"Keywords\":\"0x8010000000000000\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":\"3\",\"ProcessName\":\"-\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"Status\":\"0xC000006D\",\"SubStatus\":\"0xC0000064\",\"SubjectDomainName\":\"-\",\"SubjectLogonId\":\"0x0\",\"SubjectUserName\":\"-\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetDomainName\":\"foo-vm\",\"TargetUserName\":\"foo-vm\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"WIN-FOO\"},\"id\":4625},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4625},\"agent\":{\"id\":\"dd4e2378f7208b8b8557a9b7a725b6d551887b868c72b8cb91668d56eca10c6f\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"foo-vm\"},\"source\":{\"address\":\"1.1.1.1\",\"ip\":\"1.1.1.1\"},\"@timestamp\":\"2023-06-23T08:13:49.4015618Z\"}\n", "event": { - "code": "4625", - "provider": "Microsoft-Windows-Security-Auditing", + "action": "authentication_network", "category": [ "authentication" ], + "code": "4625", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", "type": [ "start" - ], - "action": "authentication_network", - "reason": "user_not_exist" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "WIN-FOO", - "user": { - "id": "S-1-0-0" - } - }, - "server": { - "name": "foo-vm", - "os": { - "type": "windows" - } - } + ] }, "@timestamp": 
"2023-06-23T08:13:49.401561Z", "action": { + "id": 4625, + "outcome": "failure", "properties": { "AuthenticationPackageName": "NTLM", "EventType": "AUDIT_FAILURE", @@ -808,32 +793,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetUserSid": "S-1-0-0", "TransmittedServices": "-", "WorkstationName": "WIN-FOO" - }, - "id": 4625, - "outcome": "failure" + } }, "agent": { "id": "dd4e2378f7208b8b8557a9b7a725b6d551887b868c72b8cb91668d56eca10c6f", "version": "v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f" }, + "client": { + "ip": "1.1.1.1" + }, "host": { + "hostname": "foo-vm", + "name": "foo-vm", "os": { "type": "windows" - }, - "hostname": "foo-vm", - "name": "foo-vm" - }, - "source": { - "address": "1.1.1.1", - "ip": "1.1.1.1" + } }, - "user": { - "target": { - "id": "S-1-0-0", - "name": "foo-vm", - "domain": "foo-vm" - }, - "id": "S-1-0-0" + "process": { + "name": "NtLmSsp " }, "related": { "hosts": [ @@ -843,11 +820,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.1.1.1" ] }, - "client": { + "sekoiaio": { + "client": { + "name": "WIN-FOO", + "os": { + "type": "windows" + }, + "user": { + "id": "S-1-0-0" + } + }, + "server": { + "name": "foo-vm", + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "1.1.1.1", "ip": "1.1.1.1" }, - "process": { - "name": "NtLmSsp " + "user": { + "id": "S-1-0-0", + "target": { + "domain": "foo-vm", + "id": "S-1-0-0", + "name": "foo-vm" + } } } diff --git a/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md b/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md index 0c766e8adf..1e63fd4785 100644 --- a/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md +++ b/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md 
@@ -27,80 +27,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=15:01:22 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1631192482 appid=65432 user=\"jean@SEKOIANETWORK.EXAMPLE.FR\" group=\"ADM\" srcip=192.168.1.2 dstip=1.2.3.4 srcport=43564 dstport=443 srcintf=\"port01\" srcintfrole=\"undefined\" dstintf=\"port01\" dstintfrole=\"undefined\" proto=6 service=\"HTTPS\" direction=\"incoming\" policyid=01 sessionid=000000001 applist=\"standard\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"example.com\" incidentserialno=123456789 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\"", "event": { - "start": "2021-09-09T13:01:22Z", + "category": "app-ctrl", "kind": "utm", - "category": "app-ctrl" + "start": "2021-09-09T13:01:22Z" }, "action": { "name": "pass", "type": "app-ctrl-all" }, + "destination": { + "address": "example.com", + "domain": "example.com", + "ip": "1.2.3.4", + "port": 443, + "registered_domain": "example.com", + "top_level_domain": "com" + }, "fortinet": { - "vd": "root", - "devid": "OIDL03VZRZEDKKD", - "logid": "1000234512", - "sessionid": "000000001", - "srcintfrole": "undefined", - "dstintfrole": "undefined", - "policyid": "01", - "level": "information", - "proto": "6", - "appcat": "Web.Client", "app": "HTTPS.BROWSER", + "appcat": "Web.Client", "applist": "standard", "apprisk": "medium", + "devid": "OIDL03VZRZEDKKD", + "direction": "incoming", + "dstintfrole": "undefined", "group": "ADM", "incidentserialno": "123456789", - "direction": "incoming" + "level": "information", + "logid": "1000234512", + "policyid": "01", + "proto": "6", + "sessionid": "000000001", + "srcintfrole": "undefined", + "vd": "root" }, - "source": { - "port": 43564, - "ip": "192.168.1.2", - "address": "192.168.1.2" + "network": { + "direction": "inbound", + 
"protocol": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "port01" } }, - "egress": { + "hostname": "fortiproxyunit", + "ingress": { "interface": { "name": "port01" } }, - "type": "proxy", - "vendor": "Fortinet", "product": "FortiProxy", - "hostname": "fortiproxyunit" - }, - "destination": { - "port": 443, - "ip": "1.2.3.4", - "domain": "example.com", - "address": "example.com", - "top_level_domain": "com", - "registered_domain": "example.com" - }, - "service": { - "name": "https" + "type": "proxy", + "vendor": "Fortinet" }, "process": { "pid": 65432 }, - "user": { - "name": "jean@SEKOIANETWORK.EXAMPLE.FR" - }, - "url": { - "domain": "example.com", - "full": "example.com/", - "original": "/", - "path": "/" - }, - "network": { - "protocol": "tcp", - "direction": "inbound" - }, "related": { "hosts": [ "example.com", @@ -113,6 +96,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jean@SEKOIANETWORK.EXAMPLE.FR" ] + }, + "service": { + "name": "https" + }, + "source": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 43564 + }, + "url": { + "domain": "example.com", + "full": "example.com/", + "original": "/", + "path": "/" + }, + "user": { + "name": "jean@SEKOIANETWORK.EXAMPLE.FR" } } 
@@ -126,67 +126,86 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=14:29:04 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"utm\" subtype=\"dlp\" eventtype=\"dlp\" level=\"notice\" vd=\"root\" eventtime=1631190544 filteridx=0 filtertype=\"none\" filtercat=\"none\" severity=\"medium\" policyid=6 sessionid=000000001 epoch=402874927 eventid=0 user=\"USERNAME\" group=\"GROUPNAME\" srcip=192.168.1.2 srcport=12345 srcintf=\"eth\" srcintfrole=\"undefined\" dstip=2.2.2.2 dstport=443 dstintf=\"eth\" dstintfrole=\"undefined\" proto=6 service=\"HTTPS\" filetype=\"png\" direction=\"incoming\" action=\"log-only\" hostname=\"example.fr\" url=\"/rmn.png?foo=bar\" agent=\"Custom Useragent\" filename=\"picture.png\" filesize=100 profile=\"profile_name\"", "event": { - "start": "2021-09-09T12:29:04Z", + "category": "dlp", "kind": "utm", - "category": "dlp" + "start": "2021-09-09T12:29:04Z" }, "action": { "name": "log-only", "type": "dlp" }, + "destination": { + "address": "example.fr", + "domain": "example.fr", + "ip": "2.2.2.2", + "port": 443, + "registered_domain": "example.fr", + "top_level_domain": "fr" + }, + "file": { + "name": "picture.png", + "size": 100, + "type": "png" + }, "fortinet": { - "vd": "root", "devid": "OIDL03VZRZEDKKD", - "logid": "1000234512", - "sessionid": "000000001", - "srcintfrole": "undefined", + "direction": "incoming", "dstintfrole": "undefined", - "policyid": "6", - "level": "notice", - "proto": "6", - "group": "GROUPNAME", - "filteridx": "0", + "eventid": "0", "filtercat": "none", - "profile": "profile_name", + "filteridx": "0", "filtertype": "none", - "eventid": "0", + "group": "GROUPNAME", + "level": "notice", + "logid": "1000234512", + "policyid": "6", + "profile": "profile_name", + "proto": "6", + "sessionid": "000000001", "severity": "medium", - "direction": "incoming" + "srcintfrole": "undefined", + "vd": "root" }, - "source": { - "port": 12345, - "ip": 
"192.168.1.2", - "address": "192.168.1.2" + "network": { + "direction": "inbound", + "protocol": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "eth" } }, - "egress": { + "hostname": "fortiproxyunit", + "ingress": { "interface": { "name": "eth" } }, - "type": "proxy", - "vendor": "Fortinet", "product": "FortiProxy", - "hostname": "fortiproxyunit" + "type": "proxy", + "vendor": "Fortinet" }, - "destination": { - "port": 443, - "ip": "2.2.2.2", - "domain": "example.fr", - "address": "example.fr", - "top_level_domain": "fr", - "registered_domain": "example.fr" + "related": { + "hosts": [ + "example.fr", + "fortiproxyunit" + ], + "ip": [ + "192.168.1.2", + "2.2.2.2" + ], + "user": [ + "USERNAME" + ] }, "service": { "name": "https" }, - "user": { - "name": "USERNAME" + "source": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 12345 }, "url": { "domain": "example.fr", @@ -195,37 +214,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "path": "/rmn.png", "query": "foo=bar" }, - "file": { - "type": "png", - "name": "picture.png", - "size": 100 + "user": { + "name": "USERNAME" }, "user_agent": { - "original": "Custom Useragent", "device": { "name": "Other" }, "name": "Other", + "original": "Custom Useragent", "os": { "name": "Other" } - }, - "network": { - "protocol": "tcp", - "direction": "inbound" - }, - "related": { - "hosts": [ - "example.fr", - "fortiproxyunit" - ], - "ip": [ - "192.168.1.2", - "2.2.2.2" - ], - "user": [ - "USERNAME" - ] } } 
@@ -239,28 +239,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=09:44:52 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"event\" subtype=\"system\" level=\"warning\" vd=\"root\" eventtime=1631778292 logdesc=\"File dropped due to poor network connection\" count=6 action=\"transfer\" status=\"drop\" reason=\"poor-network-condition\" msg=\"1 file were dropped by quard to FortiSandbox: 0 reached max retries, 1 reached TTL.\"", "event": { - "start": "2021-09-16T07:44:52Z", + "category": "system", "kind": "event", - "category": "system" + "start": "2021-09-16T07:44:52Z" }, "action": { "name": "transfer" }, "fortinet": { - "vd": "root", "devid": "OIDL03VZRZEDKKD", - "logid": "1000234512", "level": "warning", + "logdesc": "File dropped due to poor network connection", + "logid": "1000234512", "msg": "1 file were dropped by quard to FortiSandbox: 0 reached max retries, 1 reached TTL.", "reason": "poor-network-condition", - "logdesc": "File dropped due to poor network connection", - "status": "drop" + "status": "drop", + "vd": "root" }, "observer": { - "type": "proxy", - "vendor": "Fortinet", + "hostname": "fortiproxyunit", "product": "FortiProxy", - "hostname": "fortiproxyunit" + "type": "proxy", + "vendor": "Fortinet" }, "related": { "hosts": [ 
@@ -279,70 +279,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=09:40:24 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1631086824 srcip=192.168.1.2 srcport=11111 srcintf=\"eth\" srcintfrole=\"undefined\" dstip=1.2.3.4 dstport=443 dstintf=\"eth\" dstintfrole=\"undefined\" sessionid=000000001 dstcountry=\"France\" srccountry=\"Reserved\" service=\"HTTPS\" wanoptapptype=\"web\" proto=6 action=\"accept\" duration=100 policyid=1 policytype=\"policy\" wanin=01 rcvdbyte=1000 wanout=2000 lanin=3000 sentbyte=4000 lanout=5000 appcat=\"appcat1\" utmaction=\"allow\" countweb=4", "event": { - "start": "2021-09-08T07:40:24Z", - "kind": "traffic", "category": "forward", - "duration": 100 + "duration": 100, + "kind": "traffic", + "start": "2021-09-08T07:40:24Z" }, "action": { "name": "accept", "type": "allow" }, + "destination": { + "address": "1.2.3.4", + "bytes": 1000, + "geo": { + "country_name": "France" + }, + "ip": "1.2.3.4", + "port": 443 + }, "fortinet": { - "vd": "root", + "appcat": "appcat1", "devid": "OIDL03VZRZEDKKD", - "logid": "1000234512", - "sessionid": "000000001", - "srcintfrole": "undefined", "dstintfrole": "undefined", + "lanout": "5000", + "level": "notice", + "logid": "1000234512", "policyid": "1", "policytype": "policy", - "level": "notice", "proto": "6", - "appcat": "appcat1", + "sessionid": "000000001", + "srcintfrole": "undefined", + "vd": "root", "wanin": "01", - "wanout": "2000", - "lanout": "5000" + "wanout": "2000" }, - "source": { - "bytes": 4000, - "port": 11111, - "geo": { - "country_name": "Reserved" - }, - "ip": "192.168.1.2", - "address": "192.168.1.2" + "network": { + "protocol": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "eth" } }, - "egress": { + "hostname": "fortiproxyunit", + "ingress": { "interface": { "name": "eth" } }, - "type": "proxy", - "vendor": 
"Fortinet", "product": "FortiProxy", - "hostname": "fortiproxyunit" - }, - "destination": { - "port": 443, - "geo": { - "country_name": "France" - }, - "bytes": 1000, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "service": { - "name": "https" - }, - "network": { - "protocol": "tcp" + "type": "proxy", + "vendor": "Fortinet" }, "related": { "hosts": [ @@ -352,6 +340,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "192.168.1.2" ] + }, + "service": { + "name": "https" + }, + "source": { + "address": "192.168.1.2", + "bytes": 4000, + "geo": { + "country_name": "Reserved" + }, + "ip": "192.168.1.2", + "port": 11111 } } 
@@ -365,105 +365,105 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=10:28:09 devname=\"fortiprxweb02\" devid=\"FPX4HETA21000025\" eventtime=1693384088834139124 tz=\"+0200\" logid=\"0317013312\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" policyid=5 poluuid=\"721cdbfe-f99e-51ed-1e58-8ced3bccf4b9\" policytype=\"policy\" sessionid=1822934421 transid=132186705 user=\"P001834\" group=\"GGA_PROXY_STANDARD\" srcip=10.24.20.183 srcport=55464 srccountry=\"Reserved\" srcintf=\"port1\" srcintfrole=\"undefined\" srcuuid=\"7020872e-f99e-51ed-b1da-cd426e764ff1\" dstip=185.86.138.122 dstport=443 dstcountry=\"France\" dstintf=\"port1\" dstintfrole=\"undefined\" proto=6 service=\"HTTPS\" hostname=\"adapi.smartadserver.com\" profile=\"standard\" action=\"passthrough\" reqtype=\"referral\" url=\"https://adapi.smartadserver.com/h/nshow?siteid=526525&pgid=1640800&fmtid=115018&tag=sas_115018&tmstp=3164739173&visit=S&acd=1693384088720&opid=6ad51551-b841-4005-a201-e725f3a0462b&opdt=1693384088720&ckid=6765086078691789562&cappid=6765086078691789562&async=1&systgt=%24qc%3D1313276323%3B%24ql%3DMedium%3B%24qpc%3D79000%3B%24qt%3D184_442_42565t%3B%24dma%3D0%3B%24b%3D16999%3B%24o%3D11100%3B%24sw%3D1920%3B%24sh%3D1080&tgt=%24dt%3D1t&pgDomain=https://lfna.fff.fr/competitions&noadcbk=sas.noad&gdpr=1&gdpr_consent=\" referralurl=\"https://lfna.fff.fr/\" sentbyte=3753 rcvdbyte=512 direction=\"outgoing\" msg=\"URL belongs to an allowed category in policy\" method=\"domain\" cat=17 catdesc=\"Advertising\"", "event": { - "start": "2023-08-30T08:28:08.800000Z", + "category": "webfilter", "kind": "utm", - "category": "webfilter" + "start": "2023-08-30T08:28:08.800000Z" }, "action": { "name": "passthrough", "type": "ftgd_allow" }, + "destination": { + "address": "adapi.smartadserver.com", + "bytes": 512, + "domain": "adapi.smartadserver.com", + "geo": { + "country_name": "France" + }, + "ip": "185.86.138.122", + 
"port": 443, + "registered_domain": "smartadserver.com", + "subdomain": "adapi", + "top_level_domain": "com" + }, "fortinet": { - "vd": "root", "devid": "FPX4HETA21000025", - "logid": "0317013312", - "sessionid": "1822934421", - "srcintfrole": "undefined", "dstintfrole": "undefined", + "group": "GGA_PROXY_STANDARD", + "level": "notice", + "logid": "0317013312", "policyid": "5", - "poluuid": "721cdbfe-f99e-51ed-1e58-8ced3bccf4b9", "policytype": "policy", - "level": "notice", - "reqtype": "referral", + "poluuid": "721cdbfe-f99e-51ed-1e58-8ced3bccf4b9", "proto": "6", - "group": "GGA_PROXY_STANDARD" + "reqtype": "referral", + "sessionid": "1822934421", + "srcintfrole": "undefined", + "vd": "root" }, - "source": { - "bytes": 3753, - "port": 55464, - "geo": { - "country_name": "Reserved" - }, - "ip": "10.24.20.183", - "address": "10.24.20.183" + "http": { + "request": { + "referrer": "https://lfna.fff.fr/" + } + }, + "network": { + "protocol": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "port1" } }, - "egress": { + "hostname": "fortiprxweb02", + "ingress": { "interface": { "name": "port1" } }, - "type": "proxy", - "vendor": "Fortinet", "product": "FortiProxy", - "hostname": "fortiprxweb02" + "type": "proxy", + "vendor": "Fortinet" }, - "destination": { - "port": 443, - "geo": { - "country_name": "France" - }, - "bytes": 512, - "ip": "185.86.138.122", - "domain": "adapi.smartadserver.com", - "address": "adapi.smartadserver.com", - "top_level_domain": "com", - "subdomain": "adapi", - "registered_domain": "smartadserver.com" + "related": { + "hosts": [ + "adapi.smartadserver.com", + "fortiprxweb02" + ], + "ip": [ + "10.24.20.183", + "185.86.138.122" + ], + "user": [ + "P001834" + ] }, "service": { "name": "https" }, - "user": { - "name": "P001834" - }, - "http": { - "request": { - "referrer": "https://lfna.fff.fr/" - } + "source": { + "address": "10.24.20.183", + "bytes": 3753, + "geo": { + "country_name": "Reserved" + }, + "ip": 
"10.24.20.183", + "port": 55464 }, "url": { "domain": "adapi.smartadserver.com", "full": "adapi.smartadserver.comhttps://adapi.smartadserver.com/h/nshow?siteid=526525&pgid=1640800&fmtid=115018&tag=sas_115018&tmstp=3164739173&visit=S&acd=1693384088720&opid=6ad51551-b841-4005-a201-e725f3a0462b&opdt=1693384088720&ckid=6765086078691789562&cappid=6765086078691789562&async=1&systgt=%24qc%3D1313276323%3B%24ql%3DMedium%3B%24qpc%3D79000%3B%24qt%3D184_442_42565t%3B%24dma%3D0%3B%24b%3D16999%3B%24o%3D11100%3B%24sw%3D1920%3B%24sh%3D1080&tgt=%24dt%3D1t&pgDomain=https://lfna.fff.fr/competitions&noadcbk=sas.noad&gdpr=1&gdpr_consent=", "original": "https://adapi.smartadserver.com/h/nshow?siteid=526525&pgid=1640800&fmtid=115018&tag=sas_115018&tmstp=3164739173&visit=S&acd=1693384088720&opid=6ad51551-b841-4005-a201-e725f3a0462b&opdt=1693384088720&ckid=6765086078691789562&cappid=6765086078691789562&async=1&systgt=%24qc%3D1313276323%3B%24ql%3DMedium%3B%24qpc%3D79000%3B%24qt%3D184_442_42565t%3B%24dma%3D0%3B%24b%3D16999%3B%24o%3D11100%3B%24sw%3D1920%3B%24sh%3D1080&tgt=%24dt%3D1t&pgDomain=https://lfna.fff.fr/competitions&noadcbk=sas.noad&gdpr=1&gdpr_consent=", - "top_level_domain": "com", - "subdomain": "adapi", - "registered_domain": "smartadserver.com", "path": "/h/nshow", + "port": 443, "query": "siteid=526525&pgid=1640800&fmtid=115018&tag=sas_115018&tmstp=3164739173&visit=S&acd=1693384088720&opid=6ad51551-b841-4005-a201-e725f3a0462b&opdt=1693384088720&ckid=6765086078691789562&cappid=6765086078691789562&async=1&systgt=%24qc%3D1313276323%3B%24ql%3DMedium%3B%24qpc%3D79000%3B%24qt%3D184_442_42565t%3B%24dma%3D0%3B%24b%3D16999%3B%24o%3D11100%3B%24sw%3D1920%3B%24sh%3D1080&tgt=%24dt%3D1t&pgDomain=https://lfna.fff.fr/competitions&noadcbk=sas.noad&gdpr=1&gdpr_consent=", + "registered_domain": "smartadserver.com", "scheme": "https", - "port": 443 - }, - "network": { - "protocol": "tcp" + "subdomain": "adapi", + "top_level_domain": "com" }, - "related": { - "hosts": [ - "adapi.smartadserver.com", 
- "fortiprxweb02" - ], - "ip": [ - "10.24.20.183", - "185.86.138.122" - ], - "user": [ - "P001834" - ] + "user": { + "name": "P001834" } } 
@@ -477,50 +477,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=15:01:23 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"traffic\" subtype=\"http-transaction\" level=\"notice\" vd=\"root\" eventtime=1631192483 srcip=192.168.1.2 dstip=1.1.1.1 scheme=\"https\" srcport=123456 dstport=443 hostname=\"example.com\" url=\"https://example.com/foo.html?id=123\" policyid=1 reqlength=100 resplength=200 resptype=\"normal\" statuscode=200 reqtime=1631182483 resptime=1631182483 respfinishtime=1631182483 duration=100", "event": { - "start": "2021-09-09T13:01:23Z", - "kind": "traffic", "category": "http-transaction", - "duration": 100 + "duration": 100, + "kind": "traffic", + "start": "2021-09-09T13:01:23Z" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "ip": "1.1.1.1", + "port": 443, + "registered_domain": "example.com", + "top_level_domain": "com" }, "fortinet": { - "vd": "root", "devid": "OIDL03VZRZEDKKD", + "level": "notice", "logid": "1000234512", "policyid": "1", - "level": "notice", "reqtime": "2021-09-09T10:14:43.0Z", + "respfinishtime": "2021-09-09T10:14:43.0Z", "resptime": "2021-09-09T10:14:43.0Z", - "respfinishtime": "2021-09-09T10:14:43.0Z" - }, - "source": { - "port": 123456, - "ip": "192.168.1.2", - "address": "192.168.1.2" - }, - "destination": { - "port": 443, - "ip": "1.1.1.1", - "domain": "example.com", - "address": "example.com", - "top_level_domain": "com", - "registered_domain": "example.com" - }, - "observer": { - "type": "proxy", - "vendor": "Fortinet", - "product": "FortiProxy", - "hostname": "fortiproxyunit" - }, - "url": { - "domain": "example.com", - "full": "https://example.com/foo.html?id=123", - "original": "https://example.com/foo.html?id=123", - "top_level_domain": "com", - "registered_domain": "example.com", - "path": "/foo.html", - "query": "id=123", - "scheme": "https", - "port": 443 + "vd": "root" }, "http": { "request": { 
@@ -531,6 +509,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "hostname": "fortiproxyunit", + "product": "FortiProxy", + "type": "proxy", + "vendor": "Fortinet" + }, "related": { "hosts": [ "example.com", @@ -540,6 +524,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.1.1.1", "192.168.1.2" ] + }, + "source": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 123456 + }, + "url": { + "domain": "example.com", + "full": "https://example.com/foo.html?id=123", + "original": "https://example.com/foo.html?id=123", + "path": "/foo.html", + "port": 443, + "query": "id=123", + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" } } 
@@ -553,71 +553,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=14:19:19 devname=\"fortiproxyunit\" devid=\"OIDL03VZRZEDKKD\" logid=\"1000234512\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" eventtime=1631179959 policyid=5 sessionid=10000000 user=\"john\" group=\"groupname\" srcip=192.168.1.2 srcport=10000 srcintf=\"eth\" srcintfrole=\"undefined\" dstip=1.1.1.1 dstport=443 dstintf=\"eth\" dstintfrole=\"undefined\" proto=6 service=\"HTTPS\" hostname=\"example.fr\" profile=\"standard\" action=\"passthrough\" reqtype=\"referral\" url=\"/foo/bar.html?id=1\"", "event": { - "start": "2021-09-09T09:32:39Z", + "category": "webfilter", "kind": "utm", - "category": "webfilter" + "start": "2021-09-09T09:32:39Z" }, "action": { "name": "passthrough", "type": "ftgd_allow" }, + "destination": { + "address": "example.fr", + "domain": "example.fr", + "ip": "1.1.1.1", + "port": 443, + "registered_domain": "example.fr", + "top_level_domain": "fr" + }, "fortinet": { - "vd": "root", "devid": "OIDL03VZRZEDKKD", - "logid": "1000234512", - "sessionid": "10000000", - "srcintfrole": "undefined", "dstintfrole": "undefined", - "policyid": "5", + "group": "groupname", "level": "notice", - "reqtype": "referral", + "logid": "1000234512", + "policyid": "5", "proto": "6", - "group": "groupname" + "reqtype": "referral", + "sessionid": "10000000", + "srcintfrole": "undefined", + "vd": "root" }, - "source": { - "port": 10000, - "ip": "192.168.1.2", - "address": "192.168.1.2" + "network": { + "protocol": "tcp" }, "observer": { - "ingress": { + "egress": { "interface": { "name": "eth" } }, - "egress": { + "hostname": "fortiproxyunit", + "ingress": { "interface": { "name": "eth" } }, - "type": "proxy", - "vendor": "Fortinet", "product": "FortiProxy", - "hostname": "fortiproxyunit" - }, - "destination": { - "port": 443, - "ip": "1.1.1.1", - "domain": "example.fr", - "address": "example.fr", - 
"top_level_domain": "fr", - "registered_domain": "example.fr" - }, - "service": { - "name": "https" - }, - "user": { - "name": "john" - }, - "url": { - "domain": "example.fr", - "full": "example.fr/foo/bar.html?id=1", - "original": "/foo/bar.html?id=1", - "path": "/foo/bar.html", - "query": "id=1" - }, - "network": { - "protocol": "tcp" + "type": "proxy", + "vendor": "Fortinet" }, "related": { "hosts": [ @@ -631,6 +613,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john" ] + }, + "service": { + "name": "https" + }, + "source": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 10000 + }, + "url": { + "domain": "example.fr", + "full": "example.fr/foo/bar.html?id=1", + "original": "/foo/bar.html?id=1", + "path": "/foo/bar.html", + "query": "id=1" + }, + "user": { + "name": "john" } } diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md index 335b3a5ac9..98d5e0428a 100644 --- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md +++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md 
@@ -38,57 +38,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4719", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 4719, + "name": "System audit policy was changed", + "outcome": "success", + "properties": [ + { + "AuditPolicyChanges": "%%8450", + "opcode": 0 + } + ], + "record_id": 56204662, + "type": "Security" }, - "log": { - "hostname": "WinAzureTest" + "azure_windows": { + "event_data": { + "AuditPolicyChanges": "%%8450", + "CategoryId": "%%8273", + "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}", + "SubcategoryId": "%%12544", + "SubjectDomainName": "ACME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "Acmesubject$", + "SubjectUserSid": "S-1-5-18" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "13568" }, "host": { "hostname": "WinAzureTest", "name": "WinAzureTest" }, - "user": { - "id": "S-1-5-18", - "domain": "ACME", - "name": "Acmesubject$" + "log": { + "hostname": "WinAzureTest" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { + "pid": 592, "thread": { "id": 6452 - }, - "pid": 592 - }, - "azure_windows": { - "task": "13568", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "Acmesubject$", - "SubjectDomainName": "ACME", - "SubjectLogonId": "0x3e7", - "CategoryId": "%%8273", - "SubcategoryId": "%%12544", - "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}", - "AuditPolicyChanges": "%%8450" } }, - "action": { - "type": "Security", - "id": 4719, - "record_id": 56204662, - "properties": [ - { - "opcode": 0, - "AuditPolicyChanges": "%%8450" - } - ], - "name": "System audit policy was changed", - "outcome": "success" - }, 
"related": { "hosts": [ "WinAzureTest" @@ -96,6 +91,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Acmesubject$" ] + }, + "user": { + "domain": "ACME", + "id": "S-1-5-18", + "name": "Acmesubject$" } } 
@@ -124,109 +124,94 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tIdentification\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1004336348-2052111302-725345543-33053\\r\\n\\tAccount Name:\\t\\tHOSTMON\\r\\n\\tAccount Domain:\\t\\tACME.LOCAL\\r\\n\\tLogon ID:\\t\\t0x6409B67A\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.129.224.1\\r\\n\\tSource Port:\\t\\t55731\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"EventId\":4624,\"Level\":0,\"Opcode\":0,\"Pid\":632,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"4624201254400x80200000000000009999727SecurityAZNTPI-01.acme.localS-1-0-0--0x0S-1-5-21-1004336348-2052111302-725345543-33053HOSTMONACME.LOCAL0x6409b67a3KerberosKerberos-{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}--00x0-10.129.224.155731%%1832---%%18430x0%%1842\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":12544,\"Tid\":904},\"time\":\"2019-07-22T11:20:54.5585776Z\"}", "event": { - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", "category": [ "authentication" ], + "code": "4624", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" ] }, - "sekoiaio": { - "server": { - "os": { - "type": "windows" + "action": { + "id": 4624, + "name": "An account was successfully logged on", + "outcome": "success", + "properties": [ + { + "domain": "ACME.LOCAL", + "id": 
"S-1-5-21-1004336348-2052111302-725345543-33053", + "name": "HOSTMON", + "opcode": 0, + "type": "targetedUser" } - } - }, - "os": { - "family": "windows", - "platform": "windows" - }, - "log": { - "hostname": "AZNTPI-01.acme.local" - }, - "host": { - "hostname": "AZNTPI-01.acme.local", - "name": "AZNTPI-01.acme.local" - }, - "user": { - "id": "S-1-0-0" - }, - "source": { - "port": 55731, - "ip": "10.129.224.1", - "address": "10.129.224.1" - }, - "process": { - "thread": { - "id": 904 - }, - "pid": 632, - "parent": { - "pid": 0 - } + ], + "record_id": 9999727, + "target": "user", + "type": "Security" }, "azure_windows": { - "task": "12544", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", "event_data": { - "SubjectUserSid": "S-1-0-0", - "SubjectUserName": "-", - "SubjectDomainName": "-", - "SubjectLogonId": "0x0", - "TargetUserSid": "S-1-5-21-1004336348-2052111302-725345543-33053", - "TargetUserName": "HOSTMON", - "TargetDomainName": "ACME.LOCAL", - "TargetLogonId": "0x6409b67a", - "LogonType": "3", - "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos", - "WorkstationName": "-", - "LogonGuid": "{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}", - "TransmittedServices": "-", - "LmPackageName": "-", + "ElevatedToken": "%%1842", + "ImpersonationLevel": "%%1832", + "IpAddress": "10.129.224.1", + "IpPort": "55731", "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}", + "LogonProcessName": "Kerberos", + "LogonType": "3", "ProcessId": "0x0", "ProcessName": "-", - "IpAddress": "10.129.224.1", - "IpPort": "55731", - "ImpersonationLevel": "%%1832", "RestrictedAdminMode": "-", - "TargetOutboundUserName": "-", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "ACME.LOCAL", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6409b67a", 
"TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "HOSTMON", + "TargetUserSid": "S-1-5-21-1004336348-2052111302-725345543-33053", + "TransmittedServices": "-", "VirtualAccount": "%%1843", - "TargetLinkedLogonId": "0x0", - "ElevatedToken": "%%1842" + "WorkstationName": "-" }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "12544", "user": { - "identifier": "S-1-5-21-1004336348-2052111302-725345543-33053", - "type": "targetedUser", - "name": "HOSTMON", "domain": { "name": "ACME.LOCAL" - } + }, + "identifier": "S-1-5-21-1004336348-2052111302-725345543-33053", + "name": "HOSTMON", + "type": "targetedUser" } }, - "action": { - "type": "Security", - "id": 4624, - "record_id": 9999727, - "properties": [ - { - "opcode": 0, - "id": "S-1-5-21-1004336348-2052111302-725345543-33053", - "name": "HOSTMON", - "type": "targetedUser", - "domain": "ACME.LOCAL" - } - ], - "target": "user", - "name": "An account was successfully logged on", - "outcome": "success" + "host": { + "hostname": "AZNTPI-01.acme.local", + "name": "AZNTPI-01.acme.local" + }, + "log": { + "hostname": "AZNTPI-01.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 632, + "thread": { + "id": 904 + } }, "related": { "hosts": [ @@ -235,6 +220,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "10.129.224.1" ] + }, + "sekoiaio": { + "server": { + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "10.129.224.1", + "ip": "10.129.224.1", + "port": 55731 + }, + "user": { + "id": "S-1-0-0" } } 
@@ -251,60 +251,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "5058", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 5058, + "name": "Key file operation", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 249096, + "type": "Security" }, - "log": { - "hostname": "WindowsDesktop" + "azure_windows": { + "event_data": { + "AlgorithmName": "UNKNOWN", + "ClientCreationTime": "2019-06-24T09:18:43.902454200Z", + "ClientProcessId": "5396", + "KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b", + "KeyName": "{3F1E0FA6-ACA6-4152-803B-976EF5816428}", + "KeyType": "%%2499", + "Operation": "%%2458", + "ProviderName": "Microsoft Software Key Storage Provider", + "ReturnCode": "0x0", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WindowsDesktop$", + "SubjectUserSid": "S-1-5-18" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "12292" }, "host": { "hostname": "WindowsDesktop", "name": "WindowsDesktop" }, - "user": { - "id": "S-1-5-18", - "domain": "WORKGROUP", - "name": "WindowsDesktop$" + "log": { + "hostname": "WindowsDesktop" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { + "pid": 704, "thread": { "id": 6864 - }, - "pid": 704 - }, - "azure_windows": { - "task": "12292", - "opcode": "0", - "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "WindowsDesktop$", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "ClientProcessId": "5396", - "ClientCreationTime": "2019-06-24T09:18:43.902454200Z", - "ProviderName": 
"Microsoft Software Key Storage Provider", - "AlgorithmName": "UNKNOWN", - "KeyName": "{3F1E0FA6-ACA6-4152-803B-976EF5816428}", - "KeyType": "%%2499", - "KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b", - "Operation": "%%2458", - "ReturnCode": "0x0" - } - }, - "action": { - "type": "Security", - "id": 5058, - "record_id": 249096, - "properties": [ - { - "opcode": 0 - } - ], - "name": "Key file operation", - "outcome": "success" + } }, "related": { "hosts": [ @@ -313,6 +308,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "WindowsDesktop$" ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WindowsDesktop$" } } 
@@ -329,60 +329,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4634", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" - }, - "log": { - "hostname": "AZNTPI-01.acme.local" - }, - "host": { - "hostname": "AZNTPI-01.acme.local", - "name": "AZNTPI-01.acme.local" - }, - "process": { - "thread": { - "id": 3136 - }, - "pid": 632 + "action": { + "id": 4634, + "name": "An account was logged off", + "outcome": "success", + "properties": [ + { + "domain": "ACME", + "id": "S-1-5-18", + "name": "AZNTPI-01$", + "opcode": 0, + "type": "targetedUser" + } + ], + "record_id": 10036511, + "target": "user", + "type": "Security" }, "azure_windows": { - "task": "12545", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", "event_data": { - "TargetUserSid": "S-1-5-18", - "TargetUserName": "AZNTPI-01$", + "LogonType": "3", "TargetDomainName": "ACME", "TargetLogonId": "0x686007f9", - "LogonType": "3" + "TargetUserName": "AZNTPI-01$", + "TargetUserSid": "S-1-5-18" }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "12545", "user": { - "identifier": "S-1-5-18", - "type": "targetedUser", - "name": "AZNTPI-01$", "domain": { "name": "ACME" - } + }, + "identifier": "S-1-5-18", + "name": "AZNTPI-01$", + "type": "targetedUser" } }, - "action": { - "type": "Security", - "id": 4634, - "record_id": 10036511, - "properties": [ - { - "opcode": 0, - "id": "S-1-5-18", - "name": "AZNTPI-01$", - "type": "targetedUser", - "domain": "ACME" - } - ], - "target": "user", - "name": "An account was logged off", - "outcome": "success" + "host": { + "hostname": "AZNTPI-01.acme.local", + "name": "AZNTPI-01.acme.local" + }, + "log": { + "hostname": "AZNTPI-01.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + 
"process": { + "pid": 632, + "thread": { + "id": 3136 + } }, "related": { "hosts": [ 
@@ -404,73 +404,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 4688, + "name": "A new process has been created", + "outcome": "success", + "properties": [ + { + "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "opcode": 0 + } + ], + "record_id": 3892523, + "type": "Security" }, - "log": { - "hostname": "AZNTPI-02.acme.local" + "azure_windows": { + "event_data": { + "CommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe\" -PerfMode optimize -quickscan -event -json", + "MandatoryLabel": "S-1-16-16384", + "NewProcessId": "0x50", + "NewProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe", + "ParentProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", + "ProcessId": "0x1568", + "SubjectDomainName": "ACME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "AZNTPI-02$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1936" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "13312" }, "host": { "hostname": "AZNTPI-02.acme.local", "name": "AZNTPI-02.acme.local" }, - "user": { - "id": "S-1-5-18", - "domain": "ACME", - "name": "AZNTPI-02$" + "log": { + "hostname": "AZNTPI-02.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 8060 - }, - "pid": 80, - "name": "pmfexe.exe", - "working_directory": "c:\\program files\\microsoft monitoring agent\\agent\\health service 
state\\monitoring host temporary files 52\\696", - "executable": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696\\pmfexe.exe", "command_line": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696\\pmfexe.exe -perfmode optimize -quickscan -event -json", + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696\\pmfexe.exe", + "name": "pmfexe.exe", "parent": { - "name": "monitoringhost.exe", - "working_directory": "c:\\program files\\microsoft monitoring agent\\agent", "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", - "pid": 5480 - } - }, - "azure_windows": { - "task": "13312", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "AZNTPI-02$", - "SubjectDomainName": "ACME", - "SubjectLogonId": "0x3e7", - "NewProcessId": "0x50", - "NewProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe", - "TokenElevationType": "%%1936", - "ProcessId": "0x1568", - "CommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe\" -PerfMode optimize -quickscan -event -json", - "TargetUserSid": "S-1-0-0", - "TargetUserName": "-", - "TargetDomainName": "-", - "TargetLogonId": "0x0", - "ParentProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", - "MandatoryLabel": "S-1-16-16384" - } - }, - "action": { - "type": "Security", - "id": 4688, - "record_id": 3892523, - "properties": [ - { - "opcode": 0, - "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe" - 
} - ], - "name": "A new process has been created", - "outcome": "success" + "name": "monitoringhost.exe", + "pid": 5480, + "working_directory": "c:\\program files\\microsoft monitoring agent\\agent" + }, + "pid": 80, + "thread": { + "id": 8060 + }, + "working_directory": "c:\\program files\\microsoft monitoring agent\\agent\\health service state\\monitoring host temporary files 52\\696" }, "related": { "hosts": [ @@ -479,6 +474,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AZNTPI-02$" ] + }, + "user": { + "domain": "ACME", + "id": "S-1-5-18", + "name": "AZNTPI-02$" } } 
@@ -495,67 +495,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 4688, + "name": "A new process has been created", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 4948641, + "type": "Security" }, - "log": { - "hostname": "AZSQL-02.acme.local" + "azure_windows": { + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-ExecutionPolicy\" \"Unrestricted\" \"-Noninteractive\" \"-NoProfile\" \"-NoLogo\" \"-File\" \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\AzureMetadata.ps1\"", + "NewProcessId": "0x17b4", + "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "ProcessId": "0x1788", + "SubjectDomainName": "ACME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "AZSQL-02$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1936" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "13312" }, "host": { "hostname": "AZSQL-02.acme.local", "name": "AZSQL-02.acme.local" }, - "user": { - "id": "S-1-5-18", - "domain": "ACME", - "name": "AZSQL-02$" + "log": { + "hostname": "AZSQL-02.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 9396 - }, - "pid": 6068, - "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0", - "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -executionpolicy unrestricted -noninteractive -noprofile -nologo -file c:\\program 
files\\microsoft dependency agent\\plugins\\azuremetadata.ps1", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "name": "powershell.exe", "parent": { "pid": 6024 - } - }, - "azure_windows": { - "task": "13312", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "AZSQL-02$", - "SubjectDomainName": "ACME", - "SubjectLogonId": "0x3e7", - "NewProcessId": "0x17b4", - "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "TokenElevationType": "%%1936", - "ProcessId": "0x1788", - "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-ExecutionPolicy\" \"Unrestricted\" \"-Noninteractive\" \"-NoProfile\" \"-NoLogo\" \"-File\" \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\AzureMetadata.ps1\"", - "TargetUserSid": "S-1-0-0", - "TargetUserName": "-", - "TargetDomainName": "-", - "TargetLogonId": "0x0" - } - }, - "action": { - "type": "Security", - "id": 4688, - "record_id": 4948641, - "properties": [ - { - "opcode": 0 - } - ], - "name": "A new process has been created", - "outcome": "success" + }, + "pid": 6068, + "thread": { + "id": 9396 + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" }, "related": { "hosts": [ @@ -564,6 +559,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AZSQL-02$" ] + }, + "user": { + "domain": "ACME", + "id": "S-1-5-18", + "name": "AZSQL-02$" } } 
@@ -580,40 +580,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "10001", "provider": "Microsoft-Windows-RestartManager" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 10001, + "name": "no match", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 9379, + "type": "Application" }, - "log": { - "hostname": "lab-vm" + "azure_windows": { + "opcode": "0", + "provider_guid": "0888e5ef-9b98-4695-979d-e92ce4247224", + "provider_name": "Microsoft-Windows-RestartManager", + "task": "0" }, "host": { "hostname": "lab-vm", "name": "lab-vm" }, + "log": { + "hostname": "lab-vm" + }, + "os": { + "family": "windows", + "platform": "windows" + }, "process": { + "pid": 3732, "thread": { "id": 2144 - }, - "pid": 3732 - }, - "azure_windows": { - "task": "0", - "opcode": "0", - "provider_guid": "0888e5ef-9b98-4695-979d-e92ce4247224", - "provider_name": "Microsoft-Windows-RestartManager" - }, - "action": { - "type": "Application", - "id": 10001, - "record_id": 9379, - "properties": [ - { - "opcode": 0 - } - ], - "name": "no match", - "outcome": "success" + } }, "related": { "hosts": [ 
@@ -635,84 +635,80 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "1", "provider": "Microsoft-Windows-Sysmon" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 1, + "name": "Process creation", + "outcome": "success", + "properties": [ + { + "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "opcode": 0 + } + ], + "record_id": 120166, + "type": "Microsoft-Windows-Sysmon/Operational" }, - "log": { - "hostname": "WindowsDesktop" + "azure_windows": { + "event_data": { + "CommandLine": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "Company": "Microsoft Corporation", + "CurrentDirectory": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 3\\507\\", + "Description": "Microsoft \u00ae Console Based Script Host", + "FileVersion": "5.812.10240.16384", + "Hashes": "MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC", + "Image": "C:\\Windows\\System32\\cscript.exe", + "IntegrityLevel": "System", + "LogonGuid": "{f67648d5-e752-5d68-0000-0020e7030000}", + "LogonId": "0x3e7", + "OriginalFileName": "cscript.exe", + "ParentCommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding", + "ParentImage": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", + "ParentProcessGuid": "{f67648d5-e7c8-5d68-0000-00109ed81e00}", + "ParentProcessId": "10068", + "ProcessGuid": "{f67648d5-384f-5d69-0000-00101bd8b501}", + "ProcessId": "6272", + "Product": "Microsoft \u00ae Windows Script Host", + "RuleName": null, + "TerminalSessionId": "0", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-08-30 14:53:03.012" + }, + "opcode": "0", + "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "1" }, "host": { 
"hostname": "WindowsDesktop", "name": "WindowsDesktop" }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" + "log": { + "hostname": "WindowsDesktop" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 5036 - }, - "pid": 3272, + "command_line": "c:\\windows\\system32\\cscript.exe /nologo monitorknowledgediscovery.vbs", + "executable": "c:\\windows\\system32\\cscript.exe", "hash": { "md5": "a45586b3a5a291516cd10ef4fd3ee768", "sha256": "59d3cdc7d51fa34c6b27b8b04ea17992955466eb25022b7bd64880ab35df0bbc" }, "name": "cscript.exe", - "working_directory": "c:\\windows\\system32", - "executable": "c:\\windows\\system32\\cscript.exe", - "command_line": "c:\\windows\\system32\\cscript.exe /nologo monitorknowledgediscovery.vbs", "parent": { - "name": "monitoringhost.exe", - "working_directory": "c:\\program files\\microsoft monitoring agent\\agent", - "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", "command_line": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe -embedding", - "pid": 6272 - } - }, - "azure_windows": { - "task": "1", - "opcode": "0", - "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", - "provider_name": "Microsoft-Windows-Sysmon", - "event_data": { - "RuleName": null, - "UtcTime": "2019-08-30 14:53:03.012", - "ProcessGuid": "{f67648d5-384f-5d69-0000-00101bd8b501}", - "ProcessId": "6272", - "Image": "C:\\Windows\\System32\\cscript.exe", - "FileVersion": "5.812.10240.16384", - "Description": "Microsoft \u00ae Console Based Script Host", - "Product": "Microsoft \u00ae Windows Script Host", - "Company": "Microsoft Corporation", - "OriginalFileName": "cscript.exe", - "CommandLine": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", - "CurrentDirectory": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 3\\507\\", - "User": "NT AUTHORITY\\SYSTEM", 
- "LogonGuid": "{f67648d5-e752-5d68-0000-0020e7030000}", - "LogonId": "0x3e7", - "TerminalSessionId": "0", - "IntegrityLevel": "System", - "Hashes": "MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC", - "ParentProcessGuid": "{f67648d5-e7c8-5d68-0000-00109ed81e00}", - "ParentProcessId": "10068", - "ParentImage": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", - "ParentCommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding" - } - }, - "action": { - "type": "Microsoft-Windows-Sysmon/Operational", - "id": 1, - "record_id": 120166, - "properties": [ - { - "opcode": 0, - "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe" - } - ], - "name": "Process creation", - "outcome": "success" + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "name": "monitoringhost.exe", + "pid": 6272, + "working_directory": "c:\\program files\\microsoft monitoring agent\\agent" + }, + "pid": 3272, + "thread": { + "id": 5036 + }, + "working_directory": "c:\\windows\\system32" }, "related": { "hash": [ @@ -725,6 +721,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } 
@@ -741,60 +741,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "11", "provider": "Microsoft-Windows-Sysmon" }, - "os": { - "family": "windows", - "platform": "windows" - }, - "log": { - "hostname": "AZNTPI-01.acme.local" + "action": { + "id": 11, + "name": "FileCreate", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 121811, + "type": "Microsoft-Windows-Sysmon/Operational" }, - "host": { - "hostname": "AZNTPI-01.acme.local", - "name": "AZNTPI-01.acme.local" + "azure_windows": { + "event_data": { + "CreationUtcTime": "2019-11-27 15:25:45.117", + "Image": "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "ProcessGuid": "{4A43FA81-9578-5DDE-0000-0010490B8303}", + "ProcessId": "4000", + "RuleName": null, + "TargetFilename": "C:\\Windows\\Temp\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1", + "UtcTime": "2019-11-27 15:25:45.117" + }, + "opcode": "0", + "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "11" }, "file": { "created": "2019-11-27T15:25:45.117000Z", "name": "__psscriptpolicytest_tnklb3sm.oxn.ps1", "path": "c:\\windows\\temp" }, + "host": { + "hostname": "AZNTPI-01.acme.local", + "name": "AZNTPI-01.acme.local" + }, + "log": { + "hostname": "AZNTPI-01.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" + }, "process": { - "thread": { - "id": 3592 - }, - "pid": 2232, - "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0", "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "name": "powershell.exe", "parent": { "pid": 4000 - } - }, - "azure_windows": { - "task": "11", - "opcode": "0", - "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", - "provider_name": "Microsoft-Windows-Sysmon", - "event_data": { - "RuleName": null, - "UtcTime": "2019-11-27 15:25:45.117", - "ProcessGuid": 
"{4A43FA81-9578-5DDE-0000-0010490B8303}", - "ProcessId": "4000", - "Image": "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", - "TargetFilename": "C:\\Windows\\Temp\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1", - "CreationUtcTime": "2019-11-27 15:25:45.117" - } - }, - "action": { - "type": "Microsoft-Windows-Sysmon/Operational", - "id": 11, - "record_id": 121811, - "properties": [ - { - "opcode": 0 - } - ], - "name": "FileCreate", - "outcome": "success" + }, + "pid": 2232, + "thread": { + "id": 3592 + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" }, "related": { "hosts": [ 
@@ -816,68 +816,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "13", "provider": "Microsoft-Windows-Sysmon" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 13, + "name": "RegistryEvent (Value Set)", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 530135, + "type": "Microsoft-Windows-Sysmon/Operational" }, - "log": { - "hostname": "AZNTPI-01.acme.local" + "azure_windows": { + "event_data": { + "Details": "Microsoft Print to PDF (redirected 5)", + "EventType": "SetValue", + "Image": "System", + "ProcessGuid": "{4A43FA81-9258-5E74-0000-0010EB030000}", + "ProcessId": "4", + "RuleName": null, + "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName", + "UtcTime": "2020-04-01 06:34:15.158" + }, + "opcode": "0", + "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "13" }, "host": { "hostname": "AZNTPI-01.acme.local", "name": "AZNTPI-01.acme.local" }, + "log": { + "hostname": "AZNTPI-01.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "system", + "name": "system", + "parent": { + "pid": 4 + }, + "pid": 2140, + "thread": { + "id": 3628 + } + }, "registry": { - "path": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName", "data": { - "type": "REG_SZ", "strings": [ "Microsoft Print to PDF (redirected 5)" - ] + ], + "type": "REG_SZ" }, "hive": "HKLM", "key": "System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}", + "path": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName", "value": "FriendlyName" }, - "process": { - "thread": { - "id": 3628 - }, - "pid": 2140, - "name": "system", - "executable": "system", - "parent": { - "pid": 
4 - } - }, - "azure_windows": { - "task": "13", - "opcode": "0", - "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", - "provider_name": "Microsoft-Windows-Sysmon", - "event_data": { - "RuleName": null, - "EventType": "SetValue", - "UtcTime": "2020-04-01 06:34:15.158", - "ProcessGuid": "{4A43FA81-9258-5E74-0000-0010EB030000}", - "ProcessId": "4", - "Image": "System", - "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName", - "Details": "Microsoft Print to PDF (redirected 5)" - } - }, - "action": { - "type": "Microsoft-Windows-Sysmon/Operational", - "id": 13, - "record_id": 530135, - "properties": [ - { - "opcode": 0 - } - ], - "name": "RegistryEvent (Value Set)", - "outcome": "success" - }, "related": { "hosts": [ "AZNTPI-01.acme.local" 
@@ -898,27 +898,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "22", "provider": "Microsoft-Windows-Sysmon" }, - "os": { - "family": "windows", - "platform": "windows" - }, - "log": { - "hostname": "WinAzureTest" - }, - "host": { - "hostname": "WinAzureTest", - "name": "WinAzureTest" + "action": { + "id": 22, + "name": "DNS query", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 136242, + "type": "Microsoft-Windows-Sysmon/Operational" }, - "dns": { - "response_code": "0", - "question": { - "name": "v10.events.data.microsoft.com", - "top_level_domain": "com", - "subdomain": "v10.events.data", - "registered_domain": "microsoft.com" + "azure_windows": { + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{f67648d5-4d39-5e56-0000-0010ec220200}", + "ProcessId": "3676", + "QueryName": "v10.events.data.microsoft.com", + "QueryResults": "type: 5 v10.events.data.microsoft.com.aria.akadns.net;type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;", + "QueryStatus": "0", + "RuleName": null, + "UtcTime": "2020-02-26 11:08:09.059" }, - "size_in_char": 29, - "type": "answer", + "opcode": "0", + "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "22" + }, + "dns": { "answers": [ { "name": "v10.events.data.microsoft.com.aria.akadns.net", 
@@ -932,47 +940,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "::ffff:52.114.132.20", "type": "AAAA" } - ] + ], + "question": { + "name": "v10.events.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "v10.events.data", + "top_level_domain": "com" + }, + "response_code": "0", + "size_in_char": 29, + "type": "answer" + }, + "host": { + "hostname": "WinAzureTest", + "name": "WinAzureTest" + }, + "log": { + "hostname": "WinAzureTest" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 9096 - }, - "pid": 3780, - "name": "svchost.exe", - "working_directory": "c:\\windows\\system32", "executable": "c:\\windows\\system32\\svchost.exe", + "name": "svchost.exe", "parent": { "pid": 3676 - } - }, - "azure_windows": { - "task": "22", - "opcode": "0", - "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", - "provider_name": "Microsoft-Windows-Sysmon", - "event_data": { - "RuleName": null, - "UtcTime": "2020-02-26 11:08:09.059", - "ProcessGuid": "{f67648d5-4d39-5e56-0000-0010ec220200}", - "ProcessId": "3676", - "QueryName": "v10.events.data.microsoft.com", - "QueryStatus": "0", - "QueryResults": "type: 5 v10.events.data.microsoft.com.aria.akadns.net;type: 5 onecollector.cloudapp.aria.akadns.net;::ffff:52.114.132.20;", - "Image": "C:\\Windows\\System32\\svchost.exe" - } - }, - "action": { - "type": "Microsoft-Windows-Sysmon/Operational", - "id": 22, - "record_id": 136242, - "properties": [ - { - "opcode": 0 - } - ], - "name": "DNS query", - "outcome": "success" + }, + "pid": 3780, + "thread": { + "id": 9096 + }, + "working_directory": "c:\\windows\\system32" }, "related": { "hosts": [ 
@@ -995,88 +995,76 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "3", "provider": "Microsoft-Windows-Sysmon" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 3, + "name": "Network connection", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 189923, + "target": "network-traffic", + "type": "Microsoft-Windows-Sysmon/Operational" }, - "log": { - "hostname": "AZNTPI-01.acme.local" + "azure_windows": { + "event_data": { + "DestinationHostname": null, + "DestinationIp": "169.254.169.254", + "DestinationIsIpv6": "false", + "DestinationPort": "80", + "DestinationPortName": "http", + "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "Initiated": "true", + "ProcessGuid": "{4A43FA81-5A68-5DFA-0000-0010A992AC18}", + "ProcessId": "4364", + "Protocol": "tcp", + "RuleName": null, + "SourceHostname": "AZNTPI-01.acme.local", + "SourceIp": "10.100.8.36", + "SourceIsIpv6": "false", + "SourcePort": "55664", + "SourcePortName": null, + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-12-18 16:57:18.516" + }, + "opcode": "0", + "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", + "provider_name": "Microsoft-Windows-Sysmon", + "task": "3" + }, + "destination": { + "address": "169.254.169.254", + "ip": "169.254.169.254", + "port": 80 }, "host": { "hostname": "AZNTPI-01.acme.local", "name": "AZNTPI-01.acme.local" }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, - "destination": { - "port": 80, - "ip": "169.254.169.254", - "address": "169.254.169.254" + "log": { + "hostname": "AZNTPI-01.acme.local" }, "network": { "transport": "tcp", "type": "ipv4" }, - "source": { - "domain": "AZNTPI-01.acme.local", - "port": 55664, - "ip": "10.100.8.36", - "size_in_char": 20, - "address": "AZNTPI-01.acme.local", - "subdomain": "AZNTPI-01.acme" + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 3760 - }, 
- "pid": 2116, - "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0", "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "name": "powershell.exe", "parent": { "pid": 4364 - } - }, - "azure_windows": { - "task": "3", - "opcode": "0", - "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", - "provider_name": "Microsoft-Windows-Sysmon", - "event_data": { - "RuleName": null, - "UtcTime": "2019-12-18 16:57:18.516", - "ProcessGuid": "{4A43FA81-5A68-5DFA-0000-0010A992AC18}", - "ProcessId": "4364", - "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "User": "NT AUTHORITY\\SYSTEM", - "Protocol": "tcp", - "Initiated": "true", - "SourceIsIpv6": "false", - "SourceIp": "10.100.8.36", - "SourceHostname": "AZNTPI-01.acme.local", - "SourcePort": "55664", - "SourcePortName": null, - "DestinationIsIpv6": "false", - "DestinationIp": "169.254.169.254", - "DestinationHostname": null, - "DestinationPort": "80", - "DestinationPortName": "http" - } - }, - "action": { - "type": "Microsoft-Windows-Sysmon/Operational", - "id": 3, - "record_id": 189923, - "properties": [ - { - "opcode": 0 - } - ], - "target": "network-traffic", - "name": "Network connection", - "outcome": "success" + }, + "pid": 2116, + "thread": { + "id": 3760 + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" }, "related": { "hosts": [ @@ -1089,6 +1077,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "source": { + "address": "AZNTPI-01.acme.local", + "domain": "AZNTPI-01.acme.local", + "ip": "10.100.8.36", + "port": 55664, + "size_in_char": 20, + "subdomain": "AZNTPI-01.acme" + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } 
@@ -1105,67 +1105,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "os": { - "family": "windows", - "platform": "windows" + "action": { + "id": 4688, + "name": "A new process has been created", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 13259890, + "type": "Security" }, - "log": { - "hostname": "AZSQL-02.acme.local" + "azure_windows": { + "event_data": { + "CommandLine": "C:\\Windows\\system32\\svchost.exe -k wsappx", + "NewProcessId": "0x12f0", + "NewProcessName": "C:\\Windows\\System32\\svchost.exe", + "ProcessId": "0x25c", + "SubjectDomainName": "ACME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "AZSQL-02$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1936" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "13312" }, "host": { "hostname": "AZSQL-02.acme.local", "name": "AZSQL-02.acme.local" }, - "user": { - "id": "S-1-5-18", - "domain": "ACME", - "name": "AZSQL-02$" + "log": { + "hostname": "AZSQL-02.acme.local" + }, + "os": { + "family": "windows", + "platform": "windows" }, "process": { - "thread": { - "id": 8568 - }, - "pid": 4848, - "name": "svchost.exe", - "working_directory": "c:\\windows\\system32", - "executable": "c:\\windows\\system32\\svchost.exe", "command_line": "c:\\windows\\system32\\svchost.exe -k wsappx", + "executable": "c:\\windows\\system32\\svchost.exe", + "name": "svchost.exe", "parent": { "pid": 604 - } - }, - "azure_windows": { - "task": "13312", - "opcode": "0", - "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "provider_name": "Microsoft-Windows-Security-Auditing", - "event_data": { - "SubjectUserSid": "S-1-5-18", - "SubjectUserName": "AZSQL-02$", - 
"SubjectDomainName": "ACME", - "SubjectLogonId": "0x3e7", - "NewProcessId": "0x12f0", - "NewProcessName": "C:\\Windows\\System32\\svchost.exe", - "TokenElevationType": "%%1936", - "ProcessId": "0x25c", - "CommandLine": "C:\\Windows\\system32\\svchost.exe -k wsappx", - "TargetUserSid": "S-1-0-0", - "TargetUserName": "-", - "TargetDomainName": "-", - "TargetLogonId": "0x0" - } - }, - "action": { - "type": "Security", - "id": 4688, - "record_id": 13259890, - "properties": [ - { - "opcode": 0 - } - ], - "name": "A new process has been created", - "outcome": "success" + }, + "pid": 4848, + "thread": { + "id": 8568 + }, + "working_directory": "c:\\windows\\system32" }, "related": { "hosts": [ @@ -1174,6 +1169,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AZSQL-02$" ] + }, + "user": { + "domain": "ACME", + "id": "S-1-5-18", + "name": "AZSQL-02$" } } diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md index 5291c748fa..1f90f0e056 100644 --- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md +++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md @@ -41,25 +41,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Disconnected from user root 1.2.3.4 port 33398", "event": { - "kind": "event", "category": [ "authentication" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "port": 33398, - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ 
@@ -68,6 +60,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 33398 + }, + "user": { + "name": "root" } } @@ -81,25 +81,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " Connection closed by authenticating user root 1.2.3.4 port 60292 [preauth]", "event": { - "kind": "event", "category": [ "authentication" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "port": 60292, - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -108,6 +100,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 60292 + }, + "user": { + "name": "root" } } @@ -121,27 +121,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Received disconnect from 1.2.3.4 port 33398:11: disconnected by user", "event": { - "kind": "event", "category": [ "authentication" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "source": { - "ip": "1.2.3.4", - "port": 33398, - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 33398 } } 
@@ -155,25 +155,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Accepted publickey for root from 1.2.3.4 port 33398 ssh2: RSA SHA256:qzkqJPyBUdiJUC4i/wbJzkYLTcUWwXRArUT90bUw2E0", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "port": 33398, - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -182,6 +174,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 33398 + }, + "user": { + "name": "root" } } @@ -195,36 +195,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info hostd[2099656] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxcli-76-ecbf] Event 975279 : User root@127.0.0.1 logged in as pyvmomi", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, - "user": { - "name": "pyvmomi" + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "pyvmomi", + "root" + ] }, "source": { + "address": "127.0.0.1", "ip": "127.0.0.1", "user": { "name": "root" - }, - "address": "127.0.0.1" + } }, - "related": { - "user": [ - "pyvmomi", - "root" - ], - "ip": [ - "127.0.0.1" - ] + "user": { + "name": "pyvmomi" } } 
@@ -238,46 +238,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info hostd[2099656] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxcli-76-ecbf] Event 975279 : User root@127.0.0.1 logged in as pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64)", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, - "user": { - "name": "pyvmomi" + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "pyvmomi", + "root" + ] }, "source": { + "address": "127.0.0.1", "ip": "127.0.0.1", "user": { "name": "root" - }, - "address": "127.0.0.1" + } + }, + "user": { + "name": "pyvmomi" }, "user_agent": { - "original": "Python/3.8.13 (VMkernel; 7.0.3; x86_64)", "device": { "name": "Other" }, "name": "Other", + "original": "Python/3.8.13 (VMkernel; 7.0.3; x86_64)", "os": { "name": "Other" } - }, - "related": { - "user": [ - "pyvmomi", - "root" - ], - "ip": [ - "127.0.0.1" - ] } } @@ -291,25 +291,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "pam_unix(sshd:session): session closed for user root", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" + "product": "ESXi", + "vendor": "VMware" }, "related": { "user": [ "root" ] + }, + "user": { + "name": "root" } } 
@@ -323,25 +323,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "pam_unix(sshd:session): session opened for user root by (uid=0)", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "start" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" + "product": "ESXi", + "vendor": "VMware" }, "related": { "user": [ "root" ] + }, + "user": { + "name": "root" } } @@ -355,25 +355,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info hostd[2099656] [Originator@6876 sub=Vimsvc opID=esxcli-a5-20ae] [Auth]: User root", "event": { - "kind": "event", "category": [ "authentication" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" + "product": "ESXi", + "vendor": "VMware" }, "related": { "user": [ "root" ] + }, + "user": { + "name": "root" } } @@ -387,24 +387,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info hostd[2099656] [Originator@6876 sub=Default opID=esxcli-76-ecbf] Accepted password for user root from 127.0.0.1", "event": { - "kind": "event", "category": [ "configuration" ], + "kind": "event", "type": [ "change" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -413,6 +406,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "name": "root" } } 
@@ -426,24 +426,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " [GenericCorrelator] 3087878379676us: [vob.user.ssh.session.closed] SSH session was closed for 'root@1.2.3.4'.", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -452,6 +445,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "root" } } @@ -465,24 +465,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " [GenericCorrelator] 3087878318715us: [vob.user.ssh.session.opened] SSH session was opened for 'root@1.2.3.4'.", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "start" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -491,6 +484,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "root" } } 
@@ -504,24 +504,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " error hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 974676 : SSH session was closed for 'root@1.2.3.4'.", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "end" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -530,6 +523,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "root" } } @@ -543,24 +543,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 974676 : SSH session was opened for 'root@1.2.3.4'.", "event": { - "kind": "event", "category": [ "session" ], + "kind": "event", "type": [ "start" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ @@ -569,6 +562,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "root" } } 
@@ -582,27 +582,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " DHCPDISCOVER on vmk1 to 255.255.255.255 port 67 interval 1", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "source": { - "ip": "255.255.255.255", - "port": 67, - "address": "255.255.255.255" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ "255.255.255.255" ] + }, + "source": { + "address": "255.255.255.255", + "ip": "255.255.255.255", + "port": 67 } } @@ -616,27 +616,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Connection from 1.2.3.4 port 33398", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "connection" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "source": { - "ip": "1.2.3.4", - "port": 33398, - "address": "1.2.3.4" + "product": "ESXi", + "vendor": "VMware" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 33398 } } @@ -650,17 +650,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Executing 'vsanmgmtd -s -c /etc/vmware/vsan/vsanmgmt-config.xml'", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, "process": { "command_line": "vsanmgmtd -s -c /etc/vmware/vsan/vsanmgmt-config.xml" 
@@ -677,20 +677,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "USER root pid 9919303 cmd /bin/hostd-probe.sh ++group=host/vim/vmvisor/hostd-probe/stats/sh", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" + "product": "ESXi", + "vendor": "VMware" }, "process": { "command_line": "/bin/hostd-probe.sh ++group=host/vim/vmvisor/hostd-probe/stats/sh", @@ -700,6 +697,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" } } @@ -713,20 +713,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "User 'root' running command 'USER=vpxuser python ++group=host/vim/vmvisor/ntnx /get_one_time_password.py'", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" - }, - "user": { - "name": "root" + "product": "ESXi", + "vendor": "VMware" }, "process": { "command_line": "USER=vpxuser python ++group=host/vim/vmvisor/ntnx /get_one_time_password.py" @@ -735,6 +732,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" } } 
@@ -748,21 +748,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "error fdm[7599783] [Originator@6876 sub=Cluster opID=SWI-3cc8cdca] stat(/vmfs/volumes/aaaaaaaa-bbbbbbbb/.vSphere-HA/FDM-ffffffff-1111-4444-5555-666666666666-7-9999999-lnpvcr02) failed with Permission denied", "event": { - "kind": "event", - "reason": "Permission denied", "category": [ "process" ], + "kind": "event", + "reason": "Permission denied", "type": [ "info" ] }, - "observer": { - "vendor": "VMware", - "product": "ESXi" - }, "host": { "name": "fdm" + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" } } @@ -776,21 +776,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Unlocked esx.conf", "event": { - "kind": "event", - "reason": "Unlocked", "category": [ "file" ], + "kind": "event", + "reason": "Unlocked", "type": [ "info" ] }, - "observer": { - "vendor": "VMware", - "product": "ESXi" - }, "file": { "name": "esx.conf" + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" } } 
@@ -804,20 +804,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " Event [1201736] [2-3] (fileName = \"ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk\", datastore = 'vim.Datastore:d6543eda-9347-4b38-b803-6f5048248ea8:datastore-2809', backingObjectId = \"\", diskMode = \"independent_nonpersistent\", split = , writeThrough = , thinProvisioned = false, eagerlyScrub = false, uuid = \"6000C299-dd5c-07cb-b868-3600b53d2781\", contentId = \"5c1d0d8547e8b15283e287f5cb18ef5e\", changeId = , parent = null, deltaDiskFormat = , digestEnabled = false, deltaGrainSize = , deltaDiskFormatVariant = , sharing = , keyId = null, cryptoIntegrityProtectionType = ), deltaDiskFormat = \"seSparseFormat\", digestEnabled = false, deltaGrainSize = 4, deltaDiskFormatVariant = , sharing = \"sharingNone\", keyId = null, cryptoIntegrityProtectionType = ), connectable = null, slotInfo = null, controllerKey = 1000, unitNumber = 3, numaNode = , capacityInKB = 104857600, capacityInBytes = 107374182400, shar", "event": { - "kind": "event", "category": [ "file" ], + "kind": "event", "type": [ "info" ] }, - "observer": { - "vendor": "VMware", - "product": "ESXi" - }, "file": { "name": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk" + }, + "observer": { + "product": "ESXi", + "vendor": "VMware" } } @@ -831,18 +831,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Using key ID 527683eb-be00-ae48-b12d-06e5cffe4c7e to encrypt", "event": { - "kind": "event", - "reason": "encrypt", "category": [ "process" ], + "kind": "event", + "reason": "encrypt", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, "wmware": { "esxi": { 
@@ -863,18 +863,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " [iscsiCorrelator] 3087813295957us: [vob.iscsi.connection.stopped] iScsi connection 0 stopped for vmhba64:C0:T3", "event": { - "kind": "event", - "reason": "iScsi connection 0 stopped for vmhba64:C0:T3", "category": [ "process" ], + "kind": "event", + "reason": "iScsi connection 0 stopped for vmhba64:C0:T3", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -888,18 +888,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " info fdm[7599763] [Originator@6876 sub=Invt opID=SWI-1b24a1a7] Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "event": { - "kind": "event", - "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "category": [ "process" ], + "kind": "event", + "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -913,18 +913,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " connection 4:0 (iqn.2010-06.com.nutanix:iscsi-dump-c086c177-a1f4-48be-a3b2-b5f2b6517fa6 if=default addr=1.2.3.4:3260 (TPGT:1 ISID:0x1) (T3 C0)) has recovered (2 attempts)", "event": { - "kind": "event", - "reason": "has recovered (2 attempts)", "category": [ "network" ], + "kind": "event", + "reason": "has recovered (2 attempts)", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } 
@@ -938,18 +938,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " info hostd[2099655] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=233816e0 user=vpxuser] Event 974626 : User vpxuser@10.79.50.22 logged out (login time: Tuesday, 18 April, 2023 07:14:36 AM, number of API invocations: 3, user agent: pyvmomi)", "event": { - "kind": "event", - "reason": "Event 974626 : User vpxuser@10.79.50.22 logged out (login time: Tuesday, 18 April, 2023 07:14:36 AM, number of API invocations: 3, user agent: pyvmomi)", "category": [ "process" ], + "kind": "event", + "reason": "Event 974626 : User vpxuser@10.79.50.22 logged out (login time: Tuesday, 18 April, 2023 07:14:36 AM, number of API invocations: 3, user agent: pyvmomi)", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -963,18 +963,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " info rhttpproxy[2102807] [Originator@6876 sub=IO.Connection] Failed to shutdown socket; , >, e: 104(shutdown: Connection reset by peer)", "event": { - "kind": "event", - "reason": "Failed to shutdown socket; , >, e: 104(shutdown: Connection reset by peer)", "category": [ "process" ], + "kind": "event", + "reason": "Failed to shutdown socket; , >, e: 104(shutdown: Connection reset by peer)", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } 
@@ -988,18 +988,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " verbose rhttpproxy[2099165] [Originator@6876 sub=Proxy Req 06028] Connected to localhost:8307 (/sdk) over , >", "event": { - "kind": "event", - "reason": "Connected to localhost:8307 (/sdk) over , >", "category": [ "process" ], + "kind": "event", + "reason": "Connected to localhost:8307 (/sdk) over , >", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -1013,18 +1013,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " error kmxa[2098475] [Originator@6876 sub=Libs opID=InitCache-52a74d0e-554c-1fc3-1b1f-bd3c439fd0a3-0] Trust Authority Components not configured.", "event": { - "kind": "event", - "reason": "Trust Authority Components not configured.", "category": [ "process" ], + "kind": "event", + "reason": "Trust Authority Components not configured.", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -1038,18 +1038,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " verbose fdm[7599763] [Originator@6876 sub=Invt opID=SWI-1361339f] Healthstatus of VM /vmfs/volumes/0ced57f7-f5da65c8/ntpnim02/ntpnim02.vmx on live hostId host-103 : true", "event": { - "kind": "event", - "reason": "Healthstatus of VM /vmfs/volumes/0ced57f7-f5da65c8/ntpnim02/ntpnim02.vmx on live hostId host-103 : true", "category": [ "process" ], + "kind": "event", + "reason": "Healthstatus of VM /vmfs/volumes/0ced57f7-f5da65c8/ntpnim02/ntpnim02.vmx on live hostId host-103 : true", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } 
@@ -1063,18 +1063,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " info hostd[2099655] [Originator@6876 sub=Libs opID=2338d373 user=vpxuser] NetstackInstanceImpl: congestion control algorithm: newreno", "event": { - "kind": "event", - "reason": "NetstackInstanceImpl: congestion control algorithm: newreno", "category": [ "process" ], + "kind": "event", + "reason": "NetstackInstanceImpl: congestion control algorithm: newreno", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -1088,18 +1088,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "info fdm[7599763] [Originator@6876 sub=Invt opID=SWI-1b24a1a7] Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "event": { - "kind": "event", - "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "category": [ "process" ], + "kind": "event", + "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" } } @@ -1113,17 +1113,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " QuerySerialNumber --- real serial number is 1111222233334444", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, "wmware": { "esxi": { 
@@ -1144,17 +1144,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " get_serial_num_of_SATA_SAS_disk---serial num is 1111222233334444", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "type": [ "info" ] }, "observer": { - "vendor": "VMware", - "product": "ESXi" + "product": "ESXi", + "vendor": "VMware" }, "wmware": { "esxi": { diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md index 4db85ba5a2..17e34b69f3 100644 --- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md +++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md 
@@ -28,62 +28,94 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.2-004|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=FFFFFFFFFFFF-AAAAAAAAAAA ESAMID=111111 ESAICID=2222222 ESADCID=444444 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Fri Jun 23 15:56:47 2023 ESADKIMVerdict=pass ESADMARCVerdict=Skipped dvc=5.6.7.8 ESAAttachmentDetails={\"sreenshot.jpg\": {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'}}, \"schermata.jpg\": {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': ['01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b', '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b', '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b']}}, \"Capture d'\\xc3\\xa9cran.jpg\": {'BodyScanner': {}}, \"Capture d'\\xc3\\xa9cran 2.jpg\": {'BodyScanner': {}}} ESAFriendlyFrom=\"John Doe\" ESAGMVerdict=NEGATIVE startTime=Fri Jun 23 15:56:46 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=john.doe@example.org cs1Label=MailPolicy cs1=AdresseGenerique cs2Label=SenderCountry cs2=Italy ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=340614 ESAOFVerdict=NEGATIVE duser=jane.doe@example.com ESAHeloDomain=smtp.smtpout.example.org ESAHeloIP=5.6.7.8 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'john.doe@example.org'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@smtp.smtpout.example.org'}, 'pra': {'result': 'None', 'sender': 'john.doe@example.org'}} sourceHostName=smtp.smtpout.example.org ESASenderGroup=UNKNOWNLIST sourceAddress=1.2.3.4 msg='My subject' 
ESAURLDetails={'http://schemas.microsoft.com/office/2004/12/omml': {'WbrsScore': 9.1999999999999993}, 'http://www.w3.org/TR/REC-html40': {'WbrsScore': 9.1999999999999993}}\n", "event": { - "severity": 5, "action": "delivered", "end": "2023-06-23T15:56:47Z", + "severity": 5, "start": "2023-06-23T15:56:46Z" }, "@timestamp": "2023-06-23T15:56:46Z", - "observer": { - "vendor": "Cisco", - "type": "C390 Email Security Appliance", - "version": "14.2.2-004" + "cef": {}, + "cisco": { + "esa": { + "authentication": { + "dkim": { + "verdict": "pass" + }, + "dmarc": { + "verdict": "Skipped" + }, + "spf": { + "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@smtp.smtpout.example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"john.doe@example.org\"}}" + } + }, + "delivery": { + "connection_id": "444444" + }, + "email": { + "message_size": "340614" + }, + "helo": { + "domain": "smtp.smtpout.example.org", + "ip": "5.6.7.8" + }, + "injection": { + "connection_id": "2222222" + }, + "protection": { + "amp": { + "verdict": "UNKNOWN" + }, + "antivirus": { + "verdict": "NOT_EVALUATED" + }, + "spam": { + "verdict": "NEGATIVE" + } + }, + "sender_group": "UNKNOWNLIST", + "source": { + "domain": { + "age": "30 days (or greater)" + } + }, + "url": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ] + } }, "email": { - "subject": "My subject", - "from": { - "address": [ - "john.doe@example.org" - ] - }, - "to": { - "address": [ - "jane.doe@example.com" - ] - }, - "message_id": "aaaaaaaaaaaa$bbbbbbbb$cccccccc$@example.org", - "local_id": "111111", "attachments": [ { "file": { - "name": "sreenshot.jpg", "hash": { "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } + }, + "name": "sreenshot.jpg" } }, { "file": { - "name": "schermata.jpg", "hash": { "sha256": 
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } + }, + "name": "schermata.jpg" } }, { "file": { - "name": "schermata.jpg", "hash": { "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } + }, + "name": "schermata.jpg" } }, { "file": { - "name": "schermata.jpg", "hash": { "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } + }, + "name": "schermata.jpg" } }, { 
@@ -96,75 +128,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Capture d'\u00c3\u00a9cran 2.jpg" } } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "inbound" - }, - "server": { - "ip": "5.6.7.8" + ], + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "local_id": "111111", + "message_id": "aaaaaaaaaaaa$bbbbbbbb$cccccccc$@example.org", + "subject": "My subject", + "to": { + "address": [ + "jane.doe@example.com" + ] + } }, "host": { "hostname": "smtp.smtpout.example.org", "name": "smtp.smtpout.example.org" }, - "rule": { - "name": "AdresseGenerique" + "network": { + "direction": "inbound" }, - "cisco": { - "esa": { - "url": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ], - "delivery": { - "connection_id": "444444" - }, - "injection": { - "connection_id": "2222222" - }, - "protection": { - "spam": { - "verdict": "NEGATIVE" - }, - "antivirus": { - "verdict": "NOT_EVALUATED" - }, - "amp": { - "verdict": "UNKNOWN" - } - }, - "authentication": { - "dmarc": { - "verdict": "Skipped" - }, - "spf": { - "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@smtp.smtpout.example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"john.doe@example.org\"}}" - }, - "dkim": { - "verdict": "pass" - } - }, - "source": { - "domain": { - "age": "30 days (or greater)" - } - }, - "email": { - "message_size": "340614" - }, - "helo": { - "ip": "5.6.7.8", - "domain": "smtp.smtpout.example.org" - }, - "sender_group": "UNKNOWNLIST" - } + "observer": { + "type": "C390 Email Security Appliance", + "vendor": "Cisco", + "version": "14.2.2-004" }, - "cef": {}, "related": { "hosts": [ "smtp.smtpout.example.org" 
@@ -173,6 +163,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "AdresseGenerique" + }, + "server": { + "ip": "5.6.7.8" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -186,96 +186,86 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-392|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4202A33F31B0BAAB537A-FBD06D401234 ESAMID=1251793 ESAICID=7186532 ESADCID=925893 ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon May 11 16:56:58 2020 ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=Skipped dvc=1.2.3.4 ESAAttachmentDetails={'resume.docx': {'AMP': {'Verdict': 'MALICIOUS', 'fileHash': 'b26a1d694a9cebd742cfa5d09e5f5e4697f522cc12c2e9f23638c1078bb7b0c2'}, 'BodyScanner': {}}} ESAFriendlyFrom=senderexample@example.com ESAGMVerdict=NOT_EVALUATED startTime=Mon May 11 16:56:56 2020 deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=senderexample@example.com cs1Label=MailPolicy cs1=remove_webmail_quota_spam cs2Label=SenderCountry cs2=Spain ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAOFVerdict=NEGATIVE duser=example@otherexample.com ESAHeloDomain=mail.example.com ESAHeloIP=1.2.3.4 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=9 years 6 months 21 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict=None sourceHostName=mailhost.example.es ESASenderGroup=UNKNOWNLIST sourceAddress=1.2.3.4 msg='A cool subject 123' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2", "event": { - "severity": 5, "action": "delivered", "end": "2020-05-11T16:56:58Z", + "severity": 5, "start": "2020-05-11T16:56:56Z" }, "@timestamp": "2020-05-11T16:56:56Z", - "observer": { - "vendor": "Cisco", - "type": "C300V Email Security Virtual Appliance", - "version": "13.0.0-392" - }, - "email": { - "subject": "A cool subject 123", - "from": { - "address": [ - "senderexample@example.com" - ] - }, - "to": { - "address": [ - 
"example@otherexample.com" - ] - }, - "message_id": "ADR4500000227856433302E0EC2F783B1EEAA4F2E836DF8C5DBD@MAILERP.EXAMPLE.COM", - "local_id": "1251793", - "attachments": [ - { - "file": { - "name": "resume.docx", - "hash": { - "sha256": "b26a1d694a9cebd742cfa5d09e5f5e4697f522cc12c2e9f23638c1078bb7b0c2" - } - } - } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "inbound" - }, - "server": { - "ip": "1.2.3.4" - }, - "host": { - "hostname": "mailhost.example.es", - "name": "mailhost.example.es" - }, - "rule": { - "name": "remove_webmail_quota_spam" - }, + "cef": {}, "cisco": { "esa": { + "authentication": { + "dmarc": { + "verdict": "Skipped" + } + }, "delivery": { "connection_id": "925893" }, + "helo": { + "domain": "mail.example.com", + "ip": "1.2.3.4" + }, "injection": { "connection_id": "7186532" }, "protection": { - "spam": { - "verdict": "NEGATIVE" - }, "antivirus": { "verdict": "NOT_EVALUATED" }, "dlp": { "verdict": "NOT_EVALUATED" + }, + "spam": { + "verdict": "NEGATIVE" } }, - "authentication": { - "dmarc": { - "verdict": "Skipped" - } - }, + "sender_group": "UNKNOWNLIST", "source": { "domain": { "age": "9 years 6 months 21 days" } - }, - "helo": { - "ip": "1.2.3.4", - "domain": "mail.example.com" - }, - "sender_group": "UNKNOWNLIST" + } } }, - "cef": {}, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "b26a1d694a9cebd742cfa5d09e5f5e4697f522cc12c2e9f23638c1078bb7b0c2" + }, + "name": "resume.docx" + } + } + ], + "from": { + "address": [ + "senderexample@example.com" + ] + }, + "local_id": "1251793", + "message_id": "ADR4500000227856433302E0EC2F783B1EEAA4F2E836DF8C5DBD@MAILERP.EXAMPLE.COM", + "subject": "A cool subject 123", + "to": { + "address": [ + "example@otherexample.com" + ] + } + }, + "host": { + "hostname": "mailhost.example.es", + "name": "mailhost.example.es" + }, + "network": { + "direction": "inbound" + }, + "observer": { + "type": "C300V Email Security Virtual Appliance", 
+ "vendor": "Cisco", + "version": "13.0.0-392" + }, "related": { "hosts": [ "mailhost.example.es" @@ -283,8 +273,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] - } - } + }, + "rule": { + "name": "remove_webmail_quota_spam" + }, + "server": { + "ip": "1.2.3.4" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } ``` 
@@ -296,112 +296,102 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C300V Email Security Virtual Appliance|13.0.0-252|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=420D4F36AAEBC0093B4F-B9E72189A021 ESAMID=4631 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH ESADCID=66096 endTime=Tue Aug 13 15:15:48 2019 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=pass dvc=3.4.5.6 ESAAttachmentDetails={'presentation.pptx': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4a4f9b7c4b4c7fb62b3df3c7e9e05811dc52c38eb8b76d3847f41ef299399e4'}, 'BodyScanner': {}}} ESAFriendlyFrom=no-reply@example.org ESAGMVerdict=NEGATIVE ESAICID=36050 startTime=Tue Aug 13 15:15:45 2019 deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=no-reply@example.org cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=BOUNCED ESAFinalActionDetails=5.1.0 - Unknown address error cs4Label=ExternalMsgID cs4='<5d528dcf33830_812b56878564dc@ip-10-22-10-56.mail>' ESAOFVerdict=NEGATIVE duser=john.doe@example.org ESAHeloDomain=mail.example.orgm ESAHeloIP=10.0.0.0 cfp1Label=SBRSScore cfp1=0.9 ESASDRDomainAge=9 years 3 months 14 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict=SoftFail sourceHostName=esa1.hc3033-47.iphmx.com ESASenderGroup=GREYLIST sourceAddress=1.2.3.4 msg=Cisco=20Advanced=20Phishing=20Protection=20System=20Notification=20for=20bce-demo ESATLSInCipher=ECDHE-RSA-AES128-GCM-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002': {'Category': 'Computers and Internet', 'WbrsScore': '7.3'}, 'http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506': {'Category': 'Computers and 
Internet', 'WbrsScore': '7.3'}} deviceInboundInterface=IncomingMail", "event": { - "severity": 5, "action": "bounced", "end": "2019-08-13T15:15:48Z", + "severity": 5, "start": "2019-08-13T15:15:45Z" }, "@timestamp": "2019-08-13T15:15:45Z", - "observer": { - "vendor": "Cisco", - "type": "C300V Email Security Virtual Appliance", - "version": "13.0.0-252" - }, - "email": { - "subject": "Cisco=20Advanced=20Phishing=20Protection=20System=20Notification=20for=20bce-demo", - "from": { - "address": [ - "no-reply@example.org" - ] - }, - "to": { - "address": [ - "john.doe@example.org" - ] - }, - "message_id": "5d528dcf33830_812b56878564dc@ip-10-22-10-56.mail", - "local_id": "4631", - "attachments": [ - { - "file": { - "name": "presentation.pptx", - "hash": { - "sha256": "e4a4f9b7c4b4c7fb62b3df3c7e9e05811dc52c38eb8b76d3847f41ef299399e4" - } - } - } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "inbound" - }, - "server": { - "ip": "3.4.5.6" - }, - "host": { - "hostname": "esa1.hc3033-47.iphmx.com", - "name": "esa1.hc3033-47.iphmx.com" - }, - "rule": { - "name": "DEFAULT" - }, + "cef": {}, "cisco": { "esa": { - "url": [ - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002", - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506" - ], + "authentication": { + "dkim": { + "verdict": "pass" + }, + "dmarc": { + "verdict": "pass" + }, + "spf": { + "verdict": "SoftFail" + } + }, "delivery": { "connection_id": "66096" }, + "event": { + "action_details": "5.1.0 - Unknown address error" + }, + "helo": { + "domain": "mail.example.orgm", + "ip": "10.0.0.0" + }, "injection": { "connection_id": "36050" }, "protection": { - "spam": { - "verdict": "NEGATIVE" + "amp": { + "verdict": "SKIPPED" }, "antivirus": { "verdict": "NEGATIVE" }, - "amp": { - "verdict": "SKIPPED" - }, "dlp": { "verdict": "NOT_EVALUATED" - } - }, - "authentication": { - "dmarc": { - "verdict": "pass" - 
}, - "spf": { - "verdict": "SoftFail" }, - "dkim": { - "verdict": "pass" + "spam": { + "verdict": "NEGATIVE" } }, + "sender_group": "GREYLIST", "source": { "domain": { "age": "9 years 3 months 14 days" } }, - "event": { - "action_details": "5.1.0 - Unknown address error" - }, - "helo": { - "ip": "10.0.0.0", - "domain": "mail.example.orgm" - }, - "sender_group": "GREYLIST" + "url": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ] } }, - "cef": {}, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "e4a4f9b7c4b4c7fb62b3df3c7e9e05811dc52c38eb8b76d3847f41ef299399e4" + }, + "name": "presentation.pptx" + } + } + ], + "from": { + "address": [ + "no-reply@example.org" + ] + }, + "local_id": "4631", + "message_id": "5d528dcf33830_812b56878564dc@ip-10-22-10-56.mail", + "subject": "Cisco=20Advanced=20Phishing=20Protection=20System=20Notification=20for=20bce-demo", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "host": { + "hostname": "esa1.hc3033-47.iphmx.com", + "name": "esa1.hc3033-47.iphmx.com" + }, + "network": { + "direction": "inbound" + }, + "observer": { + "type": "C300V Email Security Virtual Appliance", + "vendor": "Cisco", + "version": "13.0.0-252" + }, "related": { "hosts": [ "esa1.hc3033-47.iphmx.com" @@ -410,6 +400,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "3.4.5.6" ] + }, + "rule": { + "name": "DEFAULT" + }, + "server": { + "ip": "3.4.5.6" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -423,89 +423,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=254be28187994bc7a37f496ceac54edd ESAMID=11111111 ESAICID=333333 ESADCID=2222222 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Wed Mar 1 19:02:03 2023 dvc=3.4.5.6 ESAAttachmentDetails={'resume.pdf': {'AMP': {'Verdict': 'HIGHRISK', 'fileHash': 'f41c7c5d8e3b3c2b5d5b787bc5e5f9e5e5c23d60933a24d8c36df3847c61ef1'}, 'BodyScanner': {}}} ESAFriendlyFrom=no-reply@example.org ESAGMVerdict=NOT_EVALUATED startTime=Wed Mar 1 19:02:03 2023 deviceOutboundInterface=OutgoingMail deviceDirection=1 ESAMailFlowPolicy=RELAY suser=no-reply@example.org cs1Label=MailPolicy cs1=RestrictionEmetteur cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<11111111.2222222222222222222.JavaMail.ccccccccccc@dddddddddddddddd>' ESAMsgSize=3762 ESAOFVerdict=NOT_EVALUATED duser=john.doe@example.org ESAHeloDomain=mail.example.org ESAHeloIP=10.0.0.0 ESAReplyTo=no-reply@example.org cfp1Label=SBRSScore cfp1=not enabled sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=1.2.3.4 msg='\\=?UTF-8?Q?Nice to Meet you?\\='\n", "event": { - "severity": 5, "action": "delivered", "end": "2023-03-01T19:02:03Z", + "severity": 5, "start": "2023-03-01T19:02:03Z" }, "@timestamp": "2023-03-01T19:02:03Z", - "observer": { - "vendor": "Cisco", - "type": "C390 Email Security Appliance", - "version": "14.2.1-015" - }, - "email": { - "subject": "'\\=?UTF-8?Q?Nice to Meet you?\\='", - "from": { - "address": [ - "no-reply@example.org" - ] - }, - "to": { - "address": [ - "john.doe@example.org" - ] - }, - "message_id": "11111111.2222222222222222222.JavaMail.ccccccccccc@dddddddddddddddd", - "local_id": "11111111", - "attachments": [ - { - "file": { - "name": "resume.pdf", - "hash": { 
- "sha256": "f41c7c5d8e3b3c2b5d5b787bc5e5f9e5e5c23d60933a24d8c36df3847c61ef1" - } - } - } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "outbound" - }, - "server": { - "ip": "3.4.5.6" - }, - "host": { - "hostname": "unknown", - "name": "unknown" - }, - "rule": { - "name": "RestrictionEmetteur" - }, + "cef": {}, "cisco": { "esa": { "delivery": { "connection_id": "2222222" }, + "email": { + "message_size": "3762" + }, + "helo": { + "domain": "mail.example.org", + "ip": "10.0.0.0" + }, "injection": { "connection_id": "333333" }, "protection": { - "spam": { + "amp": { "verdict": "NOT_EVALUATED" }, "antivirus": { "verdict": "NOT_EVALUATED" }, - "amp": { + "spam": { "verdict": "NOT_EVALUATED" } }, - "email": { - "message_size": "3762" - }, - "helo": { - "ip": "10.0.0.0", - "domain": "mail.example.org" - }, "sender_group": "RELAYLIST" } }, - "cef": {}, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "f41c7c5d8e3b3c2b5d5b787bc5e5f9e5e5c23d60933a24d8c36df3847c61ef1" + }, + "name": "resume.pdf" + } + } + ], + "from": { + "address": [ + "no-reply@example.org" + ] + }, + "local_id": "11111111", + "message_id": "11111111.2222222222222222222.JavaMail.ccccccccccc@dddddddddddddddd", + "subject": "'\\=?UTF-8?Q?Nice to Meet you?\\='", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "host": { + "hostname": "unknown", + "name": "unknown" + }, + "network": { + "direction": "outbound" + }, + "observer": { + "type": "C390 Email Security Appliance", + "vendor": "Cisco", + "version": "14.2.1-015" + }, "related": { "hosts": [ "unknown" @@ -514,6 +504,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "3.4.5.6" ] + }, + "rule": { + "name": "RestrictionEmetteur" + }, + "server": { + "ip": "3.4.5.6" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -527,89 +527,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=254be28187994bc7a37f496ceac54edd ESAMID=11111111 ESAICID=333333 ESADCID=2222222 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Wed Mar 1 19:02:03 2023 dvc=3.4.5.6 ESAAttachmentDetails={'invoice.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'}, 'BodyScanner': {}}} ESAFriendlyFrom=JOHN DOE ESAGMVerdict=NOT_EVALUATED startTime=Wed Mar 1 19:02:03 2023 deviceOutboundInterface=OutgoingMail deviceDirection=1 ESAMailFlowPolicy=RELAY suser=veuillez-ne-pas-repondre@example.org cs1Label=MailPolicy cs1=RestrictionEmetteur cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<11111111111111111111111111111@ddddddd>' ESAMsgSize=111066 ESAOFVerdict=NOT_EVALUATED duser=jane.doe@example.org ESAHeloDomain=mail.example.org ESAHeloIP=10.0.0.0 cfp1Label=SBRSScore cfp1=not enabled sourceHostName=unknown ESASenderGroup=RELAYLISTTELEDEP sourceAddress=1.2.3.4 msg='\\=?utf-8?Q?For the meeting?\\='", "event": { - "severity": 5, "action": "delivered", "end": "2023-03-01T19:02:03Z", + "severity": 5, "start": "2023-03-01T19:02:03Z" }, "@timestamp": "2023-03-01T19:02:03Z", - "observer": { - "vendor": "Cisco", - "type": "C390 Email Security Appliance", - "version": "14.2.1-015" - }, - "email": { - "subject": "\\=?utf-8?Q?For the meeting?\\=", - "from": { - "address": [ - "veuillez-ne-pas-repondre@example.org" - ] - }, - "to": { - "address": [ - "jane.doe@example.org" - ] - }, - "message_id": "11111111111111111111111111111@ddddddd", - "local_id": "11111111", - "attachments": [ - { - "file": { - "name": "invoice.pdf", - "hash": { - "sha256": 
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - } - } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "outbound" - }, - "server": { - "ip": "3.4.5.6" - }, - "host": { - "hostname": "unknown", - "name": "unknown" - }, - "rule": { - "name": "RestrictionEmetteur" - }, + "cef": {}, "cisco": { "esa": { "delivery": { "connection_id": "2222222" }, + "email": { + "message_size": "111066" + }, + "helo": { + "domain": "mail.example.org", + "ip": "10.0.0.0" + }, "injection": { "connection_id": "333333" }, "protection": { - "spam": { + "amp": { "verdict": "NOT_EVALUATED" }, "antivirus": { "verdict": "NOT_EVALUATED" }, - "amp": { + "spam": { "verdict": "NOT_EVALUATED" } }, - "email": { - "message_size": "111066" - }, - "helo": { - "ip": "10.0.0.0", - "domain": "mail.example.org" - }, "sender_group": "RELAYLISTTELEDEP" } }, - "cef": {}, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "invoice.pdf" + } + } + ], + "from": { + "address": [ + "veuillez-ne-pas-repondre@example.org" + ] + }, + "local_id": "11111111", + "message_id": "11111111111111111111111111111@ddddddd", + "subject": "\\=?utf-8?Q?For the meeting?\\=", + "to": { + "address": [ + "jane.doe@example.org" + ] + } + }, + "host": { + "hostname": "unknown", + "name": "unknown" + }, + "network": { + "direction": "outbound" + }, + "observer": { + "type": "C390 Email Security Appliance", + "vendor": "Cisco", + "version": "14.2.1-015" + }, "related": { "hosts": [ "unknown" @@ -618,6 +608,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "3.4.5.6" ] + }, + "rule": { + "name": "RestrictionEmetteur" + }, + "server": { + "ip": "3.4.5.6" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -631,107 +631,97 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=254be28187994bc7a37f496ceac54edd ESAMID=11111111 ESAICID=333333 ESADCID=2222222 ESAAMPVerdict=LOW_RISK ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Wed Mar 1 19:02:04 2023 ESADMARCVerdict=pass dvc=3.4.5.6 ESAAttachmentDetails={'invoice.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'}, 'BodyScanner': {}}} ESAFriendlyFrom=John Doe ESAGMVerdict=NEGATIVE startTime=Wed Mar 1 19:02:02 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=john.doe@example.org cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Netherlands ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<44444444444444444444444444444444444444@77777777777777777777777777.EXAMPLE.COM>' ESAMsgSize=1197675 ESAOFVerdict=NEGATIVE duser=jane.doe@example.fr ESAHeloDomain=mail.example.org ESAHeloIP=10.0.0.0 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'john.doe@example.org'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.org'}, 'pra': {'result': 'None', 'sender': 'john.doe@example.org'}} sourceHostName=outbound.example.com ESASenderGroup=UNKNOWNLIST sourceAddress=1.2.3.4 msg='Perso' ESAURLDetails={'https://tinyurl.es/tbdra': {'WbrsScore': 9.1999999999999993, 'ExpandedUrl': 'https://facebook.com/u/john.doe'}, 'www.twitter.com': {'WbrsScore': 0.0, 'AttachmentWithUrl': 'My document.pdf'}, 'https://tiktok.com': {'WbrsScore': 4.9000000000000004}}", "event": { - "severity": 5, "action": "delivered", "end": "2023-03-01T19:02:04Z", + "severity": 5, "start": "2023-03-01T19:02:02Z" }, 
"@timestamp": "2023-03-01T19:02:02Z", - "observer": { - "vendor": "Cisco", - "type": "C390 Email Security Appliance", - "version": "14.2.1-015" - }, - "email": { - "subject": "Perso", - "from": { - "address": [ - "john.doe@example.org" - ] - }, - "to": { - "address": [ - "jane.doe@example.fr" - ] - }, - "message_id": "44444444444444444444444444444444444444@77777777777777777777777777.EXAMPLE.COM", - "local_id": "11111111", - "attachments": [ - { - "file": { - "name": "invoice.pdf", - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - } - } - } - ] - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "network": { - "direction": "inbound" - }, - "server": { - "ip": "3.4.5.6" - }, - "host": { - "hostname": "outbound.example.com", - "name": "outbound.example.com" - }, - "rule": { - "name": "DEFAULT" - }, + "cef": {}, "cisco": { "esa": { - "url": [ - "https://facebook.com/u/john.doe", - "www.twitter.com", - "https://tiktok.com" - ], + "authentication": { + "dmarc": { + "verdict": "pass" + }, + "spf": { + "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"john.doe@example.org\"}}" + } + }, "delivery": { "connection_id": "2222222" }, + "email": { + "message_size": "1197675" + }, + "helo": { + "domain": "mail.example.org", + "ip": "10.0.0.0" + }, "injection": { "connection_id": "333333" }, "protection": { - "spam": { - "verdict": "NEGATIVE" + "amp": { + "verdict": "LOW_RISK" }, "antivirus": { "verdict": "NOT_EVALUATED" }, - "amp": { - "verdict": "LOW_RISK" - } - }, - "authentication": { - "dmarc": { - "verdict": "pass" - }, - "spf": { - "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": 
\"john.doe@example.org\"}}" + "spam": { + "verdict": "NEGATIVE" } }, + "sender_group": "UNKNOWNLIST", "source": { "domain": { "age": "30 days (or greater)" } }, - "email": { - "message_size": "1197675" - }, - "helo": { - "ip": "10.0.0.0", - "domain": "mail.example.org" - }, - "sender_group": "UNKNOWNLIST" + "url": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "www.twitter.com" + ] } }, - "cef": {}, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "invoice.pdf" + } + } + ], + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "local_id": "11111111", + "message_id": "44444444444444444444444444444444444444@77777777777777777777777777.EXAMPLE.COM", + "subject": "Perso", + "to": { + "address": [ + "jane.doe@example.fr" + ] + } + }, + "host": { + "hostname": "outbound.example.com", + "name": "outbound.example.com" + }, + "network": { + "direction": "inbound" + }, + "observer": { + "type": "C390 Email Security Appliance", + "vendor": "Cisco", + "version": "14.2.1-015" + }, "related": { "hosts": [ "outbound.example.com" @@ -740,6 +730,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "3.4.5.6" ] + }, + "rule": { + "name": "DEFAULT" + }, + "server": { + "ip": "3.4.5.6" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -753,99 +753,93 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=254be28187994bc7a37f496ceac54edd ESAMID=11111111 ESAICID=333333 ESADCID=2222222 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Wed Mar 1 19:02:05 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=3.4.5.6 ESAAttachmentDetails={'unknown': {'AMP': {'Verdict': ['FILE UNKNOWN'], 'fileHash': ['87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7']}}} ESAFriendlyFrom=John Doe ESAGMVerdict=NEGATIVE startTime=Wed Mar 1 19:02:02 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=john.doe@example.org cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<111111111111111111111@mal.example.org>' ESAMsgSize=73748 ESAOFVerdict=NEGATIVE duser=jane.doe@example.org ESAHeloDomain=mail.example.org ESAHeloIP=10.0.0.0 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'john.doe@example.org'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.org'}, 'pra': {'result': 'None', 'sender': 'no-reply@example.org'}} sourceHostName=outboun",
 "event": {
- "severity": 5,
 "action": "delivered",
 "end": "2023-03-01T19:02:05Z",
+ "severity": 5,
 "start": "2023-03-01T19:02:02Z"
 },
 "@timestamp": "2023-03-01T19:02:02Z",
- "observer": {
- "vendor": "Cisco",
- "type": "C390 Email Security Appliance",
- "version": "14.2.1-015"
- },
- "email": {
- "from": {
- "address": [
- "john.doe@example.org"
- ]
- },
- "to": {
- "address": [
- "jane.doe@example.org"
- ]
- },
- "message_id": "111111111111111111111@mal.example.org",
- "local_id": "11111111",
- 
"attachments": [
- {
- "file": {
- "name": "unknown",
- "hash": {
- "sha256": "87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7"
- }
- }
- }
- ]
- },
- "network": {
- "direction": "inbound"
- },
- "server": {
- "ip": "3.4.5.6"
- },
- "host": {
- "hostname": "outboun",
- "name": "outboun"
- },
- "rule": {
- "name": "DEFAULT"
- },
+ "cef": {},
 "cisco": {
 "esa": {
+ "authentication": {
+ "dkim": {
+ "verdict": "pass"
+ },
+ "dmarc": {
+ "verdict": "pass"
+ },
+ "spf": {
+ "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"no-reply@example.org\"}}"
+ }
+ },
 "delivery": {
 "connection_id": "2222222"
 },
+ "email": {
+ "message_size": "73748"
+ },
+ "helo": {
+ "domain": "mail.example.org",
+ "ip": "10.0.0.0"
+ },
 "injection": {
 "connection_id": "333333"
 },
 "protection": {
- "spam": {
- "verdict": "NEGATIVE"
- },
- "antivirus": {
- "verdict": "NOT_EVALUATED"
- },
 "amp": {
 "verdict": "UNKNOWN"
- }
- },
- "authentication": {
- "dmarc": {
- "verdict": "pass"
 },
- "spf": {
- "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"no-reply@example.org\"}}"
+ "antivirus": {
+ "verdict": "NOT_EVALUATED"
 },
- "dkim": {
- "verdict": "pass"
+ "spam": {
+ "verdict": "NEGATIVE"
 }
 },
 "source": {
 "domain": {
 "age": "30 days (or greater)"
 }
- },
- "email": {
- "message_size": "73748"
- },
- "helo": {
- "ip": "10.0.0.0",
- "domain": "mail.example.org"
 }
 }
 },
- "cef": {},
+ "email": {
+ "attachments": [
+ {
+ "file": {
+ "hash": {
+ "sha256": "87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7"
+ },
+ "name": "unknown"
+ }
+ }
+ ],
+ "from": {
+ "address": [
+ "john.doe@example.org"
+ ]
+ },
+ "local_id": "11111111",
+ "message_id": 
"111111111111111111111@mal.example.org",
+ "to": {
+ "address": [
+ "jane.doe@example.org"
+ ]
+ }
+ },
+ "host": {
+ "hostname": "outboun",
+ "name": "outboun"
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "observer": {
+ "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
+ "version": "14.2.1-015"
+ },
 "related": {
 "hosts": [
 "outboun"
@@ -853,6 +847,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": [
 "3.4.5.6"
 ]
+ },
+ "rule": {
+ "name": "DEFAULT"
+ },
+ "server": {
+ "ip": "3.4.5.6"
 }
 }
@@ -866,138 +866,128 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=254be28187994bc7a37f496ceac54edd ESAMID=11111111 ESAICID=333333 ESAAMPVerdict=FA_PENDING ESAASVerdict=BULK_MAIL ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Wed Mar 1 19:01:47 2023 ESADKIMVerdict=pass ESADMARCVerdict=Skipped dvc=3.4.5.6 ESAAttachmentDetails={'twitter.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b'}, 'BodyScanner': {}}, 'appointement.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7'}}, 'icon-linkedin.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a3a5e715f0cc574a73c3f9bebb6bc24f32ffd5b67b387244c2c909da779a1478'}, 'BodyScanner': {}}, 'fond-gris.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '8d74beec1be996322ad76813bafb92d40839895d6dd7ee808b17ca201eac98be'}, 'BodyScanner': {}}, 'bg-desktop-default-header.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '768c71d785bf6bbbf8c4d6af6582041f2659027140a962cd0c55b11eddfd5e3d'}, 'BodyScanner': {}}} ESAFriendlyFrom=John Doe ESAGMVerdict=POSITIVE startTime=Wed Mar 1 19:01:45 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=john.doe@example.org cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=France ESAMFVerdict=NO_MATCH act=DQ ESAFinalActionDetails=Message held temporarily in Delay Quarantine cs4Label=ExternalMsgID cs4='<111111111111111111111@mal.example.org>' ESAMsgSize=174552 ESAOFVerdict=NEGATIVE duser=jane.doe@example.org ESAHeloDomain=mail.example.org ESAHeloIP=10.0.0.0 cfp1Label=SBRSScore cfp1=5.4 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 
'john.doe@example.org'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.org'}, 'pra': {'result': 'None', 'sender': 'no-reply@example.org'}} sourceHostName=outbound.example.com ESASenderGroup=UNKNOWNLIST sourceAddress=1.2.3.4 msg='Validation of your request' ESAURLDetails={}",
 "event": {
- "severity": 5,
 "action": "dq",
 "end": "2023-03-01T19:01:47Z",
+ "severity": 5,
 "start": "2023-03-01T19:01:45Z"
 },
 "@timestamp": "2023-03-01T19:01:45Z",
- "observer": {
- "vendor": "Cisco",
- "type": "C390 Email Security Appliance",
- "version": "14.2.1-015"
+ "cef": {},
+ "cisco": {
+ "esa": {
+ "authentication": {
+ "dkim": {
+ "verdict": "pass"
+ },
+ "dmarc": {
+ "verdict": "Skipped"
+ },
+ "spf": {
+ "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"no-reply@example.org\"}}"
+ }
+ },
+ "email": {
+ "message_size": "174552"
+ },
+ "event": {
+ "action_details": "Message held temporarily in Delay Quarantine"
+ },
+ "helo": {
+ "domain": "mail.example.org",
+ "ip": "10.0.0.0"
+ },
+ "injection": {
+ "connection_id": "333333"
+ },
+ "protection": {
+ "amp": {
+ "verdict": "FA_PENDING"
+ },
+ "antivirus": {
+ "verdict": "NOT_EVALUATED"
+ },
+ "spam": {
+ "verdict": "BULK_MAIL"
+ }
+ },
+ "sender_group": "UNKNOWNLIST",
+ "source": {
+ "domain": {
+ "age": "30 days (or greater)"
+ }
+ },
+ "url": []
+ }
 },
 "email": {
- "subject": "Validation of your request",
- "from": {
- "address": [
- "john.doe@example.org"
- ]
- },
- "to": {
- "address": [
- "jane.doe@example.org"
- ]
- },
- "message_id": "111111111111111111111@mal.example.org",
- "local_id": "11111111",
 "attachments": [
 {
 "file": {
- "name": "twitter.png",
 "hash": {
 "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
- }
+ },
+ "name": "twitter.png"
 }
 },
 {
 "file": {
- "name": "appointement.ics",
 "hash": {
 "sha256": 
"87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7"
- }
+ },
+ "name": "appointement.ics"
 }
 },
 {
 "file": {
- "name": "icon-linkedin.png",
 "hash": {
 "sha256": "a3a5e715f0cc574a73c3f9bebb6bc24f32ffd5b67b387244c2c909da779a1478"
- }
+ },
+ "name": "icon-linkedin.png"
 }
 },
 {
 "file": {
- "name": "fond-gris.png",
 "hash": {
 "sha256": "8d74beec1be996322ad76813bafb92d40839895d6dd7ee808b17ca201eac98be"
- }
+ },
+ "name": "fond-gris.png"
 }
 },
 {
 "file": {
- "name": "bg-desktop-default-header.png",
 "hash": {
 "sha256": "768c71d785bf6bbbf8c4d6af6582041f2659027140a962cd0c55b11eddfd5e3d"
- }
+ },
+ "name": "bg-desktop-default-header.png"
 }
 }
- ]
- },
- "source": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
- },
- "network": {
- "direction": "inbound"
- },
- "server": {
- "ip": "3.4.5.6"
+ ],
+ "from": {
+ "address": [
+ "john.doe@example.org"
+ ]
+ },
+ "local_id": "11111111",
+ "message_id": "111111111111111111111@mal.example.org",
+ "subject": "Validation of your request",
+ "to": {
+ "address": [
+ "jane.doe@example.org"
+ ]
+ }
 },
 "host": {
 "hostname": "outbound.example.com",
 "name": "outbound.example.com"
 },
- "rule": {
- "name": "DEFAULT"
+ "network": {
+ "direction": "inbound"
 },
- "cisco": {
- "esa": {
- "url": [],
- "injection": {
- "connection_id": "333333"
- },
- "protection": {
- "spam": {
- "verdict": "BULK_MAIL"
- },
- "antivirus": {
- "verdict": "NOT_EVALUATED"
- },
- "amp": {
- "verdict": "FA_PENDING"
- }
- },
- "authentication": {
- "dmarc": {
- "verdict": "Skipped"
- },
- "spf": {
- "verdict": "{\"helo\": {\"result\": \"Pass\", \"sender\": \"postmaster@example.org\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"john.doe@example.org\"}, \"pra\": {\"result\": \"None\", \"sender\": \"no-reply@example.org\"}}"
- },
- "dkim": {
- "verdict": "pass"
- }
- },
- "source": {
- "domain": {
- "age": "30 days (or greater)"
- }
- },
- "email": {
- "message_size": "174552"
- },
- "event": {
- "action_details": "Message held temporarily in Delay Quarantine"
- 
},
- "helo": {
- "ip": "10.0.0.0",
- "domain": "mail.example.org"
- },
- "sender_group": "UNKNOWNLIST"
- }
+ "observer": {
+ "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
+ "version": "14.2.1-015"
 },
- "cef": {},
 "related": {
 "hosts": [
 "outbound.example.com"
@@ -1006,6 +996,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "1.2.3.4",
 "3.4.5.6"
 ]
+ },
+ "rule": {
+ "name": "DEFAULT"
+ },
+ "server": {
+ "ip": "3.4.5.6"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 }
 }
@@ -1021,14 +1021,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "severity": 5
 },
- "observer": {
- "vendor": "Cisco",
- "type": "C390 Email Security Appliance",
- "version": "14.2.1-015"
- },
- "email": {
- "local_id": "11111111"
- },
+ "cef": {},
 "cisco": {
 "esa": {
 "delivery": {
@@ -1037,7 +1030,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "status": "QUEUED"
 }
 },
- "cef": {}
+ "email": {
+ "local_id": "11111111"
+ },
+ "observer": {
+ "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
+ "version": "14.2.1-015"
+ }
 }
 ```
@@ -1050,121 +1050,111 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=00F66XXXX-FCH2025V2LQ ESAMID=351452154 ESAICID=317589723 ESADCID=192175459 ESADLPVerdict=NOT EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Jun 13 08:02:06 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=192.168.128.137 ESAAttachmentDetails={'bob.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed'}, 'BodyScanner': {}}, 'Signature Jean Dupont.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4'}, 'BodyScanner': {}}, 'FICHE.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354'}, 'BodyScanner': {}}} ESAFriendlyFrom=Marc Dupont ESAGMVerdict=NEGATIVE startTime=Mon Jun 13 08:02:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=m.dupont@corp.fr cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Switzerland ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr>' ESAMsgSize=418081 ESAOFVerdict=POSITIVE duser=evil@corp.fr ESAHeloDomain=ov-3bd8ca.ch2.telecom.com ESAHeloIP=192.168.10.244 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'lol@evil.fr'}, 'helo': {'result': 'None', 'sender': 'postmaster@ov-3bd8ca.ch2.telecom.com'}, 'pra': {'result': 'None', 'sender': 'm.dupont@corp.fr'}} sourceHostName=ov-3bd8ca.ch2.telecom.com ESASenderGroup=SUSPECTLIST sourceAddress=192.168.1.244 msg='\\=?UTF-8?Q?N\\=c2\\=b0_CORP\\= \\=?UTF-8?Q?020?\\='",
 "event": {
- 
"severity": 5,
 "action": "delivered",
 "end": "2023-06-13T08:02:06Z",
+ "severity": 5,
 "start": "2023-06-13T08:02:04Z"
 },
 "@timestamp": "2023-06-13T08:02:04Z",
- "observer": {
- "vendor": "Cisco",
- "type": "C390 Email Security Appliance",
- "version": "14.2.1-015"
+ "cef": {},
+ "cisco": {
+ "esa": {
+ "authentication": {
+ "dkim": {
+ "verdict": "pass"
+ },
+ "dmarc": {
+ "verdict": "pass"
+ },
+ "spf": {
+ "verdict": "{\"helo\": {\"result\": \"None\", \"sender\": \"postmaster@ov-3bd8ca.ch2.telecom.com\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"lol@evil.fr\"}, \"pra\": {\"result\": \"None\", \"sender\": \"m.dupont@corp.fr\"}}"
+ }
+ },
+ "delivery": {
+ "connection_id": "192175459"
+ },
+ "email": {
+ "message_size": "418081"
+ },
+ "helo": {
+ "domain": "ov-3bd8ca.ch2.telecom.com",
+ "ip": "192.168.10.244"
+ },
+ "injection": {
+ "connection_id": "317589723"
+ },
+ "protection": {
+ "antivirus": {
+ "verdict": "NOT_EVALUATED"
+ },
+ "dlp": {
+ "verdict": "NOT EVALUATED"
+ },
+ "spam": {
+ "verdict": "NOT_EVALUATED"
+ }
+ },
+ "sender_group": "SUSPECTLIST",
+ "source": {
+ "domain": {
+ "age": "30 days (or greater)"
+ }
+ }
+ }
 },
 "email": {
- "subject": "\\=?UTF-8?Q?N\\=c2\\=b0_CORP\\= \\=?UTF-8?Q?020?\\=",
- "from": {
- "address": [
- "m.dupont@corp.fr"
- ]
- },
- "to": {
- "address": [
- "evil@corp.fr"
- ]
- },
- "message_id": "17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr",
- "local_id": "351452154",
 "attachments": [
 {
 "file": {
- "name": "bob.png",
 "hash": {
 "sha256": "2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed"
- }
+ },
+ "name": "bob.png"
 }
 },
 {
 "file": {
- "name": "Signature Jean Dupont.png",
 "hash": {
 "sha256": "a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4"
- }
+ },
+ "name": "Signature Jean Dupont.png"
 }
 },
 {
 "file": {
- "name": "FICHE.pdf",
 "hash": {
 "sha256": "e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354"
- }
+ },
+ "name": "FICHE.pdf"
 }
 }
- ]
- },
- "source": {
- "ip": 
"192.168.1.244",
- "address": "192.168.1.244"
- },
- "network": {
- "direction": "inbound"
- },
- "server": {
- "ip": "192.168.128.137"
+ ],
+ "from": {
+ "address": [
+ "m.dupont@corp.fr"
+ ]
+ },
+ "local_id": "351452154",
+ "message_id": "17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr",
+ "subject": "\\=?UTF-8?Q?N\\=c2\\=b0_CORP\\= \\=?UTF-8?Q?020?\\=",
+ "to": {
+ "address": [
+ "evil@corp.fr"
+ ]
+ }
 },
 "host": {
 "hostname": "ov-3bd8ca.ch2.telecom.com",
 "name": "ov-3bd8ca.ch2.telecom.com"
 },
- "rule": {
- "name": "DEFAULT"
+ "network": {
+ "direction": "inbound"
 },
- "cisco": {
- "esa": {
- "delivery": {
- "connection_id": "192175459"
- },
- "injection": {
- "connection_id": "317589723"
- },
- "protection": {
- "spam": {
- "verdict": "NOT_EVALUATED"
- },
- "antivirus": {
- "verdict": "NOT_EVALUATED"
- },
- "dlp": {
- "verdict": "NOT EVALUATED"
- }
- },
- "authentication": {
- "dmarc": {
- "verdict": "pass"
- },
- "spf": {
- "verdict": "{\"helo\": {\"result\": \"None\", \"sender\": \"postmaster@ov-3bd8ca.ch2.telecom.com\"}, \"mailfrom\": {\"result\": \"Pass\", \"sender\": \"lol@evil.fr\"}, \"pra\": {\"result\": \"None\", \"sender\": \"m.dupont@corp.fr\"}}"
- },
- "dkim": {
- "verdict": "pass"
- }
- },
- "source": {
- "domain": {
- "age": "30 days (or greater)"
- }
- },
- "email": {
- "message_size": "418081"
- },
- "helo": {
- "ip": "192.168.10.244",
- "domain": "ov-3bd8ca.ch2.telecom.com"
- },
- "sender_group": "SUSPECTLIST"
- }
+ "observer": {
+ "type": "C390 Email Security Appliance",
+ "vendor": "Cisco",
+ "version": "14.2.1-015"
 },
- "cef": {},
 "related": {
 "hosts": [
 "ov-3bd8ca.ch2.telecom.com"
@@ -1173,6 +1163,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "192.168.1.244",
 "192.168.128.137"
 ]
+ },
+ "rule": {
+ "name": "DEFAULT"
+ },
+ "server": {
+ "ip": "192.168.128.137"
+ },
+ "source": {
+ "address": "192.168.1.244",
+ "ip": "192.168.1.244"
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md
index f8e2b33b13..18a7750936 100644
--- a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md
+++ b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md
@@ -36,34 +36,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "timestamp=\"2012-12-01T11:02:24+0200\" device_model=\"XGU9800\" device_serial_id=\"X43210EDABC1D23\" log_id=\"058404404404\" log_type=\"Content Filtering\" log_component=\"SSL\" log_subtype=\"Do not decrypt\" log_version=1 severity=\"Information\" src_ip=\"12.12.68.9\" dst_ip=\"12.12.200.123\" src_country=\"R1\" dst_country=\"FRA\" src_port=53999 dst_port=123 app_name=\"Office 365\" con_id=\"4282777777\" rule_id=2 profile_id=4 rule_name=\"SAMPLE RULE\" profile_name=\"SAMPLE PROFIL\" bitmask=\"Valid\" key_type=\"KEY_TYPE__RSA\" key_param=\"RSA 2048 bits\" fingerprint=\"12:34:56:78:90:12:34:56:78:90:12:34:56:78:90:12:34:56:78:90\" cert_chain_served=\"TRUE\" cipher_suite=\"TLS_RSA_WITH_AES_256_GCM_SHA384\" sni=\"address.com\" tls_version=\"TLS1.2\" exceptions=\"av,https,validation\" src_zone_type=\"LAN\" src_zone=\"LAN\" dst_zone_type=\"WAN\" dst_zone=\"WAN\" category=\"[sample]exclusion\" ",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
- },
- "log": {
- "level": "Information"
- },
- "sophos": {
- "log_type": "Content Filtering",
- "log_subtype": "Do not decrypt"
+ ],
+ "kind": "event"
 },
 "destination": {
+ "address": "address.com",
 "domain": "address.com",
- "port": 123,
 "ip": "12.12.200.123",
- "address": "address.com",
- "top_level_domain": "com",
- "registered_domain": "address.com"
- },
- "source": {
- "ip": "12.12.68.9",
- "port": 53999,
- "address": "12.12.68.9"
+ "port": 123,
+ "registered_domain": "address.com",
+ "top_level_domain": "com"
 },
- "rule": {
- "name": "SAMPLE RULE",
- "id": "2"
+ "log": {
+ "level": "Information"
 },
 "related": {
 "hosts": [
@@ -73,6 +60,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "12.12.200.123",
 "12.12.68.9"
 ]
+ },
+ "rule": {
+ "id": "2",
+ "name": "SAMPLE RULE"
+ },
+ "sophos": {
+ "log_subtype": "Do not decrypt",
+ "log_type": "Content Filtering"
+ },
+ "source": {
+ "address": "12.12.68.9",
+ "ip": "12.12.68.9",
+ "port": 53999
 }
 }
@@ -86,17 +86,17 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "timestamp=\"2012-12-01T11:02:44+0200\" device_model=\"XGU9800\" device_serial_id=\"F65012JJABC1E23\" log_id=158923789025 log_type=\"SD-WAN\" log_component=\"SLA\" log_subtype=\"Information\" log_version=1 severity=\"Information\" profile_id=3 profile_name=\"WAN Multiple\" gw_id=1 gw_name=\"External (PCS-F2000Mo)_ipv4\" latency=2 start=\"2012-12-01T10:57:36+0200\" end=\"2012-12-01T11:02:44+0200\" gw_status=\"up\" sla_status=\"SLA met\"",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
+ ],
+ "kind": "event"
 },
 "log": {
 "level": "Information"
 },
 "sophos": {
- "log_type": "SD-WAN",
- "log_subtype": "Information"
+ "log_subtype": "Information",
+ "log_type": "SD-WAN"
 }
 }
@@ -110,55 +110,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "device=\"SFW\" date=2020-05-16 time=02:54:39 timezone=\"+11\" device_name=\"SG330\" device_id=S3105611453B86C log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=6 user_name=\"F.Saquet@ACME.coyotte\" user_gp=\"ACME - Proxy - Filtrage All\u00e9g\u00e9\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA\" contenttype=\"application/octet-stream\" override_token=\"\" httpresponsecode=\"\" src_ip=10.0.5.23 dst_ip=216.58.203.100 protocol=\"TCP\" src_port=56332 dst_port=80 sent_bytes=310 recv_bytes=4563 domain=www.google.com exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"Microsoft BITS/7.8\" status_code=\"416\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=484085624 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
- },
- "log": {
- "level": "Information"
- },
- "observer": {
- "name": "SG330"
- },
- "sophos": {
- "log_type": "Content Filtering",
- "log_subtype": "Allowed"
- },
- "url": {
- "original": "http://www.google.com/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA",
- "domain": "www.google.com",
- "top_level_domain": "com",
- "subdomain": "www",
- "registered_domain": "google.com",
- "path": "/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA",
- "scheme": "http",
- "port": 80
+ ],
+ "kind": "event"
 },
- "source": {
- "bytes": 310,
- "ip": "10.0.5.23",
- "port": 56332,
- "address": "10.0.5.23"
+ "action": {
+ "name": "allow"
 },
 "destination": {
+ "address": "www.google.com",
 "bytes": 4563,
 "domain": "www.google.com",
- "port": 80,
 "ip": "216.58.203.100",
- 
"address": "www.google.com",
- "top_level_domain": "com",
+ "port": 80,
+ "registered_domain": "google.com",
 "subdomain": "www",
- "registered_domain": "google.com"
+ "top_level_domain": "com"
+ },
+ "log": {
+ "level": "Information"
 },
 "network": {
 "transport": "TCP"
 },
- "user": {
- "name": "F.Saquet@ACME.coyotte"
- },
- "action": {
- "name": "allow"
+ "observer": {
+ "name": "SG330"
 },
 "related": {
 "hosts": [
@@ -171,6 +148,29 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "F.Saquet@ACME.coyotte"
 ]
+ },
+ "sophos": {
+ "log_subtype": "Allowed",
+ "log_type": "Content Filtering"
+ },
+ "source": {
+ "address": "10.0.5.23",
+ "bytes": 310,
+ "ip": "10.0.5.23",
+ "port": 56332
+ },
+ "url": {
+ "domain": "www.google.com",
+ "original": "http://www.google.com/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA",
+ "path": "/dl/release2/TnV3rQKAz82ODPFMuxq1wQ_1089/f9YORelAF3Z1VnI84ysPJA",
+ "port": 80,
+ "registered_domain": "google.com",
+ "scheme": "http",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "F.Saquet@ACME.coyotte"
 }
 }
@@ -184,35 +184,35 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "id=\"2002\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet accepted\" action=\"accept\" fwrule=\"20\" initf=\"lag1.600\" outitf=\"eth1\" srcmac=\"f8:0f:6f:9c:5e:2d\" dstmac=\"00:1a:8c:f0:3f:a4\" srcip=\"10.1.0.10\" dstip=\"8.8.8.8\" proto=\"17\" length=\"103\" tos=\"0x00\" prec=\"0x00\" ttl=\"127\" srcport=\"51208\" dstport=\"53\"",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
+ ],
+ "kind": "event"
+ },
+ "destination": {
+ "address": "8.8.8.8",
+ "ip": "8.8.8.8",
+ "mac": "00:1a:8c:f0:3f:a4",
+ "port": 53
 },
 "log": {
 "level": "info"
 },
+ "related": {
+ "ip": [
+ "10.1.0.10",
+ "8.8.8.8"
+ ]
+ },
 "sophos": {
 "action": "accept",
 "sub": "packetfilter"
 },
 "source": {
- "mac": "f8:0f:6f:9c:5e:2d",
+ "address": "10.1.0.10",
 "ip": "10.1.0.10",
- "port": 51208,
- "address": "10.1.0.10"
- },
- "destination": {
- "mac": "00:1a:8c:f0:3f:a4",
- "port": 53,
- "ip": "8.8.8.8",
- "address": "8.8.8.8"
- },
- "related": {
- "ip": [
- "10.1.0.10",
- "8.8.8.8"
- ]
+ "mac": "f8:0f:6f:9c:5e:2d",
+ "port": 51208
 }
 }
@@ -226,35 +226,35 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "id=\"2014\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"DNS request\" action=\"DNS request\" fwrule=\"60011\" initf=\"lag1.600\" srcmac=\"f8:0f:6f:9c:5e:2d\" dstmac=\"00:1a:8c:f0:3f:a4\" srcip=\"10.1.0.10\" dstip=\"8.8.8.8\" proto=\"17\" length=\"103\" tos=\"0x00\" prec=\"0x00\" ttl=\"128\" srcport=\"51208\" dstport=\"53\"",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
+ ],
+ "kind": "event"
+ },
+ "destination": {
+ "address": "8.8.8.8",
+ "ip": "8.8.8.8",
+ "mac": "00:1a:8c:f0:3f:a4",
+ "port": 53
 },
 "log": {
 "level": "info"
 },
+ "related": {
+ "ip": [
+ "10.1.0.10",
+ "8.8.8.8"
+ ]
+ },
 "sophos": {
 "action": "DNS request",
 "sub": "packetfilter"
 },
 "source": {
- "mac": "f8:0f:6f:9c:5e:2d",
+ "address": "10.1.0.10",
 "ip": "10.1.0.10",
- "port": 51208,
- "address": "10.1.0.10"
- },
- "destination": {
- "mac": "00:1a:8c:f0:3f:a4",
- "port": 53,
- "ip": "8.8.8.8",
- "address": "8.8.8.8"
- },
- "related": {
- "ip": [
- "10.1.0.10",
- "8.8.8.8"
- ]
+ "mac": "f8:0f:6f:9c:5e:2d",
+ "port": 51208
 }
 }
@@ -268,35 +268,35 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "id=\"2001\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet dropped\" action=\"drop\" fwrule=\"60002\" initf=\"eth1\" outitf=\"eth1\" srcmac=\"d8:94:03:g6:cd:27\" dstmac=\"00:1a:8c:g0:62:69\" srcip=\"103.188.113.55\" dstip=\"133.222.233.233\" proto=\"6\" length=\"40\" tos=\"0x00\" prec=\"0x00\" ttl=\"242\" srcport=\"54040\" dstport=\"52938\" tcpflags=\"SYN\"",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
+ ],
+ "kind": "event"
+ },
+ "destination": {
+ "address": "133.222.233.233",
+ "ip": "133.222.233.233",
+ "mac": "00:1a:8c:g0:62:69",
+ "port": 52938
 },
 "log": {
 "level": "info"
 },
+ "related": {
+ "ip": [
+ "103.188.113.55",
+ "133.222.233.233"
+ ]
+ },
 "sophos": {
 "action": "drop",
 "sub": "packetfilter"
 },
 "source": {
- "mac": "d8:94:03:g6:cd:27",
+ "address": "103.188.113.55",
 "ip": "103.188.113.55",
- "port": 54040,
- "address": "103.188.113.55"
- },
- "destination": {
- "mac": "00:1a:8c:g0:62:69",
- "port": 52938,
- "ip": "133.222.233.233",
- "address": "133.222.233.233"
- },
- "related": {
- "ip": [
- "103.188.113.55",
- "133.222.233.233"
- ]
+ "mac": "d8:94:03:g6:cd:27",
+ "port": 54040
 }
 }
@@ -310,49 +310,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "device=\"SFW\" date=2020-04-23 time=19:36:57 timezone=\"+11\" device_name=\"SG330\" device_id=S3105611453B86C log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=22 policy_type=1 user_name=\"-\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"PortE0\" out_interface=\"PortE4\" src_mac=00:00:00:00:00:00 src_ip=10.0.215.3 src_country_code=R1 dst_ip=195.35.245.30 dst_country_code=NLD protocol=\"UDP\" src_port=38413 dst_port=62384 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=61.5.213.97 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"LAN\" dstzone=\"WAN_RF\" dir_disp=\"\" connevent=\"Start\" connid=\"1950158712\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0",
 "event": {
- "kind": "event",
 "category": [
 "network"
- ]
- },
- "log": {
- "level": "Information"
- },
- "observer": {
- "name": "SG330"
- },
- "sophos": {
- "status": "Allow",
- "log_type": "Firewall",
- "log_subtype": "Allowed"
+ ],
+ "kind": "event"
 },
- "source": {
- "bytes": 0,
- "packets": 0,
- "mac": "00:00:00:00:00:00",
- "ip": "10.0.215.3",
- "port": 38413,
- "nat": {
- "ip": "61.5.213.97",
- "port": 0
- },
- "address": "10.0.215.3"
+ "action": {
+ "name": "allow"
 },
 "destination": {
+ "address": "195.35.245.30",
 "bytes": 0,
- "packets": 0,
- "port": 62384,
+ "ip": "195.35.245.30",
 "nat": {
 "port": 0
 },
- "ip": "195.35.245.30",
- "address": "195.35.245.30"
+ "packets": 0,
+ "port": 62384
+ },
+ "log": {
+ "level": "Information"
 },
 "network": {
 "transport": "UDP"
 },
- "action": {
- "name": "allow"
+ "observer": {
+ "name": "SG330"
 },
 "related": {
 "ip": [
@@ -360,6 +343,23 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "195.35.245.30",
 "61.5.213.97"
 ]
+ },
+ "sophos": {
+ "log_subtype": "Allowed",
+ "log_type": "Firewall",
+ "status": "Allow"
+ },
+ "source": {
+ "address": "10.0.215.3",
+ "bytes": 0,
+ "ip": "10.0.215.3",
+ "mac": "00:00:00:00:00:00",
+ "nat": {
+ "ip": "61.5.213.97",
+ "port": 0
+ },
+ "packets": 0,
+ "port": 38413
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md
index e60048c121..e3f5e4d66e 100644
--- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md
+++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md
@@ -35,31 +35,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 fd=31 ACCEPT from IP=1.2.3.4:45181 (IP=5.6.7.8:389)",
 "event": {
- "kind": "event",
+ "action": "accept",
 "category": [
 "network"
 ],
+ "kind": "event",
 "type": [
 "connection",
 "info"
- ],
- "action": "accept"
- },
- "source": {
- "port": 45181,
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ ]
 },
 "destination": {
- "port": 389,
+ "address": "5.6.7.8",
 "ip": "5.6.7.8",
- "address": "5.6.7.8"
+ "port": 389
 },
 "related": {
 "ip": [
 "1.2.3.4",
 "5.6.7.8"
 ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 45181
 }
 }
@@ -73,23 +73,23 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 op=1 BIND dn=\"uid=user1,ou=people,dc=example,dc=com\" method=128",
 "event": {
- "kind": "event",
+ "action": "bind",
 "category": [
 "authentication"
 ],
+ "kind": "event",
 "type": [
 "start"
- ],
- "action": "bind"
- },
- "user": {
- "name": "user1",
- "domain": "people.example.com"
+ ]
 },
 "related": {
 "user": [
 "user1"
 ]
+ },
+ "user": {
+ "domain": "people.example.com",
+ "name": "user1"
 }
 }
@@ -103,23 +103,23 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 op=1 BIND dn=\"uid=user1,ou=People,dc=example,dc=com\" mech=SIMPLE ssf=0",
 "event": {
- "kind": "event",
+ "action": "bind",
 "category": [
 "authentication"
 ],
+ "kind": "event",
 "type": [
 "start"
- ],
- "action": "bind"
- },
- "user": {
- "name": "user1",
- "domain": "People.example.com"
+ ]
 },
 "related": {
 "user": [
 "user1"
 ]
+ },
+ "user": {
+ "domain": "People.example.com",
+ "name": "user1"
 }
 }
@@ -133,14 +133,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 op=0 STARTTLS",
 "event": {
- "kind": "event",
+ "action": "starttls",
 "category": [
 "network"
 ],
+ "kind": "event",
 "type": [
 "info"
- ],
- "action": "starttls"
+ ]
 }
 }
@@ -154,14 +154,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 op=0 RESULT oid= err=0 text=",
 "event": {
- "kind": "event",
+ "action": "result",
 "category": [
 "network"
 ],
+ "kind": "event",
 "type": [
 "info"
- ],
- "action": "result"
+ ]
 }
 }
@@ -175,14 +175,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "conn=11 fd=31 TLS established tls_ssf=256 ssf=256",
 "event": {
- "kind": "event",
+ "action": "tls",
 "category": [
 "network"
 ],
+ "kind": "event",
 "type": [
 "info"
- ],
- "action": "tls"
+ ]
 }
 }
@@ -196,14 +196,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=11 op=1 RESULT tag=97 err=0 text=", "event": { - "kind": "event", + "action": "result", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "result" + ] } } @@ -217,14 +217,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=11 op=3 UNBIND", "event": { - "kind": "event", + "action": "unbind", "category": [ "authentication" ], + "kind": "event", "type": [ "end" - ], - "action": "unbind" + ] } } @@ -238,14 +238,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=11 fd=31 closed", "event": { - "kind": "event", + "action": "closed", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "closed" + ] } } @@ -259,23 +259,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=11 op=2 MOD dn=\"uid=user1,ou=People,dc=example,dc=com\"", "event": { - "kind": "event", + "action": "mod", "category": [ "configuration" ], + "kind": "event", "type": [ "change" - ], - "action": "mod" - }, - "user": { - "name": "user1", - "domain": "People.example.com" + ] }, "related": { "user": [ "user1" ] + }, + "user": { + "domain": "People.example.com", + "name": "user1" } } @@ -289,14 +289,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=11 op=2 MOD attr=mail", "event": { - "kind": "event", + "action": "mod", "category": [ "configuration" ], + "kind": "event", "type": [ "change" - ], - "action": "mod" + ] }, "openldap": { "attribute": "mail" 
@@ -313,14 +313,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\" conn=6521 op=3 SRCH base=\"\"ou=people,ou=IN,o=example\"\" scope=2 deref=0 filter=\"\"(&(exampleRole=example_admin)(uid=mhs))\"\"\"", "event": { - "kind": "event", + "action": "srch", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "srch" + ] }, "user": { "domain": "people.IN.example" @@ -337,14 +337,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "conn=6521 op=3 SRCH attr=uid cn", "event": { - "kind": "event", + "action": "srch", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "srch" + ] }, "openldap": { "attribute": "uid cn" @@ -361,14 +361,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " conn=6521 op=2 SRCH attr=examplerole", "event": { - "kind": "event", + "action": "srch", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "srch" + ] }, "openldap": { "attribute": "examplerole" @@ -385,14 +385,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\" conn=6521 op=2 SRCH base=\"\"o=example\"\" scope=2 deref=0 filter=\"\"(uid=mhs)\"\"\"", "event": { - "kind": "event", + "action": "srch", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "srch" + ] }, "user": { "domain": "example" @@ -409,14 +409,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " conn=6521 op=1 SRCH attr=mail telephonenumber cn uid l givenname sn title department", "event": { - "kind": "event", + "action": "srch", "category": [ "network" ], + "kind": "event", "type": [ "info" - ], - "action": "srch" + ] }, "openldap": { "attribute": "mail telephonenumber cn uid l givenname sn title department" 
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 9960252800..6d88eb1aa7 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md 
@@ -49,76 +49,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"aggregation_key\":\"40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1\",\"type\":\"rtlogs\",\"agent\":{\"osversion\":\"10.0.19041\",\"domainname\":\"WORKGROUP\",\"agentid\":\"8cb8fb07-ecb4-4537-8a44-451ef855a874\",\"osproducttype\":\"Windows 10 Pro\",\"hostname\":\"REDACTED\",\"domain\":null},\"level\":\"high\",\"msg\":\"Binary was found malicious by 2 rule(s) with a score of 120\",\"tags\":[],\"rule_name\":\"YARA binary check\",\"process\":{\"signature_info\":{\"root_info\":{\"display_name\":\"\",\"thumbprint\":\"\",\"serial_number\":\"\",\"issuer_name\":\"\"},\"signed_catalog\":false,\"signer_info\":{\"display_name\":\"\",\"thumbprint\":\"\",\"serial_number\":\"\",\"issuer_name\":\"\"},\"signed_authenticode\":false},\"commandline\":\"\\\"C:\\\\Users\\\\valves\\\\Desktop\\\\mimikatz.exe\\\"\",\"matched_rules_count\":2,\"fake_parent_commandline\":null,\"dont_create_process\":true,\"session\":2,\"pid\":5736,\"process_name\":\"mimikatz.exe\",\"score\":120,\"pe_info\":{\"product_version\":\"2.2.0.0\",\"file_description\":\"mimikatz for Windows\",\"original_filename\":\"mimikatz.exe\",\"internal_name\":\"mimikatz\",\"file_version\":\"2.2.0.0\",\"company_name\":\"Braveheart\",\"legal_copyright\":\"Copyright (c) 2007 - 2020 Braveheart\",\"product_name\":\"mimikatz\"},\"fake_parent_image\":null,\"username\":\"REDACTED\\\\valves\",\"pe_timestamp_int\":1619768223,\"image_name\":\"C:\\\\Users\\\\valves\\\\Desktop\\\\mimikatz.exe\",\"parent_integrity_level\":\"High\",\"fake_parent_unique_id\":null,\"status_msg\":\"Binary was found potentially malicious on the endpoint by Yara with a score of 120 , but it is running in alert only 
mode\",\"log_type\":\"process\",\"logonid\":1121594,\"process_unique_id\":\"ab376ee3-ecb4-4537-1668-00993e12c556\",\"usersid\":\"S-1-5-21-794873159-2603523847-3490392889-500\",\"error_msg\":\"\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"fake_ppid\":null,\"integrity_level\":\"High\",\"current_directory\":\"C:\\\\Users\\\\valves\\\\Desktop\",\"pe_timestamp\":\"2021-04-30T07:37:03.000Z\",\"parent_unique_id\":\"ab376ee3-ecb4-4537-06a4-0031a7bc3d13\",\"pe_imphash\":\"B6BC868F5046CE7764D0627266AF0200\",\"hashes\":{\"md5\":\"46f3fa15de36a0825df4dbfd94614566\",\"sha256\":\"79dd65171cdbc3a1505d11921babf62ffcab4d725ab4a28813c02a6f3a2760ff\",\"sha1\":\"41453d9b0ae75f687c7720373d7586bc0a9d1607\"},\"size\":1430016,\"matched_rules\":[{\"namespace\":\"mimikatz.yar\",\"rulename\":\"mimikatz_clear_string_markers\",\"source\":\"default\"},{\"namespace\":\"mimikatz.yar\",\"rulename\":\"mimikatz_patches_x64\",\"source\":\"default\"}],\"create_time\":\"2021/04/30 13:20:54.315189\",\"parent_commandline\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \",\"rule_revision\":81,\"signed\":false,\"ppid\":1700,\"status\":0},\"alert_time\":\"2021-04-30T13:21:20.704+00:00\",\"alert_subtype\":\"process\",\"execution\":0,\"alert_type\":\"yara\",\"rule_id\":\"YARA binary check\",\"@version\":\"1\",\"@timestamp\":\"2021-04-30T13:21:20.717Z\",\"@event_create_date\":\"2021-04-30T13:21:20.704Z\",\"log_type\":\"alert\",\"status\":\"new\",\"alert_unique_id\":\"bd13fef8-a8fd-4d28-ad97-928a83b96085\"}", "event": { - "dataset": "alert", "category": [ "process" ], + "dataset": "alert", + "kind": "alert", "type": [ "start" - ], - "kind": "alert" + ] }, "@timestamp": "2021-04-30T13:21:20.704000Z", "agent": { "id": "8cb8fb07-ecb4-4537-8a44-451ef855a874", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" - }, - "host": { - "hostname": "REDACTED", - "domain": "WORKGROUP", - "os": { - "version": "10.0.19041", - 
"full": "Windows 10 Pro" - }, - "name": "REDACTED" + "file": { + "hash": { + "md5": "46f3fa15de36a0825df4dbfd94614566", + "sha1": "41453d9b0ae75f687c7720373d7586bc0a9d1607", + "sha256": "79dd65171cdbc3a1505d11921babf62ffcab4d725ab4a28813c02a6f3a2760ff" + } }, "harfanglab": { - "level": "high", + "aggregation_key": "40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1", + "alert_subtype": "process", "alert_time": "2021-04-30T13:21:20.704+00:00", "alert_unique_id": "bd13fef8-a8fd-4d28-ad97-928a83b96085", - "alert_subtype": "process", "execution": 0, - "status": "new", - "aggregation_key": "40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1" + "level": "high", + "status": "new" }, - "rule": { - "description": "Binary was found malicious by 2 rule(s) with a score of 120", - "name": "YARA binary check", - "category": "yara", - "id": "YARA binary check" + "host": { + "domain": "WORKGROUP", + "hostname": "REDACTED", + "name": "REDACTED", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19041" + } + }, + "log": { + "hostname": "REDACTED" }, "process": { "command_line": "\"C:\\Users\\valves\\Desktop\\mimikatz.exe\"", - "pid": 5736, + "executable": "C:\\Users\\valves\\Desktop\\mimikatz.exe", "name": "mimikatz.exe", + "parent": { + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, "pe": { + "company": "Braveheart", "description": "mimikatz for Windows", - "original_file_name": "mimikatz.exe", "file_version": "2.2.0.0", - "company": "Braveheart", - "product": "mimikatz", - "imphash": "B6BC868F5046CE7764D0627266AF0200" - }, - "executable": "C:\\Users\\valves\\Desktop\\mimikatz.exe", - "parent": { - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" " + "imphash": "B6BC868F5046CE7764D0627266AF0200", + 
"original_file_name": "mimikatz.exe", + "product": "mimikatz" }, + "pid": 5736, "working_directory": "C:\\Users\\valves\\Desktop" }, - "user": { - "name": "REDACTED\\valves" - }, - "file": { - "hash": { - "md5": "46f3fa15de36a0825df4dbfd94614566", - "sha256": "79dd65171cdbc3a1505d11921babf62ffcab4d725ab4a28813c02a6f3a2760ff", - "sha1": "41453d9b0ae75f687c7720373d7586bc0a9d1607" - } - }, "related": { "hash": [ "41453d9b0ae75f687c7720373d7586bc0a9d1607", @@ -131,6 +122,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "REDACTED\\valves" ] + }, + "rule": { + "category": "yara", + "description": "Binary was found malicious by 2 rule(s) with a score of 120", + "id": "YARA binary check", + "name": "YARA binary check" + }, + "user": { + "name": "REDACTED\\valves" } } 
@@ -144,76 +144,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"@version\": \"1\",\n \"agent\": {\n \"agentid\": \"00000000-0000-0000-0000-000000000000\",\n \"distroid\": null,\n \"domainname\": \"domain123\",\n \"ostype\": \"windows\",\n \"hostname\": \"pc123\",\n \"osversion\": \"10.0.19041\",\n \"osproducttype\": \"Windows 10 Pro\",\n \"domain\": null,\n \"version\": \"2.12.6\"\n },\n \"type\": \"rtlogs\",\n \"alert_subtype\": \"process\",\n \"log_type\": \"alert\",\n \"detection_origin\": \"agent\",\n \"tenant\": \"\",\n \"alert_time\": \"2022-03-15T07:26:01.276+00:00\",\n \"alert_type\": \"sigma\",\n \"status\": \"false_positive\",\n \"rule_id\": \"00000000-0000-0000-0000-000000000000\",\n \"@event_create_date\": \"2022-03-15T07:26:01.276Z\",\n \"alert_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"level\": \"low\",\n \"aggregation_key\": \"123456\",\n \"@timestamp\": \"2022-03-15T07:26:01.311Z\",\n \"tags\": [\n \"attack.discovery\",\n \"attack.t1057\",\n \"attack.s0057\"\n ],\n \"process\": {\n \"detection_timestamp\": \"2022/03/15 07:24:54.438105\",\n \"process_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"parent_integrity_level\": \"Medium\",\n \"log_platform_flag\": 0,\n \"fake_parent_image\": null,\n \"pid\": 11320,\n \"image_name\": \"C:\\\\Windows\\\\SysWOW64\\\\tasklist.exe\",\n \"username\": \"XXX\\\\XXX\",\n \"logonid\": 151210562,\n \"signature_info\": {\n \"signed_authenticode\": false,\n \"signed_catalog\": true,\n \"root_info\": {\n \"thumbprint\": \"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\n \"display_name\": \"Microsoft Root Certificate Authority 2010\",\n \"serial_number\": \"28cc3a25bfba44ac449a9b586b4339aa\",\n \"issuer_name\": \"Microsoft Root Certificate Authority 2010\"\n },\n \"signer_info\": {\n \"thumbprint\": \"f7c2f2c96a328c13cda8cdb57b715bdea2cbd1d9\",\n \"display_name\": \"Microsoft Windows\",\n \"serial_number\": 
\"33000002ec6579ad1e670890130000000002ec\",\n \"issuer_name\": \"Microsoft Windows Production PCA 2011\"\n }\n },\n \"current_directory\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\",\n \"error_msg\": \"\",\n \"status_msg\": \"sigma match detected this process but not configured to block it\",\n \"ppid\": 17808,\n \"fake_parent_commandline\": null,\n \"commandline\": \"tasklist\",\n \"signed\": true,\n \"grandparent_integrity_level\": \"Medium\",\n \"log_type\": \"process\",\n \"pe_imphash\": \"19BBD9C4E73C288A3645E163F4B82682\",\n \"create_time\": \"2022-03-15T07:24:54.260Z\",\n \"status\": 0,\n \"parent_image\": \"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\n \"integrity_level\": \"Medium\",\n \"usersid\": \"S-1-5-21-299502267-725345543-82448378-2366\",\n \"pe_info\": {\n \"product_version\": \"10.0.19041.1\",\n \"legal_copyright\": \"\u00a9 Microsoft Corporation. All rights reserved.\",\n \"original_filename\": \"tasklist.exe\",\n \"company_name\": \"Microsoft Corporation\",\n \"file_description\": \"Lists the current running tasks\",\n \"file_version\": \"10.0.19041.1 (WinBuild.160101.0800)\",\n \"internal_name\": \"tasklist.exe\",\n \"product_name\": \"Microsoft\u00ae Windows\u00ae Operating System\"\n },\n \"session\": 3,\n \"pe_timestamp\": \"1994-09-11T16:43:21.000Z\",\n \"parent_unique_id\": \"2332edf8-70c0-43c2-4590-00f912ab3d18\",\n \"process_name\": \"tasklist.exe\",\n \"grandparent_commandline\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\\\\EPOSConnect.exe 1\",\n \"pe_timestamp_int\": 779301801,\n \"grandparent_image\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\\\\EPOSConnect.exe\",\n \"parent_commandline\": \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c tasklist\",\n \"fake_parent_unique_id\": null,\n \"size\": 79360,\n \"fake_ppid\": null,\n \"hashes\": {\n \"sha1\": \"7f50d8c3cf3ec79122a876e969bdb65d939becd0\",\n \"sha256\": \"76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4\",\n \"md5\": 
\"0a4448b31ce7f83cb7691a2657f330f1\"\n }\n },\n \"execution\": 0,\n \"rule_name\": \"Discovery: Process list\",\n \"maturity\": \"stable\",\n \"msg\": \"Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.\"\n}\n", "event": { - "dataset": "alert", "category": [ "process" ], + "dataset": "alert", + "kind": "alert", "type": [ "start" - ], - "kind": "alert" + ] }, "@timestamp": "2022-03-15T07:26:01.276000Z", "agent": { "id": "00000000-0000-0000-0000-000000000000", "name": "harfanglab" }, - "log": { - "hostname": "pc123" - }, - "host": { - "hostname": "pc123", - "domain": "domain123", - "os": { - "version": "10.0.19041", - "full": "Windows 10 Pro" - }, - "name": "pc123" + "file": { + "hash": { + "md5": "0a4448b31ce7f83cb7691a2657f330f1", + "sha1": "7f50d8c3cf3ec79122a876e969bdb65d939becd0", + "sha256": "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4" + } }, "harfanglab": { - "level": "low", + "aggregation_key": "123456", + "alert_subtype": "process", "alert_time": "2022-03-15T07:26:01.276+00:00", "alert_unique_id": "00000000-0000-0000-0000-000000000000", - "alert_subtype": "process", "execution": 0, - "status": "false_positive", - "aggregation_key": "123456" + "level": "low", + "status": "false_positive" }, - "rule": { - "description": "Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.", - "name": "Discovery: Process list", - "category": "sigma", - "id": "00000000-0000-0000-0000-000000000000" + "host": { + "domain": "domain123", + "hostname": "pc123", + "name": "pc123", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19041" + } + }, + "log": { + "hostname": "pc123" }, "process": { "command_line": "tasklist", - "pid": 11320, + "executable": "C:\\Windows\\SysWOW64\\tasklist.exe", "name": "tasklist.exe", + "parent": { + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c tasklist", + "executable": 
"C:\\Windows\\SysWOW64\\cmd.exe" + }, "pe": { + "company": "Microsoft Corporation", "description": "Lists the current running tasks", - "original_file_name": "tasklist.exe", "file_version": "10.0.19041.1 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating System", - "imphash": "19BBD9C4E73C288A3645E163F4B82682" - }, - "executable": "C:\\Windows\\SysWOW64\\tasklist.exe", - "parent": { - "executable": "C:\\Windows\\SysWOW64\\cmd.exe", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c tasklist" + "imphash": "19BBD9C4E73C288A3645E163F4B82682", + "original_file_name": "tasklist.exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" }, + "pid": 11320, "working_directory": "C:\\Program Files (x86)\\EPOS\\EPOS Connect" }, - "user": { - "name": "XXX\\XXX" - }, - "file": { - "hash": { - "md5": "0a4448b31ce7f83cb7691a2657f330f1", - "sha256": "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4", - "sha1": "7f50d8c3cf3ec79122a876e969bdb65d939becd0" - } - }, "related": { "hash": [ "0a4448b31ce7f83cb7691a2657f330f1", @@ -226,6 +217,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "XXX\\XXX" ] + }, + "rule": { + "category": "sigma", + "description": "Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.", + "id": "00000000-0000-0000-0000-000000000000", + "name": "Discovery: Process list" + }, + "user": { + "name": "XXX\\XXX" } } 
@@ -239,16 +239,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"request_method\":\"POST\",\"response_content\":\"[]\",\"@timestamp\":\"2023-05-09T09:11:09.296679Z\",\"action_title\":\"Login\",\"event\":{\"original\":\"{\\\"log_type\\\":\\\"auditlog\\\",\\\"log_slug\\\":\\\"mfa-authtoken-login-post\\\",\\\"log_creation_date\\\":\\\"2023-05-09T09:11:09.284452+00:00\\\",\\\"action_title\\\":\\\"Login\\\",\\\"log_description\\\":\\\"User User logged in\\\",\\\"username\\\":\\\"AnonymousUser\\\",\\\"ip_address\\\":\\\"10.42.0.36\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\\\",\\\"request_method\\\":\\\"POST\\\",\\\"request_path\\\":\\\"/api/auth/login/\\\",\\\"request_content\\\":\\\"[username:User]\\\",\\\"response_status_code\\\":\\\"200\\\",\\\"response_status_text\\\":\\\"OK\\\",\\\"response_content\\\":\\\"[]\\\"}\"},\"log_slug\":\"mfa-authtoken-login-post\",\"log_type\":\"auditlog\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\",\"request_path\":\"/api/auth/login/\",\"log_creation_date\":\"2023-05-09T09:11:09.284452+00:00\",\"response_status_code\":\"200\",\"response_status_text\":\"OK\",\"log_description\":\"User User logged in\",\"ip_address\":\"1.2.3.4\",\"tenant\":\"6685e0c99733744d\",\"request_content\":\"[username: user]\",\"username\":\"AnonymousUser\",\"@version\":\"1\"}", "event": { - "dataset": "auditlog", + "action": "mfa-authtoken-login-post", "category": [ "web" ], - "type": [ - "access" - ], + "dataset": "auditlog", "kind": "event", "reason": "User User logged in", - "action": "mfa-authtoken-login-post" + "type": [ + "access" + ] }, "agent": { "name": "harfanglab" 
@@ -261,38 +261,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "organization": { + "id": "6685e0c99733744d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "AnonymousUser" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "url": { "path": "/api/auth/login/" }, + "user": { + "name": "AnonymousUser" + }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "device": { "name": "Other" }, "name": "Firefox", - "version": "102.0", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "os": { "name": "Windows", "version": "10" - } - }, - "user": { - "name": "AnonymousUser" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "organization": { - "id": "6685e0c99733744d" - }, - "related": { - "ip": [ - "1.2.3.4" - ], - "user": [ - "AnonymousUser" - ] + }, + "version": "102.0" } } 
@@ -306,72 +306,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"@version\": \"1\", \"log_type\": \"authentication\", \"event_type\": \"login_failure\", \"@timestamp\": \"2023-03-31T06:38:45.597386Z\", \"process_name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"groups\": [ { \"name\": \"custom-group\", \"id\": \"0dd95277-37da-4ffe-9aec-0fc76beb2e5e\" } ], \"object_type\": \"login\", \"target_username\": \"work-laptop\\\\administrateur\", \"success\": false, \"auth_type\": \"Interactive\", \"technique\": \"Brute Force\", \"source_address\": \"127.0.0.1\", \"windows\": { \"workstation_name\": \"work-laptop\", \"source_sid\": \"S-1-5-18\", \"authentication_package_name\": \"Negotiate\", \"event_title\": \"An account failed to log on\", \"event_id\": 4625, \"logon_title\": \"Interactive\", \"target_sid\": \"S-1-0-0\", \"source_logon_id\": 999, \"logon_type\": 2, \"sub_status\": 0, \"process_name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"logon_process_name\": \"User32\", \"target_logon_id\": 0, \"ip_address\": \"127.0.0.1\", \"status\": 0, \"ip_port\": \"0\" }, \"utc_time\": \"2023-03-31T06:38:42.818Z\", \"source_username\": \"test-domain\\\\work-laptop$\", \"agent\": { \"osversion\": \"10.0.19045\", \"domainname\": \"test-domain\", \"hostname\": \"work-laptop\", \"dnsdomainname\": \"test-domain.local\", \"osproducttype\": \"Windows 10 Pro\", \"version\": \"2.24.4-post0\", \"ostype\": \"windows\", \"agentid\": \"2e822bcd-52cc-43e7-94fc-5a5d6f38506d\" }, \"auth_status\": \"Status OK\", \"@event_create_date\": \"2023-03-31T06:38:42.818Z\", \"tactic\": \"Credential Access\", \"tenant\": \"50e03aed1dbf33d4\", \"msg\": \"%%2313\"}", "event": { - "dataset": "authentication", + "action": "login", "category": [ "authentication" ], + "code": "4625", + "dataset": "authentication", + "kind": "event", + "reason": "An account failed to log on", "type": [ "end", "start" - ], - "kind": "event", - "reason": "An account 
failed to log on", - "code": "4625", - "action": "login" - }, - "sekoiaio": { - "server": { - "os": { - "type": "windows" - } - } + ] }, "@timestamp": "2023-03-31T06:38:42.818000Z", + "action": { + "id": 4625, + "outcome": "failure" + }, "agent": { "id": "2e822bcd-52cc-43e7-94fc-5a5d6f38506d", "name": "harfanglab", "version": "2.24.4-post0" }, - "log": { - "hostname": "work-laptop" - }, - "host": { - "hostname": "work-laptop", - "domain": "test-domain", - "os": { - "version": "10.0.19045", - "full": "Windows 10 Pro" - }, - "name": "work-laptop" - }, "harfanglab": { "groups": [ "{\"id\": \"0dd95277-37da-4ffe-9aec-0fc76beb2e5e\", \"name\": \"custom-group\"}" ] }, - "user": { - "roles": "custom-group", - "id": "S-1-5-18", - "name": "test-domain\\work-laptop$", - "target": { - "id": "S-1-0-0", - "name": "work-laptop\\administrateur" + "host": { + "domain": "test-domain", + "hostname": "work-laptop", + "name": "work-laptop", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" } }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" - }, - "process": { - "name": "C:\\Windows\\System32\\svchost.exe" - }, - "action": { - "id": 4625, - "outcome": "failure" + "log": { + "hostname": "work-laptop" }, "organization": { "id": "50e03aed1dbf33d4" }, + "process": { + "name": "C:\\Windows\\System32\\svchost.exe" + }, "related": { "hosts": [ "work-laptop" @@ -382,6 +362,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-domain\\work-laptop$" ] + }, + "sekoiaio": { + "server": { + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "id": "S-1-5-18", + "name": "test-domain\\work-laptop$", + "roles": "custom-group", + "target": { + "id": "S-1-0-0", + "name": "work-laptop\\administrateur" + } } } 
@@ -395,57 +395,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"@version\": \"1\",\n \"query_type\": \"AAAA\",\n \"log_type\": \"dns_resolution\",\n \"agent\": {\n \"osversion\": \"10.0.19045\",\n \"domainname\": \"test-domain\",\n \"hostname\": \"work-laptop\",\n \"dnsdomainname\": \"test-domain.local\",\n \"osproducttype\": \"Windows 10 Pro\",\n \"version\": \"2.24.4-post0\",\n \"ostype\": \"windows\",\n \"agentid\": \"2e822bcd-52cc-43e7-94fc-5a5d6f38506d\"\n },\n \"@timestamp\": \"2023-03-31T06:39:34.483980Z\",\n \"groups\": [\n {\n \"name\": \"custom-group\",\n \"id\": \"0dd95277-37da-4ffe-9aec-0fc76beb2e5e\"\n }\n ],\n \"ip_addresses\": [\n \"152.199.21.118\"\n ],\n \"process_image_path\": \"C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.Search_cw5n1h2txyewy\\\\SearchApp.exe\",\n \"@event_create_date\": \"2023-03-31T06:39:14.570000+00:00\",\n \"requested_name\": \"static-ecst.licdn.com\",\n \"raw_windows_resolver_results\": \"type: 5 cs1404.wpc.epsiloncdn.net;::ffff:152.199.21.118;\",\n \"event\": {\n \"original\": \"{\\\"utc_time\\\":\\\"2023-03-31T06:39:14.570000+00:00\\\",\\\"log_type\\\":\\\"dns_resolution\\\",\\\"requested_name\\\":\\\"static-ecst.licdn.com\\\",\\\"query_type\\\":\\\"AAAA\\\",\\\"status\\\":\\\"success\\\",\\\"ip_addresses\\\":[\\\"152.199.21.118\\\"],\\\"raw_windows_resolver_results\\\":\\\"type: 5 
cs1404.wpc.epsiloncdn.net;::ffff:152.199.21.118;\\\",\\\"process_unique_id\\\":\\\"887d1052-52cc-43e7-7c30-00778b2ff016\\\",\\\"process_image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\SystemApps\\\\\\\\Microsoft.Windows.Search_cw5n1h2txyewy\\\\\\\\SearchApp.exe\\\",\\\"pid\\\":12412,\\\"username\\\":\\\"test-domain\\\\\\\\john.doe\\\",\\\"groups\\\":[{\\\"id\\\":\\\"0dd95277-37da-4ffe-9aec-0fc76beb2e5e\\\",\\\"name\\\":\\\"custom-group\\\"}],\\\"agent\\\":{\\\"hostname\\\":\\\"work-laptop\\\",\\\"domainname\\\":\\\"test-domain\\\",\\\"dnsdomainname\\\":\\\"test-domain.local\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"10.0.19045\\\",\\\"osproducttype\\\":\\\"Windows 10 Pro\\\",\\\"version\\\":\\\"2.24.4-post0\\\",\\\"agentid\\\":\\\"2e822bcd-52cc-43e7-94fc-5a5d6f38506d\\\"}}\"\n },\n \"tenant\": \"50e03aed1dbf33d4\",\n \"status\": \"success\",\n \"process_unique_id\": \"887d1052-52cc-43e7-7c30-00778b2ff016\",\n \"username\": \"test-domain\\\\john.doe\",\n \"pid\": 12412\n}", "event": { - "dataset": "dns_resolution", "category": [ "network" ], + "dataset": "dns_resolution", + "kind": "event", "type": [ "info" - ], - "kind": "event" + ] }, "@timestamp": "2023-03-31T06:39:14.570000Z", "agent": { "id": "2e822bcd-52cc-43e7-94fc-5a5d6f38506d", "name": "harfanglab" }, - "log": { - "hostname": "work-laptop" - }, - "host": { - "hostname": "work-laptop", - "domain": "test-domain", - "os": { - "version": "10.0.19045", - "full": "Windows 10 Pro" - }, - "name": "work-laptop" + "dns": { + "question": { + "name": "static-ecst.licdn.com", + "registered_domain": "licdn.com", + "subdomain": "static-ecst", + "top_level_domain": "com", + "type": "AAAA" + } }, "harfanglab": { "groups": [ "{\"id\": \"0dd95277-37da-4ffe-9aec-0fc76beb2e5e\", \"name\": \"custom-group\"}" ] }, - "user": { - "roles": "custom-group", - "name": "test-domain\\john.doe" - }, - "process": { - "pid": 12412, - "executable": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe" - 
}, - "dns": { - "question": { - "type": "AAAA", - "name": "static-ecst.licdn.com", - "top_level_domain": "com", - "subdomain": "static-ecst", - "registered_domain": "licdn.com" + "host": { + "domain": "test-domain", + "hostname": "work-laptop", + "name": "work-laptop", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" } }, + "log": { + "hostname": "work-laptop" + }, "organization": { "id": "50e03aed1dbf33d4" }, + "process": { + "executable": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe", + "pid": 12412 + }, "related": { "hosts": [ "static-ecst.licdn.com", @@ -454,6 +450,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-domain\\john.doe" ] + }, + "user": { + "name": "test-domain\\john.doe", + "roles": "custom-group" } } 
@@ -477,35 +477,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "77af54c8-910f-455d-b887-87cbc87430a4", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" - }, - "host": { - "hostname": "REDACTED", - "domain": "WORKGROUP", - "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Datacenter" - }, - "name": "REDACTED" - }, "file": { - "path": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", "hash": { "md5": "8a0a29438052faed8a2532da50455756", "sha1": "a1385ce20ad79f55df235effd9780c31442aa234", "sha256": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6" }, + "name": "svchost.exe", + "path": "C:\\Windows\\System32\\svchost.exe", "pe": { + "company": "Microsoft Corporation", "description": "Host Process for Windows Services", - "original_file_name": "svchost.exe", "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating System", - "imphash": "247B9220E5D9B720A82B2C8B5069AD69" + "imphash": "247B9220E5D9B720A82B2C8B5069AD69", + "original_file_name": "svchost.exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + } + }, + "host": { + "domain": "WORKGROUP", + "hostname": "REDACTED", + "name": "REDACTED", + "os": { + "full": "Windows Server 2019 Datacenter", + "version": "10.0.17763" } }, + "log": { + "hostname": "REDACTED" + }, "related": { "hash": [ "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6", 
@@ -528,48 +528,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"event_id\":3,\"dport\":2525,\"tenant\":\"\",\"initiated\":\"true\",\"image_name\":\"E:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Bin\\\\MSExchangeHMWorker.exe\",\"username\":\"NT AUTHORITY\\\\SYSTEM\",\"saddr\":\"192.168.120.41\",\"agent\":{\"distroid\":null,\"agentid\":\"f43cb847-8227-4104-b77f-7fc849789f8e\",\"domainname\":\"EXAMPLE\",\"ostype\":\"windows\",\"hostname\":\"EXCHANGE\",\"osversion\":\"10.0.17763\",\"domain\":null,\"osproducttype\":\"Windows Server 2019 Standard\"},\"is_ipv6\":\"false\",\"sport\":21955,\"pid\":14228,\"direction\":\"out\",\"conn_type\":0,\"daddr\":\"192.168.120.41\",\"@timestamp\":\"2021-11-21T19:38:44.461Z\",\"@version\":\"1\",\"log_type\":\"network\",\"@event_create_date\":\"2021-11-21T19:38:36.820Z\",\"process_unique_id\":\"2d1de721-5d5a-46b2-3794-0097821d2ab7\"}", "event": { - "dataset": "network", "category": [ "network" ], + "dataset": "network", + "kind": "event", "type": [ "connection" - ], - "kind": "event" + ] }, "@timestamp": "2021-11-21T19:38:36.820000Z", "agent": { "id": "f43cb847-8227-4104-b77f-7fc849789f8e", "name": "harfanglab" }, - "log": { - "hostname": "EXCHANGE" + "destination": { + "address": "192.168.120.41", + "ip": "192.168.120.41", + "port": 2525 }, "host": { - "hostname": "EXCHANGE", "domain": "EXAMPLE", + "hostname": "EXCHANGE", + "name": "EXCHANGE", "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Standard" - }, - "name": "EXCHANGE" - }, - "destination": { - "ip": "192.168.120.41", - "port": 2525, - "address": "192.168.120.41" + "full": "Windows Server 2019 Standard", + "version": "10.0.17763" + } }, - "source": { - "ip": "192.168.120.41", - "port": 21955, - "address": "192.168.120.41" + "log": { + "hostname": "EXCHANGE" }, "process": { - "pid": 14228, - "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe" - }, - 
"user": { - "name": "NT AUTHORITY\\SYSTEM" + "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe", + "pid": 14228 }, "related": { "hosts": [ @@ -581,6 +573,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\SYSTEM" ] + }, + "source": { + "address": "192.168.120.41", + "ip": "192.168.120.41", + "port": 21955 + }, + "user": { + "name": "NT AUTHORITY\\SYSTEM" } } 
@@ -594,48 +594,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"daddr\":\"172.31.9.222\",\"event_id\":3,\"dport\":3389,\"agent\":{\"osversion\":\"10.0.17763\",\"domainname\":\"WORKGROUP\",\"agentid\":\"d4e3bf36-929d-4ddf-8526-492e89955808\",\"osproducttype\":\"Windows Server 2019 Datacenter\",\"hostname\":\"REDACTED\",\"domain\":null},\"conn_type\":0,\"pid\":1004,\"sport\":42221,\"is_ipv6\":\"false\",\"username\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"@timestamp\":\"2021-05-01T09:55:44.688Z\",\"@version\":\"1\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"saddr\":\"185.202.2.238\",\"direction\":\"in\",\"initiated\":\"false\",\"log_type\":\"network\",\"@event_create_date\":\"2021-05-01T09:55:30.372Z\",\"process_unique_id\":\"9aad140d-929d-4ddf-03ec-008c68ef14a0\"}", "event": { - "dataset": "network", "category": [ "network" ], + "dataset": "network", + "kind": "event", "type": [ "connection" - ], - "kind": "event" + ] }, "@timestamp": "2021-05-01T09:55:30.372000Z", "agent": { "id": "d4e3bf36-929d-4ddf-8526-492e89955808", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" + "destination": { + "address": "172.31.9.222", + "ip": "172.31.9.222", + "port": 3389 }, "host": { - "hostname": "REDACTED", "domain": "WORKGROUP", + "hostname": "REDACTED", + "name": "REDACTED", "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Datacenter" - }, - "name": "REDACTED" - }, - "destination": { - "ip": "172.31.9.222", - "port": 3389, - "address": "172.31.9.222" + "full": "Windows Server 2019 Datacenter", + "version": "10.0.17763" + } }, - "source": { - "ip": "185.202.2.238", - "port": 42221, - "address": "185.202.2.238" + "log": { + "hostname": "REDACTED" }, "process": { - "pid": 1004, - "executable": "C:\\Windows\\System32\\svchost.exe" - }, - "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "executable": "C:\\Windows\\System32\\svchost.exe", + "pid": 1004 }, "related": { "hosts": [ 
@@ -648,6 +640,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\NETWORK SERVICE" ] + }, + "source": { + "address": "185.202.2.238", + "ip": "185.202.2.238", + "port": 42221 + }, + "user": { + "name": "NT AUTHORITY\\NETWORK SERVICE" } } 
@@ -661,68 +661,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"commandline\": \"C:\\\\windows\\\\system32\\\\cmd.exe /c wmic /namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender path MSFT_MpComputerStatus get /format:list\",\n \"ppid\": 10420,\n \"grandparent_commandline\": \"C:\\\\Program Files (x86)\\\\CentraStage\\\\CagServi.exe\",\n \"usersid\": \"S-1-5-20\",\n \"fake_ppid\": 0,\n \"integrity_level\": \"System\",\n \"parent_commandline\": \"C:\\\\ProgramData\\\\CentraStage\\\\AEMAgent\\\\AEMAge.exe\",\n \"signature_info\": {\n \"root_info\": {\n \"serial_number\": \"28cc3a25bfba44ac449a9b586b4339zz\",\n \"thumbprint_sha256\": \"df545bf919a2499c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e\",\n \"thumbprint\": \"3b1efd3a66ea99b16697394703a72ca340a05bd5\",\n \"issuer_name\": \"Microsoft Root Certificate Authority 2012\",\n \"display_name\": \"Microsoft Root Certificate Authority 2012\"\n },\n \"signer_info\": {\n \"serial_number\": \"330000038db0bfe1b0ca33b3d987500000038d\",\n \"thumbprint_sha256\": \"555ad75f46a698e6f8fe2f0f2503fb7a7aa25f505c02d9b52755f467a80183a7\",\n \"thumbprint\": \"d2b3b8f120152efc5415a10dbd7723b0c4531f0b\",\n \"issuer_name\": \"Microsoft Windows Production PCA 2011\",\n \"display_name\": \"Microsoft Windows\"\n },\n \"signed_authenticode\": false,\n \"signed_catalog\": true\n },\n \"pe_imphash\": \"272875E2988E1E430500B852C4FB5E18\",\n \"process_name\": \"cmd.exe\",\n \"grandparent_integrity_level\": \"System\",\n \"pe_timestamp_int\": 3788242003,\n \"groups\": [\n {\n \"name\": \"Group 1\",\n \"id\": \"16314dd0-e911-4350-bd96-8363a69d33c9\"\n }\n ],\n \"@Version\": \"1\",\n \"session\": 0,\n \"@event_create_date\": \"2023-02-20T14:48:58.984Z\",\n \"log_type\": \"process\",\n \"signed\": true,\n \"image_name\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"fake_parent_commandline\": \"\",\n \"@timestamp\": \"2023-02-20T14:50:04.011333Z\",\n \"parent_unique_id\": 
\"572c3308-18a0-4435-8fa4-e02e909cd099\",\n \"event\": {\n \"original\": \"{\\\"commandline\\\":\\\"C:\\\\\\\\windows\\\\\\\\system32\\\\\\\\cmd.exe /c wmic /namespace:\\\\\\\\\\\\\\\\root\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Defender path LDKD_MpComputerStatus get /format:list\\\",\\\"create_time\\\":\\\"2023/04/20 14:48:58.984\\\",\\\"current_directory\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAge\\\\\\\\\\\",\\\"hashes\\\":{\\\"md5\\\":\\\"8a2122e8554dbef04694b9c3e0b6cdee\\\",\\\"sha1\\\":\\\"f1efb0fddc665e4c61c5f78a54700e4e7984d55d\\\",\\\"sha256\\\":\\\"b99d61d874728edc0918ca0eb10eab93d381e4456e377406e65963366c874450\\\"},\\\"image_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"log_type\\\":\\\"process\\\",\\\"parent_commandline\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAge\\\\\\\\AEMAge.exe\\\",\\\"parent_image\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAgent\\\\\\\\AEMAge.exe\\\",\\\"parent_unique_id\\\":\\\"572c3308-18a0-4435-8fa4-e02e909cd099\\\",\\\"pid\\\":13824,\\\"ppid\\\":10547,\\\"process_name\\\":\\\"cmd.exe\\\",\\\"process_unique_id\\\":\\\"43c20ef1-03c4-4af5-0036-00d767b57302\\\",\\\"size\\\":289792,\\\"username\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"grandparent_image\\\":\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Centrage\\\\\\\\CagSer.exe\\\",\\\"grandparent_commandline\\\":\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Centra\\\\\\\\CagServ.exe\\\",\\\"usersid\\\":\\\"S-1-5-87\\\",\\\"integrity_level\\\":\\\"System\\\",\\\"session\\\":0,\\\"logonid\\\":999,\\\"parent_integrity_level\\\":\\\"System\\\",\\\"grandparent_integrity_level\\\":\\\"System\\\",\\\"fake_ppid\\\":0,\\\"fake_parent_image\\\":\\\"\\\",\\\"fake_parent_commandline\\\":\\\"\\\",\\\"pe_info\\\":{\\\"company_name\\\":\\\"Microsoft Corporation\\\",\\\"file_description\\\":\\\"Windows Command Processor\\\",\\\"file_version\\\":\\\"10.0.19041.746 
(WinBuild.160101.0800)\\\",\\\"internal_name\\\":\\\"cmd\\\",\\\"legal_copyright\\\":\\\"\u00a9 Microsoft Corporation. All rights reserved.\\\",\\\"original_filename\\\":\\\"Cmd.Exe\\\",\\\"pe_timestamp\\\":\\\"2090-01-16 09:26:43.000\\\",\\\"product_name\\\":\\\"Microsoft\u00ae Windows\u00ae Operating System\\\",\\\"product_version\\\":\\\"10.0.19041.746\\\"},\\\"signed\\\":true,\\\"signature_info\\\":{\\\"signer_info\\\":{\\\"serial_number\\\":\\\"330000038db0bfe1b0ca33b3d400000058748d\\\",\\\"thumbprint\\\":\\\"d2b3b8f124652efc5415a10dbd7723b0c9542f0b\\\",\\\"thumbprint_sha256\\\":\\\"974ad75f46a698e6f8fe2f0f2503fb7a7aa61f505c02d9b52755f467a80183a7\\\",\\\"issuer_name\\\":\\\"Microsoft Windows Production PCA 2011\\\",\\\"display_name\\\":\\\"Microsoft Windows\\\"},\\\"root_info\\\":{\\\"serial_number\\\":\\\"28cc3a25bfba44ac449a9b586b4024aa\\\",\\\"thumbprint\\\":\\\"3b1efd3a66ea28b16697394703a72ca965a05bd5\\\",\\\"thumbprint_sha256\\\":\\\"df545bf014a2439c36983b54cdfc903dfa4f37d3741d8d84b4c31eec6f3c163e\\\",\\\"issuer_name\\\":\\\"Microsoft Root Certificate Authority 2012\\\",\\\"display_name\\\":\\\"Microsoft Root Certificate Authority 2010\\\"},\\\"signed_authenticode\\\":false,\\\"signed_catalog\\\":true},\\\"pe_timestamp_int\\\":3788242003,\\\"pe_timestamp\\\":\\\"2090-01-16 09:26:43.000\\\",\\\"pe_imphash\\\":\\\"272245E2988E1E430500B852C4FB5E99\\\",\\\"log_platform_flag\\\":0,\\\"groups\\\":[{\\\"id\\\":\\\"572c3308-18a0-4435-8fa4-e02e909cd099\\\",\\\"name\\\":\\\"Group 1\\\"}],\\\"agent\\\":{\\\"agentid\\\":\\\"7bba20c2-03c4-4af5-9b27-9e7aab902c85\\\",\\\"hostname\\\":\\\"SFRTAOA\\\",\\\"domain\\\":null,\\\"domainname\\\":\\\"EXAMPLE\\\",\\\"dnsdomainname\\\":\\\"example.org\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"9.0.19544\\\",\\\"distroid\\\":null,\\\"osproducttype\\\":\\\"Windows 10 Pro\\\",\\\"version\\\":\\\"2.25.4-posy4\\\",\\\"additional_info\\\":null}}\"\n },\n \"parent_integrity_level\": \"System\",\n \"pid\": 13824,\n 
\"grandparent_image\": \"C:\\\\Program Files (x86)\\\\Centra\\\\CagServ.exe\",\n \"hashes\": {\n \"md5\": \"8a2122e8162dbef04620b9c3e0b6cdee\",\n \"sha1\": \"f1efb0fddc156e4c61c5f89a54700e4e7984d55d\",\n \"sha256\": \"b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"\n },\n \"log_platform_flag\": 0,\n \"tenant\": \"0198bff0ef04d4a8\",\n \"size\": 289792,\n \"username\": \"NT AUTHORITY\\\\SYSTEM\",\n \"agent\": {\n \"hostname\": \"SFRTAOA\",\n \"osversion\": \"10.0.19044\",\n \"version\": \"2.25.4-post0\",\n \"domainname\": \"EXAMPLE\",\n \"distroid\": null,\n \"additional_info\": null,\n \"agentid\": \"7bba20c2-03c4-4af5-9b27-9e7aab977c85\",\n \"osproducttype\": \"Windows 10 Pro\",\n \"dnsdomainname\": \"example.org\",\n \"ostype\": \"windows\",\n \"domain\": null\n },\n \"parent_image\": \"C:\\\\ProgramData\\\\Centra\\\\AEMAge\\\\AEMAge.exe\",\n \"pe_timestamp\": \"2090-01-16T09:26:43.000Z\",\n \"logonid\": 545,\n \"fake_parent_image\": \"\",\n \"process_unique_id\": \"653d2616-2068-48fa-9f89-83e4e546d8e5\",\n \"pe_info\": {\n \"legal_copyright\": \"\u00a9 Microsoft Corporation. 
All rights reserved.\",\n \"company_name\": \"Microsoft Corporation\",\n \"original_filename\": \"Cmd.Exe\",\n \"pe_timestamp\": \"2090-01-16T09:26:43.000Z\",\n \"product_name\": \"Microsoft\u00ae Windows\u00ae Operating System\",\n \"product_version\": \"10.0.19041.746\",\n \"internal_name\": \"cmd\",\n \"file_description\": \"Windows Command Processor\",\n \"file_version\": \"10.0.19041.746 (WinBuild.160101.0800)\"\n },\n \"current_directory\": \"C:\\\\ProgramData\\\\CentraStage\\\\AEMAgent\\\\\"\n}", "event": { - "dataset": "process", "category": [ "process" ], + "dataset": "process", + "kind": "event", "type": [ "start" - ], - "kind": "event" + ] }, "@timestamp": "2023-02-20T14:48:58.984000Z", "agent": { "id": "7bba20c2-03c4-4af5-9b27-9e7aab977c85", "name": "harfanglab" }, - "log": { - "hostname": "SFRTAOA" - }, - "host": { - "hostname": "SFRTAOA", - "domain": "EXAMPLE", - "os": { - "version": "10.0.19044", - "full": "Windows 10 Pro" - }, - "name": "SFRTAOA" + "file": { + "hash": { + "md5": "8a2122e8162dbef04620b9c3e0b6cdee", + "sha1": "f1efb0fddc156e4c61c5f89a54700e4e7984d55d", + "sha256": "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450" + } }, "harfanglab": { "groups": [ "{\"id\": \"16314dd0-e911-4350-bd96-8363a69d33c9\", \"name\": \"Group 1\"}" ] }, - "user": { - "roles": "Group1", - "name": "NT AUTHORITY\\SYSTEM" + "host": { + "domain": "EXAMPLE", + "hostname": "SFRTAOA", + "name": "SFRTAOA", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19044" + } + }, + "log": { + "hostname": "SFRTAOA" }, "process": { "command_line": "C:\\windows\\system32\\cmd.exe /c wmic /namespace:\\\\root\\Microsoft\\Windows\\Defender path MSFT_MpComputerStatus get /format:list", - "pid": 13824, - "name": "cmd.exe", - "pe": { - "description": "Windows Command Processor", - "original_file_name": "Cmd.Exe", - "file_version": "10.0.19041.746 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating 
System", - "imphash": "272875E2988E1E430500B852C4FB5E18" - }, "executable": "C:\\Windows\\System32\\cmd.exe", + "name": "cmd.exe", "parent": { - "executable": "C:\\ProgramData\\Centra\\AEMAge\\AEMAge.exe", "command_line": "C:\\ProgramData\\CentraStage\\AEMAgent\\AEMAge.exe", + "executable": "C:\\ProgramData\\Centra\\AEMAge\\AEMAge.exe", "name": "AEMAge.exe" }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows Command Processor", + "file_version": "10.0.19041.746 (WinBuild.160101.0800)", + "imphash": "272875E2988E1E430500B852C4FB5E18", + "original_file_name": "Cmd.Exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + }, + "pid": 13824, "working_directory": "C:\\ProgramData\\CentraStage\\AEMAgent\\" }, - "file": { - "hash": { - "md5": "8a2122e8162dbef04620b9c3e0b6cdee", - "sha256": "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", - "sha1": "f1efb0fddc156e4c61c5f89a54700e4e7984d55d" - } - }, "related": { "hash": [ "8a2122e8162dbef04620b9c3e0b6cdee", @@ -735,6 +731,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\SYSTEM" ] + }, + "user": { + "name": "NT AUTHORITY\\SYSTEM", + "roles": "Group1" } } 
@@ -748,62 +748,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"tenant\":\"\",\"usersid\":\"S-1-5-18\",\"hashes\":{\"sha256\":\"100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529\",\"md5\":\"4c7a9a333afb2b0896b4e8a948e58b79\",\"sha1\":\"948febd5456420916256fcc94e3ed19aafe5390b\"},\"status_msg\":\"\",\"username\":\"NT AUTHORITY\\\\SYSTEM\",\"agent\":{\"distroid\":null,\"agentid\":\"f43cb847-8227-4104-b77f-7fc849789f8e\",\"domainname\":\"NIVURA\",\"ostype\":\"windows\",\"hostname\":\"EXCHANGE\",\"osversion\":\"10.0.17763\",\"domain\":null,\"osproducttype\":\"Windows Server 2019 Standard\"},\"status\":0,\"fake_ppid\":null,\"integrity_level\":\"System\",\"signed\":true,\"signature_info\":{\"signed_catalog\":true,\"signer_info\":{\"display_name\":\"Microsoft Windows\",\"issuer_name\":\"Microsoft Windows Production PCA 2011\",\"serial_number\":\"33000002ed2c45e4c145cf48440000000002ed\",\"thumbprint\":\"312860d2047eb81f8f58c29ff19ecdb4c634cf6a\"},\"root_info\":{\"display_name\":\"Microsoft Root Certificate Authority 2010\",\"issuer_name\":\"Microsoft Root Certificate Authority 2010\",\"serial_number\":\"28cc3a25bfba44ac449a9b586b4339aa\",\"thumbprint\":\"3b1efd3a66ea28b16697394703a72ca340a05bd5\"},\"signed_authenticode\":false},\"parent_commandline\":\"E:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Bin\\\\Microsoft.Exchange.Diagnostics.Service.exe\",\"@timestamp\":\"2021-11-21T20:03:15.736Z\",\"parent_image\":\"E:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Bin\\\\Microsoft.Exchange.Diagnostics.Service.exe\",\"log_type\":\"process\",\"current_directory\":\"C:\\\\Windows\\\\system32\",\"pe_imphash\":\"6043170F48FA2A2802231975BB43BBDA\",\"process_unique_id\":\"2d1de721-5d5a-46b2-5ae8-00feb4cdcf56\",\"size\":53760,\"log_platform_flag\":0,\"commandline\":\"relog.exe E:\\\\Program Files\\\\Microsoft\\\\Exchange 
Server\\\\V15\\\\Logging\\\\Diagnostics\\\\PerformanceLogsToBeProcessed\\\\ExchangeDiagnosticsPerformanceLog_11212058.blg -f csv -o E:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\Diagnostics\\\\PerformanceLogsToBeProcessed\\\\ExchangeDiagnosticsPerformanceLog_11212058.csvtmp -y\",\"session\":0,\"process_name\":\"relog.exe\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\relog.exe\",\"parent_integrity_level\":\"System\",\"fake_parent_commandline\":null,\"pe_timestamp_int\":2652523548,\"error_msg\":\"\",\"parent_unique_id\":\"2d1de721-5d5a-46b2-0c78-009ac6cf01ea\",\"pid\":23272,\"ppid\":3192,\"fake_parent_image\":null,\"@event_create_date\":\"2021-11-21T20:03:08.226Z\",\"@version\":\"1\",\"pe_timestamp\":\"2054-01-20T12:05:48.000Z\",\"fake_parent_unique_id\":null,\"pe_info\":{\"product_version\":\"10.0.17763.1\",\"company_name\":\"Microsoft Corporation\",\"product_name\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"internal_name\":\"Relog.exe\",\"file_description\":\"Performance Relogging Utility\",\"legal_copyright\":\"\u00a9 Microsoft Corporation. 
All rights reserved.\",\"file_version\":\"10.0.17763.1 (WinBuild.160101.0800)\",\"original_filename\":\"Relog.exe\"},\"logonid\":999}", "event": { - "dataset": "process", "category": [ "process" ], + "dataset": "process", + "kind": "event", "type": [ "start" - ], - "kind": "event" + ] }, "@timestamp": "2021-11-21T20:03:08.226000Z", "agent": { "id": "f43cb847-8227-4104-b77f-7fc849789f8e", "name": "harfanglab" }, - "log": { - "hostname": "EXCHANGE" + "file": { + "hash": { + "md5": "4c7a9a333afb2b0896b4e8a948e58b79", + "sha1": "948febd5456420916256fcc94e3ed19aafe5390b", + "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529" + } }, "host": { - "hostname": "EXCHANGE", "domain": "NIVURA", + "hostname": "EXCHANGE", + "name": "EXCHANGE", "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Standard" - }, - "name": "EXCHANGE" + "full": "Windows Server 2019 Standard", + "version": "10.0.17763" + } + }, + "log": { + "hostname": "EXCHANGE" }, "process": { "command_line": "relog.exe E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Diagnostics\\PerformanceLogsToBeProcessed\\ExchangeDiagnosticsPerformanceLog_11212058.blg -f csv -o E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Diagnostics\\PerformanceLogsToBeProcessed\\ExchangeDiagnosticsPerformanceLog_11212058.csvtmp -y", - "pid": 23272, - "name": "relog.exe", - "pe": { - "description": "Performance Relogging Utility", - "original_file_name": "Relog.exe", - "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating System", - "imphash": "6043170F48FA2A2802231975BB43BBDA" - }, "executable": "C:\\Windows\\System32\\relog.exe", + "name": "relog.exe", "parent": { - "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe", "command_line": "E:\\Program Files\\Microsoft\\Exchange 
Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe", + "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe", "name": "Microsoft.Exchange.Diagnostics.Service.exe" }, + "pe": { + "company": "Microsoft Corporation", + "description": "Performance Relogging Utility", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "6043170F48FA2A2802231975BB43BBDA", + "original_file_name": "Relog.exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + }, + "pid": 23272, "working_directory": "C:\\Windows\\system32" }, - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "file": { - "hash": { - "md5": "4c7a9a333afb2b0896b4e8a948e58b79", - "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529", - "sha1": "948febd5456420916256fcc94e3ed19aafe5390b" - } - }, "related": { "hash": [ "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529", @@ -816,6 +813,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\SYSTEM" ] + }, + "user": { + "name": "NT AUTHORITY\\SYSTEM" } } 
@@ -829,76 +829,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"@version\": \"1\",\n \"agent\": {\n \"agentid\": \"00000000-0000-0000-0000-000000000000\",\n \"distroid\": null,\n \"domainname\": \"domain123\",\n \"ostype\": \"windows\",\n \"hostname\": \"pc123\",\n \"osversion\": \"10.0.19041\",\n \"osproducttype\": \"Windows 10 Pro\",\n \"domain\": null,\n \"version\": \"2.12.6\"\n },\n \"type\": \"rtlogs\",\n \"alert_subtype\": \"process\",\n \"log_type\": \"alert\",\n \"detection_origin\": \"agent\",\n \"tenant\": \"\",\n \"alert_time\": \"2022-03-15T07:26:01.276+00:00\",\n \"alert_type\": \"sigma\",\n \"status\": \"false_positive\",\n \"rule_id\": \"00000000-0000-0000-0000-000000000000\",\n \"@event_create_date\": \"2022-03-15T07:26:01.276Z\",\n \"alert_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"level\": \"low\",\n \"aggregation_key\": \"123456\",\n \"@timestamp\": \"2022-03-15T07:26:01.311Z\",\n \"tags\": [\n \"attack.discovery\",\n \"attack.t1057\",\n \"attack.s0057\"\n ],\n \"process\": {\n \"detection_timestamp\": \"2022/03/15 07:24:54.438105\",\n \"process_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"parent_integrity_level\": \"Medium\",\n \"log_platform_flag\": 0,\n \"fake_parent_image\": null,\n \"pid\": 11320,\n \"image_name\": \"C:\\\\Windows\\\\SysWOW64\\\\tasklist.exe\",\n \"username\": \"XXX\\\\XXX\",\n \"logonid\": 151210562,\n \"signature_info\": {\n \"signed_authenticode\": false,\n \"signed_catalog\": true,\n \"root_info\": {\n \"thumbprint\": \"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\n \"display_name\": \"Microsoft Root Certificate Authority 2010\",\n \"serial_number\": \"28cc3a25bfba44ac449a9b586b4339aa\",\n \"issuer_name\": \"Microsoft Root Certificate Authority 2010\"\n },\n \"signer_info\": {\n \"thumbprint\": \"f7c2f2c96a328c13cda8cdb57b715bdea2cbd1d9\",\n \"display_name\": \"Microsoft Windows\",\n \"serial_number\": 
\"33000002ec6579ad1e670890130000000002ec\",\n \"issuer_name\": \"Microsoft Windows Production PCA 2011\"\n }\n },\n \"current_directory\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\",\n \"error_msg\": \"\",\n \"status_msg\": \"sigma match detected this process but not configured to block it\",\n \"ppid\": 17808,\n \"fake_parent_commandline\": null,\n \"commandline\": \"tasklist\",\n \"signed\": true,\n \"grandparent_integrity_level\": \"Medium\",\n \"log_type\": \"process\",\n \"pe_imphash\": \"19BBD9C4E73C288A3645E163F4B82682\",\n \"create_time\": \"2022-03-15T07:24:54.260Z\",\n \"status\": 0,\n \"parent_image\": \"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\n \"integrity_level\": \"Medium\",\n \"usersid\": \"S-1-5-21-299502267-725345543-82448378-2366\",\n \"pe_info\": {\n \"product_version\": \"10.0.19041.1\",\n \"legal_copyright\": \"\u00a9 Microsoft Corporation. All rights reserved.\",\n \"original_filename\": \"tasklist.exe\",\n \"company_name\": \"Microsoft Corporation\",\n \"file_description\": \"Lists the current running tasks\",\n \"file_version\": \"10.0.19041.1 (WinBuild.160101.0800)\",\n \"internal_name\": \"tasklist.exe\",\n \"product_name\": \"Microsoft\u00ae Windows\u00ae Operating System\"\n },\n \"session\": 3,\n \"pe_timestamp\": \"1994-09-11T16:43:21.000Z\",\n \"parent_unique_id\": \"2332edf8-70c0-43c2-4590-00f912ab3d18\",\n \"process_name\": \"tasklist.exe\",\n \"grandparent_commandline\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\\\\EPOSConnect.exe 1\",\n \"pe_timestamp_int\": 779301801,\n \"grandparent_image\": \"C:\\\\Program Files (x86)\\\\EPOS\\\\EPOS Connect\\\\EPOSConnect.exe\",\n \"parent_commandline\": \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c tasklist\",\n \"fake_parent_unique_id\": null,\n \"size\": 79360,\n \"fake_ppid\": null,\n \"hashes\": {\n \"sha1\": \"7f50d8c3cf3ec79122a876e969bdb65d939becd0\",\n \"sha256\": \"76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4\",\n \"md5\": 
\"0a4448b31ce7f83cb7691a2657f330f1\"\n }\n },\n \"execution\": 0,\n \"rule_name\": \"Discovery: Process list\",\n \"maturity\": \"stable\",\n \"msg\": \"Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.\"\n}\n", "event": { - "dataset": "alert", "category": [ "process" ], + "dataset": "alert", + "kind": "alert", "type": [ "start" - ], - "kind": "alert" + ] }, "@timestamp": "2022-03-15T07:26:01.276000Z", "agent": { "id": "00000000-0000-0000-0000-000000000000", "name": "harfanglab" }, - "log": { - "hostname": "pc123" - }, - "host": { - "hostname": "pc123", - "domain": "domain123", - "os": { - "version": "10.0.19041", - "full": "Windows 10 Pro" - }, - "name": "pc123" + "file": { + "hash": { + "md5": "0a4448b31ce7f83cb7691a2657f330f1", + "sha1": "7f50d8c3cf3ec79122a876e969bdb65d939becd0", + "sha256": "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4" + } }, "harfanglab": { - "level": "low", + "aggregation_key": "123456", + "alert_subtype": "process", "alert_time": "2022-03-15T07:26:01.276+00:00", "alert_unique_id": "00000000-0000-0000-0000-000000000000", - "alert_subtype": "process", "execution": 0, - "status": "false_positive", - "aggregation_key": "123456" + "level": "low", + "status": "false_positive" }, - "rule": { - "description": "Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.", - "name": "Discovery: Process list", - "category": "sigma", - "id": "00000000-0000-0000-0000-000000000000" + "host": { + "domain": "domain123", + "hostname": "pc123", + "name": "pc123", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19041" + } + }, + "log": { + "hostname": "pc123" }, "process": { "command_line": "tasklist", - "pid": 11320, + "executable": "C:\\Windows\\SysWOW64\\tasklist.exe", "name": "tasklist.exe", + "parent": { + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c tasklist", + "executable": 
"C:\\Windows\\SysWOW64\\cmd.exe" + }, "pe": { + "company": "Microsoft Corporation", "description": "Lists the current running tasks", - "original_file_name": "tasklist.exe", "file_version": "10.0.19041.1 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating System", - "imphash": "19BBD9C4E73C288A3645E163F4B82682" - }, - "executable": "C:\\Windows\\SysWOW64\\tasklist.exe", - "parent": { - "executable": "C:\\Windows\\SysWOW64\\cmd.exe", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c tasklist" + "imphash": "19BBD9C4E73C288A3645E163F4B82682", + "original_file_name": "tasklist.exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" }, + "pid": 11320, "working_directory": "C:\\Program Files (x86)\\EPOS\\EPOS Connect" }, - "user": { - "name": "XXX\\XXX" - }, - "file": { - "hash": { - "md5": "0a4448b31ce7f83cb7691a2657f330f1", - "sha256": "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4", - "sha1": "7f50d8c3cf3ec79122a876e969bdb65d939becd0" - } - }, "related": { "hash": [ "0a4448b31ce7f83cb7691a2657f330f1", @@ -911,10 +902,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "XXX\\XXX" ] - } - } - - ``` + }, + "rule": { + "category": "sigma", + "description": "Detects the execution of tasklist.exe, a tool used to gather detailed information about a computer's active processes.", + "id": "00000000-0000-0000-0000-000000000000", + "name": "Discovery: Process list" + }, + "user": { + "name": "XXX\\XXX" + } + } + + ``` === "process3.json" 
@@ -924,62 +924,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"signature_info\":{\"root_info\":{\"display_name\":\"Microsoft Root Certificate Authority 2010\",\"thumbprint\":\"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\"serial_number\":\"28cc3a25bfba44ac449a9b586b4339aa\",\"issuer_name\":\"Microsoft Root Certificate Authority 2010\"},\"signed_catalog\":true,\"signer_info\":{\"display_name\":\"Microsoft Windows\",\"thumbprint\":\"ae9c1ae54763822eec42474983d8b635116c8452\",\"serial_number\":\"33000001c422b2f79b793dacb20000000001c4\",\"issuer_name\":\"Microsoft Windows Production PCA 2011\"},\"signed_authenticode\":false},\"commandline\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\",\"fake_parent_commandline\":null,\"session\":0,\"pid\":4028,\"process_name\":\"WmiPrvSE.exe\",\"pe_info\":{\"product_version\":\"10.0.17763.1\",\"file_description\":\"WMI Provider Host\",\"original_filename\":\"Wmiprvse.exe\",\"internal_name\":\"Wmiprvse.exe\",\"file_version\":\"10.0.17763.1 (WinBuild.160101.0800)\",\"company_name\":\"Microsoft Corporation\",\"legal_copyright\":\"\u00a9 Microsoft Corporation. 
All rights reserved.\",\"product_name\":\"Microsoft\u00ae Windows\u00ae Operating System\"},\"fake_parent_image\":null,\"@timestamp\":\"2021-05-02T19:52:34.492Z\",\"username\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"pe_timestamp_int\":3717952540,\"@version\":\"1\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\"parent_integrity_level\":\"System\",\"fake_parent_unique_id\":null,\"status_msg\":\"\",\"log_type\":\"process\",\"logonid\":996,\"process_unique_id\":\"9aad140d-929d-4ddf-0fbc-006fa79b94af\",\"usersid\":\"S-1-5-20\",\"error_msg\":\"\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"fake_ppid\":null,\"integrity_level\":\"System\",\"agent\":{\"osversion\":\"10.0.17763\",\"domainname\":\"WORKGROUP\",\"agentid\":\"d4e3bf36-929d-4ddf-8526-492e89955808\",\"osproducttype\":\"Windows Server 2019 Datacenter\",\"hostname\":\"REDACTED\",\"domain\":null},\"current_directory\":\"C:\\\\Windows\\\\system32\",\"pe_timestamp\":\"2087-10-25T20:35:40.000Z\",\"parent_unique_id\":\"9aad140d-929d-4ddf-0358-002a32b395aa\",\"pe_imphash\":\"CFECEDC01015A4FD1BAACAC9E592D88B\",\"hashes\":{\"md5\":\"06c66ff5ccdc2d22344a3eb761a4d38a\",\"sha256\":\"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15\",\"sha1\":\"67c25c8f28b5fa7f5baa85bf1d2726aed48e9cf0\"},\"size\":489472,\"parent_commandline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"@event_create_date\":\"2021-05-02T19:52:24.083Z\",\"signed\":true,\"ppid\":856,\"status\":0}", "event": { - "dataset": "process", "category": [ "process" ], + "dataset": "process", + "kind": "event", "type": [ "start" - ], - "kind": "event" + ] }, "@timestamp": "2021-05-02T19:52:24.083000Z", "agent": { "id": "d4e3bf36-929d-4ddf-8526-492e89955808", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" + "file": { + "hash": { + "md5": "06c66ff5ccdc2d22344a3eb761a4d38a", + "sha1": "67c25c8f28b5fa7f5baa85bf1d2726aed48e9cf0", + "sha256": 
"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15" + } }, "host": { - "hostname": "REDACTED", "domain": "WORKGROUP", + "hostname": "REDACTED", + "name": "REDACTED", "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Datacenter" - }, - "name": "REDACTED" + "full": "Windows Server 2019 Datacenter", + "version": "10.0.17763" + } + }, + "log": { + "hostname": "REDACTED" }, "process": { "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", - "pid": 4028, - "name": "WmiPrvSE.exe", - "pe": { - "description": "WMI Provider Host", - "original_file_name": "Wmiprvse.exe", - "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "company": "Microsoft Corporation", - "product": "Microsoft\u00ae Windows\u00ae Operating System", - "imphash": "CFECEDC01015A4FD1BAACAC9E592D88B" - }, "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "name": "WmiPrvSE.exe", "parent": { - "executable": "C:\\Windows\\System32\\svchost.exe", "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe" }, + "pe": { + "company": "Microsoft Corporation", + "description": "WMI Provider Host", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "CFECEDC01015A4FD1BAACAC9E592D88B", + "original_file_name": "Wmiprvse.exe", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + }, + "pid": 4028, "working_directory": "C:\\Windows\\system32" }, - "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" - }, - "file": { - "hash": { - "md5": "06c66ff5ccdc2d22344a3eb761a4d38a", - "sha256": "b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15", - "sha1": "67c25c8f28b5fa7f5baa85bf1d2726aed48e9cf0" - } - }, "related": { "hash": [ "06c66ff5ccdc2d22344a3eb761a4d38a", 
@@ -992,6 +989,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\NETWORK SERVICE" ] + }, + "user": { + "name": "NT AUTHORITY\\NETWORK SERVICE" } } 
@@ -1005,70 +1005,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"user_data\": {},\n \"@timestamp\": \"2023-05-16T08:45:22.407186Z\",\n \"process_id\": 0,\n \"@event_create_date\": \"2023-05-16T08:46:54.000Z\",\n \"type\": \"wineventlog\",\n \"source_name\": \"Windows Error Reporting\",\n \"thread_id\": 0,\n \"event\": {\n \"original\": \"{\\\"computer_name\\\":\\\"SARTE03.example.org\\\",\\\"event_date\\\":\\\"2023/05/16 08:46:54.000\\\",\\\"event_id\\\":1001,\\\"keywords\\\":[\\\"EventlogClassic\\\"],\\\"level\\\":\\\"INFORMATION\\\",\\\"log_name\\\":\\\"Application\\\",\\\"log_type\\\":\\\"eventlog\\\",\\\"type\\\":\\\"wineventlog\\\",\\\"user\\\":{\\\"domain\\\":\\\"\\\",\\\"identifier\\\":\\\"\\\",\\\"name\\\":\\\"\\\",\\\"type\\\":\\\"unknown\\\"},\\\"event_data\\\":{\\\"param7\\\":\\\"00000000-0000-0000-0000-000000000000\\\",\\\"param10\\\":\\\"0\\\",\\\"param12\\\":\\\"AutomaticUpdates\\\",\\\"param0\\\":\\\"\\\",\\\"param16\\\":\\\"\\\",\\\"param4\\\":\\\"0\\\",\\\"param8\\\":\\\"Scan\\\",\\\"param13\\\":\\\"{581473F3-A4DC-4D00-8245-D203EAA9B5A9}\\\",\\\"param15\\\":\\\"C:\\\\\\\\Windows\\\\\\\\WindowsUpdate.log\\\\r\\\\nC:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\ReportingEvents.log\\\",\\\"param9\\\":\\\"0\\\",\\\"param11\\\":\\\"8024500b\\\",\\\"param20\\\":\\\"262144\\\",\\\"param6\\\":\\\"80072ee2\\\",\\\"param2\\\":\\\"WindowsUpdateFailure3\\\",\\\"param3\\\":\\\"Non disponible\\\",\\\"param21\\\":\\\"\\\",\\\"param1\\\":\\\"0\\\",\\\"param17\\\":\\\"\\\",\\\"param18\\\":\\\"0\\\",\\\"param14\\\":\\\"0\\\",\\\"param5\\\":\\\"7.9.9600.19915\\\",\\\"param19\\\":\\\"3e7b694e-4cf1-45cc-93ff-f30da6e8f683\\\"},\\\"process_id\\\":0,\\\"record_number\\\":26500965,\\\"source_name\\\":\\\"Windows Error Reporting\\\",\\\"thread_id\\\":0,\\\"user_data\\\":{},\\\"groups\\\":[{\\\"id\\\":\\\"bced64f1-9d22-4001-9425-604e45a14d66\\\",\\\"name\\\":\\\"Group 
1\\\"}],\\\"destination\\\":\\\"syslog\\\",\\\"agent\\\":{\\\"agentid\\\":\\\"adbd57f0-3bf7-4b33-9845-eb489b1b0eea\\\",\\\"hostname\\\":\\\"SARTE03\\\",\\\"domain\\\":null,\\\"domainname\\\":\\\"EXA_0342\\\",\\\"dnsdomainname\\\":\\\"ipline.ovh\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"6.3.9600\\\",\\\"distroid\\\":null,\\\"osproducttype\\\":\\\"Windows Server 2012 R2 Standard\\\",\\\"version\\\":\\\"2.25.13-post0\\\",\\\"additional_info\\\":null}}\"\n },\n \"event_data\": {\n \"param11\": \"8024500b\",\n \"param8\": \"Scan\",\n \"param7\": \"00000000-0000-0000-0000-000000000000\",\n \"param12\": \"AutomaticUpdates\",\n \"param13\": \"{581473F3-A4DC-4D00-8245-D203EAA9B5A9}\",\n \"param18\": \"0\",\n \"param16\": \"\",\n \"param1\": \"0\",\n \"param17\": \"\",\n \"param0\": \"\",\n \"param4\": \"0\",\n \"param10\": \"0\",\n \"param19\": \"3e7b694e-4cf1-45cc-93ff-f30da6e8f683\",\n \"param15\": \"C:\\\\Windows\\\\WindowsUpdate.log\\r\\nC:\\\\Windows\\\\SoftwareDistribution\\\\ReportingEvents.log\",\n \"param20\": \"262144\",\n \"param2\": \"WindowsUpdateFailure3\",\n \"param21\": \"\",\n \"param14\": \"0\",\n \"param5\": \"7.9.9600.19915\",\n \"param9\": \"0\",\n \"param6\": \"80072ee2\",\n \"param3\": \"Non disponible\"\n },\n \"@version\": \"1\",\n \"keywords\": [\n \"EventlogClassic\"\n ],\n \"destination\": \"syslog\",\n \"log_name\": \"Application\",\n \"log_type\": \"eventlog\",\n \"user\": {\n \"name\": \"\",\n \"domain\": \"\",\n \"identifier\": \"\",\n \"type\": \"unknown\"\n },\n \"agent\": {\n \"agentid\": \"adbd57f0-3bf7-4b33-9845-eb489b1b0eea\",\n \"hostname\": \"SARTE03\",\n \"osversion\": \"6.3.9600\",\n \"additional_info\": null,\n \"osproducttype\": \"Windows Server 2012 R2 Standard\",\n \"domain\": null,\n \"version\": \"2.25.13-post0\",\n \"dnsdomainname\": \"example.org\",\n \"ostype\": \"windows\",\n \"distroid\": null,\n \"domainname\": \"EXA_0342\"\n },\n \"level\": \"INFORMATION\",\n \"event_id\": 1001,\n \"groups\": [\n {\n 
\"id\": \"bced64f1-9d22-4001-9425-604e45a14d66\",\n \"name\": \"Group 1\"\n }\n ],\n \"tenant\": \"8029547657723b01\",\n \"computer_name\": \"SARTE03.example.org\",\n \"record_number\": 26500965\n}", "event": { + "code": "1001", "dataset": "eventlog", "kind": "event", + "provider": "Windows Error Reporting", "type": [ "info" - ], - "provider": "Windows Error Reporting", - "code": "1001" - }, - "@timestamp": "2023-05-16T08:46:54Z", - "agent": { - "id": "adbd57f0-3bf7-4b33-9845-eb489b1b0eea", - "name": "harfanglab" - }, - "log": { - "hostname": "SARTE03" - }, - "host": { - "hostname": "SARTE03", - "domain": "EXA_0342", - "os": { - "version": "6.3.9600", - "full": "Windows Server 2012 R2 Standard" - }, - "name": "SARTE03" - }, - "harfanglab": { - "groups": [ - "{\"id\": \"bced64f1-9d22-4001-9425-604e45a14d66\", \"name\": \"Group 1\"}" ] }, - "user": { - "roles": "Group1" - }, + "@timestamp": "2023-05-16T08:46:54Z", "action": { + "id": 1001, "properties": { + "param0": "", + "param1": "0", + "param10": "0", "param11": "8024500b", - "param8": "Scan", - "param7": "00000000-0000-0000-0000-000000000000", "param12": "AutomaticUpdates", "param13": "{581473F3-A4DC-4D00-8245-D203EAA9B5A9}", - "param18": "0", + "param14": "0", + "param15": "C:\\Windows\\WindowsUpdate.log\r\nC:\\Windows\\SoftwareDistribution\\ReportingEvents.log", "param16": "", - "param1": "0", "param17": "", - "param0": "", - "param4": "0", - "param10": "0", + "param18": "0", "param19": "3e7b694e-4cf1-45cc-93ff-f30da6e8f683", - "param15": "C:\\Windows\\WindowsUpdate.log\r\nC:\\Windows\\SoftwareDistribution\\ReportingEvents.log", - "param20": "262144", "param2": "WindowsUpdateFailure3", + "param20": "262144", "param21": "", - "param14": "0", + "param3": "Non disponible", + "param4": "0", "param5": "7.9.9600.19915", - "param9": "0", "param6": "80072ee2", - "param3": "Non disponible" - }, - "id": 1001 + "param7": "00000000-0000-0000-0000-000000000000", + "param8": "Scan", + "param9": "0" + } + }, + "agent": { + 
"id": "adbd57f0-3bf7-4b33-9845-eb489b1b0eea", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"bced64f1-9d22-4001-9425-604e45a14d66\", \"name\": \"Group 1\"}" + ] + }, + "host": { + "domain": "EXA_0342", + "hostname": "SARTE03", + "name": "SARTE03", + "os": { + "full": "Windows Server 2012 R2 Standard", + "version": "6.3.9600" + } + }, + "log": { + "hostname": "SARTE03" }, "related": { "hosts": [ "SARTE03" ] + }, + "user": { + "roles": "Group1" } } 
@@ -1082,25 +1082,92 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"level\": \"LOG_ALWAYS\",\n \"@Version\": \"1\",\n \"@event_create_date\": \"2023-04-20T14:48:59.809Z\",\n \"groups\": [\n {\n \"name\": \"Group 1\",\n \"id\": \"954bc41c-bfae-4d24-9606-add4e1ab4280\"\n },\n {\n \"name\": \"Group 2\",\n \"id\": \"a9458e5a-fbd1-466a-8e0a-d25c2948aa61\"\n }\n ],\n \"source_name\": \"Microsoft-Windows-Security-Auditing\",\n \"log_type\": \"eventlog\",\n \"event_data\": {\n \"IpPort\": \"17780\",\n \"ProcessName\": \"-\",\n \"SubjectDomainName\": \"-\",\n \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\",\n \"LogonProcessName\": \"Kerbe\",\n \"RestrictedAdminMode\": \"-\",\n \"LogonType\": \"3\",\n \"ElevatedToken\": \"%%1842\",\n \"TargetOutboundDomainName\": \"-\",\n \"SubjectUserName\": \"-\",\n \"AuthenticationPackageName\": \"Kerberos\",\n \"VirtualAccount\": \"%%1843\",\n \"WorkstationName\": \"-\",\n \"IpAddress\": \"1.2.3.4\",\n \"LogonGuid\": \"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\",\n \"TargetLinkedLogonId\": \"0x0\",\n \"SubjectLogonId\": \"0x0\",\n \"TransmittedServices\": \"-\",\n \"TargetLogonId\": \"0x6accabcc3\",\n \"TargetDomainName\": \"example.org\",\n \"TargetOutboundUserName\": \"-\",\n \"LmPackageName\": \"-\",\n \"TargetUserName\": \"john.doe$\",\n \"ProcessId\": \"0x0\",\n \"ImpersonationLevel\": \"%%1833\",\n \"KeyLength\": \"0\",\n \"SubjectUserSid\": \"S-1-0-0\"\n },\n \"@timestamp\": \"2023-04-20T14:49:02.914471Z\",\n \"thread_id\": 11111,\n \"provider_guid\": \"4d8dc5df-a605-4c76-b699-bc72464a8114\",\n \"event\": {\n \"original\": \"{\\\"computer_name\\\":\\\"sfreort.gosis.lan\\\",\\\"event_date\\\":\\\"2023/04/20 
14:48:59.809\\\",\\\"event_id\\\":4624,\\\"keywords\\\":[\\\"AuditSuccess\\\",\\\"ReservedKeyword63\\\"],\\\"level\\\":\\\"LOG_ALWAYS\\\",\\\"log_name\\\":\\\"Security\\\",\\\"log_type\\\":\\\"eventlog\\\",\\\"type\\\":\\\"wineventlog\\\",\\\"user\\\":{\\\"domain\\\":\\\"\\\",\\\"identifier\\\":\\\"\\\",\\\"name\\\":\\\"\\\",\\\"type\\\":\\\"unknown\\\"},\\\"event_data\\\":{\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"LogonType\\\":\\\"3\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"TargetLogonId\\\":\\\"0x6accabcc3\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"SubjectDomainName\\\":\\\"-\\\",\\\"AuthenticationPackageName\\\":\\\"Kerbes\\\",\\\"WorkstationName\\\":\\\"-\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"IpAddress\\\":\\\"1.2.3.4\\\",\\\"LogonGuid\\\":\\\"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TargetUserSid\\\":\\\"S-1-5-21-11111111111-111111111111-11111111-111\\\",\\\"TargetDomainName\\\":\\\"example.org\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"IpPort\\\":\\\"17780\\\",\\\"TargetUserName\\\":\\\"john.doe$\\\",\\\"ProcessName\\\":\\\"-\\\"},\\\"process_id\\\":772,\\\"provider_guid\\\":\\\"54849625-5478-4994-a5ba-3e3b0328c30d\\\",\\\"record_number\\\":1069291078,\\\"source_name\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"thread_id\\\":29956,\\\"user_data\\\":{},\\\"groups\\\":[{\\\"id\\\":\\\"2dccd722-6db5-4727-88d2-042b0d8655c3\\\",\\\"name\\\":\\\"Group 1\\\"},{\\\"id\\\":\\\"a9458e5a-fbd1-466a-8e0a-d25c2955aa61\\\",\\\"name\\\":\\\"Group 
2\\\"}],\\\"destination\\\":\\\"sys\\\",\\\"agent\\\":{\\\"agentid\\\":\\\"ef3cd644-1867-4917-ac79-148c2ccd55d5\\\",\\\"hostname\\\":\\\"sfreart\\\",\\\"domain\\\":null,\\\"domainname\\\":\\\"EXAMPLE\\\",\\\"dnsdomainname\\\":\\\"example.org\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"10.0.14393\\\",\\\"distroid\\\":null,\\\"osproducttype\\\":\\\"Windows Server 2016 Standard\\\",\\\"version\\\":\\\"2.25.4-post0\\\",\\\"additional_info\\\":null}}\"\n },\n \"type\": \"wineventlog\",\n \"keywords\": [\n \"AuditSuccess\",\n \"ReservedKeyword63\"\n ],\n \"tenant\": \"2222222222222222\",\n \"destination\": \"sys\",\n \"agent\": {\n \"hostname\": \"sfreort\",\n \"osversion\": \"10.0.14393\",\n \"version\": \"2.25.4-post0\",\n \"domainname\": \"EXAMPLE\",\n \"distroid\": null,\n \"additional_info\": null,\n \"agentid\": \"3f17a3fe-3490-4b8f-8de4-9dcdf92c68b0\",\n \"osproducttype\": \"Windows Server 2016 Standard\",\n \"dnsdomainname\": \"example.org\",\n \"ostype\": \"windows\",\n \"domain\": null\n },\n \"log_name\": \"Security\",\n \"event_id\": 4624,\n \"user\": {\n \"name\": \"\",\n \"identifier\": \"\",\n \"domain\": \"\",\n \"type\": \"unknown\"\n },\n \"user_data\": {},\n \"computer_name\": \"sfreort.example.org\",\n \"process_id\": 772,\n \"record_number\": 1069291078\n}", "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", "dataset": "eventlog", "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "info", "start" - ], - "provider": "Microsoft-Windows-Security-Auditing", - "code": "4624", - "category": [ - "authentication" - ], - "action": "authentication_network" + ] + }, + "@timestamp": "2023-04-20T14:48:59.809000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "Kerberos", + "ElevatedToken": "%%1842", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "17780", + "KeyLength": "0", + 
"LmPackageName": "-", + "LogonGuid": "{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}", + "LogonProcessName": "Kerbe", + "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", + "RestrictedAdminMode": "-", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "example.org", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "john.doe$", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "-" + } + }, + "agent": { + "id": "3f17a3fe-3490-4b8f-8de4-9dcdf92c68b0", + "name": "harfanglab" + }, + "client": { + "domain": "EXAMPLE" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"954bc41c-bfae-4d24-9606-add4e1ab4280\", \"name\": \"Group 1\"}", + "{\"id\": \"a9458e5a-fbd1-466a-8e0a-d25c2948aa61\", \"name\": \"Group 2\"}" + ] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "sfreort", + "name": "sfreort", + "os": { + "full": "Windows Server 2016 Standard", + "version": "10.0.14393" + } + }, + "log": { + "hostname": "sfreort" + }, + "process": { + "name": "Kerbe" + }, + "related": { + "hosts": [ + "sfreort" + ] }, "sekoiaio": { "client": { + "name": "sfreort", "os": { "type": "windows" }, - "name": "sfreort", "user": { "id": "S-1-0-0" } 
@@ -1112,127 +1179,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "@timestamp": "2023-04-20T14:48:59.809000Z", - "agent": { - "id": "3f17a3fe-3490-4b8f-8de4-9dcdf92c68b0", - "name": "harfanglab" - }, - "log": { - "hostname": "sfreort" - }, - "host": { - "hostname": "sfreort", - "domain": "EXAMPLE", - "os": { - "version": "10.0.14393", - "full": "Windows Server 2016 Standard" - }, - "name": "sfreort" - }, - "harfanglab": { - "groups": [ - "{\"id\": \"954bc41c-bfae-4d24-9606-add4e1ab4280\", \"name\": \"Group 1\"}", - "{\"id\": \"a9458e5a-fbd1-466a-8e0a-d25c2948aa61\", \"name\": \"Group 2\"}" - ] + "server": { + "domain": "EXAMPLE" }, "user": { "roles": "Group1,Group2", "target": { - "name": "john.doe$", "domain": "example.org", - "id": "S-1-5-21-11111111111-111111111111-11111111-111" + "id": "S-1-5-21-11111111111-111111111111-11111111-111", + "name": "john.doe$" } + } + } + + ``` + + +=== "wineventlog.json" + + ```json + + { + "message": "{\"tenant\":\"\",\"type\":\"wineventlog\",\"@event_create_date\":\"2021-11-21T13:11:49.837Z\",\"log_name\":\"Microsoft-Windows-PowerShell/Operational\",\"event_data\":{\"param1\":\"7092\",\"param2\":\"DefaultAppDomain\"},\"agent\":{\"osversion\":\"10.0.19041\",\"hostname\":\"DESKTOP-9U3171J\",\"ostype\":\"windows\",\"agentid\":\"f43cb847-8227-4104-b77f-7fc849789f8e\",\"osproducttype\":\"Windows 10 
Pro\",\"domainname\":\"WORKGROUP\",\"distroid\":null,\"domain\":null},\"keywords\":[],\"log_type\":\"eventlog\",\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-PowerShell\",\"@timestamp\":\"2021-11-21T13:12:10.929Z\",\"process_id\":7092,\"task\":null,\"level\":\"Information\",\"provider_guid\":\"{A1A1853B-5C40-4B15-8766-3CF1C58F985A}\",\"user\":{\"name\":\"oliver\",\"type\":\"User\",\"domain\":\"DESKTOP-9U3171J\",\"identifier\":\"S-1-5-21-975228105-2966123187-4141390122-1001\"},\"record_number\":104780,\"computer_name\":\"DESKTOP-9U3171J\",\"thread_id\":6744,\"event_id\":53504,\"opcode\":null,\"user_data\":{}}", + "event": { + "code": "53504", + "dataset": "eventlog", + "kind": "event", + "provider": "Microsoft-Windows-PowerShell", + "type": [ + "info" + ] }, + "@timestamp": "2021-11-21T13:11:49.837000Z", "action": { + "id": 53504, "properties": { - "IpPort": "17780", - "ProcessName": "-", - "SubjectDomainName": "-", - "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", - "LogonProcessName": "Kerbe", - "RestrictedAdminMode": "-", - "LogonType": "3", - "ElevatedToken": "%%1842", - "TargetOutboundDomainName": "-", - "SubjectUserName": "-", - "AuthenticationPackageName": "Kerberos", - "VirtualAccount": "%%1843", - "WorkstationName": "-", - "IpAddress": "1.2.3.4", - "LogonGuid": "{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}", - "TargetLinkedLogonId": "0x0", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", - "TargetLogonId": "0x6accabcc3", - "TargetDomainName": "example.org", - "TargetOutboundUserName": "-", - "LmPackageName": "-", - "TargetUserName": "john.doe$", - "ProcessId": "0x0", - "ImpersonationLevel": "%%1833", - "KeyLength": "0", - "SubjectUserSid": "S-1-0-0" - }, - "id": 4624, - "outcome": "success" - }, - "related": { - "hosts": [ - "sfreort" - ] - }, - "server": { - "domain": "EXAMPLE" - }, - "client": { - "domain": "EXAMPLE" - }, - "process": { - "name": "Kerbe" - } - } - - ``` - - -=== "wineventlog.json" - - ```json - - { - 
"message": "{\"tenant\":\"\",\"type\":\"wineventlog\",\"@event_create_date\":\"2021-11-21T13:11:49.837Z\",\"log_name\":\"Microsoft-Windows-PowerShell/Operational\",\"event_data\":{\"param1\":\"7092\",\"param2\":\"DefaultAppDomain\"},\"agent\":{\"osversion\":\"10.0.19041\",\"hostname\":\"DESKTOP-9U3171J\",\"ostype\":\"windows\",\"agentid\":\"f43cb847-8227-4104-b77f-7fc849789f8e\",\"osproducttype\":\"Windows 10 Pro\",\"domainname\":\"WORKGROUP\",\"distroid\":null,\"domain\":null},\"keywords\":[],\"log_type\":\"eventlog\",\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-PowerShell\",\"@timestamp\":\"2021-11-21T13:12:10.929Z\",\"process_id\":7092,\"task\":null,\"level\":\"Information\",\"provider_guid\":\"{A1A1853B-5C40-4B15-8766-3CF1C58F985A}\",\"user\":{\"name\":\"oliver\",\"type\":\"User\",\"domain\":\"DESKTOP-9U3171J\",\"identifier\":\"S-1-5-21-975228105-2966123187-4141390122-1001\"},\"record_number\":104780,\"computer_name\":\"DESKTOP-9U3171J\",\"thread_id\":6744,\"event_id\":53504,\"opcode\":null,\"user_data\":{}}", - "event": { - "dataset": "eventlog", - "kind": "event", - "type": [ - "info" - ], - "provider": "Microsoft-Windows-PowerShell", - "code": "53504" + "param1": "7092", + "param2": "DefaultAppDomain" + } }, - "@timestamp": "2021-11-21T13:11:49.837000Z", "agent": { "id": "f43cb847-8227-4104-b77f-7fc849789f8e", "name": "harfanglab" }, - "log": { - "hostname": "DESKTOP-9U3171J" - }, "host": { - "hostname": "DESKTOP-9U3171J", "domain": "WORKGROUP", + "hostname": "DESKTOP-9U3171J", + "name": "DESKTOP-9U3171J", "os": { - "version": "10.0.19041", - "full": "Windows 10 Pro" - }, - "name": "DESKTOP-9U3171J" + "full": "Windows 10 Pro", + "version": "10.0.19041" + } }, - "action": { - "properties": { - "param1": "7092", - "param2": "DefaultAppDomain" - }, - "id": 53504 + "log": { + "hostname": "DESKTOP-9U3171J" }, "related": { "hosts": [ 
@@ -1251,98 +1251,98 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"log_name\":\"Security\",\"type\":\"wineventlog\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"event_id\":4625,\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"level\":\"Information\",\"opcode\":null,\"agent\":{\"osversion\":\"10.0.17763\",\"domainname\":\"WORKGROUP\",\"agentid\":\"77af54c8-910f-455d-b887-87cbc87430a4\",\"osproducttype\":\"Windows Server 2019 Datacenter\",\"hostname\":\"REDACTED\",\"domain\":null},\"user\":null,\"event_date\":\"2021-05-08T12:18:58.996Z\",\"process_id\":760,\"@timestamp\":\"2021-05-08T12:19:10.711Z\",\"user_data\":{},\"@version\":\"1\",\"event_data\":{\"IpPort\":\"0\",\"AuthenticationPackageName\":\"NTLM\",\"TransmittedServices\":\"-\",\"TargetUserSid\":\"S-1-0-0\",\"SubjectUserName\":\"-\",\"SubStatus\":\"0xc000006a\",\"IpAddress\":\"166.88.151.58\",\"SubjectLogonId\":\"0x0\",\"FailureReason\":\"%%2313\",\"WorkstationName\":\"-\",\"SubjectUserSid\":\"S-1-0-0\",\"LogonProcessName\":\"NtLmSsp \",\"TargetUserName\":\"ADMINISTRATOR\",\"ProcessName\":\"-\",\"TargetDomainName\":null,\"Status\":\"0xc000006d\",\"LmPackageName\":\"-\",\"KeyLength\":\"0\",\"SubjectDomainName\":\"-\",\"LogonType\":\"3\",\"ProcessId\":\"0x0\"},\"keywords\":[\"Audit Failure\"],\"task\":null,\"record_number\":5089212,\"thread_id\":1768,\"log_type\":\"eventlog\",\"computer_name\":\"REDACTED\"}", "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4625", "dataset": "eventlog", "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "info", "start" - ], - "provider": "Microsoft-Windows-Security-Auditing", - "code": "4625", - "category": [ - "authentication" - ], - "action": "authentication_network" + ] }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "REDACTED", - "user": { - "id": "S-1-0-0" - } - }, - "server": { - "name": 
"REDACTED", - "os": { - "type": "windows" - } + "action": { + "id": 4625, + "outcome": "failure", + "properties": { + "AuthenticationPackageName": "NTLM", + "FailureReason": "%%2313", + "IpAddress": "166.88.151.58", + "IpPort": "0", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", + "Status": "0xc000006d", + "SubStatus": "0xc000006a", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": null, + "TargetUserName": "ADMINISTRATOR", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "-" } }, "agent": { "id": "77af54c8-910f-455d-b887-87cbc87430a4", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" + "client": { + "domain": "WORKGROUP" }, "host": { - "hostname": "REDACTED", "domain": "WORKGROUP", + "hostname": "REDACTED", + "name": "REDACTED", "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Datacenter" - }, - "name": "REDACTED" + "full": "Windows Server 2019 Datacenter", + "version": "10.0.17763" + } }, - "action": { - "properties": { - "IpPort": "0", - "AuthenticationPackageName": "NTLM", - "TransmittedServices": "-", - "TargetUserSid": "S-1-0-0", - "SubjectUserName": "-", - "SubStatus": "0xc000006a", - "IpAddress": "166.88.151.58", - "SubjectLogonId": "0x0", - "FailureReason": "%%2313", - "WorkstationName": "-", - "SubjectUserSid": "S-1-0-0", - "LogonProcessName": "NtLmSsp ", - "TargetUserName": "ADMINISTRATOR", - "ProcessName": "-", - "TargetDomainName": null, - "Status": "0xc000006d", - "LmPackageName": "-", - "KeyLength": "0", - "SubjectDomainName": "-", - "LogonType": "3", - "ProcessId": "0x0" - }, - "id": 4625, - "outcome": "failure" + "log": { + "hostname": "REDACTED" }, - "user": { - "target": { - "name": "ADMINISTRATOR", - "id": "S-1-0-0" - } + "process": { + "name": "NtLmSsp " }, "related": { "hosts": [ "REDACTED" ] }, - "server": { 
- "domain": "WORKGROUP" + "sekoiaio": { + "client": { + "name": "REDACTED", + "os": { + "type": "windows" + }, + "user": { + "id": "S-1-0-0" + } + }, + "server": { + "name": "REDACTED", + "os": { + "type": "windows" + } + } }, - "client": { + "server": { "domain": "WORKGROUP" }, - "process": { - "name": "NtLmSsp " + "user": { + "target": { + "id": "S-1-0-0", + "name": "ADMINISTRATOR" + } } } 
@@ -1356,77 +1356,77 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"computer_name\":\"REDACTED\",\"process_id\":3464,\"provider_guid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"type\":\"wineventlog\",\"log_name\":\"Microsoft-Windows-Windows Defender/Operational\",\"task\":null,\"user\":{\"identifier\":\"S-1-5-18\",\"domain\":\"AUTORITE NT\",\"type\":\"User\",\"name\":\"Syst\u00e8me\"},\"log_type\":\"eventlog\",\"@version\":\"1\",\"tenant\":\"\",\"keywords\":[],\"@event_create_date\":\"2022-01-03T05:44:57.331Z\",\"thread_id\":23768,\"record_number\":2300,\"event_id\":1116,\"event_data\":{\"Unused4\":null,\"Threat Name\":\"Exploit:O97M/CVE-2017-11882.SMK\",\"Post Clean Status\":\"0\",\"Product Version\":\"4.18.2111.5\",\"Detection Time\":\"2022-01-03T05:44:57.284Z\",\"Detection User\":\"AUTORITE NT\\\\Syst\u00e8me\",\"Status Code\":\"1\",\"Origin ID\":\"1\",\"Category ID\":\"30\",\"FWLink\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:O97M/CVE-2017-11882.SMK!MTB&threatid=2147772194&enterprise=0\",\"Path\":\"file:_C:\\\\Program Files\\\\Avast\\\\Amex\\\\temp\\\\TMMSG_45AD4A29-D7BD-AE8F-FFBC-4115652291C2\",\"Process Name\":\"C:\\\\Program Files\\\\Avast\\\\Amex\\\\AMEX_secondary.exe\",\"Origin Name\":\"Ordinateur local\",\"Execution ID\":\"1\",\"Remediation User\":null,\"Status Description\":null,\"Category Name\":\"Attaque\",\"Type Name\":\"Concret\",\"State\":\"1\",\"Pre Execution Status\":\"0\",\"Type ID\":\"0\",\"Action Name\":\"Non applicable\",\"Unused6\":null,\"Additional Actions String\":\"No additional actions required\",\"Threat ID\":\"2147772194\",\"Execution Name\":\"Suspendu\",\"Severity ID\":\"5\",\"Error Description\":\"L\u2019op\u00e9ration a r\u00e9ussi. 
\",\"Engine Version\":\"AM: 1.1.18800.4, NIS: 1.1.18800.4\",\"Unused3\":null,\"Detection ID\":\"{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}\",\"Security intelligence Version\":\"AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0\",\"Product Name\":\"Antivirus Microsoft Defender\",\"Unused\":null,\"Action ID\":\"9\",\"Source ID\":\"3\",\"Additional Actions ID\":\"0\",\"Source Name\":\"Protection en temps r\u00e9el\",\"Unused5\":null,\"Severity Name\":\"Grave\",\"Error Code\":\"0x00000000\",\"Unused2\":null},\"level\":\"Warning\",\"source_name\":\"Microsoft-Windows-Windows Defender\",\"opcode\":null,\"@timestamp\":\"2022-01-03T05:45:12.816Z\",\"user_data\":{},\"agent\":{\"agentid\":\"06d70013-58c7-46e3-9231-452a383af90b\",\"domain\":null,\"osproducttype\":\"Windows Server 2019 Datacenter\",\"ostype\":\"windows\",\"osversion\":\"10.0.17763\",\"version\":\"2.12.2\",\"domainname\":\"REDACTED\",\"distroid\":null,\"hostname\":\"REDACTED\"}}", "event": { + "code": "1116", "dataset": "eventlog", "kind": "event", + "provider": "Microsoft-Windows-Windows Defender", "type": [ "info" - ], - "provider": "Microsoft-Windows-Windows Defender", - "code": "1116" + ] }, "@timestamp": "2022-01-03T05:44:57.331000Z", - "agent": { - "id": "06d70013-58c7-46e3-9231-452a383af90b", - "name": "harfanglab" - }, - "log": { - "hostname": "REDACTED" - }, - "host": { - "hostname": "REDACTED", - "domain": "REDACTED", - "os": { - "version": "10.0.17763", - "full": "Windows Server 2019 Datacenter" - }, - "name": "REDACTED" - }, "action": { + "id": 1116, "properties": { - "Unused4": null, - "Threat Name": "Exploit:O97M/CVE-2017-11882.SMK", - "Post Clean Status": "0", - "Product Version": "4.18.2111.5", + "Action ID": "9", + "Action Name": "Non applicable", + "Additional Actions ID": "0", + "Additional Actions String": "No additional actions required", + "Category ID": "30", + "Category Name": "Attaque", + "Detection ID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}", "Detection Time": 
"2022-01-03T05:44:57.284Z", "Detection User": "AUTORITE NT\\Syst\u00e8me", - "Status Code": "1", - "Origin ID": "1", - "Category ID": "30", + "Engine Version": "AM: 1.1.18800.4, NIS: 1.1.18800.4", + "Error Code": "0x00000000", + "Error Description": "L\u2019op\u00e9ration a r\u00e9ussi. ", + "Execution ID": "1", + "Execution Name": "Suspendu", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:O97M/CVE-2017-11882.SMK!MTB&threatid=2147772194&enterprise=0", + "Origin ID": "1", + "Origin Name": "Ordinateur local", "Path": "file:_C:\\Program Files\\Avast\\Amex\\temp\\TMMSG_45AD4A29-D7BD-AE8F-FFBC-4115652291C2", + "Post Clean Status": "0", + "Pre Execution Status": "0", "Process Name": "C:\\Program Files\\Avast\\Amex\\AMEX_secondary.exe", - "Origin Name": "Ordinateur local", - "Execution ID": "1", + "Product Name": "Antivirus Microsoft Defender", + "Product Version": "4.18.2111.5", "Remediation User": null, - "Status Description": null, - "Category Name": "Attaque", - "Type Name": "Concret", - "State": "1", - "Pre Execution Status": "0", - "Type ID": "0", - "Action Name": "Non applicable", - "Unused6": null, - "Additional Actions String": "No additional actions required", - "Threat ID": "2147772194", - "Execution Name": "Suspendu", - "Severity ID": "5", - "Error Description": "L\u2019op\u00e9ration a r\u00e9ussi. 
", - "Engine Version": "AM: 1.1.18800.4, NIS: 1.1.18800.4", - "Unused3": null, - "Detection ID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}", "Security intelligence Version": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0", - "Product Name": "Antivirus Microsoft Defender", - "Unused": null, - "Action ID": "9", + "Severity ID": "5", + "Severity Name": "Grave", "Source ID": "3", - "Additional Actions ID": "0", "Source Name": "Protection en temps r\u00e9el", + "State": "1", + "Status Code": "1", + "Status Description": null, + "Threat ID": "2147772194", + "Threat Name": "Exploit:O97M/CVE-2017-11882.SMK", + "Type ID": "0", + "Type Name": "Concret", + "Unused": null, + "Unused2": null, + "Unused3": null, + "Unused4": null, "Unused5": null, - "Severity Name": "Grave", - "Error Code": "0x00000000", - "Unused2": null - }, - "id": 1116 + "Unused6": null + } + }, + "agent": { + "id": "06d70013-58c7-46e3-9231-452a383af90b", + "name": "harfanglab" + }, + "host": { + "domain": "REDACTED", + "hostname": "REDACTED", + "name": "REDACTED", + "os": { + "full": "Windows Server 2019 Datacenter", + "version": "10.0.17763" + } + }, + "log": { + "hostname": "REDACTED" }, "related": { "hosts": [ 
@@ -1445,52 +1445,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":null,\"opcode\":null,\"agent\":{\"distroid\":null,\"hostname\":\"REDACTED\",\"ostype\":\"windows\",\"domain\":null,\"osproducttype\":\"Windows Server 2012 Standard\",\"agentid\":\"aa7cf2c6-5c46-45c4-b918-ba5cd7082e53\",\"osversion\":\"6.2.9200\",\"domainname\":\"REDACTED\",\"version\":\"2.19.5\"},\"@event_create_date\":\"2022-11-14T08:41:03.066Z\",\"level\":\"Information\",\"destination\":\"syslog\",\"record_number\":1475418032,\"keywords\":[\"Audit Success\"],\"event_id\":5145,\"computer_name\":\"REDACTED.LOCAL\",\"tenant\":\"\",\"type\":\"wineventlog\",\"log_name\":\"Security\",\"process_id\":720,\"@version\":\"1\",\"thread_id\":728,\"event_data\":{\"SubjectDomainName\":\"AUTORITE NT\",\"IpAddress\":\"10.84.128.186\",\"ShareLocalPath\":null,\"SubjectUserSid\":\"S-1-5-7\",\"AccessList\":\"%%1538\\n\\t\\t\\t\\t%%1541\\n\\t\\t\\t\\t%%4416\\n\\t\\t\\t\\t%%4417\\n\\t\\t\\t\\t%%4418\\n\\t\\t\\t\\t%%4419\\n\\t\\t\\t\\t%%4420\\n\\t\\t\\t\\t%%4423\\n\\t\\t\\t\\t%%4424\\n\\t\\t\\t\\t\",\"ShareName\":\"\\\\\\\\*\\\\IPC$\",\"AccessReason\":\"-\",\"SubjectUserName\":\"ANONYMOUS LOGON\",\"ObjectType\":\"File\",\"IpPort\":\"50846\",\"SubjectLogonId\":\"0x3ad88f7f3\",\"AccessMask\":\"0x12019f\",\"RelativeTargetName\":\"NETLOGON\"},\"log_type\":\"eventlog\",\"@timestamp\":\"2022-11-14T08:41:05.337Z\",\"user_data\":{},\"user\":null,\"source_name\":\"Microsoft-Windows-Security-Auditing\"}", "event": { + "code": "5145", "dataset": "eventlog", "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "info" - ], - "provider": "Microsoft-Windows-Security-Auditing", - "code": "5145" + ] }, "@timestamp": "2022-11-14T08:41:03.066000Z", + "action": { + "id": 5145, + "properties": { + "AccessList": 
"%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t", + "AccessMask": "0x12019f", + "AccessReason": "-", + "IpAddress": "10.84.128.186", + "IpPort": "50846", + "ObjectType": "File", + "RelativeTargetName": "NETLOGON", + "ShareLocalPath": null, + "ShareName": "\\\\*\\IPC$", + "SubjectDomainName": "AUTORITE NT", + "SubjectLogonId": "0x3ad88f7f3", + "SubjectUserName": "ANONYMOUS LOGON", + "SubjectUserSid": "S-1-5-7" + } + }, "agent": { "id": "aa7cf2c6-5c46-45c4-b918-ba5cd7082e53", "name": "harfanglab" }, - "log": { - "hostname": "REDACTED" - }, "host": { - "hostname": "REDACTED", "domain": "REDACTED", + "hostname": "REDACTED", + "name": "REDACTED", "os": { - "version": "6.2.9200", - "full": "Windows Server 2012 Standard" - }, - "name": "REDACTED" - }, - "action": { - "properties": { - "SubjectDomainName": "AUTORITE NT", - "IpAddress": "10.84.128.186", - "ShareLocalPath": null, - "SubjectUserSid": "S-1-5-7", - "AccessList": "%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t", - "ShareName": "\\\\*\\IPC$", - "AccessReason": "-", - "SubjectUserName": "ANONYMOUS LOGON", - "ObjectType": "File", - "IpPort": "50846", - "SubjectLogonId": "0x3ad88f7f3", - "AccessMask": "0x12019f", - "RelativeTargetName": "NETLOGON" - }, - "id": 5145 + "full": "Windows Server 2012 Standard", + "version": "6.2.9200" + } }, - "user": { - "name": "ANONYMOUS LOGON", - "domain": "AUTORITE NT" + "log": { + "hostname": "REDACTED" }, "related": { "hosts": [ @@ -1499,6 +1495,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "ANONYMOUS LOGON" ] + }, + "user": { + "domain": "AUTORITE NT", + "name": "ANONYMOUS LOGON" } } 
diff --git a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md
index 3d46fb5b06..0358127ee9 100644
--- a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md
+++ b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md
@@ -37,97 +37,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"16dd674a4cb5437c9a66d14f11839b02\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/16dd674a4cb5437c9a66d14f11839b02\",\"type\":\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\",\"resource\":{\"resourceType\":\"AccessKey\",\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"IAMUser\",\"userName\":\"GeneratedFindingUserName\"},\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstaceTag1\",\"value\":\"GeneratedFindingInstaceValue1\"},{\"key\":\"GeneratedFindingInstaceTag2\",\"value\":\"GeneratedFindingInstaceTagValue2\"},{\"key\":\"GeneratedFindingInstaceTag3\",\"value\":\"GeneratedFindingIn
staceTagValue3\"},{\"key\":\"GeneratedFindingInstaceTag4\",\"value\":\"GeneratedFindingInstaceTagValue4\"},{\"key\":\"GeneratedFindingInstaceTag5\",\"value\":\"GeneratedFindingInstaceTagValue5\"},{\"key\":\"GeneratedFindingInstaceTag6\",\"value\":\"GeneratedFindingInstaceTagValue6\"},{\"key\":\"GeneratedFindingInstaceTag7\",\"value\":\"GeneratedFindingInstaceTagValue7\"},{\"key\":\"GeneratedFindingInstaceTag8\",\"value\":\"GeneratedFindingInstaceTagValue8\"},{\"key\":\"GeneratedFindingInstaceTag9\",\"value\":\"GeneratedFindingInstaceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstaceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstaceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"AWS_API_CALL\",\"awsApiCallAction\":{\"api\":\"GeneratedFindingAPIName\",\"serviceName\":\"GeneratedFindingAPIServiceName\",\"callerType\":\"Remote 
IP\",\"errorCode\":\"AccessDenied\",\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"affectedResources\":{}}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"apiCalls\":[{\"name\":\"GeneratedFindingAPIName1\",\"count\":18,\"firstSeen\":1512692639,\"lastSeen\":1512692839},{\"name\":\"GeneratedFindingAPIName1\",\"count\":8,\"firstSeen\":1512692639,\"lastSeen\":1512692837},{\"name\":\"GeneratedFindingAPIName1\",\"count\":2,\"firstSeen\":1512692637,\"lastSeen\":1512692637}],\"sample\":true,\"value\":\"{\\\"apiCalls\\\":[{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":18,\\\"firstSeen\\\":1512692639,\\\"lastSeen\\\":1512692839},{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":8,\\\"firstSeen\\\":1512692639,\\\"lastSeen\\\":1512692837},{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":2,\\\"firstSeen\\\":1512692637,\\\"lastSeen\\\":1512692637}],\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":5,\"createdAt\":\"2023-03-20T15:33:12.406Z\",\"updatedAt\":\"2023-03-20T15:33:12.406Z\",\"title\":\"API GeneratedFindingAPIName was invoked from a known malicious IP address.\",\"description\":\"API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0.\"}", "event": { "action": "UnauthorizedAccess", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 5, "type": [ "indicator" - ], - "severity": 5 + ] }, "@timestamp": 
"2023-03-20T15:33:12.406000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" - }, - "machine": { - "type": "m3.xlarge" - } - }, "agent": { "version": "2.0" }, - "user": { - "name": "GeneratedFindingUserName" - }, - "threat": { - "indicator": { - "description": "API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0." - }, - "group": { - "name": "MaliciousIPCaller" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { - "threats": { - "evidence": [ - "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" - ] - }, "finding": { - "id": "16dd674a4cb5437c9a66d14f11839b02", - "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", - "region": "eu-west-2", - "principal": { - "id": "GeneratedFindingPrincipalId" - }, "accesskey": { "accessKeyId": "GeneratedFindingAccessKeyId", "principalId": "GeneratedFindingPrincipalId", "userType": "IAMUser" }, + "id": "16dd674a4cb5437c9a66d14f11839b02", + "principal": { + "id": "GeneratedFindingPrincipalId" + }, + "region": "eu-west-2", "service": { "action": { "type": "AWS_API_CALL" } - } + }, + "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller" + }, + "threats": { + "evidence": [ + "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" + ] } } }, - "source": { - "geo": { - "country_name": "GeneratedFindingCountryName", - "location": { - "lat": 0, - "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + "cloud": { + "account": { + "id": "111111111111" }, - "ip": "198.51.100.0", - "address": "198.51.100.0" + "instance": { + "id": "i-99999999" + }, + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" }, "error": { "code": "AccessDenied" 
}, - "service": { - "name": "GeneratedFindingAPIServiceName" - }, "related": { "ip": [ "198.51.100.0" @@ -135,6 +100,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "GeneratedFindingUserName" ] + }, + "service": { + "name": "GeneratedFindingAPIServiceName" + }, + "source": { + "address": "198.51.100.0", + "geo": { + "city_name": "GeneratedFindingCityName", + "country_name": "GeneratedFindingCountryName", + "location": { + "lat": 0, + "lon": 0 + } + }, + "ip": "198.51.100.0" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" + } + } + ], + "group": { + "name": "MaliciousIPCaller" + }, + "indicator": { + "description": "API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0." + } + }, + "user": { + "name": "GeneratedFindingUserName" } } 
@@ -149,66 +149,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"53a87f7e55ce432c833e952613829048\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/53a87f7e55ce432c833e952613829048\",\"type\":\"Exfiltration:IAMUser/AnomalousBehavior\",\"resource\":{\"resourceType\":\"AccessKey\",\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"GeneratedFindingUserType\",\"userName\":\"GeneratedFindingUserName\"},\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstaceTag1\",\"value\":\"GeneratedFindingInstaceValue1\"},{\"key\":\"GeneratedFindingInstaceTag2\",\"value\":\"GeneratedFindingInstaceTagValue2\"},{\"key\":\"GeneratedFindingInstaceTag3\",\"value\":\"Gener
atedFindingInstaceTagValue3\"},{\"key\":\"GeneratedFindingInstaceTag4\",\"value\":\"GeneratedFindingInstaceTagValue4\"},{\"key\":\"GeneratedFindingInstaceTag5\",\"value\":\"GeneratedFindingInstaceTagValue5\"},{\"key\":\"GeneratedFindingInstaceTag6\",\"value\":\"GeneratedFindingInstaceTagValue6\"},{\"key\":\"GeneratedFindingInstaceTag7\",\"value\":\"GeneratedFindingInstaceTagValue7\"},{\"key\":\"GeneratedFindingInstaceTag8\",\"value\":\"GeneratedFindingInstaceTagValue8\"},{\"key\":\"GeneratedFindingInstaceTag9\",\"value\":\"GeneratedFindingInstaceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstaceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstaceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"AWS_API_CALL\",\"awsApiCallAction\":{\"api\":\"GeneratedFindingAPIName\",\"serviceName\":\"GeneratedFindingAPIServiceName\",\"callerType\":\"Remote IP\",\"errorCode\":\"AccessDenied\",\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingOrg\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"affectedResources\":{}}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"userAgent\":{\"fullUserAgent\":\"GeneratedFindingFullUserAgent\",\"userAgentCategory\":\"GeneratedFindingUserAgentCategory\"},\"anomalies\":{\"anomalousAPIs\":\"GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , 
GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]\"},\"profiledBehavior\":{\"rareProfiledAPIsAccountProfiling\":\"GeneratedFindingAPINameTwo , GeneratedFindingAPINameThree\",\"infrequentProfiledAPIsAccountProfiling\":\"GeneratedFindingAPINameFour\",\"frequentProfiledAPIsAccountProfiling\":\"GeneratedFindingAPINameFive , GeneratedFindingAPINameSix\",\"rareProfiledAPIsUserIdentityProfiling\":\"GeneratedFindingAPINameTwo\",\"infrequentProfiledAPIsUserIdentityProfiling\":\"GeneratedFindingAPINameSix\",\"frequentProfiledAPIsUserIdentityProfiling\":\"GeneratedFindingAPINameFive\",\"rareProfiledUserTypesAccountProfiling\":\"GeneratedFindingUserType\",\"infrequentProfiledUserTypesAccountProfiling\":\"\",\"frequentProfiledUserTypesAccountProfiling\":\"ASSUMED_ROLE\",\"rareProfiledUserNamesAccountProfiling\":\"GeneratedFindingUserName , GeneratedFindingUserNameTwo\",\"infrequentProfiledUserNamesAccountProfiling\":\"\",\"frequentProfiledUserNamesAccountProfiling\":\"GeneratedFindingUserNameTwoThree\",\"rareProfiledASNsAccountProfiling\":\"\",\"infrequentProfiledASNsAccountProfiling\":\"\",\"frequentProfiledASNsAccountProfiling\":\"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne\",\"rareProfiledASNsUserIdentityProfiling\":\"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne\",\"infrequentProfiledASNsUserIdentityProfiling\":\"\",\"frequentProfiledASNsUserIdentityProfiling\":\"\",\"rareProfiledUserAgentsAccountProfiling\":\"GeneratedFindingUserAgentOne , GeneratedFindingUserAgentTwo , GeneratedFindingUserAgentThree\",\"infrequentProfiledUserAgentsAccountProfiling\":\"\",\"frequentProfiledUserAgentsAccountProfiling\":\"AWS Service , AWS 
Internal\",\"rareProfiledUserAgentsUserIdentityProfiling\":\"GeneratedFindingUserAgentOne\",\"infrequentProfiledUserAgentsUserIdentityProfiling\":\"\",\"frequentProfiledUserAgentsUserIdentityProfiling\":\"\"},\"unusualBehavior\":{\"unusualAPIsAccountProfiling\":\"GeneratedFindingAPIName\",\"unusualAPIsUserIdentityProfiling\":\"GeneratedFindingAPIName\",\"unusualUserTypesAccountProfiling\":\"\",\"unusualUserNamesAccountProfiling\":\"\",\"unusualASNsAccountProfiling\":\"asnNumber: -1 asnOrg: GeneratedFindingASNOrg\",\"unusualASNsUserIdentityProfiling\":\"asnNumber: -1 asnOrg: GeneratedFindingASNOrg\",\"unusualUserAgentsAccountProfiling\":\"GeneratedFindingUserAgentCategory\",\"unusualUserAgentsUserIdentityProfiling\":\"GeneratedFindingUserAgentCategory\",\"isUnusualUserIdentity\":\"false\"},\"sample\":true,\"value\":\"{\\\"userAgent\\\":{\\\"fullUserAgent\\\":\\\"GeneratedFindingFullUserAgent\\\",\\\"userAgentCategory\\\":\\\"GeneratedFindingUserAgentCategory\\\"},\\\"anomalies\\\":{\\\"anomalousAPIs\\\":\\\"GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]\\\"},\\\"profiledBehavior\\\":{\\\"rareProfiledAPIsAccountProfiling\\\":\\\"GeneratedFindingAPINameTwo , GeneratedFindingAPINameThree\\\",\\\"infrequentProfiledAPIsAccountProfiling\\\":\\\"GeneratedFindingAPINameFour\\\",\\\"frequentProfiledAPIsAccountProfiling\\\":\\\"GeneratedFindingAPINameFive , 
GeneratedFindingAPINameSix\\\",\\\"rareProfiledAPIsUserIdentityProfiling\\\":\\\"GeneratedFindingAPINameTwo\\\",\\\"infrequentProfiledAPIsUserIdentityProfiling\\\":\\\"GeneratedFindingAPINameSix\\\",\\\"frequentProfiledAPIsUserIdentityProfiling\\\":\\\"GeneratedFindingAPINameFive\\\",\\\"rareProfiledUserTypesAccountProfiling\\\":\\\"GeneratedFindingUserType\\\",\\\"infrequentProfiledUserTypesAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledUserTypesAccountProfiling\\\":\\\"ASSUMED_ROLE\\\",\\\"rareProfiledUserNamesAccountProfiling\\\":\\\"GeneratedFindingUserName , GeneratedFindingUserNameTwo\\\",\\\"infrequentProfiledUserNamesAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledUserNamesAccountProfiling\\\":\\\"GeneratedFindingUserNameTwoThree\\\",\\\"rareProfiledASNsAccountProfiling\\\":\\\"\\\",\\\"infrequentProfiledASNsAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledASNsAccountProfiling\\\":\\\"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne\\\",\\\"rareProfiledASNsUserIdentityProfiling\\\":\\\"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne\\\",\\\"infrequentProfiledASNsUserIdentityProfiling\\\":\\\"\\\",\\\"frequentProfiledASNsUserIdentityProfiling\\\":\\\"\\\",\\\"rareProfiledUserAgentsAccountProfiling\\\":\\\"GeneratedFindingUserAgentOne , GeneratedFindingUserAgentTwo , GeneratedFindingUserAgentThree\\\",\\\"infrequentProfiledUserAgentsAccountProfiling\\\":\\\"\\\",\\\"frequentProfiledUserAgentsAccountProfiling\\\":\\\"AWS Service , AWS 
Internal\\\",\\\"rareProfiledUserAgentsUserIdentityProfiling\\\":\\\"GeneratedFindingUserAgentOne\\\",\\\"infrequentProfiledUserAgentsUserIdentityProfiling\\\":\\\"\\\",\\\"frequentProfiledUserAgentsUserIdentityProfiling\\\":\\\"\\\"},\\\"unusualBehavior\\\":{\\\"unusualAPIsAccountProfiling\\\":\\\"GeneratedFindingAPIName\\\",\\\"unusualAPIsUserIdentityProfiling\\\":\\\"GeneratedFindingAPIName\\\",\\\"unusualUserTypesAccountProfiling\\\":\\\"\\\",\\\"unusualUserNamesAccountProfiling\\\":\\\"\\\",\\\"unusualASNsAccountProfiling\\\":\\\"asnNumber: -1 asnOrg: GeneratedFindingASNOrg\\\",\\\"unusualASNsUserIdentityProfiling\\\":\\\"asnNumber: -1 asnOrg: GeneratedFindingASNOrg\\\",\\\"unusualUserAgentsAccountProfiling\\\":\\\"GeneratedFindingUserAgentCategory\\\",\\\"unusualUserAgentsUserIdentityProfiling\\\":\\\"GeneratedFindingUserAgentCategory\\\",\\\"isUnusualUserIdentity\\\":\\\"false\\\"},\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":null,\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\n\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.403Z\",\"updatedAt\":\"2023-03-20T15:33:12.403Z\",\"title\":\"User GeneratedFindingUserType : GeneratedFindingUserName is anomalously invoking APIs commonly used in Exfiltration tactics.\",\"description\":\"APIs commonly used in Exfiltration tactics were invoked by user GeneratedFindingUserType : GeneratedFindingUserName, under anomalous circumstances. 
Such activity is not typically seen from this user.\"}", "event": { "action": "Exfiltration", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 8, "type": [ "indicator" - ], - "severity": 8 + ] }, "@timestamp": "2023-03-20T15:33:12.403000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" - }, - "machine": { - "type": "m3.xlarge" - } - }, "agent": { "version": "2.0" }, - "user": { - "name": "GeneratedFindingUserName" - }, - "threat": { - "indicator": { - "description": "APIs commonly used in Exfiltration tactics were invoked by user GeneratedFindingUserType : GeneratedFindingUserName, under anomalous circumstances. Such activity is not typically seen from this user." - }, - "group": { - "name": "AnomalousBehavior" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { "finding": { - "id": "53a87f7e55ce432c833e952613829048", - "type": "Exfiltration:IAMUser/AnomalousBehavior", - "region": "eu-west-2", - "principal": { - "id": "GeneratedFindingPrincipalId" - }, "accesskey": { "accessKeyId": "GeneratedFindingAccessKeyId", "principalId": "GeneratedFindingPrincipalId", "userType": "GeneratedFindingUserType" }, + "id": "53a87f7e55ce432c833e952613829048", + "principal": { + "id": "GeneratedFindingPrincipalId" + }, + "region": "eu-west-2", "service": { "action": { "type": "AWS_API_CALL" 
@@ -216,38 +182,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "additional_info": { "anomalousAPIs": "GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]" } - } + }, + "type": "Exfiltration:IAMUser/AnomalousBehavior" } } }, - "user_agent": { - "original": "GeneratedFindingFullUserAgent", - "device": { - "name": "Generic Feature Phone" + "cloud": { + "account": { + "id": "111111111111" }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "source": { - "geo": { - "country_name": "GeneratedFindingCountryName", - "location": { - "lat": 0, - "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + "instance": { + "id": "i-99999999" }, - "ip": "198.51.100.0", - "address": "198.51.100.0" + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" }, "error": { "code": "AccessDenied" }, - "service": { - "name": "GeneratedFindingAPIServiceName" - }, "related": { "ip": [ "198.51.100.0" 
@@ -255,6 +210,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "GeneratedFindingUserName" ] + }, + "service": { + "name": "GeneratedFindingAPIServiceName" + }, + "source": { + "address": "198.51.100.0", + "geo": { + "city_name": "GeneratedFindingCityName", + "country_name": "GeneratedFindingCountryName", + "location": { + "lat": 0, + "lon": 0 + } + }, + "ip": "198.51.100.0" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" + } + } + ], + "group": { + "name": "AnomalousBehavior" + }, + "indicator": { + "description": "APIs commonly used in Exfiltration tactics were invoked by user GeneratedFindingUserType : GeneratedFindingUserName, under anomalous circumstances. Such activity is not typically seen from this user." + } + }, + "user": { + "name": "GeneratedFindingUserName" + }, + "user_agent": { + "device": { + "name": "Generic Feature Phone" + }, + "name": "Other", + "original": "GeneratedFindingFullUserAgent", + "os": { + "name": "Other" + } } } 
@@ -269,103 +269,103 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"16f05caa14654697a0725be23b9e1a0f\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/16f05caa14654697a0725be23b9e1a0f\",\"type\":\"Execution:Container/SuspiciousFile\",\"resource\":{\"resourceType\":\"Container\",\"containerDetails\":{\"id\":\"e6cf2e24515c1df7f4\",\"name\":\"GeneratedFindingContainerName\",\"image\":\"GeneratedFindingContainerImage\"},\"ebsVolumeDetails\":{\"scannedVolumeDetails\":[{\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d\",\"volumeType\":\"GeneratedScannedVolumeType\",\"deviceName\":\"GeneratedScannedDeviceName\",\"volumeSizeInGB\":8,\"encryptionType\":\"UNENCRYPTED\",\"snapshotArn\":\"arn:aws:ec2:us-east-2:123456789000:snapshot/snap-12345678901234567\",\"kmsKeyArn\":null}],\"skippedVolumeDetails\":null}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"featureName\":\"EbsVolumeScan\",\"ebsVolumeScanDetails\":{\"scanId\":\"bd6ce77dcacb163330a1a40ec143f557\",\"scanStartedAt\":1.639010703E9,\"scanCompletedAt\":1.639011226E9,\"scanType\":\"ON_DEMAND\",\"triggerFindingId\":\"aebf726700725c2ffe5a2418d71b95ca\",\"sources\":[\"Bitdefender\"],\"scanDetections\":{\"scannedItemCount\":{\"totalGb\":1,\"files\":65226,\"volumes\":1},\"threatsDetectedItemCount\":{\"files\":2},\"highestSeverityThreatDetails\":{\"severity\":\"MEDIUM\",\"threatName\":\"EICAR-Test-File\",\"count\":2},\"threatDetectedByName\":{\"itemCount\":2,\"uniqueThreatNameCount\":1,\"shortened\":false,\"threatNames\":[{\"name\":\"EICAR-Test-File\",\"severity\":\"MEDIUM\",\"itemCount\":2,\"filePaths\":[{\"filePath\":\"tmp/eicar.com\",\"fileName\":\"eicar.com\",\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea
915943d\",\"hash\":\"275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f\"},{\"filePath\":\"tmp/eicar-2.txt\",\"fileName\":\"eicar-2.txt\",\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d\",\"hash\":\"275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x\"}]}]}}},\"additionalInfo\":{\"sample\":true,\"value\":\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":null,\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":6,\"createdAt\":\"2023-03-20T15:33:12.398Z\",\"updatedAt\":\"2023-03-20T15:33:12.398Z\",\"title\":\"2 security risk(s) detected including EICAR-Test-File on Container e6cf2e24515c1df7f4.\",\"description\":\"2 security risk(s) detected including EICAR-Test-File on Container e6cf2e24515c1df7f4.\"}", "event": { "action": "Execution", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 6, "type": [ "indicator" - ], - "severity": 6 + ] }, "@timestamp": "2023-03-20T15:33:12.398000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws" - }, "agent": { "version": "2.0" }, - "threat": { - "indicator": { - "description": "2 security risk(s) detected including EICAR-Test-File on Container e6cf2e24515c1df7f4." 
- }, - "group": { - "name": "SuspiciousFile" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1", - "type": "file", - "file": { - "name": "eicar.com", - "path": "tmp/eicar.com", - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f" - } - } - } - }, - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1", - "type": "file", - "file": { - "name": "eicar-2.txt", - "path": "tmp/eicar-2.txt", - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x" - } - } - } - } - ] - }, "aws": { "guardduty": { "finding": { "id": "16f05caa14654697a0725be23b9e1a0f", - "type": "Execution:Container/SuspiciousFile", "region": "eu-west-2", "resource": { "type": "Container" }, + "type": "Execution:Container/SuspiciousFile", "volume": { "details": [ { - "volumeArn": "arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d", - "volumeType": "GeneratedScannedVolumeType", "deviceName": "GeneratedScannedDeviceName", - "volumeSizeInGB": 8, "encryptionType": "UNENCRYPTED", + "kmsKeyArn": null, "snapshotArn": "arn:aws:ec2:us-east-2:123456789000:snapshot/snap-12345678901234567", - "kmsKeyArn": null + "volumeArn": "arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d", + "volumeSizeInGB": 8, + "volumeType": "GeneratedScannedVolumeType" } ] } }, "threats": { "threat": { + "itemCount": 2, "name": "EICAR-Test-File", - "severity": "MEDIUM", - "itemCount": 2 + "severity": "MEDIUM" } } } }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "eu-west-2" + }, "container": { "id": "e6cf2e24515c1df7f4", - "name": "GeneratedFindingContainerName", "image": { "name": "GeneratedFindingContainerImage" + }, + "name": "GeneratedFindingContainerName" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "file": { + 
"hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f" + }, + "name": "eicar.com", + "path": "tmp/eicar.com" + }, + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1", + "type": "file" + } + }, + { + "indicator": { + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x" + }, + "name": "eicar-2.txt", + "path": "tmp/eicar-2.txt" + }, + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1", + "type": "file" + } + } + ], + "group": { + "name": "SuspiciousFile" + }, + "indicator": { + "description": "2 security risk(s) detected including EICAR-Test-File on Container e6cf2e24515c1df7f4." } } } 
@@ -381,115 +381,115 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"cfa85e08f16d4f0bad271c90a1fae771\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/cfa85e08f16d4f0bad271c90a1fae771\",\"type\":\"Execution:ECS/MaliciousFile\",\"resource\":{\"resourceType\":\"ECSCluster\",\"ecsClusterDetails\":{\"arn\":\"arn:aws:ecs:region:123456789000:cluster/clusterName\",\"name\":\"GeneratedFindingECSClusterName\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"GeneratedFindingECSClusterTag1\",\"value\":\"GeneratedFindingECSClusterTagValue1\"},{\"key\":\"GeneratedFindingECSClusterTag2\",\"value\":\"GeneratedFindingECSClusterTagValue2\"},{\"key\":\"GeneratedFindingECSClusterTag3\",\"value\":\"GeneratedFindingECSClusterTagValue3\"}],\"taskDetails\":{\"arn\":\"arn:aws:ecs:region:123456789000:task/mycluster/043de9ab3\",\"definitionArn\":\"arn:aws:ecs:region:123456789000:task-definition/mycluster/76f1f1asdf\",\"version\":\"1\",\"createdAt\":1.63900583E9,\"startedAt\":1.63900583E9,\"startedBy\":\"GeneratedFindingECSTaskStartedBy\",\"containers\":[{\"name\":\"GeneratedFindingContainerName\",\"image\":\"GeneratedFindingContainerImage\"}]}},\"ebsVolumeDetails\":{\"scannedVolumeDetails\":[{\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d\",\"volumeType\":\"GeneratedScannedVolumeType\",\"deviceName\":\"GeneratedScannedDeviceName\",\"volumeSizeInGB\":8,\"encryptionType\":\"UNENCRYPTED\",\"snapshotArn\":\"arn:aws:ec2:us-east-2:123456789000:snapshot/snap-12345678901234567\",\"kmsKeyArn\":null}],\"skippedVolumeDetails\":null}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"featureName\":\"EbsVolumeScan\",\"ebsVolumeScanDetails\":{\"scanId\":\"bd6ce77dcacb163330a1a40ec143f851\",\"scanStartedAt\":1.639010703
E9,\"scanCompletedAt\":1.639011226E9,\"scanType\":\"ON_DEMAND\",\"triggerFindingId\":\"aebf726700725c2ffe5a2418d71b91wd\",\"sources\":[\"Bitdefender\"],\"scanDetections\":{\"scannedItemCount\":{\"totalGb\":1,\"files\":65226,\"volumes\":1},\"threatsDetectedItemCount\":{\"files\":2},\"highestSeverityThreatDetails\":{\"severity\":\"HIGH\",\"threatName\":\"EICAR-Test-File\",\"count\":2},\"threatDetectedByName\":{\"itemCount\":2,\"uniqueThreatNameCount\":1,\"shortened\":false,\"threatNames\":[{\"name\":\"EICAR-Test-File\",\"severity\":\"HIGH\",\"itemCount\":2,\"filePaths\":[{\"filePath\":\"tmp/eicar.com\",\"fileName\":\"eicar.com\",\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d\",\"hash\":\"275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f\"},{\"filePath\":\"tmp/eicar-2.txt\",\"fileName\":\"eicar-2.txt\",\"volumeArn\":\"arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d\",\"hash\":\"275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x\"}]}]}}},\"additionalInfo\":{\"sample\":true,\"value\":\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":null,\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.414Z\",\"updatedAt\":\"2023-03-20T15:33:12.414Z\",\"title\":\"2 security risk(s) detected including EICAR-Test-File on ECS Cluster GeneratedFindingECSClusterName.\",\"description\":\"2 security risk(s) detected including EICAR-Test-File on ECS Cluster GeneratedFindingECSClusterName.\"}", "event": { "action": "Execution", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 8, "type": [ "indicator" - ], - "severity": 8 + ] }, "@timestamp": "2023-03-20T15:33:12.414000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws" - }, "agent": { "version": "2.0" }, - "threat": { - "indicator": { - "description": 
"2 security risk(s) detected including EICAR-Test-File on ECS Cluster GeneratedFindingECSClusterName." - }, - "group": { - "name": "MaliciousFile" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1", - "type": "file", - "file": { - "name": "eicar.com", - "path": "tmp/eicar.com", - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f" - } - } - } - }, - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1", - "type": "file", - "file": { - "name": "eicar-2.txt", - "path": "tmp/eicar-2.txt", - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x" - } - } - } - } - ] - }, "aws": { "guardduty": { "finding": { - "id": "cfa85e08f16d4f0bad271c90a1fae771", - "type": "Execution:ECS/MaliciousFile", - "region": "eu-west-2", - "resource": { - "type": "ECSCluster" - }, "ecs": { "arn": "arn:aws:ecs:region:123456789000:cluster/clusterName", "name": "GeneratedFindingECSClusterName", "status": "ACTIVE", "taskDetails": { "arn": "arn:aws:ecs:region:123456789000:task/mycluster/043de9ab3", - "definitionArn": "arn:aws:ecs:region:123456789000:task-definition/mycluster/76f1f1asdf", - "version": "1", - "createdAt": 1639005830.0, - "startedAt": 1639005830.0, - "startedBy": "GeneratedFindingECSTaskStartedBy", "containers": [ { - "name": "GeneratedFindingContainerName", - "image": "GeneratedFindingContainerImage" + "image": "GeneratedFindingContainerImage", + "name": "GeneratedFindingContainerName" } - ] + ], + "createdAt": 1639005830.0, + "definitionArn": "arn:aws:ecs:region:123456789000:task-definition/mycluster/76f1f1asdf", + "startedAt": 1639005830.0, + "startedBy": "GeneratedFindingECSTaskStartedBy", + "version": "1" } }, + "id": "cfa85e08f16d4f0bad271c90a1fae771", + "region": "eu-west-2", + "resource": { + "type": "ECSCluster" + }, + "type": 
"Execution:ECS/MaliciousFile", "volume": { "details": [ { - "volumeArn": "arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d", - "volumeType": "GeneratedScannedVolumeType", "deviceName": "GeneratedScannedDeviceName", - "volumeSizeInGB": 8, "encryptionType": "UNENCRYPTED", + "kmsKeyArn": null, "snapshotArn": "arn:aws:ec2:us-east-2:123456789000:snapshot/snap-12345678901234567", - "kmsKeyArn": null + "volumeArn": "arn:aws:ec2:us-west-2:123456789000:volume/vol-09d5050dea915943d", + "volumeSizeInGB": 8, + "volumeType": "GeneratedScannedVolumeType" } ] } }, "threats": { "threat": { + "itemCount": 2, "name": "EICAR-Test-File", - "severity": "HIGH", - "itemCount": 2 + "severity": "HIGH" + } + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "eu-west-2" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc345ec2fe2a2c4538aabf651fd0f" + }, + "name": "eicar.com", + "path": "tmp/eicar.com" + }, + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1", + "type": "file" + } + }, + { + "indicator": { + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d2363fc345ec2fe2a2c4538aabf651ad0x" + }, + "name": "eicar-2.txt", + "path": "tmp/eicar-2.txt" + }, + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1", + "type": "file" } } + ], + "group": { + "name": "MaliciousFile" + }, + "indicator": { + "description": "2 security risk(s) detected including EICAR-Test-File on ECS Cluster GeneratedFindingECSClusterName." } } } 
@@ -505,60 +505,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"df2295bd4966407b84223c9a4ae09eab\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/df2295bd4966407b84223c9a4ae09eab\",\"type\":\"Policy:Kubernetes/AdminAccessToDefaultServiceAccount\",\"resource\":{\"resourceType\":\"EKSCluster\",\"eksClusterDetails\":{\"name\":\"GeneratedFindingEKSClusterName\",\"arn\":\"GeneratedFindingEKSClusterArn\",\"createdAt\":1.636625755218E9,\"vpcId\":\"GeneratedFindingEKSClusterVpcId\",\"status\":\"ACTIVE\",\"tags\":[{\"key\":\"GeneratedFindingEKSClusterTag1\",\"value\":\"GeneratedFindingEKSClusterTagValue1\"},{\"key\":\"GeneratedFindingEKSClusterTag2\",\"value\":\"GeneratedFindingEKSClusterTagValue2\"},{\"key\":\"GeneratedFindingEKSClusterTag3\",\"value\":\"GeneratedFindingEKSClusterTagValue3\"}]},\"kubernetesDetails\":{\"kubernetesWorkloadDetails\":null,\"kubernetesUserDetails\":{\"username\":\"GeneratedFindingUserName\",\"uid\":\"GeneratedFindingUID\",\"groups\":[\"GeneratedFindingUserGroup\"]}},\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"Role\",\"userName\":\"GeneratedFindingUserName\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"KUBERNETES_API_CALL\",\"kubernetesApiCallAction\":{\"requestUri\":\"GeneratedFindingRequestURI\",\"verb\":\"create\",\"sourceIPs\":[\"10.0.0.23\"],\"userAgent\":\"\",\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"0\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"}
,\"geoLocation\":{\"lat\":0,\"lon\":0}},\"parameters\":\"GeneratedFindingActionParameters\",\"statusCode\":201}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"sample\":true,\"value\":\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":null,\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.399Z\",\"updatedAt\":\"2023-03-20T15:33:12.399Z\",\"title\":\"The default service account was granted admin privileges.\",\"description\":\"The default service account in EKS Cluster GeneratedFindingEKSClusterName was granted admin privileges. This may result in pods unintentionally launched with admin privileges. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised.\"}", "event": { "action": "Policy", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 8, "type": [ "indicator" - ], - "severity": 8 + ] }, "@timestamp": "2023-03-20T15:33:12.399000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws" - }, "agent": { "version": "2.0" }, - "user": { - "name": "GeneratedFindingUserName", - "group": { - "name": [ - "GeneratedFindingUserGroup" - ] - } - }, - "threat": { - "indicator": { - "description": "The default service account in EKS Cluster GeneratedFindingEKSClusterName was granted admin privileges. This may result in pods unintentionally launched with admin privileges. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised." 
- }, - "group": { - "name": "AdminAccessToDefaultServiceAccount" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { "finding": { - "id": "df2295bd4966407b84223c9a4ae09eab", - "type": "Policy:Kubernetes/AdminAccessToDefaultServiceAccount", - "region": "eu-west-2", - "principal": { - "id": "GeneratedFindingPrincipalId" - }, "accesskey": { "accessKeyId": "GeneratedFindingAccessKeyId", "principalId": "GeneratedFindingPrincipalId", @@ -566,33 +528,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "eks": { "details": { - "name": "GeneratedFindingEKSClusterName", "arn": "GeneratedFindingEKSClusterArn", "createdAt": 1636625755.218, - "vpcId": "GeneratedFindingEKSClusterVpcId", - "status": "ACTIVE" + "name": "GeneratedFindingEKSClusterName", + "status": "ACTIVE", + "vpcId": "GeneratedFindingEKSClusterVpcId" }, "user_uid": "GeneratedFindingUID" }, + "id": "df2295bd4966407b84223c9a4ae09eab", + "principal": { + "id": "GeneratedFindingPrincipalId" + }, + "region": "eu-west-2", "service": { "action": { "type": "KUBERNETES_API_CALL" } - } + }, + "type": "Policy:Kubernetes/AdminAccessToDefaultServiceAccount" } } }, - "source": { - "geo": { - "country_name": "GeneratedFindingCountryName", - "location": { - "lat": 0, - "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + "cloud": { + "account": { + "id": "111111111111" }, - "ip": "198.51.100.0", - "address": "198.51.100.0" + "provider": "aws", + "region": "eu-west-2" }, "related": { "ip": [ 
@@ -601,58 +564,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "GeneratedFindingUserName" ] - } - } - - ``` - - -=== "event_instance_network.json" - - ```json - - { - "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"00f996e6c7804e4c8b4b61e60f5fc423\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/00f996e6c7804e4c8b4b61e60f5fc423\",\"type\":\"UnauthorizedAccess:EC2/TorRelay\",\"resource\":{\"resourceType\":\"Instance\",\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstanceTag1\",\"value\":\"GeneratedFindingInstanceValue1\"},{\"key\":\"GeneratedFindingInstanceTag2\",\"value\":\"GeneratedFindingInstanceTagValue2\"},{\"key\":\"GeneratedFindingInstanceTag3\",\"value\":\"GeneratedFindingInstanceTagValue3\"},{\"key\":\"GeneratedFindingInstanceTag4\",\"value\":\"Genera
tedFindingInstanceTagValue4\"},{\"key\":\"GeneratedFindingInstanceTag5\",\"value\":\"GeneratedFindingInstanceTagValue5\"},{\"key\":\"GeneratedFindingInstanceTag6\",\"value\":\"GeneratedFindingInstanceTagValue6\"},{\"key\":\"GeneratedFindingInstanceTag7\",\"value\":\"GeneratedFindingInstanceTagValue7\"},{\"key\":\"GeneratedFindingInstanceTag8\",\"value\":\"GeneratedFindingInstanceTagValue8\"},{\"key\":\"GeneratedFindingInstanceTag9\",\"value\":\"GeneratedFindingInstanceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstanceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstanceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"NETWORK_CONNECTION\",\"networkConnectionAction\":{\"connectionDirection\":\"OUTBOUND\",\"localIpDetails\":{\"ipAddressV4\":\"10.0.0.23\"},\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"remotePortDetails\":{\"port\":80,\"portName\":\"HTTP\"},\"localPortDetails\":{\"port\":39677,\"portName\":\"Unknown\"},\"protocol\":\"TCP\",\"blocked\":false}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"sample\":true,\"value\":\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.408Z\",\"updatedAt\":\"2023-03-20T15:33:12.408Z\",\"title\":\"EC2 instance i-99999999 is 
communicating with a Tor Exit node.\",\"description\":\"EC2 instance i-99999999 is communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network.\"}", - "event": { - "action": "UnauthorizedAccess", - "kind": "alert", - "category": [ - "threat" - ], - "type": [ - "indicator" - ], - "severity": 8 }, - "@timestamp": "2023-03-20T15:33:12.408000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" + "source": { + "address": "198.51.100.0", + "geo": { + "city_name": "GeneratedFindingCityName", + "country_name": "GeneratedFindingCountryName", + "location": { + "lat": 0, + "lon": 0 + } }, - "machine": { - "type": "m3.xlarge" - } - }, - "agent": { - "version": "2.0" - }, - "destination": { - "ip": "10.0.0.23", - "port": 39677, - "address": "10.0.0.23" + "ip": "198.51.100.0" }, "threat": { - "indicator": { - "description": "EC2 instance i-99999999 is communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network." - }, - "group": { - "name": "TorRelay" - }, "enrichments": [ { "indicator": { 
@@ -661,52 +586,127 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sightings": "1" } } + ], + "group": { + "name": "AdminAccessToDefaultServiceAccount" + }, + "indicator": { + "description": "The default service account in EKS Cluster GeneratedFindingEKSClusterName was granted admin privileges. This may result in pods unintentionally launched with admin privileges. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised." + } + }, + "user": { + "group": { + "name": [ + "GeneratedFindingUserGroup" + ] + }, + "name": "GeneratedFindingUserName" + } + } + + ``` + + +=== "event_instance_network.json" + + ```json + + { + "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"00f996e6c7804e4c8b4b61e60f5fc423\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/00f996e6c7804e4c8b4b61e60f5fc423\",\"type\":\"UnauthorizedAccess:EC2/TorRelay\",\"resource\":{\"resourceType\":\"Instance\",\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"Ge
neratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstanceTag1\",\"value\":\"GeneratedFindingInstanceValue1\"},{\"key\":\"GeneratedFindingInstanceTag2\",\"value\":\"GeneratedFindingInstanceTagValue2\"},{\"key\":\"GeneratedFindingInstanceTag3\",\"value\":\"GeneratedFindingInstanceTagValue3\"},{\"key\":\"GeneratedFindingInstanceTag4\",\"value\":\"GeneratedFindingInstanceTagValue4\"},{\"key\":\"GeneratedFindingInstanceTag5\",\"value\":\"GeneratedFindingInstanceTagValue5\"},{\"key\":\"GeneratedFindingInstanceTag6\",\"value\":\"GeneratedFindingInstanceTagValue6\"},{\"key\":\"GeneratedFindingInstanceTag7\",\"value\":\"GeneratedFindingInstanceTagValue7\"},{\"key\":\"GeneratedFindingInstanceTag8\",\"value\":\"GeneratedFindingInstanceTagValue8\"},{\"key\":\"GeneratedFindingInstanceTag9\",\"value\":\"GeneratedFindingInstanceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstanceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstanceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"NETWORK_CONNECTION\",\"networkConnectionAction\":{\"connectionDirection\":\"OUTBOUND\",\"localIpDetails\":{\"ipAddressV4\":\"10.0.0.23\"},\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"remotePortDetails\":{\"port\":80,\"portName\":\"HTTP\"},\"localPortDetails\":{\"port\":39677,\"portName\":\"Unknown\"},\"protocol\":\"TCP\",\"blocked\":false}},\"resourceRole\":\"TARGET\",\"additionalInfo\
":{\"sample\":true,\"value\":\"{\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.408Z\",\"updatedAt\":\"2023-03-20T15:33:12.408Z\",\"title\":\"EC2 instance i-99999999 is communicating with a Tor Exit node.\",\"description\":\"EC2 instance i-99999999 is communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network.\"}", + "event": { + "action": "UnauthorizedAccess", + "category": [ + "threat" + ], + "kind": "alert", + "severity": 8, + "type": [ + "indicator" ] }, + "@timestamp": "2023-03-20T15:33:12.408000Z", + "agent": { + "version": "2.0" + }, "aws": { "guardduty": { - "threats": { - "evidence": [ - "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" - ] - }, "finding": { "id": "00f996e6c7804e4c8b4b61e60f5fc423", - "type": "UnauthorizedAccess:EC2/TorRelay", "region": "eu-west-2", "service": { "action": { - "type": "NETWORK_CONNECTION", "target": { "blocked": "false" - } + }, + "type": "NETWORK_CONNECTION" } - } + }, + "type": "UnauthorizedAccess:EC2/TorRelay" + }, + "threats": { + "evidence": [ + "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" + ] } } }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "i-99999999" + }, + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" + }, + "destination": { + "address": "10.0.0.23", + "ip": "10.0.0.23", + "port": 39677 + }, "network": { "direction": "outbound", "transport": "tcp" }, + "related": { + "ip": [ + "10.0.0.23", + "198.51.100.0" + ] + }, "source": { + "address": "198.51.100.0", "geo": { + 
"city_name": "GeneratedFindingCityName", "country_name": "GeneratedFindingCountryName", "location": { "lat": 0, "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + } }, - "port": 80, "ip": "198.51.100.0", - "address": "198.51.100.0" + "port": 80 }, - "related": { - "ip": [ - "10.0.0.23", - "198.51.100.0" - ] + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" + } + } + ], + "group": { + "name": "TorRelay" + }, + "indicator": { + "description": "EC2 instance i-99999999 is communicating with IP address 198.51.100.0 on the Tor Anonymizing Proxy network." + } } } 
@@ -721,127 +721,127 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"ae7f69675d8744f78ab7ab2aab229d30\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/ae7f69675d8744f78ab7ab2aab229d30\",\"type\":\"Recon:EC2/PortProbeUnprotectedPort\",\"resource\":{\"resourceType\":\"Instance\",\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstanceTag1\",\"value\":\"GeneratedFindingInstanceValue1\"},{\"key\":\"GeneratedFindingInstanceTag2\",\"value\":\"GeneratedFindingInstanceTagValue2\"},{\"key\":\"GeneratedFindingInstanceTag3\",\"value\":\"GeneratedFindingInstanceTagValue3\"},{\"key\":\"GeneratedFindingInstanceTag4\",\"value\":\"GeneratedFindingInstanceTagValue4\"},{\"key\":\"GeneratedFindingInstanceTag5\",\"value\":\"GeneratedFindingInstance
TagValue5\"},{\"key\":\"GeneratedFindingInstanceTag6\",\"value\":\"GeneratedFindingInstanceTagValue6\"},{\"key\":\"GeneratedFindingInstanceTag7\",\"value\":\"GeneratedFindingInstanceTagValue7\"},{\"key\":\"GeneratedFindingInstanceTag8\",\"value\":\"GeneratedFindingInstanceTagValue8\"},{\"key\":\"GeneratedFindingInstanceTag9\",\"value\":\"GeneratedFindingInstanceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstanceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstanceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"PORT_PROBE\",\"portProbeAction\":{\"portProbeDetails\":[{\"localPortDetails\":{\"port\":80,\"portName\":\"HTTP\"},\"localIpDetails\":{\"ipAddressV4\":\"10.0.0.23\"},\"remoteIpDetails\":{\"country\":{\"countryName\":\"GeneratedFindingCountryName1\"},\"city\":{\"cityName\":\"GeneratedFindingCityName1\"},\"geoLocation\":{\"lon\":0,\"lat\":0},\"organization\":{\"asnOrg\":\"GeneratedFindingASNOrg1\",\"org\":\"GeneratedFindingORG1\",\"isp\":\"GeneratedFindingISP1\",\"asn\":\"9808\"},\"ipAddressV4\":\"198.51.100.0\"}},{\"localPortDetails\":{\"port\":443,\"portName\":\"HTTPS\"},\"localIpDetails\":{\"ipAddressV4\":\"10.0.0.23\"},\"remoteIpDetails\":{\"country\":{\"countryName\":\"GeneratedFindingCountryName2\"},\"city\":{\"cityName\":\"GeneratedFindingCityName2\"},\"geoLocation\":{\"lon\":0,\"lat\":0},\"organization\":{\"asnOrg\":\"GeneratedFindingASNOrg2\",\"org\":\"GeneratedFindingORG2\",\"isp\":\"GeneratedFindingISP2\",\"asn\":\"29073\"},\"ipAddressV4\":\"198.51.100.1\"}}],\"blocked\":false}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"threatName\":\"GeneratedFindingThreatName\",\"threatListName\":\"GeneratedFindingThreatListName\",\"sample\":true,\"value\":\"{\\\"threatName\\\":\\\"GeneratedFindingThreatName\\\",\\\"threatListName\\\":\\\"GeneratedFindingThreatListName\\\",\\\"sa
mple\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":2,\"createdAt\":\"2023-03-20T15:33:12.424Z\",\"updatedAt\":\"2023-03-20T15:33:12.424Z\",\"title\":\"Unprotected port on EC2 instance i-99999999 is being probed.\",\"description\":\"EC2 instance has an unprotected port which is being probed by a known malicious host.\"}", "event": { "action": "Recon", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 2, "type": [ "indicator" - ], - "severity": 2 + ] }, "@timestamp": "2023-03-20T15:33:12.424000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" - }, - "machine": { - "type": "m3.xlarge" - } - }, "agent": { "version": "2.0" }, - "threat": { - "indicator": { - "description": "EC2 instance has an unprotected port which is being probed by a known malicious host." 
- }, - "group": { - "name": "PortProbeUnprotectedPort" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { - "threats": { - "evidence": [ - "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" - ] - }, "finding": { "id": "ae7f69675d8744f78ab7ab2aab229d30", - "type": "Recon:EC2/PortProbeUnprotectedPort", "region": "eu-west-2", "service": { "action": { - "type": "PORT_PROBE", "port_probe_details": [ { + "localIpDetails": { + "ipAddressV4": "10.0.0.23" + }, "localPortDetails": { "port": 80, "portName": "HTTP" }, - "localIpDetails": { - "ipAddressV4": "10.0.0.23" - }, "remoteIpDetails": { - "country": { - "countryName": "GeneratedFindingCountryName1" - }, "city": { "cityName": "GeneratedFindingCityName1" }, + "country": { + "countryName": "GeneratedFindingCountryName1" + }, "geoLocation": { - "lon": 0, - "lat": 0 + "lat": 0, + "lon": 0 }, + "ipAddressV4": "198.51.100.0", "organization": { + "asn": "9808", "asnOrg": "GeneratedFindingASNOrg1", - "org": "GeneratedFindingORG1", "isp": "GeneratedFindingISP1", - "asn": "9808" - }, - "ipAddressV4": "198.51.100.0" + "org": "GeneratedFindingORG1" + } } }, { + "localIpDetails": { + "ipAddressV4": "10.0.0.23" + }, "localPortDetails": { "port": 443, "portName": "HTTPS" }, - "localIpDetails": { - "ipAddressV4": "10.0.0.23" - }, "remoteIpDetails": { - "country": { - "countryName": "GeneratedFindingCountryName2" - }, "city": { "cityName": "GeneratedFindingCityName2" }, + "country": { + "countryName": "GeneratedFindingCountryName2" + }, "geoLocation": { - "lon": 0, - "lat": 0 + "lat": 0, + "lon": 0 }, + "ipAddressV4": "198.51.100.1", "organization": { + "asn": "29073", "asnOrg": "GeneratedFindingASNOrg2", - "org": "GeneratedFindingORG2", "isp": "GeneratedFindingISP2", - "asn": "29073" - }, - "ipAddressV4": "198.51.100.1" + "org": 
"GeneratedFindingORG2" + } } } ], "target": { "blocked": "false" - } + }, + "type": "PORT_PROBE" } + }, + "type": "Recon:EC2/PortProbeUnprotectedPort" + }, + "threats": { + "evidence": [ + "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" + ] + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "i-99999999" + }, + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" } } + ], + "group": { + "name": "PortProbeUnprotectedPort" + }, + "indicator": { + "description": "EC2 instance has an unprotected port which is being probed by a known malicious host." } } } 
@@ -857,97 +857,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"16dd674a4cb5437c9a66d14f11839b02\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/16dd674a4cb5437c9a66d14f11839b02\",\"type\":\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\",\"resource\":{\"resourceType\":\"AccessKey\",\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"IAMUser\",\"userName\":\"GeneratedFindingUserName\"},\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeType\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstaceTag1\",\"value\":\"GeneratedFindingInstaceValue1\"},{\"key\":\"GeneratedFindingInstaceTag2\",\"value\":\"GeneratedFindingInstaceTagValue2\"},{\"key\":\"GeneratedFindingInstaceTag3\",\"value\":\"GeneratedFinding
InstaceTagValue3\"},{\"key\":\"GeneratedFindingInstaceTag4\",\"value\":\"GeneratedFindingInstaceTagValue4\"},{\"key\":\"GeneratedFindingInstaceTag5\",\"value\":\"GeneratedFindingInstaceTagValue5\"},{\"key\":\"GeneratedFindingInstaceTag6\",\"value\":\"GeneratedFindingInstaceTagValue6\"},{\"key\":\"GeneratedFindingInstaceTag7\",\"value\":\"GeneratedFindingInstaceTagValue7\"},{\"key\":\"GeneratedFindingInstaceTag8\",\"value\":\"GeneratedFindingInstaceTagValue8\"},{\"key\":\"GeneratedFindingInstaceTag9\",\"value\":\"GeneratedFindingInstaceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstaceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstaceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"AWS_API_CALL\",\"awsApiCallAction\":{\"api\":\"GeneratedFindingAPIName\",\"serviceName\":\"GeneratedFindingAPIServiceName\",\"callerType\":\"Remote 
IP\",\"errorCode\":\"AccessDenied\",\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"affectedResources\":{}}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"apiCalls\":[{\"name\":\"GeneratedFindingAPIName1\",\"count\":18,\"firstSeen\":1512692639,\"lastSeen\":1512692839},{\"name\":\"GeneratedFindingAPIName1\",\"count\":8,\"firstSeen\":1512692639,\"lastSeen\":1512692837},{\"name\":\"GeneratedFindingAPIName1\",\"count\":2,\"firstSeen\":1512692637,\"lastSeen\":1512692637}],\"sample\":true,\"value\":\"{\\\"apiCalls\\\":[{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":18,\\\"firstSeen\\\":1512692639,\\\"lastSeen\\\":1512692839},{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":8,\\\"firstSeen\\\":1512692639,\\\"lastSeen\\\":1512692837},{\\\"name\\\":\\\"GeneratedFindingAPIName1\\\",\\\"count\\\":2,\\\"firstSeen\\\":1512692637,\\\"lastSeen\\\":1512692637}],\\\"sample\\\":true}\",\"type\":\"default\"},\"evidence\":{\"threatIntelligenceDetails\":[{\"threatListName\":\"GeneratedFindingThreatListName\",\"threatNames\":[\"GeneratedFindingThreatName\"]}]},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":5,\"createdAt\":\"2023-03-20T15:33:12.406Z\",\"updatedAt\":\"2023-03-20T15:33:12.406Z\",\"title\":\"API GeneratedFindingAPIName was invoked from a known malicious IP address.\",\"description\":\"API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0.\"}", "event": { "action": "UnauthorizedAccess", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 5, "type": [ "indicator" - ], - "severity": 5 + ] }, "@timestamp": 
"2023-03-20T15:33:12.406000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" - }, - "machine": { - "type": "m3.xlarge" - } - }, "agent": { "version": "2.0" }, - "user": { - "name": "GeneratedFindingUserName" - }, - "threat": { - "indicator": { - "description": "API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0." - }, - "group": { - "name": "MaliciousIPCaller" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { - "threats": { - "evidence": [ - "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" - ] - }, "finding": { - "id": "16dd674a4cb5437c9a66d14f11839b02", - "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", - "region": "eu-west-2", - "principal": { - "id": "GeneratedFindingPrincipalId" - }, "accesskey": { "accessKeyId": "GeneratedFindingAccessKeyId", "principalId": "GeneratedFindingPrincipalId", "userType": "IAMUser" }, + "id": "16dd674a4cb5437c9a66d14f11839b02", + "principal": { + "id": "GeneratedFindingPrincipalId" + }, + "region": "eu-west-2", "service": { "action": { "type": "AWS_API_CALL" } - } + }, + "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller" + }, + "threats": { + "evidence": [ + "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" + ] } } }, - "source": { - "geo": { - "country_name": "GeneratedFindingCountryName", - "location": { - "lat": 0, - "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + "cloud": { + "account": { + "id": "111111111111" }, - "ip": "198.51.100.0", - "address": "198.51.100.0" + "instance": { + "id": "i-99999999" + }, + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" }, "error": { "code": "AccessDenied" 
}, - "service": { - "name": "GeneratedFindingAPIServiceName" - }, "related": { "ip": [ "198.51.100.0" @@ -955,6 +920,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "GeneratedFindingUserName" ] + }, + "service": { + "name": "GeneratedFindingAPIServiceName" + }, + "source": { + "address": "198.51.100.0", + "geo": { + "city_name": "GeneratedFindingCityName", + "country_name": "GeneratedFindingCountryName", + "location": { + "lat": 0, + "lon": 0 + } + }, + "ip": "198.51.100.0" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" + } + } + ], + "group": { + "name": "MaliciousIPCaller" + }, + "indicator": { + "description": "API GeneratedFindingAPIName was invoked from a malicious IP address 198.51.100.0." + } + }, + "user": { + "name": "GeneratedFindingUserName" } } 
@@ -969,105 +969,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"schemaVersion\":\"2.0\",\"accountId\":\"111111111111\",\"region\":\"eu-west-2\",\"partition\":\"aws\",\"id\":\"3941673a580340dcb61648a3e15def75\",\"arn\":\"arn:aws:guardduty:eu-west-2:111111111111:detector/4b85f358-65e7-49b6-b9ae-b3816303fb12/finding/3941673a580340dcb61648a3e15def75\",\"type\":\"Discovery:S3/MaliciousIPCaller.Custom\",\"resource\":{\"resourceType\":\"S3Bucket\",\"accessKeyDetails\":{\"accessKeyId\":\"GeneratedFindingAccessKeyId\",\"principalId\":\"GeneratedFindingPrincipalId\",\"userType\":\"IAMUser\",\"userName\":\"GeneratedFindingUserName\"},\"s3BucketDetails\":[{\"arn\":\"arn:aws:s3:::bucketName\",\"name\":\"bucketName\",\"type\":\"Destination\",\"createdAt\":1.513612691551E9,\"owner\":{\"id\":\"CanonicalId of Owner\"},\"tags\":[{\"key\":\"foo\",\"value\":\"bar\"}],\"defaultServerSideEncryption\":{\"encryptionType\":\"SSEAlgorithm\",\"kmsMasterKeyArn\":\"arn:aws:kms:region:123456789012:key/key-id\"},\"publicAccess\":{\"permissionConfiguration\":{\"bucketLevelPermissions\":{\"accessControlList\":{\"allowsPublicReadAccess\":false,\"allowsPublicWriteAccess\":false},\"bucketPolicy\":{\"allowsPublicReadAccess\":false,\"allowsPublicWriteAccess\":false},\"blockPublicAccess\":{\"ignorePublicAcls\":false,\"restrictPublicBuckets\":false,\"blockPublicAcls\":false,\"blockPublicPolicy\":false}},\"accountLevelPermissions\":{\"blockPublicAccess\":{\"ignorePublicAcls\":false,\"restrictPublicBuckets\":false,\"blockPublicAcls\":false,\"blockPublicPolicy\":false}}},\"effectivePermission\":\"NOT_PUBLIC\"}}],\"instanceDetails\":{\"instanceId\":\"i-99999999\",\"instanceType\":\"m3.xlarge\",\"outpostArn\":\"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3\",\"launchTime\":\"2016-08-02T02:05:06.000Z\",\"platform\":null,\"productCodes\":[{\"productCodeId\":\"GeneratedFindingProductCodeId\",\"productCodeType\":\"GeneratedFindingProductCodeTy
pe\"}],\"iamInstanceProfile\":{\"arn\":\"arn:aws:iam::111111111111:example/instance/profile\",\"id\":\"GeneratedFindingInstanceProfileId\"},\"networkInterfaces\":[{\"ipv6Addresses\":[],\"networkInterfaceId\":\"eni-bfcffe88\",\"privateDnsName\":\"GeneratedFindingPrivateDnsName\",\"privateIpAddress\":\"10.0.0.1\",\"privateIpAddresses\":[{\"privateDnsName\":\"GeneratedFindingPrivateName\",\"privateIpAddress\":\"10.0.0.1\"}],\"subnetId\":\"GeneratedFindingSubnetId\",\"vpcId\":\"GeneratedFindingVPCId\",\"securityGroups\":[{\"groupName\":\"GeneratedFindingSecurityGroupName\",\"groupId\":\"GeneratedFindingSecurityId\"}],\"publicDnsName\":\"GeneratedFindingPublicDNSName\",\"publicIp\":\"198.51.100.0\"}],\"tags\":[{\"key\":\"GeneratedFindingInstaceTag1\",\"value\":\"GeneratedFindingInstaceValue1\"},{\"key\":\"GeneratedFindingInstaceTag2\",\"value\":\"GeneratedFindingInstaceTagValue2\"},{\"key\":\"GeneratedFindingInstaceTag3\",\"value\":\"GeneratedFindingInstaceTagValue3\"},{\"key\":\"GeneratedFindingInstaceTag4\",\"value\":\"GeneratedFindingInstaceTagValue4\"},{\"key\":\"GeneratedFindingInstaceTag5\",\"value\":\"GeneratedFindingInstaceTagValue5\"},{\"key\":\"GeneratedFindingInstaceTag6\",\"value\":\"GeneratedFindingInstaceTagValue6\"},{\"key\":\"GeneratedFindingInstaceTag7\",\"value\":\"GeneratedFindingInstaceTagValue7\"},{\"key\":\"GeneratedFindingInstaceTag8\",\"value\":\"GeneratedFindingInstaceTagValue8\"},{\"key\":\"GeneratedFindingInstaceTag9\",\"value\":\"GeneratedFindingInstaceTagValue9\"}],\"instanceState\":\"running\",\"availabilityZone\":\"GeneratedFindingInstaceAvailabilityZone\",\"imageId\":\"ami-99999999\",\"imageDescription\":\"GeneratedFindingInstaceImageDescription\"}},\"service\":{\"serviceName\":\"guardduty\",\"detectorId\":\"4b85f358-65e7-49b6-b9ae-b3816303fb12\",\"action\":{\"actionType\":\"AWS_API_CALL\",\"awsApiCallAction\":{\"api\":\"GeneratedFindingAPIName\",\"serviceName\":\"GeneratedFindingAPIServiceName\",\"callerType\":\"Remote 
IP\",\"errorCode\":\"AccessDenied\",\"remoteIpDetails\":{\"ipAddressV4\":\"198.51.100.0\",\"organization\":{\"asn\":\"-1\",\"asnOrg\":\"GeneratedFindingASNOrg\",\"isp\":\"GeneratedFindingISP\",\"org\":\"GeneratedFindingORG\"},\"country\":{\"countryName\":\"GeneratedFindingCountryName\"},\"city\":{\"cityName\":\"GeneratedFindingCityName\"},\"geoLocation\":{\"lat\":0,\"lon\":0}},\"affectedResources\":{\"AWS::S3::Bucket\":\"GeneratedFindingS3Bucket\"}}},\"resourceRole\":\"TARGET\",\"additionalInfo\":{\"unusual\":{\"hoursOfDay\":[1513609200000],\"userNames\":[\"GeneratedFindingUserName\"]},\"sample\":true,\"value\":\"{\\\"unusual\\\":{\\\"hoursOfDay\\\":[1513609200000],\\\"userNames\\\":[\\\"GeneratedFindingUserName\\\"]},\\\"sample\\\":true}\",\"type\":\"default\"},\"eventFirstSeen\":\"2023-03-20T15:33:12.000Z\",\"eventLastSeen\":\"2023-03-20T15:33:12.000Z\",\"archived\":false,\"count\":1},\"severity\":8,\"createdAt\":\"2023-03-20T15:33:12.393Z\",\"updatedAt\":\"2023-03-20T15:33:12.393Z\",\"title\":\"Resource discovery API GeneratedFindingAPIName was invoked from an IP address on a custom threat list.\",\"description\":\"An API commonly used in resource discovery was used to access a bucket from an IP address on a custom threat list. 
Unauthorized actors perform such activity to gather information about your Amazon S3 buckets and objects in order to further tailor the attack.\"}", "event": { "action": "Discovery", - "kind": "alert", "category": [ "threat" ], + "kind": "alert", + "severity": 8, "type": [ "indicator" - ], - "severity": 8 + ] }, "@timestamp": "2023-03-20T15:33:12.393000Z", - "cloud": { - "account": { - "id": "111111111111" - }, - "region": "eu-west-2", - "provider": "aws", - "instance": { - "id": "i-99999999" - }, - "machine": { - "type": "m3.xlarge" - } - }, "agent": { "version": "2.0" }, - "user": { - "name": "GeneratedFindingUserName" - }, - "threat": { - "indicator": { - "description": "An API commonly used in resource discovery was used to access a bucket from an IP address on a custom threat list. Unauthorized actors perform such activity to gather information about your Amazon S3 buckets and objects in order to further tailor the attack." - }, - "group": { - "name": "MaliciousIPCaller" - }, - "enrichments": [ - { - "indicator": { - "first_seen": "2023-03-20T15:33:12.000Z", - "last_seen": "2023-03-20T15:33:12.000Z", - "sightings": "1" - } - } - ] - }, "aws": { "guardduty": { "finding": { - "id": "3941673a580340dcb61648a3e15def75", - "type": "Discovery:S3/MaliciousIPCaller.Custom", - "region": "eu-west-2", - "principal": { - "id": "GeneratedFindingPrincipalId" - }, "accesskey": { "accessKeyId": "GeneratedFindingAccessKeyId", "principalId": "GeneratedFindingPrincipalId", "userType": "IAMUser" }, + "id": "3941673a580340dcb61648a3e15def75", + "principal": { + "id": "GeneratedFindingPrincipalId" + }, + "region": "eu-west-2", "s3bucket": { "arn": "arn:aws:s3:::bucketName", - "name": "bucketName", - "type": "Destination", "createdAt": 1513612691.551, - "owner": { - "id": "CanonicalId of Owner" - }, "defaultServerSideEncryption": { "encryptionType": "SSEAlgorithm", "kmsMasterKeyArn": "arn:aws:kms:region:123456789012:key/key-id" - } + }, + "name": "bucketName", + "owner": { + "id": 
"CanonicalId of Owner" + }, + "type": "Destination" }, "service": { "action": { "type": "AWS_API_CALL" } - } + }, + "type": "Discovery:S3/MaliciousIPCaller.Custom" } } }, - "source": { - "geo": { - "country_name": "GeneratedFindingCountryName", - "location": { - "lat": 0, - "lon": 0 - }, - "city_name": "GeneratedFindingCityName" + "cloud": { + "account": { + "id": "111111111111" }, - "ip": "198.51.100.0", - "address": "198.51.100.0" + "instance": { + "id": "i-99999999" + }, + "machine": { + "type": "m3.xlarge" + }, + "provider": "aws", + "region": "eu-west-2" }, "error": { "code": "AccessDenied" }, - "service": { - "name": "GeneratedFindingAPIServiceName" - }, "related": { "ip": [ "198.51.100.0" @@ -1075,6 +1040,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "GeneratedFindingUserName" ] + }, + "service": { + "name": "GeneratedFindingAPIServiceName" + }, + "source": { + "address": "198.51.100.0", + "geo": { + "city_name": "GeneratedFindingCityName", + "country_name": "GeneratedFindingCountryName", + "location": { + "lat": 0, + "lon": 0 + } + }, + "ip": "198.51.100.0" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "first_seen": "2023-03-20T15:33:12.000Z", + "last_seen": "2023-03-20T15:33:12.000Z", + "sightings": "1" + } + } + ], + "group": { + "name": "MaliciousIPCaller" + }, + "indicator": { + "description": "An API commonly used in resource discovery was used to access a bucket from an IP address on a custom threat list. Unauthorized actors perform such activity to gather information about your Amazon S3 buckets and objects in order to further tailor the attack." + } + }, + "user": { + "name": "GeneratedFindingUserName" } } diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md index dec7bfe7c0..31ab92dff3 100644 
--- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md +++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md @@ -37,13 +37,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Application::Blocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Controlled application blocked: Google Software Reporter Tool (Security tool)\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"APPLICATION_CONTROL\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "Controlled application blocked: Google Software Reporter Tool (Security tool)", - "code": "Event::Endpoint::Application::Blocked", "category": [ "file" ], + "code": "Event::Endpoint::Application::Blocked", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "Controlled application blocked: Google Software Reporter Tool (Security tool)", "type": [ "denied" ] @@ -62,18 +62,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "title": "Google Software Reporter Tool (Security tool)" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "APPLICATION_CONTROL" - } - }, "related": { "hosts": [ "DOMAIN-1234" 
@@ -81,6 +69,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "computer" + }, + "event": { + "group": "APPLICATION_CONTROL" + } } } @@ -94,23 +94,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Enc::DiskNotEncryptedEvent\",\"name\":\"Device is not encrypted.\",\"id\":\"f7c7e65a-a452-429c-9e0a-cdc16c5b50e9\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:23:07.981Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:24:08.662Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"Elon Musk\"}", "event": { - "end": "2022-04-27T13:23:07.981000Z", - "kind": "event", - "reason": "Device is not encrypted.", - "code": "Event::Endpoint::Enc::DiskNotEncryptedEvent", "category": [ "file", "process" ], + "code": "Event::Endpoint::Enc::DiskNotEncryptedEvent", + "end": "2022-04-27T13:23:07.981000Z", + "kind": "event", + "reason": "Device is not encrypted.", "type": [ "info" ] }, "@timestamp": "2022-04-27T13:24:08.662000Z", - "user": { - "id": "574fcff42ead810f5e43b0fc", - "name": "Elon Musk" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" @@ -121,18 +117,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "DENC" - } - }, "related": { "hosts": [ "DESKTOP-1234" 
@@ -143,6 +127,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Elon Musk" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "DENC" + } + }, + "user": { + "id": "574fcff42ead810f5e43b0fc", + "name": "Elon Musk" } } 
@@ -156,19 +156,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", - "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", + "action": "allow file transfer", "category": [ "file" ], + "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "An \u2033allow file transfer\u2033 action was taken. 
Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", "type": [ "allowed" - ], - "action": "allow file transfer" + ] }, "@timestamp": "2022-04-25T03:15:31.777000Z", + "file": { + "directory": "C:\\Users\\XXXXXXXX\\Downloads", + "name": "YYYYYYYYYYYYYYYYY.mp4", + "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", + "size": 559316722 + }, "host": { "hostname": "DOMAIN-1234", "name": "DOMAIN-1234" @@ -179,34 +185,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "file": { - "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", - "size": 559316722, - "name": "YYYYYYYYYYYYYYYYY.mp4", - "directory": "C:\\Users\\XXXXXXXX\\Downloads" + "related": { + "hosts": [ + "DOMAIN-1234" + ], + "ip": [ + "1.2.3.4" + ] }, "rule": { "name": "Multimedia file" }, "sophos": { - "endpoint": { - "type": "computer", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, "customer": { "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "computer" + }, "event": { "group": "DATA_LOSS_PREVENTION" } - }, - "related": { - "hosts": [ - "DOMAIN-1234" - ], - "ip": [ - "1.2.3.4" - ] } } 
@@ -220,19 +220,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::DataLossPreventionAutomaticallyAllowed\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\\\Users\\\\XXXXXXXX\\\\Downloads\\\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\\\XXXXXXXXXXXXXXX\\\\Documents\\\\Videos\\\\YYYYY.mp4 Destination type: Removable storage\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"DATA_LOSS_PREVENTION\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage", - "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", + "action": "allow file transfer", "category": [ "file" ], + "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "An \u2033allow file transfer\u2033 action was taken. 
Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage", "type": [ "allowed" - ], - "action": "allow file transfer" + ] }, "@timestamp": "2022-04-25T03:15:31.777000Z", + "file": { + "directory": "C:\\Users\\XXXXXXXX\\Downloads", + "name": "YYYYYYYYYYYYYYYYY.mp4", + "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", + "size": 559316722 + }, "host": { "hostname": "DOMAIN-1234", "name": "DOMAIN-1234" @@ -243,40 +249,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "file": { - "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", - "size": 559316722, - "name": "YYYYYYYYYYYYYYYYY.mp4", - "directory": "C:\\Users\\XXXXXXXX\\Downloads" + "related": { + "hosts": [ + "DOMAIN-1234" + ], + "ip": [ + "1.2.3.4" + ] }, "rule": { "name": "Multimedia file" }, "sophos": { - "endpoint": { - "type": "computer", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, "customer": { "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" }, - "event": { - "group": "DATA_LOSS_PREVENTION" - }, "destination": { - "type": "Removable storage", "file": { "path": "D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4" - } + }, + "type": "Removable storage" + }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "computer" + }, + "event": { + "group": "DATA_LOSS_PREVENTION" } - }, - "related": { - "hosts": [ - "DOMAIN-1234" - ], - "ip": [ - "1.2.3.4" - ] } } 
@@ -290,24 +290,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::DiskEncryptionInformation\",\"name\":\"Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.\",\"id\":\"55726d81-213b-43b6-be18-48dee3add6f8\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"c0e1e239-8912-4cc9-a6ed-245a964dec10\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:48.808Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:48.809Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\user\"}", "event": { - "end": "2022-04-27T08:48:48.808000Z", - "kind": "event", - "reason": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.", - "code": "Event::Endpoint::Enc::DiskEncryptionInformation", "category": [ "file", "process" ], + "code": "Event::Endpoint::Enc::DiskEncryptionInformation", + "end": "2022-04-27T08:48:48.808000Z", + "kind": "event", + "reason": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.", "type": [ "info" ] }, "@timestamp": "2022-04-27T08:48:48.809000Z", - "user": { - "id": "62690353b62561118508746f", - "name": "user", - "domain": "TESLA" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" @@ -318,18 +313,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "c0e1e239-8912-4cc9-a6ed-245a964dec10" - }, - "event": { - "group": "DENC" - } - }, "related": { "hosts": [ "DESKTOP-1234" 
@@ -340,6 +323,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user" ] + }, + "sophos": { + "customer": { + "id": "c0e1e239-8912-4cc9-a6ed-245a964dec10" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "DENC" + } + }, + "user": { + "domain": "TESLA", + "id": "62690353b62561118508746f", + "name": "user" } } @@ -353,24 +353,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"medium\",\"type\":\"Event::Endpoint::Denc::EncryptionSuspendedEvent\",\"name\":\"Device Encryption is suspended\",\"id\":\"80130549-e09e-46d3-ab98-919fbd625884\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:47:16.490Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.320Z\",\"duid\":\"624aabf253f2e60fda590556\",\"suser\":\"TESLA\\\\admin\"}", "event": { - "end": "2022-04-27T08:47:16.490000Z", - "kind": "event", - "reason": "Device Encryption is suspended", - "code": "Event::Endpoint::Denc::EncryptionSuspendedEvent", "category": [ "file", "process" ], + "code": "Event::Endpoint::Denc::EncryptionSuspendedEvent", + "end": "2022-04-27T08:47:16.490000Z", + "kind": "event", + "reason": "Device Encryption is suspended", "type": [ "info" ] }, "@timestamp": "2022-04-27T08:48:19.320000Z", - "user": { - "id": "624aabf253f2e60fda590556", - "name": "admin", - "domain": "TESLA" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" 
@@ -381,18 +376,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "DENC" - } - }, "related": { "hosts": [ "DESKTOP-1234" @@ -403,6 +386,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "DENC" + } + }, + "user": { + "domain": "TESLA", + "id": "624aabf253f2e60fda590556", + "name": "admin" } } @@ -416,13 +416,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::HmpaExploitPrevented\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"'CodeCave' exploit prevented in Essential Objects Worker Process\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"RUNTIME_DETECTIONS\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "'CodeCave' exploit prevented in Essential Objects Worker Process", - "code": "Event::Endpoint::HmpaExploitPrevented", "category": [ "file" ], + "code": "Event::Endpoint::HmpaExploitPrevented", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "'CodeCave' exploit prevented in Essential Objects Worker Process", "type": [ "info" ] 
@@ -438,28 +438,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, + "related": { + "hosts": [ + "DOMAIN-1234" + ], + "ip": [ + "1.2.3.4" + ] + }, "sophos": { - "endpoint": { - "type": "computer", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, "customer": { "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "computer" + }, "event": { "group": "RUNTIME_DETECTIONS" }, "threat": { "name": "CodeCave" } - }, - "related": { - "hosts": [ - "DOMAIN-1234" - ], - "ip": [ - "1.2.3.4" - ] } } @@ -473,23 +473,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Enc::Recovery::KeyReceived\",\"name\":\"A BitLocker recovery key has been received from: DESKTOP-1234.\",\"id\":\"c8e0b5c9-69d0-4885-8964-5cefaa8ef13e\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:08.749Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.565Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}", "event": { - "end": "2022-04-27T13:22:08.749000Z", - "kind": "event", - "reason": "A BitLocker recovery key has been received from: DESKTOP-1234.", - "code": "Event::Endpoint::Enc::Recovery::KeyReceived", "category": [ "file", "process" ], + "code": "Event::Endpoint::Enc::Recovery::KeyReceived", + "end": "2022-04-27T13:22:08.749000Z", + "kind": "event", + "reason": "A BitLocker recovery key has been received from: DESKTOP-1234.", "type": [ "info" ] }, "@timestamp": "2022-04-27T13:22:13.565000Z", - "user": { - "id": "574fcff42ead810f5e43b0fc", - "name": "admin tech" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" 
@@ -500,18 +496,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "DENC" - } - }, "related": { "hosts": [ "DESKTOP-1234" @@ -522,6 +506,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin tech" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "DENC" + } + }, + "user": { + "id": "574fcff42ead810f5e43b0fc", + "name": "admin tech" } } 
@@ -535,23 +535,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Denc::OutlookPluginEnabledEvent\",\"name\":\"Outlook add-in is enabled\",\"id\":\"37d8c083-2342-4e88-9da6-4f47e3143c9d\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"DENC\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:22:06.909Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:22:13.226Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}", "event": { - "end": "2022-04-27T13:22:06.909000Z", - "kind": "event", - "reason": "Outlook add-in is enabled", - "code": "Event::Endpoint::Denc::OutlookPluginEnabledEvent", "category": [ "file", "process" ], + "code": "Event::Endpoint::Denc::OutlookPluginEnabledEvent", + "end": "2022-04-27T13:22:06.909000Z", + "kind": "event", + "reason": "Outlook add-in is enabled", "type": [ "info" ] }, "@timestamp": "2022-04-27T13:22:13.226000Z", - "user": { - "id": "574fcff42ead810f5e43b0fc", - "name": "admin tech" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" @@ -562,18 +558,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "DENC" - } - }, "related": { "hosts": [ "DESKTOP-1234" 
@@ -584,6 +568,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin tech" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "DENC" + } + }, + "user": { + "id": "574fcff42ead810f5e43b0fc", + "name": "admin tech" } } @@ -597,19 +597,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::CorePuaDetection\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"PUA detected: 'Rule Generic PUA' at 'C:\\\\Users\\\\XXXXXXXXXX\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempc'\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"PUA\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'", - "code": "Event::Endpoint::CorePuaDetection", + "action": "detected", "category": [ "file" ], + "code": "Event::Endpoint::CorePuaDetection", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'", "type": [ "info" - ], - "action": "detected" + ] }, "@timestamp": "2022-04-25T03:15:31.777000Z", + "file": { + "directory": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp", + "name": "tempc", + "path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc" + }, "host": { "hostname": "DOMAIN-1234", "name": "DOMAIN-1234" 
@@ -620,33 +625,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "file": { - "path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc", - "name": "tempc", - "directory": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp" + "related": { + "hosts": [ + "DOMAIN-1234" + ], + "ip": [ + "1.2.3.4" + ] }, "rule": { "name": "Rule Generic PUA" }, "sophos": { - "endpoint": { - "type": "computer", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, "customer": { "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "computer" + }, "event": { "group": "PUA" } - }, - "related": { - "hosts": [ - "DOMAIN-1234" - ], - "ip": [ - "1.2.3.4" - ] } } 
@@ -660,22 +660,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::Registered\",\"name\":\"New computer registered: DESKTOP-1234\",\"id\":\"b3c9c053-6037-469d-9bee-49d39f7932d0\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T13:17:10.188Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T13:17:10.197Z\",\"duid\":\"574fcff42ead810f5e43b0fc\",\"suser\":\"admin tech\"}", "event": { - "end": "2022-04-27T13:17:10.188000Z", - "kind": "event", - "reason": "New computer registered: DESKTOP-1234", - "code": "Event::Endpoint::Registered", "category": [ "iam" ], + "code": "Event::Endpoint::Registered", + "end": "2022-04-27T13:17:10.188000Z", + "kind": "event", + "reason": "New computer registered: DESKTOP-1234", "type": [ "info" ] }, "@timestamp": "2022-04-27T13:17:10.197000Z", - "user": { - "id": "574fcff42ead810f5e43b0fc", - "name": "admin tech" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" @@ -686,18 +682,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "PROTECTION" - } - }, "related": { "hosts": [ "DESKTOP-1234" 
@@ -708,6 +692,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin tech" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "PROTECTION" + } + }, + "user": { + "id": "574fcff42ead810f5e43b0fc", + "name": "admin tech" } } @@ -721,22 +721,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::SavScanComplete\",\"name\":\"Scan 'Sophos Cloud Scheduled Scan' completed\",\"id\":\"fca84bd1-44df-4c30-ab79-103b971e714a\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"92d4ef41-9c13-4041-bbed-952011796812\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:59:59.000Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T09:00:03.548Z\",\"duid\":\"611cda48cf87290e90dfc1d1\",\"suser\":\"Elon Musk\"}", "event": { - "end": "2022-04-27T08:59:59Z", - "kind": "event", - "reason": "Scan 'Sophos Cloud Scheduled Scan' completed", - "code": "Event::Endpoint::SavScanComplete", "category": [ "iam" ], + "code": "Event::Endpoint::SavScanComplete", + "end": "2022-04-27T08:59:59Z", + "kind": "event", + "reason": "Scan 'Sophos Cloud Scheduled Scan' completed", "type": [ "info" ] }, "@timestamp": "2022-04-27T09:00:03.548000Z", - "user": { - "id": "611cda48cf87290e90dfc1d1", - "name": "Elon Musk" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" 
@@ -747,18 +743,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "92d4ef41-9c13-4041-bbed-952011796812" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "PROTECTION" - } - }, "related": { "hosts": [ "DESKTOP-1234" @@ -769,6 +753,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Elon Musk" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "92d4ef41-9c13-4041-bbed-952011796812", + "type": "computer" + }, + "event": { + "group": "PROTECTION" + } + }, + "user": { + "id": "611cda48cf87290e90dfc1d1", + "name": "Elon Musk" } } @@ -782,14 +782,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateFailure\",\"endpoint_type\":\"server\",\"endpoint_id\":\"350e274b-777f-4b67-b34b-10d17a6c6193\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.\",\"id\":\"f68abcb6-c87f-46ae-a82a-7919bf313a66\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T07:41:03.101Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T07:41:03.118Z\",\"dhost\":\"DESKTOP-1234\"}", "event": { - "end": "2022-04-25T07:41:03.101000Z", - "kind": "event", - "reason": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.", - "code": "Event::Endpoint::UpdateFailure", "category": [ "file", "process" ], + "code": "Event::Endpoint::UpdateFailure", + "end": "2022-04-25T07:41:03.101000Z", + "kind": "event", + "reason": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.", "type": [ "info" ] 
@@ -805,18 +805,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "server", - "id": "350e274b-777f-4b67-b34b-10d17a6c6193" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "UPDATING" - } - }, "related": { "hosts": [ "DESKTOP-1234" @@ -824,6 +812,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "350e274b-777f-4b67-b34b-10d17a6c6193", + "type": "server" + }, + "event": { + "group": "UPDATING" + } } } @@ -837,14 +837,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateRebootRequired\",\"endpoint_type\":\"server\",\"endpoint_id\":\"5da7691b-cc01-4330-bb8b-358362c3a5f1\",\"source_info\":{\"ip\":\"1.2.3.4\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Reboot to complete update; computer stays protected in the meantime\",\"id\":\"bc60c18b-dc21-43a3-bfd5-f28963f288e2\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T03:15:31.760Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T03:15:31.777Z\",\"dhost\":\"DOMAIN-1234\"}", "event": { - "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", - "reason": "Reboot to complete update; computer stays protected in the meantime", - "code": "Event::Endpoint::UpdateRebootRequired", "category": [ "file", "process" ], + "code": "Event::Endpoint::UpdateRebootRequired", + "end": "2022-04-25T03:15:31.760000Z", + "kind": "event", + "reason": "Reboot to complete update; computer stays protected in the meantime", "type": [ "info" ] 
@@ -860,18 +860,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.2.3.4" }, - "sophos": { - "endpoint": { - "type": "server", - "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "UPDATING" - } - }, "related": { "hosts": [ "DOMAIN-1234" @@ -879,6 +867,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "5da7691b-cc01-4330-bb8b-358362c3a5f1", + "type": "server" + }, + "event": { + "group": "UPDATING" + } } } @@ -892,14 +892,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UpdateSuccess\",\"endpoint_type\":\"server\",\"endpoint_id\":\"2ddff78e-27a1-40ff-8478-6c9be62e3b29\",\"source_info\":{\"ip\":\"4.5.6.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Update succeeded\",\"id\":\"a4c6776e-2f47-4bea-b5b3-7f1914c03a70\",\"group\":\"UPDATING\",\"datastream\":\"event\",\"end\":\"2022-04-25T04:57:09.886Z\",\"suser\":\"n/a\",\"rt\":\"2022-04-25T04:57:09.900Z\",\"dhost\":\"ACLOUD-2K22\"}", "event": { - "end": "2022-04-25T04:57:09.886000Z", - "kind": "event", - "reason": "Update succeeded", - "code": "Event::Endpoint::UpdateSuccess", "category": [ "file", "process" ], + "code": "Event::Endpoint::UpdateSuccess", + "end": "2022-04-25T04:57:09.886000Z", + "kind": "event", + "reason": "Update succeeded", "type": [ "info" ] 
@@ -915,18 +915,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "4.5.6.7" }, - "sophos": { - "endpoint": { - "type": "server", - "id": "2ddff78e-27a1-40ff-8478-6c9be62e3b29" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "UPDATING" - } - }, "related": { "hosts": [ "ACLOUD-2K22" @@ -934,6 +922,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "4.5.6.7" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "2ddff78e-27a1-40ff-8478-6c9be62e3b29", + "type": "server" + }, + "event": { + "group": "UPDATING" + } } } @@ -947,23 +947,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::UserAutoCreated\",\"name\":\"New user added automatically: TESLA\\\\e.musk\",\"id\":\"1498e255-e9c1-4835-b0b9-8ae7b44ae6f7\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"endpoint_type\":\"computer\",\"group\":\"PROTECTION\",\"datastream\":\"event\",\"end\":\"2022-04-27T08:48:19.449Z\",\"dhost\":\"DESKTOP-1234\",\"rt\":\"2022-04-27T08:48:19.456Z\",\"duid\":\"62690353b62561118508746f\",\"suser\":\"TESLA\\\\e.musk\"}", "event": { - "end": "2022-04-27T08:48:19.449000Z", - "kind": "event", - "reason": "New user added automatically: TESLA\\e.musk", - "code": "Event::Endpoint::UserAutoCreated", "category": [ "iam" ], + "code": "Event::Endpoint::UserAutoCreated", + "end": "2022-04-27T08:48:19.449000Z", + "kind": "event", + "reason": "New user added automatically: TESLA\\e.musk", "type": [ "creation" ] }, "@timestamp": "2022-04-27T08:48:19.456000Z", - "user": { - "id": "62690353b62561118508746f", - "name": "e.musk", - "domain": "TESLA" - }, "host": { "hostname": "DESKTOP-1234", "name": "DESKTOP-1234" 
@@ -974,18 +969,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.3.3.7" }, - "sophos": { - "endpoint": { - "type": "computer", - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "customer": { - "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" - }, - "event": { - "group": "PROTECTION" - } - }, "related": { "hosts": [ "DESKTOP-1234" @@ -996,6 +979,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "e.musk" ] + }, + "sophos": { + "customer": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" + }, + "endpoint": { + "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b", + "type": "computer" + }, + "event": { + "group": "PROTECTION" + } + }, + "user": { + "domain": "TESLA", + "id": "62690353b62561118508746f", + "name": "e.musk" } } 
@@ -1009,22 +1009,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"severity\":\"low\",\"type\":\"Event::Endpoint::WebFilteringBlocked\",\"endpoint_type\":\"computer\",\"endpoint_id\":\"3205420f-f05c-4f03-bb10-3ff6bf97b6ab\",\"source_info\":{\"ip\":\"1.3.3.7\"},\"customer_id\":\"36d5cd97-169e-490b-a2c4-bcd9d5d2a54b\",\"name\":\"Access was blocked to \\\"www.malicious-site.com\\\" because of \\\"Rulename\\\".\",\"id\":\"a91e11e2-1739-4f01-bf33-2dfd165e5ca3\",\"group\":\"WEB\",\"datastream\":\"event\",\"end\":\"2022-04-25T09:35:54.000Z\",\"suser\":\"Elon Musk\",\"rt\":\"2022-04-25T09:35:55.764Z\",\"duid\":\"615ff633eae9110e824c07b7\",\"dhost\":\"TESLA-SUPPORT\"}", "event": { - "end": "2022-04-25T09:35:54Z", - "kind": "event", - "reason": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".", - "code": "Event::Endpoint::WebFilteringBlocked", "category": [ "network" ], + "code": "Event::Endpoint::WebFilteringBlocked", + "end": "2022-04-25T09:35:54Z", + "kind": "event", + "reason": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".", "type": [ "denied" ] }, "@timestamp": "2022-04-25T09:35:55.764000Z", - "user": { - "id": "615ff633eae9110e824c07b7", - "name": "Elon Musk" - }, "host": { "hostname": "TESLA-SUPPORT", "name": "TESLA-SUPPORT" 
@@ -1035,35 +1031,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "ip": "1.3.3.7" }, + "related": { + "hosts": [ + "TESLA-SUPPORT" + ], + "ip": [ + "1.3.3.7" + ], + "user": [ + "Elon Musk" + ] + }, "rule": { "name": "Rulename" }, - "url": { - "original": "www.malicious-site.com", - "path": "www.malicious-site.com" - }, "sophos": { - "endpoint": { - "type": "computer", - "id": "3205420f-f05c-4f03-bb10-3ff6bf97b6ab" - }, "customer": { "id": "36d5cd97-169e-490b-a2c4-bcd9d5d2a54b" }, + "endpoint": { + "id": "3205420f-f05c-4f03-bb10-3ff6bf97b6ab", + "type": "computer" + }, "event": { "group": "WEB" } }, - "related": { - "hosts": [ - "TESLA-SUPPORT" - ], - "ip": [ - "1.3.3.7" - ], - "user": [ - "Elon Musk" - ] + "url": { + "original": "www.malicious-site.com", + "path": "www.malicious-site.com" + }, + "user": { + "id": "615ff633eae9110e824c07b7", + "name": "Elon Musk" } } diff --git a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md index 41f02d042d..51d1684e4c 100644 --- a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md +++ b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md 
@@ -37,22 +37,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "date=\"2022-03-11T10:39:16.390Z\" hostname=\"mwgproxy\" username=\"\" source_ip=1.2.3.4 destination_ip=2.2.2.41 destination_host=\"www.forbiddensite.com\" http_status_code=403 media_type=\"\" source_bytes=131 destination_bytes=0 http_request_first_line=\"GET http://www.forbiddensite.com/ HTTP/1.1\" url_categories=\"Pornography\" url_reputation_string=\"Minimal Risk\" url_reputation_code=-28 ruleset_name=\"Default\" rule_name=\"Block URLs Whose Category Is in Category Blocklist for Default Groups\" block_id=10 block_reason=\"Blocked by URL filtering\" body_infected=false virus_names=\"\" body_modified=false application_reputation=\"Unverified\" application_name=\"forbiddenapp\" http_referer=\"\" user_agent=\"curl/7.77.0\"", "event": { - "start": "2022-03-11T10:39:16.390000Z", + "action": "denied", "category": [ "network" ], "code": "10", "kind": "event", "reason": "Blocked by URL filtering", - "action": "denied" + "start": "2022-03-11T10:39:16.390000Z" }, "destination": { + "address": "www.forbiddensite.com", "domain": "www.forbiddensite.com", "ip": "2.2.2.41", - "address": "www.forbiddensite.com", - "top_level_domain": "com", + "registered_domain": "forbiddensite.com", "subdomain": "www", - "registered_domain": "forbiddensite.com" + "top_level_domain": "com" }, "http": { "request": { 
@@ -64,72 +64,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 403 } }, + "network": { + "direction": "egress" + }, "observer": { "hostname": "mwgproxy", + "product": "McAfee Web Gateway", "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" + "vendor": "McAfee Corp." + }, + "related": { + "hosts": [ + "mwgproxy", + "www.forbiddensite.com" + ], + "ip": [ + "1.2.3.4", + "2.2.2.41" + ] }, "rule": { - "ruleset": "Default", - "name": "Block URLs Whose Category Is in Category Blocklist for Default Groups" + "name": "Block URLs Whose Category Is in Category Blocklist for Default Groups", + "ruleset": "Default" }, - "network": { - "direction": "egress" + "skyhighsecurity": { + "application": { + "name": "forbiddenapp", + "reputation": "Unverified" + }, + "http": { + "body": { + "infected": "false", + "modified": "false" + } + }, + "url": { + "categories": [ + "Pornography" + ], + "reputation": "Minimal Risk", + "reputation_code": -28 + } }, "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "www.forbiddensite.com", + "original": "http://www.forbiddensite.com/", + "path": "/", + "port": 80, + "registered_domain": "forbiddensite.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" }, "user_agent": { - "original": "curl/7.77.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.77.0", + "original": "curl/7.77.0", "os": { "name": "Other" - } - }, - "url": { - "original": "http://www.forbiddensite.com/", - "domain": "www.forbiddensite.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "forbiddensite.com", - "path": "/", - "scheme": "http", - "port": 80 - }, - "skyhighsecurity": { - "application": { - "reputation": "Unverified", - "name": "forbiddenapp" - }, - "url": { - "reputation": "Minimal Risk", - "reputation_code": -28, - "categories": [ - "Pornography" - ] }, - 
"http": { - "body": { - "infected": "false", - "modified": "false" - } - } - }, - "related": { - "hosts": [ - "mwgproxy", - "www.forbiddensite.com" - ], - "ip": [ - "1.2.3.4", - "2.2.2.41" - ] + "version": "7.77.0" } } @@ -143,23 +143,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "date=\"2022-03-17T13:14:39.134Z\" hostname=\"mwgproxy\" username=\"\" source_ip=1.2.3.4 destination_ip=2.2.2.2 destination_host=\"slscr.update.microsoft.com\" http_status_code=407 media_type=\"\" source_bytes=173 destination_bytes=0 http_request_first_line=\"CONNECT slscr.update.microsoft.com:443 HTTP/1.1\" url_categories=\"Business, Software/Hardware\" url_reputation_string=\"Minimal Risk\" url_reputation_code=-42 ruleset_name=\"Authentication: Direct Proxy\" rule_name=\"Authenticate: Active Directory\" block_id=81 block_reason=\"Authentication Required\" body_infected=false virus_names=\"\" body_modified=false application_reputation=\"Unverified\" application_name=\"\" http_referer=\"\" user_agent=\"\"", "event": { - "start": "2022-03-17T13:14:39.134000Z", + "action": "denied", "category": [ "network" ], "code": "81", "kind": "event", "reason": "Authentication Required", - "action": "denied" + "start": "2022-03-17T13:14:39.134000Z" }, "destination": { + "address": "slscr.update.microsoft.com", "domain": "slscr.update.microsoft.com", "ip": "2.2.2.2", "port": 443, - "address": "slscr.update.microsoft.com", - "top_level_domain": "com", + "registered_domain": "microsoft.com", "subdomain": "slscr.update", - "registered_domain": "microsoft.com" + "top_level_domain": "com" }, "http": { "request": { 
@@ -171,58 +171,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 407 } }, + "network": { + "direction": "egress" + }, "observer": { "hostname": "mwgproxy", + "product": "McAfee Web Gateway", "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" + "vendor": "McAfee Corp." }, - "rule": { - "ruleset": "Authentication: Direct Proxy", - "name": "Authenticate: Active Directory" - }, - "network": { - "direction": "egress" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "related": { + "hosts": [ + "mwgproxy", + "slscr.update.microsoft.com" + ], + "ip": [ + "1.2.3.4", + "2.2.2.2" + ] }, - "url": { - "domain": "slscr.update.microsoft.com", - "port": 443, - "top_level_domain": "com", - "subdomain": "slscr.update", - "registered_domain": "microsoft.com" + "rule": { + "name": "Authenticate: Active Directory", + "ruleset": "Authentication: Direct Proxy" }, "skyhighsecurity": { "application": { "reputation": "Unverified" }, - "url": { - "reputation": "Minimal Risk", - "reputation_code": -42, - "categories": [ - "Business", - "Software/Hardware" - ] - }, "http": { "body": { "infected": "false", "modified": "false" } + }, + "url": { + "categories": [ + "Business", + "Software/Hardware" + ], + "reputation": "Minimal Risk", + "reputation_code": -42 } }, - "related": { - "hosts": [ - "mwgproxy", - "slscr.update.microsoft.com" - ], - "ip": [ - "1.2.3.4", - "2.2.2.2" - ] + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "slscr.update.microsoft.com", + "port": 443, + "registered_domain": "microsoft.com", + "subdomain": "slscr.update", + "top_level_domain": "com" } } 
@@ -236,14 +236,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "date=\"2022-03-24T13:54:02.740Z\" hostname=\"mwgproxy\" username=\"myusername\" source_ip=1.2.3.4 destination_ip=255.255.255.255 destination_host=\"\" http_status_code=400 media_type=\"\" source_bytes=316 destination_bytes=0 http_request_first_line=\"CONNECT :80 HTTP/1.1\" url_categories=\"Business, Software/Hardware\" url_reputation_string=\"Minimal Risk\" url_reputation_code=-3 ruleset_name=\"Exception DFS\" rule_name=\"Forbidden Access\" block_id=10 block_reason=\"Blocked by URL filtering\" body_infected=false virus_names=\"\" body_modified=false application_reputation=\"Unverified\" application_name=\"\" http_referer=\"\" user_agent=\"\"", "event": { - "start": "2022-03-24T13:54:02.740000Z", + "action": "denied", "category": [ "network" ], "code": "10", "kind": "event", "reason": "Blocked by URL filtering", - "action": "denied" + "start": "2022-03-24T13:54:02.740000Z" + }, + "destination": { + "address": "255.255.255.255", + "ip": "255.255.255.255" }, "http": { "request": { 
@@ -255,60 +259,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 400 } }, - "observer": { - "hostname": "mwgproxy", - "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" - }, - "rule": { - "ruleset": "Exception DFS", - "name": "Forbidden Access" - }, "network": { "direction": "egress" }, - "destination": { - "ip": "255.255.255.255", - "address": "255.255.255.255" + "observer": { + "hostname": "mwgproxy", + "product": "McAfee Web Gateway", + "type": "proxy", + "vendor": "McAfee Corp." }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "related": { + "hosts": [ + "mwgproxy" + ], + "ip": [ + "1.2.3.4", + "255.255.255.255" + ], + "user": [ + "myusername" + ] }, - "user": { - "name": "myusername" + "rule": { + "name": "Forbidden Access", + "ruleset": "Exception DFS" }, "skyhighsecurity": { "application": { "reputation": "Unverified" }, - "url": { - "reputation": "Minimal Risk", - "reputation_code": -3, - "categories": [ - "Business", - "Software/Hardware" - ] - }, "http": { "body": { "infected": "false", "modified": "false" } + }, + "url": { + "categories": [ + "Business", + "Software/Hardware" + ], + "reputation": "Minimal Risk", + "reputation_code": -3 } }, - "related": { - "hosts": [ - "mwgproxy" - ], - "ip": [ - "1.2.3.4", - "255.255.255.255" - ], - "user": [ - "myusername" - ] + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "myusername" } } 
@@ -322,26 +322,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "date=\"2022-03-11T09:50:47.399Z\" hostname=\"mwgproxy\" username=\"myusername\" source_ip=1.2.3.4 destination_ip=142.250.178.131 destination_host=\"www.google.fr\" http_status_code=200 media_type=\"\" source_bytes=127 destination_bytes=14678 http_request_first_line=\"GET http://www.google.fr/ HTTP/1.1\" url_categories=\"Search Engines\" url_reputation_string=\"Minimal Risk\" url_reputation_code=0 ruleset_name=\"Dynamic Content Classification\" rule_name=\"Block URLs Whose Category Is in Category Blocklist\" block_id=0 block_reason=\"\" body_infected=false virus_names=\"\" body_modified=false application_reputation=\"Unverified\" application_name=\"\" http_referer=\"\" user_agent=\"curl/7.77.0\"", "event": { - "start": "2022-03-11T09:50:47.399000Z", + "action": "allowed", "category": [ "network" ], "code": "0", "kind": "event", - "action": "allowed", + "start": "2022-03-11T09:50:47.399000Z", "type": [ - "connection", "access", - "allowed" + "allowed", + "connection" ] }, "destination": { + "address": "www.google.fr", "domain": "www.google.fr", "ip": "142.250.178.131", - "address": "www.google.fr", - "top_level_domain": "fr", + "registered_domain": "google.fr", "subdomain": "www", - "registered_domain": "google.fr" + "top_level_domain": "fr" }, "http": { "request": { 
@@ -353,77 +353,77 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "network": { + "direction": "egress" + }, "observer": { "hostname": "mwgproxy", + "product": "McAfee Web Gateway", "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" - }, - "rule": { - "ruleset": "Dynamic Content Classification", - "name": "Block URLs Whose Category Is in Category Blocklist" + "vendor": "McAfee Corp." }, - "network": { - "direction": "egress" + "related": { + "hosts": [ + "mwgproxy", + "www.google.fr" + ], + "ip": [ + "1.2.3.4", + "142.250.178.131" + ], + "user": [ + "myusername" + ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "rule": { + "name": "Block URLs Whose Category Is in Category Blocklist", + "ruleset": "Dynamic Content Classification" }, - "user_agent": { - "original": "curl/7.77.0", - "device": { - "name": "Other" + "skyhighsecurity": { + "application": { + "reputation": "Unverified" }, - "name": "curl", - "version": "7.77.0", - "os": { - "name": "Other" + "http": { + "body": { + "infected": "false", + "modified": "false" + } + }, + "url": { + "categories": [ + "Search Engines" + ], + "reputation": "Minimal Risk", + "reputation_code": 0 } }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "url": { - "original": "http://www.google.fr/", "domain": "www.google.fr", - "top_level_domain": "fr", - "subdomain": "www", - "registered_domain": "google.fr", + "original": "http://www.google.fr/", "path": "/", + "port": 80, + "registered_domain": "google.fr", "scheme": "http", - "port": 80 + "subdomain": "www", + "top_level_domain": "fr" }, "user": { "name": "myusername" }, - "skyhighsecurity": { - "application": { - "reputation": "Unverified" + "user_agent": { + "device": { + "name": "Other" }, - "url": { - "reputation": "Minimal Risk", - "reputation_code": 0, - "categories": [ - "Search Engines" - ] + "name": "curl", + "original": "curl/7.77.0", + "os": { + "name": 
"Other" }, - "http": { - "body": { - "infected": "false", - "modified": "false" - } - } - }, - "related": { - "hosts": [ - "mwgproxy", - "www.google.fr" - ], - "ip": [ - "1.2.3.4", - "142.250.178.131" - ], - "user": [ - "myusername" - ] + "version": "7.77.0" } } 
@@ -437,79 +437,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "user_id=-1 username=foo source_ip=37.171.139.5 http_action=CERTVERIFY server_to_client_bytes=0 client_to_server_bytes=0 requested_host=ping-edge.smartscreen.microsoft.com requested_path=/ result=OBSERVED virus= request_timestamp_epoch=1661260270 request_timestamp=2022-08-23 13:11:10 uri_scheme=https category=Business, Software/Hardware media_type=application/x-empty application_type= reputation=Minimal Risk last_rule=Allow http_status_code=200 client_ip=10.0.2.15 location= block_reason= user_agent_product=Other user_agent_version= user_agent_comment= process_name=msedge.exe destination_ip=20.108.130.238 destination_port=443 pop_country_code=FR referer= ssl_scanned=t av_scanned_up=t av_scanned_down=f rbi=f dlp=f client_system_name=desktop-rles2a6 filename= pop_egress_ip=161.69.108.44 pop_ingress_ip=10.42.47.222 proxy_port=8080", "event": { + "action": "allowed", "category": [ "network" ], "kind": "event", - "action": "allowed", "type": [ - "connection", "access", - "allowed" + "allowed", + "connection" ] }, "@timestamp": "2022-08-23T13:11:10Z", - "source": { - "bytes": 0, - "nat": { - "ip": "37.171.139.5" - }, - "ip": "10.0.2.15", - "address": "10.0.2.15" - }, "destination": { - "domain": "ping-edge.smartscreen.microsoft.com", + "address": "ping-edge.smartscreen.microsoft.com", "bytes": 0, - "port": 443, + "domain": "ping-edge.smartscreen.microsoft.com", "ip": "20.108.130.238", - "address": "ping-edge.smartscreen.microsoft.com", - "top_level_domain": "com", + "port": 443, + "registered_domain": "microsoft.com", "subdomain": "ping-edge.smartscreen", - "registered_domain": "microsoft.com" + "top_level_domain": "com" + }, + "host": { + "name": "desktop-rles2a6" }, "http": { - "response": { - "status_code": 200, + "request": { + "method": "CERTVERIFY", "mime_type": "application/x-empty" }, - "request": { + "response": { "mime_type": "application/x-empty", - 
"method": "CERTVERIFY" + "status_code": 200 } }, - "url": { - "scheme": "https", - "path": "/" - }, - "host": { - "name": "desktop-rles2a6" - }, - "process": { - "name": "msedge.exe" - }, - "observer": { - "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" - }, - "rule": { - "name": "Allow", - "category": "Business, Software/Hardware" - }, "network": { "direction": "egress" }, - "user": { - "name": "foo" + "observer": { + "product": "McAfee Web Gateway", + "type": "proxy", + "vendor": "McAfee Corp." }, - "skyhighsecurity": { - "proxy_port": 8080, - "dlp": "false", - "rbi": "false", - "av_scanned_down": "false", - "av_scanned_up": "true", - "ssl_scanned": "true", - "reputation": "Minimal Risk" + "process": { + "name": "msedge.exe" }, "related": { "hosts": [ @@ -523,6 +495,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "foo" ] + }, + "rule": { + "category": "Business, Software/Hardware", + "name": "Allow" + }, + "skyhighsecurity": { + "av_scanned_down": "false", + "av_scanned_up": "true", + "dlp": "false", + "proxy_port": 8080, + "rbi": "false", + "reputation": "Minimal Risk", + "ssl_scanned": "true" + }, + "source": { + "address": "10.0.2.15", + "bytes": 0, + "ip": "10.0.2.15", + "nat": { + "ip": "37.171.139.5" + } + }, + "url": { + "path": "/", + "scheme": "https" + }, + "user": { + "name": "foo" } } 
@@ -536,78 +536,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=-1 username=autorite nt\\\\service r\u00c9seau source_ip=1.1.1.1 http_action=GET server_to_client_bytes=3160 client_to_server_bytes=1137 requested_host=ctldl.windowsupdate.com requested_path=/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab result=DENIED virus= request_timestamp_epoch=1661266553 request_timestamp=2022-08-23 14:55:53 uri_scheme=http category=Software/Hardware media_type= application_type= reputation=Minimal Risk last_rule=Block if MCP Authentication Failed http_status_code=403 client_ip=1.1.1.1 location= block_reason=Authentication Required user_agent_product=Other user_agent_version= user_agent_comment= process_name=svchost.exe destination_ip=1.1.1.1 destination_port=80 pop_country_code=fr referer= ssl_scanned=f av_scanned_up=f av_scanned_down=f rbi=f dlp=f client_system_name= filename=pinrulesstl.cab pop_egress_ip=1.1.1.1pop_ingress_ip=1.1.1.1 proxy_port=80", "event": { + "action": "denied", "category": [ "network" ], "kind": "event", - "action": "denied", "reason": "Authentication Required", "type": [ - "connection", "access", + "connection", "denied" ] }, "@timestamp": "2022-08-23T14:55:53Z", - "source": { - "bytes": 1137, - "nat": { - "ip": "1.1.1.1" - }, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "destination": { - "domain": "ctldl.windowsupdate.com", + "address": "ctldl.windowsupdate.com", "bytes": 3160, - "port": 80, + "domain": "ctldl.windowsupdate.com", "ip": "1.1.1.1", - "address": "ctldl.windowsupdate.com", - "top_level_domain": "com", + "port": 80, + "registered_domain": "windowsupdate.com", "subdomain": "ctldl", - "registered_domain": "windowsupdate.com" + "top_level_domain": "com" + }, + "file": { + "name": "pinrulesstl.cab" }, "http": { - "response": { - "status_code": 403 - }, "request": { "method": "GET" + }, + "response": { + "status_code": 403 } }, - "url": { - "scheme": "http", - "path": 
"/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab" - }, - "process": { - "name": "svchost.exe" - }, - "observer": { - "type": "proxy", - "vendor": "McAfee Corp.", - "product": "McAfee Web Gateway" - }, - "file": { - "name": "pinrulesstl.cab" - }, - "rule": { - "name": "Block if MCP Authentication Failed", - "category": "Software/Hardware" - }, "network": { "direction": "egress" }, - "user": { - "name": "autorite nt\\\\service r\u00c9seau" + "observer": { + "product": "McAfee Web Gateway", + "type": "proxy", + "vendor": "McAfee Corp." }, - "skyhighsecurity": { - "proxy_port": 80, - "dlp": "false", - "rbi": "false", - "av_scanned_down": "false", - "av_scanned_up": "false", - "ssl_scanned": "false", - "reputation": "Minimal Risk" + "process": { + "name": "svchost.exe" }, "related": { "hosts": [ @@ -619,6 +591,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "autorite nt\\\\service r\u00c9seau" ] + }, + "rule": { + "category": "Software/Hardware", + "name": "Block if MCP Authentication Failed" + }, + "skyhighsecurity": { + "av_scanned_down": "false", + "av_scanned_up": "false", + "dlp": "false", + "proxy_port": 80, + "rbi": "false", + "reputation": "Minimal Risk", + "ssl_scanned": "false" + }, + "source": { + "address": "1.1.1.1", + "bytes": 1137, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1" + } + }, + "url": { + "path": "/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "scheme": "http" + }, + "user": { + "name": "autorite nt\\\\service r\u00c9seau" } } diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index 25464ef405..8d0a85c331 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md 
@@ -36,15 +36,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"command_script\",\"tgt.file.modificationTime\":-11644473600000,\"osSrc.process.parent.sessionId\":0,\"src.process.parent.image.sha1\":\"9b77e09375790ea1ea0a9ca9fc1d69e8e32fe597\",\"site.id\":\"1640744535583677559\",\"tgt.file.location\":\"Local\",\"src.process.parent.displayName\":\"Host Process for Windows Tasks\",\"src.process.image.binaryIsExecutable\":true,\"osSrc.process.parent.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"osSrc.process.parent.name\":\"svchost.exe\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"osSrc.process.parent.startTime\":1680169387386,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":272,\"src.process.parent.name\":\"taskhostw.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1680184001306,\"src.process.image.md5\":\"e610d62f73d68a280d364d1ccd6fea30\",\"src.process.indicatorReconnaissanceCount\":5,\"src.process.storyline.id\":\"3ED9E6E7AB538ED5\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"cmdScript.isComplete\":true,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"SCRIPTS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"osSrc.process.parent.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"3ED9E6E7AB538ED5\",\"tgt.file.creationTime\":-11644473600000,\"src.process.integrityLevel\":\"HIGH\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1680183967040,\"osSrc.process.parent.isStorylineRoot\":true,\"timestamp\":\"2023-03-30T13:46:07.040Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":2593,\"src.process.image.sha1\":\"9b1d2f446cdb7d412775dffe05ebf35db5f12ccd\",\"src.process.isStorylineRoot\":false,\"cmdScript.applicationName\":\"PowerShell_C:\\\\Windows\\\\System32\\\\sdiagnhost.exe_10.0.19041.1\",\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\taskhostw.exe\",\"tgt.file.sha1\":\"6f8e508526af2f5a9ab618ebb26b140e8b2811b4\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":7488,\"osSrc.process.parent.integrityLevel\":\"SYSTEM\",\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe -Embedding\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"sca:ingestTime\":1680184006,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"osSrc.process.parent.signedStatus\":\"signed\",\"tgt.file.isExecutable\":false,\"event.id\":\"01GWSCAFNK8CGJZYXP5JNDA8VW_166\",\"src.process.parent.cmdline\":\"taskhostw.exe\",\"osSrc.process.parent.displayName\":\"Host Process for Windows Services\",\"cmdScript.content\":\"{(Format-DiskSpaceMB $_.Space) + 
\\\"MB\\\"}\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\",\"src.process.tgtFileModificationCount\":2,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"C:\\\\Windows\\\\Temp\\\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\\\TS_DiagnosticHistory.ps1\",\"cmdScript.sha256\":\"6f7db8ffe9379313fda22bcf6b6888ca8405dbab4a6ee58504b2bb34cda3def6\",\"tgt.file.extension\":\"ps1\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1680183962201,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"tgt.file.type\":\"UNKNOWN\",\"osSrc.process.parent.isNative64Bit\":false,\"src.process.displayName\":\"Scripted Diagnostics Native Host\",\"tgt.file.sha256\":\"00915c9baba87359a458d23e18f412647852a3260280a0d64af5e91307c01bce\",\"src.process.parent.sessionId\":2,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"64D9E6E7AB538ED5\",\"src.process.parent.image.md5\":\"a00bf82660835224cd6606a248321c5d\",\"osSrc.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.parent.isRedirectCmdProcessor\":false,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"64D9E6E7AB538ED5\",\"cmdScript.originalSize\":76,\"osSrc.process.parent.storyline.id\":\"0F91E6E7AB538ED5\",\"osSrc.process.parent.pid\":832,\"src.process.parent.uid\":\"3DD9E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"e63709209d09bc0247e785f075ddb28a98c348206109e2b8ba321ad958402728\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"3ED9E6E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1680183961002,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSCAFNK8CGJZYXP5JNDA8VW\",\"src.process.name\":\"sdiagnhost.exe\",\"tgt.file.md5\":\"6f42efe37f2f73bc4d5531a5906844c5\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.parent.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.image.sha256\":\"e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4\",\"osSrc.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"src.process.indicatorGeneralCount\":4,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"7F72001C135D479586722BA2913C81E1\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"tgt.file.id\":\"59D9E6E7AB538ED5\",\"osSrc.process.parent.uid\":\"0E91E6E7AB538ED5\",\"event.type\":\"Command Script\",\"task.path\":\"C:\\\\Windows\\\\Temp\\\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\\\TS_DiagnosticHistory.ps1\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":6276}", "event": { "action": "Command Script", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "process" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-30T13:46:07.040000Z", "agent": { "version": "22.3.2.373" }, @@ -55,8 +56,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Command Script", - "category": "command_script" + "category": "command_script", + "type": "Command Script" + }, + "file": { + "location": "Local", + "type": "UNKNOWN" }, "host": { "os": { 
@@ -65,14 +70,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 2, - "child_process": 1, "module_load": 272, "net_conn": 0, "net_conn_in": 0, 
@@ -83,56 +88,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "HIGH", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 2, - "storyline_id": "3ED9E6E7AB538ED5", - "uid": "64D9E6E7AB538ED5", + "ossrc": { + "parent": { + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": "0", + "storyline_id": "0F91E6E7AB538ED5", + "uid": "0E91E6E7AB538ED5" + } + }, "parent": { - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "3ED9E6E7AB538ED5", - "uid": "3DD9E6E7AB538ED5", + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "taskhostw.exe", "executable": { "name": "C:\\Windows\\System32\\taskhostw.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "a00bf82660835224cd6606a248321c5d", "sha1": "9b77e09375790ea1ea0a9ca9fc1d69e8e32fe597", "sha256": "e63709209d09bc0247e785f075ddb28a98c348206109e2b8ba321ad958402728" }, + "integrity_level": "HIGH", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "taskhostw.exe", "pid": "6276", + "root": "True", + "session_id": 2, + "start": "2023-03-30T13:46:01.002000Z", + "storyline_id": "3ED9E6E7AB538ED5", "title": "Host Process for Windows Tasks", + "uid": "3DD9E6E7AB538ED5", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-30T13:46:01.002000Z", - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows\\System32" }, - "ossrc": { - "parent": { - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": "0", - "storyline_id": "0F91E6E7AB538ED5", - "uid": "0E91E6E7AB538ED5" - } 
- } - }, - "file": { - "location": "Local", - "type": "UNKNOWN" + "root": "False", + "session_id": 2, + "storyline_id": "3ED9E6E7AB538ED5", + "uid": "64D9E6E7AB538ED5" }, "script": { "app_name": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1", @@ -140,6 +141,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "is_complete": true } }, + "file": { + "code_signature": { + "exists": false + }, + "created": "1966-04-24T06:14:24Z", + "directory": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57", + "hash": { + "md5": "6f42efe37f2f73bc4d5531a5906844c5", + "sha1": "6f8e508526af2f5a9ab618ebb26b140e8b2811b4", + "sha256": "6f7db8ffe9379313fda22bcf6b6888ca8405dbab4a6ee58504b2bb34cda3def6" + }, + "mtime": "1966-04-24T06:14:24Z", + "name": "TS_DiagnosticHistory.ps1", + "path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1", + "size": 76 + }, "host": { "name": "desktop-jdoe", "os": { @@ -151,8 +168,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T13:46:07.040000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding", "executable": "C:\\Windows\\System32\\sdiagnhost.exe", "hash": { 
@@ -161,60 +181,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4" }, "name": "sdiagnhost.exe", - "pid": 7488, - "title": "Scripted Diagnostics Native Host", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-30T13:46:02.201000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + }, "name": "svchost.exe", "process": { "pid": "832" }, + "start": "2023-03-30T09:43:07.386000Z", "title": "Host Process for Windows Services", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" - }, - "start": "2023-03-30T09:43:07.386000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "john.doe", - "domain": "desktop-jdoe" - }, - "file": { - "path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1", - "hash": { - "md5": "6f42efe37f2f73bc4d5531a5906844c5", - "sha1": "6f8e508526af2f5a9ab618ebb26b140e8b2811b4", - "sha256": "6f7db8ffe9379313fda22bcf6b6888ca8405dbab4a6ee58504b2bb34cda3def6" + "working_directory": "C:\\Windows\\System32" }, - "size": 76, - "created": "1966-04-24T06:14:24Z", - "mtime": "1966-04-24T06:14:24Z", - "code_signature": { - 
"exists": false + "pid": 7488, + "start": "2023-03-30T13:46:02.201000Z", + "title": "Scripted Diagnostics Native Host", + "user": { + "name": "desktop-jdoe\\john.doe" }, - "name": "TS_DiagnosticHistory.ps1", - "directory": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57" + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ @@ -231,6 +227,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "user": { + "domain": "desktop-jdoe", + "name": "john.doe" } } 
@@ -245,15 +245,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"dns\",\"osSrc.process.parent.sessionId\":0,\"src.process.parent.image.sha1\":\"5310ba14a05256e4d93e0b04338f53b4e1d680cb\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.parent.displayName\":\"Shell Infrastructure Host\",\"src.process.image.binaryIsExecutable\":true,\"osSrc.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"osSrc.process.parent.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.parent.name\":\"svchost.exe\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"osSrc.process.parent.startTime\":1679394829780,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.tgtFileCreationCount\":0,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":13,\"src.process.moduleCount\":183,\"src.process.parent.name\":\"sihost.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1679402348269,\"src.process.image.md5\":\"da7063b17dbb8bbb3015351016868006\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"6EB4E5E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":215,\"osSrc.process.in
dicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"DNS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"osSrc.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"osSrc.process.parent.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"BE98E5E7AB538ED5\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"LOW\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":1560,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1679402338819,\"event.dns.response\":\"type: 5 arc.trafficmanager.net;type: 5 iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com;20.82.209.183;\",\"osSrc.process.parent.isStorylineRoot\":true,\"timestamp\":\"2023-03-21T12:38:58.819Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\sihost.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":3844,\"osSrc.process.parent.integrityLevel\":\"SYSTEM\",\"osSrc.process.uid\":\"AB96E5E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679402353,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Windows\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca\",\"src.process.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"osSrc.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"osSrc.process.parent.signedStatus\":\"signed\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"event.id\":\"01GW22WAJV99Z1NW9K3F6QFVZW_89\",\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"sihost.exe\",\"osSrc.process.parent.displayName\":\"Host Process for Windows Services\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":2,\"osSrc.process.startTime\":1679394831656,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":5,\"osSrc.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679402333356,\"osSrc.process.indicatorRansomwareCount\":0,\"mgmt.id\":\"16964\",\"osSrc.process.netConnCount\":5,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":7,\"osSrc.process.parent.isNative64Bit\":false,\"src.process.displayName\":\"Background Task Host\",\"osSrc.process.dnsCount\":5,\"event.dns.request\":\"arc.msn.com\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"6DB4E5E7AB538ED5\",\"src.process.parent.image.md5\":\"a21e7719d73d0322e2e7d61802cb8f80\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k 
NetworkService -p\",\"osSrc.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.parent.isRedirectCmdProcessor\":false,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"6DB4E5E7AB538ED5\",\"osSrc.process.parent.storyline.id\":\"5696E5E7AB538ED5\",\"osSrc.process.parent.pid\":852,\"src.process.parent.uid\":\"BD98E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00\",\"src.process.sessionId\":2,\"src.process.netConnCount\":2,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"group.id\":\"6EB4E5E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1679394873882,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":2,\"osSrc.process.tgtFileDeletionCount\":0,\"osSrc.process.indicatorEvasionCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW22WAJV99Z1NW9K3F6QFVZW\",\"src.process.name\":\"backgroundTaskHost.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.parent.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"osSrc.process.displayName\":\"Host Process for Windows Services\",\"src.process.image.sha256\":\"20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50\",\"osSrc.process.parent.user\":\"NT 
AUTHORITY\\\\SYSTEM\",\"src.process.indicatorGeneralCount\":5,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"75E7BCB69CB14C3DA5B6290CF70ECE02\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"osSrc.process.parent.uid\":\"5596E5E7AB538ED5\",\"osSrc.process.storyline.id\":\"AC96E5E7AB538ED5\",\"event.type\":\"DNS Resolved\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4164}", "event": { "action": "DNS Resolved", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "network" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-21T12:38:58.819000Z", "agent": { "version": "22.3.2.373" }, @@ -264,8 +265,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "DNS Resolved", - "category": "dns" + "category": "dns", + "type": "DNS Resolved" }, "host": { "os": { 
@@ -273,91 +274,49 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "process": {
+ "code_signature": {
+ "exists": "true",
+ "subject_name": "MICROSOFT WINDOWS"
+ },
+ "command_line": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
 "counters": {
+ "child_process": 0,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 2,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 0,
 "module_load": 183,
 "net_conn": 2,
 "net_conn_in": 0,
 "net_conn_out": 2,
 "registry_modification": 0
 },
- "family": "SYS_WIN32",
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "6EB4E5E7AB538ED5",
- "uid": "6DB4E5E7AB538ED5",
- "command_line": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
 "executable": {
 "name": "C:\\Windows\\System32\\backgroundTaskHost.exe"
 },
+ "family": "SYS_WIN32",
 "hash": {
 "md5": "da7063b17dbb8bbb3015351016868006",
 "sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
 "sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
 },
+ "integrity_level": "LOW",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
 "name": "backgroundTaskHost.exe",
- "pid": "3844",
- "title": "Background Task Host",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-21T12:38:53.356000Z",
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
- "parent": {
- "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "BE98E5E7AB538ED5",
- "uid": "BD98E5E7AB538ED5",
- "command_line": 
"sihost.exe",
- "executable": {
- "name": "C:\\Windows\\System32\\sihost.exe"
- },
- "hash": {
- "md5": "a21e7719d73d0322e2e7d61802cb8f80",
- "sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
- "sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00"
- },
- "name": "sihost.exe",
- "pid": "4164",
- "title": "Shell Infrastructure Host",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-21T10:34:33.882000Z",
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- }
- },
 "ossrc": {
 "counters": {
+ "child_process": 0,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 5,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 0,
 "module_load": 215,
 "net_conn": 5,
 "net_conn_in": 0,
@@ -368,10 +327,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "integrity_level": "SYSTEM",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "AC96E5E7AB538ED5",
- "uid": "AB96E5E7AB538ED5",
 "parent": {
 "integrity_level": "SYSTEM",
 "is_redirected_command_processor": "False",
@@ -380,78 +335,57 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "session_id": "0",
 "storyline_id": "5696E5E7AB538ED5",
 "uid": "5596E5E7AB538ED5"
- }
- }
- }
- },
- "host": {
- "name": "desktop-jdoe",
- "os": {
- "family": "windows",
- "name": "Windows 10 Pro"
- },
- "type": "desktop"
- },
- "observer": {
- "vendor": "SentinelOne"
- },
- "@timestamp": "2023-03-21T12:38:58.819000Z",
- "process": {
- "command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p",
- "executable": "C:\\Windows\\System32\\svchost.exe",
- "name": "svchost.exe",
- "pid": 1560,
- "title": "Host Process for Windows Services",
- "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
- },
- "working_directory": "C:\\Windows\\System32",
- "hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
- "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
- },
- "start": "2023-03-21T10:33:51.656000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- },
- "parent": {
- "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
- "executable": "C:\\Windows\\System32\\svchost.exe",
- "name": "svchost.exe",
- "process": {
- "pid": "852"
+ },
+ "root": "True",
+ "session_id": "0",
+ "storyline_id": "AC96E5E7AB538ED5",
+ "uid": "AB96E5E7AB538ED5"
 },
- "title": "Host Process for Windows Services",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
+ "parent": {
+ "code_signature": {
+ "exists": "true",
+ "subject_name": "MICROSOFT WINDOWS"
+ },
+ "command_line": "sihost.exe",
+ "executable": {
+ "name": "C:\\Windows\\System32\\sihost.exe"
+ },
+ "family": "SYS_WIN32",
+ "hash": {
+ "md5": "a21e7719d73d0322e2e7d61802cb8f80",
+ "sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
+ "sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00"
+ },
+ "integrity_level": "HIGH",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
+ 
"name": "sihost.exe",
+ "pid": "4164",
+ "root": "True",
+ "session_id": 2,
+ "start": "2023-03-21T10:34:33.882000Z",
+ "storyline_id": "BE98E5E7AB538ED5",
+ "title": "Shell Infrastructure Host",
+ "uid": "BD98E5E7AB538ED5",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
+ },
+ "working_directory": "C:\\Windows\\System32"
 },
- "working_directory": "C:\\Windows\\System32",
- "hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
- "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ "pid": "3844",
+ "root": "True",
+ "session_id": 2,
+ "start": "2023-03-21T12:38:53.356000Z",
+ "storyline_id": "6EB4E5E7AB538ED5",
+ "title": "Background Task Host",
+ "uid": "6DB4E5E7AB538ED5",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
 },
- "start": "2023-03-21T10:33:49.780000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- }
+ "working_directory": "C:\\Windows\\System32"
 }
 },
- "user": {
- "name": "NETWORK SERVICE",
- "domain": "NT AUTHORITY"
- },
 "dns": {
- "question": {
- "name": "arc.msn.com",
- "top_level_domain": "com",
- "subdomain": "arc",
- "registered_domain": "msn.com"
- },
- "type": "answer",
 "answers": [
 {
 "name": "arc.trafficmanager.net",
@@ -465,7 +399,69 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "name": "20.82.209.183",
 "type": "A"
 }
- ]
+ ],
+ "question": {
+ "name": "arc.msn.com",
+ "registered_domain": "msn.com",
+ "subdomain": "arc",
+ "top_level_domain": "com"
+ },
+ "type": "answer"
+ },
+ "host": {
+ "name": "desktop-jdoe",
+ "os": {
+ "family": "windows",
+ "name": "Windows 10 Pro"
+ },
+ "type": "desktop"
+ },
+ "observer": {
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
+ "command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p",
+ "executable": "C:\\Windows\\System32\\svchost.exe",
+ "hash": {
+ "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
+ "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
+ "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ },
+ "name": "svchost.exe",
+ "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
+ "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
+ "executable": "C:\\Windows\\System32\\svchost.exe",
+ "hash": {
+ "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
+ "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
+ "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ },
+ "name": "svchost.exe",
+ "process": {
+ "pid": "852"
+ },
+ "start": "2023-03-21T10:33:49.780000Z",
+ "title": "Host Process for Windows Services",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ },
+ "working_directory": "C:\\Windows\\System32"
+ },
+ "pid": 1560,
+ "start": "2023-03-21T10:33:51.656000Z",
+ "title": "Host Process for Windows Services",
+ "user": {
+ "name": "NT AUTHORITY\\NETWORK SERVICE"
+ },
+ "working_directory": "C:\\Windows\\System32"
 },
 "related": {
 "hash": [
@@ -473,12 +469,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
 "b7f884c1b74a263f746ee12a5f7c9f6a"
 ],
- "user": [
- "NETWORK SERVICE"
- ],
 "hosts": [
 "arc.msn.com"
+ ],
+ "user": [
+ "NETWORK SERVICE"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "name": "NETWORK SERVICE"
 }
 }
@@ -493,15 +493,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"driver\",\"tgt.file.modificationTime\":-11644473600000,\"src.process.parent.image.sha1\":\"f00f4ab908ec90b3a6a5939d340df144046b6e91\",\"site.id\":\"1640744535583677559\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"NT Kernel & System\",\"src.process.user\":\"SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":0,\"src.process.parent.name\":\"ntoskrnl.exe\",\"i.version\":\"preprocess-lib-1.0\",\"driver.startType\":7,\"sca:atlantisIngestTime\":1680604015448,\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"4735E7E7AB538ED5\",\"src.process.childProcCount\":2,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"DRIVERLOAD\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"4735E7E7AB538ED5\",\"driver.peSha1\":\"2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75\",\"tgt.file.creationTime\":-11644473600000,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1680603997497,\"timestamp\":\"2023-04-04T10:26:37.497Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":47104,\"src.process.image.sha1\":\"f00f4ab908ec90b3a6a5939d340df144046b6e91\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\ntoskrnl.exe\",\"tgt.file.sha1\":\"3f558347c2750e2a7e512e32870f04d917b936b7\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":4,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1680604021,\"dataSource.category\":\"security\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"tgt.file.description\":\"Indirect displays kernel-mode filter driver\",\"driver.certificate.thumbprintAlgorithm\":1704979472,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"tgt.file.isExecutable\":false,\"event.id\":\"01GX5WW9NEJCT67Y7FV3YKQGAC_104\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\ntoskrnl.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\IndirectKmd.sys\",\"tgt.file.extension\":\"sys\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1680601639956,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"tgt.file.type\":\"UNKNOWN\",\"src.process.displayName\":\"NT Kernel & 
System\",\"tgt.file.sha256\":\"2f4fe50c3abb7a37e0adb4429f18b8067ede0608bc4539bac626c2c6d75844b7\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"4635E7E7AB538ED5\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"4635E7E7AB538ED5\",\"driver.peSha256\":\"415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"4635E7E7AB538ED5\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"driver.isLoadedBeforeMonitor\":false,\"group.id\":\"4735E7E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1680601639956,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GX5WW9NEJCT67Y7FV3YKQGAC\",\"src.process.name\":\"ntoskrnl.exe\",\"tgt.file.md5\":\"9b943585ef2a4917e1bc2186045e4b64\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.indicatorGeneralCount\":0,\"tgt.file.internalName\":\"IndirectKmd.sys\",\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1E58F722484E4850B02469C4B6DDEBF3\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"SYSTEM\",\"tgt.file.id\":\"5382E3E7AB538ED5\",\"driver.loadVerdict\":\"BENIGN\",\"event.type\":\"Driver Load\",\"task.path\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\IndirectKmd.sys\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4}",
 "event": {
 "action": "Driver Load",
- "dataset": "cloud-funnel-2.0",
- "kind": "event",
 "category": [
 "driver"
 ],
+ "dataset": "cloud-funnel-2.0",
+ "kind": "event",
 "type": [
 "info"
 ]
 },
+ "@timestamp": "2023-04-04T10:26:37.497000Z",
 "agent": {
 "version": 
"22.3.2.373"
 },
@@ -511,9 +512,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "trace_id": "01GX5WW9NEJCT67Y7FV3YKQGAC",
 "uuid": "9a25d24fd1e4418dab8e358865fa1e29"
 },
+ "driver": {
+ "hash": {
+ "sha1": "2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75",
+ "sha256": "415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce"
+ },
+ "isloadedbeforemonitor": "False",
+ "start_code": "7",
+ "start_type": "Invalid or unknown",
+ "verdict": "BENIGN"
+ },
 "event": {
- "type": "Driver Load",
- "category": "driver"
+ "category": "driver",
+ "type": "Driver Load"
+ },
+ "file": {
+ "type": "UNKNOWN"
 },
 "host": {
 "os": {
@@ -522,14 +536,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "counters": {
+ "child_process": 2,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 0,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 2,
 "module_load": 0,
 "net_conn": 0,
 "net_conn_in": 0,
@@ -540,10 +554,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "integrity_level": "SYSTEM",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
- "root": "True",
- "session_id": 0,
- "storyline_id": "4735E7E7AB538ED5",
- "uid": "4635E7E7AB538ED5",
 "parent": {
 "family": "SYS_WIN32",
 "integrity_level": "SYSTEM",
@@ -553,22 +563,29 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "session_id": 0,
 "storyline_id": "4735E7E7AB538ED5",
 "uid": "4635E7E7AB538ED5"
- }
- },
- "driver": {
- "verdict": "BENIGN",
- "isloadedbeforemonitor": "False",
- "hash": {
- "sha1": "2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75",
- "sha256": "415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce"
 },
- "start_code": "7",
- "start_type": "Invalid or unknown"
- },
- "file": {
- "type": "UNKNOWN"
+ "root": "True",
+ "session_id": 0,
+ "storyline_id": "4735E7E7AB538ED5",
+ "uid": "4635E7E7AB538ED5"
 }
 },
+ "file": {
+ "code_signature": {
+ "exists": false
+ },
+ "created": "1966-04-24T06:14:24Z",
+ "directory": "C:\\Windows\\System32\\drivers",
+ "hash": {
+ "md5": "9b943585ef2a4917e1bc2186045e4b64",
+ "sha1": "3f558347c2750e2a7e512e32870f04d917b936b7",
+ "sha256": "2f4fe50c3abb7a37e0adb4429f18b8067ede0608bc4539bac626c2c6d75844b7"
+ },
+ "mtime": "1966-04-24T06:14:24Z",
+ "name": "IndirectKmd.sys",
+ "path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
+ "size": 47104
+ },
 "host": {
 "name": "desktop-jdoe",
 "os": {
@@ -580,61 +597,41 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "observer": {
 "vendor": "SentinelOne"
 },
- "@timestamp": "2023-04-04T10:26:37.497000Z",
 "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "executable": "C:\\Windows\\System32\\ntoskrnl.exe",
 "hash": {
 "sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91"
 },
 "name": "ntoskrnl.exe",
- "pid": 4,
- "title": "NT Kernel & System",
- "user": {
- "name": "SYSTEM"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-04-04T09:47:19.956000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- },
 "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "executable": "C:\\Windows\\System32\\ntoskrnl.exe",
 "hash": {
 "sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91"
 },
 "name": "ntoskrnl.exe",
 "pid": 4,
+ "start": "2023-04-04T09:47:19.956000Z",
 "title": "NT Kernel & System",
 "user": {
 "name": "SYSTEM"
 },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-04-04T09:47:19.956000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- }
- }
- },
- "user": {
- "name": "SYSTEM"
- },
- "file": {
- "path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
- "hash": {
- "md5": "9b943585ef2a4917e1bc2186045e4b64",
- "sha1": "3f558347c2750e2a7e512e32870f04d917b936b7",
- "sha256": "2f4fe50c3abb7a37e0adb4429f18b8067ede0608bc4539bac626c2c6d75844b7"
+ "working_directory": "C:\\Windows\\System32"
 },
- "size": 47104,
- "created": "1966-04-24T06:14:24Z",
- "mtime": "1966-04-24T06:14:24Z",
- "code_signature": {
- "exists": false
+ "pid": 4,
+ "start": "2023-04-04T09:47:19.956000Z",
+ "title": "NT Kernel & System",
+ "user": {
+ "name": "SYSTEM"
 },
- "name": "IndirectKmd.sys",
- "directory": "C:\\Windows\\System32\\drivers"
+ "working_directory": "C:\\Windows\\System32"
 },
 "related": {
 "hash": [
@@ -646,6 +643,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "name": "SYSTEM"
 }
 }
@@ -660,15 +660,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"file\",\"tgt.file.modificationTime\":1679329231269,\"src.process.parent.image.sha1\":\"08a3589a9016172702c75f16fe3c694b90942514\",\"site.id\":\"1640744535583677559\",\"tgt.file.location\":\"Local\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Windows Explorer\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":2,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":34,\"src.process.parent.name\":\"explorer.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679329289765,\"src.process.image.md5\":\"8a2122e8162dbef04694b9c3e0b6cdee\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"DA84E5E7AB538ED5\",\"src.process.childProcCount\":2,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"FILECREATION\",\"src.process.parent.integrityLevel\":\"HIGH\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"0447E5E7AB538ED5\",\"tgt.file.creationTime\":1679329231269,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679329231269,\"timestamp\":\"2023-03-20T16:20:31.269Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":0,\"src.process.image.sha1\":\"f1efb0fddc156e4c61c5f78a54700e4e7984d55d\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\explorer.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":7620,\"sca:ingestTime\":1679329295,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"tgt.file.isExecutable\":false,\"event.id\":\"01GVZX6RZEB3094AVABXWGMYP4_0\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\Explorer.EXE\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":2,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"C:\\\\Users\\\\john.doe\\\\Desktop\\\\TEST FILE ARY_2\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679328877107,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"tgt.file.type\":\"UNKNOWN\",\"src.process.displayName\":\"Windows Command 
Processor\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"src.process.uid\":\"D984E5E7AB538ED5\",\"src.process.parent.image.md5\":\"b5da026b38c9e98a6f6d4061b6c3b4f3\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"D984E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"0347E5E7AB538ED5\",\"src.process.parent.image.sha256\":\"5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"DA84E5E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679328586417,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GVZX6RZEB3094AVABXWGMYP4\",\"src.process.name\":\"cmd.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\"src.process.indicatorGeneralCount\":12,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"E0C3EB49976C4B329FC386C214376CA6\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"tgt.file.id\":\"2E85E5E7AB538ED5\",\"event.type\":\"File Creation\",\"task.path\":\"C:\\\\Users\\\\john.doe\\\\Desktop\\\\TEST FILE ARY_2\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2280}",
 "event": {
 "action": "File Creation",
- "dataset": "cloud-funnel-2.0",
- "kind": "event",
 "category": [
 "file"
 ],
+ "dataset": "cloud-funnel-2.0",
+ "kind": "event",
 "type": [
 "creation"
 ]
 },
+ "@timestamp": "2023-03-20T16:20:31.269000Z",
 "agent": {
 "version": "22.3.2.373"
 },
@@ -679,8 +680,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "uuid": "9a25d24fd1e4418dab8e358865fa1e29"
 },
 "event": {
- "type": "File Creation",
- "category": "file"
+ "category": "file",
+ "type": "File Creation"
+ },
+ "file": {
+ "location": "Local",
+ "type": "UNKNOWN"
 },
 "host": {
 "os": {
@@ -689,14 +694,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "counters": {
+ "child_process": 2,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 0,
 "file_creation": 2,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 2,
 "module_load": 34,
 "net_conn": 0,
 "net_conn_in": 0,
@@ -707,10 +712,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "integrity_level": "HIGH",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "DA84E5E7AB538ED5",
- "uid": "D984E5E7AB538ED5",
 "parent": {
 "family": "SYS_WIN32",
 "integrity_level": "HIGH",
@@ -720,15 +721,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "session_id": 2,
 "storyline_id": "0447E5E7AB538ED5",
 "uid": "0347E5E7AB538ED5"
- }
- },
- "file": {
- "location": "Local",
- "type": "UNKNOWN"
+ },
+ "root": "True",
+ "session_id": 2,
+ "storyline_id": "DA84E5E7AB538ED5",
+ "uid": "D984E5E7AB538ED5"
 }
 },
- "host": {
- "name": "desktop-jdoe",
+ "file": {
+ "code_signature": {
+ "exists": false
+ },
+ "created": "2023-03-20T16:20:31.269000Z",
+ "directory": "C:\\Users\\john.doe\\Desktop",
+ "mtime": "2023-03-20T16:20:31.269000Z",
+ "name": "TEST FILE ARY_2",
+ "path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
+ "size": 0
+ },
+ "host": {
+ "name": "desktop-jdoe",
 "os": {
 "family": "windows",
 "name": "Windows 10 Pro"
@@ -738,8 +750,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "observer": {
 "vendor": "SentinelOne"
 },
- "@timestamp": "2023-03-20T16:20:31.269000Z",
 "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "\"C:\\Windows\\system32\\cmd.exe\"",
 "executable": "C:\\Windows\\System32\\cmd.exe",
 "hash": {
@@ -748,18 +763,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450"
 },
 "name": "cmd.exe",
- "pid": 7620,
- "title": "Windows Command Processor",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-20T16:14:37.107000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- },
 "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "C:\\Windows\\Explorer.EXE",
 "executable": "C:\\Windows\\explorer.exe",
 "hash": {
@@ -769,32 +777,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "name": "explorer.exe",
 "pid": 2280,
+ "start": "2023-03-20T16:09:46.417000Z",
 "title": "Windows Explorer",
 "user": {
 "name": "desktop-jdoe\\john.doe"
 },
- "working_directory": "C:\\Windows",
- "start": "2023-03-20T16:09:46.417000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- }
- }
- },
- "user": {
- "name": "john.doe",
- "domain": "desktop-jdoe"
- },
- "file": {
- "path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
- "size": 0,
- "created": "2023-03-20T16:20:31.269000Z",
- "mtime": "2023-03-20T16:20:31.269000Z",
- "code_signature": {
- "exists": false
+ "working_directory": "C:\\Windows"
 },
- "name": "TEST FILE ARY_2",
- "directory": "C:\\Users\\john.doe\\Desktop"
+ "pid": 7620,
+ "start": "2023-03-20T16:14:37.107000Z",
+ "title": "Windows Command Processor",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
+ },
+ "working_directory": "C:\\Windows\\System32"
 },
 "related": {
 "hash": [
@@ -808,6 +804,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "john.doe"
 ]
+ },
+ "user": {
+ "domain": "desktop-jdoe",
+ "name": "john.doe"
 }
 }
@@ -822,15 +822,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"file\",\"tgt.file.modificationTime\":1680183665718,\"src.process.parent.image.sha1\":\"08a3589a9016172702c75f16fe3c694b90942514\",\"site.id\":\"1640744535583677559\",\"tgt.file.location\":\"Local\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.parent.displayName\":\"Windows Explorer\",\"src.process.image.binaryIsExecutable\":true,\"osSrc.process.image.md5\":\"fbbcd4101d9daa064e2686834b1296be\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFT CORPORATION\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":587,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"c54490a0e8a6c9e665f081f3d55847f32d7cb25e\",\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":235,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":0,\"src.process.moduleCount\":755,\"src.process.parent.name\":\"explorer.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1680203775822,\"src.process.image.md5\":\"fbbcd4101d9daa064e2686834b1296be\",\"src.process.indicatorReconnaissanceCount\":1,\"src.process.storyline.id\":\"14C2E6E7AB538ED5\",\"src.process.childProcCount\":25,\"osSrc.process.activeContentType\":\"FILE\",\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":89,\"osSrc.pr
ocess.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"FILEDELETION\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"desktop-jdoe\\\\john.doe\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":2,\"src.process.indicatorExploitationCount\":1,\"osSrc.process.registryChangeCount\":1,\"src.process.parent.storyline.id\":\"96BFE6E7AB538ED5\",\"tgt.file.creationTime\":1680183598071,\"osSrc.process.netConnInCount\":0,\"src.process.integrityLevel\":\"HIGH\",\"i.scheme\":\"edr\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":6348,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1680203773098,\"timestamp\":\"2023-03-30T19:16:13.098Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":1385914,\"src.process.image.sha1\":\"c54490a0e8a6c9e665f081f3d55847f32d7cb25e\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\explorer.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":6384,\"osSrc.process.uid\":\"9AC2E6E7AB538ED5\",\"src.process.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start \\/prefetch:5\",\"src.process.publisher\":\"MICROSOFT 
CORPORATION\",\"sca:ingestTime\":1680203781,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"LOW\",\"src.process.crossProcessCount\":606,\"src.process.signedStatus\":\"signed\",\"osSrc.process.subsystem\":\"SYS_WIN32\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"tgt.file.isExecutable\":false,\"event.id\":\"01GWSZ5Z9090XZJD6DMNCG2SZ3_29\",\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\Explorer.EXE\",\"src.process.image.path\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"src.process.tgtFileModificationCount\":246,\"osSrc.process.name\":\"msedge.exe\",\"src.process.indicatorEvasionCount\":19,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp\",\"osSrc.process.startTime\":1680183591983,\"tgt.file.extension\":\"tmp\",\"src.process.crossProcessDupThreadHandleCount\":19,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":0,\"osSrc.process.image.sha256\":\"db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa\",\"src.process.tgtFileDeletionCount\":60,\"src.process.startTime\":1680183585577,\"osSrc.process.indicatorRansomwareCount\":0,\"mgmt.id\":\"16964\",\"osSrc.process.netConnCount\":0,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":6,\"tgt.file.type\":\"UNKNOWN\",\"src.process.displayName\":\"Microsoft 
Edge\",\"osSrc.process.dnsCount\":0,\"src.process.parent.sessionId\":2,\"src.process.isNative64Bit\":false,\"osSrc.process.sessionId\":2,\"src.process.uid\":\"13C2E6E7AB538ED5\",\"src.process.parent.image.md5\":\"b5da026b38c9e98a6f6d4061b6c3b4f3\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --type=renderer --instant-process --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --time-ticks-at-unix-epoch=-1680169371680820 --launch-time-ticks=14220180564 --mojo-platform-channel-handle=4512 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 \\/prefetch:1\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"13C2E6E7AB538ED5\",\"src.process.parent.uid\":\"95BFE6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"group.id\":\"14C2E6E7AB538ED5\",\"osSrc.process.activeContent.signedStatus\":\"unsigned\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.parent.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1680183557249,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":0,\"osSrc.process.indicatorEvasionCount\":1,\"osSrc.process.tgtFileDeletionCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSZ5Z9090XZJD6DMNCG2SZ3\",\"src.process.name\":\"msedge.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.displayName\":\"Microsoft Edge\",\"src.process.image.sha256\":\"db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa\",\"src.process.indicatorGeneralCount\":168,\"src.process.crossProcessOutOfStorylineCount\":11,\"src.process.registryChangeCount\":35,\"packet.id\":\"6E623DBE96C14642980FE486FCC335F2\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"tgt.file.id\":\"00C3E6E7AB538ED5\",\"osSrc.process.storyline.id\":\"14C2E6E7AB538ED5\",\"event.type\":\"File Deletion\",\"task.path\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4492}", "event": { "action": "File Deletion", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "file" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "deletion" ] }, + "@timestamp": "2023-03-30T19:16:13.098000Z", "agent": { "version": "22.3.2.373" }, @@ -841,8 +842,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "File Deletion", - "category": "file" + "category": "file", + "type": "File Deletion" + }, + "file": { + "location": "Local", + "type": "UNKNOWN" }, "host": { "os": { 
@@ -850,76 +855,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "activecontent": { + "code_signature": { + "exists": "false" + }, + "type": "FILE" + }, + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT CORPORATION" + }, + "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5", "counters": { + "child_process": 25, + "cross_process": 606, "cross_process_dup_process_handle": 587, "cross_process_dup_thread_handle": 19, - "cross_process": 606, "dns_lookups": 0, "file_creation": 235, "file_deletion": 60, "file_modification": 246, - "child_process": 25, "module_load": 755, "net_conn": 0, "net_conn_in": 0, "net_conn_out": 0, "registry_modification": 35 }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "14C2E6E7AB538ED5", - "uid": "13C2E6E7AB538ED5", - "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5", "executable": { "name": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "fbbcd4101d9daa064e2686834b1296be", "sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e", "sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa" }, + "integrity_level": "HIGH", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "msedge.exe", - "pid": "6384", - "title": "Microsoft Edge", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application", - "start": "2023-03-30T13:39:45.577000Z", - "activecontent": { - "type": "FILE", - "code_signature": { - "exists": "false" - } - }, - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT 
CORPORATION" - }, - "parent": { - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "96BFE6E7AB538ED5", - "uid": "95BFE6E7AB538ED5" - }, "ossrc": { + "activecontent": { + "code_signature": { + "exists": "false" + }, + "type": "FILE" + }, "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 2, - "child_process": 0, "module_load": 89, "net_conn": 0, "net_conn_in": 0, 
@@ -933,20 +923,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "root": "False", "session_id": "2", "storyline_id": "14C2E6E7AB538ED5", - "uid": "9AC2E6E7AB538ED5", - "activecontent": { - "type": "FILE", - "code_signature": { - "exists": "false" - } - } - } - }, - "file": { - "location": "Local", - "type": "UNKNOWN" + "uid": "9AC2E6E7AB538ED5" + }, + "parent": { + "family": "SYS_WIN32", + "integrity_level": "HIGH", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": 2, + "storyline_id": "96BFE6E7AB538ED5", + "uid": "95BFE6E7AB538ED5" + }, + "pid": "6384", + "root": "True", + "session_id": 2, + "start": "2023-03-30T13:39:45.577000Z", + "storyline_id": "14C2E6E7AB538ED5", + "title": "Microsoft Edge", + "uid": "13C2E6E7AB538ED5", + "user": { + "name": "desktop-jdoe\\john.doe" + }, + "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" } }, + "file": { + "code_signature": { + "exists": false + }, + "created": "2023-03-30T13:39:58.071000Z", + "directory": "C:\\Users\\john.doe\\AppData\\Local\\Temp", + "mtime": "2023-03-30T13:41:05.718000Z", + "name": "4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp", + "path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp", + "size": 1385914 + }, "host": { "name": "desktop-jdoe", "os": { 
@@ -958,9 +970,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T19:16:13.098000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT CORPORATION" + }, + "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --instant-process --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --time-ticks-at-unix-epoch=-1680169371680820 --launch-time-ticks=14220180564 --mojo-platform-channel-handle=4512 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:1", + "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "hash": { + "md5": "fbbcd4101d9daa064e2686834b1296be", + "sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e", + "sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa" + }, + "name": "msedge.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "hash": { 
@@ -970,51 +997,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "explorer.exe", "pid": 4492, + "start": "2023-03-30T13:39:17.249000Z", "title": "Windows Explorer", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Windows", - "start": "2023-03-30T13:39:17.249000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows" }, - "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --instant-process --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --time-ticks-at-unix-epoch=-1680169371680820 --launch-time-ticks=14220180564 --mojo-platform-channel-handle=4512 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:1", - "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", - "name": "msedge.exe", "pid": 6348, + "start": "2023-03-30T13:39:51.983000Z", "title": "Microsoft Edge", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application", - "hash": { - "md5": "fbbcd4101d9daa064e2686834b1296be", - "sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e", - "sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa" - }, - "start": "2023-03-30T13:39:51.983000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT CORPORATION" - } - }, - "user": { - "name": "john.doe", - "domain": "desktop-jdoe" - }, - "file": { - "path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp", - "size": 1385914, - "created": "2023-03-30T13:39:58.071000Z", - "mtime": "2023-03-30T13:41:05.718000Z", - "code_signature": { - "exists": false - }, - "name": "4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp", - "directory": 
"C:\\Users\\john.doe\\AppData\\Local\\Temp" + "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" }, "related": { "hash": [ @@ -1028,6 +1024,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "user": { + "domain": "desktop-jdoe", + "name": "john.doe" } } 
@@ -1042,15 +1042,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"file\",\"tgt.file.modificationTime\":-11644473600000,\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"tgt.file.location\":\"Local\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Services and Controller app\",\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":5,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":288,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679577677249,\"src.process.image.md5\":\"88cbcd6927355b5dccd9827aeb1e6dbd\",\"src.process.indicatorReconnaissanceCount\":7,\"src.process.storyline.id\":\"85D1E5E7AB538ED5\",\"src.process.childProcCount\":5,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"FILERENAME\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"D7D0E5E7AB538ED5\",\"tgt.file.creationTime\":-11644473600000,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679577675272,\"timestamp\":\"2023-03-23T13:21:15.272Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":2048,\"src.process.image.sha1\":\"c6ef4c5e8090a4913fbfd8372c9df08450fe8005\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":2484,\"sca:ingestTime\":1679577682,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WindowsAzureGuestAgent.exe\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":5,\"tgt.file.isExecutable\":false,\"event.id\":\"01GW7A2YG38DG8CTD6M5WV2DZH_68\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"src.process.image.path\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WindowsAzureGuestAgent.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":19,\"tgt.file.path\":\"C:\\\\WindowsAzure\\\\Logs\\\\AggregateStatus\\\\aggregatestatus_20230323132115270.json\",\"tgt.file.extension\":\"json\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679577547094,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 
Pro\",\"tgt.file.type\":\"UNKNOWN\",\"src.process.displayName\":\"WindowsAzureGuestAgent\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"84D1E5E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"84D1E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"D6D0E5E7AB538ED5\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"src.process.sessionId\":0,\"src.process.netConnCount\":19,\"mgmt.osRevision\":\"19044\",\"group.id\":\"85D1E5E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679577539634,\"src.process.dnsCount\":0,\"tgt.file.oldPath\":\"C:\\\\WindowsAzure\\\\Logs\\\\AggregateStatus\\\\aggregatestatus.json\",\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW7A2YG38DG8CTD6M5WV2DZH\",\"src.process.name\":\"WindowsAzureGuestAgent.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"4779d3eecbc47b0a389187ef411c727920a5898c9c0785e33aabf7338c994364\",\"src.process.indicatorGeneralCount\":6,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"AABF3FC035554DC3A72C57304DE3131B\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"tgt.file.id\":\"F7D2E5E7AB538ED5\",\"event.type\":\"File Rename\",\"task.path\":\"C:\\\\WindowsAzure\\\\Logs\\\\AggregateStatus\\\\aggregatestatus_20230323132115270.json\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":676}", "event": { "action": "File Rename", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ 
"file" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "change" ] }, + "@timestamp": "2023-03-23T13:21:15.272000Z", "agent": { "version": "22.3.2.373" }, @@ -1061,8 +1062,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "File Rename", - "category": "file" + "category": "file", + "type": "File Rename" + }, + "file": { + "location": "Local", + "old_path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json", + "type": "UNKNOWN" }, "host": { "os": { @@ -1071,14 +1077,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 5, + "cross_process": 5, "cross_process_dup_process_handle": 5, "cross_process_dup_thread_handle": 0, - "cross_process": 5, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 5, "module_load": 288, "net_conn": 19, "net_conn_in": 0, @@ -1089,10 +1095,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "85D1E5E7AB538ED5", - "uid": "84D1E5E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", 
@@ -1102,14 +1104,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "D7D0E5E7AB538ED5", "uid": "D6D0E5E7AB538ED5" - } - }, - "file": { - "location": "Local", - "old_path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json", - "type": "UNKNOWN" + }, + "root": "True", + "session_id": 0, + "storyline_id": "85D1E5E7AB538ED5", + "uid": "84D1E5E7AB538ED5" } }, + "file": { + "code_signature": { + "exists": false + }, + "created": "1966-04-24T06:14:24Z", + "directory": "C:\\WindowsAzure\\Logs\\AggregateStatus", + "mtime": "1966-04-24T06:14:24Z", + "name": "aggregatestatus_20230323132115270.json", + "path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json", + "size": 2048 + }, "host": { "name": "desktop-jdoe", "os": { @@ -1121,8 +1133,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-23T13:21:15.272000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe", "executable": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe", "hash": { 
@@ -1131,18 +1146,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "4779d3eecbc47b0a389187ef411c727920a5898c9c0785e33aabf7338c994364" }, "name": "WindowsAzureGuestAgent.exe", - "pid": 2484, - "title": "WindowsAzureGuestAgent", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252", - "start": "2023-03-23T13:19:07.094000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { @@ -1152,32 +1160,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 676, + "start": "2023-03-23T13:18:59.634000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-23T13:18:59.634000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, - "file": { - "path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json", - "size": 2048, - "created": "1966-04-24T06:14:24Z", - "mtime": "1966-04-24T06:14:24Z", - "code_signature": { - "exists": false + "working_directory": "C:\\Windows\\System32" }, - "name": "aggregatestatus_20230323132115270.json", - "directory": "C:\\WindowsAzure\\Logs\\AggregateStatus" + "pid": 2484, + "start": "2023-03-23T13:19:07.094000Z", + "title": "WindowsAzureGuestAgent", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252" }, "related": { "hash": [ 
@@ -1191,6 +1187,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } @@ -1208,6 +1208,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "cloud-funnel-2.0", "kind": "event" }, + "@timestamp": "2023-03-30T15:35:43.346000Z", "agent": { "version": "22.3.2.373" }, @@ -1218,8 +1219,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Group Creation", - "category": "group" + "category": "group", + "type": "Group Creation" }, "host": { "os": { @@ -1227,15 +1228,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "activecontent": { + "code_signature": { + "exists": "false" + }, + "hash": { + "sha1": "8b3d7f4397dd79d66b753745a676da89439ed38e" + }, + "path": "C:\\Users\\john.doe\\Desktop\\test.reg", + "type": "FILE" + }, "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 66, "net_conn": 0, "net_conn_in": 0, @@ -1246,20 +1257,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "HIGH", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "8EE6E6E7AB538ED5", - "uid": "8DE6E6E7AB538ED5", - "activecontent": { - "type": "FILE", - "path": "C:\\Users\\john.doe\\Desktop\\test.reg", - "hash": { - "sha1": "8b3d7f4397dd79d66b753745a676da89439ed38e" - }, - "code_signature": { - "exists": "false" - } - }, "parent": { "family": "SYS_WIN32", "integrity_level": "HIGH", 
@@ -1269,7 +1266,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 2, "storyline_id": "96BFE6E7AB538ED5", "uid": "95BFE6E7AB538ED5" - } + }, + "root": "True", + "session_id": 2, + "storyline_id": "8EE6E6E7AB538ED5", + "uid": "8DE6E6E7AB538ED5" } }, "host": { @@ -1283,8 +1284,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T15:35:43.346000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "\"regedit.exe\" \"C:\\Users\\john.doe\\Desktop\\test.reg\"", "executable": "C:\\Windows\\regedit.exe", "hash": { @@ -1293,18 +1297,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170" }, "name": "regedit.exe", - "pid": 7400, - "title": "Registry Editor", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Windows", - "start": "2023-03-30T15:35:43.341000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "hash": { 
@@ -1314,21 +1311,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "explorer.exe", "pid": 4492, + "start": "2023-03-30T13:39:17.249000Z", "title": "Windows Explorer", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Windows", - "start": "2023-03-30T13:39:17.249000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "john.doe", - "domain": "desktop-jdoe" + "working_directory": "C:\\Windows" + }, + "pid": 7400, + "start": "2023-03-30T15:35:43.341000Z", + "title": "Registry Editor", + "user": { + "name": "desktop-jdoe\\john.doe" + }, + "working_directory": "C:\\Windows" }, "related": { "hash": [ @@ -1342,6 +1338,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "user": { + "domain": "desktop-jdoe", + "name": "john.doe" } } @@ -1359,6 +1359,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "cloud-funnel-2.0", "kind": "event" }, + "@timestamp": "2023-03-24T09:56:39.952000Z", "agent": { "version": "22.3.2.373" }, 
@@ -1369,24 +1370,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Behavioral Indicators", - "category": "indicators" + "category": "indicators", + "type": "Behavioral Indicators" }, "host": { "os": { "revision": "19044" } }, + "indicator": { + "category": "Evasion", + "description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}", + "metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"", + "name": "PreloadInjection" + }, "process": { + "activecontent": { + "code_signature": { + "exists": "false" + }, + "type": "FILE" + }, "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 3, - "child_process": 0, "module_load": 84, "net_conn": 0, "net_conn_in": 0, @@ -1397,17 +1410,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "LOW", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 2, - "storyline_id": "2D1EE6E7AB538ED5", - "uid": "F328E6E7AB538ED5", - "activecontent": { - "type": "FILE", - "code_signature": { - "exists": "false" - } - }, "parent": { + "activecontent": { + "code_signature": { + "exists": "false" + }, + "type": "FILE" + }, "family": "SYS_WIN32", "integrity_level": "HIGH", "is_redirected_command_processor": "False", 
@@ -1415,20 +1424,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "root": "True", "session_id": 2, "storyline_id": "2D1EE6E7AB538ED5", - "uid": "2C1EE6E7AB538ED5", - "activecontent": { - "type": "FILE", - "code_signature": { - "exists": "false" - } - } - } - }, - "indicator": { - "name": "PreloadInjection", - "description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}", - "category": "Evasion", - "metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"" + "uid": "2C1EE6E7AB538ED5" + }, + "root": "False", + "session_id": 2, + "storyline_id": "2D1EE6E7AB538ED5", + "uid": "F328E6E7AB538ED5" } }, "host": { @@ -1442,8 +1443,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-24T09:56:39.952000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT CORPORATION" + }, "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4272 --field-trial-handle=1904,i,13954562701905874655,10086179210364072054,131072 /prefetch:8", "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "hash": { 
@@ -1452,18 +1456,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693" }, "name": "msedge.exe", - "pid": 8064, - "title": "Microsoft Edge", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application", - "start": "2023-03-24T09:56:39.947000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT CORPORATION" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT CORPORATION" + }, "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5", "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "hash": { @@ -1473,21 +1470,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "msedge.exe", "pid": 6728, + "start": "2023-03-24T09:46:14.169000Z", "title": "Microsoft Edge", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application", - "start": "2023-03-24T09:46:14.169000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT CORPORATION" - } - } - }, - "user": { - "name": "john.doe", - "domain": "desktop-jdoe" + "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" + }, + "pid": 8064, + "start": "2023-03-24T09:56:39.947000Z", + "title": "Microsoft Edge", + "user": { + "name": "desktop-jdoe\\john.doe" + }, + "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" }, "related": { "hash": [ @@ -1498,6 +1494,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "user": { + "domain": "desktop-jdoe", + "name": "john.doe" } } 
@@ -1512,15 +1512,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"ip\",\"src.process.parent.image.sha1\":\"68d7290a70ae3a396a0bd5164919694346047384\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"Microsoft Azure\u00c2\u00ae\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":168,\"src.process.parent.name\":\"WaAppAgent.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679405948601,\"src.process.image.md5\":\"c15e04000a62f18f0f726991d1d032dc\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"EE96E5E7AB538ED5\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"TCPV4\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.port.number\":50755,\"event.network.protocolName\":\"http\",\"src.process.indicatorExploitationCount\":1,\"src.process.parent.storyline.id\":\"EE96E5E7AB538ED5\",\"src.process.integrityLevel\":\"SYSTEM\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679405946954,\"timestamp\":\"2023-03-21T13:39:06.954Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"410ddcff4d90f02fe4878a6b37f0766d33892b04\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"dst.port.number\":80,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":7020,\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"\\\"CollectGuestLogs.exe\\\" -Mode:ga -FileName:D:\\\\CollectGuestLogsTemp\\\\VMAgentLogs.zip\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"sca:ingestTime\":1679405954,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"event.id\":\"01GW26A6QWPJXQ3NZRZTVMTMWZ_13\",\"src.process.parent.cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"src.process.image.path\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\CollectGuestLogs.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":1,\"event.network.direction\":\"OUTGOING\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.ip.address\":\"10.0.0.11\",\"src.process.startTime\":1679405934712,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 
Pro\",\"src.process.displayName\":\"CollectGuestLogs\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"60B6E5E7AB538ED5\",\"src.process.parent.image.md5\":\"ec038f4fd73993de139b889e7bcf2f66\",\"event.network.connectionStatus\":\"SUCCESS\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"60B6E5E7AB538ED5\",\"src.process.parent.uid\":\"ED96E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9\",\"src.process.sessionId\":0,\"src.process.netConnCount\":1,\"mgmt.osRevision\":\"19044\",\"dst.ip.address\":\"168.63.129.16\",\"group.id\":\"EE96E5E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1679394836723,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW26A6QWPJXQ3NZRZTVMTMWZ\",\"src.process.name\":\"CollectGuestLogs.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"b3c6abea2eed98449416fd9942afeddff9960c9dd55e2268657c7d2003bfcf72\",\"src.process.indicatorGeneralCount\":2,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1701C18FFEE943BAB1EA019E610E9D8B\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"event.type\":\"IP Connect\",\"event.repetitionCount\":1,\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2304}", "event": { "action": "IP Connect", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "network" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-21T13:39:06.954000Z", "agent": { "version": "22.3.2.373" 
}, @@ -1531,8 +1532,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "IP Connect", - "category": "ip" + "category": "ip", + "type": "IP Connect" }, "host": { "os": { @@ -1541,14 +1542,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 1, "module_load": 168, "net_conn": 1, "net_conn_in": 0, @@ -1559,10 +1560,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 0, - "storyline_id": "EE96E5E7AB538ED5", - "uid": "60B6E5E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", @@ -1572,9 +1569,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "EE96E5E7AB538ED5", "uid": "ED96E5E7AB538ED5" - } + }, + "root": "False", + "session_id": 0, + "storyline_id": "EE96E5E7AB538ED5", + "uid": "60B6E5E7AB538ED5" } }, + "destination": { + "address": "168.63.129.16", + "ip": "168.63.129.16", + "port": 80 + }, "host": { "name": "desktop-jdoe", "os": { 
@@ -1583,11 +1589,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "desktop" }, + "network": { + "direction": "outbound", + "protocol": "http" + }, "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-21T13:39:06.954000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "\"CollectGuestLogs.exe\" -Mode:ga -FileName:D:\\CollectGuestLogsTemp\\VMAgentLogs.zip", "executable": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\CollectGuestLogs.exe", "hash": { @@ -1596,18 +1609,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "b3c6abea2eed98449416fd9942afeddff9960c9dd55e2268657c7d2003bfcf72" }, "name": "CollectGuestLogs.exe", - "pid": 7020, - "title": "CollectGuestLogs", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252", - "start": "2023-03-21T13:38:54.712000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe", "executable": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe", "hash": { 
@@ -1617,35 +1623,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "WaAppAgent.exe", "pid": 2304, + "start": "2023-03-21T10:33:56.723000Z", "title": "Microsoft Azure\u00c2\u00ae", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252", - "start": "2023-03-21T10:33:56.723000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, - "source": { - "ip": "10.0.0.11", - "address": "10.0.0.11", - "port": 50755 - }, - "destination": { - "address": "168.63.129.16", - "port": 80, - "ip": "168.63.129.16" - }, - "network": { - "direction": "outbound", - "protocol": "http" + "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252" + }, + "pid": 7020, + "start": "2023-03-21T13:38:54.712000Z", + "title": "CollectGuestLogs", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252" }, "related": { "hash": [ @@ -1663,6 +1654,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "source": { + "address": "10.0.0.11", + "ip": "10.0.0.11", + "port": 50755 + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } 
@@ -1677,15 +1677,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"ip\",\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"Services and Controller app\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":290,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1680187241789,\"src.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorReconnaissanceCount\":2,\"src.process.storyline.id\":\"1B91E6E7AB538ED5\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"TCPV4\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.port.number\":13470,\"event.network.protocolName\":\"ms-wbt-server\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"0591E6E7AB538ED5\",\"src.process.integrityLevel\":\"SYSTEM\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":15,\"event.time\":1680187214991,\"timestamp\":\"2023-03-30T14:40:14.991Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"dst.port.number\":3389,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":784,\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"sca:ingestTime\":1680187247,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"event.id\":\"01GWSFDCGBJQTT4N3NDHS3WR5B_6\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"event.network.direction\":\"INCOMING\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.ip.address\":\"184.105.247.194\",\"src.process.startTime\":1680169388118,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.displayName\":\"Host Process for Windows 
Services\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"1A91E6E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"event.network.connectionStatus\":\"SUCCESS\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"1A91E6E7AB538ED5\",\"src.process.parent.uid\":\"0491E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"src.process.sessionId\":0,\"src.process.netConnCount\":15,\"mgmt.osRevision\":\"19044\",\"dst.ip.address\":\"10.0.0.11\",\"group.id\":\"1B91E6E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS PUBLISHER\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1680169387098,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSFDCGBJQTT4N3NDHS3WR5B\",\"src.process.name\":\"svchost.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.indicatorGeneralCount\":12,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"ACF2D802403946EAB4FC44D3BDA2268A\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"event.type\":\"IP Connect\",\"event.repetitionCount\":2,\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":676}", "event": { "action": "IP Connect", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "network" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-30T14:40:14.991000Z", "agent": { "version": "22.3.2.373" }, 
@@ -1696,8 +1697,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "IP Connect", - "category": "ip" + "category": "ip", + "type": "IP Connect" }, "host": { "os": { @@ -1706,14 +1707,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 1, "module_load": 290, "net_conn": 15, "net_conn_in": 15, @@ -1724,10 +1725,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "1B91E6E7AB538ED5", - "uid": "1A91E6E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", @@ -1737,9 +1734,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "0591E6E7AB538ED5", "uid": "0491E6E7AB538ED5" - } + }, + "root": "True", + "session_id": 0, + "storyline_id": "1B91E6E7AB538ED5", + "uid": "1A91E6E7AB538ED5" } }, + "destination": { + "address": "10.0.0.11", + "ip": "10.0.0.11", + "port": 3389 + }, "host": { "name": "desktop-jdoe", "os": { @@ -1748,11 +1754,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "desktop" }, + "network": { + "direction": "inbound", + "protocol": "ms-wbt-server" + }, "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T14:40:14.991000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService", "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { 
@@ -1761,18 +1774,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, "name": "svchost.exe", - "pid": 784, - "title": "Host Process for Windows Services", - "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-30T09:43:08.118000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS PUBLISHER" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { @@ -1782,35 +1788,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 676, + "start": "2023-03-30T09:43:07.098000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-30T09:43:07.098000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS PUBLISHER" - } - } - }, - "user": { - "name": "NETWORK SERVICE", - "domain": "NT AUTHORITY" - }, - "source": { - "ip": "184.105.247.194", - "address": "184.105.247.194", - "port": 13470 - }, - "destination": { - "address": "10.0.0.11", - "port": 3389, - "ip": "10.0.0.11" - }, - "network": { - "direction": "inbound", - "protocol": "ms-wbt-server" + "working_directory": "C:\\Windows\\System32" + }, + "pid": 784, + "start": "2023-03-30T09:43:08.118000Z", + "title": "Host Process for Windows Services", + "user": { + "name": "NT AUTHORITY\\NETWORK SERVICE" + }, + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ 
@@ -1828,6 +1819,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NETWORK SERVICE" ] + }, + "source": { + "address": "184.105.247.194", + "ip": "184.105.247.194", + "port": 13470 + }, + "user": { + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } 
@@ -1842,15 +1842,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":false,\"event.category\":\"ip\",\"src.process.parent.image.sha1\":\"020c0ff3208f4c94856742122a8535565c979686\",\"site.id\":\"1640744535583677559\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"AttestationExtension\",\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":93,\"src.process.parent.name\":\"AttestationExtension.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1680198343920,\"src.process.image.md5\":\"830ab0741415bfe65817accb022b64d9\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"B491E6E7AB538ED5\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"TCPV4\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.port.number\":52343,\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"B491E6E7AB538ED5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":4,\"event.time\":1680198321581,\"timestamp\":\"2023-03-30T17:45:21.581Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"101d2bd70fb62dd0838483f2dc62bbd93f0dd009\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\AttestationExtension.exe\",\"dst.port.number\":52342,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":724,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1680198349,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\AttestationClient.exe\\\" -a \\\"\\\" -r \\\"\\\" -l C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21 -h C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\Status\\\\HeartBeat.Json -s C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\Status\\\\0.status -e C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\Events -v 1.0.1.21\",\"src.process.publisher\":\"MICROSOFT AZURE CODE SIGN\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GWST06SETGGAFBFHCC8YP6XD_19\",\"src.process.parent.cmdline\":\"\\\"C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\AttestationExtension.exe\\\" 
enable\",\"src.process.image.path\":\"C:\\\\Packages\\\\Plugins\\\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\\\1.0.1.21\\\\AttestationClient.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":4,\"src.process.reasonSignatureInvalid\":\"SignedNotVerified\",\"src.process.netConnOutCount\":19,\"event.network.direction\":\"OUTGOING\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.ip.address\":\"127.0.0.1\",\"src.process.startTime\":1680169453286,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.displayName\":\"AttestationClient.exe\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"F492E6E7AB538ED5\",\"src.process.parent.image.md5\":\"f4ad5b3598df100f80e240039f4fbed1\",\"event.network.connectionStatus\":\"SUCCESS\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"F492E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"EF92E6E7AB538ED5\",\"src.process.parent.image.sha256\":\"9cf3b22aaa92f8b6b1f817452cf12791a41cd3969674b46bd1e3718c328a6a44\",\"src.process.sessionId\":0,\"src.process.netConnCount\":23,\"mgmt.osRevision\":\"19044\",\"dst.ip.address\":\"127.0.0.1\",\"group.id\":\"B491E6E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"unverified\",\"src.process.parent.startTime\":1680169451297,\"src.process.dnsCount\":3,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWST06SETGGAFBFHCC8YP6XD\",\"src.process.name\":\"AttestationClient.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"139e2d3b4629933268034a68e6d5202f8c305d9ae29f728790711cc9841ae654\",\"src.process.indicatorGeneralCount\":6,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1014097947594B0B8EF
4843F10BCFFB9\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"event.type\":\"IP Connect\",\"event.repetitionCount\":1,\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":3444}", "event": { "action": "IP Connect", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "network" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-30T17:45:21.581000Z", "agent": { "version": "22.3.2.373" }, @@ -1861,8 +1862,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "IP Connect", - "category": "ip" + "category": "ip", + "type": "IP Connect" }, "host": { "os": { @@ -1871,14 +1872,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 3, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 1, "module_load": 93, "net_conn": 23, "net_conn_in": 4, @@ -1889,10 +1890,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 0, - "storyline_id": "B491E6E7AB538ED5", - "uid": "F492E6E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", 
@@ -1902,9 +1899,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "B491E6E7AB538ED5", "uid": "EF92E6E7AB538ED5" - } + }, + "root": "False", + "session_id": 0, + "storyline_id": "B491E6E7AB538ED5", + "uid": "F492E6E7AB538ED5" } }, + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 52342 + }, "host": { "name": "desktop-jdoe", "os": { @@ -1913,11 +1919,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "desktop" }, + "network": { + "direction": "outbound" + }, "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T17:45:21.581000Z", "process": { + "code_signature": { + "exists": true, + "status": "SignedNotVerified", + "subject_name": "MICROSOFT AZURE CODE SIGN", + "valid": false + }, "command_line": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe\" -a \"\" -r \"\" -l C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21 -h C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\HeartBeat.Json -s C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\0.status -e C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\Events -v 1.0.1.21", "executable": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe", "hash": { 
@@ -1926,20 +1940,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "139e2d3b4629933268034a68e6d5202f8c305d9ae29f728790711cc9841ae654" }, "name": "AttestationClient.exe", - "pid": 724, - "title": "AttestationClient.exe", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21", - "start": "2023-03-30T09:44:13.286000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT AZURE CODE SIGN", - "valid": false, - "status": "SignedNotVerified" - }, "parent": { + "code_signature": { + "exists": false + }, "command_line": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe\" enable", "executable": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe", "hash": { 
@@ -1949,33 +1953,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "AttestationExtension.exe", "pid": 3444, + "start": "2023-03-30T09:44:11.297000Z", "title": "AttestationExtension", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21", - "start": "2023-03-30T09:44:11.297000Z", - "code_signature": { - "exists": false - } - } - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1", - "port": 52343 - }, - "destination": { - "address": "127.0.0.1", - "port": 52342, - "ip": "127.0.0.1" - }, - "network": { - "direction": "outbound" + "working_directory": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21" + }, + "pid": 724, + "start": "2023-03-30T09:44:13.286000Z", + "title": "AttestationClient.exe", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21" }, "related": { "hash": [ @@ -1992,6 +1983,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 52343 + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } 
@@ -2006,15 +2006,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"event.category\":\"logins\",\"src.process.parent.isStorylineRoot\":false,\"src.process.parent.image.sha1\":\"8a212f529aa0a62646438b3494b9d899de182e85\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"sshd\",\"src.process.parent.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":0,\"src.process.parent.name\":\"sshd\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1681370638780,\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"55a4d014-9141-dea7-0774-371da18a6469\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.parent.eUserName\":\"root\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.eUserName\":\"root\",\"meta.event.name\":\"WINLOGONATTEMPT\",\"src.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"event.login.type\":\"REMOTE_INTERACTIVE\",\"src.process.parent.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"55a4cfe4-1718-2ae2-dc40-bc3f342f0eca\",\"event.login.loginIsSuccessful\":true,\"src.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1681370589631,\"src.endpoint.ip.address\":\"83.167.43.106\",\"timestamp\":\"2023-04-13T07:23:09.631Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"linux-desktop-S1\",\"src.process.image.sha1\":\"8a212f529aa0a62646438b3494b9d899de182e85\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"\\/usr\\/sbin\\/sshd\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":1669,\"tgt.file.isSigned\":\"unsigned\",\"src.process.cmdline\":\" sshd: jdoe [priv]\",\"sca:ingestTime\":1681370644,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.rUserUid\":0,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"unsigned\",\"event.id\":\"01GXWQZSEQ5HPDZ88XCF016WAM_25\",\"event.login.accountName\":\"jdoe\",\"src.process.parent.cmdline\":\" sshd: \\/usr\\/sbin\\/sshd -D [listener] 0 of 10-100 
startups\",\"src.process.image.path\":\"\\/usr\\/sbin\\/sshd\",\"src.process.tgtFileModificationCount\":5,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"src.process.eUserUid\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"linux\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1681370581710,\"mgmt.id\":\"16964\",\"os.name\":\"Linux\",\"src.process.displayName\":\"sshd\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"src.process.rUserUid\":0,\"src.process.uid\":\"55a4d014-764d-907e-3edd-f7aa19bbf4af\",\"event.login.sessionId\":0,\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"55a4d014-764d-907e-3edd-f7aa19bbf4af\",\"src.process.parent.eUserUid\":0,\"event.login.isAdministratorEquivalent\":false,\"agent.version\":\"22.4.2.4\",\"src.process.parent.uid\":\"55a4cfe3-efa4-0d32-96df-11e5be1ac48d\",\"src.process.parent.rUserName\":\"root\",\"event.login.userName\":\"jdoe\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"Debian GNU\\/11 (bullseye) 5.10.0-21-cloud-amd64\",\"group.id\":\"55a4d014-9141-dea7-0774-371da18a6469\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1681370573560,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"trace.id\":\"01GXWQZSEQ5HPDZ88XCF016WAM\",\"src.process.name\":\"sshd\",\"src.process.rUserName\":\"root\",\"agent.uuid\":\"55cf574b-9fd7-5278-2ee0-badefd0d22ad\",\"src.process.indicatorGeneralCount\":0,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"55afd0af-4609-018d-f36a-cbd2a92b6a59\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"event.type\":\"Login\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":647}", "event": { "action": "Login", - "dataset": "cloud-funnel-2.0", 
"category": [ "authentication" ], + "dataset": "cloud-funnel-2.0", "kind": "event", "type": [ "start" ] }, + "@timestamp": "2023-04-13T07:23:09.631000Z", + "action": { + "outcome": "success", + "properties": { + "IpAddress": "83.167.43.106", + "LogonType": "10", + "TargetUserName": "jdoe" + } + }, "agent": { "version": "22.4.2.4" }, @@ -2025,8 +2034,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad" }, "event": { - "type": "Login", - "category": "logins" + "category": "logins", + "type": "Login" }, "host": { "os": { @@ -2035,14 +2044,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 5, - "child_process": 1, "module_load": 0, "net_conn": 0, "net_conn_in": 0, @@ -2053,10 +2062,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 0, - "storyline_id": "55a4d014-9141-dea7-0774-371da18a6469", - "uid": "55a4d014-764d-907e-3edd-f7aa19bbf4af", "parent": { "family": "SUBSYSTEM_UNKNOWN", "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", @@ -2066,7 +2071,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca", "uid": "55a4cfe3-efa4-0d32-96df-11e5be1ac48d" - } + }, + "root": "False", + "session_id": 0, + "storyline_id": "55a4d014-9141-dea7-0774-371da18a6469", + "uid": "55a4d014-764d-907e-3edd-f7aa19bbf4af" } }, "host": { 
@@ -2080,30 +2089,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-04-13T07:23:09.631000Z", "process": { + "code_signature": { + "exists": false + }, "command_line": " sshd: jdoe [priv]", "executable": "/usr/sbin/sshd", "hash": { "sha1": "8a212f529aa0a62646438b3494b9d899de182e85" }, "name": "sshd", - "pid": 1669, - "title": "sshd", - "working_directory": "/usr/sbin", - "user": { - "name": "root", - "id": "0" - }, - "real_user": { - "name": "root", - "id": "0" - }, - "start": "2023-04-13T07:23:01.710000Z", - "code_signature": { - "exists": false - }, "parent": { + "code_signature": { + "exists": false + }, "command_line": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", "executable": "/usr/sbin/sshd", "hash": { @@ -2111,39 +2110,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "sshd", "pid": 647, - "title": "sshd", - "working_directory": "/usr/sbin", - "user": { - "name": "root", - "id": "0" - }, "real_user": { - "name": "root", - "id": "0" + "id": "0", + "name": "root" }, "start": "2023-04-13T07:22:53.560000Z", - "code_signature": { - "exists": false - } - } - }, - "user": { - "name": "jdoe", - "target": { - "name": "jdoe" - } - }, - "source": { - "ip": "83.167.43.106", - "address": "83.167.43.106" - }, - "action": { - "properties": { - "TargetUserName": "jdoe", - "IpAddress": "83.167.43.106", - "LogonType": "10" + "title": "sshd", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/sbin" }, - "outcome": "success" + "pid": 1669, + "real_user": { + "id": "0", + "name": "root" + }, + "start": "2023-04-13T07:23:01.710000Z", + "title": "sshd", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/sbin" }, "related": { "hash": [ 
@@ -2155,6 +2145,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jdoe" ] + }, + "source": { + "address": "83.167.43.106", + "ip": "83.167.43.106" + }, + "user": { + "name": "jdoe", + "target": { + "name": "jdoe" + } } } 
@@ -2169,15 +2169,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":false,\"event.category\":\"logins\",\"src.process.parent.image.sha1\":\"8a212f529aa0a62646438b3494b9d899de182e85\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"sshd\",\"src.process.parent.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":0,\"i.version\":\"preprocess-lib-1.0\",\"src.process.parent.name\":\"sshd\",\"sca:atlantisIngestTime\":1681315742455,\"src.process.storyline.id\":\"55d21a33-24e0-2280-8049-e395c2fe0885\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.parent.eUserName\":\"root\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.eUserName\":\"root\",\"meta.event.name\":\"WINLOGOFF\",\"src.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.parent.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"55d21a32-95e8-7a56-ad57-a9e6aac5a7bd\",\"src.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"i.scheme\":\"edr\",\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1681315720511,\"timestamp\":\"2023-04-12T16:08:40.511Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"linux-desktop-S1\",\"src.process.image.sha1\":\"8a212f529aa0a62646438b3494b9d899de182e85\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"\\/usr\\/sbin\\/sshd\",\"src.process.lUserName\":\"jdoe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":1153,\"tgt.file.isSigned\":\"unsigned\",\"src.process.cmdline\":\" sshd: jdoe 
[priv]\",\"dataSource.category\":\"security\",\"sca:ingestTime\":1681315747,\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.rUserUid\":0,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"unsigned\",\"event.id\":\"01GXV3MFMWN2TKVYBBQT6WR04X_21\",\"src.process.parent.cmdline\":\" sshd: \\/usr\\/sbin\\/sshd -D [listener] 0 of 10-100 startups\",\"src.process.image.path\":\"\\/usr\\/sbin\\/sshd\",\"src.process.tgtFileModificationCount\":2,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"src.process.eUserUid\":0,\"src.process.lUserUid\":1000,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"linux\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1681308825830,\"mgmt.id\":\"16964\",\"os.name\":\"Linux\",\"src.process.displayName\":\"sshd\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.rUserUid\":0,\"src.process.uid\":\"55d21a33-1090-cfe3-3e71-3be4cb5098b8\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"55d21a33-1090-cfe3-3e71-3be4cb5098b8\",\"src.process.parent.eUserUid\":0,\"agent.version\":\"22.4.2.4\",\"src.process.parent.uid\":\"55d21a32-6fa0-ec6b-21df-509b3ca7f0ed\",\"src.process.parent.rUserName\":\"root\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"Debian GNU\\/11 (bullseye) 
5.10.0-21-cloud-amd64\",\"group.id\":\"55d21a33-24e0-2280-8049-e395c2fe0885\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1681308331040,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"trace.id\":\"01GXV3MFMWN2TKVYBBQT6WR04X\",\"src.process.name\":\"sshd\",\"src.process.rUserName\":\"root\",\"agent.uuid\":\"55cf574b-9fd7-5278-2ee0-badefd0d22ad\",\"src.process.indicatorGeneralCount\":0,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"55c23dd3-0577-86b3-7357-f1fc8662a4a0\",\"src.process.parent.signedStatus\":\"unsigned\",\"src.process.indicatorPersistenceCount\":0,\"event.type\":\"Logout\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":720}", "event": { "action": "Logout", - "dataset": "cloud-funnel-2.0", "category": [ "authentication" ], + "dataset": "cloud-funnel-2.0", "kind": "event", "type": [ "end" ] }, + "@timestamp": "2023-04-12T16:08:40.511000Z", + "action": { + "outcome": "success" + }, "agent": { "version": "22.4.2.4" }, @@ -2188,8 +2192,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad" }, "event": { - "type": "Logout", - "category": "logins" + "category": "logins", + "type": "Logout" }, "host": { "os": { @@ -2198,14 +2202,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 2, - "child_process": 0, "module_load": 0, "net_conn": 0, "net_conn_in": 0, 
@@ -2216,10 +2220,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 0, - "storyline_id": "55d21a33-24e0-2280-8049-e395c2fe0885", - "uid": "55d21a33-1090-cfe3-3e71-3be4cb5098b8", "parent": { "family": "SUBSYSTEM_UNKNOWN", "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", @@ -2229,10 +2229,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd", "uid": "55d21a32-6fa0-ec6b-21df-509b3ca7f0ed" - } - } - }, - "host": { + }, + "root": "False", + "session_id": 0, + "storyline_id": "55d21a33-24e0-2280-8049-e395c2fe0885", + "uid": "55d21a33-1090-cfe3-3e71-3be4cb5098b8" + } + }, + "host": { "name": "linux-desktop-S1", "os": { "family": "linux", @@ -2243,30 +2247,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-04-12T16:08:40.511000Z", "process": { + "code_signature": { + "exists": false + }, "command_line": " sshd: jdoe [priv]", "executable": "/usr/sbin/sshd", "hash": { "sha1": "8a212f529aa0a62646438b3494b9d899de182e85" }, "name": "sshd", - "pid": 1153, - "title": "sshd", - "working_directory": "/usr/sbin", - "user": { - "name": "root", - "id": "0" - }, - "real_user": { - "name": "root", - "id": "0" - }, - "start": "2023-04-12T14:13:45.830000Z", - "code_signature": { - "exists": false - }, "parent": { + "code_signature": { + "exists": false + }, "command_line": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", "executable": "/usr/sbin/sshd", "hash": { 
@@ -2274,27 +2268,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "sshd", "pid": 720, - "title": "sshd", - "working_directory": "/usr/sbin", - "user": { - "name": "root", - "id": "0" - }, "real_user": { - "name": "root", - "id": "0" + "id": "0", + "name": "root" }, "start": "2023-04-12T14:05:31.040000Z", - "code_signature": { - "exists": false - } - } - }, - "user": { - "name": "root" - }, - "action": { - "outcome": "success" + "title": "sshd", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/sbin" + }, + "pid": 1153, + "real_user": { + "id": "0", + "name": "root" + }, + "start": "2023-04-12T14:13:45.830000Z", + "title": "sshd", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/sbin" }, "related": { "hash": [ @@ -2303,6 +2300,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" } } 
@@ -2317,15 +2317,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"tgt.process.displayName\":\"ip\",\"src.process.parent.isStorylineRoot\":false,\"event.category\":\"process\",\"src.process.parent.image.sha1\":\"50e2a658cfe2243cfe3e6f722f049b0ba377b7e4\",\"tgt.process.eUserName\":\"root\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"python3.9\",\"tgt.process.storyline.id\":\"55d21a32-c658-5f3f-5d8f-57420736161e\",\"tgt.process.isNative64Bit\":false,\"src.process.parent.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":0,\"src.process.parent.name\":\"python3.9\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1681309502217,\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"55d21a32-c658-5f3f-5d8f-57420736161e\",\"src.process.childProcCount\":1,\"src.process.parent.eUserName\":\"root\",\"mgmt.url\":\"euce1-105.sentinelone.net\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.eUserName\":\"root\",\"src.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"meta.event.name\":\"PROCESSCREATION\",\"src.process.parent.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"55d21a32-c658-5f3f-5d8f-57420736161e\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/ip\",\"src.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"i.scheme\":\"edr\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1681309474835,\"timestamp\":\"2023-04-12T14:24:34.835Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"linux-desktop-S1\",\"src.process.image.sha1\":\"827265afe07691a445674eb09e0eb4fd025dbd43\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"\\/usr\\/bin\\/python3.9\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":1517,\"tgt.file.isSigned\":\"unsigned\",\"src.process.cmdline\":\" \\/bin\\/sh -c ip -6 -a -o address\",\"sca:ingestTime\":1681309508,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.rUserUid\":0,\"src.process.parent.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"3c954614f2c9af7181e4d00e00ab4485e4a9c33f\",\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"unsigned\",\"event.id\":\"01GXTXP1WXXHGR0R7A8NF27FQ3_24\",\"src.process.parent.cmdline\":\" python3 -u \\/usr\\/sbin\\/waagent -run-exthandlers\",\"src.process.image.path\":\"\\/usr\\/bin\\/dash\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"tgt.process.rUserUid\":0,\"src.process.eUserUid\":0,\"tgt.process.pid\":1518,\"src.process.crossProcessDupThreadHandleCount\":0,\"tgt.process.name\":\"ip\",\"endpoint.os\":\"linux\",\"src.process.tgtFileDeletionCount\":0,\"tgt.process.signedStatus\":\"unsigned\",\"src.process.startTime\":1681309474590,\"mgmt.id\":\"16964\",\"os.name\":\"Linux\",\"tgt.process.rUserName\":\"root\",\"tgt.process.cmdline\":\" ip -6 -a -o 
address\",\"src.process.displayName\":\"dash\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"tgt.process.eUserUid\":0,\"src.process.rUserUid\":0,\"src.process.uid\":\"550f55e1-53a8-e998-adea-61da4ec754de\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"550f55e8-ffb9-9bab-2952-5ef7c734b7d4\",\"src.process.parent.eUserUid\":0,\"tgt.process.uid\":\"550f55e8-ffb9-9bab-2952-5ef7c734b7d4\",\"tgt.process.isStorylineRoot\":false,\"src.process.parent.uid\":\"55d21a32-dd64-9b07-6e84-bd923f6d1e08\",\"agent.version\":\"22.4.2.4\",\"src.process.parent.rUserName\":\"root\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"Debian GNU\\/11 (bullseye) 5.10.0-21-cloud-amd64\",\"group.id\":\"55d21a32-c658-5f3f-5d8f-57420736161e\",\"tgt.process.startTime\":1681309474590,\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1681308332200,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"trace.id\":\"01GXTXP1WXXHGR0R7A8NF27FQ3\",\"src.process.rUserName\":\"root\",\"src.process.name\":\"dash\",\"agent.uuid\":\"55cf574b-9fd7-5278-2ee0-badefd0d22ad\",\"src.process.indicatorGeneralCount\":0,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"551560d7-495f-7d44-7a29-52064745dff7\",\"tgt.process.sessionId\":0,\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"tgt.process.isRedirectCmdProcessor\":false,\"event.type\":\"Process Creation\",\"event.repetitionCount\":1,\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":911}", "event": { "action": "Process Creation", - "dataset": "cloud-funnel-2.0", "category": [ "process" ], + "dataset": "cloud-funnel-2.0", "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-04-12T14:24:34.835000Z", "agent": { "version": "22.4.2.4" }, 
@@ -2336,8 +2337,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad" }, "event": { - "type": "Process Creation", - "category": "process" + "category": "process", + "type": "Process Creation" }, "host": { "os": { @@ -2346,14 +2347,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 1, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 1, "module_load": 0, "net_conn": 0, "net_conn_in": 0, @@ -2364,10 +2365,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "False", - "session_id": 0, - "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", - "uid": "550f55e1-53a8-e998-adea-61da4ec754de", "parent": { "family": "SUBSYSTEM_UNKNOWN", "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", 
@@ -2378,37 +2375,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", "uid": "55d21a32-dd64-9b07-6e84-bd923f6d1e08" }, + "root": "False", + "session_id": 0, + "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", "target": { + "code_signature": { + "exists": "false" + }, "command_line": " ip -6 -a -o address", "executable": "/usr/bin/ip", "family": "SUBSYSTEM_UNKNOWN", + "hash": { + "sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f" + }, "integrity_level": "INTEGRITY_LEVEL_UNKNOWN", "is_redirected_command_processor": "False", "is_wow64": "False", "name": "ip", "pid": 1518, + "real_user": { + "id": "0", + "name": "root" + }, "root": "False", "session_id": 0, + "start": "2023-04-12T14:24:34.590000Z", "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", "title": "ip", "uid": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4", - "working_directory": "/usr/bin", - "hash": { - "sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f" - }, "user": { - "name": "root", - "id": "0" + "id": "0", + "name": "root" }, - "real_user": { - "name": "root", - "id": "0" - }, - "start": "2023-04-12T14:24:34.590000Z", - "code_signature": { - "exists": "false" - } - } + "working_directory": "/usr/bin" + }, + "uid": "550f55e1-53a8-e998-adea-61da4ec754de" } }, "host": { 
@@ -2422,30 +2423,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-04-12T14:24:34.835000Z", "process": { + "code_signature": { + "exists": false + }, "command_line": " /bin/sh -c ip -6 -a -o address", "executable": "/usr/bin/dash", "hash": { "sha1": "827265afe07691a445674eb09e0eb4fd025dbd43" }, "name": "dash", - "pid": 1517, - "title": "dash", - "working_directory": "/usr/bin", - "user": { - "name": "root", - "id": "0" - }, - "real_user": { - "name": "root", - "id": "0" - }, - "start": "2023-04-12T14:24:34.590000Z", - "code_signature": { - "exists": false - }, "parent": { + "code_signature": { + "exists": false + }, "command_line": " python3 -u /usr/sbin/waagent -run-exthandlers", "executable": "/usr/bin/python3.9", "hash": { @@ -2453,24 +2444,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "python3.9", "pid": 911, - "title": "python3.9", - "working_directory": "/usr/bin", - "user": { - "name": "root", - "id": "0" - }, "real_user": { - "name": "root", - "id": "0" + "id": "0", + "name": "root" }, "start": "2023-04-12T14:05:32.200000Z", - "code_signature": { - "exists": false - } - } - }, - "user": { - "name": "root" + "title": "python3.9", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/bin" + }, + "pid": 1517, + "real_user": { + "id": "0", + "name": "root" + }, + "start": "2023-04-12T14:24:34.590000Z", + "title": "dash", + "user": { + "id": "0", + "name": "root" + }, + "working_directory": "/usr/bin" }, "related": { "hash": [ @@ -2480,6 +2477,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "name": "root" } } 
@@ -2494,15 +2494,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"logins\",\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.parent.displayName\":\"Services and Controller app\",\"src.process.image.binaryIsExecutable\":true,\"osSrc.process.image.md5\":\"289d6a47b7692510e2fd3b51979a9fed\",\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.image.sha1\":\"1754e7ee417e56c9c196b1dc7fbf663a43d15d16\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":658,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1679405768536,\"src.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorReconnaissanceCount\":4,\"src.process.storyline.id\":\"6196E5E7AB538ED5\",\"src.process.childProcCount\":3,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"WINLOGONATTEMPT\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"event.login.type\":\"NETWORK\",\"osSrc.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.image.binaryIsExecutable\":true,\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"4896E5E7AB538ED5\",\"event.login.loginIsSuccessful\":false,\"src.process.integrityLevel\":\"SYSTEM\",\"i.scheme\":\"edr\",\"osSrc.process.pid\":684,\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":65,\"event.time\":1679405708938,\"src.endpoint.ip.address\":\"180.163.86.35\",\"timestamp\":\"2023-03-21T13:35:08.938Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":740,\"osSrc.process.uid\":\"4996E5E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k NetworkService\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"sca:ingestTime\":1679405774,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GW264PY7BGAP7QD40Y666TD8_1\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"event.login.accountName\":\"-\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"lsass.exe\",\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"osSrc.process.startTime\":1679394829462,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.image.sha256\":\"0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679394830438,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.displayName\":\"Host Process for Windows 
Services\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"osSrc.process.sessionId\":0,\"event.login.failureReason\":\"Unknown user name or bad password.\",\"src.process.uid\":\"6096E5E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\",\"event.login.sessionId\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"6096E5E7AB538ED5\",\"src.process.parent.uid\":\"4796E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"event.login.userName\":\"USER\",\"src.process.sessionId\":0,\"src.process.netConnCount\":65,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"group.id\":\"6196E5E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1679394829443,\"src.process.dnsCount\":0,\"event.login.accountDomain\":\"-\",\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW264PY7BGAP7QD40Y666TD8\",\"src.process.name\":\"svchost.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.displayName\":\"Local Security Authority Process\",\"src.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.indicatorGeneralCount\":14,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"CB26CB516DA94909A17845A03C2ED5E0\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT 
AUTHORITY\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"4A96E5E7AB538ED5\",\"event.type\":\"Login\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":676,\"event.login.accountSid\":\"S-1-0-0\"}", "event": { "action": "Login", - "dataset": "cloud-funnel-2.0", "category": [ "authentication" ], + "dataset": "cloud-funnel-2.0", "kind": "event", "type": [ "error" ] }, + "@timestamp": "2023-03-21T13:35:08.938000Z", + "action": { + "outcome": "failure", + "outcome_reason": "Unknown user name or bad password.", + "properties": { + "IpAddress": "180.163.86.35", + "LogonType": "3", + "TargetDomainName": "-", + "TargetUserName": "USER", + "TargetUserSid": "S-1-0-0" + } + }, "agent": { "version": "22.3.2.373" }, @@ -2513,8 +2525,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Login", - "category": "logins" + "category": "logins", + "type": "Login" }, "host": { "os": { 
@@ -2522,70 +2534,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService", "counters": { + "child_process": 3, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 3, "module_load": 658, "net_conn": 65, "net_conn_in": 65, "net_conn_out": 0, "registry_modification": 0 }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "6196E5E7AB538ED5", - "uid": "6096E5E7AB538ED5", - "command_line": "C:\\Windows\\System32\\svchost.exe -k NetworkService", "executable": { "name": "C:\\Windows\\System32\\svchost.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "svchost.exe", - "pid": "740", - "title": "Host Process for Windows Services", - "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-21T10:33:50.438000Z", - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - }, - "parent": { + "ossrc": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", "root": "True", - "session_id": 0, - "storyline_id": "4896E5E7AB538ED5", - "uid": "4796E5E7AB538ED5" + "session_id": "0", + "storyline_id": "4A96E5E7AB538ED5", + "uid": "4996E5E7AB538ED5" }, - "ossrc": { + "parent": 
{ "family": "SYS_WIN32", "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", "root": "True", - "session_id": "0", - "storyline_id": "4A96E5E7AB538ED5", - "uid": "4996E5E7AB538ED5" - } + "session_id": 0, + "storyline_id": "4896E5E7AB538ED5", + "uid": "4796E5E7AB538ED5" + }, + "pid": "740", + "root": "True", + "session_id": 0, + "start": "2023-03-21T10:33:50.438000Z", + "storyline_id": "6196E5E7AB538ED5", + "title": "Host Process for Windows Services", + "uid": "6096E5E7AB538ED5", + "user": { + "name": "NT AUTHORITY\\NETWORK SERVICE" + }, + "working_directory": "C:\\Windows\\System32" } }, "host": { @@ -2599,9 +2611,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-21T13:35:08.938000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", + "hash": { + "md5": "289d6a47b7692510e2fd3b51979a9fed", + "sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16", + "sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650" + }, + "name": "lsass.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { 
@@ -2611,60 +2638,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 676, + "start": "2023-03-21T10:33:49.443000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-21T10:33:49.443000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows\\System32" }, - "command_line": "C:\\Windows\\system32\\lsass.exe", - "executable": "C:\\Windows\\System32\\lsass.exe", - "name": "lsass.exe", "pid": 684, + "start": "2023-03-21T10:33:49.462000Z", "title": "Local Security Authority Process", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "hash": { - "md5": "289d6a47b7692510e2fd3b51979a9fed", - "sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16", - "sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650" - }, - "start": "2023-03-21T10:33:49.462000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - }, - "user": { - "name": "USER", - "domain": "-", - "id": "S-1-0-0", - "target": { - "name": "USER", - "domain": "-" - } - }, - "source": { - "ip": "180.163.86.35", - "address": "180.163.86.35" - }, - "action": { - "properties": { - "TargetUserName": "USER", - "TargetDomainName": "-", - "TargetUserSid": "S-1-0-0", - "IpAddress": "180.163.86.35", - "LogonType": "3" - }, - "outcome": "failure", - "outcome_reason": "Unknown user name or bad password." + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ 
@@ -2681,12 +2668,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "USER" ] - } - } - - ``` - - + }, + "source": { + "address": "180.163.86.35", + "ip": "180.163.86.35" + }, + "user": { + "domain": "-", + "id": "S-1-0-0", + "name": "USER", + "target": { + "domain": "-", + "name": "USER" + } + } + } + + ``` + + === "logins_login_success.json" ```json 
@@ -2695,15 +2695,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"logins\",\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Services and Controller app\",\"osSrc.process.image.md5\":\"289d6a47b7692510e2fd3b51979a9fed\",\"osSrc.process.crossProcessOpenProcessCount\":164,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS PUBLISHER\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":19,\"osSrc.process.crossProcessOutOfStorylineCount\":164,\"osSrc.process.image.sha1\":\"1754e7ee417e56c9c196b1dc7fbf663a43d15d16\",\"src.process.tgtFileCreationCount\":0,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":24,\"osSrc.process.indicatorReconnaissanceCount\":1,\"src.process.moduleCount\":7591,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1680604015448,\"src.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorReconnaissanceCount\":1459,\"src.process.storyline.id\":\"C136E7E7AB538ED5\",\"src.process.childProcCount\":90,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":227,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":124,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"WINLOGONATTEMPT\",\"event.login.type\":\"UN
LOCK\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"osSrc.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"AB36E7E7AB538ED5\",\"event.login.loginIsSuccessful\":true,\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":688,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1680603998952,\"src.endpoint.ip.address\":\"109.190.253.14\",\"timestamp\":\"2023-04-04T10:26:38.952Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":164,\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":536,\"osSrc.process.uid\":\"AC36E7E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1680604021,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p\",\"src.process.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":252,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GX5WW9NEJCT67Y7FV3YKQGAC_115\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"event.login.accountName\":\"desktop-jdoe$\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"lsass.exe\",\"src.process.indicatorEvasionCount\":3,\"src.process.netConnOutCount\":102,\"osSrc.process.startTime\":1680601657543,\"src.process.crossProcessDupThreadHandleCount\":6,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":0,\"osSrc.process.image.sha256\":\"0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1680601658531,\"mgmt.id\":\"16964\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":0,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":66,\"src.process.displayName\":\"Host Process for Windows 
Services\",\"osSrc.process.dnsCount\":0,\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"C036E7E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\",\"event.login.sessionId\":0,\"src.process.indicatorInfostealerCount\":127,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"C036E7E7AB538ED5\",\"event.login.isAdministratorEquivalent\":true,\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"AA36E7E7AB538ED5\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"event.login.userName\":\"john.doe\",\"src.process.sessionId\":0,\"src.process.netConnCount\":102,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"group.id\":\"C136E7E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS PUBLISHER\",\"src.process.parent.startTime\":1680601657524,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":40,\"event.login.accountDomain\":\"WORKGROUP\",\"osSrc.process.tgtFileDeletionCount\":0,\"osSrc.process.indicatorEvasionCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GX5WW9NEJCT67Y7FV3YKQGAC\",\"src.process.name\":\"svchost.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.displayName\":\"Local Security Authority 
Process\",\"src.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.indicatorGeneralCount\":261,\"src.process.crossProcessOutOfStorylineCount\":252,\"src.process.registryChangeCount\":0,\"packet.id\":\"1E58F722484E4850B02469C4B6DDEBF3\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"AD36E7E7AB538ED5\",\"event.type\":\"Login\",\"src.process.indicatorPostExploitationCount\":0,\"event.login.accountSid\":\"S-1-5-18\",\"src.process.parent.pid\":680}", "event": { "action": "Login", - "dataset": "cloud-funnel-2.0", "category": [ "authentication" ], + "dataset": "cloud-funnel-2.0", "kind": "event", "type": [ "start" ] }, + "@timestamp": "2023-04-04T10:26:38.952000Z", + "action": { + "outcome": "success", + "properties": { + "IpAddress": "109.190.253.14", + "LogonType": "7", + "TargetDomainName": "WORKGROUP", + "TargetUserName": "john.doe", + "TargetUserSid": "S-1-5-18" + } + }, "agent": { "version": "22.3.2.373" }, @@ -2714,8 +2725,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Login", - "category": "logins" + "category": "logins", + "type": "Login" }, "host": { "os": { 
@@ -2723,70 +2734,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "counters": { + "child_process": 90, + "cross_process": 252, "cross_process_dup_process_handle": 19, "cross_process_dup_thread_handle": 6, - "cross_process": 252, "dns_lookups": 40, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 90, "module_load": 7591, "net_conn": 102, "net_conn_in": 0, "net_conn_out": 102, "registry_modification": 0 }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "C136E7E7AB538ED5", - "uid": "C036E7E7AB538ED5", - "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "executable": { "name": "C:\\Windows\\System32\\svchost.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "svchost.exe", - "pid": "536", - "title": "Host Process for Windows Services", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-04-04T09:47:38.531000Z", - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - }, - "parent": { - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "AB36E7E7AB538ED5", - "uid": "AA36E7E7AB538ED5" - }, "ossrc": { "counters": { + "child_process": 0, + "cross_process": 164, "cross_process_dup_process_handle": 0, 
"cross_process_dup_thread_handle": 0, - "cross_process": 164, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 124, "net_conn": 0, "net_conn_in": 0, @@ -2801,7 +2791,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": "0", "storyline_id": "AD36E7E7AB538ED5", "uid": "AC36E7E7AB538ED5" - } + }, + "parent": { + "family": "SYS_WIN32", + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": 0, + "storyline_id": "AB36E7E7AB538ED5", + "uid": "AA36E7E7AB538ED5" + }, + "pid": "536", + "root": "True", + "session_id": 0, + "start": "2023-04-04T09:47:38.531000Z", + "storyline_id": "C136E7E7AB538ED5", + "title": "Host Process for Windows Services", + "uid": "C036E7E7AB538ED5", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\Windows\\System32" } }, "host": { @@ -2815,9 +2826,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-04-04T10:26:38.952000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS PUBLISHER" + }, + "command_line": "C:\\Windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", + "hash": { + "md5": "289d6a47b7692510e2fd3b51979a9fed", + "sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16", + "sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650" + }, + "name": "lsass.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS PUBLISHER" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { 
@@ -2827,62 +2853,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 680, + "start": "2023-04-04T09:47:37.524000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-04-04T09:47:37.524000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS PUBLISHER" - } + "working_directory": "C:\\Windows\\System32" }, - "command_line": "C:\\Windows\\system32\\lsass.exe", - "executable": "C:\\Windows\\System32\\lsass.exe", - "name": "lsass.exe", "pid": 688, + "start": "2023-04-04T09:47:37.543000Z", "title": "Local Security Authority Process", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "hash": { - "md5": "289d6a47b7692510e2fd3b51979a9fed", - "sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16", - "sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650" - }, - "start": "2023-04-04T09:47:37.543000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "user": { - "name": "john.doe", - "domain": "WORKGROUP", - "id": "S-1-5-18", - "target": { - "name": "john.doe", - "domain": "WORKGROUP" - }, - "roles": [ - "admin" - ] - }, - "source": { - "ip": "109.190.253.14", - "address": "109.190.253.14" - }, - "action": { - "properties": { - "TargetUserName": "john.doe", - "TargetDomainName": "WORKGROUP", - "TargetUserSid": "S-1-5-18", - "IpAddress": "109.190.253.14", - "LogonType": "7" - }, - "outcome": "success" + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ 
@@ -2899,6 +2883,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "109.190.253.14", + "ip": "109.190.253.14" + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "john.doe", + "roles": [ + "admin" + ], + "target": { + "domain": "WORKGROUP", + "name": "john.doe" + } } } 
@@ -2913,15 +2913,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"tgt.process.displayName\":\"Runtime Broker\",\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"process\",\"osSrc.process.parent.sessionId\":0,\"src.process.parent.image.sha1\":\"5310ba14a05256e4d93e0b04338f53b4e1d680cb\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.parent.displayName\":\"Shell Infrastructure Host\",\"src.process.image.binaryIsExecutable\":true,\"tgt.process.storyline.id\":\"86B6E5E7AB538ED5\",\"osSrc.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"tgt.process.isNative64Bit\":false,\"osSrc.process.parent.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"osSrc.process.crossProcessOpenProcessCount\":1,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.parent.name\":\"svchost.exe\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"osSrc.process.parent.startTime\":1679394829780,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":86,\"osSrc.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.tgtFileCreationCount\":0,\"osSrc.process.childProcCount\":121,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":2,\"src.process.moduleCount\":93,\"src.process.parent.name\":\"sihost.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1679406008310,\"src.process.image.md5\":\"da7063b17dbb8bbb3015351016868006\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"86B6E5E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"tgt.pro
cess.subsystem\":\"SYS_WIN32\",\"src.process.crossProcessOpenProcessCount\":0,\"tgt.process.image.binaryIsExecutable\":true,\"osSrc.process.crossProcessThreadCreateCount\":0,\"tgt.process.image.sha256\":\"e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628\",\"osSrc.process.moduleCount\":199,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"PROCESSCREATION\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"osSrc.process.parent.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"tgt.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"BE98E5E7AB538ED5\",\"tgt.process.verifiedStatus\":\"verified\",\"osSrc.process.netConnInCount\":0,\"tgt.process.image.path\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"LOW\",\"tgt.process.integrityLevel\":\"HIGH\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":852,\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"tgt.process.image.md5\":\"ba4cfe6461afa1004c52f19c8f2169dc\",\"event.time\":1679405965868,\"osSrc.process.parent.isStorylineRoot\":true,\"timestamp\":\"2023-03-21T13:39:25.868Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":86,\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\sihost.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":2096,\"osSrc.process.parent.integrityLevel\":\"SYSTEM\",\"osSrc.process.uid\":\"5596E5E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679406014,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Windows\\\\system32\\\\BackgroundTaskHost.exe\\\" -ServerName:BackgroundTaskHost.WebAccountProvider\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"ab8539ef6b2a93ff9589dec4b34a0257b6296c92\",\"osSrc.process.integrityLevel\":\"SYSTEM\",\"osSrc.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"osSrc.process.parent.signedStatus\":\"signed\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":85,\"event.id\":\"01GW26C1B7ME6MS4EC7X0K5R6X_12\",\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"sihost.exe\",\"osSrc.process.parent.displayName\":\"Host Process for Windows 
Services\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"osSrc.process.startTime\":1679394829780,\"tgt.process.pid\":3212,\"src.process.crossProcessDupThreadHandleCount\":0,\"tgt.process.name\":\"RuntimeBroker.exe\",\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":0,\"osSrc.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"tgt.process.signedStatus\":\"signed\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679405965779,\"osSrc.process.indicatorRansomwareCount\":0,\"mgmt.id\":\"16964\",\"osSrc.process.netConnCount\":0,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":12,\"osSrc.process.parent.isNative64Bit\":false,\"tgt.process.cmdline\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe -Embedding\",\"src.process.displayName\":\"Background Task Host\",\"osSrc.process.dnsCount\":0,\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"85B6E5E7AB538ED5\",\"src.process.parent.image.md5\":\"a21e7719d73d0322e2e7d61802cb8f80\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"osSrc.process.parent.publisher\":\"MICROSOFT 
WINDOWS\",\"osSrc.process.parent.isRedirectCmdProcessor\":false,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"87B6E5E7AB538ED5\",\"tgt.process.uid\":\"87B6E5E7AB538ED5\",\"tgt.process.isStorylineRoot\":false,\"osSrc.process.parent.storyline.id\":\"5696E5E7AB538ED5\",\"osSrc.process.parent.pid\":852,\"src.process.parent.uid\":\"BD98E5E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"group.id\":\"86B6E5E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"tgt.process.startTime\":1679405965867,\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1679394873882,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":0,\"osSrc.process.tgtFileDeletionCount\":0,\"osSrc.process.indicatorEvasionCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW26C1B7ME6MS4EC7X0K5R6X\",\"src.process.name\":\"backgroundTaskHost.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.parent.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"osSrc.process.displayName\":\"Host Process for Windows Services\",\"src.process.image.sha256\":\"20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50\",\"osSrc.process.parent.user\":\"NT 
AUTHORITY\\\\SYSTEM\",\"tgt.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorGeneralCount\":3,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"8179FCF2337A43CA9FB82DC8E38EEBD2\",\"tgt.process.sessionId\":2,\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"tgt.process.isRedirectCmdProcessor\":false,\"osSrc.process.parent.uid\":\"5596E5E7AB538ED5\",\"osSrc.process.storyline.id\":\"5696E5E7AB538ED5\",\"event.type\":\"Process Creation\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4164}", "event": { "action": "Process Creation", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "process" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-21T13:39:25.868000Z", "agent": { "version": "22.3.2.373" }, @@ -2932,8 +2933,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Process Creation", - "category": "process" + "category": "process", + "type": "Process Creation" }, "host": { "os": { 
@@ -2941,144 +2942,144 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "process": {
+ "code_signature": {
+ "exists": "true",
+ "subject_name": "MICROSOFT WINDOWS"
+ },
+ "command_line": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
 "counters": {
+ "child_process": 0,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 0,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 0,
 "module_load": 93,
 "net_conn": 0,
 "net_conn_in": 0,
 "net_conn_out": 0,
 "registry_modification": 0
 },
- "family": "SYS_WIN32",
- "integrity_level": "LOW",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": 2,
- "storyline_id": "86B6E5E7AB538ED5",
- "uid": "85B6E5E7AB538ED5",
- "command_line": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
 "executable": {
 "name": "C:\\Windows\\System32\\backgroundTaskHost.exe"
 },
+ "family": "SYS_WIN32",
 "hash": {
 "md5": "da7063b17dbb8bbb3015351016868006",
 "sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
 "sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
 },
+ "integrity_level": "LOW",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
 "name": "backgroundTaskHost.exe",
- "pid": "2096",
- "title": "Background Task Host",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-21T13:39:25.779000Z",
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- },
- "parent": {
+ "ossrc": {
+ "counters": {
+ "child_process": 121,
+ "cross_process": 86,
+ "cross_process_dup_process_handle": 85,
+ "cross_process_dup_thread_handle": 0,
+ "dns_lookups": 0,
+ "file_creation": 0,
+ "file_deletion": 0,
+ "file_modification": 0,
+ "module_load": 199,
+ "net_conn": 0,
+ "net_conn_in": 0,
+ "net_conn_out": 0,
+ "registry_modification": 0
+ },
 "family": "SYS_WIN32",
- "integrity_level": "HIGH",
+ "integrity_level": "SYSTEM",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
+ "parent": {
+ "integrity_level": "SYSTEM",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
+ "root": "True",
+ "session_id": "0",
+ "storyline_id": "5696E5E7AB538ED5",
+ "uid": "5596E5E7AB538ED5"
+ },
 "root": "True",
- "session_id": 2,
- "storyline_id": "BE98E5E7AB538ED5",
- "uid": "BD98E5E7AB538ED5",
+ "session_id": "0",
+ "storyline_id": "5696E5E7AB538ED5",
+ "uid": "5596E5E7AB538ED5"
+ },
+ "parent": {
+ "code_signature": {
+ "exists": "true",
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "sihost.exe",
 "executable": {
 "name": "C:\\Windows\\System32\\sihost.exe"
 },
+ "family": "SYS_WIN32",
 "hash": {
 "md5": "a21e7719d73d0322e2e7d61802cb8f80",
 "sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
 "sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00"
 },
+ "integrity_level": "HIGH",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
 "name": "sihost.exe",
 "pid": "4164",
+ "root": "True",
+ "session_id": 2,
+ "start": "2023-03-21T10:34:33.882000Z",
+ "storyline_id": "BE98E5E7AB538ED5",
 "title": "Shell Infrastructure Host",
+ "uid": "BD98E5E7AB538ED5",
 "user": {
 "name": "desktop-jdoe\\john.doe"
 },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-21T10:34:33.882000Z",
+ "working_directory": "C:\\Windows\\System32"
+ },
+ "pid": "2096",
+ "root": "True",
+ "session_id": 2,
+ "start": "2023-03-21T13:39:25.779000Z",
+ "storyline_id": "86B6E5E7AB538ED5",
+ "target": {
 "code_signature": {
 "exists": "true",
 "subject_name": "MICROSOFT WINDOWS"
- }
- },
- "target": {
+ },
 "command_line": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding",
 "executable": "C:\\Windows\\System32\\RuntimeBroker.exe",
 "family": "SYS_WIN32",
- "integrity_level": "HIGH",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "name": "RuntimeBroker.exe",
- "pid": 3212,
- "root": "False",
- "session_id": 2,
- "storyline_id": "86B6E5E7AB538ED5",
- "title": "Runtime Broker",
- "uid": "87B6E5E7AB538ED5",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Windows\\System32",
 "hash": {
 "md5": "ba4cfe6461afa1004c52f19c8f2169dc",
 "sha1": "ab8539ef6b2a93ff9589dec4b34a0257b6296c92",
- "sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628"
- },
- "start": "2023-03-21T13:39:25.867000Z",
- "code_signature": {
- "exists": "true",
- "subject_name": "MICROSOFT WINDOWS"
- }
- },
- "ossrc": {
- "counters": {
- "cross_process_dup_process_handle": 85,
- "cross_process_dup_thread_handle": 0,
- "cross_process": 86,
- "dns_lookups": 0,
- "file_creation": 0,
- "file_deletion": 0,
- "file_modification": 0,
- "child_process": 121,
- "module_load": 199,
- "net_conn": 0,
- "net_conn_in": 0,
- "net_conn_out": 0,
- "registry_modification": 0
- },
- "family": "SYS_WIN32",
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "5696E5E7AB538ED5",
- "uid": "5596E5E7AB538ED5",
- "parent": {
- "integrity_level": "SYSTEM",
- "is_redirected_command_processor": "False",
- "is_wow64": "False",
- "root": "True",
- "session_id": "0",
- "storyline_id": "5696E5E7AB538ED5",
- "uid": "5596E5E7AB538ED5"
- }
- }
+ "sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628"
+ },
+ "integrity_level": "HIGH",
+ "is_redirected_command_processor": "False",
+ "is_wow64": "False",
+ "name": "RuntimeBroker.exe",
+ "pid": 3212,
+ "root": "False",
+ "session_id": 2,
+ "start": "2023-03-21T13:39:25.867000Z",
+ "storyline_id": "86B6E5E7AB538ED5",
+ "title": "Runtime Broker",
+ "uid": "87B6E5E7AB538ED5",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
+ },
+ "working_directory": "C:\\Windows\\System32"
+ },
+ "title": "Background Task Host",
+ "uid": "85B6E5E7AB538ED5",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
+ },
+ "working_directory": "C:\\Windows\\System32"
 }
 },
 "host": {
@@ -3092,54 +3093,49 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "observer": {
 "vendor": "SentinelOne"
 },
- "@timestamp": "2023-03-21T13:39:25.868000Z",
 "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
 "executable": "C:\\Windows\\System32\\svchost.exe",
- "name": "svchost.exe",
- "pid": 852,
- "title": "Host Process for Windows Services",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
- },
- "working_directory": "C:\\Windows\\System32",
 "hash": {
 "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
 "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
 "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
 },
- "start": "2023-03-21T10:33:49.780000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- },
+ "name": "svchost.exe",
 "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
 "executable": "C:\\Windows\\System32\\svchost.exe",
+ "hash": {
+ "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
+ "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
+ "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
+ },
 "name": "svchost.exe",
 "process": {
 "pid": "852"
 },
+ "start": "2023-03-21T10:33:49.780000Z",
 "title": "Host Process for Windows Services",
 "user": {
 "name": "NT AUTHORITY\\SYSTEM"
 },
- "working_directory": "C:\\Windows\\System32",
- "hash": {
- "md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
- "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
- "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
- },
- "start": "2023-03-21T10:33:49.780000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- }
- }
- },
- "user": {
- "name": "SYSTEM",
- "domain": "NT AUTHORITY"
+ "working_directory": "C:\\Windows\\System32"
+ },
+ "pid": 852,
+ "start": "2023-03-21T10:33:49.780000Z",
+ "title": "Host Process for Windows Services",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ },
+ "working_directory": "C:\\Windows\\System32"
 },
 "related": {
 "hash": [
@@ -3150,6 +3146,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
@@ -3164,15 +3164,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"registry\",\"src.process.parent.image.sha1\":\"c54490a0e8a6c9e665f081f3d55847f32d7cb25e\",\"site.id\":\"1640744535583677559\",\"registry.valueFullSize\":24,\"src.process.parent.displayName\":\"Microsoft Edge\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"registry.oldValueType\":\"BINARY\",\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":156,\"src.process.parent.name\":\"msedge.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"sca:atlantisIngestTime\":1680203775822,\"src.process.image.md5\":\"fbbcd4101d9daa064e2686834b1296be\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"14C2E6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"registry.oldValueFullSize\":24,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"REGVALUEMODIFIED\",\"src.process.parent.integrityLevel\":\"HIGH\",\"src.process.indicatorExploitationCount\":2,\"src.process.parent.storyline.id\":\"14C2E6E7AB538ED5\",\"src.process.integrityLevel\":\"LOW\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1680203773063,\"timestamp\":\"2023-03-30T19:16:13.063Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"c54490a0e8a6c9e665f081f3d55847f32d7cb25e\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":6912,\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 \\/prefetch:2\",\"src.process.publisher\":\"MICROSOFT CORPORATION\",\"sca:ingestTime\":1680203781,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.activeContentType\":\"FILE\",\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"event.id\":\"01GWSZ5Z9090XZJD6DMNCG2SZ3_20\",\"src.process.parent.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start \\/prefetch:5\",\"registry.value\":\"3929AC173C63D90100000000000000000000000002000000\",\"src.process.image.path\":\"C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1680183590099,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"registry.keyPath\":\"MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\\\\\Device\\\\HarddiskVolume4\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"src.process.displayName\":\"Microsoft Edge\",\"src.process.parent.sessionId\":2,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"6DC2E6E7AB538ED5\",\"src.process.parent.image.md5\":\"fbbcd4101d9daa064e2686834b1296be\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"6DC2E6E7AB538ED5\",\"registry.valueType\":\"BINARY\",\"src.process.parent.uid\":\"13C2E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"14C2E6E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT 
CORPORATION\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1680183585577,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSZ5Z9090XZJD6DMNCG2SZ3\",\"src.process.name\":\"msedge.exe\",\"registry.oldValueIsComplete\":true,\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa\",\"src.process.indicatorGeneralCount\":4,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":1,\"packet.id\":\"6E623DBE96C14642980FE486FCC335F2\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"registry.oldValue\":\"C9C6A9173C63D90100000000000000000000000002000000\",\"event.type\":\"Registry Value Modified\",\"src.process.indicatorPostExploitationCount\":0,\"registry.valueIsComplete\":true,\"src.process.parent.activeContent.signedStatus\":\"unsigned\",\"src.process.parent.pid\":6384}",
 "event": {
 "action": "Registry Value Modified",
- "dataset": "cloud-funnel-2.0",
- "kind": "event",
 "category": [
 "registry"
 ],
+ "dataset": "cloud-funnel-2.0",
+ "kind": "event",
 "type": [
 "change"
 ]
 },
+ "@timestamp": "2023-03-30T19:16:13.063000Z",
 "agent": {
 "version": "22.3.2.373"
 },
@@ -3183,8 +3184,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "uuid": "9a25d24fd1e4418dab8e358865fa1e29"
 },
 "event": {
- "type": "Registry Value Modified",
- "category": "registry"
+ "category": "registry",
+ "type": "Registry Value Modified"
 },
 "host": {
 "os": {
@@ -3192,15 +3193,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "process": {
+ "activecontent": {
+ "code_signature": {
+ "exists": "false"
+ },
+ "type": "FILE"
+ },
 "counters": {
+ "child_process": 0,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 0,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 0,
 "module_load": 156,
 "net_conn": 0,
 "net_conn_in": 0,
@@ -3211,17 +3218,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "integrity_level": "LOW",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
- "root": "False",
- "session_id": 2,
- "storyline_id": "14C2E6E7AB538ED5",
- "uid": "6DC2E6E7AB538ED5",
- "activecontent": {
- "type": "FILE",
- "code_signature": {
- "exists": "false"
- }
- },
 "parent": {
+ "activecontent": {
+ "code_signature": {
+ "exists": "false"
+ },
+ "type": "FILE"
+ },
 "family": "SYS_WIN32",
 "integrity_level": "HIGH",
 "is_redirected_command_processor": "False",
@@ -3229,20 +3232,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "root": "True",
 "session_id": 2,
 "storyline_id": "14C2E6E7AB538ED5",
- "uid": "13C2E6E7AB538ED5",
- "activecontent": {
- "type": "FILE",
- "code_signature": {
- "exists": "false"
- }
- }
- }
+ "uid": "13C2E6E7AB538ED5"
+ },
+ "root": "False",
+ "session_id": 2,
+ "storyline_id": "14C2E6E7AB538ED5",
+ "uid": "6DC2E6E7AB538ED5"
 },
 "registry": {
 "old": {
 "data": {
- "type": "REG_BINARY",
- "bytes": "C9C6A9173C63D90100000000000000000000000002000000"
+ "bytes": "C9C6A9173C63D90100000000000000000000000002000000",
+ "type": "REG_BINARY"
 }
 }
 }
@@ -3258,8 +3259,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "observer": {
 "vendor": "SentinelOne"
 },
- "@timestamp": "2023-03-30T19:16:13.063000Z",
 "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT CORPORATION"
+ },
 "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:2",
 "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
 "hash": {
@@ -3268,18 +3272,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa"
 },
 "name": "msedge.exe",
- "pid": 6912,
- "title": "Microsoft Edge",
- "user": {
- "name": "desktop-jdoe\\john.doe"
- },
- "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
- "start": "2023-03-30T13:39:50.099000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT CORPORATION"
- },
 "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT CORPORATION"
+ },
 "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
 "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
 "hash": {
@@ -3289,31 +3286,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "name": "msedge.exe",
 "pid": 6384,
+ "start": "2023-03-30T13:39:45.577000Z",
 "title": "Microsoft Edge",
 "user": {
 "name": "desktop-jdoe\\john.doe"
 },
- "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
- "start": "2023-03-30T13:39:45.577000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT CORPORATION"
- }
- }
- },
- "user": {
- "name": "john.doe",
- "domain": "desktop-jdoe"
+ "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
+ },
+ "pid": 6912,
+ "start": "2023-03-30T13:39:50.099000Z",
+ "title": "Microsoft Edge",
+ "user": {
+ "name": "desktop-jdoe\\john.doe"
+ },
+ "working_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
 },
 "registry": {
- "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
- "value": "msedge.exe",
+ "data": {
+ "bytes": "3929AC173C63D90100000000000000000000000002000000",
+ "type": "REG_BINARY"
+ },
 "hive": "MACHINE",
 "key": "SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application",
- "data": {
- "type": "REG_BINARY",
- "bytes": "3929AC173C63D90100000000000000000000000002000000"
- }
+ "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+ "value": "msedge.exe"
 },
 "related": {
 "hash": [
@@ -3324,6 +3320,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "john.doe"
 ]
+ },
+ "user": {
+ "domain": "desktop-jdoe",
+ "name": "john.doe"
 }
 }
@@ -3338,15 +3338,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"registry\",\"src.process.parent.image.sha1\":\"68d7290a70ae3a396a0bd5164919694346047384\",\"site.id\":\"1640744535583677559\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Microsoft Azure\u00c2\u00ae\",\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":33,\"src.process.parent.name\":\"WaAppAgent.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679651173876,\"src.process.image.md5\":\"e30e7a42a010bf95524514bdf2035695\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"B91AE6E7AB538ED5\",\"src.process.childProcCount\":1,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"REGKEYCREATE\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"B91AE6E7AB538ED5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679651168286,\"timestamp\":\"2023-03-24T09:46:08.286Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"3f38989e61670025c2585a9e3cc8f1e1c9f229e9\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":2532,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679651179,\"dataSource.category\":\"security\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.cmdline\":\"\\\"wevtutil.exe\\\" im C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\AzureEvents.man\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GW9G5WH7M8ZDX974Z857TJT3_959\",\"src.process.parent.cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\wevtutil.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679651062627,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"registry.keyPath\":\"MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Application\\\\{9e3b8bee-15eb-444b-a692-bab4546644f2}\",\"src.process.displayName\":\"Eventing Command Line 
Utility\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"081BE6E7AB538ED5\",\"src.process.parent.image.md5\":\"ec038f4fd73993de139b889e7bcf2f66\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"081BE6E7AB538ED5\",\"src.process.parent.uid\":\"B81AE6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"B91AE6E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651056550,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW9G5WH7M8ZDX974Z857TJT3\",\"src.process.name\":\"wevtutil.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"20db4abf4539d2e054fbadde48078452a5a4adbca9eaeff66aba89f2c9164055\",\"src.process.indicatorGeneralCount\":2,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"338EC859EB214768AD336A240538CC9B\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"event.type\":\"Registry Key Create\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2308}",
 "event": {
 "action": "Registry Key Create",
- "dataset": "cloud-funnel-2.0",
- "kind": "event",
 "category": [
 "registry"
 ],
+ "dataset": "cloud-funnel-2.0",
+ "kind": "event",
 "type": [
 "creation"
 ]
 },
+ "@timestamp": "2023-03-24T09:46:08.286000Z",
 "agent": {
 "version": "22.3.2.373"
 },
@@ -3357,8 +3358,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "uuid": "9a25d24fd1e4418dab8e358865fa1e29"
 },
 "event": {
- "type": "Registry Key Create",
- "category": "registry"
+ "category": "registry",
+ "type": "Registry Key Create"
 },
 "host": {
 "os": {
@@ -3367,14 +3368,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "counters": {
+ "child_process": 1,
+ "cross_process": 0,
 "cross_process_dup_process_handle": 0,
 "cross_process_dup_thread_handle": 0,
- "cross_process": 0,
 "dns_lookups": 0,
 "file_creation": 0,
 "file_deletion": 0,
 "file_modification": 0,
- "child_process": 1,
 "module_load": 33,
 "net_conn": 0,
 "net_conn_in": 0,
@@ -3385,10 +3386,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "integrity_level": "SYSTEM",
 "is_redirected_command_processor": "False",
 "is_wow64": "False",
- "root": "False",
- "session_id": 0,
- "storyline_id": "B91AE6E7AB538ED5",
- "uid": "081BE6E7AB538ED5",
 "parent": {
 "family": "SYS_WIN32",
 "integrity_level": "SYSTEM",
@@ -3398,7 +3395,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "session_id": 0,
 "storyline_id": "B91AE6E7AB538ED5",
 "uid": "B81AE6E7AB538ED5"
- }
+ },
+ "root": "False",
+ "session_id": 0,
+ "storyline_id": "B91AE6E7AB538ED5",
+ "uid": "081BE6E7AB538ED5"
 }
 },
 "host": {
@@ -3412,8 +3413,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "observer": {
 "vendor": "SentinelOne"
 },
- "@timestamp": "2023-03-24T09:46:08.286000Z",
 "process": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "\"wevtutil.exe\" im C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\AzureEvents.man",
 "executable": "C:\\Windows\\System32\\wevtutil.exe",
 "hash": {
@@ -3422,18 +3426,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "sha256": "20db4abf4539d2e054fbadde48078452a5a4adbca9eaeff66aba89f2c9164055"
 },
 "name": "wevtutil.exe",
- "pid": 2532,
- "title": "Eventing Command Line Utility",
- "user": {
- "name": "NT AUTHORITY\\SYSTEM"
- },
- "working_directory": "C:\\Windows\\System32",
- "start": "2023-03-24T09:44:22.627000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- },
 "parent": {
+ "code_signature": {
+ "exists": true,
+ "subject_name": "MICROSOFT WINDOWS"
+ },
 "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
 "executable": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
 "hash": {
@@ -3443,27 +3440,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "name": "WaAppAgent.exe",
 "pid": 2308,
+ "start": "2023-03-24T09:44:16.550000Z",
 "title": "Microsoft Azure\u00c2\u00ae",
 "user": {
 "name": "NT AUTHORITY\\SYSTEM"
 },
- "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252",
- "start": "2023-03-24T09:44:16.550000Z",
- "code_signature": {
- "exists": true,
- "subject_name": "MICROSOFT WINDOWS"
- }
- }
- },
- "user": {
- "name": "SYSTEM",
- "domain": "NT AUTHORITY"
+ "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252"
+ },
+ "pid": 2532,
+ "start": "2023-03-24T09:44:22.627000Z",
+ "title": "Eventing Command Line Utility",
+ "user": {
+ "name": "NT AUTHORITY\\SYSTEM"
+ },
+ "working_directory": "C:\\Windows\\System32"
 },
 "registry": {
- "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application\\{9e3b8bee-15eb-444b-a692-bab4546644f2}",
- "value": "{9e3b8bee-15eb-444b-a692-bab4546644f2}",
 "hive": "MACHINE",
- "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application"
+ "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application",
+ "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application\\{9e3b8bee-15eb-444b-a692-bab4546644f2}",
+ "value": "{9e3b8bee-15eb-444b-a692-bab4546644f2}"
 },
 "related": {
 "hash": [
@@ -3477,6 +3473,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
@@ -3491,15 +3491,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"registry\",\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Services and Controller app\",\"osSrc.process.image.md5\":\"60ff40cfd7fb8fe41ee4fe9ae5fe1c51\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":14,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"3ea7cc066317ac45f963c2227c4c7c50aa16eb7c\",\"src.process.tgtFileCreationCount\":0,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":0,\"src.process.moduleCount\":447,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1679651246067,\"src.process.image.md5\":\"ec038f4fd73993de139b889e7bcf2f66\",\"src.process.indicatorReconnaissanceCount\":119,\"src.process.storyline.id\":\"B91AE6E7AB538ED5\",\"src.process.childProcCount\":15,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":172,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"REGKEYSECURITYCHANGED\",\"src.process.parent.integrityLevel\
":\"SYSTEM\",\"osSrc.process.user\":\"NT AUTHORITY\\\\NETWORK SERVICE\",\"osSrc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"src.process.indicatorExploitationCount\":1,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"381AE6E7AB538ED5\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":2996,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1679651207497,\"timestamp\":\"2023-03-24T09:46:47.497Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"68d7290a70ae3a396a0bd5164919694346047384\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":2308,\"osSrc.process.uid\":\"F21AE6E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679651252,\"dataSource.category\":\"security\",\"src.process.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":14,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GW9G83044XT7MEFV9Z37STGM_351\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"src.process.image.path\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\\\WaAppAgent.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"WmiPrvSE.exe\",\"src.process.indicatorEvasionCount\":2,\"src.process.netConnOutCount\":12,\"osSrc.process.startTime\":1679651059528,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":0,\"osSrc.process.image.sha256\":\"2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679651056550,\"mgmt.id\":\"16964\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":0,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":3,\"registry.keyPath\":\"MACHINE\\\\BCD00000000\\\\Objects\\\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\\\Elements\\\\11000001\",\"src.process.displayName\":\"Microsoft 
Azure\u00c2\u00ae\",\"osSrc.process.dnsCount\":0,\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"B81AE6E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -secured -Embedding\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"B81AE6E7AB538ED5\",\"src.process.parent.uid\":\"371AE6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"src.process.sessionId\":0,\"src.process.netConnCount\":12,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\"group.id\":\"B91AE6E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651047714,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":1,\"osSrc.process.tgtFileDeletionCount\":0,\"endpoint.type\":\"desktop\",\"osSrc.process.indicatorEvasionCount\":0,\"trace.id\":\"01GW9G83044XT7MEFV9Z37STGM\",\"src.process.name\":\"WaAppAgent.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.displayName\":\"WMI Provider Host\",\"src.process.image.sha256\":\"a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9\",\"src.process.indicatorGeneralCount\":7,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"DE00CD9C6B074221B3EEF81AB421B43F\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT 
AUTHORITY\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"F31AE6E7AB538ED5\",\"event.type\":\"Registry Key Security Changed\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":676}", "event": { "action": "Registry Key Security Changed", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "registry" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "change" ] }, + "@timestamp": "2023-03-24T09:46:47.497000Z", "agent": { "version": "22.3.2.373" }, @@ -3510,8 +3511,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Registry Key Security Changed", - "category": "registry" + "category": "registry", + "type": "Registry Key Security Changed" }, "host": { "os": { 
@@ -3519,70 +3520,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe", "counters": { + "child_process": 15, + "cross_process": 14, "cross_process_dup_process_handle": 14, "cross_process_dup_thread_handle": 0, - "cross_process": 14, "dns_lookups": 1, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 15, "module_load": 447, "net_conn": 12, "net_conn_in": 0, "net_conn_out": 12, "registry_modification": 0 }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "B91AE6E7AB538ED5", - "uid": "B81AE6E7AB538ED5", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe", "executable": { "name": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe" }, - "hash": { - "md5": "ec038f4fd73993de139b889e7bcf2f66", - "sha1": "68d7290a70ae3a396a0bd5164919694346047384", - "sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9" - }, - "name": "WaAppAgent.exe", - "pid": "2308", - "title": "Microsoft Azure\u00c2\u00ae", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252", - "start": "2023-03-24T09:44:16.550000Z", - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - }, - "parent": { - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "381AE6E7AB538ED5", - "uid": "371AE6E7AB538ED5" + "family": "SYS_WIN32", + "hash": { + "md5": "ec038f4fd73993de139b889e7bcf2f66", + "sha1": 
"68d7290a70ae3a396a0bd5164919694346047384", + "sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9" }, + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "name": "WaAppAgent.exe", "ossrc": { "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 172, "net_conn": 0, "net_conn_in": 0, @@ -3597,7 +3577,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": "0", "storyline_id": "F31AE6E7AB538ED5", "uid": "F21AE6E7AB538ED5" - } + }, + "parent": { + "family": "SYS_WIN32", + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": 0, + "storyline_id": "381AE6E7AB538ED5", + "uid": "371AE6E7AB538ED5" + }, + "pid": "2308", + "root": "True", + "session_id": 0, + "start": "2023-03-24T09:44:16.550000Z", + "storyline_id": "B91AE6E7AB538ED5", + "title": "Microsoft Azure\u00c2\u00ae", + "uid": "B81AE6E7AB538ED5", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252" } }, "host": { 
@@ -3611,9 +3612,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-24T09:46:47.497000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "md5": "60ff40cfd7fb8fe41ee4fe9ae5fe1c51", + "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", + "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3" + }, + "name": "WmiPrvSE.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { 
@@ -3623,46 +3639,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 676, + "start": "2023-03-24T09:44:07.714000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:44:07.714000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows\\System32" }, - "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", - "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "name": "WmiPrvSE.exe", "pid": 2996, + "start": "2023-03-24T09:44:19.528000Z", "title": "WMI Provider Host", "user": { "name": "NT AUTHORITY\\NETWORK SERVICE" }, - "working_directory": "C:\\Windows\\System32\\wbem", - "hash": { - "md5": "60ff40cfd7fb8fe41ee4fe9ae5fe1c51", - "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c", - "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3" - }, - "start": "2023-03-24T09:44:19.528000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - }, - "user": { - "name": "NETWORK SERVICE", - "domain": "NT AUTHORITY" + "working_directory": "C:\\Windows\\System32\\wbem" }, "registry": { - "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001", - "value": "11000001", "hive": "MACHINE", - "key": "BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements" + "key": "BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements", + "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001", + "value": "11000001" }, "related": { "hash": [ @@ -3676,6 +3672,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NETWORK SERVICE" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } 
@@ -3690,15 +3690,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"registry\",\"src.process.parent.image.sha1\":\"d7a213f3cfee2a8a191769eb33847953be51de54\",\"site.id\":\"1640744535583677559\",\"registry.valueFullSize\":8,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Services and Controller app\",\"src.process.user\":\"NT AUTHORITY\\\\LOCAL SERVICE\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"registry.oldValueType\":\"QWORD\",\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":60,\"src.process.parent.name\":\"services.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679651725979,\"src.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"src.process.indicatorReconnaissanceCount\":4,\"src.process.storyline.id\":\"C21AE6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"registry.oldValueFullSize\":8,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"REGVALUEMODIFIED\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"381AE6E7AB538ED5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679651714861,\"timestamp\":\"2023-03-24T09:55:14.861Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":2400,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679651731,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalService\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GW9GPQS7DA4A1MEAAWC62TV0_17\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"registry.value\":\"0x01D95E36BB59E231\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679651056705,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"registry.keyPath\":\"MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\W32Time\\\\Config\\\\LastKnownGoodTime\",\"src.process.displayName\":\"Host Process for Windows 
Services\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"C11AE6E7AB538ED5\",\"src.process.parent.image.md5\":\"d8e577bf078c45954f4531885478d5a9\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"C11AE6E7AB538ED5\",\"registry.valueType\":\"QWORD\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"371AE6E7AB538ED5\",\"src.process.parent.image.sha256\":\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"C21AE6E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651047714,\"src.process.dnsCount\":1,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW9GPQS7DA4A1MEAAWC62TV0\",\"src.process.name\":\"svchost.exe\",\"registry.oldValueIsComplete\":true,\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.indicatorGeneralCount\":3,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"138ED27662FD4857B56CA60142FA1C2F\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"registry.oldValue\":\"0x01D95E36B1CF068C\",\"event.type\":\"Registry Value Modified\",\"src.process.indicatorPostExploitationCount\":0,\"registry.valueIsComplete\":true,\"src.process.parent.pid\":676}", "event": { "action": "Registry Value Modified", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ "registry" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "change" ] }, + "@timestamp": "2023-03-24T09:55:14.861000Z", "agent": { "version": 
"22.3.2.373" }, @@ -3709,8 +3710,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Registry Value Modified", - "category": "registry" + "category": "registry", + "type": "Registry Value Modified" }, "host": { "os": { @@ -3719,14 +3720,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 1, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 60, "net_conn": 0, "net_conn_in": 0, @@ -3737,10 +3738,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "SYSTEM", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "C21AE6E7AB538ED5", - "uid": "C11AE6E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "SYSTEM", @@ -3750,15 +3747,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 0, "storyline_id": "381AE6E7AB538ED5", "uid": "371AE6E7AB538ED5" - } + }, + "root": "True", + "session_id": 0, + "storyline_id": "C21AE6E7AB538ED5", + "uid": "C11AE6E7AB538ED5" }, "registry": { "old": { "data": { - "type": "REG_QWORD", "strings": [ "0x01D95E36B1CF068C" - ] + ], + "type": "REG_QWORD" } } } @@ -3774,8 +3775,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-24T09:55:14.861000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { 
@@ -3784,18 +3788,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, "name": "svchost.exe", - "pid": 2400, - "title": "Host Process for Windows Services", - "user": { - "name": "NT AUTHORITY\\LOCAL SERVICE" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:44:16.705000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "hash": { 
@@ -3805,33 +3802,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "services.exe", "pid": 676, + "start": "2023-03-24T09:44:07.714000Z", "title": "Services and Controller app", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:44:07.714000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "LOCAL SERVICE", - "domain": "NT AUTHORITY" + "working_directory": "C:\\Windows\\System32" + }, + "pid": 2400, + "start": "2023-03-24T09:44:16.705000Z", + "title": "Host Process for Windows Services", + "user": { + "name": "NT AUTHORITY\\LOCAL SERVICE" + }, + "working_directory": "C:\\Windows\\System32" }, "registry": { - "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\W32Time\\Config\\LastKnownGoodTime", - "value": "LastKnownGoodTime", - "hive": "MACHINE", - "key": "SYSTEM\\ControlSet001\\Services\\W32Time\\Config", "data": { - "type": "REG_QWORD", "strings": [ "0x01D95E36BB59E231" - ] - } + ], + "type": "REG_QWORD" + }, + "hive": "MACHINE", + "key": "SYSTEM\\ControlSet001\\Services\\W32Time\\Config", + "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\W32Time\\Config\\LastKnownGoodTime", + "value": "LastKnownGoodTime" }, "related": { "hash": [ @@ -3845,6 +3841,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "LOCAL SERVICE" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "LOCAL SERVICE" } } @@ -3862,6 +3862,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "cloud-funnel-2.0", "kind": "event" }, + "@timestamp": "2023-03-24T14:38:22.878000Z", "agent": { "version": "22.3.2.373" }, 
@@ -3872,82 +3873,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Task Register", - "category": "scheduled_task" + "category": "scheduled_task", + "type": "Task Register" }, "host": { "os": { "revision": "19044" } }, - "scheduled_task": { - "name": "\\Task John" - }, "process": { + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\taskschd.msc\" /s", "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 0, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 397, "net_conn": 0, "net_conn_in": 0, "net_conn_out": 0, "registry_modification": 0 }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "5084E6E7AB538ED5", - "uid": "4F84E6E7AB538ED5", - "command_line": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\taskschd.msc\" /s", "executable": { "name": "C:\\Windows\\System32\\mmc.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "cdbae87d50068565cf2ed20e99246a2e", "sha1": "4a8b68a1ad588175d018944aacca6151e2cb4e3c", "sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e" }, + "integrity_level": "HIGH", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "mmc.exe", - "pid": "5228", - "title": "Microsoft Management Console", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T14:37:13.169000Z", - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - }, - "parent": { - "family": "SYS_WIN32", - "integrity_level": "HIGH", - 
"is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "FA1CE6E7AB538ED5", - "uid": "F91CE6E7AB538ED5" - }, "ossrc": { "counters": { + "child_process": 73, + "cross_process": 232, "cross_process_dup_process_handle": 9, "cross_process_dup_thread_handle": 4, - "cross_process": 232, "dns_lookups": 28, "file_creation": 0, "file_deletion": 0, "file_modification": 16, - "child_process": 73, "module_load": 44431, "net_conn": 86, "net_conn_in": 0, @@ -3962,7 +3939,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": "0", "storyline_id": "4E1AE6E7AB538ED5", "uid": "4D1AE6E7AB538ED5" - } + }, + "parent": { + "family": "SYS_WIN32", + "integrity_level": "HIGH", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": 2, + "storyline_id": "FA1CE6E7AB538ED5", + "uid": "F91CE6E7AB538ED5" + }, + "pid": "5228", + "root": "True", + "session_id": 2, + "start": "2023-03-24T14:37:13.169000Z", + "storyline_id": "5084E6E7AB538ED5", + "title": "Microsoft Management Console", + "uid": "4F84E6E7AB538ED5", + "user": { + "name": "desktop-jdoe\\john.doe" + }, + "working_directory": "C:\\Windows\\System32" + }, + "scheduled_task": { + "name": "\\Task John" } }, "host": { 
@@ -3976,9 +3977,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-24T14:38:22.878000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + }, + "name": "svchost.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "hash": { 
@@ -3988,40 +4004,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "explorer.exe", "pid": 5044, + "start": "2023-03-24T09:45:50.108000Z", "title": "Windows Explorer", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Windows", - "start": "2023-03-24T09:45:50.108000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows" }, - "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", "pid": 796, + "start": "2023-03-24T09:44:10.062000Z", "title": "Host Process for Windows Services", "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\Windows\\System32", - "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" - }, - "start": "2023-03-24T09:44:10.062000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ @@ -4035,6 +4031,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } @@ -4052,6 +4052,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "cloud-funnel-2.0", "kind": "event" }, + "@timestamp": "2023-03-30T15:01:01.660000Z", "agent": { "version": "22.3.2.373" }, 
@@ -4062,92 +4063,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "Task Start", - "category": "scheduled_task" + "category": "scheduled_task", + "type": "Task Start" + }, + "file": { + "location": "Local", + "type": "PE" }, "host": { "os": { "revision": "19044" } }, - "scheduled_task": { - "name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask" - }, "process": { + "activecontent": { + "code_signature": { + "exists": "true" + }, + "hash": { + "sha1": "4baee77d42bd0b2fa2660852eeac7962aa27a2f1" + }, + "path": "C:\\Windows\\System32\\pcasvc.dll", + "type": "FILE" + }, + "code_signature": { + "exists": "true", + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask", "counters": { + "child_process": 0, + "cross_process": 0, "cross_process_dup_process_handle": 0, "cross_process_dup_thread_handle": 0, - "cross_process": 0, "dns_lookups": 0, "file_creation": 1, "file_deletion": 0, "file_modification": 0, - "child_process": 0, "module_load": 53, "net_conn": 0, "net_conn_in": 0, "net_conn_out": 0, "registry_modification": 2 }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "7322E6E7AB538ED5", - "uid": "7222E6E7AB538ED5", - "command_line": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask", "executable": { "name": "C:\\Windows\\System32\\rundll32.exe" }, + "family": "SYS_WIN32", "hash": { "md5": "ef3179d498793bf4234f708d3be28633", "sha1": "dd399ae46303343f9f0da189aee11c67bd868222", "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa" }, + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", "name": "rundll32.exe", - "pid": "5304", 
- "title": "Windows host process (Rundll32)", - "user": { - "name": "NT AUTHORITY\\SYSTEM" - }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:47:14.837000Z", - "activecontent": { - "type": "FILE", - "path": "C:\\Windows\\System32\\pcasvc.dll", - "hash": { - "sha1": "4baee77d42bd0b2fa2660852eeac7962aa27a2f1" - }, - "code_signature": { - "exists": "true" - } - }, - "code_signature": { - "exists": "true", - "subject_name": "MICROSOFT WINDOWS" - }, - "parent": { - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "is_redirected_command_processor": "False", - "is_wow64": "False", - "root": "True", - "session_id": 0, - "storyline_id": "4E1AE6E7AB538ED5", - "uid": "4D1AE6E7AB538ED5" - }, "ossrc": { "counters": { + "child_process": 80, + "cross_process": 172, "cross_process_dup_process_handle": 10, "cross_process_dup_thread_handle": 5, - "cross_process": 172, "dns_lookups": 51, "file_creation": 0, "file_deletion": 0, "file_modification": 59, - "child_process": 80, "module_load": 38352, "net_conn": 99, "net_conn_in": 0, 
@@ -4162,13 +4143,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": "0", "storyline_id": "1F91E6E7AB538ED5", "uid": "1E91E6E7AB538ED5" - } + }, + "parent": { + "family": "SYS_WIN32", + "integrity_level": "SYSTEM", + "is_redirected_command_processor": "False", + "is_wow64": "False", + "root": "True", + "session_id": 0, + "storyline_id": "4E1AE6E7AB538ED5", + "uid": "4D1AE6E7AB538ED5" + }, + "pid": "5304", + "root": "True", + "session_id": 0, + "start": "2023-03-24T09:47:14.837000Z", + "storyline_id": "7322E6E7AB538ED5", + "title": "Windows host process (Rundll32)", + "uid": "7222E6E7AB538ED5", + "user": { + "name": "NT AUTHORITY\\SYSTEM" + }, + "working_directory": "C:\\Windows\\System32" }, - "file": { - "location": "Local", - "type": "PE" + "scheduled_task": { + "name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask" } }, + "file": { + "code_signature": { + "exists": false + }, + "created": "1966-04-24T06:14:24Z", + "directory": "C:\\Windows\\System32", + "hash": { + "md5": "ef3179d498793bf4234f708d3be28633", + "sha1": "dd399ae46303343f9f0da189aee11c67bd868222", + "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa" + }, + "mtime": "1966-04-24T06:14:24Z", + "name": "rundll32.exe", + "path": "C:\\Windows\\System32\\rundll32.exe", + "size": 71680 + }, "host": { "name": "desktop-jdoe", "os": { 
@@ -4180,9 +4197,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-30T15:01:01.660000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + }, + "name": "svchost.exe", "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { 
@@ -4192,56 +4224,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "svchost.exe", "pid": 796, + "start": "2023-03-24T09:44:10.062000Z", "title": "Host Process for Windows Services", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:44:10.062000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } + "working_directory": "C:\\Windows\\System32" }, - "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", "pid": 544, + "start": "2023-03-30T09:43:08.191000Z", "title": "Host Process for Windows Services", "user": { "name": "NT AUTHORITY\\SYSTEM" }, - "working_directory": "C:\\Windows\\System32", - "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" - }, - "start": "2023-03-30T09:43:08.191000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, - "file": { - "path": "C:\\Windows\\System32\\rundll32.exe", - "hash": { - "md5": "ef3179d498793bf4234f708d3be28633", - "sha1": "dd399ae46303343f9f0da189aee11c67bd868222", - "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa" - }, - "size": 71680, - "created": "1966-04-24T06:14:24Z", - "mtime": "1966-04-24T06:14:24Z", - "code_signature": { - "exists": false - }, - "name": "rundll32.exe", - "directory": "C:\\Windows\\System32" + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ @@ -4255,6 +4251,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } 
@@ -4269,16 +4269,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"url\",\"src.process.parent.image.sha1\":\"f2460307d8f0c264df4f101b5adaf6927d4116cf\",\"site.id\":\"1640744535583677559\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Userinit Logon Application\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":13,\"src.process.tgtFileCreationCount\":11,\"src.process.indicatorInjectionCount\":1,\"src.process.moduleCount\":1652,\"src.process.parent.name\":\"userinit.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1679651786046,\"src.process.image.md5\":\"b5da026b38c9e98a6f6d4061b6c3b4f3\",\"src.process.indicatorReconnaissanceCount\":6,\"src.process.storyline.id\":\"FA1CE6E7AB538ED5\",\"src.process.childProcCount\":14,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":1,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"HTTP\",\"src.process.parent.integrityLevel\":\"HIGH\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"F81CE6E7AB538ED5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"url.address\":\"https:\\/\\/assets.msn.com\\/weathermapdata\\/1\\/static\\/weather\\/Icons\\/taskbar_v3\\/Condition_Badge\\/D200PartlySunny.svg\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1679651744782,\"timestamp\":\"2023-03-24T09:55:44.782Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"08a3589a9016172702c75f16fe3c694b90942514\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":5044,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679651791,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\Windows\\\\Explorer.EXE\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":18,\"event.id\":\"01GW9GRJCPRADP5V80KH7RQMGX_4\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"src.process.image.path\":\"C:\\\\Windows\\\\explorer.exe\",\"src.process.tgtFileModificationCount\":114,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":3,\"src.process.crossProcessDupThreadHandleCount\":4,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":5,\"src.process.startTime\":1679651150108,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.displayName\":\"Windows 
Explorer\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"src.process.uid\":\"F91CE6E7AB538ED5\",\"src.process.parent.image.md5\":\"47bbdbe152a597f4a840c5269ed961e8\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"F91CE6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"F71CE6E7AB538ED5\",\"src.process.parent.image.sha256\":\"03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55\",\"src.process.sessionId\":2,\"src.process.netConnCount\":3,\"event.url.action\":\"GET\",\"mgmt.osRevision\":\"19044\",\"group.id\":\"FA1CE6E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651149634,\"src.process.dnsCount\":2,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW9GRJCPRADP5V80KH7RQMGX\",\"src.process.name\":\"explorer.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8\",\"src.process.indicatorGeneralCount\":134,\"src.process.crossProcessOutOfStorylineCount\":18,\"src.process.registryChangeCount\":448,\"packet.id\":\"9CD5641227F648059A7D6C568A06DFE8\",\"src.process.indicatorPersistenceCount\":8,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"event.type\":\"GET\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4980}", "event": { "action": "GET", - "dataset": "cloud-funnel-2.0", - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], + "dataset": "cloud-funnel-2.0", + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-03-24T09:55:44.782000Z", "agent": { "version": "22.3.2.373" }, 
@@ -4289,8 +4290,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "uuid": "9a25d24fd1e4418dab8e358865fa1e29" }, "event": { - "type": "GET", - "category": "url" + "category": "url", + "type": "GET" }, "host": { "os": { @@ -4299,14 +4300,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "counters": { + "child_process": 14, + "cross_process": 18, "cross_process_dup_process_handle": 13, "cross_process_dup_thread_handle": 4, - "cross_process": 18, "dns_lookups": 2, "file_creation": 11, "file_deletion": 5, "file_modification": 114, - "child_process": 14, "module_load": 1652, "net_conn": 3, "net_conn_in": 0, @@ -4317,10 +4318,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "integrity_level": "HIGH", "is_redirected_command_processor": "False", "is_wow64": "False", - "root": "True", - "session_id": 2, - "storyline_id": "FA1CE6E7AB538ED5", - "uid": "F91CE6E7AB538ED5", "parent": { "family": "SYS_WIN32", "integrity_level": "HIGH", @@ -4330,7 +4327,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session_id": 2, "storyline_id": "F81CE6E7AB538ED5", "uid": "F71CE6E7AB538ED5" - } + }, + "root": "True", + "session_id": 2, + "storyline_id": "FA1CE6E7AB538ED5", + "uid": "F91CE6E7AB538ED5" } }, "host": { @@ -4341,11 +4342,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "desktop" }, + "http": { + "request": { + "method": "GET" + } + }, "observer": { "vendor": "SentinelOne" }, - "@timestamp": "2023-03-24T09:55:44.782000Z", "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "hash": { 
@@ -4354,18 +4363,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8" }, "name": "explorer.exe", - "pid": 5044, - "title": "Windows Explorer", - "user": { - "name": "desktop-jdoe\\john.doe" - }, - "working_directory": "C:\\Windows", - "start": "2023-03-24T09:45:50.108000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - }, "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, "command_line": "C:\\Windows\\system32\\userinit.exe", "executable": "C:\\Windows\\System32\\userinit.exe", "hash": { @@ -4375,36 +4377,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "userinit.exe", "pid": 4980, + "start": "2023-03-24T09:45:49.634000Z", "title": "Userinit Logon Application", "user": { "name": "desktop-jdoe\\john.doe" }, - "working_directory": "C:\\Windows\\System32", - "start": "2023-03-24T09:45:49.634000Z", - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS" - } - } - }, - "user": { - "name": "john.doe", - "domain": "desktop-jdoe" - }, - "http": { - "request": { - "method": "GET" - } - }, - "url": { - "original": "https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg", - "domain": "assets.msn.com", - "top_level_domain": "com", - "subdomain": "assets", - "registered_domain": "msn.com", - "path": "/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg", - "scheme": "https", - "port": 443 + "working_directory": "C:\\Windows\\System32" + }, + "pid": 5044, + "start": "2023-03-24T09:45:50.108000Z", + "title": "Windows Explorer", + "user": { + "name": "desktop-jdoe\\john.doe" + }, + "working_directory": "C:\\Windows" }, "related": { "hash": [ 
@@ -4418,6 +4404,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "url": { + "domain": "assets.msn.com", + "original": "https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg", + "path": "/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg", + "port": 443, + "registered_domain": "msn.com", + "scheme": "https", + "subdomain": "assets", + "top_level_domain": "com" + }, + "user": { + "domain": "desktop-jdoe", + "name": "john.doe" } } diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md index 8cbb098b84..07df424168 100644 --- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md +++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md @@ -35,26 +35,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Site: OSTAM,Server Name: STR04,Domain Name: MyDomain,The client has downloaded the content package successfully,STV02,ADMIN,stv02.local", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "reason": "The client has downloaded the content package successfully", "type": [ "info" ] }, - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "STV02", - "name": "stv02.local" - }, - "user": { - "name": "ADMIN" - }, "broadcom": { "endpoint_protection": { "server": { @@ -63,6 +52,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "host": { + "hostname": "STV02", + "name": "stv02.local" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { "hosts": [ "STV02" 
@@ -70,6 +67,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "ADMIN" ] + }, + "user": { + "name": "ADMIN" } } @@ -83,37 +83,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INT23456,,Blocked,C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.3.4615.2000.105\\Bin64\\ccSvcHst.exe,,Begin: 2022-08-29 11:58:20,End Time: 2022-08-29 11:58:20,Rule: ,4428,C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634\\CUAGENT.EXE,0,,C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.3.4615.2000.105\\Bin64\\ccSvcHst.exe,User Name: Admin,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: ", "event": { - "kind": "event", + "action": "Blocked", "category": [ "process" ], - "action": "Blocked", - "start": "2022-08-29T11:58:20Z", "end": "2022-08-29T11:58:20Z", + "kind": "event", + "start": "2022-08-29T11:58:20Z", "type": [ "denied" ] }, "@timestamp": "2022-08-29T11:58:20Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, "host": { "hostname": "INT23456", "name": "INT23456" }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "process": { - "pid": 4428, - "executable": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634\\CUAGENT.EXE", - "name": "CUAGENT.EXE", - "working_directory": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634", "args": [ "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\f.3.4615.2000.105\\Bin64\\ccSvcHst.exe" - ] - }, - "user": { - "name": "Admin" + ], + "executable": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634\\CUAGENT.EXE", + "name": "CUAGENT.EXE", + "pid": 4428, + "working_directory": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634" }, "related": { "hosts": [ 
@@ -122,6 +119,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Admin" ] + }, + "user": { + "name": "Admin" } } @@ -135,54 +135,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INT23456,1.2.3.4,Continue,Le contr\u00f4le des applications et des p\u00e9riph\u00e9riques est pr\u00eat.,Syst\u00e8me,Begin: 2022-10-19 06:45:39,End Time: 2022-10-19 06:45:39,Rule: R\u00e8gle int\u00e9gr\u00e9e,0,SysPlant,0,SysPlant,Aucun(e),User Name: Aucun(e),Domain Name: DOMAIN,Action Type: ,File size (bytes): 0,Device ID: ", "event": { - "kind": "event", + "action": "Continue", "category": [ "process" ], - "action": "Continue", - "start": "2022-10-19T06:45:39Z", "end": "2022-10-19T06:45:39Z", + "kind": "event", "reason": "Le contr\u00f4le des applications et des p\u00e9riph\u00e9riques est pr\u00eat.", + "start": "2022-10-19T06:45:39Z", "type": [ "info" ] }, "@timestamp": "2022-10-19T06:45:39Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" + "broadcom": { + "endpoint_protection": { + "server": { + "domain": "DOMAIN" + } + } + }, + "file": { + "size": 0 }, "host": { "hostname": "INT23456", "ip": "1.2.3.4", "name": "INT23456" }, - "file": { - "size": 0 + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" }, "process": { - "pid": 0, "executable": "SysPlant", - "name": "SysPlant" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "broadcom": { - "endpoint_protection": { - "server": { - "domain": "DOMAIN" - } - } + "name": "SysPlant", + "pid": 0 }, "related": { - "ip": [ - "1.2.3.4" - ], "hosts": [ "INT23456" + ], + "ip": [ + "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -196,10 +196,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INT23456,Category: 2,LiveUpdate Manager,\"Event Description: L\u2019installation d\u2019une mise \u00e0 jour de Revocation Data a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).\",Event time: 2022-10-18 18:09:26,Group Name: MyDomain\\Servers", "event": { - "kind": "event", "category": [ "process" ], + "kind": "event", "reason": "L\u2019installation d\u2019une mise \u00e0 jour de Revocation Data a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).", "start": "2022-10-18T18:09:26Z", "type": [ @@ -207,22 +207,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-10-18T18:09:26Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "INT23456", - "name": "INT23456" - }, "broadcom": { "endpoint_protection": { - "source": "LiveUpdate Manager", "server": { "group": "MyDomain\\Servers" - } + }, + "source": "LiveUpdate Manager" } }, + "host": { + "hostname": "INT23456", + "name": "INT23456" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { "hosts": [ "INT23456" 
@@ -240,10 +240,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INT23456,Category: 2,LiveUpdate Manager,\"Event Description: L\u2019installation d\u2019une mise \u00e0 jour de Virus and Spyware Definitions SDS Win64 (Reduced) a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).\",Event time: 2022-10-19 07:32:25,Group Name: MyDomain\\Servers", "event": { - "kind": "event", "category": [ "malware" ], + "kind": "event", "reason": "L\u2019installation d\u2019une mise \u00e0 jour de Virus and Spyware Definitions SDS Win64 (Reduced) a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).", "start": "2022-10-19T07:32:25Z", "type": [ @@ -251,22 +251,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-10-19T07:32:25Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "INT23456", - "name": "INT23456" - }, "broadcom": { "endpoint_protection": { - "source": "LiveUpdate Manager", "server": { "group": "MyDomain\\Servers" - } + }, + "source": "LiveUpdate Manager" } }, + "host": { + "hostname": "INT23456", + "name": "INT23456" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { "hosts": [ "INT23456" 
@@ -284,80 +284,80 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INT23456,Event Description: [SID\u00a0: 32329] attaque de Audit: Malicious Scan Attempt 2 d\u00e9tect\u00e9e mais pas bloqu\u00e9e. Chemin d\u2019application\u00a0: SYSTEM,Event Type: ,Local Host IP: 1.2.3.4,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 5.6.7.8,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2022-10-19 09:25:40,End Time: 2022-10-19 09:25:40,Occurrences: 1,Application: SYSTEM,Location: Par d\u00e9faut,User Name: none,Domain Name: ,Local Port: 443,Remote Port: 14867,CIDS Signature ID: 32329,CIDS Signature string: Audit: Malicious Scan Attempt 2,CIDS Signature SubID: 68040,Intrusion URL: http://9.8.7.6:443/,Intrusion Payload URL: ,SHA-256: 0000000000000000000000000000000000000000000000000000000000000000,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "end": "2022-10-19T09:25:40Z", + "kind": "event", "reason": "attaque de Audit: Malicious Scan Attempt 2 d\u00e9tect\u00e9e mais pas bloqu\u00e9e. 
Chemin d\u2019application\u00a0: SYSTEM", "start": "2022-10-19T09:25:40Z", - "end": "2022-10-19T09:25:40Z", "type": [ "info" ] }, "@timestamp": "2022-10-19T09:25:40Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" + "broadcom": { + "endpoint_protection": { + "application": { + "name": "SYSTEM" + }, + "cids": { + "signature": { + "id": 32329, + "label": "Audit: Malicious Scan Attempt 2", + "sub_id": 68040 + } + } + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 14867 }, "host": { "hostname": "INT23456", "ip": "1.2.3.4", "name": "INT23456" }, - "destination": { - "ip": "5.6.7.8", - "port": 14867, - "address": "5.6.7.8" - }, - "url": { - "original": "http://9.8.7.6:443/", - "domain": "9.8.7.6", - "path": "/", - "port": 443, - "scheme": "http" - }, "network": { "direction": "outbound", "transport": "tcp" }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "INT23456" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "source": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 443, - "address": "1.2.3.4" + "port": 443 }, "threat": { "enrichments": [ { "indicator": { - "type": "file", - "sightings": 1 + "sightings": 1, + "type": "file" } } ] }, - "broadcom": { - "endpoint_protection": { - "application": { - "name": "SYSTEM" - }, - "cids": { - "signature": { - "id": 32329, - "label": "Audit: Malicious Scan Attempt 2", - "sub_id": 68040 - } - } - } - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "hosts": [ - "INT23456" - ] + "url": { + "domain": "9.8.7.6", + "original": "http://9.8.7.6:443/", + "path": "/", + "port": 443, + "scheme": "http" } } 
@@ -371,66 +371,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Scan ID: 1664847558,Begin: 2022-10-04 17:42:10,End Time: 2022-10-04 17:44:22,Completed,Duration (seconds): 132,User1: Syst\u00e8me,User2: Syst\u00e8me,Analyse lanc\u00e9e sur lecteurs et dossiers s\u00e9lectionn\u00e9s et toutes les extensions.,Analyse Installation standard : Risques : 0 Analys\u00e9s : 1553 Fichiers/Dossiers/Lecteurs omis : 0 Fichiers approuv\u00e9s ignor\u00e9s : 844,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1553,Omitted: 0,Computer: DNHFF3453,IP Address: 1.2.3.4,Domain Name: MyDomain,Group Name: MyDomain\\Subdivision\\Citrix VDI persistants,Server Name: XXXXX01,Scan Type: DefWatch", "event": { - "kind": "event", "category": [ "malware" ], + "end": "2022-10-04T17:44:22Z", + "kind": "event", "reason": "Analyse lanc\u00e9e sur lecteurs et dossiers s\u00e9lectionn\u00e9s et toutes les extensions.", "start": "2022-10-04T17:42:10Z", - "end": "2022-10-04T17:44:22Z", "type": [ "info" ] }, "@timestamp": "2022-10-04T17:44:22Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "DNHFF3453", - "ip": "1.2.3.4", - "name": "DNHFF3453" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "Syst\u00e8me" - }, "broadcom": { "endpoint_protection": { - "server": { - "domain": "MyDomain", - "group": "MyDomain\\Subdivision\\Citrix VDI persistants", - "name": "XXXXX01" - }, "scan": { - "id": "1664847558", - "duration": 132, "command": "Not a command scan ()", - "type": "DefWatch", + "duration": 132, + "id": "1664847558", "result": { - "threats": 0, "infections": 0, - "total": 1553, - "omitted": 0 + "omitted": 0, + "threats": 0, + "total": 1553 }, - "status": "completed" + "status": "completed", + "type": "DefWatch" + }, + "server": { + "domain": "MyDomain", + "group": "MyDomain\\Subdivision\\Citrix VDI persistants", + "name": "XXXXX01" } 
} }, + "host": { + "hostname": "DNHFF3453", + "ip": "1.2.3.4", + "name": "DNHFF3453" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { - "ip": [ - "1.2.3.4" - ], "hosts": [ "DNHFF3453" ], + "ip": [ + "1.2.3.4" + ], "user": [ "Syst\u00e8me" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "Syst\u00e8me" } } 
@@ -444,64 +444,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "SONAR detection now allowed,IP Address: 1.2.3.4,Computer name: DNHFF3453,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,File path: c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe,Description: ,Actual action: Action invalid,Requested action: Process terminate pending restart,Secondary action: 102,Event time: 2022-07-07 17:01:05,Event Insert Time: 2022-07-07 17:24:14,End Time: 2022-07-07 17:01:05,Last update time: 2022-07-07 17:24:14,Domain Name: MyDomain,Group Name: MyDomain\\Subdivision\\Citrix VDI persistants,Server Name: XXXXX01,User Name: Doe,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: ,Web domain: ,Downloaded by: c:/windows/explorer.exe,Prevalence: This file has been seen by fewer than 50 Symantec users.,Confidence: There is some evidence that this file is trustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Allowed application reason: User allow list,Application hash: E13D72DE479A65E6448C779B3B2BCE45DB7B5AE52B1BAA0FE915380A667D3C01,Hash type: SHA2,Company name: Absyss S.A.S,Application name: Visual TOM,Application version: 6.6.1 (FR),Application type: 127,File size (bytes): 67352,Category set: Malware,Category type: Insight Network Threat,Location: MyDomain,Intensive Protection Level: 0,Certificate issuer: Absyss,Certificate signer: Sectigo RSA Code Signing CA,Certificate thumbprint: D31433F4C8C0BE4846E7E90318CD0CF5046EE95C,Signing timestamp: 1649155201,Certificate serial number: 044541E287C90A879334BFD15D6A3ED3", "event": { - "kind": "event", + "action": "Process terminate pending restart", "category": [ "process" ], + "kind": "event", "reason": "SONAR detection now allowed", - "action": "Process terminate pending restart", "type": [ "info" ] }, "@timestamp": "2022-07-07T17:24:14Z", - "observer": { - "vendor": 
"Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "DNHFF3453", - "ip": "1.2.3.4", - "name": "DNHFF3453" - }, - "file": { - "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe", - "size": 67352, - "name": "vtomxvision.exe", - "directory": "c:\\program files (x86)\\visualxxxxxxxxxx" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "Doe" - }, - "threat": { - "enrichments": [ - { - "indicator": { - "type": "file", - "first_seen": "2022-07-07T17:01:05.000000Z", - "last_seen": "2022-07-07T17:01:05.000000Z", - "modified_at": "2022-07-07T17:24:14.000000Z", - "sightings": 1, - "description": "WS.Reputation.1", - "file": { - "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe", - "size": 67352 - } - } - } - ] - }, "broadcom": { "endpoint_protection": { - "source": "Auto-Protect scan", - "server": { - "domain": "MyDomain", - "group": "MyDomain\\Subdivision\\Citrix VDI persistants", - "name": "XXXXX01" + "action": { + "main": "Action invalid", + "secondary": "102" }, "application": { "code_signature": { @@ -509,10 +467,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "serial_number": "044541E287C90A879334BFD15D6A3ED3", "thumbprint": "D31433F4C8C0BE4846E7E90318CD0CF5046EE95C" }, + "digest_algorithm": "sha2", "signer": "Sectigo RSA Code Signing CA", "subject_name": "Absyss", - "timestamp": "2022-04-05T10:40:01.000000Z", - "digest_algorithm": "sha2" + "timestamp": "2022-04-05T10:40:01.000000Z" }, "hash": { "sha2": "E13D72DE479A65E6448C779B3B2BCE45DB7B5AE52B1BAA0FE915380A667D3C01" 
@@ -520,36 +478,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Visual TOM", "version": "6.6.1 (FR)" }, - "action": { - "main": "Action invalid", - "secondary": "102" - }, - "prevalence": "This file has been seen by fewer than 50 Symantec users.", "confidence": "There is some evidence that this file is trustworthy.", "downloaded_by": { "file": { "path": "c:/windows/explorer.exe" } }, - "threat": { - "type": "Insight Network Threat", - "category": "Malware" - }, + "prevalence": "This file has been seen by fewer than 50 Symantec users.", "protection": { "level": 0 + }, + "server": { + "domain": "MyDomain", + "group": "MyDomain\\Subdivision\\Citrix VDI persistants", + "name": "XXXXX01" + }, + "source": "Auto-Protect scan", + "threat": { + "category": "Malware", + "type": "Insight Network Threat" } } }, + "file": { + "directory": "c:\\program files (x86)\\visualxxxxxxxxxx", + "name": "vtomxvision.exe", + "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe", + "size": 67352 + }, + "host": { + "hostname": "DNHFF3453", + "ip": "1.2.3.4", + "name": "DNHFF3453" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { - "ip": [ - "1.2.3.4" - ], "hosts": [ "DNHFF3453" ], + "ip": [ + "1.2.3.4" + ], "user": [ "Doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "description": "WS.Reputation.1", + "file": { + "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe", + "size": 67352 + }, + "first_seen": "2022-07-07T17:01:05.000000Z", + "last_seen": "2022-07-07T17:01:05.000000Z", + "modified_at": "2022-07-07T17:24:14.000000Z", + "sightings": 1, + "type": "file" + } + } + ] + }, + "user": { + "name": "Doe" } } 
@@ -563,10 +563,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "OND345,Category: 2,REP,Event Description: Impossible d\u2019assigner un jeton d\u2019authentification client. Une erreur de communication g\u00e9n\u00e9rale est survenue.,Event time: 2022-08-29 11:35:29,Group Name: Company\\Own", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "reason": "Impossible d\u2019assigner un jeton d\u2019authentification client. Une erreur de communication g\u00e9n\u00e9rale est survenue.", "start": "2022-08-29T11:35:29Z", "type": [ @@ -574,22 +574,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-08-29T11:35:29Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "OND345", - "name": "OND345" - }, "broadcom": { "endpoint_protection": { - "source": "REP", "server": { "group": "Company\\Own" - } + }, + "source": "REP" } }, + "host": { + "hostname": "OND345", + "name": "OND345" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { "hosts": [ "OND345" 
@@ -607,99 +607,99 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Virus found,IP Address: 1.2.3.4,Computer name: DNHFF3453,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\\Users\\admin\\Desktop\\test.txt,Description: AP realtime deferred scanning,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2022-07-07 14:28:39,Event Insert Time: 2022-07-07 14:30:43,End Time: 2022-07-07 14:28:39,Last update time: 2022-07-07 14:30:43,Domain Name: MyDomain,Group Name: MyDomain\\Subdivision\\Citrix VDI persistants,Server Name: XXXXX01,User Name: ADMIN,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: ,Prevalence: This file has been seen by millions of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Reputation was not used in this detection.,Sensitivity: ,Allowed application reason: Not on the allow list,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: Nouveau document texte.txt,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus,Location: MyDomain,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number: ", "event": { - "kind": "event", + "action": "Cleaned", "category": [ "malware" ], + "kind": "event", "reason": "Virus found", - "action": "Cleaned", "type": [ "info" ] }, "@timestamp": "2022-07-07T14:30:43Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "DNHFF3453", - "ip": "1.2.3.4", - "name": "DNHFF3453" - }, - "file": { - "path": "C:\\Users\\admin\\Desktop\\test.txt", - "size": 68, - "name": "test.txt", - "directory": "C:\\Users\\admin\\Desktop" - }, - 
"source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "ADMIN" - }, - "threat": { - "enrichments": [ - { - "indicator": { - "type": "file", - "first_seen": "2022-07-07T14:28:39.000000Z", - "last_seen": "2022-07-07T14:28:39.000000Z", - "modified_at": "2022-07-07T14:30:43.000000Z", - "sightings": 1, - "description": "EICAR Test String", - "file": { - "path": "C:\\Users\\admin\\Desktop\\test.txt", - "size": 68 - } - } - } - ] - }, "broadcom": { "endpoint_protection": { - "source": "Auto-Protect scan", - "server": { - "domain": "MyDomain", - "group": "MyDomain\\Subdivision\\Citrix VDI persistants", - "name": "XXXXX01" + "action": { + "main": "Cleaned by deletion", + "secondary": "Quarantined" }, "application": { + "code_signature": { + "digest_algorithm": "sha2" + }, "hash": { "sha2": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" }, - "name": "Nouveau document texte.txt", - "code_signature": { - "digest_algorithm": "sha2" - } + "name": "Nouveau document texte.txt" }, - "action": { - "main": "Cleaned by deletion", - "secondary": "Quarantined" - }, - "prevalence": "This file has been seen by millions of Symantec users.", "confidence": "This file is untrustworthy.", - "threat": { - "type": "Virus", - "category": "Malware" - }, + "prevalence": "This file has been seen by millions of Symantec users.", "protection": { "level": 0 + }, + "server": { + "domain": "MyDomain", + "group": "MyDomain\\Subdivision\\Citrix VDI persistants", + "name": "XXXXX01" + }, + "source": "Auto-Protect scan", + "threat": { + "category": "Malware", + "type": "Virus" } } }, + "file": { + "directory": "C:\\Users\\admin\\Desktop", + "name": "test.txt", + "path": "C:\\Users\\admin\\Desktop\\test.txt", + "size": 68 + }, + "host": { + "hostname": "DNHFF3453", + "ip": "1.2.3.4", + "name": "DNHFF3453" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { - "ip": [ - "1.2.3.4" - ], "hosts": [ "DNHFF3453" ], + 
"ip": [ + "1.2.3.4" + ], "user": [ "ADMIN" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "description": "EICAR Test String", + "file": { + "path": "C:\\Users\\admin\\Desktop\\test.txt", + "size": 68 + }, + "first_seen": "2022-07-07T14:28:39.000000Z", + "last_seen": "2022-07-07T14:28:39.000000Z", + "modified_at": "2022-07-07T14:30:43.000000Z", + "sightings": 1, + "type": "file" + } + } + ] + }, + "user": { + "name": "ADMIN" } } 
@@ -713,99 +713,99 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Virus found,IP Address: 1.2.3.4,Computer name: MyComputer,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: /tmp/eicar.txt,Description: ,Actual action: Quarantined,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2022-10-04 19:10:48,Event Insert Time: 2022-10-04 19:15:22,End Time: 2022-10-04 19:10:48,Last update time: 2022-10-04 19:15:22,Domain Name: Par d\u00e9faut,Group Name: Mydomain\\\\Servers\\\\Linux,Server Name: XXXX01,User Name: user,Source Computer Name: ,Source Computer IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: N/A,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Allowed application reason: Not on the allow list,Application hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267,Hash type: SHA2,Company name: ,Application name: Unknown,Application version: ,Application type: -1,File size (bytes): 69,Category set: Malware,Category type: Virus,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number: ", "event": { - "kind": "event", + "action": "Cleaned", "category": [ "malware" ], + "kind": "event", "reason": "Virus found", - "action": "Cleaned", "type": [ "info" ] }, "@timestamp": "2022-10-04T19:15:22Z", - "observer": { - "vendor": "Broadcom", - "product": "Symantec Endpoint Protection" - }, - "host": { - "hostname": "MyComputer", - "ip": "1.2.3.4", - "name": "MyComputer" - }, - "file": { - "path": "/tmp/eicar.txt", - "size": 69, - "name": "eicar.txt", - "directory": "/tmp" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "user" - }, - 
"threat": { - "enrichments": [ - { - "indicator": { - "type": "file", - "first_seen": "2022-10-04T19:10:48.000000Z", - "last_seen": "2022-10-04T19:10:48.000000Z", - "modified_at": "2022-10-04T19:15:22.000000Z", - "sightings": 1, - "description": "EICAR Test String", - "file": { - "path": "/tmp/eicar.txt", - "size": 69 - } - } - } - ] - }, "broadcom": { "endpoint_protection": { - "source": "Auto-Protect scan", - "server": { - "domain": "Par d\u00e9faut", - "group": "Mydomain\\\\Servers\\\\Linux", - "name": "XXXX01" + "action": { + "main": "Quarantined", + "secondary": "Quarantined" }, "application": { + "code_signature": { + "digest_algorithm": "sha2" + }, "hash": { "sha2": "131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267" }, - "name": "Unknown", - "code_signature": { - "digest_algorithm": "sha2" - } - }, - "action": { - "main": "Quarantined", - "secondary": "Quarantined" + "name": "Unknown" }, - "prevalence": "Reputation was not used in this detection.", "confidence": "Reputation was not used in this detection.", - "threat": { - "type": "Virus", - "category": "Malware" - }, + "prevalence": "Reputation was not used in this detection.", "protection": { "level": 0 + }, + "server": { + "domain": "Par d\u00e9faut", + "group": "Mydomain\\\\Servers\\\\Linux", + "name": "XXXX01" + }, + "source": "Auto-Protect scan", + "threat": { + "category": "Malware", + "type": "Virus" } } }, + "file": { + "directory": "/tmp", + "name": "eicar.txt", + "path": "/tmp/eicar.txt", + "size": 69 + }, + "host": { + "hostname": "MyComputer", + "ip": "1.2.3.4", + "name": "MyComputer" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, "related": { - "ip": [ - "1.2.3.4" - ], "hosts": [ "MyComputer" ], + "ip": [ + "1.2.3.4" + ], "user": [ "user" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "description": "EICAR Test String", + "file": { + "path": 
"/tmp/eicar.txt", + "size": 69 + }, + "first_seen": "2022-10-04T19:10:48.000000Z", + "last_seen": "2022-10-04T19:10:48.000000Z", + "modified_at": "2022-10-04T19:15:22.000000Z", + "sightings": 1, + "type": "file" + } + } + ] + }, + "user": { + "name": "user" } } diff --git a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md index bf2b010612..17bc3adb3c 100644 --- a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md +++ b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md @@ -30,13 +30,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "archive-creation" }, + "@timestamp": "2023-05-23T16:04:17.327781Z", + "client": { + "address": "149.202.162.59", + "ip": "149.202.162.59" + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://app.sekoia.io/operations/archives" + } + }, + "observer": { + "name": "sekoia.webapi" + }, + "related": { + "ip": [ + "149.202.162.59" + ] + }, "sekoiaio": { "activity": { "archive": { - "uuid": "8dc052c8-5e39-4d8b-9b3f-64de4a5a8910", "name": "Test Archive", "provider": "aws_s3", - "short_id": "ARj5VFpxRTet" + "short_id": "ARj5VFpxRTet", + "uuid": "8dc052c8-5e39-4d8b-9b3f-64de4a5a8910" }, "client": { "id": "4abd1b95-ccee-44ba-af50-5c3b18c40b9f", 
@@ -47,50 +66,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] } }, - "client": { - "ip": "149.202.162.59", - "address": "149.202.162.59" - }, - "@timestamp": "2023-05-23T16:04:17.327781Z", - "http": { - "request": { - "method": "POST", - "referrer": "https://app.sekoia.io/operations/archives" - } - }, - "observer": { - "name": "sekoia.webapi" - }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/sic/conf/archives", "path": "/v1/sic/conf/archives", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", + "port": 80, "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "335cbc80-648d-433a-8396-050c7b5777c8", "domain": "SEKOIA.IO", - "full_name": "Michael S." + "full_name": "Michael S.", + "id": "335cbc80-648d-433a-8396-050c7b5777c8" }, "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "113.0.0", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36", "os": { "name": "Linux" - } - }, - "related": { - "ip": [ - "149.202.162.59" - ] + }, + "version": "113.0.0" } } @@ -106,6 +106,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "event-searchjob-start" }, + "@timestamp": "2022-11-22T16:03:33.617764Z", + "client": { + "address": "149.202.162.59", + "ip": "149.202.162.59" + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://app.sekoia.io/operations/events?jobId=e2516dab-a983-40bd-bc08-edfd76c5c07c" + } + }, + "observer": { + "name": "sekoia.webapi" + }, + "related": { + "ip": [ + "149.202.162.59" + ] + }, "sekoiaio": { "activity": { "client": { 
@@ -113,12 +132,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "avatar" }, "communities": [ - "73d366f0-0ff0-44c5-afcc-f23f7f831902", - "9b1f77fc-cf38-4b3d-b1d7-ad0157649c70", - "fbdcf078-7c3e-4263-91a7-354e69fd7c5e", + "03896dd0-5d46-4214-8533-14284d05905e", "03d5d61a-1e39-40e0-bee9-e14983fd4206", "08303d95-46cf-4111-afd4-ae7e954e81fb", - "03896dd0-5d46-4214-8533-14284d05905e" + "73d366f0-0ff0-44c5-afcc-f23f7f831902", + "9b1f77fc-cf38-4b3d-b1d7-ad0157649c70", + "fbdcf078-7c3e-4263-91a7-354e69fd7c5e" ], "events_search": { "earliest_time": "2022-11-22T15:58:33.027Z", 
@@ -128,50 +147,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "client": { - "ip": "149.202.162.59", - "address": "149.202.162.59" - }, - "@timestamp": "2022-11-22T16:03:33.617764Z", - "http": { - "request": { - "method": "POST", - "referrer": "https://app.sekoia.io/operations/events?jobId=e2516dab-a983-40bd-bc08-edfd76c5c07c" - } - }, - "observer": { - "name": "sekoia.webapi" - }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/sic/conf/events/search/jobs", "path": "/v1/sic/conf/events/search/jobs", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", + "port": 80, "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "335cbc80-648d-433a-8396-050c7b5777c8", "domain": "SEKOIA.IO", - "full_name": "Michael S." + "full_name": "Michael S.", + "id": "335cbc80-648d-433a-8396-050c7b5777c8" }, "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Linux" - } - }, - "related": { - "ip": [ - "149.202.162.59" - ] + }, + "version": "107.0.0" } } @@ -187,19 +187,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "intake-format-picture-retrieval" }, - "sekoiaio": { - "activity": { - "client": { - "id": "41b811fa-6571-4d3e-9d35-38fb916adfcb", - "type": "avatar" - } - } - }, + "@timestamp": "2022-02-22T16:31:58.286485Z", "client": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, - "@timestamp": "2022-02-22T16:31:58.286485Z", "http": { "request": { "method": "GET", 
@@ -209,36 +201,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "name": "sekoia.webapi" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "sekoiaio": { + "activity": { + "client": { + "id": "41b811fa-6571-4d3e-9d35-38fb916adfcb", + "type": "avatar" + } + } + }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/ingest/formats/4d05ecd7-1a8a-4ce1-8e6d-c2de2593fa97/picture", "path": "/v1/ingest/formats/4d05ecd7-1a8a-4ce1-8e6d-c2de2593fa97/picture", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", + "port": 80, "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "54e0ec48-8430-4ba2-b70b-710341f41447", - "domain": "SEKOIA.IO" + "domain": "SEKOIA.IO", + "id": "54e0ec48-8430-4ba2-b70b-710341f41447" }, "user_agent": { - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36", "device": { "name": "Mac" }, "name": "Chrome", - "version": "98.0.4758", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36", "os": { "name": "Mac OS X", "version": "10.15.7" - } - }, - "related": { - "ip": [ - "1.2.3.4" - ] + }, + "version": "98.0.4758" } } 
@@ -251,19 +251,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":\"2021-10-29T11:34:23Z\",\"observer\":{\"name\":\"sekoia.webapi\",\"version\":null},\"visit\":{\"id\":null,\"ip\":\"141.229.130.228\",\"user_agent\":\"'Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/2020-08-24 06:07:18 Firefox/3.8\",\"referrer\":\"https://api.sekoia.io/v1/user/profile/settings\"},\"action\":{\"name\":null,\"path\":\"/v1/me\",\"url\":\"http://api.sekoia.io/v1/me?extended=true\",\"method\":\"GET\"},\"identity\":{\"user_uuid\":\"5beacab7-4fc9-4c07-8ec0-e6ad73ed77fe\",\"community_uuid\":\"22806a91-459c-40b1-98db-5af6ccf291fd\",\"profile_type\":\"avatar\",\"profile_identity\":\"95267578-e797-4263-90c3-09fb230536e2\"}}", - "sekoiaio": { - "activity": { - "client": { - "id": "95267578-e797-4263-90c3-09fb230536e2", - "type": "avatar" - } - } - }, + "@timestamp": "2021-10-29T11:34:23Z", "client": { - "ip": "141.229.130.228", - "address": "141.229.130.228" + "address": "141.229.130.228", + "ip": "141.229.130.228" }, - "@timestamp": "2021-10-29T11:34:23Z", "http": { "request": { "method": "GET", 
@@ -273,36 +265,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "name": "sekoia.webapi" }, + "related": { + "ip": [ + "141.229.130.228" + ] + }, + "sekoiaio": { + "activity": { + "client": { + "id": "95267578-e797-4263-90c3-09fb230536e2", + "type": "avatar" + } + } + }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/me?extended=true", "path": "/v1/me", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", - "registered_domain": "sekoia.io", + "port": 80, "query": "extended=true", + "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "5beacab7-4fc9-4c07-8ec0-e6ad73ed77fe", - "domain": "SEKOIA.IO" + "domain": "SEKOIA.IO", + "id": "5beacab7-4fc9-4c07-8ec0-e6ad73ed77fe" }, "user_agent": { - "original": "'Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/2020-08-24 06:07:18 Firefox/3.8", "device": { "name": "Other" }, "name": "Firefox", - "version": "3.8", + "original": "'Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/2020-08-24 06:07:18 Firefox/3.8", "os": { "name": "Linux" - } - }, - "related": { - "ip": [ - "141.229.130.228" - ] + }, + "version": "3.8" } } @@ -318,22 +318,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "invitation" }, - "sekoiaio": { - "activity": { - "client": { - "id": "335cbc80-648d-433a-8396-050c7b5777c8", - "type": "user" - }, - "user": { - "email": "demo.user@example.com" - } - } - }, + "@timestamp": "2022-11-22T17:51:33.207472Z", "client": { - "ip": "149.202.162.59", - "address": "149.202.162.59" + "address": "149.202.162.59", + "ip": "149.202.162.59" }, - "@timestamp": "2022-11-22T17:51:33.207472Z", "http": { "request": { "method": "POST", 
@@ -343,39 +332,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "name": "sekoia.webapi" }, + "related": { + "ip": [ + "149.202.162.59" + ] + }, + "sekoiaio": { + "activity": { + "client": { + "id": "335cbc80-648d-433a-8396-050c7b5777c8", + "type": "user" + }, + "user": { + "email": "demo.user@example.com" + } + } + }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/invitations", "path": "/v1/invitations", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", + "port": 80, "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "335cbc80-648d-433a-8396-050c7b5777c8", "domain": "SEKOIA.IO", "full_name": "Michael S.", + "id": "335cbc80-648d-433a-8396-050c7b5777c8", "target": { "email": "demo.user@example.com" } }, "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Linux" - } - }, - "related": { - "ip": [ - "149.202.162.59" - ] + }, + "version": "107.0.0" } } 
@@ -388,19 +388,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":\"2021-11-01T12:16:21.815546\",\"observer\":{\"name\":\"sekoia.webapi\",\"version\":null},\"visit\":{\"id\":null,\"ip\":\"51.255.128.104\",\"user_agent\":\"python-requests/2.26.0\",\"referrer\":\"None\"},\"action\":{\"name\":null,\"path\":\"/v2/inthreat/bundles\",\"url\":\"http://api.sekoia.io/v2/inthreat/bundles?auto_merge=1\",\"method\":\"POST\"},\"identity\":{\"user_uuid\":null,\"community_uuid\":\"02ff3284-506e-49d6-a9f5-99dbb2ea69ed\",\"profile_type\":\"apikey\",\"profile_identity\":\"9cd287a4-4a61-4bf1-998a-74087098adf4\"}}", - "sekoiaio": { - "activity": { - "client": { - "id": "9cd287a4-4a61-4bf1-998a-74087098adf4", - "type": "apikey" - } - } - }, + "@timestamp": "2021-11-01T12:16:21.815546Z", "client": { - "ip": "51.255.128.104", - "address": "51.255.128.104" + "address": "51.255.128.104", + "ip": "51.255.128.104" }, - "@timestamp": "2021-11-01T12:16:21.815546Z", "http": { "request": { "method": "POST" 
@@ -409,35 +401,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "name": "sekoia.webapi" }, + "related": { + "ip": [ + "51.255.128.104" + ] + }, + "sekoiaio": { + "activity": { + "client": { + "id": "9cd287a4-4a61-4bf1-998a-74087098adf4", + "type": "apikey" + } + } + }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v2/inthreat/bundles?auto_merge=1", "path": "/v2/inthreat/bundles", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", - "registered_domain": "sekoia.io", + "port": 80, "query": "auto_merge=1", + "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { "domain": "SEKOIA.IO" }, "user_agent": { - "original": "python-requests/2.26.0", "device": { "name": "Other" }, "name": "Python Requests", - "version": "2.26", + "original": "python-requests/2.26.0", "os": { "name": "Other" - } - }, - "related": { - "ip": [ - "51.255.128.104" - ] + }, + "version": "2.26" } } @@ -453,6 +453,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "role-assignment" }, + "@timestamp": "2022-11-22T17:51:17.134509Z", + "client": { + "address": "149.202.162.59", + "ip": "149.202.162.59" + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://app.sekoia.io/user/profile/communities/09c6528e-1b9f-4b81-98c8-482cea4e7974/members/1b28fe10-fa7c-430b-b97e-10874c9eca2e" + } + }, + "observer": { + "name": "sekoia.webapi" + }, + "related": { + "ip": [ + "149.202.162.59" + ] + }, "sekoiaio": { "activity": { "client": { 
@@ -472,55 +491,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "client": { - "ip": "149.202.162.59", - "address": "149.202.162.59" - }, - "@timestamp": "2022-11-22T17:51:17.134509Z", - "http": { - "request": { - "method": "POST", - "referrer": "https://app.sekoia.io/user/profile/communities/09c6528e-1b9f-4b81-98c8-482cea4e7974/members/1b28fe10-fa7c-430b-b97e-10874c9eca2e" - } - }, - "observer": { - "name": "sekoia.webapi" - }, "url": { + "domain": "api.sekoia.io", "original": "http://api.sekoia.io/v1/communities/09c6528e-1b9f-4b81-98c8-482cea4e7974/roles/2379a555-2817-4503-b7da-a30595fd8af5", "path": "/v1/communities/09c6528e-1b9f-4b81-98c8-482cea4e7974/roles/2379a555-2817-4503-b7da-a30595fd8af5", - "domain": "api.sekoia.io", - "top_level_domain": "io", - "subdomain": "api", + "port": 80, "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 + "subdomain": "api", + "top_level_domain": "io" }, "user": { - "id": "335cbc80-648d-433a-8396-050c7b5777c8", "domain": "SEKOIA.IO", "full_name": "Michael S.", + "id": "335cbc80-648d-433a-8396-050c7b5777c8", "target": { - "id": "0422a57e-1e71-4236-8ba2-538428220c9f", "full_name": "Dwight S.", + "id": "0422a57e-1e71-4236-8ba2-538428220c9f", "roles": "[soar_operator]" } }, "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Linux" - } - }, - "related": { - "ip": [ - "149.202.162.59" - ] + }, + "version": "107.0.0" } } diff --git a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md index f6fe337f94..f09c555449 100644 
--- a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md +++ b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md 
@@ -28,57 +28,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svDisable\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-7789616625639281959\",\n \"timeUsec\": \"1632459962686000\"\n },\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventName\": \"2sv_disable\",\n \"eventType\": \"2sv_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-tn3jrd3lko\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.2svDisable\"\n }\n },\n \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}", "@timestamp": "2021-09-24T05:06:02.686000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T05:06:03.845372592Z", "insertId": "-tn3jrd3lko", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.2svDisable", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { 
+ "timeUsec": "1632459962686000", + "uniqQualifier": "-7789616625639281959" + }, "event": [ { - "status": { - "success": true - }, + "eventName": "2sv_disable", + "eventType": "2sv_change", "parameter": [ { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", - "name": "dusi" + "name": "dusi", + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } ], - "eventName": "2sv_disable", - "eventType": "2sv_change" + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632459962686000", - "uniqQualifier": "-7789616625639281959" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.2svDisable", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T05:06:03.845372592Z", + "resource": { + "labels": { + "method": "google.login.LoginService.2svDisable", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -87,6 +76,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -101,57 +101,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svEnroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"1624031130844323135\",\n \"timeUsec\": \"1632458745769000\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventType\": \"2sv_change\",\n \"status\": {\n \"success\": true\n },\n \"eventName\": \"2sv_enroll\",\n \"parameter\": [\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\"\n }\n ]\n }\n ]\n }\n },\n \"insertId\": \"g3k8gid3b3p\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.2svEnroll\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T04:45:45.769Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T04:45:46.331843829Z\"\n}", "@timestamp": "2021-09-24T04:45:45.769000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T04:45:46.331843829Z", "insertId": "g3k8gid3b3p", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.2svEnroll", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + 
"timeUsec": "1632458745769000", + "uniqQualifier": "1624031130844323135" + }, "event": [ { - "eventType": "2sv_change", - "status": { - "success": true - }, "eventName": "2sv_enroll", + "eventType": "2sv_change", "parameter": [ { - "value": "INfDlrzP9IH8_QE", - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "name": "dusi" + "name": "dusi", + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } - ] + ], + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632458745769000", - "uniqQualifier": "1624031130844323135" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.2svEnroll", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T04:45:46.331843829Z", + "resource": { + "labels": { + "method": "google.login.LoginService.2svEnroll", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -160,6 +149,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -174,30 +174,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledGeneric\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825589352000\",\n \"uniqQualifier\": \"-3303614929287073633\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_generic\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"nlgrf8d6ygj\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledGeneric\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}", "@timestamp": "2021-04-30T23:33:09.352000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T23:33:10.673412983Z", "insertId": "nlgrf8d6ygj", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.accountDisabledGeneric", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + 
"timeUsec": "1619825589352000", + "uniqQualifier": "-3303614929287073633" + }, "event": [ { - "eventType": "account_warning", "eventName": "account_disabled_generic", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -205,30 +199,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619825589352000", - "uniqQualifier": "-3303614929287073633" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.accountDisabledGeneric", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T23:33:10.673412983Z", + "resource": { + "labels": { + "method": "google.login.LoginService.accountDisabledGeneric", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -243,30 +243,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledHijacked\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825589352000\",\n \"uniqQualifier\": \"-3303614929287073633\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_hijacked\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"nlgrf8d6ygj\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledHijacked\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T23:33:09.352Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:33:10.673412983Z\"\n}", "@timestamp": "2021-04-30T23:33:09.352000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T23:33:10.673412983Z", "insertId": "nlgrf8d6ygj", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.accountDisabledHijacked", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + 
"timeUsec": "1619825589352000", + "uniqQualifier": "-3303614929287073633" + }, "event": [ { - "eventType": "account_warning", "eventName": "account_disabled_hijacked", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -274,30 +268,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619825589352000", - "uniqQualifier": "-3303614929287073633" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.accountDisabledHijacked", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T23:33:10.673412983Z", + "resource": { + "labels": { + "method": "google.login.LoginService.accountDisabledHijacked", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -312,30 +312,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_password_leak\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledPasswordLeak\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}", "@timestamp": "2021-04-30T18:41:23.475000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", "insertId": "-xkklkzcxkl", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.accountDisabledPasswordLeak", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + 
"activityId": { + "timeUsec": "1619808083475000", + "uniqQualifier": "6286848759980589624" + }, "event": [ { - "eventType": "account_warning", "eventName": "account_disabled_password_leak", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -343,30 +337,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619808083475000", - "uniqQualifier": "6286848759980589624" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.accountDisabledPasswordLeak", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", + "resource": { + "labels": { + "method": "google.login.LoginService.accountDisabledPasswordLeak", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -381,30 +381,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledSpamming\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_spamming\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledSpamming\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}", "@timestamp": "2021-04-30T18:41:23.475000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", "insertId": "-xkklkzcxkl", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.accountDisabledSpamming", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + 
"timeUsec": "1619808083475000", + "uniqQualifier": "6286848759980589624" + }, "event": [ { - "eventType": "account_warning", "eventName": "account_disabled_spamming", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -412,30 +406,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619808083475000", - "uniqQualifier": "6286848759980589624" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.accountDisabledSpamming", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", + "resource": { + "labels": { + "method": "google.login.LoginService.accountDisabledSpamming", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" + }, + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -450,30 +450,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619808083475000\",\n \"uniqQualifier\": \"6286848759980589624\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"account_disabled_spamming_through_relay\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-xkklkzcxkl\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.accountDisabledSpammingThroughRelay\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-04-30T18:41:23.475Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T18:41:24.650965796Z\"\n}", "@timestamp": "2021-04-30T18:41:23.475000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", "insertId": "-xkklkzcxkl", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.accountDisabledSpammingThroughRelay", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1619808083475000", + "uniqQualifier": "6286848759980589624" + }, "event": [ { - "eventType": "account_warning", "eventName": "account_disabled_spamming_through_relay", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -481,30 +475,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619808083475000", - "uniqQualifier": "6286848759980589624" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.accountDisabledSpammingThroughRelay", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T18:41:24.650965796Z", + "resource": { + "labels": { + "method": "google.login.LoginService.accountDisabledSpammingThroughRelay", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -519,57 +519,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.2svDisable\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-7789616625639281959\",\n \"timeUsec\": \"1632459962686000\"\n },\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventName\": \"2sv_disable\",\n \"eventType\": \"2sv_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-tn3jrd3lko\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.2svDisable\"\n }\n },\n \"timestamp\": \"2021-09-24T05:06:02.686Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:06:03.845372592Z\"\n}\n", "@timestamp": "2021-09-24T05:06:02.686000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T05:06:03.845372592Z", "insertId": "-tn3jrd3lko", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.2svDisable", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + 
"activityId": { + "timeUsec": "1632459962686000", + "uniqQualifier": "-7789616625639281959" + }, "event": [ { - "status": { - "success": true - }, + "eventName": "2sv_disable", + "eventType": "2sv_change", "parameter": [ { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", - "name": "dusi" + "name": "dusi", + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } ], - "eventName": "2sv_disable", - "eventType": "2sv_change" + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632459962686000", - "uniqQualifier": "-7789616625639281959" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.2svDisable", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T05:06:03.845372592Z", + "resource": { + "labels": { + "method": "google.login.LoginService.2svDisable", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -578,6 +567,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -592,63 +592,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"-5683698025624301037\",\n \"timeUsec\": \"1632501152256000\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"email_forwarding_out_of_domain\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"test-user@google.com\",\n \"name\": \"email_forwarding_destination_address\"\n }\n ],\n \"eventType\": \"email_forwarding_change\"\n }\n ]\n }\n },\n \"insertId\": \"rrcp9gd3y2f\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.emailForwardingOutOfDomain\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T16:32:32.256Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T16:32:33.319260836Z\"\n}", "@timestamp": "2021-09-24T16:32:32.256000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T16:32:33.319260836Z", "insertId": "rrcp9gd3y2f", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", 
- "labels": { - "method": "google.login.LoginService.emailForwardingOutOfDomain", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632501152256000", + "uniqQualifier": "-5683698025624301037" + }, "event": [ { "eventName": "email_forwarding_out_of_domain", - "status": { - "success": true - }, + "eventType": "email_forwarding_change", "parameter": [ { + "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING", - "value": "INfDlrzP9IH8_QE", - "label": "LABEL_OPTIONAL" + "value": "INfDlrzP9IH8_QE" }, { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "value": "test-user@google.com", - "name": "email_forwarding_destination_address" + "name": "email_forwarding_destination_address", + "type": "TYPE_STRING", + "value": "test-user@google.com" } ], - "eventType": "email_forwarding_change" + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632501152256000", - "uniqQualifier": "-5683698025624301037" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.emailForwardingOutOfDomain", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T16:32:33.319260836Z", + "resource": { + "labels": { + "method": "google.login.LoginService.emailForwardingOutOfDomain", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ 
@@ -657,6 +646,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -671,19 +671,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"insertId\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kube-scheduler\\\" of ClusterRole \\\"system:kube-scheduler\\\" to User \\\"system:kube-scheduler\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"2f93b0a6-f932-4d91-ad61-785ae9587360\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kube-scheduler\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.coordination.v1.leases.update\",\"resource\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\"}],\"methodName\":\"io.k8s.coordination.v1.leases.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election\"},\"resourceName\":\"coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-14T14:32:10.838967694Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-14T14:32:09.910723Z\"}", "@timestamp": "2022-06-14T14:32:09.910723Z", "google_cloud_audit": { - "receiveTimestamp": "2022-06-14T14:32:10.838967694Z", "insertId": "2f93b0a6-f932-4d91-ad61-785ae9587360", "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity", - "resource": { - "type": "k8s_cluster", - "labels": { - "project_id": "hazel-aria-348413", - "cluster_name": "cluster-1", - "location": "europe-central2-a" - } + "operation": { + "first": 
true, + "id": "2f93b0a6-f932-4d91-ad61-785ae9587360", + "last": true, + "producer": "k8s.io" }, "protoPayload": { - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "authorizationInfo": [ { "granted": true, @@ -692,42 +688,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ], "methodName": "io.k8s.coordination.v1.leases.update", - "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler" + "resourceName": "coordination.k8s.io/v1/namespaces/kube-system/leases/kube-scheduler", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" }, - "operation": { - "id": "2f93b0a6-f932-4d91-ad61-785ae9587360", - "first": true, - "last": true, - "producer": "k8s.io" + "receiveTimestamp": "2022-06-14T14:32:10.838967694Z", + "resource": { + "labels": { + "cluster_name": "cluster-1", + "location": "europe-central2-a", + "project_id": "hazel-aria-348413" + }, + "type": "k8s_cluster" } }, - "user": { - "name": "system:kube-scheduler" + "related": { + "ip": [ + "10.186.0.146" + ], + "user": [ + "system:kube-scheduler" + ] }, "service": { "name": "k8s.io" }, "source": { - "ip": "10.186.0.146", - "address": "10.186.0.146" + "address": "10.186.0.146", + "ip": "10.186.0.146" + }, + "user": { + "name": "system:kube-scheduler" }, "user_agent": { - "original": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election", "device": { "name": "Other" }, "name": "Other", + "original": "kube-scheduler/v1.22.8 (linux/amd64) kubernetes/2dca91e/leader-election", "os": { "name": "Linux" } - }, - "related": { - "ip": [ - "10.186.0.146" - ], - "user": [ - "system:kube-scheduler" - ] } } 
@@ -742,20 +742,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.govAttackWarning\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1619825837106000\",\n \"uniqQualifier\": \"7230131091737932677\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"gov_attack_warning\",\n \"eventType\": \"attack_warning\",\n \"status\": {\n \"success\": true\n }\n }\n ]\n }\n },\n \"insertId\": \"bxuophd1vlw\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.govAttackWarning\"\n }\n },\n \"timestamp\": \"2021-04-30T23:37:17.106Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-04-30T23:37:18.488559815Z\"\n}", "@timestamp": "2021-04-30T23:37:17.106000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-04-30T23:37:18.488559815Z", "insertId": "bxuophd1vlw", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.govAttackWarning", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1619825837106000", + "uniqQualifier": "7230131091737932677" + }, "event": [ { 
"eventName": "gov_attack_warning", @@ -765,26 +759,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1619825837106000", - "uniqQualifier": "7230131091737932677" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.govAttackWarning", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-04-30T23:37:18.488559815Z", + "resource": { + "labels": { + "method": "google.login.LoginService.govAttackWarning", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -793,6 +782,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -807,19 +807,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"insertId\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"labels\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"system:kubestore-collector\\\" of ClusterRole \\\"system:kubestore-collector\\\" to User \\\"system:kubestore-collector\\\"\"},\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"first\":true,\"id\":\"9d92cd5d-5043-4c8d-9a3b-92c0be113704\",\"last\":true,\"producer\":\"k8s.io\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"system:kubestore-collector\"},\"authorizationInfo\":[{\"granted\":true,\"permission\":\"io.k8s.core.v1.configmaps.update\",\"resource\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\"}],\"methodName\":\"io.k8s.core.v1.configmaps.update\",\"requestMetadata\":{\"callerIp\":\"10.186.0.146\",\"callerSuppliedUserAgent\":\"kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format\"},\"resourceName\":\"core/v1/namespaces/kube-system/configmaps/cluster-kubestore\",\"serviceName\":\"k8s.io\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T07:27:38.524909478Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"k8s_cluster\"},\"timestamp\":\"2022-06-15T07:27:36.652663Z\"}\n\n", "@timestamp": "2022-06-15T07:27:36.652663Z", "google_cloud_audit": { - "receiveTimestamp": "2022-06-15T07:27:38.524909478Z", "insertId": "9d92cd5d-5043-4c8d-9a3b-92c0be113704", "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity", - "resource": { - "type": "k8s_cluster", - "labels": { - "project_id": "hazel-aria-348413", - "cluster_name": "cluster-1", - "location": "europe-central2-a" - } + "operation": { + "first": true, + "id": 
"9d92cd5d-5043-4c8d-9a3b-92c0be113704", + "last": true, + "producer": "k8s.io" }, "protoPayload": { - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "authorizationInfo": [ { "granted": true, @@ -828,42 +824,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ], "methodName": "io.k8s.core.v1.configmaps.update", - "resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore" + "resourceName": "core/v1/namespaces/kube-system/configmaps/cluster-kubestore", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" }, - "operation": { - "id": "9d92cd5d-5043-4c8d-9a3b-92c0be113704", - "first": true, - "last": true, - "producer": "k8s.io" + "receiveTimestamp": "2022-06-15T07:27:38.524909478Z", + "resource": { + "labels": { + "cluster_name": "cluster-1", + "location": "europe-central2-a", + "project_id": "hazel-aria-348413" + }, + "type": "k8s_cluster" } }, - "user": { - "name": "system:kubestore-collector" - }, - "service": { + "related": { + "ip": [ + "10.186.0.146" + ], + "user": [ + "system:kubestore-collector" + ] + }, + "service": { "name": "k8s.io" }, "source": { - "ip": "10.186.0.146", - "address": "10.186.0.146" + "address": "10.186.0.146", + "ip": "10.186.0.146" + }, + "user": { + "name": "system:kubestore-collector" }, "user_agent": { - "original": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format", "device": { "name": "Other" }, "name": "Other", + "original": "kubestore_collector/v0.0.0 (linux/amd64) kubernetes/$Format", "os": { "name": "Linux" } - }, - "related": { - "ip": [ - "10.186.0.146" - ], - "user": [ - "system:kubestore-collector" - ] } } 
@@ -878,36 +878,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"insertId\":\"ofj3qoe4mbih\",\"logName\":\"projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity\",\"operation\":{\"id\":\"operation-1655309832996-a5fd6e18\",\"last\":true,\"producer\":\"container.googleapis.com\"},\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"metadata\":{\"operationType\":\"DELETE_CLUSTER\"},\"methodName\":\"google.container.v1.ClusterManager.DeleteCluster\",\"policyViolationInfo\":{\"orgPolicyViolationInfo\":{}},\"resourceLocation\":{\"currentLocations\":[\"europe-central2-a\"]},\"resourceName\":\"projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1\",\"serviceName\":\"container.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2022-06-15T16:19:48.068568099Z\",\"resource\":{\"labels\":{\"cluster_name\":\"cluster-1\",\"location\":\"europe-central2-a\",\"project_id\":\"hazel-aria-348413\"},\"type\":\"gke_cluster\"},\"severity\":\"NOTICE\",\"timestamp\":\"2022-06-15T16:19:47.720234784Z\"}", "@timestamp": "2022-06-15T16:19:47.720234Z", "google_cloud_audit": { - "receiveTimestamp": "2022-06-15T16:19:48.068568099Z", "insertId": "ofj3qoe4mbih", "logName": "projects/hazel-aria-348413/logs/cloudaudit.googleapis.com%2Factivity", - "severity": "NOTICE", - "resource": { - "type": "gke_cluster", - "labels": { - "project_id": "hazel-aria-348413", - "cluster_name": "cluster-1", - "location": "europe-central2-a" - } + "operation": { + "id": "operation-1655309832996-a5fd6e18", + "last": true, + "producer": "container.googleapis.com" }, "protoPayload": { "metadata": { "operationType": "DELETE_CLUSTER" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.container.v1.ClusterManager.DeleteCluster", - "resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1", "resourceLocation": { "currentLocations": [ "europe-central2-a" ] 
- } + }, + "resourceName": "projects/hazel-aria-348413/zones/europe-central2-a/clusters/cluster-1", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" }, - "operation": { - "id": "operation-1655309832996-a5fd6e18", - "last": true, - "producer": "container.googleapis.com" - } + "receiveTimestamp": "2022-06-15T16:19:48.068568099Z", + "resource": { + "labels": { + "cluster_name": "cluster-1", + "location": "europe-central2-a", + "project_id": "hazel-aria-348413" + }, + "type": "gke_cluster" + }, + "severity": "NOTICE" }, "service": { "name": "container.googleapis.com" 
@@ -925,74 +925,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginChallenge\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"login_challenge\",\n \"parameter\": [\n {\n \"name\": \"login_type\",\n \"value\": \"google_password\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_REPEATED\",\n \"name\": \"login_challenge_method\",\n \"multiStrValue\": [\n \"idv_preregistered_phone\"\n ]\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"incorrect_answer_entered\",\n \"name\": \"login_challenge_status\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"IOWJlfPwgvrTfg\"\n }\n ],\n \"eventType\": \"login\"\n }\n ],\n \"activityId\": {\n \"timeUsec\": \"1632500217183211\",\n \"uniqQualifier\": \"358068855354\"\n }\n }\n },\n \"insertId\": \"-nahbepd4l2j\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.loginChallenge\"\n }\n },\n \"timestamp\": \"2021-09-24T16:16:57.183211Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T17:51:28.041126044Z\"}", "@timestamp": "2021-09-24T16:16:57.183211Z", "google_cloud_audit": { - 
"receiveTimestamp": "2021-09-24T17:51:28.041126044Z", "insertId": "-nahbepd4l2j", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.loginChallenge", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632500217183211", + "uniqQualifier": "358068855354" + }, "event": [ { "eventName": "login_challenge", + "eventType": "login", "parameter": [ { + "label": "LABEL_OPTIONAL", "name": "login_type", - "value": "google_password", "type": "TYPE_STRING", - "label": "LABEL_OPTIONAL" + "value": "google_password" }, { - "type": "TYPE_STRING", "label": "LABEL_REPEATED", - "name": "login_challenge_method", "multiStrValue": [ "idv_preregistered_phone" - ] + ], + "name": "login_challenge_method", + "type": "TYPE_STRING" }, { "label": "LABEL_OPTIONAL", + "name": "login_challenge_status", "type": "TYPE_STRING", - "value": "incorrect_answer_entered", - "name": "login_challenge_status" + "value": "incorrect_answer_entered" }, { - "type": "TYPE_STRING", - "name": "dusi", "label": "LABEL_OPTIONAL", + "name": "dusi", + "type": "TYPE_STRING", "value": "IOWJlfPwgvrTfg" } - ], - "eventType": "login" + ] } ], - "activityId": { - "timeUsec": "1632500217183211", - "uniqQualifier": "358068855354" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.loginChallenge", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "resourceName": "organizations/123", + 
"type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T17:51:28.041126044Z", + "resource": { + "labels": { + "method": "google.login.LoginService.loginChallenge", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1001,6 +990,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1015,40 +1015,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginFailure\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"eventName\": \"login_failure\",\n \"eventType\": \"login\",\n \"parameter\": [\n {\n \"value\": \"google_password\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"login_type\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_REPEATED\",\n \"multiStrValue\": [\n \"password\",\n \"idv_preregistered_phone\",\n \"idv_preregistered_phone\"\n ]\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"IOWJlfPwgvrTfg\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632500217183212\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-nahbepd4l1x\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.loginFailure\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T16:16:57.183212Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T17:51:25.034361197Z\"\n}", "@timestamp": "2021-09-24T16:16:57.183212Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T17:51:25.034361197Z", "insertId": "-nahbepd4l1x", "logName": 
"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.loginFailure", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632500217183212", + "uniqQualifier": "358068855354" + }, "event": [ { "eventName": "login_failure", "eventType": "login", "parameter": [ { - "value": "google_password", - "type": "TYPE_STRING", + "label": "LABEL_OPTIONAL", "name": "login_type", - "label": "LABEL_OPTIONAL" + "type": "TYPE_STRING", + "value": "google_password" }, { - "name": "login_challenge_method", - "type": "TYPE_STRING", "label": "LABEL_REPEATED", "multiStrValue": [ "password", "idv_preregistered_phone", "idv_preregistered_phone" - ] + ], + "name": "login_challenge_method", + "type": "TYPE_STRING" }, { "label": "LABEL_OPTIONAL", 
@@ -1059,26 +1053,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] } ], - "activityId": { - "timeUsec": "1632500217183212", - "uniqQualifier": "358068855354" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.loginFailure", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T17:51:25.034361197Z", + "resource": { + "labels": { + "method": "google.login.LoginService.loginFailure", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1087,6 +1076,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1101,74 +1101,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginSuccess\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"activityId\": {\n \"timeUsec\": \"1632458429811809\",\n \"uniqQualifier\": \"358068855354\"\n },\n \"event\": [\n {\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"value\": \"google_password\",\n \"name\": \"login_type\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"label\": \"LABEL_REPEATED\",\n \"type\": \"TYPE_STRING\",\n \"multiStrValue\": [\n \"password\"\n ]\n },\n {\n \"type\": \"TYPE_BOOL\",\n \"boolValue\": false,\n \"name\": \"is_suspicious\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n }\n ],\n \"eventType\": \"login\",\n \"eventName\": \"login_success\"\n }\n ]\n }\n },\n \"insertId\": \"ci1svzd3hfk\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.loginSuccess\"\n }\n },\n \"timestamp\": \"2021-09-24T04:40:29.811809Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T05:43:20.474338130Z\"\n}", "@timestamp": "2021-09-24T04:40:29.811809Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T05:43:20.474338130Z", "insertId": "ci1svzd3hfk", 
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.loginSuccess", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632458429811809", + "uniqQualifier": "358068855354" + }, "event": [ { + "eventName": "login_success", + "eventType": "login", "parameter": [ { - "type": "TYPE_STRING", - "value": "google_password", + "label": "LABEL_OPTIONAL", "name": "login_type", - "label": "LABEL_OPTIONAL" + "type": "TYPE_STRING", + "value": "google_password" }, { - "name": "login_challenge_method", "label": "LABEL_REPEATED", - "type": "TYPE_STRING", "multiStrValue": [ "password" - ] + ], + "name": "login_challenge_method", + "type": "TYPE_STRING" }, { - "type": "TYPE_BOOL", "boolValue": false, + "label": "LABEL_OPTIONAL", "name": "is_suspicious", - "label": "LABEL_OPTIONAL" + "type": "TYPE_BOOL" }, { - "value": "INfDlrzP9IH8_QE", + "label": "LABEL_OPTIONAL", "name": "dusi", "type": "TYPE_STRING", - "label": "LABEL_OPTIONAL" + "value": "INfDlrzP9IH8_QE" } - ], - "eventType": "login", - "eventName": "login_success" + ] } ], - "activityId": { - "timeUsec": "1632458429811809", - "uniqQualifier": "358068855354" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.loginSuccess", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T05:43:20.474338130Z", + 
"resource": { + "labels": { + "method": "google.login.LoginService.loginSuccess", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1177,6 +1166,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1191,80 +1191,69 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.loginVerification\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"login_verification\",\n \"parameter\": [\n {\n \"name\": \"login_type\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"google_password\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"name\": \"login_challenge_method\",\n \"multiStrValue\": [\n \"idv_preregistered_phone\"\n ],\n \"label\": \"LABEL_REPEATED\",\n \"type\": \"TYPE_STRING\"\n },\n {\n \"value\": \"passed\",\n \"name\": \"login_challenge_status\",\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\"\n },\n {\n \"value\": \"INfDlrzP9IH8_QE\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"dusi\",\n \"type\": \"TYPE_STRING\"\n },\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"boolValue\": true,\n \"type\": \"TYPE_BOOL\",\n \"name\": \"is_second_factor\"\n }\n ],\n \"eventType\": \"login\"\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632459936762000\"\n }\n }\n },\n \"insertId\": \"ivb9z4d41rh\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.loginVerification\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-24T05:05:36.762Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": 
\"2021-09-24T06:39:22.386813664Z\"\n}", "@timestamp": "2021-09-24T05:05:36.762000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T06:39:22.386813664Z", "insertId": "ivb9z4d41rh", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.loginVerification", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632459936762000", + "uniqQualifier": "358068855354" + }, "event": [ { "eventName": "login_verification", + "eventType": "login", "parameter": [ { + "label": "LABEL_OPTIONAL", "name": "login_type", "type": "TYPE_STRING", - "value": "google_password", - "label": "LABEL_OPTIONAL" + "value": "google_password" }, { - "name": "login_challenge_method", + "label": "LABEL_REPEATED", "multiStrValue": [ "idv_preregistered_phone" ], - "label": "LABEL_REPEATED", + "name": "login_challenge_method", "type": "TYPE_STRING" }, { - "value": "passed", + "label": "LABEL_OPTIONAL", "name": "login_challenge_status", "type": "TYPE_STRING", - "label": "LABEL_OPTIONAL" + "value": "passed" }, { - "value": "INfDlrzP9IH8_QE", "label": "LABEL_OPTIONAL", "name": "dusi", - "type": "TYPE_STRING" + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" }, { - "label": "LABEL_OPTIONAL", "boolValue": true, - "type": "TYPE_BOOL", - "name": "is_second_factor" + "label": "LABEL_OPTIONAL", + "name": "is_second_factor", + "type": "TYPE_BOOL" } - ], - "eventType": "login" + ] } ], - "activityId": { - "timeUsec": "1632459936762000", - "uniqQualifier": "358068855354" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.loginVerification", - "resourceName": "organizations/123" - } - }, - "user": { - "email": 
"test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T06:39:22.386813664Z", + "resource": { + "labels": { + "method": "google.login.LoginService.loginVerification", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1273,12 +1262,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] - } - } - - ``` - - + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" + } + } + + ``` + + === "logout.json" ```json 
@@ -1287,60 +1287,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.logout\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"eventName\": \"logout\",\n \"eventType\": \"login\",\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"name\": \"login_type\",\n \"value\": \"google_password\"\n },\n {\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"358068855354\",\n \"timeUsec\": \"1632459903014598\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"v37ytid14th\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.logout\"\n }\n },\n \"timestamp\": \"2021-09-24T05:05:03.014598Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-24T06:39:22.229734504Z\"\n}", "@timestamp": "2021-09-24T05:05:03.014598Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-24T06:39:22.229734504Z", "insertId": "v37ytid14th", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.logout", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632459903014598", + "uniqQualifier": "358068855354" + }, "event": [ { "eventName": "logout", "eventType": "login", "parameter": [ { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", "name": "login_type", + "type": "TYPE_STRING", "value": "google_password" }, { - "type": "TYPE_STRING", - "name": "dusi", "label": "LABEL_OPTIONAL", + "name": "dusi", + "type": "TYPE_STRING", "value": "INfDlrzP9IH8_QE" } ] } ], - "activityId": { - "timeUsec": "1632459903014598", - "uniqQualifier": "358068855354" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.logout", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-24T06:39:22.229734504Z", + "resource": { + "labels": { + "method": "google.login.LoginService.logout", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1349,6 +1338,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1363,57 +1363,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.passwordEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"password_edit\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"eventType\": \"password_change\"\n }\n ],\n \"activityId\": {\n \"uniqQualifier\": \"8894052787391296929\",\n \"timeUsec\": \"1632803013900566\"\n }\n }\n },\n \"insertId\": \"-u8coc0d6n78\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.passwordEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:23:33.900566Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:23:37.724654918Z\"\n}", "@timestamp": "2021-09-28T04:23:33.900566Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T04:23:37.724654918Z", "insertId": "-u8coc0d6n78", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.passwordEdit", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632803013900566", + "uniqQualifier": "8894052787391296929" + }, "event": [ { "eventName": "password_edit", - "status": { - "success": true - }, + "eventType": "password_change", "parameter": [ { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", - "name": "dusi" + "name": "dusi", + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } ], - "eventType": "password_change" + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632803013900566", - "uniqQualifier": "8894052787391296929" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.passwordEdit", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T04:23:37.724654918Z", + "resource": { + "labels": { + "method": "google.login.LoginService.passwordEdit", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1422,6 +1411,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1436,30 +1436,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoveryEmailEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1632802942940979\",\n \"uniqQualifier\": \"-7373127890859496609\"\n },\n \"event\": [\n {\n \"eventType\": \"recovery_info_change\",\n \"eventName\": \"recovery_email_edit\",\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-nkwfupd26zt\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.recoveryEmailEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:22:22.940979Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:22:26.523242112Z\"\n}", "@timestamp": "2021-09-28T04:22:22.940979Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T04:22:26.523242112Z", "insertId": "-nkwfupd26zt", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.recoveryEmailEdit", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632802942940979", + "uniqQualifier": "-7373127890859496609" + }, "event": [ { - "eventType": "recovery_info_change", "eventName": "recovery_email_edit", + "eventType": "recovery_info_change", "parameter": [ { "label": "LABEL_OPTIONAL", + "name": "dusi", "type": "TYPE_STRING", - "value": "INfDlrzP9IH8_QE", - "name": "dusi" + "value": "INfDlrzP9IH8_QE" } ], "status": { @@ -1467,26 +1461,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1632802942940979", - "uniqQualifier": "-7373127890859496609" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.recoveryEmailEdit", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T04:22:26.523242112Z", + "resource": { + "labels": { + "method": "google.login.LoginService.recoveryEmailEdit", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1495,6 +1484,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1509,57 +1509,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoveryPhoneEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"event\": [\n {\n \"status\": {\n \"success\": true\n },\n \"eventType\": \"recovery_info_change\",\n \"eventName\": \"recovery_phone_edit\",\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\"\n }\n ]\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"activityId\": {\n \"timeUsec\": \"1632804439611095\",\n \"uniqQualifier\": \"1470137036135837564\"\n }\n }\n },\n \"insertId\": \"-1xtrgbd2vl2\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.recoveryPhoneEdit\"\n }\n },\n \"timestamp\": \"2021-09-28T04:47:19.611095Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:47:25.741574446Z\"}", "@timestamp": "2021-09-28T04:47:19.611095Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T04:47:25.741574446Z", "insertId": "-1xtrgbd2vl2", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.recoveryPhoneEdit", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632804439611095", + "uniqQualifier": "1470137036135837564" + }, "event": [ { - "status": { - "success": true - }, - "eventType": "recovery_info_change", "eventName": "recovery_phone_edit", + "eventType": "recovery_info_change", "parameter": [ { "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", + "name": "dusi", "type": "TYPE_STRING", - "name": "dusi" + "value": "INfDlrzP9IH8_QE" } - ] + ], + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632804439611095", - "uniqQualifier": "1470137036135837564" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.recoveryPhoneEdit", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T04:47:25.741574446Z", + "resource": { + "labels": { + "method": "google.login.LoginService.recoveryPhoneEdit", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1568,6 +1557,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1582,57 +1582,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.recoverySecretQaEdit\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"8328506129139272243\",\n \"timeUsec\": \"1632804455273424\"\n },\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventName\": \"recovery_secret_qa_edit\",\n \"eventType\": \"recovery_info_change\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\",\n \"label\": \"LABEL_OPTIONAL\"\n }\n ]\n }\n ]\n }\n },\n \"insertId\": \"vn31slcpmy\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"method\": \"google.login.LoginService.recoverySecretQaEdit\",\n \"service\": \"login.googleapis.com\"\n }\n },\n \"timestamp\": \"2021-09-28T04:47:35.273424Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T04:47:37.650432219Z\"}", "@timestamp": "2021-09-28T04:47:35.273424Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T04:47:37.650432219Z", "insertId": "vn31slcpmy", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.recoverySecretQaEdit", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632804455273424", + "uniqQualifier": "8328506129139272243" + }, "event": [ { "eventName": "recovery_secret_qa_edit", "eventType": "recovery_info_change", - "status": { - "success": true - }, "parameter": [ { - "type": "TYPE_STRING", - "value": "INfDlrzP9IH8_QE", + "label": "LABEL_OPTIONAL", "name": "dusi", - "label": "LABEL_OPTIONAL" + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } - ] + ], + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632804455273424", - "uniqQualifier": "8328506129139272243" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.recoverySecretQaEdit", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T04:47:37.650432219Z", + "resource": { + "labels": { + "method": "google.login.LoginService.recoverySecretQaEdit", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1641,6 +1630,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1655,30 +1655,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousLogin\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_login\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousLogin\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}", "@timestamp": "2021-05-04T02:26:21Z", "google_cloud_audit": { - "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", "insertId": "-778d70d2n5b", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.suspiciousLogin", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1620095181000000", + 
"uniqQualifier": "-2034771694824799453" + }, "event": [ { - "eventType": "account_warning", "eventName": "suspicious_login", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -1686,30 +1680,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1620095181000000", - "uniqQualifier": "-2034771694824799453" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.suspiciousLogin", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", + "resource": { + "labels": { + "method": "google.login.LoginService.suspiciousLogin", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -1724,30 +1724,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousLoginLessSecureApp\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_login_less_secure_app\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousLoginLessSecureApp\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}", "@timestamp": "2021-05-04T02:26:21Z", "google_cloud_audit": { - "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", "insertId": "-778d70d2n5b", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.suspiciousLoginLessSecureApp", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + 
"activityId": { + "timeUsec": "1620095181000000", + "uniqQualifier": "-2034771694824799453" + }, "event": [ { - "eventType": "account_warning", "eventName": "suspicious_login_less_secure_app", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -1755,30 +1749,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1620095181000000", - "uniqQualifier": "-2034771694824799453" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", + "resource": { + "labels": { + "method": "google.login.LoginService.suspiciousLoginLessSecureApp", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -1793,30 +1793,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {},\n \"requestMetadata\": {\n \"callerIp\": \"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\"\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.suspiciousProgrammaticLogin\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"timeUsec\": \"1620095181000000\",\n \"uniqQualifier\": \"-2034771694824799453\"\n },\n \"event\": [\n {\n \"eventType\": \"account_warning\",\n \"eventName\": \"suspicious_programmatic_login\",\n \"parameter\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"test-user@example.com\",\n \"label\": \"LABEL_OPTIONAL\",\n \"type\": \"TYPE_STRING\"\n }\n ],\n \"status\": {\n \"success\": true\n }\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-778d70d2n5b\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.suspiciousProgrammaticLogin\"\n }\n },\n \"timestamp\": \"2021-05-04T02:26:21Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-05-04T02:56:23.806722355Z\"\n}", "@timestamp": "2021-05-04T02:26:21Z", "google_cloud_audit": { - "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", "insertId": "-778d70d2n5b", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.suspiciousProgrammaticLogin", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", + 
"activityId": { + "timeUsec": "1620095181000000", + "uniqQualifier": "-2034771694824799453" + }, "event": [ { - "eventType": "account_warning", "eventName": "suspicious_programmatic_login", + "eventType": "account_warning", "parameter": [ { - "name": "affected_email_address", - "value": "test-user@example.com", "label": "LABEL_OPTIONAL", - "type": "TYPE_STRING" + "name": "affected_email_address", + "type": "TYPE_STRING", + "value": "test-user@example.com" } ], "status": { @@ -1824,30 +1818,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ], - "activityId": { - "timeUsec": "1620095181000000", - "uniqQualifier": "-2034771694824799453" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.suspiciousProgrammaticLogin", - "resourceName": "organizations/123" - } + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-05-04T02:56:23.806722355Z", + "resource": { + "labels": { + "method": "google.login.LoginService.suspiciousProgrammaticLogin", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, - "user": { - "email": "test-user@example.com" + "related": { + "ip": [ + "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + ] }, "service": { "name": "login.googleapis.com" }, "source": { - "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", - "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" + "address": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", + "ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" }, - "related": { - "ip": [ - "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff" - ] + "user": { + "email": "test-user@example.com" } } 
@@ -1862,57 +1862,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.titaniumEnroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"activityId\": {\n \"uniqQualifier\": \"4206430548119220064\",\n \"timeUsec\": \"1632843484846000\"\n },\n \"event\": [\n {\n \"eventName\": \"titanium_enroll\",\n \"status\": {\n \"success\": true\n },\n \"parameter\": [\n {\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"type\": \"TYPE_STRING\",\n \"name\": \"dusi\"\n }\n ],\n \"eventType\": \"titanium_change\"\n }\n ],\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\"\n }\n },\n \"insertId\": \"-bxbn5bd167i\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.titaniumEnroll\"\n }\n },\n \"timestamp\": \"2021-09-28T15:38:04.846Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T15:38:05.969683854Z\"\n}", "@timestamp": "2021-09-28T15:38:04.846000Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T15:38:05.969683854Z", "insertId": "-bxbn5bd167i", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.titaniumEnroll", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632843484846000", + "uniqQualifier": "4206430548119220064" + }, "event": [ { "eventName": "titanium_enroll", - "status": { - "success": true - }, + "eventType": "titanium_change", "parameter": [ { "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", + "name": "dusi", "type": "TYPE_STRING", - "name": "dusi" + "value": "INfDlrzP9IH8_QE" } ], - "eventType": "titanium_change" + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632843484846000", - "uniqQualifier": "4206430548119220064" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.titaniumEnroll", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T15:38:05.969683854Z", + "resource": { + "labels": { + "method": "google.login.LoginService.titaniumEnroll", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1921,6 +1910,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
@@ -1935,57 +1935,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\n \"protoPayload\": {\n \"@type\": \"type.googleapis.com/google.cloud.audit.AuditLog\",\n \"authenticationInfo\": {\n \"principalEmail\": \"test-user@example.com\"\n },\n \"requestMetadata\": {\n \"callerIp\": \"203.0.113.255\",\n \"requestAttributes\": {},\n \"destinationAttributes\": {}\n },\n \"serviceName\": \"login.googleapis.com\",\n \"methodName\": \"google.login.LoginService.titaniumUnenroll\",\n \"resourceName\": \"organizations/123\",\n \"metadata\": {\n \"@type\": \"type.googleapis.com/ccc_hosted_reporting.ActivityProto\",\n \"event\": [\n {\n \"eventType\": \"titanium_change\",\n \"status\": {\n \"success\": true\n },\n \"eventName\": \"titanium_unenroll\",\n \"parameter\": [\n {\n \"type\": \"TYPE_STRING\",\n \"label\": \"LABEL_OPTIONAL\",\n \"value\": \"INfDlrzP9IH8_QE\",\n \"name\": \"dusi\"\n }\n ]\n }\n ],\n \"activityId\": {\n \"timeUsec\": \"1632843914653434\",\n \"uniqQualifier\": \"-6706492269209711994\"\n }\n }\n },\n \"insertId\": \"-vw60qad1861\",\n \"resource\": {\n \"type\": \"audited_resource\",\n \"labels\": {\n \"service\": \"login.googleapis.com\",\n \"method\": \"google.login.LoginService.titaniumUnenroll\"\n }\n },\n \"timestamp\": \"2021-09-28T15:45:14.653434Z\",\n \"severity\": \"NOTICE\",\n \"logName\": \"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access\",\n \"receiveTimestamp\": \"2021-09-28T15:45:15.862755277Z\"\n}", "@timestamp": "2021-09-28T15:45:14.653434Z", "google_cloud_audit": { - "receiveTimestamp": "2021-09-28T15:45:15.862755277Z", "insertId": "-vw60qad1861", "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access", - "severity": "NOTICE", - "resource": { - "type": "audited_resource", - "labels": { - "method": "google.login.LoginService.titaniumUnenroll", - "service": "login.googleapis.com" - } - }, "protoPayload": { "metadata": { - "type": 
"type.googleapis.com/ccc_hosted_reporting.ActivityProto", + "activityId": { + "timeUsec": "1632843914653434", + "uniqQualifier": "-6706492269209711994" + }, "event": [ { - "eventType": "titanium_change", - "status": { - "success": true - }, "eventName": "titanium_unenroll", + "eventType": "titanium_change", "parameter": [ { - "type": "TYPE_STRING", "label": "LABEL_OPTIONAL", - "value": "INfDlrzP9IH8_QE", - "name": "dusi" + "name": "dusi", + "type": "TYPE_STRING", + "value": "INfDlrzP9IH8_QE" } - ] + ], + "status": { + "success": true + } } ], - "activityId": { - "timeUsec": "1632843914653434", - "uniqQualifier": "-6706492269209711994" - } + "type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" }, - "type": "type.googleapis.com/google.cloud.audit.AuditLog", "methodName": "google.login.LoginService.titaniumUnenroll", - "resourceName": "organizations/123" - } - }, - "user": { - "email": "test-user@example.com", - "name": "test-user@example.com" - }, - "service": { - "name": "login.googleapis.com" - }, - "source": { - "ip": "203.0.113.255", - "address": "203.0.113.255" + "resourceName": "organizations/123", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + }, + "receiveTimestamp": "2021-09-28T15:45:15.862755277Z", + "resource": { + "labels": { + "method": "google.login.LoginService.titaniumUnenroll", + "service": "login.googleapis.com" + }, + "type": "audited_resource" + }, + "severity": "NOTICE" }, "related": { "ip": [ @@ -1994,6 +1983,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "test-user@example.com" ] + }, + "service": { + "name": "login.googleapis.com" + }, + "source": { + "address": "203.0.113.255", + "ip": "203.0.113.255" + }, + "user": { + "email": "test-user@example.com", + "name": "test-user@example.com" } } 
diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index 6b18814fd6..c2b49c27c2 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md @@ -39,39 +39,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-2-106001: Inbound TCP connection denied from 172.16.10.234/901 to 192.168.122.55/111 flags SYN on interface LAN", "event": { - "code": "106001", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" + ], + "code": "106001", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "denied" + "name": "denied", + "target": "network-traffic" }, "destination": { + "address": "192.168.122.55", "ip": "192.168.122.55", - "port": 111, - "address": "192.168.122.55" + "port": 111 }, "network": { "direction": "Inbound", "transport": "tcp" }, - "source": { - "ip": "172.16.10.234", - "port": 901, - "address": "172.16.10.234" + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" }, "related": { "ip": [ "172.16.10.234", "192.168.122.55" ] + }, + "source": { + "address": "172.16.10.234", + "ip": "172.16.10.234", + "port": 901 } } 
@@ -85,39 +85,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-2-106006: Deny inbound UDP from 172.16.10.234/901 to 192.168.122.55/111 on interface LAN", "event": { - "code": "106006", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" + ], + "code": "106006", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "deny" + "name": "deny", + "target": "network-traffic" }, "destination": { + "address": "192.168.122.55", "ip": "192.168.122.55", - "port": 111, - "address": "192.168.122.55" + "port": 111 }, "network": { "direction": "inbound", "transport": "udp" }, - "source": { - "ip": "172.16.10.234", - "port": 901, - "address": "172.16.10.234" + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" }, "related": { "ip": [ "172.16.10.234", "192.168.122.55" ] + }, + "source": { + "address": "172.16.10.234", + "ip": "172.16.10.234", + "port": 901 } } 
@@ -131,29 +131,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%NGIPS-1-430002: EventPriority: Low, DeviceUUID: b2433c5c-a6a1-11eb-a6e7-be0b9833091f, InstanceID: 2, FirstPacketSecond: 2021-04-30T11:31:19Z, ConnectionID: 4, AccessControlRuleAction: Allow, SrcIP: 172.16.10.10, DstIP: 172.16.20.10, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, ACPolicy: Default Allow All Traffic, AccessControlRuleName: test, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 74, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "event": { - "code": "430002", - "kind": "event", + "action": "connection-started", "category": [ "network" ], - "action": "connection-started", + "code": "430002", + "kind": "event", "type": [ "connection", "start" ] }, - "observer": { - "vendor": "Cisco", - "product": "Secure IPS" - }, "action": { "target": "network-traffic" }, "destination": { + "address": "172.16.20.10", "bytes": 0, "ip": "172.16.20.10", - "packets": 0, - "address": "172.16.20.10" + "packets": 0 }, "log": { "level": "Low" @@ -163,21 +159,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "ICMP", "transport": "icmp" }, + "observer": { + "product": "Secure IPS", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "172.16.10.10", + "172.16.20.10" + ] + }, "rule": { "name": "test", "ruleset": "Default Allow All Traffic" }, "source": { + "address": "172.16.10.10", "bytes": 74, "ip": "172.16.10.10", - "packets": 1, - "address": "172.16.10.10" - }, - "related": { - "ip": [ - "172.16.10.10", - "172.16.20.10" - ] + "packets": 1 } } 
@@ -191,30 +191,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%NGIPS-1-430003: EventPriority: Low, DeviceUUID: e8566508-eaa9-11e5-860f-de3e305d8269, InstanceID: 3, FirstPacketSecond: 2020-02-04T08:45:34Z, ConnectionID: 34774, AccessControlRuleAction:
Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, IngressInterface: outside, EgressInterface: seversDMZ, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "event": { - "code": "430003", - "kind": "event", + "action": "connection-finished", "category": [ "network" ], - "action": "connection-finished", + "code": "430003", + "kind": "event", "type": [ "connection", "end" ] }, - "observer": { - "vendor": "Cisco", - "product": "Secure IPS" - }, "action": { "target": "network-traffic" }, "destination": { + "address": "10.1.9.9", "bytes": 0, "ip": "10.1.9.9", "packets": 0, - "port": 80, - "address": "10.1.9.9" + "port": 80 }, "log": { "level": "Low" @@ -222,22 +218,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "transport": "tcp" }, + "observer": { + "product": "Secure IPS", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.1.9.9", + "93.157.158.93" + ] + }, "rule": { "name": "GeoBlock other Countries", "ruleset": "Basic IPS/IDS and GeoIP block foreign contries" }, "source": { + "address": "93.157.158.93", "bytes": 54, "ip": "93.157.158.93", "packets": 1, - "port": 13723, - "address": "93.157.158.93" - }, - "related": { - "ip": [ - "10.1.9.9", - "93.157.158.93" - ] + "port": 13723 } } 
@@ -251,20 +251,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "event": { - "code": "430005", - "kind": "alert", + "action": "malware-detected", "category": [ "malware" ], - "action": "malware-detected", + "code": "430005", + "kind": "alert", "type": [ "info" ] }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" - }, "action": { "target": "network-traffic" }, @@ -277,9 +273,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { + "address": "81.2.69.144", "ip": "81.2.69.144", - "port": 80, - "address": "81.2.69.144" + "port": 80 }, "file": { "extension": "zip", @@ -294,10 +290,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "HTTP", "transport": "tcp" }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, "source": { + "address": "10.0.1.20", "ip": "10.0.1.20", - "port": 46004, - "address": "10.0.1.20" + "port": 46004 }, "threat": { "software": { 
@@ -305,29 +317,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "url": { - "original": "http://www.eicar.org/download/eicar_com.zip", "domain": "www.eicar.org", - "top_level_domain": "org", - "subdomain": "www", - "registered_domain": "eicar.org", + "original": "http://www.eicar.org/download/eicar_com.zip", "path": "/download/eicar_com.zip", + "port": 80, + "registered_domain": "eicar.org", "scheme": "http", - "port": 80 + "subdomain": "www", + "top_level_domain": "org" }, "user": { "name": "No Authentication Required" - }, - "related": { - "hash": [ - "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" - ], - "ip": [ - "10.0.1.20", - "81.2.69.144" - ], - "user": [ - "No Authentication Required" - ] } } @@ -341,34 +341,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-106012: Deny IP from 192.168.122.143 to 224.0.0.22, IP options: \"Router Alert\"", "event": { - "code": "106012", - "kind": "event", "category": [ "network" ], + "code": "106012", + "kind": "event", "reason": "IP options: \"Router Alert\"" }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "deny" + "name": "deny", + "target": "network-traffic" }, "destination": { - "ip": "224.0.0.22", - "address": "224.0.0.22" + "address": "224.0.0.22", + "ip": "224.0.0.22" }, - "source": { - "ip": "192.168.122.143", - "address": "192.168.122.143" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "192.168.122.143", "224.0.0.22" ] + }, + "source": { + "address": "192.168.122.143", + "ip": "192.168.122.143" } } 
@@ -382,39 +382,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-106015: Deny TCP (no connection) from 10.9.4.3/52675 to 161.5.222.141/443 flags FIN ACK on interface ACME_interface", "event": { - "code": "106015", - "kind": "event", "category": [ "network" ], + "code": "106015", + "kind": "event", "reason": "no connection" }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "deny" + "name": "deny", + "target": "network-traffic" }, "destination": { + "address": "161.5.222.141", "ip": "161.5.222.141", - "port": 443, - "address": "161.5.222.141" + "port": 443 }, "network": { "transport": "tcp" }, - "source": { - "ip": "10.9.4.3", - "port": 52675, - "address": "10.9.4.3" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.9.4.3", "161.5.222.141" ] + }, + "source": { + "address": "10.9.4.3", + "ip": "10.9.4.3", + "port": 52675 } } 
@@ -428,39 +428,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-4-106023: Deny udp src ACMEsL:10.0.200.29/320 dst identity:224.0.1.129/320 by access-group \"ACME_group\" [0x0, 0x0]", "event": { - "code": "106023", - "kind": "event", "category": [ "network" ], + "code": "106023", + "kind": "event", "reason": "ACME_group" }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "deny" + "name": "deny", + "target": "network-traffic" }, "destination": { + "address": "224.0.1.129", "ip": "224.0.1.129", - "port": 320, - "address": "224.0.1.129" + "port": 320 }, "network": { "transport": "udp" }, - "source": { - "ip": "10.0.200.29", - "port": 320, - "address": "10.0.200.29" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.0.200.29", "224.0.1.129" ] + }, + "source": { + "address": "10.0.200.29", + "ip": "10.0.200.29", + "port": 320 } } 
@@ -474,39 +474,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-106100: access-list ACME_INFRA permitted udp ACME_INFRA/10.1.0.16(42592) -> ACME/10.1.1.76(161) hit-cnt 1 first hit [0x42666c4c, 0x05739900]", "event": { - "code": "106100", - "kind": "event", "category": [ "network" ], + "code": "106100", + "kind": "event", "reason": "ACME_INFRA" }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "permitted" + "name": "permitted", + "target": "network-traffic" }, "destination": { + "address": "10.1.1.76", "ip": "10.1.1.76", - "port": 161, - "address": "10.1.1.76" + "port": 161 }, "network": { "transport": "udp" }, - "source": { - "ip": "10.1.0.16", - "port": 42592, - "address": "10.1.0.16" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.1.0.16", "10.1.1.76" ] + }, + "source": { + "address": "10.1.0.16", + "ip": "10.1.0.16", + "port": 42592 } } 
@@ -520,33 +520,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-110003: Routing failed to locate next hop for icmp from WAN:10.11.0.2/0 to WAN:10.112.115.1/0", "event": { - "code": "110003", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "110003", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "routing failed to locate next hop for icmp" + "name": "routing failed to locate next hop for icmp", + "target": "network-traffic" }, "destination": { - "ip": "10.112.115.1", - "address": "10.112.115.1" + "address": "10.112.115.1", + "ip": "10.112.115.1" }, - "source": { - "ip": "10.11.0.2", - "address": "10.11.0.2" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.11.0.2", "10.112.115.1" ] + }, + "source": { + "address": "10.11.0.2", + "ip": "10.11.0.2" } } @@ -560,31 +560,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-111007: Begin configuration: 10.24.25.21 reading from http [POST]", "event": { - "code": "111007", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "111007", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "begin configuration" + "name": "begin configuration", + "target": "network-traffic" }, "network": { "transport": "http" }, - "source": { - "ip": "10.24.25.21", - "address": "10.24.25.21" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.24.25.21" ] + }, + "source": { + "address": "10.24.25.21", + "ip": "10.24.25.21" } } 
@@ -598,16 +598,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-7-199019: Mar 6 21:58:53 Ipc[1234]: func return 1#012", "event": { - "code": "199019", - "kind": "event", + "action": "return 1#012", "category": [ "network" ], - "action": "return 1#012" - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + "code": "199019", + "kind": "event" }, "action": { "target": "network-traffic" @@ -615,9 +611,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host": { "name": "func" }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, "process": { - "pid": 1234, - "name": "Ipc" + "name": "Ipc", + "pid": 1234 } } @@ -631,47 +631,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302013: Built inbound TCP connection 1800234408 for TTA-ACME-VDO_CAM:10.1.7.248/40454 (10.1.7.248/40454) to TTA-ACME-SRV_INFRA:10.1.0.10/53 (10.1.0.10/53)", "event": { - "code": "302013", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302013", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "built" + "name": "built", + "target": "network-traffic" }, "destination": { + "address": "10.1.0.10", "ip": "10.1.0.10", "nat": { "ip": "10.1.0.10", "port": 53 }, - "port": 53, - "address": "10.1.0.10" + "port": 53 }, "network": { "direction": "inbound", "transport": "tcp" }, - "source": { - "ip": "10.1.7.248", - "port": 40454, - "nat": { - "ip": "10.1.7.248", - "port": 40454 - }, - "address": "10.1.7.248" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.1.0.10", "10.1.7.248" ] + }, + "source": { + "address": "10.1.7.248", + "ip": "10.1.7.248", + "nat": { + "ip": "10.1.7.248", + "port": 40454 + }, + "port": 40454 } } 
@@ -685,39 +685,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302014: Teardown TCP connection 3642851852 for outside:9.27.0.93/63677 to Pika:172.17.1.200/443 duration 0:10:06 bytes 4666 FIN Timeout from Pika", "event": { - "code": "302014", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302014", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "teardown" + "name": "teardown", + "target": "network-traffic" }, "destination": { + "address": "172.17.1.200", "ip": "172.17.1.200", - "port": 443, - "address": "172.17.1.200" + "port": 443 }, "network": { "bytes": 4666, "transport": "tcp" }, - "source": { - "ip": "9.27.0.93", - "port": 63677, - "address": "9.27.0.93" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "172.17.1.200", "9.27.0.93" ] + }, + "source": { + "address": "9.27.0.93", + "ip": "9.27.0.93", + "port": 63677 } } 
@@ -731,38 +731,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302020: Built inbound ICMP connection for faddr 47.241.116.84/10800 gaddr 10.11.0.2/0 laddr 10.11.0.2/0", "event": { - "code": "302020", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302020", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "built" + "name": "built", + "target": "network-traffic" }, "destination": { + "address": "47.241.116.84", "ip": "47.241.116.84", - "port": 10800, - "address": "47.241.116.84" + "port": 10800 }, "network": { "direction": "inbound", "transport": "icmp" }, - "source": { - "ip": "10.11.0.2", - "address": "10.11.0.2" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.11.0.2", "47.241.116.84" ] + }, + "source": { + "address": "10.11.0.2", + "ip": "10.11.0.2" } } @@ -776,19 +776,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.4/1(LOCAL\\USER) gaddr 1.2.3.5/0 laddr 1.2.3.5/0 (USER) type 8 code 0", "event": { - "code": "302020", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302020", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "built" + "name": "built", + "target": "network-traffic" }, "cisco": { "ftd": { 
@@ -797,21 +793,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 1, - "address": "1.2.3.4" + "port": 1 }, "network": { "direction": "inbound", "transport": "icmp" }, - "source": { - "ip": "1.2.3.5", - "address": "1.2.3.5" - }, - "user": { - "domain": "LOCAL", - "name": "USER" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -821,6 +813,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "USER" ] + }, + "source": { + "address": "1.2.3.5", + "ip": "1.2.3.5" + }, + "user": { + "domain": "LOCAL", + "name": "USER" } } @@ -834,34 +834,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302021: Teardown ICMP connection for faddr 172.16.10.208/2189 gaddr 172.16.19.90/0 laddr 172.16.19.90/0 (karibou)", "event": { - "code": "302021", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302021", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "teardown" + "name": "teardown", + "target": "network-traffic" }, "destination": { + "address": "172.16.10.208", "ip": "172.16.10.208", - "port": 2189, - "address": "172.16.10.208" + "port": 2189 }, "network": { "transport": "icmp" }, - "source": { - "ip": "172.16.19.90", - "address": "172.16.19.90" - }, - "user": { - "name": "karibou" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -871,6 +864,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "karibou" ] + }, + "source": { + "address": "172.16.19.90", + "ip": "172.16.19.90" + }, + "user": { + "name": "karibou" } } 
@@ -884,19 +884,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-302021: Teardown ICMP connection for faddr 1.2.3.4/25481 gaddr 1.2.4.3/0 laddr 1.2.4.3/0 type 8 code 0", "event": { - "code": "302021", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "302021", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "teardown" + "name": "teardown", + "target": "network-traffic" }, "cisco": { "ftd": { @@ -905,22 +901,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 25481, - "address": "1.2.3.4" + "port": 25481 }, "network": { "transport": "icmp" }, - "source": { - "ip": "1.2.4.3", - "address": "1.2.4.3" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "1.2.3.4", "1.2.4.3" ] + }, + "source": { + "address": "1.2.4.3", + "ip": "1.2.4.3" } } 
@@ -934,38 +934,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-305011: Built dynamic TCP translation from interco_pa_asa:10.79.16.23/35928 to dmz-gce:126.189.129.55/35928", "event": { - "code": "305011", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "305011", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "built" + "name": "built", + "target": "network-traffic" }, "destination": { + "address": "126.189.129.55", "ip": "126.189.129.55", - "port": 35928, - "address": "126.189.129.55" + "port": 35928 }, "network": { "transport": "tcp" }, - "source": { - "ip": "10.79.16.23", - "port": 35928, - "address": "10.79.16.23" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.79.16.23", "126.189.129.55" ] + }, + "source": { + "address": "10.79.16.23", + "ip": "10.79.16.23", + "port": 35928 } } 
@@ -979,38 +979,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-305012: Teardown dynamic TCP translation from interco_asa:10.79.16.24/55924 to dmz:12.18.129.56/55924 duration 0:00:15", "event": { - "code": "305012", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "305012", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "teardown" + "name": "teardown", + "target": "network-traffic" }, "destination": { + "address": "12.18.129.56", "ip": "12.18.129.56", - "port": 55924, - "address": "12.18.129.56" + "port": 55924 }, "network": { "transport": "tcp" }, - "source": { - "ip": "10.79.16.24", - "port": 55924, - "address": "10.79.16.24" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "10.79.16.24", "12.18.129.56" ] + }, + "source": { + "address": "10.79.16.24", + "ip": "10.79.16.24", + "port": 55924 } } @@ -1024,30 +1024,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:1.2.3.4(LOCAL\\a.smithee) dst inside:1.4.3.2 (type 3, code 3) on outside interface. Original IP payload: udp src 1.4.3.2/53 dst 1.2.3.4/60717.", "event": { - "code": "313005", - "kind": "event", "category": [ "network" ], + "code": "313005", + "kind": "event", "reason": "icmp" }, - "observer": { - "vendor": "Cisco", - "ingress": { - "interface": { - "alias": "outside" - } - }, - "egress": { - "interface": { - "alias": "inside" - } - }, - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "no matching connection" + "name": "no matching connection", + "target": "network-traffic" }, "cisco": { "ftd": { 
@@ -1056,19 +1042,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { - "ip": "1.4.3.2", - "address": "1.4.3.2" + "address": "1.4.3.2", + "ip": "1.4.3.2" }, "network": { "transport": "icmp" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "domain": "LOCAL", - "name": "a.smithee" + "observer": { + "egress": { + "interface": { + "alias": "inside" + } + }, + "ingress": { + "interface": { + "alias": "outside" + } + }, + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1078,6 +1070,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "a.smithee" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "LOCAL", + "name": "a.smithee" } } @@ -1091,19 +1091,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::f037:5fbc:b824:230d on interface NEA-FOR-WIFOR", "event": { - "code": "313008", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "313008", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "denied" + "name": "denied", + "target": "network-traffic" }, "cisco": { "ftd": { @@ -1114,14 +1110,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "transport": "ipv6-icmp" }, - "source": { - "ip": "fe80::f037:5fbc:b824:230d", - "address": "fe80::f037:5fbc:b824:230d" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "fe80::f037:5fbc:b824:230d" ] + }, + "source": { + "address": "fe80::f037:5fbc:b824:230d", + "ip": "fe80::f037:5fbc:b824:230d" } } 
@@ -1135,24 +1135,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-7-609002: Teardown local-host outside:1.2.3.4 duration 0:10:26", "event": { - "code": "609002", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "ingress": { - "interface": { - "alias": "outside" - } - }, - "product": "Adaptive Security Appliance" + ], + "code": "609002", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "teardown" + "name": "teardown", + "target": "network-traffic" }, "cisco": { "ftd": { @@ -1161,14 +1152,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "ingress": { + "interface": { + "alias": "outside" + } + }, + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -1182,30 +1182,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-716058: Group User IP <86.199.78.204> AnyConnect session lost connection. Waiting to resume.", "event": { - "code": "716058", - "kind": "event", "category": [ "network" ], + "code": "716058", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "anyconnect session lost connection" - }, - "source": { - "ip": "86.199.78.204", - "address": "86.199.78.204" + "name": "anyconnect session lost connection", + "target": "network-traffic" }, - "user": { - "domain": "CLIENT_VPN", - "name": "Acme_account" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1214,6 +1206,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Acme_account" ] + }, + "source": { + "address": "86.199.78.204", + "ip": "86.199.78.204" + }, + "user": { + "domain": "CLIENT_VPN", + "name": "Acme_account" } } @@ -1227,30 +1227,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-716059: Group User IP <10.17.100.175> AnyConnect session resumed connection from IP <10.17.100.175>.", "event": { - "code": "716059", - "kind": "event", "category": [ "network" ], + "code": "716059", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "anyconnect session resumed" - }, - "source": { - "ip": "10.17.100.175", - "address": "10.17.100.175" + "name": "anyconnect session resumed", + "target": "network-traffic" }, - "user": { - "domain": "CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1259,6 +1251,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "10.17.100.175", + "ip": "10.17.100.175" + }, + "user": { + "domain": "CLIENT_VPN", + "name": "User_Acme" } } 
@@ -1272,30 +1272,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722011: Group User IP <91.172.139.4> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..", "event": { - "code": "722011", - "kind": "event", "category": [ "network" ], + "code": "722011", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "reconnecting the vpn tunnel.." - }, - "source": { - "ip": "91.172.139.4", - "address": "91.172.139.4" + "name": "reconnecting the vpn tunnel..", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1304,6 +1296,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_acme" ] + }, + "source": { + "address": "91.172.139.4", + "ip": "91.172.139.4" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_acme" } } 
@@ -1317,30 +1317,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722012: Group User IP <86.217.237.163> SVC Message: 16/NOTICE: Client PC is going into suspend mode (Sleep, Hibernate, etc)..", "event": { - "code": "722012", - "kind": "event", "category": [ "network" ], + "code": "722012", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "client pc is going into suspend mode (sleep, hibernate, etc).." - }, - "source": { - "ip": "86.217.237.163", - "address": "86.217.237.163" + "name": "client pc is going into suspend mode (sleep, hibernate, etc)..", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1349,6 +1341,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "86.217.237.163", + "ip": "86.217.237.163" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } 
@@ -1362,30 +1362,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-722023: Group User IP <86.215.190.93> TCP SVC connection terminated without compression", "event": { - "code": "722023", - "kind": "event", "category": [ "network" ], - "type": [ + "code": "722023", + "kind": "event", + "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "svc connection terminated" - }, - "source": { - "ip": "86.215.190.93", - "address": "86.215.190.93" + "name": "svc connection terminated", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1394,6 +1386,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "86.215.190.93", + "ip": "86.215.190.93" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } @@ -1407,30 +1407,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-722023: Group User IP <1.2.3.4> UDP SVC connection terminated without compression", "event": { - "code": "722023", - "kind": "event", "category": [ "network" ], + "code": "722023", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "svc connection terminated" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "name": "svc connection terminated", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy-CLIENT-VPN", - "name": "a.smithee" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1439,6 +1431,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "a.smithee" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "GroupPolicy-CLIENT-VPN", + "name": "a.smithee" } } @@ -1452,30 +1452,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722028: Group User IP <91.172.139.4> Stale SVC connection closed.", "event": { - "code": "722028", - "kind": "event", "category": [ "network" ], + "code": "722028", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "connection closed." - }, - "source": { - "ip": "91.172.139.4", - "address": "91.172.139.4" + "name": "connection closed.", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1484,6 +1476,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "91.172.139.4", + "ip": "91.172.139.4" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } 
@@ -1497,30 +1497,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722032: Group User IP <93.23.18.76> New UDP SVC connection replacing old connection.", "event": { - "code": "722032", - "kind": "event", "category": [ "network" ], + "code": "722032", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "connection replacing old connection." - }, - "source": { - "ip": "93.23.18.76", - "address": "93.23.18.76" + "name": "connection replacing old connection.", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1529,6 +1521,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "93.23.18.76", + "ip": "93.23.18.76" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } 
@@ -1542,30 +1542,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722033: Group User IP <77.205.143.138> First TCP SVC connection established for SVC session.", "event": { - "code": "722033", - "kind": "event", "category": [ "network" ], + "code": "722033", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "connection established for svc session." - }, - "source": { - "ip": "77.205.143.138", - "address": "77.205.143.138" + "name": "connection established for svc session.", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1574,6 +1566,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "77.205.143.138", + "ip": "77.205.143.138" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } 
@@ -1587,30 +1587,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-5-722034: Group User IP <109.17.100.175> New TCP SVC connection, no existing connection.", "event": { - "code": "722034", - "kind": "event", "category": [ "network" ], + "code": "722034", + "kind": "event", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "connection, no existing connection." - }, - "source": { - "ip": "109.17.100.175", - "address": "109.17.100.175" + "name": "connection, no existing connection.", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ @@ -1619,6 +1611,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "109.17.100.175", + "ip": "109.17.100.175" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } @@ -1632,31 +1632,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-4-722037: Group User IP <92.131.212.102> SVC closing connection: Transport closing.", "event": { - "code": "722037", - "kind": "event", "category": [ "network" ], + "code": "722037", + "kind": "event", "reason": "Transport closing", "type": [ "connection" ] }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "closing connection" - }, - "source": { - "ip": "92.131.212.102", - "address": "92.131.212.102" + "name": "closing connection", + "target": "network-traffic" }, - "user": { - "domain": "GroupPolicy_CLIENT_VPN", - "name": "User_Acme" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ 
@@ -1665,6 +1657,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "User_Acme" ] + }, + "source": { + "address": "92.131.212.102", + "ip": "92.131.212.102" + }, + "user": { + "domain": "GroupPolicy_CLIENT_VPN", + "name": "User_Acme" } } @@ -1678,29 +1678,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-725001: Starting SSL handshake with client WAN:195.101.173.60/49238 for TLS session.", "event": { - "code": "725001", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "725001", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "starting ssl handshake" + "name": "starting ssl handshake", + "target": "network-traffic" }, - "source": { - "ip": "195.101.173.60", - "port": 49238, - "address": "195.101.173.60" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "195.101.173.60" ] + }, + "source": { + "address": "195.101.173.60", + "ip": "195.101.173.60", + "port": 49238 } } 
@@ -1714,29 +1714,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-725002: Device completed SSL handshake with client WAN:90.114.208.186/65531", "event": { - "code": "725002", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "725002", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "device completed ssl handshake" + "name": "device completed ssl handshake", + "target": "network-traffic" }, - "source": { - "ip": "90.114.208.186", - "port": 65531, - "address": "90.114.208.186" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "90.114.208.186" ] + }, + "source": { + "address": "90.114.208.186", + "ip": "90.114.208.186", + "port": 65531 } } @@ -1750,29 +1750,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-725006: Device failed SSL handshake with client WAN:195.101.173.60/49699", "event": { - "code": "725006", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "725006", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "device failed ssl handshake" + "name": "device failed ssl handshake", + "target": "network-traffic" }, - "source": { - "ip": "195.101.173.60", - "port": 49699, - "address": "195.101.173.60" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "195.101.173.60" ] + }, + "source": { + "address": "195.101.173.60", + "ip": "195.101.173.60", + "port": 49699 } } 
@@ -1786,30 +1786,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "<166>Nov 09 2022 10:01:59: %ASA-6-725007: SSL session with client WAN:195.101.173.60/49486 terminated.", "event": { - "code": "725007", - "kind": "event", "category": [ "network" ], + "code": "725007", + "kind": "event", "reason": "terminated" }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" - }, "action": { - "target": "network-traffic", - "name": "ssl session" + "name": "ssl session", + "target": "network-traffic" }, - "source": { - "ip": "195.101.173.60", - "port": 49486, - "address": "195.101.173.60" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "195.101.173.60" ] + }, + "source": { + "address": "195.101.173.60", + "ip": "195.101.173.60", + "port": 49486 } } @@ -1823,19 +1823,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-4-733100: [scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 23 per second, max configured rate is 5; Cumulative total count is 14188", "event": { - "code": "733100", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "733100", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "scanning" + "name": "scanning", + "target": "network-traffic" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" } } 
@@ -1849,28 +1849,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%ASA-6-737016: IPAA: Freeing local pool address 192.168.122.247", "event": { - "code": "737016", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Adaptive Security Appliance" + ], + "code": "737016", + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "freeing local pool address" + "name": "freeing local pool address", + "target": "network-traffic" }, - "source": { - "ip": "192.168.122.247", - "address": "192.168.122.247" + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" }, "related": { "ip": [ "192.168.122.247" ] + }, + "source": { + "address": "192.168.122.247", + "ip": "192.168.122.247" } } @@ -1884,38 +1884,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-6-852001: Received Lightweight to full proxy event from application Snort for TCP flow 1.2.3.4/10000 to 4.3.2.1/47003", "event": { - "code": "852001", - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" + ], + "code": "852001", + "kind": "event" }, "action": { "target": "network-traffic" }, "destination": { + "address": "4.3.2.1", "ip": "4.3.2.1", - "port": 47003, - "address": "4.3.2.1" + "port": 47003 }, "network": { - "transport": "tcp", - "application": "Snort" + "application": "Snort", + "transport": "tcp" }, - "source": { - "ip": "1.2.3.4", - "port": 10000, - "address": "1.2.3.4" + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" }, "related": { "ip": [ "1.2.3.4", "4.3.2.1" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 10000 } } 
@@ -1929,30 +1929,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-1-430002: EventPriority: Low, DeviceUUID: 1662dc94-665c-4e50-97df-1c5b281556aa, InstanceID: 3, FirstPacketSecond: 2023-07-27T08:13:09Z, ConnectionID: 62230, AccessControlRuleAction: Allow, SrcIP: 1.2.3.4, DstIP: 5.6.7.8, SrcPort: 63853, DstPort: 443, Protocol: tcp, IngressInterface: WAN, EgressInterface: DMZ, IngressZone: OUT, EgressZone: DMZ, IngressVRF: Global, EgressVRF: Global, ACPolicy: ACPolicy, AccessControlRuleName: IN_KEMP_MAIL, Prefilter Policy: EXAMPLE L3-L4 Policy, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity", "event": { - "code": "430002", - "kind": "event", + "action": "connection-started", "category": [ "network" ], - "action": "connection-started", + "code": "430002", + "kind": "event", "type": [ "connection", "start" ] }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" - }, "action": { "target": "network-traffic" }, "destination": { + "address": "5.6.7.8", "bytes": 66, "ip": "5.6.7.8", "packets": 1, - "port": 443, - "address": "5.6.7.8" + "port": 443 }, "log": { "level": "Low" @@ -1960,22 +1956,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "transport": "tcp" }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "rule": { "name": "IN_KEMP_MAIL", "ruleset": "ACPolicy" }, "source": { + "address": "1.2.3.4", "bytes": 128, "ip": "1.2.3.4", "packets": 2, - "port": 63853, - "address": "1.2.3.4" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] + "port": 63853 } } 
@@ -1989,46 +1989,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-1-430003: EventPriority: Low, DeviceUUID: 1662dc94-665c-4e50-97df-1c5b281556aa, InstanceID: 5, FirstPacketSecond: 2023-07-27T08:13:09Z, ConnectionID: 35868, AccessControlRuleAction: Allow, SrcIP: 1.2.3.4, DstIP: 5.6.7.8, SrcPort: 56901, DstPort: 53, Protocol: udp, IngressInterface: LAN, EgressInterface: WAN, IngressZone: LAN, EgressZone: OUT, IngressVRF: Global, EgressVRF: Global, ACPolicy: ACPolicy, AccessControlRuleName: SORTIE_SRVAD_DNS_OUT, Prefilter Policy: EXAMPLE L3-L4 Policy, User: Not Found, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 88, ResponderBytes: 152, NAPPolicy: Balanced Security and Connectivity, DNSQuery: 1.fr.pool.ntp.org, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 150, NAT_InitiatorPort: 22294, NAT_ResponderPort: 53, NAT_InitiatorIP: 4.3.2.1, NAT_ResponderIP: 8.7.6.5", "event": { - "code": "430003", - "kind": "event", + "action": "connection-finished", "category": [ "network" ], - "action": "connection-finished", + "code": "430003", + "kind": "event", "type": [ "connection", "end" ] }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" - }, "action": { "target": "network-traffic" }, + "cisco": { + "dns": { + "record_type": "a host address", + "ttl": "150" + } + }, "destination": { + "address": "5.6.7.8", "bytes": 152, "ip": "5.6.7.8", "packets": 1, - "port": 53, - "address": "5.6.7.8" + "port": 53 }, "dns": { "question": { "name": "1.fr.pool.ntp.org", - "top_level_domain": "org", + "registered_domain": "ntp.org", "subdomain": "1.fr.pool", - "registered_domain": "ntp.org" + "top_level_domain": "org" }, "response_code": "No Error" }, - "cisco": { - "dns": { - "record_type": "a host address", - "ttl": "150" - } - }, "log": { "level": "Low" }, 
@@ -2037,31 +2033,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "DNS", "transport": "udp" }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "1.fr.pool.ntp.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "Not Found" + ] + }, "rule": { "name": "SORTIE_SRVAD_DNS_OUT", "ruleset": "ACPolicy" }, "source": { + "address": "1.2.3.4", "bytes": 88, "ip": "1.2.3.4", "packets": 1, - "port": 56901, - "address": "1.2.3.4" + "port": 56901 }, "user": { "name": "Not Found" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "Not Found" - ], - "hosts": [ - "1.fr.pool.ntp.org" - ] } } 
@@ -2075,37 +2075,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "%FTD-1-430003: EventPriority: Low, DeviceUUID: 1662dc94-665c-4e50-97df-1c5b281556aa, InstanceID: 5, FirstPacketSecond: 2023-07-27T08:13:09Z, ConnectionID: 35871, AccessControlRuleAction: Allow, SrcIP: 1.2.3.4, DstIP: 5.6.7.8, SrcPort: 50158, DstPort: 443, Protocol: tcp, IngressInterface: LAN, EgressInterface: WAN, IngressZone: LAN, EgressZone: OUT, IngressVRF: Global, EgressVRF: Global, ACPolicy: ACPolicy, AccessControlRuleName: SORTIE_INTERNET_ALL, Prefilter Policy: EXAMPLE L3-L4 Policy, User: Not Found, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Trend Micro, ConnectionDuration: 0, InitiatorPackets: 10, ResponderPackets: 13, InitiatorBytes: 967, ResponderBytes: 5018, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: 3ccc5ece59e81d905ed314c1e9af0f797393fec5, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: example.org, URLCategory: Computer Security, URLReputation: Trusted, URL: https://example.org, NAT_InitiatorPort: 36170, NAT_ResponderPort: 443, NAT_InitiatorIP: 4.3.2.1, NAT_ResponderIP: 8.7.6.5", "event": { - "code": "430003", - "kind": "event", + "action": "connection-finished", "category": [ "network" ], - "action": "connection-finished", + "code": "430003", + "kind": "event", "type": [ "connection", "end" ] }, - "observer": { - "vendor": "Cisco", - "product": "Firepower Threat Defense" - }, "action": { "target": "network-traffic" }, "destination": { + "address": "5.6.7.8", "bytes": 5018, "ip": "5.6.7.8", "packets": 13, - "port": 443, - "address": "5.6.7.8" - }, - "url": { - "original": "https://example.org", - "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org", - "scheme": "https", "port": 443 }, "log": { 
@@ -2116,28 +2104,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "HTTPS", "transport": "tcp" }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "Not Found" + ] + }, "rule": { "name": "SORTIE_INTERNET_ALL", "ruleset": "ACPolicy" }, "source": { + "address": "1.2.3.4", "bytes": 967, "ip": "1.2.3.4", "packets": 10, - "port": 50158, - "address": "1.2.3.4" + "port": 50158 + }, + "url": { + "domain": "example.org", + "original": "https://example.org", + "port": 443, + "registered_domain": "example.org", + "scheme": "https", + "top_level_domain": "org" }, "user": { "name": "Not Found" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "Not Found" - ] } } @@ -2151,25 +2151,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Group User IP <1.2.3.4> AnyConnect session lost connection. Waiting to resume.", "event": { - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco" + ], + "kind": "event" }, "action": { - "target": "network-traffic", - "name": "anyconnect session lost connection" - }, - "user": { - "domain": "AnyConnect-SESAME", - "name": "JD34242243" + "name": "anyconnect session lost connection", + "target": "network-traffic" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "vendor": "Cisco" }, "related": { "ip": [ @@ -2178,6 +2170,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JD34242243" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "AnyConnect-SESAME", + "name": "JD34242243" } } 
@@ -2191,25 +2191,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Group User IP <1.2.3.4> SVC closing connection: DPD failure.", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "reason": "DPD failure" }, - "observer": { - "vendor": "Cisco" - }, "action": { "target": "network-traffic" }, - "user": { - "domain": "MYGROUP", - "name": "JD34242243" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "vendor": "Cisco" }, "related": { "ip": [ @@ -2218,6 +2210,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JD34242243" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "MYGROUP", + "name": "JD34242243" } } @@ -2231,25 +2231,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Group = MYGROUP, Username = JD34242243, IP = 1.2.3.4, Session disconnected. Session Type: SSL, Duration: 6h:33m:18s, Bytes xmt: 220870890, Bytes rcv: 57125392, Reason: Idle Timeout", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "reason": "Idle Timeout" }, - "observer": { - "vendor": "Cisco" - }, "action": { "target": "network-traffic" }, - "user": { - "domain": "MYGROUP", - "name": "JD34242243" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "vendor": "Cisco" }, "related": { "ip": [ @@ -2258,6 +2250,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JD34242243" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "MYGROUP", + "name": "JD34242243" } } 
@@ -2271,13 +2271,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Task ran for 109 msec, Process = aaa_shim_thread, PC = ade9333c, Call stack = 0x000000aaabb34820 0x000000aaabb2429c 0x000000aaabb24218", "event": { - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco" + ], + "kind": "event" }, "action": { "target": "network-traffic" @@ -2291,6 +2288,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "name": "ade9333c" + }, + "observer": { + "vendor": "Cisco" } } @@ -2304,24 +2304,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "TunnelGroup GroupPolicy User IP <1.2.3.4> No IPv6 address available for SVC connection", "event": { - "kind": "event", "category": [ "network" - ] - }, - "observer": { - "vendor": "Cisco" + ], + "kind": "event" }, "action": { "target": "network-traffic" }, - "user": { - "domain": "AnyConnect-SESAME", - "name": "JD34242243" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "observer": { + "vendor": "Cisco" }, "related": { "ip": [ @@ -2330,6 +2322,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JD34242243" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "AnyConnect-SESAME", + "name": "JD34242243" } } diff --git a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md index 75e7bc7f29..43a4a54d0f 100644 --- a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md +++ b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md 
@@ -39,54 +39,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"event_time\":\"2021-12-01T15:07:11Z\",\"account_id\":\"1714\",\"action\":\"Block\",\"dest_ip\":\"10.64.4.10\",\"dest_is_site_or_vpn\":\"Site\",\"dest_port\":\"22\",\"event_count\":\"1\",\"event_sub_type\":\"IPS\",\"event_type\":\"Security\",\"internalId\":\"M9w5A3mkAa\",\"ip_protocol\":\"TCP\",\"mitre_attack_subtechniques\":\"\",\"mitre_attack_tactics\":\"\",\"mitre_attack_techniques\":\"\",\"os_type\":\"OS_UNKNOWN\",\"pop_name\":\"Dublin\",\"risk_level\":\"Medium\",\"rule\":\"3605\",\"rule_id\":\"3605\",\"signature_id\":\"feed_ips15_ssh\",\"src_country\":\"China\",\"src_ip\":\"61.177.173.13\",\"src_is_site_or_vpn\":\"Site\",\"src_port\":\"47046\",\"src_site\":\"Reflector\",\"threat_name\":\"IP reputation based signature - Network Scanner\",\"threat_reference\":\"https://support.catonetworks.com/hc/en-us/articles/360011568478\",\"threat_type\":\"Reputation\",\"time\":\"1650596005910\",\"traffic_direction\":\"INBOUND\",\"event_timestamp\":\"2022-04-22T02:53:25Z\"}", "event": { - "kind": "event", "action": "block", "category": [ "intrusion_detection" ], + "kind": "event", "type": [ "denied" ] }, - "destination": { - "ip": "10.64.4.10", - "port": 22, - "address": "10.64.4.10" - }, - "network": { - "transport": "TCP", - "direction": "INBOUND" - }, - "rule": { - "id": "3605" - }, - "source": { - "geo": { - "country_name": "China" - }, - "ip": "61.177.173.13", - "port": 47046, - "address": "61.177.173.13" - }, + "@timestamp": "2021-12-01T15:07:11Z", "cato": { "sase": { - "threat_type": "Reputation", - "risk_level": "Medium", + "event_sub_type": "IPS", "event_type": "Security", - "event_sub_type": "IPS" + "risk_level": "Medium", + "threat_type": "Reputation" } }, + "destination": { + "address": "10.64.4.10", + "ip": "10.64.4.10", + "port": 22 + }, "host": { "os": { "type": "unknown" } }, - "@timestamp": "2021-12-01T15:07:11Z", + "network": { + "direction": 
"INBOUND", + "transport": "TCP" + }, "related": { "ip": [ "10.64.4.10", "61.177.173.13" ] + }, + "rule": { + "id": "3605" + }, + "source": { + "address": "61.177.173.13", + "geo": { + "country_name": "China" + }, + "ip": "61.177.173.13", + "port": 47046 } } @@ -100,30 +100,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"account_id\":\"1714\",\"action\":\"Succeeded\",\"authentication_type\":\"Password\",\"event_count\":\"1\",\"event_sub_type\":\"Cato Management Application\",\"event_type\":\"Connectivity\",\"internalId\":\"fN6RlumJ1s\",\"login_type\":\"Admin Login\",\"src_country\":\"United Kingdom of Great Britain and Northern Ireland\",\"src_ip\":\"185.69.144.176\",\"src_is_site_or_vpn\":\"VPN User\",\"src_site\":\"4472\",\"time\":\"1651158043764\",\"user_name\":\"Peter Lee\",\"vpn_user_email\":\"peter@xxx.com\",\"event_timestamp\":\"2022-04-28T15:00:43Z\"}", "event": { - "kind": "event", "action": "succeeded", "category": [ "authentication" ], + "kind": "event", "type": [ "start" ] }, - "user": { - "name": "Peter Lee", - "email": "peter@xxx.com" - }, - "source": { - "geo": { - "country_name": "United Kingdom of Great Britain and Northern Ireland" - }, - "ip": "185.69.144.176", - "address": "185.69.144.176" - }, "cato": { "sase": { - "event_type": "Connectivity", - "event_sub_type": "Cato Management Application" + "event_sub_type": "Cato Management Application", + "event_type": "Connectivity" } }, "related": { @@ -133,6 +122,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Peter Lee" ] + }, + "source": { + "address": "185.69.144.176", + "geo": { + "country_name": "United Kingdom of Great Britain and Northern Ireland" + }, + "ip": "185.69.144.176" + }, + "user": { + "email": "peter@xxx.com", + "name": "Peter Lee" } } 
@@ -146,11 +146,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ISP_name\":\"Vodafone Ltd\",\"account_id\":\"1714\",\"action\":\"Succeeded\",\"client_version\":\"4.5.2\",\"device_name\":\"Peter\u2019s MacBook Pro\",\"event_count\":\"1\",\"event_sub_type\":\"Connected\",\"event_type\":\"Connectivity\",\"internalId\":\"qV6DEyT6wP\",\"link_type\":\"Cato\",\"os_type\":\"OS_MAC\",\"os_version\":\"11.6.0\",\"pop_name\":\"London\",\"src_country\":\"United Kingdom of Great Britain and Northern Ireland\",\"src_ip\":\"10.41.6.171\",\"src_is_site_or_vpn\":\"VPN User\",\"src_isp_ip\":\"185.69.145.183\",\"src_site\":\"Peter James\",\"time\":\"1651172220000\",\"tunnel_protocol\":\"DTLS\",\"vpn_user_email\":\"peter@xxx.com\",\"event_timestamp\":\"2022-04-28T18:57:00Z\"}", "event": { - "kind": "event", "action": "succeeded", "category": [ "network" ], + "kind": "event", "type": [ "start" ] @@ -158,30 +158,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "agent": { "version": "4.5.2" }, - "user": { - "email": "peter@xxx.com" - }, - "source": { - "geo": { - "country_name": "United Kingdom of Great Britain and Northern Ireland" - }, - "ip": "10.41.6.171", - "nat": { - "ip": "185.69.145.183" - }, - "address": "10.41.6.171" - }, "cato": { "sase": { - "event_type": "Connectivity", - "event_sub_type": "Connected" + "event_sub_type": "Connected", + "event_type": "Connectivity" } }, "host": { "name": "Peter\u2019s MacBook Pro", "os": { - "version": "11.6.0", - "type": "macos" + "type": "macos", + "version": "11.6.0" } }, "related": { @@ -189,6 +176,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.41.6.171", "185.69.145.183" ] + }, + "source": { + "address": "10.41.6.171", + "geo": { + "country_name": "United Kingdom of Great Britain and Northern Ireland" + }, + "ip": "10.41.6.171", + "nat": { + "ip": "185.69.145.183" + } + }, + "user": { + "email": "peter@xxx.com" } } 
@@ -202,61 +202,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ISP_name\":\"Vodafone Ltd\",\"account_id\":\"1714\",\"action\":\"Monitor\",\"application\":\"Technological apps\",\"categories\":\"Computers and Technology\",\"custom_categories\":\"Allowed Internet for Guests, Domain User Internet\",\"dest_country\":\"United States of America\",\"dest_ip\":\"44.240.37.33\",\"dest_port\":\"443\",\"domain_name\":\"push.services.mozilla.com\",\"event_count\":\"1\",\"event_sub_type\":\"Internet Firewall\",\"event_type\":\"Security\",\"internalId\":\"UK8P5Uy7ms\",\"ip_protocol\":\"TCP\",\"is_sanctioned_app\":\"false\",\"os_type\":\"OS_MAC\",\"os_version\":\"11.6.0\",\"pop_name\":\"Melbourne\",\"rule\":\"Track All\",\"rule_id\":\"5957\",\"rule_name\":\"Track All\",\"src_country\":\"United Kingdom of Great Britain and Northern Ireland\",\"src_ip\":\"10.41.169.183\",\"src_is_site_or_vpn\":\"VPN User\",\"src_isp_ip\":\"185.69.144.161\",\"src_site\":\"Peter James\",\"time\":\"1650741710842\",\"vpn_user_email\":\"peter@xxx.com\",\"event_timestamp\":\"2022-04-23T19:21:50Z\"}", "event": { - "kind": "event", "action": "monitor", "category": [ "network" ], + "kind": "event", "type": [ "info" ] }, + "cato": { + "sase": { + "event_sub_type": "Internet Firewall", + "event_type": "Security" + } + }, "destination": { + "address": "44.240.37.33", "geo": { "country_name": "United States of America" }, "ip": "44.240.37.33", - "port": 443, - "address": "44.240.37.33" + "port": 443 + }, + "host": { + "os": { + "type": "macos", + "version": "11.6.0" + } }, "network": { "transport": "TCP" }, - "user": { - "email": "peter@xxx.com" + "related": { + "ip": [ + "10.41.169.183", + "185.69.144.161", + "44.240.37.33" + ] }, "rule": { "id": "Track All", "name": "Track All" }, "source": { + "address": "10.41.169.183", "geo": { "country_name": "United Kingdom of Great Britain and Northern Ireland" }, "ip": "10.41.169.183", "nat": { "ip": "185.69.144.161" - 
}, - "address": "10.41.169.183" - }, - "cato": { - "sase": { - "event_type": "Security", - "event_sub_type": "Internet Firewall" - } - }, - "host": { - "os": { - "version": "11.6.0", - "type": "macos" } }, - "related": { - "ip": [ - "10.41.169.183", - "185.69.144.161", - "44.240.37.33" - ] + "user": { + "email": "peter@xxx.com" } } 
@@ -270,53 +270,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"account_id\":\"1714\",\"action\":\"Block\",\"dest_ip\":\"10.64.4.10\",\"dest_is_site_or_vpn\":\"Site\",\"dest_port\":\"22\",\"event_count\":\"1\",\"event_sub_type\":\"IPS\",\"event_type\":\"Security\",\"internalId\":\"M9w5A3mkAa\",\"ip_protocol\":\"TCP\",\"mitre_attack_subtechniques\":\"\",\"mitre_attack_tactics\":\"\",\"mitre_attack_techniques\":\"\",\"os_type\":\"OS_UNKNOWN\",\"pop_name\":\"Dublin\",\"risk_level\":\"Medium\",\"rule\":\"3605\",\"rule_id\":\"3605\",\"signature_id\":\"feed_ips15_ssh\",\"src_country\":\"China\",\"src_ip\":\"61.177.173.13\",\"src_is_site_or_vpn\":\"Site\",\"src_port\":\"47046\",\"src_site\":\"Reflector\",\"threat_name\":\"IP reputation based signature - Network Scanner\",\"threat_reference\":\"https://support.catonetworks.com/hc/en-us/articles/360011568478\",\"threat_type\":\"Reputation\",\"time\":\"1650596005910\",\"traffic_direction\":\"INBOUND\",\"event_timestamp\":\"2022-04-22T02:53:25Z\"}", "event": { - "kind": "event", "action": "block", "category": [ "intrusion_detection" ], + "kind": "event", "type": [ "denied" ] }, - "destination": { - "ip": "10.64.4.10", - "port": 22, - "address": "10.64.4.10" - }, - "network": { - "transport": "TCP", - "direction": "INBOUND" - }, - "rule": { - "id": "3605" - }, - "source": { - "geo": { - "country_name": "China" - }, - "ip": "61.177.173.13", - "port": 47046, - "address": "61.177.173.13" - }, "cato": { "sase": { - "threat_type": "Reputation", - "risk_level": "Medium", + "event_sub_type": "IPS", "event_type": "Security", - "event_sub_type": "IPS" + "risk_level": "Medium", + "threat_type": "Reputation" } }, + "destination": { + "address": "10.64.4.10", + "ip": "10.64.4.10", + "port": 22 + }, "host": { "os": { "type": "unknown" } }, + "network": { + "direction": "INBOUND", + "transport": "TCP" + }, "related": { "ip": [ "10.64.4.10", "61.177.173.13" ] + }, + "rule": { + "id": "3605" + 
}, + "source": { + "address": "61.177.173.13", + "geo": { + "country_name": "China" + }, + "ip": "61.177.173.13", + "port": 47046 } } @@ -330,22 +330,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"account_id\":\"1714\",\"action\":\"Block\",\"application\":\"Suspected apps\",\"dest_country\":\"Ireland\",\"dest_ip\":\"52.51.102.52\",\"dest_port\":\"443\",\"domain_name\":\"reflector.peterljames.org\",\"event_count\":\"1\",\"event_sub_type\":\"NG Anti Malware\",\"event_type\":\"Security\",\"file_hash\":\"70355dcf91019652e32eba67140a2708232a1fa786f90446d7984afe314f63f3\",\"file_name\":\"eicar.exe\",\"file_size\":\"68\",\"indicator\":\"EICAR-SENTINEL-ANTIVIRUS-TEST-FILE\",\"internalId\":\"QCzt6ht6GY\",\"os_type\":\"OS_MAC\",\"os_version\":\"11.6.0\",\"pop_name\":\"London\",\"rule\":\"0\",\"rule_id\":\"0\",\"src_ip\":\"10.41.173.156\",\"src_is_site_or_vpn\":\"VPN User\",\"src_site\":\"Peter James\",\"threat_name\":\"malware\",\"threat_verdict\":\"virus_found\",\"time\":\"1651045480623\",\"url\":\"https://reflec.xxx.com /eicar.exe\",\"vpn_user_email\":\"peter@xxx.com\",\"event_timestamp\":\"2022-04-27T07:44:40Z\"}", "event": { - "kind": "event", "action": "block", "category": [ "malware" ], + "kind": "event", "type": [ "info" ] }, + "cato": { + "sase": { + "event_sub_type": "NG Anti Malware", + "event_type": "Security" + } + }, "destination": { + "address": "52.51.102.52", "geo": { "country_name": "Ireland" }, "ip": "52.51.102.52", - "port": 443, - "address": "52.51.102.52" + "port": 443 }, "file": { "hash": { 
@@ -354,36 +360,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "eicar.exe", "size": 68 }, - "url": { - "original": "https://reflec.xxx.com /eicar.exe", - "domain": "reflec.xxx.com ", - "top_level_domain": "com", - "subdomain": "reflec", - "registered_domain": "xxx.com", - "path": "/eicar.exe", - "scheme": "https", - "port": 443 - }, - "user": { - "email": "peter@xxx.com" - }, - "rule": { - "id": "0" - }, - "source": { - "ip": "10.41.173.156", - "address": "10.41.173.156" - }, - "cato": { - "sase": { - "event_type": "Security", - "event_sub_type": "NG Anti Malware" - } - }, "host": { "os": { - "version": "11.6.0", - "type": "macos" + "type": "macos", + "version": "11.6.0" } }, "related": { @@ -394,6 +374,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.41.173.156", "52.51.102.52" ] + }, + "rule": { + "id": "0" + }, + "source": { + "address": "10.41.173.156", + "ip": "10.41.173.156" + }, + "url": { + "domain": "reflec.xxx.com ", + "original": "https://reflec.xxx.com /eicar.exe", + "path": "/eicar.exe", + "port": 443, + "registered_domain": "xxx.com", + "scheme": "https", + "subdomain": "reflec", + "top_level_domain": "com" + }, + "user": { + "email": "peter@xxx.com" } } 
@@ -407,39 +407,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"account_id\":\"1714\",\"action\":\"Allow\",\"dest_country\":\"United Kingdom of Great Britain and Northern Ireland\",\"dest_ip\":\"85.255.16.36\",\"dest_port\":\"22\",\"dest_site\":\"Reflector\",\"event_count\":\"6\",\"event_sub_type\":\"RPF\",\"event_type\":\"Security\",\"internalId\":\"cAmaGkX3na\",\"os_type\":\"OS_UNKNOWN\",\"pop_name\":\"London\",\"rule\":\"RPF22\",\"rule_id\":\"15366\",\"rule_name\":\"RPF22\",\"src_country\":\"China\",\"src_ip\":\"61.177.173.13\",\"time\":\"1650618945981\",\"event_timestamp\":\"2022-04-22T09:15:45Z\"}", "event": { - "kind": "event", "action": "allow", "category": [ "network" ], + "kind": "event", "type": [ "allowed" ] }, + "cato": { + "sase": { + "event_sub_type": "RPF", + "event_type": "Security" + } + }, "destination": { + "address": "85.255.16.36", "geo": { "country_name": "United Kingdom of Great Britain and Northern Ireland" }, "ip": "85.255.16.36", - "port": 22, - "address": "85.255.16.36" - }, - "rule": { - "id": "RPF22", - "name": "RPF22" - }, - "source": { - "geo": { - "country_name": "China" - }, - "ip": "61.177.173.13", - "address": "61.177.173.13" - }, - "cato": { - "sase": { - "event_type": "Security", - "event_sub_type": "RPF" - } + "port": 22 }, "host": { "os": { @@ -451,6 +440,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "61.177.173.13", "85.255.16.36" ] + }, + "rule": { + "id": "RPF22", + "name": "RPF22" + }, + "source": { + "address": "61.177.173.13", + "geo": { + "country_name": "China" + }, + "ip": "61.177.173.13" } } diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index 3efe02b22c..34cbea804e 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md 
+++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md @@ -36,19 +36,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"clickIP\":\"192.0.2.1\",\"clickTime\":\"2016-06-24T19:17:44.000Z\",\"GUID\":\"b27dbea0-87d5-463b-b93c-4e8b708289ce\",\"id\":\"8c8b4895-a277-449f-r797-547e3c89b25a\",\"messageID\":\"8c6cfedd-3050-4d65-8c09-c5f65c38da81\",\"recipient\":\"bruce.wayne@pharmtech.zz\",\"sender\":\"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz\",\"senderIP\":\"192.0.2.255\",\"threatID\":\"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50\",\"threatTime\":\"2016-06-24T19:17:46.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50\",\"threatStatus\":\"active\",\"url\":\"http://badguy.zz/\",\"userAgent\":\"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0\",\"type\":\"click\",\"status\":\"permitted\"}\n", "event": { "action": "permitted", - "dataset": "click", - "kind": "event", "category": [ "network" ], + "dataset": "click", + "kind": "event", "type": [ "allowed" ] }, - "source": { - "ip": "192.0.2.255", - "address": "192.0.2.255" - }, + "@timestamp": "2016-06-24T19:17:44Z", "email": { "local_id": "b27dbea0-87d5-463b-b93c-4e8b708289ce", "message_id": "8c6cfedd-3050-4d65-8c09-c5f65c38da81", 
@@ -64,29 +61,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "observer": { - "vendor": "ProofPoint", - "product": "Targeted Attack Protection" + "product": "Targeted Attack Protection", + "vendor": "ProofPoint" }, - "@timestamp": "2016-06-24T19:17:44Z", - "user_agent": { - "original": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", - "device": { - "name": "Other" - }, - "name": "Firefox", - "version": "27.0", - "os": { - "name": "Windows", - "version": "NT" + "proofpoint": { + "tap": { + "threat": { + "classifications": [ + "malware" + ] + } } }, - "url": { - "original": "http://badguy.zz/", - "domain": "badguy.zz", - "subdomain": "badguy", - "path": "/", - "scheme": "http", - "port": 80 + "related": { + "ip": [ + "192.0.2.255" + ] + }, + "source": { + "address": "192.0.2.255", + "ip": "192.0.2.255" }, "threat": { "enrichments": [ @@ -103,19 +97,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ] }, - "proofpoint": { - "tap": { - "threat": { - "classifications": [ - "malware" - ] - } - } + "url": { + "domain": "badguy.zz", + "original": "http://badguy.zz/", + "path": "/", + "port": 80, + "scheme": "http", + "subdomain": "badguy" }, - "related": { - "ip": [ - "192.0.2.255" - ] + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "os": { + "name": "Windows", + "version": "NT" + }, + "version": "27.0" } } 
@@ -130,20 +130,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"GUID\":\"c26dbea0-80d5-463b-b93c-4e8b708219ce\",\"status\":\"delivered\",\"type\":\"message\",\"QID\":\"r2FNwRHF004109\",\"ccAddresses\":[\"bruce.wayne@university-of-education.zz\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":[\"badguy@evil.zz\"],\"headerCC\":\"\\\"Bruce Wayne\\\" \",\"headerFrom\":\"\\\"A. Badguy\\\" \",\"headerReplyTo\":null,\"headerTo\":\"\\\"Clark Kent\\\" ; \\\"Diana Prince\\\" \",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"20160624211145.62086.mail@evil.zz\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"008c5926ca861023c1d2a36653fd88e2\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"Invoice for Pharmtech.pdf\",\"md5\":\"5873c7d37608e0d49bcaa6f32b6c731f\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\"}],\"messageTime\":\"2016-06-24T21:18:38.000Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"replyToAddress\":null,\"sender\":\"e99d7ed5580193f36a51f597bc2c0210@evil.zz\",\"senderIP\":\"192.0.2.255\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"threat\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\",\"threatId\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\",\"threatStatus\":\"active\",\"threatTime\":\"2016-06-24T21:18:38.000Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\"},{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"threat\":\"badsite.zz\",\"threatId\":\"3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa\",\"threatTime\":\"2016-06-24T21:18:07.000Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa\"}],\"toAddresses\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"xmailer\":\"Spambot v2.5\"}", "event": { "action": "delivered", + "category": [ + "email" + ], "dataset": "message", "kind": "event", "type": [ "info" - ], - "category": [ - "email" ] }, - "source": { - "ip": "192.0.2.255", - "address": "192.0.2.255" - }, + "@timestamp": "2016-06-24T21:18:38Z", "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "008c5926ca861023c1d2a36653fd88e2", + "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "5873c7d37608e0d49bcaa6f32b6c731f", + "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + }, + "mime_type": "application/pdf", + "name": "Invoice for Pharmtech.pdf" + } + } + ], + "cc": { + "address": [ + "bruce.wayne@university-of-education.zz" + ] + }, + "from": { + "address": [ + "badguy@evil.zz" + ] + }, "local_id": 
"c26dbea0-80d5-463b-b93c-4e8b708219ce", "message_id": "20160624211145.62086.mail@evil.zz", "sender": { @@ -151,7 +180,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "e99d7ed5580193f36a51f597bc2c0210@evil.zz" ] }, - "x_mailer": "Spambot v2.5", "subject": "Please find a totally safe invoice attached.", "to": { "address": [ 
@@ -159,60 +187,69 @@ Find below few samples of events and how they are normalized by Sekoia.io. "diana.prince@pharmtech.zz" ] }, - "from": { - "address": [ - "badguy@evil.zz" - ] - }, - "cc": { - "address": [ - "bruce.wayne@university-of-education.zz" - ] - }, - "attachments": [ - { - "file": { - "name": "text.txt", - "mime_type": "text/plain", - "hash": { - "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281", - "md5": "008c5926ca861023c1d2a36653fd88e2" - } + "x_mailer": "Spambot v2.5" + }, + "observer": { + "product": "Targeted Attack Protection", + "vendor": "ProofPoint" + }, + "proofpoint": { + "tap": { + "cluster": { + "id": "pharmtech_hosted" + }, + "email": { + "to": { + "address": [ + "clark.kent@pharmtech.zz", + "diana.prince@pharmtech.zz" + ] } }, - { - "file": { - "name": "Invoice for Pharmtech.pdf", - "mime_type": "application/pdf", - "hash": { - "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", - "md5": "5873c7d37608e0d49bcaa6f32b6c731f" - } + "modules": [ + "pdr", + "sandbox", + "spam", + "urldefense" + ], + "threat": { + "classifications": [ + "malware" + ], + "scores": { + "impostor": 0, + "malware": 100, + "phish": 46, + "spam": 4 } } - ] + } }, - "observer": { - "vendor": "ProofPoint", - "product": "Targeted Attack Protection" + "related": { + "ip": [ + "192.0.2.255" + ] }, - "@timestamp": "2016-06-24T21:18:38Z", "rule": { "name": "module.sandbox.threat" }, + "source": { + "address": "192.0.2.255", + "ip": "192.0.2.255" + }, "threat": { "enrichments": [ { "indicator": { - "first_seen": "2016-06-24T21:18:38.000Z", - "last_seen": "2016-06-24T21:18:38.000Z", - "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", - "type": "file", "file": { "hash": { "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" } - } + }, + "first_seen": "2016-06-24T21:18:38.000Z", + 
"last_seen": "2016-06-24T21:18:38.000Z", + "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "type": "file" } }, { @@ -227,43 +264,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } ] - }, - "proofpoint": { - "tap": { - "threat": { - "classifications": [ - "malware" - ], - "scores": { - "spam": 4, - "impostor": 0, - "malware": 100, - "phish": 46 - } - }, - "modules": [ - "pdr", - "sandbox", - "spam", - "urldefense" - ], - "cluster": { - "id": "pharmtech_hosted" - }, - "email": { - "to": { - "address": [ - "clark.kent@pharmtech.zz", - "diana.prince@pharmtech.zz" - ] - } - } - } - }, - "related": { - "ip": [ - "192.0.2.255" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index 2c1dd3ec7b..0a77e0fa68 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md 
@@ -35,33 +35,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669549802503,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:582598250481:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"XSS-Detection-URL\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"XSS\",\"location\":\"QUERY_STRING\",\"matchedData\":[\"REDACTED\"]}],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2S4G6AQPVW9DQ\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"84.46.249.194\",\"country\":\"DE\",\"headers\":[{\"name\":\"Host\",\"value\":\"login.ACME.com\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"Accept-Language\",\"value\":\"en\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/config/postProcessing/testNaming\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"hZV7g-jjDydLm1cVp7MhsMVf20NcU_pe0x55txifIcdG5VZxKJ78zw==\"}}", "event": { - "kind": "event", + "action": "BLOCK", "category": [ "network" ], - "type": [ - "access" - ], + "kind": "event", "module": "aws.waf", - "action": "BLOCK", "reason": [ "XSS" + ], + "type": [ + "access" ] }, "@timestamp": "2022-11-27T11:50:02.503000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { 
@@ -69,12 +59,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "login.ACME.com", "address": "login.ACME.com", - "top_level_domain": "com", + "domain": "login.ACME.com", + "registered_domain": "ACME.com", "subdomain": "login", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { @@ -83,40 +80,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "login.ACME.com" + ], + "ip": [ + "84.46.249.194" + ] + }, "rule": { "category": "REGULAR", "name": "XSS-Detection-URL" }, "source": { + "address": "84.46.249.194", "geo": { "country_iso_code": "DE" }, - "ip": "84.46.249.194", - "address": "84.46.249.194" + "ip": "84.46.249.194" }, "url": { "original": "/config/postProcessing/testNaming", "path": "/config/postProcessing/testNaming" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "35.0.2117", + "original": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36", "os": { "name": "Windows", "version": "XP" - } - }, - "related": { - "hosts": [ - "login.ACME.com" - ], - "ip": [ - "84.46.249.194" - ] + }, + "version": "35.0.2117" } } 
@@ -130,33 +130,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669547932510,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:582598250481:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"SQL-injection-Detection-URL\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"BODY\",\"matchedData\":[\"email\",\"=\",\"=''or\",\"email.com\",\"=\"],\"sensitivityLevel\":\"LOW\"}],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2S4G6AQPVW9DQ\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"84.46.249.194\",\"country\":\"DE\",\"headers\":[{\"name\":\"Host\",\"value\":\"login.ACME.com\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Content-Length\",\"value\":\"74\"},{\"name\":\"Accept\",\"value\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},{\"name\":\"Content-Type\",\"value\":\"application/x-www-form-urlencoded\"},{\"name\":\"Cookie\",\"value\":\"REDACTED\"},{\"name\":\"Referer\",\"value\":\"https://login.ACME.com/login.php\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/login.php\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"mVzg_KS6DmSRrKCDEA4cdK6WXSB6mVDo1z0ak8THDjiNdoOpC0yOqA==\"}}", "event": { - "kind": "event", + "action": "BLOCK", "category": [ "network" ], - "type": [ - "access" - ], + "kind": "event", "module": "aws.waf", - "action": "BLOCK", "reason": [ "SQL_INJECTION" + ], + "type": [ + "access" ] }, "@timestamp": "2022-11-27T11:18:52.510000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - 
"service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { @@ -164,12 +154,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "login.ACME.com", "address": "login.ACME.com", - "top_level_domain": "com", + "domain": "login.ACME.com", + "registered_domain": "ACME.com", "subdomain": "login", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { @@ -182,40 +179,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "login.ACME.com" + ], + "ip": [ + "84.46.249.194" + ] + }, "rule": { "category": "REGULAR", "name": "SQL-injection-Detection-URL" }, "source": { + "address": "84.46.249.194", "geo": { "country_iso_code": "DE" }, - "ip": "84.46.249.194", - "address": "84.46.249.194" + "ip": "84.46.249.194" }, "url": { "original": "/login.php", "path": "/login.php" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "70.0.3538", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "hosts": [ - "login.ACME.com" - ], - "ip": [ - "84.46.249.194" - ] + }, + "version": "70.0.3538" } } 
@@ -229,33 +229,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669544590505,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:582598250481:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"XSS-Detection-HTML-tags\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"XSS\",\"location\":\"QUERY_STRING\",\"matchedData\":[\"REDACTED\"]}],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2S4G6AQPVW9DQ\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"84.46.249.194\",\"country\":\"DE\",\"headers\":[{\"name\":\"Host\",\"value\":\"login.ACME.com\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"Accept-Language\",\"value\":\"en\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/wp-admin/options-general.php\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"n1nt9-sFYbgTvL2v6xKUDAn4GpFxtycHepSjN4bcZAB7ipZRCOijSw==\"}}", "event": { - "kind": "event", + "action": "BLOCK", "category": [ "network" ], - "type": [ - "access" - ], + "kind": "event", "module": "aws.waf", - "action": "BLOCK", "reason": [ "XSS" + ], + "type": [ + "access" ] }, "@timestamp": "2022-11-27T10:23:10.505000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { 
@@ -263,12 +253,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "login.ACME.com", "address": "login.ACME.com", - "top_level_domain": "com", + "domain": "login.ACME.com", + "registered_domain": "ACME.com", "subdomain": "login", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { @@ -277,40 +274,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "login.ACME.com" + ], + "ip": [ + "84.46.249.194" + ] + }, "rule": { "category": "REGULAR", "name": "XSS-Detection-HTML-tags" }, "source": { + "address": "84.46.249.194", "geo": { "country_iso_code": "DE" }, - "ip": "84.46.249.194", - "address": "84.46.249.194" + "ip": "84.46.249.194" }, "url": { "original": "/wp-admin/options-general.php", "path": "/wp-admin/options-general.php" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "37.0.2049", + "original": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", "os": { "name": "Windows", "version": "8.1" - } - }, - "related": { - "hosts": [ - "login.ACME.com" - ], - "ip": [ - "84.46.249.194" - ] + }, + "version": "37.0.2049" } } 
@@ -324,30 +324,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669449723944,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2R57GJ4AQX5UR\",\"ruleGroupList\":[{\"ruleGroupId\":\"AWS#AWSManagedRulesAmazonIpReputationList\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"30.255.150.197\",\"country\":\"IE\",\"headers\":[{\"name\":\"accept\",\"value\":\"*/*\"},{\"name\":\"content-type\",\"value\":\"application/json\"},{\"name\":\"x-client-origin\",\"value\":\"atf.team.ACME.com\"},{\"name\":\"Content-Length\",\"value\":\"183\"},{\"name\":\"User-Agent\",\"value\":\"node-fetch/1.0 (+https://github.com/bitinn/node-fetch)\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip,deflate\"},{\"name\":\"Host\",\"value\":\"api.ACME.com\"},{\"name\":\"Connection\",\"value\":\"keep-alive\"}],\"uri\":\"/graphql\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"e6Hwr9m4uRtjSPXu2C2K4mmiFk0n7Ubqu0EUf0CqI0uxPbUE2qWiKA==\"}}", "event": { - "kind": "event", + "action": "ALLOW", "category": [ "network" ], + "kind": "event", + "module": "aws.waf", "type": [ "access" - ], - "module": "aws.waf", - "action": "ALLOW" + ] }, "@timestamp": "2022-11-26T08:02:03.944000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { 
@@ -355,12 +345,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "api.ACME.com", "address": "api.ACME.com", - "top_level_domain": "com", + "domain": "api.ACME.com", + "registered_domain": "ACME.com", "subdomain": "api", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { @@ -374,38 +371,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "api.ACME.com" + ], + "ip": [ + "30.255.150.197" + ] + }, "rule": { "category": "REGULAR", "name": "Default_Action" }, "source": { + "address": "30.255.150.197", "geo": { "country_iso_code": "IE" }, - "ip": "30.255.150.197", - "address": "30.255.150.197" + "ip": "30.255.150.197" }, "url": { "original": "/graphql", "path": "/graphql" }, "user_agent": { - "original": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "device": { "name": "Other" }, "name": "Other", + "original": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "os": { "name": "Other" } - }, - "related": { - "hosts": [ - "api.ACME.com" - ], - "ip": [ - "30.255.150.197" - ] } } 
@@ -419,30 +419,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669441143965,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2R57GJ4AQX5UR\",\"ruleGroupList\":[{\"ruleGroupId\":\"AWS#AWSManagedRulesAmazonIpReputationList\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":200,\"httpRequest\":{\"clientIp\":\"2600:4040:2974:1c00:5404:1cac:9f62:ffff\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"api.ACME.com\"},{\"name\":\"Connection\",\"value\":\"Upgrade\"},{\"name\":\"Pragma\",\"value\":\"no-cache\"},{\"name\":\"Cache-Control\",\"value\":\"no-cache\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"},{\"name\":\"Upgrade\",\"value\":\"websocket\"},{\"name\":\"Origin\",\"value\":\"https://app.ACME.com\"},{\"name\":\"Sec-WebSocket-Version\",\"value\":\"13\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip, deflate, br\"},{\"name\":\"Accept-Language\",\"value\":\"en-US,en;q=0.9\"},{\"name\":\"Cookie\",\"value\":\"REDACTED\"},{\"name\":\"Sec-WebSocket-Key\",\"value\":\"QUKS5ot19xG6kMaXl0FbIg==\"},{\"name\":\"Sec-WebSocket-Extensions\",\"value\":\"permessage-deflate; client_max_window_bits\"},{\"name\":\"Sec-WebSocket-Protocol\",\"value\":\"graphql-ws\"}],\"uri\":\"/subscriptions\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"XNSlGmCpHQABja00TCTI294jyGl26K_7qsJ2-L3Iu1UmeQtJwUgJIg==\"}}", "event": { - "kind": "event", + "action": "ALLOW", "category": [ 
"network" ], + "kind": "event", + "module": "aws.waf", "type": [ "access" - ], - "module": "aws.waf", - "action": "ALLOW" + ] }, "@timestamp": "2022-11-26T05:39:03.965000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { @@ -450,12 +440,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "api.ACME.com", "address": "api.ACME.com", - "top_level_domain": "com", + "domain": "api.ACME.com", + "registered_domain": "ACME.com", "subdomain": "api", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { 
@@ -467,40 +464,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "api.ACME.com" + ], + "ip": [ + "2600:4040:2974:1c00:5404:1cac:9f62:ffff" + ] + }, "rule": { "category": "REGULAR", "name": "Default_Action" }, "source": { + "address": "2600:4040:2974:1c00:5404:1cac:9f62:ffff", "geo": { "country_iso_code": "US" }, - "ip": "2600:4040:2974:1c00:5404:1cac:9f62:ffff", - "address": "2600:4040:2974:1c00:5404:1cac:9f62:ffff" + "ip": "2600:4040:2974:1c00:5404:1cac:9f62:ffff" }, "url": { "original": "/subscriptions", "path": "/subscriptions" }, "user_agent": { - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Mac" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Mac OS X", "version": "10.15.7" - } - }, - "related": { - "hosts": [ - "api.ACME.com" - ], - "ip": [ - "2600:4040:2974:1c00:5404:1cac:9f62:ffff" - ] + }, + "version": "107.0.0" } } 
@@ -514,30 +514,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669639359431,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:582598250481:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2R57GJ4AQX5UR\",\"ruleGroupList\":[{\"ruleGroupId\":\"AWS#AWSManagedRulesAmazonIpReputationList\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"36.37.214.134\",\"country\":\"KH\",\"headers\":[{\"name\":\"host\",\"value\":\"api.ACME.com\"},{\"name\":\"content-length\",\"value\":\"182\"},{\"name\":\"sec-ch-ua\",\"value\":\"\\\"Google Chrome\\\";v=\\\"107\\\", \\\"Chromium\\\";v=\\\"107\\\", \\\"Not=A?Brand\\\";v=\\\"24\\\"\"},{\"name\":\"x-client-version\",\"value\":\"2.214.1\"},{\"name\":\"sec-ch-ua-mobile\",\"value\":\"?0\"},{\"name\":\"authorization\",\"value\":\"REDACTED\"},{\"name\":\"user-agent\",\"value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"},{\"name\":\"content-type\",\"value\":\"application/json\"},{\"name\":\"accept\",\"value\":\"*/*\"},{\"name\":\"x-client-origin\",\"value\":\"app.ACME.com\"},{\"name\":\"sec-ch-ua-platform\",\"value\":\"\\\"Windows\\\"\"},{\"name\":\"origin\",\"value\":\"https://app.ACME.com\"},{\"name\":\"sec-fetch-site\",\"value\":\"same-site\"},{\"name\":\"sec-fetch-mode\",\"value\":\"cors\"},{\"name\":\"sec-fetch-dest\",\"value\":\"empty\"},{\"name\":\"referer\",\"value\":\"https://app.ACME.com/\"},{\"name\":\"accept-encoding\",\"value\":\"gzip, deflate, 
br\"},{\"name\":\"accept-language\",\"value\":\"en-US,en;q=0.9\"}],\"uri\":\"/graphql\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/2.0\",\"httpMethod\":\"POST\",\"requestId\":\"Cs2c_cKDiRUpviG8OWN--0CZVO32-LajujdsNebKbTzMFDaOBEF1sw==\"}}", "event": { - "kind": "event", + "action": "ALLOW", "category": [ "network" ], + "kind": "event", + "module": "aws.waf", "type": [ "access" - ], - "module": "aws.waf", - "action": "ALLOW" + ] }, "@timestamp": "2022-11-28T12:42:39.431000Z", "action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { @@ -545,12 +535,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "api.ACME.com", "address": "api.ACME.com", - "top_level_domain": "com", + "domain": "api.ACME.com", + "registered_domain": "ACME.com", "subdomain": "api", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { 
@@ -564,40 +561,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/2.0" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "api.ACME.com" + ], + "ip": [ + "36.37.214.134" + ] + }, "rule": { "category": "REGULAR", "name": "Default_Action" }, "source": { + "address": "36.37.214.134", "geo": { "country_iso_code": "KH" }, - "ip": "36.37.214.134", - "address": "36.37.214.134" + "ip": "36.37.214.134" }, "url": { "original": "/graphql", "path": "/graphql" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "hosts": [ - "api.ACME.com" - ], - "ip": [ - "36.37.214.134" - ] + }, + "version": "107.0.0" } } 
@@ -611,30 +611,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":1669449735564,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:us-east-1:global/webacl/ACME/41f0e583-5098\",\"terminatingRuleId\":\"Whitelist-Header-Cookie\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"CF\",\"httpSourceId\":\"E2R57GJ4AQX5UR\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"140.161.225.89\",\"country\":\"GB\",\"headers\":[{\"name\":\"Host\",\"value\":\"api.ACME.com\"},{\"name\":\"Connection\",\"value\":\"Upgrade\"},{\"name\":\"Pragma\",\"value\":\"no-cache\"},{\"name\":\"Cache-Control\",\"value\":\"no-cache\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"},{\"name\":\"Upgrade\",\"value\":\"websocket\"},{\"name\":\"Origin\",\"value\":\"https://app.ACME.com\"},{\"name\":\"Sec-WebSocket-Version\",\"value\":\"13\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip, deflate, br\"},{\"name\":\"Accept-Language\",\"value\":\"en-GB,en-US;q=0.9,en;q=0.8\"},{\"name\":\"Cookie\",\"value\":\"REDACTED\"},{\"name\":\"Sec-WebSocket-Key\",\"value\":\"Fl+0IdBjmYwtjTGcoMneOQ==\"},{\"name\":\"Sec-WebSocket-Extensions\",\"value\":\"permessage-deflate; client_max_window_bits\"},{\"name\":\"Sec-WebSocket-Protocol\",\"value\":\"graphql-ws\"}],\"uri\":\"/subscriptions\",\"args\":\"REDACTED\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"rS38BhqsbkL36wW_M5wAKI2TJHZ9CXIlefVf5-yfJQ-TA5oYq9n8yA==\"}}", "event": { - "kind": "event", + "action": "ALLOW", "category": [ "network" ], + "kind": "event", + "module": "aws.waf", "type": [ "access" - ], - "module": "aws.waf", - "action": "ALLOW" + ] }, "@timestamp": "2022-11-26T08:02:15.564000Z", 
"action": { "target": "network-traffic" }, - "cloud": { - "provider": "aws", - "service": { - "name": "waf" - }, - "region": "us-east-1" - }, - "observer": { - "type": "waf" - }, "aws": { "waf": { "rule": { @@ -642,12 +632,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "cloud": { + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "waf" + } + }, "destination": { - "domain": "api.ACME.com", "address": "api.ACME.com", - "top_level_domain": "com", + "domain": "api.ACME.com", + "registered_domain": "ACME.com", "subdomain": "api", - "registered_domain": "ACME.com" + "top_level_domain": "com" }, "http": { "request": { @@ -656,40 +653,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "HTTP/1.1" }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "api.ACME.com" + ], + "ip": [ + "140.161.225.89" + ] + }, "rule": { "category": "REGULAR", "name": "Whitelist-Header-Cookie" }, "source": { + "address": "140.161.225.89", "geo": { "country_iso_code": "GB" }, - "ip": "140.161.225.89", - "address": "140.161.225.89" + "ip": "140.161.225.89" }, "url": { "original": "/subscriptions", "path": "/subscriptions" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "107.0.0", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "hosts": [ - "api.ACME.com" - ], - "ip": [ - "140.161.225.89" - ] + }, + "version": "107.0.0" } } diff --git a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md index c9dad96f75..5bf35d1c6f 100644 
--- a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md +++ b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md @@ -37,41 +37,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "kind": "event" }, - "source": { - "ip": "255.255.255.1", - "domain": "mail.fr", - "address": "mail.fr", - "top_level_domain": "fr", - "registered_domain": "mail.fr" - }, - "observer": { - "version": "1.0", - "hostname": "events.retarus.com" - }, - "organization": { - "id": "45987FR" + "action": { + "name": "EVENT", + "outcome": "success", + "outcome_reason": "ACCEPTED" }, "destination": { - "domain": "mail.com", "address": "mail.com", - "top_level_domain": "com", - "registered_domain": "mail.com" + "domain": "mail.com", + "registered_domain": "mail.com", + "top_level_domain": "com" }, - "retarus": { - "timestamp": "2021-05-18 16:50:30 +0200", - "email_direction": "OUTBOUND", - "mime_message_id": "", - "message_id": "20210518-32464-yvrfukcZEcd-0@out33.fg", - "recipient": "recepient@mail.com", - "sender": "utilisateur@mail.fr", - "status": "ACCEPTED", - "class": "EVENT", - "type": "MTA" + "observer": { + "hostname": "events.retarus.com", + "version": "1.0" }, - "action": { - "name": "EVENT", - "outcome": "success", - "outcome_reason": "ACCEPTED" + "organization": { + "id": "45987FR" }, "related": { "hosts": [ 
@@ -82,6 +64,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "255.255.255.1" ] + }, + "retarus": { + "class": "EVENT", + "email_direction": "OUTBOUND", + "message_id": "20210518-32464-yvrfukcZEcd-0@out33.fg", + "mime_message_id": "", + "recipient": "recepient@mail.com", + "sender": "utilisateur@mail.fr", + "status": "ACCEPTED", + "timestamp": "2021-05-18 16:50:30 +0200", + "type": "MTA" + }, + "source": { + "address": "mail.fr", + "domain": "mail.fr", + "ip": "255.255.255.1", + "registered_domain": "mail.fr", + "top_level_domain": "fr" } } 
@@ -97,47 +97,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "kind": "event" }, + "action": { + "name": "EVENT", + "outcome": "success", + "outcome_reason": "ACCEPTED" + }, + "destination": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" + }, "observer": { - "version": "1.0", - "hostname": "events.retarus.com" + "hostname": "events.retarus.com", + "version": "1.0" }, "organization": { "id": "CuNo" }, - "source": { - "domain": "retarus.com", - "address": "retarus.com", - "top_level_domain": "com", - "registered_domain": "retarus.com" - }, - "destination": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" + "related": { + "hosts": [ + "events.retarus.com", + "retarus.com", + "retarus.de" + ] }, "retarus": { - "timestamp": "2021-07-11 14:58:43 +0200", + "class": "EVENT", "email_direction": "INBOUND", - "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27", + "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", "recipient": "xxxxxxx@retarus.de", "sender": "xxxxxxx@retarus.com", "status": "ACCEPTED", - "class": "EVENT", + "timestamp": "2021-07-11 14:58:43 +0200", "type": "MTA" }, - "action": { - "name": "EVENT", - "outcome": "success", - "outcome_reason": "ACCEPTED" - }, - "related": { - "hosts": [ - "events.retarus.com", - "retarus.com", - "retarus.de" - ] + "source": { + "address": "retarus.com", + "domain": "retarus.com", + "registered_domain": "retarus.com", + "top_level_domain": "com" } } 
@@ -153,37 +153,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "kind": "event" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "observer": { - "version": "1.0", - "hostname": "events.retarus.com" - }, - "organization": { - "id": "15752FR" + "action": { + "name": "EVENT", + "outcome": "success", + "outcome_reason": "ACCEPTED" }, "destination": { - "domain": "example.org", "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" }, - "retarus": { - "timestamp": "2022-09-12 16:30:58 +0200", - "email_direction": "INBOUND", - "mime_message_id": "<00000000@mailer.com>", - "message_id": "20220912-000000-111111111111-0@example", - "recipient": "user@example.org", - "status": "ACCEPTED", - "class": "EVENT", - "type": "MTA" + "observer": { + "hostname": "events.retarus.com", + "version": "1.0" }, - "action": { - "name": "EVENT", - "outcome": "success", - "outcome_reason": "ACCEPTED" + "organization": { + "id": "15752FR" }, "related": { "hosts": [ @@ -193,6 +179,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "retarus": { + "class": "EVENT", + "email_direction": "INBOUND", + "message_id": "20220912-000000-111111111111-0@example", + "mime_message_id": "<00000000@mailer.com>", + "recipient": "user@example.org", + "status": "ACCEPTED", + "timestamp": "2022-09-12 16:30:58 +0200", + "type": "MTA" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -208,41 +208,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "kind": "event" }, - "source": { - "ip": "255.255.255.1", - "domain": "retarus.com", - "address": "retarus.com", - "top_level_domain": "com", - "registered_domain": "retarus.com" - }, - "observer": { - "version": "1.0", - "hostname": "events.retarus.com" - }, - "organization": { - "id": "CuNo" + "action": { + "name": "EVENT", + "outcome": "success", + "outcome_reason": "ACCEPTED" }, "destination": { - "domain": "retarus.de", "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" }, - "retarus": { - "timestamp": "2021-07-11 14:58:43 +0200", - "email_direction": "OUTBOUND", - "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", - "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27", - "recipient": "xxxxxxx@retarus.de", - "sender": "xxxxxxx@retarus.com", - "status": "ACCEPTED", - "class": "EVENT", - "type": "MTA" + "observer": { + "hostname": "events.retarus.com", + "version": "1.0" }, - "action": { - "name": "EVENT", - "outcome": "success", - "outcome_reason": "ACCEPTED" + "organization": { + "id": "CuNo" }, "related": { "hosts": [ @@ -253,6 +235,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "255.255.255.1" ] + }, + "retarus": { + "class": "EVENT", + "email_direction": "OUTBOUND", + "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27", + "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", + "recipient": "xxxxxxx@retarus.de", + "sender": "xxxxxxx@retarus.com", + "status": "ACCEPTED", + "timestamp": "2021-07-11 14:58:43 +0200", + "type": "MTA" + }, + "source": { + "address": "retarus.com", + "domain": "retarus.com", + "ip": "255.255.255.1", + "registered_domain": "retarus.com", + "top_level_domain": "com" } } 
@@ -265,37 +265,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"class\": \"EVENT\", \"rmxId\": \"0001\", \"sourceIp\": \"1.1.1.1\", \"metaData\": {\"header\": {\"from\": \"sender \", \"subject\": \"This is a subject\"}, \"transportEncryption\": {\"requested\": true, \"established\": true, \"protocol\": \"TLSv1.2\", \"cipherSuite\": \"ecdhe-ecdsa-aes128-gcm-sha256\"}}, \"recipient\": \"recipient@recipientdomain.fr\", \"mimeId\": \"<11111111>\", \"sender\": \"sender@senderdomain.fr\", \"version\": \"1.0\", \"customer\": \"1\", \"host\": \"host.fr\", \"subtype\": \"INCOMING\", \"type\": \"AAA\", \"ts\": \"2021-10-1 09:00:00 +0200\", \"direction\": \"OUTBOUND\", \"status\": \"ACCEPTED\"}", - "source": { - "ip": "1.1.1.1", - "domain": "senderdomain.fr", - "address": "senderdomain.fr", - "top_level_domain": "fr", - "registered_domain": "senderdomain.fr" + "destination": { + "address": "recipientdomain.fr", + "domain": "recipientdomain.fr", + "registered_domain": "recipientdomain.fr", + "top_level_domain": "fr" }, "observer": { - "version": "1.0", - "hostname": "host.fr" + "hostname": "host.fr", + "version": "1.0" }, "organization": { "id": "1" }, - "destination": { - "domain": "recipientdomain.fr", - "address": "recipientdomain.fr", - "top_level_domain": "fr", - "registered_domain": "recipientdomain.fr" - }, - "retarus": { - "timestamp": "2021-10-1 09:00:00 +0200", - "email_direction": "OUTBOUND", - "mime_message_id": "<11111111>", - "message_id": "0001", - "recipient": "recipient@recipientdomain.fr", - "sender": "sender@senderdomain.fr", - "status": "ACCEPTED", - "class": "EVENT", - "type": "AAA" - }, "related": { "hosts": [ "host.fr", 
@@ -305,6 +287,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "retarus": { + "class": "EVENT", + "email_direction": "OUTBOUND", + "message_id": "0001", + "mime_message_id": "<11111111>", + "recipient": "recipient@recipientdomain.fr", + "sender": "sender@senderdomain.fr", + "status": "ACCEPTED", + "timestamp": "2021-10-1 09:00:00 +0200", + "type": "AAA" + }, + "source": { + "address": "senderdomain.fr", + "domain": "senderdomain.fr", + "ip": "1.1.1.1", + "registered_domain": "senderdomain.fr", + "top_level_domain": "fr" } } 
@@ -318,54 +318,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\", \"metaData\": {}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:18 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"CxO\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<164D6G96.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145817-42ZFjPxxxxxx-0@mailin01\"}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, + "action": { + "name": "THREAT", + "outcome": "failure" + }, + "destination": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" + }, "observer": { - "version": "1.0", - "hostname": "events.retarus.com" + "hostname": "events.retarus.com", + "version": "1.0" }, "organization": { "id": "CuNo" }, - "source": { - "domain": "retarus.com", - "address": "retarus.com", - "top_level_domain": "com", - "registered_domain": "retarus.com" - }, - "destination": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" + "related": { + "hosts": [ + "events.retarus.com", + "retarus.com", + "retarus.de" + ] }, "retarus": { - "timestamp": "2018-10-16 14:58:18 +0200", + "class": "THREAT", "email_direction": "INBOUND", - "mime_message_id": "<164D6G96.xxxxxxx@retarus.net>", "message_id": "20181016-145817-42ZFjPxxxxxx-0@mailin01", + "mime_message_id": "<164D6G96.xxxxxxx@retarus.net>", "recipient": "xxxxxxx@retarus.de", "sender": "xxxxxxx@retarus.com", "status": "DETECTED", - "class": "THREAT", + "timestamp": "2018-10-16 14:58:18 +0200", "type": "CxO" }, - "action": { - "name": "THREAT", - "outcome": "failure" - }, - "related": { - "hosts": [ - "events.retarus.com", - "retarus.com", - "retarus.de" - ] + "source": 
{ + "address": "retarus.com", + "domain": "retarus.com", + "registered_domain": "retarus.com", + "top_level_domain": "com" } } 
@@ -379,55 +379,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\", \"metaData\": {\"details\": \"EICAR-AV-Test\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"MultiScan\", \"direction\": \"OUTBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\", \"status\": \"INFECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145842-xxxxxx-xxxxxx-0@mailin27\"}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, + "action": { + "name": "THREAT", + "outcome": "failure" + }, + "destination": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" + }, "observer": { - "version": "1.0", - "hostname": "events.retarus.com" + "hostname": "events.retarus.com", + "version": "1.0" }, "organization": { "id": "CuNo" }, - "source": { - "domain": "retarus.com", - "address": "retarus.com", - "top_level_domain": "com", - "registered_domain": "retarus.com" - }, - "destination": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" + "related": { + "hosts": [ + "events.retarus.com", + "retarus.com", + "retarus.de" + ] }, "retarus": { - "timestamp": "2018-10-16 14:58:43 +0200", + "class": "THREAT", "email_direction": "OUTBOUND", - "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", "message_id": "20181016-145842-xxxxxx-xxxxxx-0@mailin27", + "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", "recipient": "xxxxxxx@retarus.de", "sender": "xxxxxxx@retarus.com", "status": "INFECTED", - "class": "THREAT", + "timestamp": "2018-10-16 14:58:43 +0200", "type": "MultiScan", "virus_name": "EICAR-AV-Test" }, - "action": { - "name": "THREAT", - "outcome": "failure" - }, - 
"related": { - "hosts": [ - "events.retarus.com", - "retarus.com", - "retarus.de" - ] + "source": { + "address": "retarus.com", + "domain": "retarus.com", + "registered_domain": "retarus.com", + "top_level_domain": "com" } } 
@@ -441,54 +441,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"threatType\": \"VIRUS\", \"checksum\": \"6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd\", \"mimeType\": \"applicationx-dosexec\", \"details\": \"EICAR-Test-File\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:56 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxx@retarus.de\", \"type\": \"PZD\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<56168B42.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145852-xxxxxx-xxxxxx-0@mailin01\"}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, - "observer": { - "version": "1.0", - "hostname": "events.retarus.com" - }, - "organization": { - "id": "CuNo" - }, - "source": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" - }, - "destination": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" - }, - "retarus": { - "timestamp": "2018-10-16 14:58:56 +0200", - "email_direction": "INBOUND", - "mime_message_id": "<56168B42.xxxxxxx@retarus.net>", - "message_id": "20181016-145852-xxxxxx-xxxxxx-0@mailin01", - "recipient": "xxxxxxx@retarus.de", - "sender": "xxxxxx@retarus.de", - "status": "DETECTED", - "class": "THREAT", - "type": "PZD", - "virus_name": "EICAR-Test-File" - }, "action": { "name": "THREAT", "outcome": "failure" }, + "destination": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" + }, "file": { - "mimeType": "applicationx-dosexec", "hash": { "sha256": "sha256" - } + }, + "mimeType": "applicationx-dosexec" + }, + "observer": { + "hostname": 
"events.retarus.com", + "version": "1.0" + }, + "organization": { + "id": "CuNo" }, "related": { "hash": [ @@ -498,6 +480,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "events.retarus.com", "retarus.de" ] + }, + "retarus": { + "class": "THREAT", + "email_direction": "INBOUND", + "message_id": "20181016-145852-xxxxxx-xxxxxx-0@mailin01", + "mime_message_id": "<56168B42.xxxxxxx@retarus.net>", + "recipient": "xxxxxxx@retarus.de", + "sender": "xxxxxx@retarus.de", + "status": "DETECTED", + "timestamp": "2018-10-16 14:58:56 +0200", + "type": "PZD", + "virus_name": "EICAR-Test-File" + }, + "source": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" } } 
@@ -511,53 +511,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"checksum\": \"cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 15:03:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"Sandboxing\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<37357C96.xxxxxxx@retarus.net>\", \"status\": \"SUSPICIOUS\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145902-xxxxxx-0@mailin08\"}", "event": { - "kind": "alert", "category": [ "malware" ], + "kind": "alert", "type": [ "info" ] }, - "observer": { - "version": "1.0", - "hostname": "events.retarus.com" - }, - "organization": { - "id": "CuNo" - }, - "source": { - "domain": "retarus.com", - "address": "retarus.com", - "top_level_domain": "com", - "registered_domain": "retarus.com" - }, - "destination": { - "domain": "retarus.de", - "address": "retarus.de", - "top_level_domain": "de", - "registered_domain": "retarus.de" - }, - "retarus": { - "timestamp": "2018-10-16 15:03:43 +0200", - "email_direction": "INBOUND", - "mime_message_id": "<37357C96.xxxxxxx@retarus.net>", - "message_id": "20181016-145902-xxxxxx-0@mailin08", - "recipient": "xxxxxxx@retarus.de", - "sender": "xxxxxxx@retarus.com", - "status": "SUSPICIOUS", - "class": "THREAT", - "type": "Sandboxing" - }, "action": { "name": "THREAT", "outcome": "failure" }, + "destination": { + "address": "retarus.de", + "domain": "retarus.de", + "registered_domain": "retarus.de", + "top_level_domain": "de" + }, "file": { "hash": { "sha256": "sha256" } }, + "observer": { + "hostname": "events.retarus.com", + "version": "1.0" + }, + "organization": { + "id": "CuNo" + }, "related": { "hash": [ "sha256" 
@@ -567,6 +550,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "retarus.com", "retarus.de" ] + }, + "retarus": { + "class": "THREAT", + "email_direction": "INBOUND", + "message_id": "20181016-145902-xxxxxx-0@mailin08", + "mime_message_id": "<37357C96.xxxxxxx@retarus.net>", + "recipient": "xxxxxxx@retarus.de", + "sender": "xxxxxxx@retarus.com", + "status": "SUSPICIOUS", + "timestamp": "2018-10-16 15:03:43 +0200", + "type": "Sandboxing" + }, + "source": { + "address": "retarus.com", + "domain": "retarus.com", + "registered_domain": "retarus.com", + "top_level_domain": "com" } } diff --git a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md index 0f42ddf259..8b1f4efb0a 100644 --- a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md +++ b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md 
@@ -27,49 +27,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"level\": \"RequestResponse\",\"auditID\": \"91afc40c-f1ef-4956-b85a-7e12d09511e9\",\"stage\": \"ResponseComplete\",\"requestURI\":\"/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true\",\"verb\": \"create\",\"user\": {\"username\": \"user@mail.com\",\"groups\": [\"system:authenticated\"]},\"sourceIPs\": [\"192.168.0.1\"],\"userAgent\": \"kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f\",\"objectRef\": {\"resource\": \"pods\",\"namespace\": \"test\",\"name\": \"test-1669140000-zp58r\",\"apiVersion\": \"v1\",\"subresource\": \"exec\"},\"responseStatus\": {\"metadata\": {},\"code\": 101},\"requestReceivedTimestamp\": \"2022-11-23T14:36:45.243457Z\",\"stageTimestamp\": \"2022-11-23T14:36:53.531481Z\",\"annotations\": {\"authorization.k8s.io/decision\": \"allow\",\"authorization.k8s.io/reason\": \"RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated\"}}", "event": { + "action": "create", "code": "91afc40c-f1ef-4956-b85a-7e12d09511e9", - "start": "2022-11-23T14:36:45.243457Z", - "action": "create" - }, - "url": { - "path": "/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true" - }, - "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" - }, - "user": { - "name": "user@mail.com", - "roles": [ - "system:authenticated" - ] + "start": "2022-11-23T14:36:45.243457Z" }, "action": { "outcome": "allow" }, - "user_agent": { - "original": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Linux" - } - }, "http": { "response": { "status_code": 101 } }, "kubernetes": { + "namespace": "test", "object": { "name": "test-1669140000-zp58r" }, + "rbacreason": "RBAC: allowed by ClusterRoleBinding test-role-binding of 
ClusterRole test-admin to Group system:authenticated", "resource": "pods", - "namespace": "test", - "subresource": "exec", - "rbacreason": "RBAC: allowed by ClusterRoleBinding test-role-binding of ClusterRole test-admin to Group system:authenticated" + "subresource": "exec" }, "related": { "ip": [ 
@@ -78,29 +55,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user@mail.com" ] - } - } - - ``` - - -=== "event_user_patch_deploy.json" - - ```json - - { - "message": "{\"level\":\"RequestResponse\",\"auditID\":\"bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"verb\":\"patch\",\"user\":{\"username\":\"user@mail.com\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"192.168.0.1\"],\"userAgent\":\"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\",\"objectRef\":{\"resource\":\"deployments\",\"namespace\":\"test\",\"apiGroup\":\"apps\",\"apiVersion\":\"v1\",\"subresource\":\"scale\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"spec\":{\"replicas\":3}},\"responseObject\":{\"kind\":\"Scale\",\"apiVersion\":\"autoscaling/v1\",\"metadata\":{\"name\":\"test\",\"namespace\":\"test\",\"selfLink\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"uid\":\"7e649fbd-ca1b-4e30-b763-1b52527c774b\",\"resourceVersion\":\"1368503426\",\"creationTimestamp\":\"2020-01-24T17:04:30Z\"},\"spec\":{\"replicas\":3},\"status\":{\"replicas\":2,\"selector\":\"test=test\"}},\"requestReceivedTimestamp\":\"2022-11-23T13:10:04.499444Z\",\"stageTimestamp\":\"2022-11-23T13:10:04.514995Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"test-role-binding\\\" of ClusterRole \\\"test-admin\\\" to Group \\\"system:authenticated\\\"\"}}", - "event": { - "code": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f", - "start": "2022-11-23T13:10:04.499444Z", - "action": "patch" - }, - "url": { - "path": "/apis/apps/v1/namespaces/test/deployments/test/scale" }, "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "url": { + "path": 
"/api/v1/namespaces/test/pods/test-1669140000-zp58r/exec?command=sh&container=test&stdin=true&stdout=true&tty=true" }, "user": { "name": "user@mail.com", 
@@ -108,18 +69,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "system:authenticated" ] }, - "action": { - "outcome": "allow" - }, "user_agent": { - "original": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19", "device": { "name": "Other" }, "name": "Other", + "original": "kubectl/v1.24.2 (linux/amd64) kubernetes/f66044f", "os": { "name": "Linux" } + } + } + + ``` + + +=== "event_user_patch_deploy.json" + + ```json + + { + "message": "{\"level\":\"RequestResponse\",\"auditID\":\"bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"verb\":\"patch\",\"user\":{\"username\":\"user@mail.com\",\"groups\":[\"system:authenticated\"]},\"sourceIPs\":[\"192.168.0.1\"],\"userAgent\":\"kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19\",\"objectRef\":{\"resource\":\"deployments\",\"namespace\":\"test\",\"apiGroup\":\"apps\",\"apiVersion\":\"v1\",\"subresource\":\"scale\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestObject\":{\"spec\":{\"replicas\":3}},\"responseObject\":{\"kind\":\"Scale\",\"apiVersion\":\"autoscaling/v1\",\"metadata\":{\"name\":\"test\",\"namespace\":\"test\",\"selfLink\":\"/apis/apps/v1/namespaces/test/deployments/test/scale\",\"uid\":\"7e649fbd-ca1b-4e30-b763-1b52527c774b\",\"resourceVersion\":\"1368503426\",\"creationTimestamp\":\"2020-01-24T17:04:30Z\"},\"spec\":{\"replicas\":3},\"status\":{\"replicas\":2,\"selector\":\"test=test\"}},\"requestReceivedTimestamp\":\"2022-11-23T13:10:04.499444Z\",\"stageTimestamp\":\"2022-11-23T13:10:04.514995Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"RBAC: allowed by ClusterRoleBinding \\\"test-role-binding\\\" of ClusterRole \\\"test-admin\\\" to Group \\\"system:authenticated\\\"\"}}", + "event": { + "action": "patch", + "code": "bbd6d83f-4b6d-4a3d-b3cd-840a0691c19f", + "start": "2022-11-23T13:10:04.499444Z" + }, + "action": { + 
"outcome": "allow" }, "http": { "response": { @@ -127,13 +104,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "kubernetes": { - "resource": "deployments", "namespace": "test", - "subresource": "scale", - "rbacreason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\"", "object": { "name": "test" - } + }, + "rbacreason": "RBAC: allowed by ClusterRoleBinding \"test-role-binding\" of ClusterRole \"test-admin\" to Group \"system:authenticated\"", + "resource": "deployments", + "subresource": "scale" }, "related": { "ip": [ @@ -142,6 +119,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user@mail.com" ] + }, + "source": { + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "url": { + "path": "/apis/apps/v1/namespaces/test/deployments/test/scale" + }, + "user": { + "name": "user@mail.com", + "roles": [ + "system:authenticated" + ] + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "kubectl/v1.20.2 (linux/amd64) kubernetes/faecb19", + "os": { + "name": "Linux" + } } } diff --git a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md index 273af6d99a..6984e695ba 100644 --- a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md +++ b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md 
@@ -35,81 +35,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"1sxgleif1dyxla\",\n \"jsonPayload\": {\n \"dest_gke_details\": {\n \"cluster\": {\n \"cluster_location\": \"europe-central2-a\",\n \"cluster_name\": \"cluster-3\"\n }\n },\n \"src_location\": {\n \"continent\": \"Europe\",\n \"country\": \"pol\",\n \"asn\": 15169\n },\n \"dest_vpc\": {\n \"vpc_name\": \"foo\",\n \"project_id\": \"hazel-aria-348413\",\n \"subnetwork_name\": \"foo\"\n },\n \"start_time\": \"2022-06-03T12:09:42.501046130Z\",\n \"end_time\": \"2022-06-03T12:09:42.768509812Z\",\n \"bytes_sent\": \"1872\",\n \"reporter\": \"DEST\",\n \"connection\": {\n \"src_ip\": \"34.118.64.229\",\n \"dest_port\": 45950,\n \"dest_ip\": \"10.0.0.4\",\n \"src_port\": 443,\n \"protocol\": 6\n },\n \"dest_instance\": {\n \"region\": \"europe-central2\",\n \"zone\": \"europe-central2-a\",\n \"vm_name\": \"gke-cluster-3-default-pool-4e355575-tdhx\",\n \"project_id\": \"hazel-aria-348413\"\n },\n \"packets_sent\": \"16\"\n },\n \"resource\": {\n \"type\": \"gce_subnetwork\",\n \"labels\": {\n \"subnetwork_id\": \"7449846049104218257\",\n \"subnetwork_name\": \"foo\",\n \"project_id\": \"hazel-aria-348413\",\n \"location\": \"europe-central2-a\"\n }\n },\n \"timestamp\": \"2022-06-03T12:09:43.654174991Z\",\n \"logName\": \"projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows\",\n \"receiveTimestamp\": \"2022-06-03T12:09:43.654174991Z\"\n}", "event": { - "end": "2022-06-03T12:09:42.768509Z", - "start": "2022-06-03T12:09:42.501046Z", - "kind": "event", "category": [ "network" ], + "end": "2022-06-03T12:09:42.768509Z", + "kind": "event", + "start": "2022-06-03T12:09:42.501046Z", "type": [ "info" ] }, - "network": { - "bytes": 1872, - "packets": 16, - "iana_number": "6", - "name": "foo" + "@timestamp": "2022-06-03T12:09:43.654174Z", + "cloud": { + "availability_zone": "europe-central2-a", + "project": { + "id": "hazel-aria-348413" + }, + 
"region": "europe-central2" + }, + "destination": { + "address": "10.0.0.4", + "ip": "10.0.0.4", + "port": 45950 }, "google_vpc_flow_logs": { + "insertId": "1sxgleif1dyxla", "jsonPayload": { - "reporter": "DEST", "connection": { "protocol": 6 }, - "dest_vpc": { - "vpc_name": "foo" - }, "dest_gke_details": { "cluster": { "cluster_location": "europe-central2-a" } - } + }, + "dest_vpc": { + "vpc_name": "foo" + }, + "reporter": "DEST" }, + "logName": "projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows", + "receiveTimestamp": "2022-06-03T12:09:43.654174991Z", "resource": { "labels": { "subnetwork_id": "7449846049104218257", "subnetwork_name": "foo" }, "type": "gce_subnetwork" - }, - "insertId": "1sxgleif1dyxla", - "logName": "projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows", - "receiveTimestamp": "2022-06-03T12:09:43.654174991Z" - }, - "server": { - "geo": { - "name": "europe-central2-a" } }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - }, - "region": "europe-central2", - "availability_zone": "europe-central2-a" - }, - "@timestamp": "2022-06-03T12:09:43.654174Z", - "destination": { - "ip": "10.0.0.4", - "port": 45950, - "address": "10.0.0.4" - }, - "source": { - "ip": "34.118.64.229", - "port": 443, - "as": { - "number": 15169 - }, - "geo": { - "continent_name": "Europe", - "country_iso_code": "POL" - }, - "address": "34.118.64.229" - }, "host": { "name": "gke-cluster-3-default-pool-4e355575-tdhx" }, + "network": { + "bytes": 1872, + "iana_number": "6", + "name": "foo", + "packets": 16 + }, "orchestrator": { "cluster": { "name": "cluster-3" @@ -121,6 +104,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.0.0.4", "34.118.64.229" ] + }, + "server": { + "geo": { + "name": "europe-central2-a" + } + }, + "source": { + "address": "34.118.64.229", + "as": { + "number": 15169 + }, + "geo": { + "continent_name": "Europe", + "country_iso_code": "POL" + }, + "ip": "34.118.64.229", + "port": 443 } } 
@@ -134,81 +134,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"insertId\": \"17aa0kaf4hig5c\",\n \"jsonPayload\": {\n \"end_time\": \"2022-06-03T12:09:44.424429165Z\",\n \"packets_sent\": \"32\",\n \"src_location\": {\n \"asn\": 15169,\n \"country\": \"pol\",\n \"continent\": \"Europe\"\n },\n \"start_time\": \"2022-06-03T12:09:44.421947861Z\",\n \"dest_vpc\": {\n \"subnetwork_name\": \"foo\",\n \"vpc_name\": \"foo\",\n \"project_id\": \"hazel-aria-348413\"\n },\n \"bytes_sent\": \"33792\",\n \"reporter\": \"DEST\",\n \"dest_instance\": {\n \"region\": \"europe-central2\",\n \"project_id\": \"hazel-aria-348413\",\n \"vm_name\": \"gke-cluster-3-default-pool-4e355575-k1w8\",\n \"zone\": \"europe-central2-a\"\n },\n \"dest_gke_details\": {\n \"cluster\": {\n \"cluster_location\": \"europe-central2-a\",\n \"cluster_name\": \"cluster-3\"\n }\n },\n \"connection\": {\n \"protocol\": 6,\n \"dest_ip\": \"10.0.0.3\",\n \"src_ip\": \"34.118.64.229\",\n \"src_port\": 443,\n \"dest_port\": 41834\n }\n },\n \"resource\": {\n \"type\": \"gce_subnetwork\",\n \"labels\": {\n \"project_id\": \"hazel-aria-348413\",\n \"subnetwork_name\": \"foo\",\n \"subnetwork_id\": \"7449846049104218257\",\n \"location\": \"europe-central2-a\"\n }\n },\n \"timestamp\": \"2022-06-03T12:09:52.418604934Z\",\n \"logName\": \"projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows\",\n \"receiveTimestamp\": \"2022-06-03T12:09:52.418604934Z\"\n}", "event": { - "end": "2022-06-03T12:09:44.424429Z", - "start": "2022-06-03T12:09:44.421947Z", - "kind": "event", "category": [ "network" ], + "end": "2022-06-03T12:09:44.424429Z", + "kind": "event", + "start": "2022-06-03T12:09:44.421947Z", "type": [ "info" ] }, - "network": { - "bytes": 33792, - "packets": 32, - "iana_number": "6", - "name": "foo" + "@timestamp": "2022-06-03T12:09:52.418604Z", + "cloud": { + "availability_zone": "europe-central2-a", + "project": { + "id": "hazel-aria-348413" + }, 
+ "region": "europe-central2" + }, + "destination": { + "address": "10.0.0.3", + "ip": "10.0.0.3", + "port": 41834 }, "google_vpc_flow_logs": { + "insertId": "17aa0kaf4hig5c", "jsonPayload": { - "reporter": "DEST", "connection": { "protocol": 6 }, - "dest_vpc": { - "vpc_name": "foo" - }, "dest_gke_details": { "cluster": { "cluster_location": "europe-central2-a" } - } + }, + "dest_vpc": { + "vpc_name": "foo" + }, + "reporter": "DEST" }, + "logName": "projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows", + "receiveTimestamp": "2022-06-03T12:09:52.418604934Z", "resource": { "labels": { "subnetwork_id": "7449846049104218257", "subnetwork_name": "foo" }, "type": "gce_subnetwork" - }, - "insertId": "17aa0kaf4hig5c", - "logName": "projects/hazel-aria-348413/logs/compute.googleapis.com%2Fvpc_flows", - "receiveTimestamp": "2022-06-03T12:09:52.418604934Z" - }, - "server": { - "geo": { - "name": "europe-central2-a" } }, - "cloud": { - "project": { - "id": "hazel-aria-348413" - }, - "region": "europe-central2", - "availability_zone": "europe-central2-a" - }, - "@timestamp": "2022-06-03T12:09:52.418604Z", - "destination": { - "ip": "10.0.0.3", - "port": 41834, - "address": "10.0.0.3" - }, - "source": { - "ip": "34.118.64.229", - "port": 443, - "as": { - "number": 15169 - }, - "geo": { - "continent_name": "Europe", - "country_iso_code": "POL" - }, - "address": "34.118.64.229" - }, "host": { "name": "gke-cluster-3-default-pool-4e355575-k1w8" }, + "network": { + "bytes": 33792, + "iana_number": "6", + "name": "foo", + "packets": 32 + }, "orchestrator": { "cluster": { "name": "cluster-3" 
@@ -220,6 +203,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.0.0.3", "34.118.64.229" ] + }, + "server": { + "geo": { + "name": "europe-central2-a" + } + }, + "source": { + "address": "34.118.64.229", + "as": { + "number": 15169 + }, + "geo": { + "continent_name": "Europe", + "country_iso_code": "POL" + }, + "ip": "34.118.64.229", + "port": 443 } } diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md index 09479d060d..c87c6b9a25 100644 --- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md +++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md @@ -35,20 +35,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"admin_log\",\n \"action\": \"admin_login_error\",\n \"description\": \"{\\\"ip_address\\\": \\\"10.1.23.116\\\", \\\"error\\\": \\\"SAML login is disabled\\\", \\\"email\\\": \\\"narroway@example.com\\\"}\",\n \"isotimestamp\": \"2020-01-23T16:18:58+00:00\",\n \"object\": null,\n \"timestamp\": 1579796338,\n \"username\": \"\"\n}", "event": { - "kind": "event", + "action": "admin_login_error", "category": [ "iam" ], + "dataset": "admin_log", + "kind": "event", "type": [ "admin" - ], - "dataset": "admin_log", - "action": "admin_login_error" + ] }, "@timestamp": "2020-01-23T16:18:58Z", "observer": { - "vendor": "Duo", - "product": "Duo Security" + "product": "Duo Security", + "vendor": "Duo" } } 
@@ -62,33 +62,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"admin_log\",\n \"action\": \"user_update\",\n \"description\": \"{\\\"notes\\\": \\\"Joe asked for their nickname to be displayed instead of Joseph.\\\", \\\"realname\\\": \\\"Joe Smith\\\"}\",\n \"isotimestamp\": \"2020-01-24T15:09:42+00:00\",\n \"object\": \"jsmith\",\n \"timestamp\": 1579878582,\n \"username\": \"admin\"\n}", "event": { - "kind": "event", + "action": "user_update", "category": [ "iam" ], + "dataset": "admin_log", + "kind": "event", "type": [ "admin" - ], - "dataset": "admin_log", - "action": "user_update" + ] }, "@timestamp": "2020-01-24T15:09:42Z", - "observer": { - "vendor": "Duo", - "product": "Duo Security" - }, - "user": { - "name": "admin" - }, "duo": { "security": { "object": "jsmith" } }, + "observer": { + "product": "Duo Security", + "vendor": "Duo" + }, "related": { "user": [ "admin" ] + }, + "user": { + "name": "admin" } } 
@@ -102,51 +102,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"auth_log\",\n \"access_device\": {\n \"browser\": \"Chrome\",\n \"browser_version\": \"67.0.3396.99\",\n \"flash_version\": \"uninstalled\",\n \"hostname\": null,\n \"ip\": \"169.232.89.219\",\n \"is_encryption_enabled\": true,\n \"is_firewall_enabled\": true,\n \"is_password_set\": true,\n \"java_version\": \"uninstalled\",\n \"location\": {\n \"city\": \"Ann Arbor\",\n \"country\": \"United States\",\n \"state\": \"Michigan\"\n },\n \"os\": \"Mac OS X\",\n \"os_version\": \"10.14.1\",\n \"security_agents\": []\n },\n \"adaptive_trust_assessments\": {\n \"more_secure_auth\": {\n \"features_version\": \"3.0\",\n \"model_version\": \"2022.07.19.001\",\n \"policy_enabled\": false,\n \"reason\": \"Normal level of trust; no detection of known attack pattern\",\n \"trust_level\": \"NORMAL\"\n },\n \"remember_me\": {\n \"features_version\": \"3.0\",\n \"model_version\": \"2022.07.19.001\",\n \"policy_enabled\": false,\n \"reason\": \"Known Access IP\",\n \"trust_level\": \"NORMAL\"\n }\n },\n \"alias\": \"\",\n \"application\": {\n \"key\": \"DIY231J8BR23QK4UKBY8\",\n \"name\": \"Microsoft Azure Active Directory\"\n },\n \"auth_device\": {\n \"ip\": \"192.168.225.254\",\n \"key\": \"DP5BJ05HI4WRBVI4Q7JF\",\n \"location\": {\n \"city\": \"Ann Arbor\",\n \"country\": \"United States\",\n \"state\": \"Michigan\"\n },\n \"name\": \"My iPhone X (734-555-2342)\"\n },\n \"email\": \"narroway@example.com\",\n \"event_type\": \"authentication\",\n \"factor\": \"duo_push\",\n \"isotimestamp\": \"2020-02-13T18:56:20.351346+00:00\",\n \"ood_software\": null,\n \"reason\": \"user_approved\",\n \"result\": \"success\",\n \"timestamp\": 1581620180,\n \"trusted_endpoint_status\": \"not trusted\",\n \"txid\": \"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\n \"user\": {\n \"groups\": [\"Duo Users\", \"CorpHQ Users\"],\n \"key\": \"DU3KC77WJ06Y5HIV7XKQ\",\n 
\"name\": \"narroway@example.com\"\n }\n}", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "auth_log", + "kind": "event", "type": [ "info" - ], - "dataset": "auth_log" + ] }, "@timestamp": "2020-02-13T18:56:20.351346Z", + "host": { + "os": { + "name": "Mac OS X", + "version": "10.14.1" + } + }, "observer": { - "vendor": "Duo", - "product": "Duo Security" + "product": "Duo Security", + "vendor": "Duo" }, - "user": { - "email": "narroway@example.com", - "id": "DU3KC77WJ06Y5HIV7XKQ", - "roles": [ - "Duo Users", - "CorpHQ Users" + "related": { + "ip": [ + "169.232.89.219" ] }, "source": { - "ip": "169.232.89.219", + "address": "169.232.89.219", "geo": { "city_name": "Ann Arbor", "country_name": "United States", "region_name": "Michigan" }, - "address": "169.232.89.219" + "ip": "169.232.89.219" + }, + "user": { + "email": "narroway@example.com", + "id": "DU3KC77WJ06Y5HIV7XKQ", + "roles": [ + "CorpHQ Users", + "Duo Users" + ] }, "user_agent": { "name": "Chrome", "version": "67.0.3396.99" - }, - "host": { - "os": { - "name": "Mac OS X", - "version": "10.14.1" - } - }, - "related": { - "ip": [ - "169.232.89.219" - ] } } 
@@ -160,47 +160,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"offline_log\",\n \"action\": \"o2fa_user_provisioned\",\n \"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\n \"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\n \"object\": \"Acme Laptop Windows Logon\",\n \"timestamp\": 1567181405,\n \"username\": \"narroway\"\n}", "event": { - "kind": "event", + "action": "o2fa_user_provisioned", "category": [ "authentication" ], + "dataset": "offline_log", + "kind": "event", "type": [ "info" - ], - "dataset": "offline_log", - "action": "o2fa_user_provisioned" + ] }, "@timestamp": "2019-08-30T16:10:05Z", - "observer": { - "vendor": "Duo", - "product": "Duo Security" - }, "duo": { "security": { "object": "Acme Laptop Windows Logon" } }, + "host": { + "name": "WKSW10x64" + }, + "observer": { + "product": "Duo Security", + "vendor": "Duo" + }, + "related": { + "user": [ + "narroway" + ] + }, "user": { "name": "narroway" }, "user_agent": { - "original": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)", "device": { "name": "Other" }, "name": "Other", + "original": "DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)", "os": { "name": "Windows", "version": "8.1" } - }, - "host": { - "name": "WKSW10x64" - }, - "related": { - "user": [ - "narroway" - ] } } 
@@ -214,27 +214,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"administrator login\",\n \"credits\": 0,\n \"phone\": \"+13135559542\",\n \"telephony_id\": \"5bf1a860-fe39-49e3-be29-217659663a74\",\n \"ts\": \"2022-10-25T16:07:45.304526+00:00\",\n \"txid\": \"fb0c129b-f994-4d3d-953b-c3e764272eb7\",\n \"type\": \"sms\"\n}", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "telephony_log", + "kind": "event", + "reason": "administrator login", "type": [ "info" - ], - "dataset": "telephony_log", - "reason": "administrator login" - }, - "observer": { - "vendor": "Duo", - "product": "Duo Security" + ] }, "duo": { "security": { "telephony": { - "type": "sms", - "phone_number": "+13135559542" + "phone_number": "+13135559542", + "type": "sms" } } + }, + "observer": { + "product": "Duo Security", + "vendor": "Duo" } } @@ -248,27 +248,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"authentication\",\n \"credits\": 2,\n \"phone\": \"+17345551311\",\n \"telephony_id\": \"60799fee-f08f-4ba8-971f-4e53b3473e9a\",\n \"ts\": \"2023-01-26T20:54:12.573580+00:00\",\n \"txid\": \"373bd5f3-1e42-4a5d-aefa-b33ae278fac8\",\n \"type\": \"phone\"\n}", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "telephony_log", + "kind": "event", + "reason": "authentication", "type": [ "info" - ], - "dataset": "telephony_log", - "reason": "authentication" - }, - "observer": { - "vendor": "Duo", - "product": "Duo Security" + ] }, "duo": { "security": { "telephony": { - "type": "phone", - "phone_number": "+17345551311" + "phone_number": "+17345551311", + "type": "phone" } } + }, + "observer": { + "product": "Duo Security", + "vendor": "Duo" } } 
@@ -282,27 +282,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"enrollment\",\n \"credits\": 1,\n \"phone\": \"+12125556707\",\n \"telephony_id\": \"220f89ff-bff8-4466-b6cb-b7787940ce68\",\n \"ts\": \"2023-03-21T22:34:49.466370+00:00\",\n \"txid\": \"2f5d34d3-053f-422c-9dd4-77a5d58706b1\",\n \"type\": \"sms\"\n}", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "telephony_log", + "kind": "event", + "reason": "enrollment", "type": [ "info" - ], - "dataset": "telephony_log", - "reason": "enrollment" - }, - "observer": { - "vendor": "Duo", - "product": "Duo Security" + ] }, "duo": { "security": { "telephony": { - "type": "sms", - "phone_number": "+12125556707" + "phone_number": "+12125556707", + "type": "sms" } } + }, + "observer": { + "product": "Duo Security", + "vendor": "Duo" } } diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index ce695fc46b..48ca84adfd 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md 
@@ -31,13 +31,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Fortinet|Fortigate|v6.2.9|32102|event:system|7|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0100032102 cat=event:system FortinetFortiGatesubtype=system FortinetFortiGatelevel=alert FortinetFortiGatevd=root FortinetFortiGateeventtime=1637681708541881380 FortinetFortiGatetz=+0100 FortinetFortiGatelogdesc=Configuration changed duser= sproc=console msg=Configuration is changed in the admin session", "event": { + "category": "event", "code": "0100032102", - "reason": "Configuration is changed in the admin session", - "timezone": "+0100", "dataset": "event:system", - "category": "event" + "reason": "Configuration is changed in the admin session", + "timezone": "+0100" }, "@timestamp": "2021-11-23T15:35:08.541882Z", + "action": { + "outcome_reason": "Configuration is changed in the admin session", + "target": "network-traffic", + "type": "system" + }, "log": { "level": "alert" }, @@ -45,11 +50,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Fortigate", "vendor": "Fortinet", "version": "v6.2.9" - }, - "action": { - "type": "system", - "outcome_reason": "Configuration is changed in the admin session", - "target": "network-traffic" } } 
@@ -64,20 +64,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|24576|utm:dlp dlp block|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0954024576 cat=utm:dlp FTNTFGTsubtype=dlp FTNTFGTeventtype=dlp FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545949776 FTNTFGTfilteridx=1 FTNTFGTdlpextra=test-dlp3 FTNTFGTfiltertype=file-type FTNTFGTfiltercat=file FTNTFGTseverity=medium FTNTFGTpolicyid=1 externalId=12680 FTNTFGTepoch=418303178 FTNTFGTeventid=0 duser=bob src=10.1.100.11 spt=33638 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.18.62.158 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP FTNTFGTfiletype=gif deviceDirection=0 act=block dhost=172.18.62.158 request=/dlp/flower.gif requestClientApplication=curl/7.47.0 fname=flower.gif fsize=1209 FTNTFGTprofile=test-dlp", "event": { "action": "block", + "category": "utm", "code": "0954024576", - "dataset": "utm:dlp", - "category": "utm" + "dataset": "utm:dlp" }, "@timestamp": "2018-12-27T22:29:36Z", + "action": { + "name": "block", + "outcome": "success", + "target": "network-traffic", + "type": "dlp - dlp" + }, "destination": { "address": "172.18.62.158", "domain": "172.18.62.158", - "port": 80, "ip": "172.18.62.158", + "port": 80, "user": { "name": "bob" } }, + "file": { + "name": "flower.gif", + "size": 1209 + }, "fortinet": { "fortigate": { "event": { @@ -85,18 +95,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "file": { - "name": "flower.gif", - "size": 1209 - }, "log": { "level": "warning" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "inbound", "protocol": "http", - "direction": "inbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -113,43 +119,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, + "related": { + "hosts": [ + "172.18.62.158" + ], + "ip": [ + "10.1.100.11", + "172.18.62.158" + ], + "user": [ + "bob" + ] + }, "source": { - "port": 33638, + "address": "10.1.100.11", "ip": "10.1.100.11", - "address": "10.1.100.11" + "port": 33638 }, "url": { "original": "/dlp/flower.gif", "path": "/dlp/flower.gif" }, "user_agent": { - "original": "curl/7.47.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.47.0", + "original": "curl/7.47.0", "os": { "name": "Other" - } - }, - "action": { - "name": "block", - "type": "dlp - dlp", - "target": "network-traffic", - "outcome": "success" - }, - "related": { - "user": [ - "bob" - ], - "hosts": [ - "172.18.62.158" - ], - "ip": [ - "10.1.100.11", - "172.18.62.158" - ] + }, + "version": "7.47.0" } } 
@@ -164,16 +164,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|54802|dns:dns-response pass|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1501054802 cat=dns:dns-response FTNTFGTsubtype=dns-response FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545950726 FTNTFGTpolicyid=1 externalId=13355 duser=bob src=10.1.100.11 spt=54621 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan dst=172.16.200.55 dpt=53 deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=17 FTNTFGTprofile=default FTNTFGTsrcmac=a2:e9:00:ec:40:01 FTNTFGTxid=5137 FTNTFGTqname=detectportal.firefox.com FTNTFGTqtype=A FTNTFGTqtypeval=1 FTNTFGTqclass=IN FTNTFGTipaddr=104.80.89.26, 104.80.89.24 msg=Domain is monitored act=pass FTNTFGTcat=52 FTNTFGTcatdesc=Information Technology", "event": { "action": "pass", + "category": "dns", "code": "1501054802", - "reason": "Domain is monitored", "dataset": "dns:dns-response", - "category": "dns" + "reason": "Domain is monitored" }, "@timestamp": "2018-12-27T22:45:26Z", + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "Domain is monitored", + "target": "network-traffic", + "type": "dns-response" + }, "destination": { "address": "172.16.200.55", - "port": 53, "ip": "172.16.200.55", + "port": 53, "user": { "name": "bob" } @@ -199,26 +206,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 54621, - "ip": "10.1.100.11", - "address": "10.1.100.11" - }, - "action": { - "name": "pass", - "type": "dns-response", - "outcome_reason": "Domain is monitored", - "target": "network-traffic", - "outcome": "success" - }, "related": { - "user": [ - "bob" - ], "ip": [ "10.1.100.11", "172.16.200.55" + ], + "user": [ + "bob" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11", + "port": 54621 } } 
@@ -232,20 +232,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=15:51:59 devname=\"my-device\" devid=\"1111111111111111\" eventtime=1668001919663486001 tz=\"+0100\" logid=\"1500054000\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-query\" level=\"information\" vd=\"root\" policyid=1685 poluuid=\"4470d4c5-7e12-4a8f-a369-08eff4a43b5b\" policytype=\"policy\" sessionid=933308058 srcip=1.2.3.4 srcport=35305 srccountry=\"Reserved\" srcintf=\"INTF-1\" srcintfrole=\"undefined\" dstip=8.8.8.8 dstport=53 dstcountry=\"Reserved\" dstintf=\"INTF-2\" dstintfrole=\"lan\" proto=17 profile=\"DNS Filtering Normal\" xid=42240 qtype=\"NS\" qtypeval=2 qclass=\"IN\"", "event": { + "category": "utm", "code": "1500054000", - "timezone": "+0100", - "category": "utm" + "timezone": "+0100" }, "@timestamp": "2022-11-09T13:51:59.663486Z", + "action": { + "target": "network-traffic", + "type": "dns" + }, "destination": { "address": "8.8.8.8", - "port": 53, - "ip": "8.8.8.8" + "ip": "8.8.8.8", + "port": 53 }, "dns": { "question": { - "type": "NS", - "class": "IN" + "class": "IN", + "type": "NS" }, "rrtype": "NS" }, @@ -257,38 +261,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "my-device" + }, "log": { - "level": "information", - "hostname": "my-device" + "hostname": "my-device", + "level": "information" + }, + "network": { + "transport": "udp" }, "observer": { - "hostname": "my-device", - "serial_number": "1111111111111111", "egress": { "interface": { "name": "INTF-2" } }, + "hostname": "my-device", "ingress": { "interface": { "name": "INTF-1" } - } - }, - "network": { - "transport": "udp" - }, - "rule": { - "ruleset": "policy" - }, - "source": { - "port": 35305, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "action": { - "type": "dns", - "target": "network-traffic" + }, + "serial_number": "1111111111111111" }, "related": { "hosts": [ 
@@ -299,8 +294,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "8.8.8.8" ] }, - "host": { - "name": "my-device" + "rule": { + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 35305 } } @@ -314,22 +314,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=15:58:39 devname=\"dev-name\" devid=\"1111111111111111\" eventtime=1668002319383195535 tz=\"+0100\" logid=\"1500054000\" type=\"utm\" subtype=\"dns\" eventtype=\"dns-query\" level=\"information\" vd=\"root\" policyid=770 poluuid=\"f2aef0f2-a721-49cf-9dd3-b27f7f5b90bc\" policytype=\"policy\" sessionid=933538554 user=\"agt\" srcip=1.2.3.4 srcport=45362 srccountry=\"Reserved\" srcintf=\"intf-1\" srcintfrole=\"undefined\" dstip=8.8.8.8 dstport=53 dstcountry=\"Reserved\" dstintf=\"intf-2\" dstintfrole=\"undefined\" proto=17 profile=\"DNS Filtering Normal\" xid=32649 qname=\"['fr.pool.ntp.org']\" qtype=\"A\" qtypeval=1 qclass=\"IN\"", "event": { + "category": "utm", "code": "1500054000", - "timezone": "+0100", - "category": "utm" + "timezone": "+0100" }, "@timestamp": "2022-11-09T13:58:39.383196Z", + "action": { + "target": "network-traffic", + "type": "dns" + }, "destination": { "address": "8.8.8.8", - "port": 53, - "ip": "8.8.8.8" + "ip": "8.8.8.8", + "port": 53 }, "dns": { "question": { - "name": "'fr.pool.ntp.org'", - "type": "A", "class": "IN", - "subdomain": "'fr.pool.ntp" + "name": "'fr.pool.ntp.org'", + "subdomain": "'fr.pool.ntp", + "type": "A" }, "rrname": "'fr.pool.ntp.org'", "rrtype": "A" 
@@ -342,41 +346,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "dev-name" + }, "log": { - "level": "information", - "hostname": "dev-name" + "hostname": "dev-name", + "level": "information" + }, + "network": { + "transport": "udp" }, "observer": { - "hostname": "dev-name", - "serial_number": "1111111111111111", "egress": { "interface": { "name": "intf-2" } }, + "hostname": "dev-name", "ingress": { "interface": { "name": "intf-1" } - } - }, - "network": { - "transport": "udp" - }, - "rule": { - "ruleset": "policy" - }, - "source": { - "port": 45362, - "ip": "1.2.3.4", - "user": { - "name": "agt" }, - "address": "1.2.3.4" - }, - "action": { - "type": "dns", - "target": "network-traffic" + "serial_number": "1111111111111111" }, "related": { "hosts": [ @@ -391,8 +383,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "agt" ] }, - "host": { - "name": "dev-name" + "rule": { + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45362, + "user": { + "name": "agt" + } } } 
@@ -407,17 +407,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|16384|utm:ips signature reset|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0419016384 cat=utm:ips FTNTFGTsubtype=ips FTNTFGTeventtype=signature FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938887 FTNTFGTseverity=info src=172.16.200.55 FTNTFGTsrccountry=Reserved dst=10.1.100.11 deviceInboundInterface=port11 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port12 FTNTFGTdstintfrole=undefined externalId=901 act=reset proto=6 app=HTTP FTNTFGTpolicyid=1 FTNTFGTattack=Eicar.Virus.Test.File spt=80 dpt=44362 dhost=172.16.200.55 request=/virus/eicar.com deviceDirection=0 FTNTFGTattackid=29844 FTNTFGTprofile=test-ips FTNTFGTref=http://www.fortinet.com/ids/VID29844 duser=bob FTNTFGTincidentserialno=877326946 msg=file_transfer: Eicar.Virus.Test.File,", "event": { "action": "reset", + "category": "utm", "code": "0419016384", - "reason": "file_transfer: Eicar.Virus.Test.File,", "dataset": "utm:ips", - "category": "utm" + "reason": "file_transfer: Eicar.Virus.Test.File," }, "@timestamp": "2018-12-27T19:28:07Z", + "action": { + "name": "reset", + "outcome": "success", + "outcome_reason": "file_transfer: Eicar.Virus.Test.File,", + "target": "network-traffic", + "type": "signature - ips" + }, "destination": { "address": "10.1.100.11", "domain": "172.16.200.55", - "port": 44362, "ip": "10.1.100.11", + "port": 44362, "user": { "name": "bob" } @@ -433,10 +440,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "alert" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "inbound", "protocol": "http", - "direction": "inbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -453,33 +460,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 80, - "ip": "172.16.200.55", - "address": "172.16.200.55" - }, - "url": { - "original": "/virus/eicar.com", - "path": "/virus/eicar.com" - }, - "action": { - "name": "reset", - "type": "signature - ips", - "outcome_reason": "file_transfer: Eicar.Virus.Test.File,", - "target": "network-traffic", - "outcome": "success" - }, "related": { - "user": [ - "bob" - ], "hosts": [ "172.16.200.55" ], "ip": [ "10.1.100.11", "172.16.200.55" + ], + "user": [ + "bob" ] + }, + "source": { + "address": "172.16.200.55", + "ip": "172.16.200.55", + "port": 80 + }, + "url": { + "original": "/virus/eicar.com", + "path": "/virus/eicar.com" } } 
@@ -494,50 +494,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=17:24:16 devname=\"abc\" devid=\"1\" logid=\"0101037130\" type=\"event\" subtype=\"vpn\" level=\"error\" vd=\"root\" eventtime=1580142256 logdesc=\"Progress IPsec phase 2\" msg=\"progress IPsec phase 2\" action=\"negotiate\" remip=1.1.1.1 locip=93.187.43.9 remport=500 locport=500 outintf=\"N/A\" cookies=\"07f928d94dd975ea/89b1d990f54f0b82\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"VPN-FOOBAR\" status=\"failure\" init=\"local\" exch=\"CREATE_CHILD\" dir=\"inbound\" role=\"initiator\" result=\"ERROR\" version=\"IKEv2\"", "event": { "action": "negotiate", + "category": "event", "code": "0101037130", - "reason": "progress IPsec phase 2", "dataset": "event:vpn", - "category": "event" + "reason": "progress IPsec phase 2" }, "@timestamp": "2020-01-27T16:24:16Z", + "action": { + "name": "negotiate", + "outcome": "failure", + "outcome_reason": "progress IPsec phase 2", + "target": "network-traffic", + "type": "vpn" + }, "destination": { - "port": 500, + "address": "93.187.43.9", "ip": "93.187.43.9", - "address": "93.187.43.9" + "port": 500 }, "fortinet": { "fortigate": { "event": { "type": "event" }, - "virtual_domain": "root", "tunnel": { "name": "VPN-FOOBAR", "version": "IKEv2" - } + }, + "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "log": { - "level": "error", "description": "Progress IPsec phase 2", - "hostname": "abc" + "hostname": "abc", + "level": "error" }, "observer": { "hostname": "abc", "serial_number": "1" }, - "source": { - "port": 500, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "negotiate", - "type": "vpn", - "outcome": "failure", - "outcome_reason": "progress IPsec phase 2", - "target": "network-traffic" - }, "related": { "hosts": [ "abc" 
@@ -547,8 +545,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "93.187.43.9" ] }, - "host": { - "name": "abc" + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 500 } } @@ -563,13 +563,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=16:48:00 devname=\"abc\" devid=\"1\" logid=\"0100032003\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" eventtime=1619621280 logdesc=\"Admin logout successful\" sn=\"1619620402\" user=\"test\" ui=\"jsconsole\" method=\"jsconsole\" srcip=1.1.1.1 dstip=2.2.2.2 action=\"logout\" status=\"success\" duration=878 reason=\"exit\" msg=\"Administrator test logged out from jsconsole\"", "event": { "action": "logout", + "category": "event", "code": "0100032003", - "reason": "exit", "dataset": "event:system", - "category": "event", - "provider": "jsconsole" + "provider": "jsconsole", + "reason": "exit" }, "@timestamp": "2021-04-28T14:48:00Z", + "action": { + "name": "logout", + "outcome": "success", + "outcome_reason": "Administrator test logged out from jsconsole", + "target": "network-traffic", + "type": "system" + }, "destination": { "address": "2.2.2.2", "ip": "2.2.2.2" @@ -582,34 +589,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "http": { "request": { "method": "jsconsole" } }, "log": { - "level": "information", "description": "Admin logout successful", - "hostname": "abc" + "hostname": "abc", + "level": "information" }, "observer": { "hostname": "abc", "serial_number": "1" }, - "source": { - "ip": "1.1.1.1", - "user": { - "name": "test" - }, - "address": "1.1.1.1" - }, - "action": { - "name": "logout", - "type": "system", - "outcome": "success", - "outcome_reason": "Administrator test logged out from jsconsole", - "target": "network-traffic" - }, "related": { "hosts": [ "abc" 
@@ -622,8 +618,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "test" ] }, - "host": { - "name": "abc" + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "name": "test" + } } } @@ -638,12 +638,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=16:23:50 devname=\"abc\" devid=\"1\" logid=\"0100032011\" type=\"event\" subtype=\"system\" level=\"notice\" vd=\"PRX1-AA\" eventtime=1619619830 logdesc=\"Disk log rolled\" action=\"roll-log\" reason=\"file-size\" log=\"tlog\" msg=\"Disk log has rolled.\"", "event": { "action": "roll-log", + "category": "event", "code": "0100032011", - "reason": "file-size", "dataset": "event:system", - "category": "event" + "reason": "file-size" }, "@timestamp": "2021-04-28T14:23:50Z", + "action": { + "name": "roll-log", + "outcome": "success", + "outcome_reason": "Disk log has rolled.", + "target": "network-traffic", + "type": "system" + }, "fortinet": { "fortigate": { "event": { @@ -652,29 +659,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "PRX1-AA" } }, + "host": { + "name": "abc" + }, "log": { - "level": "notice", "description": "Disk log rolled", - "hostname": "abc" + "hostname": "abc", + "level": "notice" }, "observer": { "hostname": "abc", "serial_number": "1" }, - "action": { - "name": "roll-log", - "type": "system", - "outcome_reason": "Disk log has rolled.", - "target": "network-traffic", - "outcome": "success" - }, "related": { "hosts": [ "abc" ] - }, - "host": { - "name": "abc" } } 
@@ -689,15 +689,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|61002|utm:ssh ssh-command passthrough|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1600061002 cat=utm:ssh FTNTFGTsubtype=ssh FTNTFGTeventtype=ssh-command FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545950175 FTNTFGTpolicyid=1 externalId=12921 duser=bob FTNTFGTprofile=test-ssh src=10.1.100.11 spt=56698 dst=172.16.200.55 dpt=22 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=6 act=passthrough FTNTFGTlogin=root FTNTFGTcommand=ls FTNTFGTseverity=low", "event": { "action": "passthrough", + "category": "utm", "code": "1600061002", - "dataset": "utm:ssh", - "category": "utm" + "dataset": "utm:ssh" }, "@timestamp": "2018-12-27T22:36:15Z", + "action": { + "name": "passthrough", + "outcome": "success", + "target": "network-traffic", + "type": "ssh-command - ssh" + }, "destination": { "address": "172.16.200.55", - "port": 22, "ip": "172.16.200.55", + "port": 22, "user": { "name": "bob" } @@ -730,25 +736,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 56698, - "ip": "10.1.100.11", - "address": "10.1.100.11" - }, - "action": { - "name": "passthrough", - "type": "ssh-command - ssh", - "target": "network-traffic", - "outcome": "success" - }, "related": { - "user": [ - "bob" - ], "ip": [ "10.1.100.11", "172.16.200.55" + ], + "user": [ + "bob" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11", + "port": 56698 } } 
@@ -763,15 +763,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|44032|utm:voip voip permit start|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0814044032 cat=utm:voip FTNTFGTsubtype=voip FTNTFGTeventtype=voip FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545958028 externalId=18975 FTNTFGTepoch=0 FTNTFGTevent_id=6857 src=10.1.100.11 spt=5060 dst=172.16.200.55 dpt=5060 proto=17 deviceInboundInterface=port12 deviceOutboundInterface=port11 FTNTFGTpolicy_id=1 FTNTFGTprofile=default FTNTFGTvoip_proto=sip FTNTFGTkind=call act=permit outcome=start FTNTFGTduration=0 FTNTFGTdir=session_origin FTNTFGTcall_id=3444-13134@127.0.0.1 suser=sip:sipp@127.0.0.1:5060 duser=sip:service@172.16.200.55:5060", "event": { "action": "permit", + "category": "utm", "code": "0814044032", - "dataset": "utm:voip", - "category": "utm" + "dataset": "utm:voip" }, "@timestamp": "2018-12-28T00:47:08Z", + "action": { + "name": "permit", + "outcome": "start", + "target": "network-traffic", + "type": "voip - voip" + }, "destination": { "address": "172.16.200.55", - "port": 5060, "ip": "172.16.200.55", + "port": 5060, "user": { "name": "sip:service@172.16.200.55:5060" } @@ -797,29 +803,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 5060, - "ip": "10.1.100.11", - "user": { - "name": "sip:sipp@127.0.0.1:5060" - }, - "address": "10.1.100.11" - }, - "action": { - "name": "permit", - "type": "voip - voip", - "outcome": "start", - "target": "network-traffic" - }, "related": { - "user": [ - "sip:service@172.16.200.55:5060", - "sip:sipp@127.0.0.1:5060" - ], "ip": [ "10.1.100.11", "172.16.200.55" + ], + "user": [ + "sip:service@172.16.200.55:5060", + "sip:sipp@127.0.0.1:5060" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11", + "port": 5060, + "user": { + "name": "sip:sipp@127.0.0.1:5060" + } } } 
@@ -834,48 +834,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=15:29:39 devname=\"abc\" devid=\"1\" logid=\"0105048039\" type=\"event\" subtype=\"wad\" level=\"error\" vd=\"PRX1-AA\" eventtime=1619616579 logdesc=\"SSL fatal alert sent\" session_id=473f963d policyid=0 srcip=2.2.2.2 srcport=47782 dstip=1.1.1.1 dstport=8002 action=\"send\" alert=\"2\" desc=\"illegal parameter\" msg=\"SSL Alert sent\"", "event": { "action": "send", + "category": "event", "code": "0105048039", - "reason": "SSL Alert sent", "dataset": "utm:wad", - "category": "event", + "reason": "SSL Alert sent", "type": "illegal parameter" }, "@timestamp": "2021-04-28T13:29:39Z", + "action": { + "name": "send", + "outcome": "success", + "outcome_reason": "SSL Alert sent", + "target": "network-traffic", + "type": "wad" + }, "destination": { "address": "1.1.1.1", - "port": 8002, - "ip": "1.1.1.1" + "ip": "1.1.1.1", + "port": 8002 }, "fortinet": { "fortigate": { "event": { - "type": "event", - "desc": "illegal parameter" + "desc": "illegal parameter", + "type": "event" }, "virtual_domain": "PRX1-AA" } }, + "host": { + "name": "abc" + }, "log": { - "level": "error", "description": "SSL fatal alert sent", - "hostname": "abc" + "hostname": "abc", + "level": "error" }, "observer": { "hostname": "abc", "serial_number": "1" }, - "source": { - "port": 47782, - "ip": "2.2.2.2", - "address": "2.2.2.2" - }, - "action": { - "name": "send", - "type": "wad", - "outcome_reason": "SSL Alert sent", - "target": "network-traffic", - "outcome": "success" - }, "related": { "hosts": [ "abc" @@ -885,8 +883,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2.2.2.2" ] }, - "host": { - "name": "abc" + "source": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 47782 } } 
@@ -901,15 +901,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|30258|utm:waf waf-http-constraint passthrough|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1203030258 cat=utm:waf FTNTFGTsubtype=waf FTNTFGTeventtype=waf-http-constraint FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545951320 FTNTFGTpolicyid=1 externalId=13614 duser=bob FTNTFGTprofile=waf_test src=10.1.100.11 spt=57304 dst=172.16.200.55 dpt=80 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=6 app=HTTP request=http://172.16.200.55/index.html?a\\=0123456789&b\\=0123456789&c\\=0123456789 FTNTFGTseverity=medium act=passthrough deviceDirection=0 requestClientApplication=curl/7.47.0 FTNTFGTconstraint=url-param-num FTNTFGTrawdata=Method\\=GET|User-Agent\\=curl/7.47.0", "event": { "action": "passthrough", + "category": "utm", "code": "1203030258", - "dataset": "utm:waf", - "category": "utm" + "dataset": "utm:waf" }, "@timestamp": "2018-12-27T22:55:20Z", + "action": { + "name": "passthrough", + "outcome": "success", + "target": "network-traffic", + "type": "waf-http-constraint - waf" + }, "destination": { "address": "172.16.200.55", - "port": 80, "ip": "172.16.200.55", + "port": 80, "user": { "name": "bob" } @@ -925,10 +931,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "warning" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "inbound", "protocol": "http", - "direction": "inbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -945,45 +951,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, + "related": { + "ip": [ + "10.1.100.11", + "172.16.200.55" + ], + "user": [ + "bob" + ] + }, "source": { - "port": 57304, + "address": "10.1.100.11", "ip": "10.1.100.11", - "address": "10.1.100.11" + "port": 57304 }, "url": { - "original": "http://172.16.200.55/index.html?a\\=0123456789&b\\=0123456789&c\\=0123456789", - "full": "http://172.16.200.55/index.html?a\\=0123456789&b\\=0123456789&c\\=0123456789", "domain": "172.16.200.55", + "full": "http://172.16.200.55/index.html?a\\=0123456789&b\\=0123456789&c\\=0123456789", + "original": "http://172.16.200.55/index.html?a\\=0123456789&b\\=0123456789&c\\=0123456789", "path": "/index.html", + "port": 80, "query": "a\\=0123456789&b\\=0123456789&c\\=0123456789", - "scheme": "http", - "port": 80 + "scheme": "http" }, "user_agent": { - "original": "curl/7.47.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.47.0", + "original": "curl/7.47.0", "os": { "name": "Other" - } - }, - "action": { - "name": "passthrough", - "type": "waf-http-constraint - waf", - "target": "network-traffic", - "outcome": "success" - }, - "related": { - "user": [ - "bob" - ], - "ip": [ - "10.1.100.11", - "172.16.200.55" - ] + }, + "version": "7.47.0" } } 
@@ -998,12 +998,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "0|Fortinet|Fortigate|v6.0.3|18433|utm:anomaly anomaly clear_session|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0720018433 cat=utm:anomaly FTNTFGTsubtype=anomaly FTNTFGTeventtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545939604 FTNTFGTseverity=critical src=10.1.100.11 FTNTFGTsrccountry=Reserved dst=172.16.200.55 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined externalId=0 act=clear_session proto=1 app=PING cnt=1 FTNTFGTattack=icmp_flood FTNTFGTicmpid=0x3053 FTNTFGTicmptype=0x08 FTNTFGTicmpcode=0x00 FTNTFGTattackid=16777316 FTNTFGTpolicyid=1 FTNTFGTpolicytype=DoS-policy FTNTFGTref=http://www.fortinet.com/ids/VID16777316 msg=anomaly: icmp_flood, 51 > threshold 50 FTNTFGTcrscore=50 FTNTFGTcrlevel=critical", "event": { "action": "clear_session", + "category": "utm", "code": "0720018433", - "reason": "anomaly: icmp_flood, 51 > threshold 50", "dataset": "utm:anomaly", - "category": "utm" + "reason": "anomaly: icmp_flood, 51 > threshold 50" }, "@timestamp": "2018-12-27T19:40:04Z", + "action": { + "name": "clear_session", + "outcome": "success", + "outcome_reason": "anomaly: icmp_flood, 51 > threshold 50", + "target": "network-traffic", + "type": "anomaly - anomaly" + }, "destination": { "address": "172.16.200.55", "ip": "172.16.200.55" @@ -1019,9 +1026,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "alert" }, "network": { - "transport": "icmp", "application": "PING", - "protocol": "ping" + "protocol": "ping", + "transport": "icmp" }, "observer": { "ingress": { 
@@ -1033,22 +1040,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "ip": "10.1.100.11", - "address": "10.1.100.11" - }, - "action": { - "name": "clear_session", - "type": "anomaly - anomaly", - "outcome_reason": "anomaly: icmp_flood, 51 > threshold 50", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "10.1.100.11", "172.16.200.55" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11" } } @@ -1063,15 +1063,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v5.6.0|18433|anomaly:anomaly clear_ session|7|FTNTFGTlogid=0720018433 cat=anomaly:anomaly FTNTFGTsubtype=anomaly FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTseverity=critical src=1.1.1.1 dst=2.2.2.2 deviceInboundInterface=port15 externalId=0 act=clear_session proto=1 app=icmp/146/81 cnt=306 FTNTFGTattack=icmp_flood dpt=20882 FTNTFGTicmptype=0x92 FTNTFGTicmpcode=0x51 FTNTFGTattackid=16777316 FTNTFGTprofile=DoS-policy1 cs2=http://www.fortinet.com/ids/VID16777316 cs2Label=Reference msg=anomaly: icmp_flood, 34 > threshold 25, repeats 306 times FTNTFGTcrscore=50 FTNTFGTcrlevel=critical", "event": { "action": "clear_session", + "category": "anomaly", "code": "0720018433", - "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", "dataset": "anomaly:anomaly", - "category": "anomaly" + "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" + }, + "action": { + "name": "clear_session", + "outcome": "success", + "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", + "target": "network-traffic", + "type": "anomaly" }, "destination": { "address": "2.2.2.2", - "port": 20882, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 20882 }, "fortinet": { "fortigate": { 
@@ -1084,9 +1091,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "alert" }, "network": { - "transport": "icmp", "application": "icmp/146/81", - "protocol": "icmp/146/81" + "protocol": "icmp/146/81", + "transport": "icmp" }, "observer": { "ingress": { @@ -1098,22 +1105,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v5.6.0" }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "clear_session", - "type": "anomaly", - "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "1.1.1.1", "2.2.2.2" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -1128,37 +1128,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "date=2016-02-12,time=14:10:42,logid=0720018433,type=anomaly,subtype=anomaly,level=alert,vd=\"vdom1\",severity=critical,srcip=1.1.1.1,dstip=2.2.2.2,srcintf=\"port15\",sessionid=0,action=clear_session,proto=1,service=\"icmp/146/81\",count=306,attack=\"icmp_ flood\",dstport=20882,icmptype=0x92,icmpcode=0x51,attackid=16777316,profile=\"DoS-policy1\",ref=\"http://www.fortinet.com/ids/VID16777316\",msg=\"anomaly: icmp_flood, 34 > threshold 25, repeats 306 times\",crscore=50,crlevel=critical", "event": { "action": "clear_session", + "category": "anomaly", "code": "0720018433", - "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", "dataset": "utm:anomaly", - "category": "anomaly" + "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" + }, + "action": { + "name": "clear_session", + "outcome": "success", + "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", + "properties": { + "icmp_code": "0x51", + "icmp_type": "0x92" + }, + "target": "network-traffic", + "type": "anomaly" }, "destination": { "address": "2.2.2.2", - "port": 20882, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 20882 }, "fortinet": { "fortigate": { "event": { - "type": "anomaly", - "severity": "critical" + "severity": "critical", + "type": "anomaly" }, - "virtual_domain": "vdom1", "icmp": { "request": { - "type": "0x92", - "code": "0x51" + "code": "0x51", + "type": "0x92" } - } + }, + "virtual_domain": "vdom1" } }, "log": { "level": "alert" }, "network": { - "transport": "icmp", - "protocol": "icmp/146/81" + "protocol": "icmp/146/81", + "transport": "icmp" }, "observer": { "ingress": { 
@@ -1167,26 +1178,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "clear_session", - "type": "anomaly", - "properties": { - "icmp_code": "0x51", - "icmp_type": "0x92" - }, - "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "1.1.1.1", "2.2.2.2" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -1201,37 +1201,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "date=2016-02-12 time=14:10:42 logid=0720018433 type=anomaly subtype=anomaly level=alert vd=\"vdom1\" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 srcintf=\"port15\" sessionid=0 action=clear_session proto=1 service=\"icmp/146/81\" count=306 attack=\"icmp_ flood\" dstport=20882 icmptype=0x92 icmpcode=0x51 attackid=16777316 profile=\"DoS-policy1\" ref=\"http://www.fortinet.com/ids/VID16777316\" msg=\"anomaly: icmp_flood, 34 > threshold 25, repeats 306 times\" crscore=50 crlevel=critical", "event": { "action": "clear_session", + "category": "anomaly", "code": "0720018433", - "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", "dataset": "utm:anomaly", - "category": "anomaly" + "reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times" + }, + "action": { + "name": "clear_session", + "outcome": "success", + "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", + "properties": { + "icmp_code": "0x51", + "icmp_type": "0x92" + }, + "target": "network-traffic", + "type": "anomaly" }, "destination": { "address": "2.2.2.2", - "port": 20882, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 20882 }, "fortinet": { "fortigate": { "event": { - "type": "anomaly", - "severity": "critical" + "severity": "critical", + "type": "anomaly" }, - "virtual_domain": "vdom1", "icmp": { "request": { - "type": "0x92", - "code": "0x51" + "code": "0x51", + "type": "0x92" } - } + }, + "virtual_domain": "vdom1" } }, "log": { "level": "alert" }, "network": { - "transport": "icmp", - "protocol": "icmp/146/81" + "protocol": "icmp/146/81", + "transport": "icmp" }, "observer": { "ingress": { 
@@ -1240,27 +1251,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "clear_session", - "type": "anomaly", - "properties": { - "icmp_code": "0x51", - "icmp_type": "0x92" - }, - "outcome_reason": "anomaly: icmp_flood, 34 > threshold 25, repeats 306 times", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "1.1.1.1", "2.2.2.2" ] - } + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } } ``` 
@@ -1274,16 +1274,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|08192|utm:virus infected blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0211008192 cat=utm:virus FTNTFGTsubtype=virus FTNTFGTeventtype=infected FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938448 msg=File is infected. act=blocked app=HTTP externalId=695 src=10.1.100.11 dst=172.16.200.55 spt=44356 dpt=80 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpolicyid=1 proto=6 deviceDirection=0 fname=eicar.com FTNTFGTquarskip=File-was-not-quarantined. FTNTFGTvirus=EICAR_TEST_FILE FTNTFGTdtype=Virus FTNTFGTref=http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE FTNTFGTvirusid=2172 request=http://172.16.200.55/virus/eicar.com FTNTFGTprofile=g-default duser=bob requestClientApplication=curl/7.47.0 FTNTFGTanalyticscksum=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f FTNTFGTanalyticssubmit=false FTNTFGTcrscore=50 FTNTFGTcrlevel=critical", "event": { "action": "blocked", + "category": "utm", "code": "0211008192", - "reason": "File is infected.", "dataset": "utm:virus", - "category": "utm" + "reason": "File is infected." }, "@timestamp": "2018-12-27T19:20:48Z", + "action": { + "name": "blocked", + "outcome": "success", + "outcome_reason": "File is infected.", + "target": "network-traffic", + "type": "infected - virus" + }, "destination": { "address": "172.16.200.55", - "port": 80, "ip": "172.16.200.55", + "port": 80, "user": { "name": "bob" } @@ -1295,10 +1302,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "warning" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "inbound", "protocol": "http", - "direction": "inbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -1315,45 +1322,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, + "related": { + "ip": [ + "10.1.100.11", + "172.16.200.55" + ], + "user": [ + "bob" + ] + }, "source": { - "port": 44356, + "address": "10.1.100.11", "ip": "10.1.100.11", - "address": "10.1.100.11" + "port": 44356 }, "url": { - "original": "http://172.16.200.55/virus/eicar.com", - "full": "http://172.16.200.55/virus/eicar.com", "domain": "172.16.200.55", + "full": "http://172.16.200.55/virus/eicar.com", + "original": "http://172.16.200.55/virus/eicar.com", "path": "/virus/eicar.com", - "scheme": "http", - "port": 80 + "port": 80, + "scheme": "http" }, "user_agent": { - "original": "curl/7.47.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.47.0", + "original": "curl/7.47.0", "os": { "name": "Other" - } - }, - "action": { - "name": "blocked", - "type": "infected - virus", - "outcome_reason": "File is infected.", - "target": "network-traffic", - "outcome": "success" - }, - "related": { - "user": [ - "bob" - ], - "ip": [ - "10.1.100.11", - "172.16.200.55" - ] + }, + "version": "7.47.0" } } 
@@ -1368,15 +1368,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v5.6.0|08192|utm:virus infected blocked|4|FTNTFGTlogid=0211008192 cat=utm:virus FTNTFGTsubtype=virus FTNTFGTeventtype=infected FTNTFGTlevel=warning FTNTFGTvd=vdom1 msg=File is infected act=blocked app=HTTP externalId=56633 src=1.1.1.1 dst=2.2.2.2 spt=45719 dpt=80 deviceInboundInterface=port15 deviceOutboundInterface=port19 proto=6 deviceDirection=0 fname=eicar.com FTNTFGTchecksum=1dd02bdb FTNTFGTquarskip=No-skip cs1=EICAR_TEST_FILE cs1Label=Virus FTNTFGTdtype=Virus cs2=http://www.fortinet.com/ve?vn\\=EICAR_TEST_FILE cs2Label=Reference FTNTFGTvirusid=2172 request=http://2.2.2.2/eicar.com FTNTFGTprofile=default duser= requestClientApplication=Wget/1 10 2 FTNTFGTanalyticscksum=131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 FTNTFGTanalyticssubmit=false FTNTFGTcrscore=50 FTNTFGTcrlevel=critical", "event": { "action": "blocked", + "category": "utm", "code": "0211008192", - "reason": "File is infected", "dataset": "utm:virus", - "category": "utm" + "reason": "File is infected" + }, + "action": { + "name": "blocked", + "outcome": "success", + "outcome_reason": "File is infected", + "target": "network-traffic", + "type": "infected - virus" }, "destination": { "address": "2.2.2.2", - "port": 80, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 80 }, "file": { "name": "eicar.com" @@ -1385,10 +1392,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "warning" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "inbound", "protocol": "http", - "direction": "inbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -1405,42 +1412,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v5.6.0" }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, "source": { - "port": 45719, + "address": "1.1.1.1", "ip": "1.1.1.1", - "address": "1.1.1.1" + "port": 45719 }, "url": { - "original": "http://2.2.2.2/eicar.com", - "full": "http://2.2.2.2/eicar.com", "domain": "2.2.2.2", + "full": "http://2.2.2.2/eicar.com", + "original": "http://2.2.2.2/eicar.com", "path": "/eicar.com", - "scheme": "http", - "port": 80 + "port": 80, + "scheme": "http" }, "user_agent": { - "original": "Wget/1 10 2", "device": { "name": "Other" }, "name": "Wget", - "version": "1", + "original": "Wget/1 10 2", "os": { "name": "Other" - } - }, - "action": { - "name": "blocked", - "type": "infected - virus", - "outcome_reason": "File is infected", - "target": "network-traffic", - "outcome": "success" - }, - "related": { - "ip": [ - "1.1.1.1", - "2.2.2.2" - ] + }, + "version": "1" } } 
@@ -1455,26 +1455,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|28704|utm:app-ctrl app-ctrl-all pass|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1059028704 cat=utm:app-ctrl FTNTFGTsubtype=app-ctrl FTNTFGTeventtype=app-ctrl-all FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545949688 FTNTFGTappid=34050 src=10.1.100.11 dst=104.80.89.24 spt=56826 dpt=80 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP deviceDirection=1 FTNTFGTpolicyid=1 externalId=12567 FTNTFGTapplist=g-default FTNTFGTappcat=Web.Client FTNTFGTapp=HTTP.BROWSER_Firefox act=pass dhost=detectportal.firefox.com FTNTFGTincidentserialno=1702350499 request=/success.txt msg=Web.Client: HTTP.BROWSER_Firefox, FTNTFGTapprisk=elevated suser=Domain\\\\alice", "event": { "action": "pass", + "category": "utm", "code": "1059028704", - "reason": "Web.Client: HTTP.BROWSER_Firefox,", "dataset": "utm:app-ctrl", - "category": "utm" + "reason": "Web.Client: HTTP.BROWSER_Firefox," }, "@timestamp": "2018-12-27T22:28:08Z", + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "Web.Client: HTTP.BROWSER_Firefox,", + "target": "network-traffic", + "type": "app-ctrl-all - app-ctrl" + }, "destination": { "address": "104.80.89.24", "domain": "detectportal.firefox.com", - "port": 80, - "ip": "104.80.89.24" + "ip": "104.80.89.24", + "port": 80 }, "log": { "level": "information" }, "network": { - "transport": "tcp", "application": "HTTP", + "direction": "outbound", "protocol": "http", - "direction": "outbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -1491,26 +1498,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 56826, - "ip": "10.1.100.11", - "user": { - "name": "alice", - "domain": "Domain" - }, - "address": "10.1.100.11" - }, - "url": { - "original": "/success.txt", - "path": "/success.txt" - }, - "action": { - "name": "pass", - "type": "app-ctrl-all - app-ctrl", - "outcome_reason": "Web.Client: HTTP.BROWSER_Firefox,", - "target": "network-traffic", - "outcome": "success" - }, "related": { "hosts": [ "detectportal.firefox.com" @@ -1522,6 +1509,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "alice" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11", + "port": 56826, + "user": { + "domain": "Domain", + "name": "alice" + } + }, + "url": { + "original": "/success.txt", + "path": "/success.txt" } } 
@@ -1536,25 +1536,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "date=2018-12-27,time=14:45:26,logid=\"1501054802\",type=\"dns\",subtype=\"dns-response\",level=\"notice\",vd=\"vdom1\",eventtime=1545950726,policyid=1,sessionid=13355,user=\"bob\",srcip=1.1.1.1,srcport=54621,srcintf=\"port12\",srcintfrole=\"lan\",dstip=2.2.2.2,dstport=53,dstintf=\"port11\",dstintfrole=\"wan\",proto=17,profile=\"default\",srcmac=\"00:00:00:00:00:00\",xid=5137,qname=\"detectportal.firefox.com\",qtype=\"A\",qtypeval=1,qclass=\"IN\",ipaddr=\"104.80.89.26, 104.80.89.24\",msg=\"Domain is monitored\",action=\"pass\",cat=52,catdesc=\"Information Technology\"", "event": { "action": "pass", + "category": "dns", "code": "1501054802", - "reason": "Domain is monitored", "dataset": "dns:dns-response", - "category": "dns" + "reason": "Domain is monitored" }, "@timestamp": "2018-12-27T22:45:26Z", + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "Domain is monitored", + "target": "network-traffic", + "type": "dns-response" + }, "destination": { "address": "2.2.2.2", - "port": 53, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 53 }, "dns": { "question": { - "name": "detectportal.firefox.com", - "type": "A", "class": "IN", - "top_level_domain": "com", + "name": "detectportal.firefox.com", + "registered_domain": "firefox.com", "subdomain": "detectportal", - "registered_domain": "firefox.com" + "top_level_domain": "com", + "type": "A" }, "rrname": "detectportal.firefox.com", "rrtype": "A" 
@@ -1585,36 +1592,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "rule": { - "category": "Information Technology" - }, - "source": { - "mac": "00:00:00:00:00:00", - "port": 54621, - "ip": "1.1.1.1", - "user": { - "name": "bob" - }, - "address": "1.1.1.1" - }, - "action": { - "name": "pass", - "type": "dns-response", - "outcome_reason": "Domain is monitored", - "target": "network-traffic", - "outcome": "success" - }, "related": { + "hosts": [ + "detectportal.firefox.com" + ], "ip": [ "1.1.1.1", "2.2.2.2" ], "user": [ "bob" - ], - "hosts": [ - "detectportal.firefox.com" ] + }, + "rule": { + "category": "Information Technology" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "mac": "00:00:00:00:00:00", + "port": 54621, + "user": { + "name": "bob" + } } } 
@@ -1629,16 +1629,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|20503|utm:emailfilter smtp log-only|2|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0508020503 cat=utm:emailfilter FTNTFGTsubtype=emailfilter FTNTFGTeventtype=smtp FTNTFGTlevel=information FTNTFGTvd=vdom1 FTNTFGTeventtime=1545939418 FTNTFGTpolicyid=1 externalId=1135 duser=bob src=10.1.100.11 spt=35969 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=172.18.62.158 dpt=25 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=SMTP FTNTFGTprofile=test-spam act=log-only suser=testpc1@qa.fortinet.com duser=test1@server88.qa.fortinet.com FTNTFGTsender=testpc1@qa.fortinet.com FTNTFGTrecipient=test1@server88.qa.fortinet.com deviceDirection=1 msg=general email log FTNTFGTsubject=hello_world2 FTNTFGTsize=216 FTNTFGTattachment=no", "event": { "action": "log-only", + "category": "utm", "code": "0508020503", - "reason": "general email log", "dataset": "utm:emailfilter", - "category": "utm" + "reason": "general email log" }, "@timestamp": "2018-12-27T19:36:58Z", + "action": { + "name": "log-only", + "outcome": "success", + "outcome_reason": "general email log", + "target": "network-traffic", + "type": "smtp - emailfilter" + }, "destination": { "address": "172.18.62.158", - "port": 25, "ip": "172.18.62.158", + "port": 25, "user": { "name": "bob" } @@ -1647,10 +1654,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "level": "information" }, "network": { - "transport": "tcp", "application": "SMTP", + "direction": "outbound", "protocol": "smtp", - "direction": "outbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -1667,30 +1674,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "port": 35969, - "ip": "10.1.100.11", - "user": { - "name": "testpc1@qa.fortinet.com" - }, - "address": "10.1.100.11" - }, - "action": { - "name": "log-only", - "type": "smtp - emailfilter", - "outcome_reason": "general email log", - "target": "network-traffic", - "outcome": "success" - }, "related": { - "user": [ - "bob", - "testpc1@qa.fortinet.com" - ], "ip": [ "10.1.100.11", "172.18.62.158" + ], + "user": [ + "bob", + "testpc1@qa.fortinet.com" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11", + "port": 35969, + "user": { + "name": "testpc1@qa.fortinet.com" + } } } @@ -1705,12 +1705,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|32002|event:system login failed|7|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0100032002 cat=event:system FTNTFGTsubtype=system FTNTFGTlevel=alert FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938140 FTNTFGTlogdesc=Admin login failed FTNTFGTsn=0 duser=admin1 sproc=https(172.16.200.254) FTNTFGTmethod=https src=172.16.200.254 dst=172.16.200.1 act=login outcome=failed reason=name_invalid msg=Administrator admin1 login failed from https(172.16.200.254) because of invalid user name", "event": { "action": "login", + "category": "event", "code": "0100032002", - "reason": "name_invalid", "dataset": "event:system", - "category": "event" + "reason": "name_invalid" }, "@timestamp": "2018-12-27T19:15:40Z", + "action": { + "name": "login", + "outcome": "failed", + "outcome_reason": "Administrator admin1 login failed from https(172.16.200.254) because of invalid user name", + "target": "network-traffic", + "type": "system" + }, "destination": { "address": "172.16.200.1", "ip": "172.16.200.1", 
@@ -1726,25 +1733,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "ip": "172.16.200.254", - "address": "172.16.200.254" - }, - "action": { - "name": "login", - "type": "system", - "outcome": "failed", - "outcome_reason": "Administrator admin1 login failed from https(172.16.200.254) because of invalid user name", - "target": "network-traffic" - }, "related": { - "user": [ - "admin1" - ], "ip": [ "172.16.200.1", "172.16.200.254" + ], + "user": [ + "admin1" ] + }, + "source": { + "address": "172.16.200.254", + "ip": "172.16.200.254" } } @@ -1759,12 +1759,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|43008|event:user authentication success|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0102043008 cat=event:user FTNTFGTsubtype=user FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938255 FTNTFGTlogdesc=Authentication success src=10.1.100.11 dst=172.16.200.55 FTNTFGTpolicyid=1 deviceInboundInterface=port12 duser=bob FTNTFGTgroup=N/A FTNTFGTauthproto=TELNET(10.1.100.11) act=authentication outcome=success reason=N/A msg=User bob succeeded in authentication", "event": { "action": "authentication", + "category": "event", "code": "0102043008", - "reason": "User bob succeeded in authentication", "dataset": "event:user", - "category": "event" + "reason": "User bob succeeded in authentication" }, "@timestamp": "2018-12-27T19:17:35Z", + "action": { + "name": "authentication", + "outcome": "success", + "outcome_reason": "User bob succeeded in authentication", + "target": "network-traffic", + "type": "user" + }, "destination": { "address": "172.16.200.55", "ip": "172.16.200.55", 
@@ -1785,25 +1792,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, - "source": { - "ip": "10.1.100.11", - "address": "10.1.100.11" - }, - "action": { - "name": "authentication", - "type": "user", - "outcome": "success", - "outcome_reason": "User bob succeeded in authentication", - "target": "network-traffic" - }, "related": { - "user": [ - "bob" - ], "ip": [ "10.1.100.11", "172.16.200.55" + ], + "user": [ + "bob" ] + }, + "source": { + "address": "10.1.100.11", + "ip": "10.1.100.11" } } 
@@ -1818,70 +1818,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=11:09:50 devname=\"abc\" devid=\"1\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1579860590 appid=40568 srcip=1.1.1.1 dstip=2.2.2.2 srcport=33345 dstport=443 srcintf=\"test\" srcintfrole=\"undefined\" dstintf=\"port1\" dstintfrole=\"undefined\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=1508480438 applist=\"default\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"abcd\" incidentserialno=455926217 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\"", "event": { "action": "pass", + "category": "utm", "code": "1059028704", - "reason": "Web.Client: HTTPS.BROWSER,", "dataset": "utm:app-ctrl", - "category": "utm" + "reason": "Web.Client: HTTPS.BROWSER," }, "@timestamp": "2020-01-24T10:09:50Z", - "destination": { - "address": "2.2.2.2", + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "Web.Client: HTTPS.BROWSER,", + "target": "network-traffic", + "type": "app-ctrl" + }, + "destination": { + "address": "2.2.2.2", "domain": "abcd", - "port": 443, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "port": 443 }, "fortinet": { "fortigate": { + "apprisk": "medium", "event": { "type": "utm" }, - "apprisk": "medium", "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "log": { - "level": "information", - "hostname": "abc" + "hostname": "abc", + "level": "information" + }, + "network": { + "application": "HTTPS.BROWSER", + "protocol": "https", + "transport": "tcp" }, "observer": { - "hostname": "abc", - "serial_number": "1", "egress": { "interface": { "name": "port1" } }, + "hostname": "abc", "ingress": { "interface": { "name": "test" } - } - }, - "network": { - "transport": "tcp", - "application": "HTTPS.BROWSER", - "protocol": "https" - }, - "rule": { - "category": "Web.Client", - "ruleset": 
"default", - "apprisk": "medium" - }, - "source": { - "port": 33345, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "url": { - "original": "/", - "path": "/" - }, - "action": { - "name": "pass", - "type": "app-ctrl", - "outcome_reason": "Web.Client: HTTPS.BROWSER,", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "1" }, "related": { "hosts": [ @@ -1893,8 +1882,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2.2.2.2" ] }, - "host": { - "name": "abc" + "rule": { + "apprisk": "medium", + "category": "Web.Client", + "ruleset": "default" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 33345 + }, + "url": { + "original": "/", + "path": "/" } } @@ -1909,12 +1909,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " time=15:22:43 devname=\"abc\" devid=\"1\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"warning\" vd=\"root\" eventtime=1602591763587868496 tz=\"+0300\" srcip=1.1.1.1 identifier=256 srcintf=\"internal\" srcintfrole=\"lan\" dstip=2.2.2.2 dstintf=\"wan1\" dstintfrole=\"wan\" srcuuid=\"b22e6ef4-2e38-51ea-72c9-53b2da2e20f5\" dstuuid=\"052bdbce-823a-51e9-eb23-7a3e819fea4f\" poluuid=\"1520e1aa-823a-51e9-984f-a55e1f39b3c7\" sessionid=706677975 proto=1 action=\"ip-conn\" policyid=1 policytype=\"policy\" service=\"icmp/0/8\" dstcountry=\"Netherlands\" srccountry=\"Reserved\" appcat=\"unscanned\" crscore=5 craction=262144 crlevel=\"low\"", "event": { "action": "ip-conn", + "category": "traffic", "code": "0000000011", - "timezone": "+0300", "dataset": "traffic:forward", - "category": "traffic" + "timezone": "+0300" }, "@timestamp": "2020-10-13T12:22:43.587868Z", + "action": { + "name": "ip-conn", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, "destination": { "address": "2.2.2.2", "ip": "2.2.2.2" 
@@ -1927,41 +1933,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "log": { - "level": "warning", - "hostname": "abc" + "hostname": "abc", + "level": "warning" + }, + "network": { + "protocol": "icmp/0/8", + "transport": "icmp" }, "observer": { - "hostname": "abc", - "serial_number": "1", "egress": { "interface": { "name": "wan1" } }, + "hostname": "abc", "ingress": { "interface": { "name": "internal" } - } - }, - "network": { - "transport": "icmp", - "protocol": "icmp/0/8" - }, - "rule": { - "category": "unscanned", - "ruleset": "policy" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "ip-conn", - "type": "forward", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "1" }, "related": { "hosts": [ @@ -1972,8 +1967,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2.2.2.2" ] }, - "host": { - "name": "abc" + "rule": { + "category": "unscanned", + "ruleset": "policy" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -1988,17 +1988,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " time=13:02:14 devname=\"abc\" devid=\"1\" logid=\"0001000014\" type=\"traffic\" subtype=\"local\" level=\"notice\" vd=\"root\" eventtime=1602586934900309053 tz=\"+0200\" srcip=00::00:00:00:00 identifier=0 srcintf=\"AVR-GUEST-AP\" srcintfrole=\"lan\" dstip=12::16 dstintf=\"unknown0\" dstintfrole=\"undefined\" sessionid=1395131 proto=58 action=\"accept\" policyid=0 policytype=\"local-in-policy6\" service=\"icmp6/143/0\" trandisp=\"noop\" app=\"icmp6/143/0\" duration=60 sentbyte=76 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat=\"unscanned\"", "event": { "action": "accept", + "category": "traffic", "code": "0001000014", - "timezone": "+0200", "dataset": "traffic:local", - "category": "traffic" + "timezone": "+0200" }, "@timestamp": "2020-10-13T11:02:14.900309Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "local" + }, "destination": { "address": "12::16", "bytes": 0, - "packets": 0, - "ip": "12::16" + "ip": "12::16", + "packets": 0 }, "fortinet": { "fortigate": { 
@@ -2008,45 +2014,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "log": { - "level": "notice", - "hostname": "abc" + "hostname": "abc", + "level": "notice" + }, + "network": { + "application": "icmp6/143/0", + "bytes": 76, + "protocol": "icmp6/143/0", + "transport": "ipv6-icmp" }, "observer": { - "hostname": "abc", - "serial_number": "1", "egress": { "interface": { "name": "unknown0" } }, + "hostname": "abc", "ingress": { "interface": { "name": "AVR-GUEST-AP" } - } - }, - "network": { - "transport": "ipv6-icmp", - "bytes": 76, - "application": "icmp6/143/0", - "protocol": "icmp6/143/0" - }, - "rule": { - "category": "unscanned", - "ruleset": "local-in-policy6" - }, - "source": { - "bytes": 76, - "packets": 1, - "ip": "::", - "address": "::" - }, - "action": { - "name": "accept", - "type": "local", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "1" }, "related": { "hosts": [ @@ -2057,8 +2050,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "::" ] }, - "host": { - "name": "abc" + "rule": { + "category": "unscanned", + "ruleset": "local-in-policy6" + }, + "source": { + "address": "::", + "bytes": 76, + "ip": "::", + "packets": 1 } } 
@@ -2073,25 +2073,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.10|00014|traffic:local accept|3|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0001000014 cat=traffic:local FortinetFortiGatesubtype=local FortinetFortiGatelevel=notice FortinetFortiGatevd=root FortinetFortiGateeventtime=1602663098 src=1.1.1.1 deviceInboundInterface=port1 FortinetFortiGatesrcintfrole=undefined dst=2.2.2.2 deviceOutboundInterface=root FortinetFortiGatedstintfrole=undefined externalId=4887198 proto=1 FortinetFortiGateaction=accept FortinetFortiGatepolicyid=0 FortinetFortiGatepolicytype=local-in-policy app=icmp/8/0 FortinetFortiGatedstcountry=Reserved FortinetFortiGatesrccountry=China FortinetFortiGatetrandisp=noop FortinetFortiGateapp=icmp/8/0 FortinetFortiGateduration=61 out=84 in=84 FortinetFortiGatesentpkt=1 FortinetFortiGatercvdpkt=1 FortinetFortiGateappcat=unscanned", "event": { "action": "accept", + "category": "traffic", "code": "0001000014", - "dataset": "traffic:local", - "category": "traffic" + "dataset": "traffic:local" }, "@timestamp": "2020-10-14T08:11:38Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "local" + }, "destination": { "address": "2.2.2.2", "bytes": 84, - "packets": 1, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "packets": 1 }, "log": { "level": "notice" }, "network": { - "transport": "icmp", - "bytes": 168, "application": "icmp/8/0", - "protocol": "icmp/8/0" + "bytes": 168, + "protocol": "icmp/8/0", + "transport": "icmp" }, "observer": { "egress": { 
@@ -2108,23 +2114,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.10" }, - "source": { - "bytes": 84, - "packets": 1, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "accept", - "type": "local", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "1.1.1.1", "2.2.2.2" ] + }, + "source": { + "address": "1.1.1.1", + "bytes": 84, + "ip": "1.1.1.1", + "packets": 1 } } @@ -2139,17 +2139,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " time=14:22:37 devname=\"abc\" devid=\"1\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"ROUTER\" eventtime=1602591758311908837 tz=\"+0200\" srcip=1.1.1.1 identifier=29027 srcintf=\"test1\" srcintfrole=\"undefined\" dstip=2.2.2.2 dstintf=\"test\" dstintfrole=\"undefined\" sessionid=3558919660 proto=1 action=\"accept\" policyid=637 policytype=\"policy\" poluuid=\"b23818a6-8f49-51ea-9db7-4e4965a3483c\" service=\"PING\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=64 sentbyte=420 rcvdbyte=420 sentpkt=5 rcvdpkt=5 appcat=\"unscanned\"", "event": { "action": "accept", + "category": "traffic", "code": "0000000013", - "timezone": "+0200", "dataset": "traffic:forward", - "category": "traffic" + "timezone": "+0200" }, "@timestamp": "2020-10-13T12:22:38.311909Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, "destination": { "address": "2.2.2.2", "bytes": 420, - "packets": 5, - "ip": "2.2.2.2" + "ip": "2.2.2.2", + "packets": 5 }, "fortinet": { "fortigate": { 
@@ -2159,44 +2165,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "ROUTER" } }, + "host": { + "name": "abc" + }, "log": { - "level": "notice", - "hostname": "abc" + "hostname": "abc", + "level": "notice" + }, + "network": { + "bytes": 840, + "protocol": "ping", + "transport": "icmp" }, "observer": { - "hostname": "abc", - "serial_number": "1", "egress": { "interface": { "name": "test" } }, + "hostname": "abc", "ingress": { "interface": { "name": "test1" } - } - }, - "network": { - "transport": "icmp", - "bytes": 840, - "protocol": "ping" - }, - "rule": { - "category": "unscanned", - "ruleset": "policy" - }, - "source": { - "bytes": 420, - "packets": 5, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "accept", - "type": "forward", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "1" }, "related": { "hosts": [ @@ -2207,8 +2200,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2.2.2.2" ] }, - "host": { - "name": "abc" + "rule": { + "category": "unscanned", + "ruleset": "policy" + }, + "source": { + "address": "1.1.1.1", + "bytes": 420, + "ip": "1.1.1.1", + "packets": 5 } } 
@@ -2223,12 +2223,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.4|32021|event:system login failed|7|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0100032021 cat=event:system FortinetFortiGatesubtype=system FortinetFortiGatelevel=alert FortinetFortiGatevd=root FortinetFortiGateeventtime=1579172447 FortinetFortiGatelogdesc=Admin login disabled sproc=1.1.1.1 FortinetFortiGateaction=login outcome=failed reason=exceed_limit msg=Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts", "event": { "action": "login", + "category": "event", "code": "0100032021", - "reason": "exceed_limit", "dataset": "event:system", - "category": "event" + "reason": "exceed_limit" }, "@timestamp": "2020-01-16T11:00:47Z", + "action": { + "name": "login", + "outcome": "failed", + "outcome_reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts", + "target": "network-traffic", + "type": "system" + }, "log": { "level": "alert" }, @@ -2236,13 +2243,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Fortigate", "vendor": "Fortinet", "version": "v6.0.4" - }, - "action": { - "name": "login", - "type": "system", - "outcome": "failed", - "outcome_reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts", - "target": "network-traffic" } } 
@@ -2257,12 +2257,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.10|39943|event:vpn ssl-new-con|2|deviceExternalId=FGT3HD3916803645 FTNTFGTlogid=0101039943 cat=event:vpn FTNTFGTsubtype=vpn FTNTFGTlevel=information FTNTFGTvd=root FTNTFGTeventtime=1637338258 FTNTFGTlogdesc=SSL VPN new connection act=ssl-new-con FTNTFGTtunneltype=ssl FTNTFGTtunnelid=0 dst=2.2.2.2 duser=N/A FTNTFGTgroup=N/A FTNTFGTdst_host=N/A reason=N/A msg=SSL new connection", "event": { "action": "ssl-new-con", + "category": "event", "code": "0101039943", - "reason": "SSL new connection", "dataset": "event:vpn", - "category": "event" + "reason": "SSL new connection" }, "@timestamp": "2021-11-19T16:10:58Z", + "action": { + "name": "ssl-new-con", + "outcome": "success", + "outcome_reason": "SSL new connection", + "target": "network-traffic", + "type": "vpn" + }, "destination": { "address": "2.2.2.2", "ip": "2.2.2.2" @@ -2275,13 +2282,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.10" }, - "action": { - "name": "ssl-new-con", - "type": "vpn", - "outcome_reason": "SSL new connection", - "target": "network-traffic", - "outcome": "success" - }, "related": { "ip": [ "2.2.2.2" 
@@ -2300,74 +2300,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=08:20:44 devname=\"computer-039482\" devid=\"C10382849\" eventtime=1669620044749365658 tz=\"+0100\" logid=\"0000000020\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcname=\"C-3424\" srcport=52272 srcintf=\"ID102\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"ID015\" dstintfrole=\"wan\" srcuuid=\"ccd49675-9207-46cf-9c4b-8d522c2b977e\" srccountry=\"Reserved\" dstinetsvc=\"Microsoft-Office365.Published\" dstcountry=\"France\" dstregion=\"Ile-de-France\" dstcity=\"Paris\" dstreputation=5 sessionid=111111111 proto=6 action=\"accept\" policyid=37 policytype=\"policy\" poluuid=\"6a8f76d0-1459-4ddb-948a-62700ddbf241\" service=\"Microsoft-Office365.Published\" trandisp=\"snat\" transip=4.3.2.1 transport=52272 duration=258 sentbyte=160972 rcvdbyte=58449 sentpkt=333 rcvdpkt=192 vwlid=8 vwlquality=\"Seq_num(13 ID015), alive, custom1: 78.211: 0.000% 7.754 0.067 897379Kbps, selected\" vwlname=\"TO-INTERNET\" appcat=\"unscanned\" sentdelta=31328 rcvddelta=10476 srchwvendor=\"Dell\" devtype=\"Home & Office\" srcfamily=\"Computer\" osname=\"Windows\" srcswversion=\"10\" unauthuser=\"DOMAIN\\jdoe\" unauthusersource=\"kerberos\" mastersrcmac=\"00:00:00:00:00:00\" srcmac=\"00:00:00:00:00:00\" srcserver=0", "event": { "action": "accept", + "category": "traffic", "code": "0000000020", - "timezone": "+0100", "dataset": "traffic:forward", - "category": "traffic" + "timezone": "+0100" }, "@timestamp": "2022-11-28T07:20:44.749366Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, "destination": { "address": "5.6.7.8", "bytes": 58449, + "ip": "5.6.7.8", "packets": 192, - "port": 443, - "ip": "5.6.7.8" + "port": 443 }, "fortinet": { "fortigate": { "event": { "type": "traffic" }, - "virtual_domain": "root", "user": { "source": "kerberos" - } + }, + "virtual_domain": 
"root" } }, + "host": { + "name": "computer-039482" + }, "log": { - "level": "notice", - "hostname": "computer-039482" + "hostname": "computer-039482", + "level": "notice" + }, + "network": { + "bytes": 219421, + "protocol": "microsoft-office365.published", + "transport": "tcp" }, "observer": { - "hostname": "computer-039482", - "serial_number": "C10382849", "egress": { "interface": { "name": "ID015" } }, + "hostname": "computer-039482", "ingress": { "interface": { "name": "ID102" } - } - }, - "network": { - "transport": "tcp", - "bytes": 219421, - "protocol": "microsoft-office365.published" - }, - "rule": { - "category": "unscanned", - "ruleset": "policy" - }, - "source": { - "bytes": 160972, - "mac": "00:00:00:00:00:00", - "packets": 333, - "port": 52272, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "jdoe", - "domain": "DOMAIN" - }, - "action": { - "name": "accept", - "type": "forward", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "C10382849" }, "related": { "hosts": [ @@ -2381,8 +2368,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "jdoe" ] }, - "host": { - "name": "computer-039482" + "rule": { + "category": "unscanned", + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "bytes": 160972, + "ip": "1.2.3.4", + "mac": "00:00:00:00:00:00", + "packets": 333, + "port": 52272 + }, + "user": { + "domain": "DOMAIN", + "name": "jdoe" } } 
@@ -2397,23 +2397,28 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|Fortinet|FortiGate-1000C|5.6.14,build1727 (GA)|0000000020|forward traffic accept|5|start=Oct 12 2022 12:50:31 logver=506141727 deviceExternalId=FGT123 dvchost=FW-123 ad.vd=root ad.logid=0000000020 cat=traffic ad.subtype=forward deviceSeverity=notice ad.eventtime=1665571831 src=1.1.1.1 spt=55390 deviceInboundInterface=abc ad.srcintfrole=undefined dst=2.2.2.2 dpt=1522 deviceOutboundInterface=efg ad.dstintfrole=lan foo.poluuid=ec6ff8fe-5e41-51ec-bcbe-9e5484033dc8 externalID=3812440508 proto=6 act=accept ad.policyid=185 ad.policytype=policy app=SQLNET-1522 ad.dstcountry=Reserved ad.srccountry=Reserved ad.trandisp=noop ad.duration=268 out=202 in=52 ad.sentpkt=3 ad.rcvdpkt=1 ad.appcat=unscanned ad.sentdelta=0 ad.rcvddelta=0 tz=\"+0200\"",
 "event": {
 "action": "accept",
+ "category": "traffic",
 "code": "0000000020",
- "timezone": "+0200",
 "dataset": "traffic",
- "category": "traffic"
+ "timezone": "+0200"
 },
 "@timestamp": "2022-10-12T10:50:31Z",
+ "action": {
+ "name": "accept",
+ "outcome": "success",
+ "target": "network-traffic"
+ },
 "destination": {
 "address": "2.2.2.2",
 "bytes": 202,
- "port": 1522,
- "ip": "2.2.2.2"
+ "ip": "2.2.2.2",
+ "port": 1522
 },
 "network": {
- "transport": "tcp",
- "bytes": 254,
 "application": "SQLNET-1522",
- "protocol": "sqlnet-1522"
+ "bytes": 254,
+ "protocol": "sqlnet-1522",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2430,22 +2435,17 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Fortinet",
 "version": "5.6.14,build1727 (GA)"
 },
- "source": {
- "bytes": 52,
- "port": 55390,
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "action": {
- "name": "accept",
- "target": "network-traffic",
- "outcome": "success"
- },
 "related": {
 "ip": [
 "1.1.1.1",
 "2.2.2.2"
 ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 52,
+ "ip": "1.1.1.1",
+ "port": 55390
 }
 }
 
@@ -2460,30 +2460,36 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|Fortinet|Fortigate|v6.0.4|00013|traffic:forward timeout|3|deviceExternalId=FGVM2V0000171868 FortinetFortiGatelogid=0000000013 cat=traffic:forward FortinetFortiGatesubtype=forward FortinetFortiGatelevel=notice FortinetFortiGatevd=root FortinetFortiGateeventtime=1572471876 src=1.1.1.1 spt=49260 deviceInboundInterface=port1 FortinetFortiGatesrcintfrole=undefined dst=3.3.3.3 dpt=80 deviceOutboundInterface=port2 FortinetFortiGatedstintfrole=undefined FortinetFortiGatepoluuid=bafe134e-c0ad-51e8-ed9c-52f798dd69d4 externalId=12812952 proto=6 FortinetFortiGateaction=timeout FortinetFortiGatepolicyid=1 FortinetFortiGatepolicytype=policy app=HTTP FortinetFortiGatedstcountry=Reserved FortinetFortiGatesrccountry=United States FortinetFortiGatetrandisp=dnat destinationTranslatedAddress=2.2.2.2 destinationTranslatedPort=80 FortinetFortiGateduration=20 out=48 in=144 FortinetFortiGatesentpkt=1 FortinetFortiGatercvdpkt=3 FortinetFortiGateappcat=unscanned FortinetFortiGatecrscore=5 FortinetFortiGatecraction=262144 FortinetFortiGatecrlevel=low",
 "event": {
 "action": "timeout",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2019-10-30T21:44:36Z",
+ "action": {
+ "name": "timeout",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "3.3.3.3",
 "bytes": 48,
+ "ip": "3.3.3.3",
 "nat": {
- "port": 80,
- "ip": "2.2.2.2"
+ "ip": "2.2.2.2",
+ "port": 80
 },
 "packets": 3,
- "port": 80,
- "ip": "3.3.3.3"
+ "port": 80
 },
 "log": {
 "level": "notice"
 },
 "network": {
- "transport": "tcp",
- "bytes": 192,
 "application": "HTTP",
- "protocol": "http"
+ "bytes": 192,
+ "protocol": "http",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2500,25 +2506,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Fortinet",
 "version": "v6.0.4"
 },
- "source": {
- "bytes": 144,
- "packets": 1,
- "port": 49260,
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "action": {
- "name": "timeout",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
 "related": {
 "ip": [
 "1.1.1.1",
 "2.2.2.2",
 "3.3.3.3"
 ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 144,
+ "ip": "1.1.1.1",
+ "packets": 1,
+ "port": 49260
 }
 }
 
@@ -2533,25 +2533,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|Fortinet|Fortigate|v6.0.3|00013|traffic:forward close|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545937675 src=10.1.100.11 spt=54190 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=52.53.140.235 dpt=443 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined FTNTFGTpoluuid=c2d460aa-fe6f-51e8-9505-41b5117dfdd4 externalId=402 proto=6 act=close FTNTFGTpolicyid=1 FTNTFGTpolicytype=policy app=HTTPS FTNTFGTdstcountry=United States FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=172.16.200.1 sourceTranslatedPort=54190 FTNTFGTappid=40568 FTNTFGTapp=HTTPS.BROWSER FTNTFGTappcat=Web.Client FTNTFGTapprisk=medium FTNTFGTapplist=g-default FTNTFGTduration=2 out=3652 in=146668 FTNTFGTsentpkt=58 FTNTFGTrcvdpkt=105 FTNTFGTutmaction=allow FTNTFGTcountapp=2",
 "event": {
 "action": "close",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2018-12-27T19:07:55Z",
+ "action": {
+ "name": "close",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "52.53.140.235",
 "bytes": 3652,
- "port": 443,
- "ip": "52.53.140.235"
+ "ip": "52.53.140.235",
+ "port": 443
 },
 "log": {
 "level": "notice"
 },
 "network": {
- "transport": "tcp",
- "bytes": 150320,
 "application": "HTTPS",
- "protocol": "https"
+ "bytes": 150320,
+ "protocol": "https",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2568,29 +2574,23 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Fortinet",
 "version": "v6.0.3"
 },
- "source": {
- "bytes": 146668,
- "nat": {
- "port": 54190,
- "ip": "172.16.200.1"
- },
- "packets": 58,
- "port": 54190,
- "ip": "10.1.100.11",
- "address": "10.1.100.11"
- },
- "action": {
- "name": "close",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
 "related": {
 "ip": [
 "10.1.100.11",
 "172.16.200.1",
 "52.53.140.235"
 ]
+ },
+ "source": {
+ "address": "10.1.100.11",
+ "bytes": 146668,
+ "ip": "10.1.100.11",
+ "nat": {
+ "ip": "172.16.200.1",
+ "port": 54190
+ },
+ "packets": 58,
+ "port": 54190
 }
 }
 
@@ -2605,26 +2605,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|Fortinet|Fortigate|v5.6.0|00013|traffic:forward close|3|FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=vdom1 src=2.2.2.2 shost=2.2.2.2 spt=45719 deviceInboundInterface=port15 dst=3.3.3.3 dhost=3.3.3.3 dpt=80 deviceOutboundInterface=port19 FTNTFGTpoluuid=61c4243a-34ba-51e5-c32a-3859389a5162 externalId=56633 proto=6 act=close cs5=10 cs5Label=Policy Id FTNTFGTdstcountry=Reserved FTNTFGTsrccountry=Reserved FTNTFGTtrandisp=snat sourceTranslatedAddress=1.1.1.1 sourceTranslatedPort=45719 app=HTTP FTNTFGTappid=38783 FTNTFGTapp=Wget.Like FTNTFGTappcat=General.Interest FTNTFGTapprisk=low FTNTFGTapplist=default FTNTFGTappact=detected cn1=7 cn1Label=Duration out=398 in=1605 cn2=5 cn2Label=Packets Sent cn3=5 cn3Label=Packets Received FTNTFGTutmaction=block FTNTFGTcountav=1 FTNTFGTcountapp=1 FTNTFGTcrscore=50 FTNTFGTcraction=2",
 "event": {
 "action": "close",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
+ },
+ "action": {
+ "name": "close",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
 },
 "destination": {
 "address": "3.3.3.3",
 "bytes": 398,
 "domain": "3.3.3.3",
+ "ip": "3.3.3.3",
 "packets": 5,
- "port": 80,
- "ip": "3.3.3.3"
+ "port": 80
 },
 "log": {
 "level": "notice"
 },
 "network": {
- "transport": "tcp",
- "bytes": 2003,
 "application": "HTTP",
- "protocol": "http"
+ "bytes": 2003,
+ "protocol": "http",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2641,24 +2647,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Fortinet",
 "version": "v5.6.0"
 },
- "source": {
- "bytes": 1605,
- "domain": "2.2.2.2",
- "nat": {
- "port": 45719,
- "ip": "1.1.1.1"
- },
- "packets": 5,
- "port": 45719,
- "ip": "2.2.2.2",
- "address": "2.2.2.2"
- },
- "action": {
- "name": "close",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
 "related": {
 "hosts": [
 "2.2.2.2",
@@ -2669,6 +2657,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "2.2.2.2",
 "3.3.3.3"
 ]
+ },
+ "source": {
+ "address": "2.2.2.2",
+ "bytes": 1605,
+ "domain": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "nat": {
+ "ip": "1.1.1.1",
+ "port": 45719
+ },
+ "packets": 5,
+ "port": 45719
 }
 }
 
@@ -2683,25 +2683,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "date=2018-07-26,time=16:51:36,logid=\"0000000013\",type=\"traffic\",subtype=\"forward\",level=\"notice\",vd=\"root\",eventtime=1532616695,srcip=1.1.1.1,srcport=10016,srcintf=\"test\",srcintfrole=\"undefined\",dstip=2.2.2.2,dstport=20,dstintf=\"dmz1\",dstintfrole=\"dmz\",sessionid=10006,proto=6,action=\"accept\",policyid=1,policytype=\"policy\",service=\"tcp/20\",dstcountry=\"France\",srccountry=\"United States\",trandisp=\"noop\",appid=35421,app=\"application\",appcat=\"Storage.Backup\",apprisk=\"medium\",applist=\"default\",duration=10,sentbyte=2000,rcvdbyte=1000,sentpkt=0,rcvdpkt=0,utmaction=\"allow\",countapp=1,devtype=\"iPad\",osname=\"Apple\",osversion=\"ver\",mastersrcmac=\"01:01:01:01:01:01\",srcmac=\"01:01:01:01:01:01\",srcserver=0,dstdevtype=\"Android Phone\",dstosname=\"Android\",dstosversion=\"ver\",masterdstmac=\"00:00:00:00:00:00\",dstmac=\"00:00:00:00:00:00\",dstserver=0,utmref=65491-194",
 "event": {
 "action": "accept",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2018-07-26T14:51:35Z",
+ "action": {
+ "name": "accept",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "2.2.2.2",
 "bytes": 1000,
+ "ip": "2.2.2.2",
 "mac": "00:00:00:00:00:00",
 "packets": 0,
- "port": 20,
- "ip": "2.2.2.2"
+ "port": 20
 },
 "fortinet": {
 "fortigate": {
+ "apprisk": "medium",
 "event": {
 "type": "traffic"
 },
- "apprisk": "medium",
 "virtual_domain": "root"
 }
 },
@@ -2709,10 +2715,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "level": "notice"
 },
 "network": {
- "transport": "tcp",
- "bytes": 3000,
 "application": "application",
- "protocol": "tcp/20"
+ "bytes": 3000,
+ "protocol": "tcp/20",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2726,30 +2732,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "related": {
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
 "rule": {
+ "apprisk": "medium",
 "category": "Storage.Backup",
- "ruleset": "default",
- "apprisk": "medium"
+ "ruleset": "default"
 },
 "source": {
+ "address": "1.1.1.1",
 "bytes": 2000,
+ "ip": "1.1.1.1",
 "mac": "01:01:01:01:01:01",
 "packets": 0,
- "port": 10016,
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "action": {
- "name": "accept",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
- "related": {
- "ip": [
- "1.1.1.1",
- "2.2.2.2"
- ]
+ "port": 10016
 }
 }
 
@@ -2764,25 +2764,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "date=2018-07-26 time=16:51:36 logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1532616695 srcip=1.1.1.1 srcport=10016 srcintf=\"test\" srcintfrole=\"undefined\" dstip=2.2.2.2 dstport=20 dstintf=\"test1\" dstintfrole=\"dmz\" sessionid=10006 proto=6 action=\"accept\" policyid=1 policytype=\"policy\" service=\"tcp/20\" dstcountry=\"France\" srccountry=\"United States\" trandisp=\"noop\" appid=35421 app=\"Dropbox_File.Download\" appcat=\"Storage.Backup\" apprisk=\"medium\" applist=\"default\" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction=\"allow\" countapp=1 devtype=\"iPad\" osname=\"Apple\" osversion=\"ver\" mastersrcmac=\"01:01:01:01:01:01\" srcmac=\"01:01:01:01:01:01\" srcserver=0 dstdevtype=\"Android Phone\" dstosname=\"Android\" dstosversion=\"ver\" masterdstmac=\"00:00:00:00:00:00\" dstmac=\"00:00:00:00:00:00\" dstserver=0 utmref=65491-194",
 "event": {
 "action": "accept",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2018-07-26T14:51:35Z",
+ "action": {
+ "name": "accept",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "2.2.2.2",
 "bytes": 1000,
+ "ip": "2.2.2.2",
 "mac": "00:00:00:00:00:00",
 "packets": 0,
- "port": 20,
- "ip": "2.2.2.2"
+ "port": 20
 },
 "fortinet": {
 "fortigate": {
+ "apprisk": "medium",
 "event": {
 "type": "traffic"
 },
- "apprisk": "medium",
 "virtual_domain": "root"
 }
 },
@@ -2790,10 +2796,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "level": "notice"
 },
 "network": {
- "transport": "tcp",
- "bytes": 3000,
 "application": "Dropbox_File.Download",
- "protocol": "tcp/20"
+ "bytes": 3000,
+ "protocol": "tcp/20",
+ "transport": "tcp"
 },
 "observer": {
 "egress": {
@@ -2807,30 +2813,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "related": {
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
 "rule": {
+ "apprisk": "medium",
 "category": "Storage.Backup",
- "ruleset": "default",
- "apprisk": "medium"
+ "ruleset": "default"
 },
 "source": {
+ "address": "1.1.1.1",
 "bytes": 2000,
+ "ip": "1.1.1.1",
 "mac": "01:01:01:01:01:01",
 "packets": 0,
- "port": 10016,
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "action": {
- "name": "accept",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
- "related": {
- "ip": [
- "1.1.1.1",
- "2.2.2.2"
- ]
+ "port": 10016
 }
 }
 
@@ -2845,16 +2845,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "date=2021-06-21 time=09:38:29 devname=\"abc\" devid=\"1\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"PRX1-AA\" eventtime=1624261109 srcip=1.1.1.1 srcport=50592 srcintf=\"port2\" srcintfrole=\"dmz\" dstip=2.2.2.2 dstport=443 dstintf=\"test\" dstintfrole=\"wan\" sessionid=1224900441 poluuid=\"1eb429d4-ff52-51ea-d119-d1db60e409a6\" dstcountry=\"United Kingdom\" srccountry=\"Reserved\" service=\"HTTPS\" wanoptapptype=\"web-proxy\" proto=6 action=\"accept\" duration=37 policyid=1 policytype=\"proxy-policy\" wanin=5851 rcvdbyte=5851 wanout=2523 lanin=2769 sentbyte=2769 lanout=5923 appcat=\"unscanned\" utmaction=\"allow\" countweb=1",
 "event": {
 "action": "accept",
+ "category": "traffic",
 "code": "0000000010",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2021-06-21T07:38:29Z",
+ "action": {
+ "name": "accept",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "2.2.2.2",
 "bytes": 5851,
- "port": 443,
- "ip": "2.2.2.2"
+ "ip": "2.2.2.2",
+ "port": 443
 },
 "fortinet": {
 "fortigate": {
@@ -2864,44 +2870,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "PRX1-AA" } }, + "host": { + "name": "abc" + }, "log": { - "level": "notice", - "hostname": "abc" + "hostname": "abc", + "level": "notice" + }, + "network": { + "bytes": 8620, + "protocol": "https", + "transport": "tcp" }, "observer": { - "hostname": "abc", - "serial_number": "1", "egress": { "interface": { "name": "test" } }, + "hostname": "abc", "ingress": { "interface": { "name": "port2" } - } - }, - "network": { - "transport": "tcp", - "bytes": 8620, - "protocol": "https" - }, - "rule": { - "category": "unscanned", - "ruleset": "proxy-policy" - }, - "source": { - "bytes": 2769, - "port": 50592, - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "action": { - "name": "accept", - "type": "forward", - "target": "network-traffic", - "outcome": "success" + }, + "serial_number": "1" }, "related": { "hosts": [ @@ -2912,14 +2905,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2.2.2.2" ] }, - "host": { - "name": "abc" - } - } - - ``` - - + "rule": { + "category": "unscanned", + "ruleset": "proxy-policy" + }, + "source": { + "address": "1.1.1.1", + "bytes": 2769, + "ip": "1.1.1.1", + "port": 50592 + } + } + + ``` + + === "traffic_forward_FTNTFGTtz.CEF.json" ```json 
@@ -2928,24 +2928,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|Fortinet|Fortigate|v6.4.9|00011|traffic:forward dns|4|deviceExternalId=FG5H0ETB19909686 FTNTFGTeventtime=1662381825920035319 FTNTFGTtz=+0200 FTNTFGTlogid=0000000011 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=warning FTNTFGTvd=root src=172.16.222.150 spt=49956 deviceInboundInterface=port1 FTNTFGTsrcintfrole=wan dst=172.18.67.10 dpt=53 deviceOutboundInterface=RWC FRANCE 2023 FTNTFGTdstintfrole=lan FTNTFGTsrccountry=Reserved FTNTFGTdstcountry=Reserved externalId=1797928567 proto=17 act=dns FTNTFGTpolicyid=30 FTNTFGTpolicytype=policy FTNTFGTpoluuid=6c8b6672-0b92-51ea-95a0-556c3c0fdb8f FTNTFGTpolicyname=CLT-RWC2023-001 FTNTFGTcentralnatid=6 app=DNS FTNTFGTappcat=unscanned FTNTFGTcrscore=5 FTNTFGTcraction=262144 FTNTFGTcrlevel=low FTNTFGTdsthwvendor=VMware FTNTFGTdstdevtype=Server FTNTFGTdstfamily=Virtual Machine FTNTFGTdstosname=Windows FTNTFGTdsthwversion=Workstation Pro FTNTFGTdstswversion=7 FTNTFGTmasterdstmac=00:50:56:86:7a:ab FTNTFGTdstmac=00:50:56:86:7a:ab FTNTFGTdstserver=0",
 "event": {
 "action": "dns",
+ "category": "traffic",
 "code": "0000000011",
- "timezone": "+0200",
 "dataset": "traffic:forward",
- "category": "traffic"
+ "timezone": "+0200"
 },
 "@timestamp": "2022-09-05T12:43:45.920035Z",
+ "action": {
+ "name": "dns",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "172.18.67.10",
- "port": 53,
- "ip": "172.18.67.10"
+ "ip": "172.18.67.10",
+ "port": 53
 },
 "log": {
 "level": "warning"
 },
 "network": {
- "transport": "udp",
 "application": "DNS",
- "protocol": "dns"
+ "protocol": "dns",
+ "transport": "udp"
 },
 "observer": {
 "egress": {
@@ -2962,22 +2968,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Fortinet",
 "version": "v6.4.9"
 },
- "source": {
- "port": 49956,
- "ip": "172.16.222.150",
- "address": "172.16.222.150"
- },
- "action": {
- "name": "dns",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
- },
 "related": {
 "ip": [
 "172.16.222.150",
 "172.18.67.10"
 ]
+ },
+ "source": {
+ "address": "172.16.222.150",
+ "ip": "172.16.222.150",
+ "port": 49956
 }
 }
 
@@ -2992,21 +2992,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "date=2018-07-26 time=14:56:21 devname=\"abc\" devid=\"1\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1609941381 srcip=1.1.1.1 srcport=52125 srcintf=\"port9\" srcintfrole=\"undefined\" dstip=3.3.3.3 dstport=3727 dstintf=\"port10\" dstintfrole=\"undefined\" poluuid=\"d77c53b2-a3c6-51e9-49b2-61c9e68c1f7e\" sessionid=578033623 proto=6 action=\"server-rst\" policyid=207 policytype=\"policy\" service=\"tcp/3727\" dstcountry=\"France\" srccountry=\"Netherlands\" trandisp=\"dnat\" tranip=2.2.2.2 tranport=3727 duration=5 sentbyte=80 rcvdbyte=40 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\" dstdevtype=\"Router/NAT Device\" dstdevcategory=\"Windows Device\" masterdstmac=\"00:00:00:00:00:00\" dstmac=\"00:00:00:00:00:00\" dstserver=1",
 "event": {
 "action": "server-rst",
+ "category": "traffic",
 "code": "0000000013",
- "dataset": "traffic:forward",
- "category": "traffic"
+ "dataset": "traffic:forward"
 },
 "@timestamp": "2021-01-06T13:56:21Z",
+ "action": {
+ "name": "server-rst",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
 "destination": {
 "address": "3.3.3.3",
 "bytes": 40,
+ "ip": "3.3.3.3",
 "mac": "00:00:00:00:00:00",
- "packets": 1,
- "port": 3727,
 "nat": {
 "ip": "2.2.2.2"
 },
- "ip": "3.3.3.3"
+ "packets": 1,
+ "port": 3727
 },
 "fortinet": {
 "fortigate": {
@@ -3016,45 +3022,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "virtual_domain": "root"
 }
 },
+ "host": {
+ "name": "abc"
+ },
 "log": {
- "level": "notice",
- "hostname": "abc"
+ "hostname": "abc",
+ "level": "notice"
+ },
+ "network": {
+ "bytes": 120,
+ "protocol": "tcp/3727",
+ "transport": "tcp"
 },
 "observer": {
- "hostname": "abc",
- "serial_number": "1",
 "egress": {
 "interface": {
 "name": "port10"
 }
 },
+ "hostname": "abc",
 "ingress": {
 "interface": {
 "name": "port9"
 }
- }
- },
- "network": {
- "transport": "tcp",
- "bytes": 120,
- "protocol": "tcp/3727"
- },
- "rule": {
- "category": "unscanned",
- "ruleset": "policy"
- },
- "source": {
- "bytes": 80,
- "packets": 2,
- "port": 52125,
- "ip": "1.1.1.1",
- "address": "1.1.1.1"
- },
- "action": {
- "name": "server-rst",
- "type": "forward",
- "target": "network-traffic",
- "outcome": "success"
+ },
+ "serial_number": "1"
 },
 "related": {
 "hosts": [
@@ -3066,8 +3058,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "3.3.3.3"
 ]
 },
- "host": {
- "name": "abc"
+ "rule": {
+ "category": "unscanned",
+ "ruleset": "policy"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 80,
+ "ip": "1.1.1.1",
+ "packets": 2,
+ "port": 52125
 }
 }
 
@@ -3082,13 +3082,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "logver=60 timestamp=1566916060 tz=\"UTC+2\" devname=\"abc\" devid=\"1\" vd=\"IPSEC\" date=2019-08-27 time=16:27:40 logid=\"0101039949\" type=\"event\" subtype=\"vpn\" level=\"information\" eventtime=1566916060 logdesc=\"SSL VPN statistics\" action=\"tunnel-stats\" tunneltype=\"ssl-tunnel\" tunnelid=1995 remip=1.1.1.1 tunnelip=2.2.2.2 user=\"test\" group=\"GRP_Generic_JAIL_VPN\" dst_host=\"N/A\" nextstat=600 duration=8437 sentbyte=71524041 rcvdbyte=6151809 msg=\"SSL tunnel statistics\"\n",
 "event": {
 "action": "tunnel-stats",
+ "category": "event",
 "code": "0101039949",
- "reason": "SSL tunnel statistics",
- "timezone": "UTC+2",
 "dataset": "event:vpn",
- "category": "event"
+ "reason": "SSL tunnel statistics",
+ "timezone": "UTC+2"
 },
 "@timestamp": "2019-08-27T14:27:40Z",
+ "action": {
+ "name": "tunnel-stats",
+ "outcome": "success",
+ "outcome_reason": "SSL tunnel statistics",
+ "target": "network-traffic",
+ "type": "vpn"
+ },
 "destination": {
 "bytes": 6151809
 },
@@ -3097,58 +3104,51 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "type": "event"
 },
- "virtual_domain": "IPSEC",
 "tunnel": {
- "type": "ssl-tunnel",
 "id": "1995",
- "ip": "2.2.2.2"
- }
+ "ip": "2.2.2.2",
+ "type": "ssl-tunnel"
+ },
+ "virtual_domain": "IPSEC"
 }
 },
+ "host": {
+ "name": "abc"
+ },
 "log": {
- "level": "information",
 "description": "SSL VPN statistics",
- "hostname": "abc"
- },
- "observer": {
 "hostname": "abc",
- "serial_number": "1"
- },
- "source": {
- "bytes": 71524041,
- "ip": "1.1.1.1",
- "nat": {
- "ip": "2.2.2.2"
- },
- "user": {
- "name": "test"
- },
- "address": "1.1.1.1"
+ "level": "information"
 },
 "network": {
 "bytes": 77675850
 },
- "action": {
- "name": "tunnel-stats",
- "type": "vpn",
- "outcome_reason": "SSL tunnel statistics",
- "target": "network-traffic",
- "outcome": "success"
+ "observer": {
+ "hostname": "abc",
+ "serial_number": "1"
 },
 "related": {
 "hosts": [
 "abc"
 ],
- "user": [
- "test"
- ],
 "ip": [
 "1.1.1.1",
 "2.2.2.2"
+ ],
+ "user": [
+ "test"
 ]
 },
- "host": {
- "name": "abc"
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 71524041,
+ "ip": "1.1.1.1",
+ "nat": {
+ "ip": "2.2.2.2"
+ },
+ "user": {
+ "name": "test"
+ }
 }
 }
 
@@ -3163,55 +3163,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " time=12:02:57 devname=\"abc\" devid=\"1\" logid=\"0101037141\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"root\" eventtime=1614855777 logdesc=\"IPsec tunnel statistics\" msg=\"IPsec tunnel statistics\" action=\"tunnel-stats\" remip=1.1.1.1 locip=93.187.43.9 remport=500 locport=500 outintf=\"N/A\" cookies=\"9b064274e0648c03/662c2b1264a2295e\" user=\"N/A\" group=\"N/A\" xauthuser=\"N/A\" xauthgroup=\"N/A\" assignip=N/A vpntunnel=\"VPN-HELPLINE\" tunnelip=N/A tunnelid=0 tunneltype=\"ipsec\" duration=102908570 sentbyte=7649 rcvdbyte=0 nextstat=600", "event": { "action": "tunnel-stats", + "category": "event", "code": "0101037141", - "reason": "IPsec tunnel statistics", "dataset": "event:vpn", - "category": "event" + "reason": "IPsec tunnel statistics" }, "@timestamp": "2021-03-04T11:02:57Z", + "action": { + "name": "tunnel-stats", + "outcome": "success", + "outcome_reason": "IPsec tunnel statistics", + "target": "network-traffic", + "type": "vpn" + }, "destination": { + "address": "93.187.43.9", "bytes": 0, - "port": 500, "ip": "93.187.43.9", - "address": "93.187.43.9" + "port": 500 }, "fortinet": { "fortigate": { "event": { "type": "event" }, - "virtual_domain": "root", "tunnel": { + "id": "0", "name": "VPN-HELPLINE", - "type": "ipsec", - "id": "0" - } + "type": "ipsec" + }, + "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "log": { - "level": "notice", "description": "IPsec tunnel statistics", - "hostname": "abc" - }, - "observer": { "hostname": "abc", - "serial_number": "1" - }, - "source": { - "bytes": 7649, - "port": 500, - "ip": "1.1.1.1", - "address": "1.1.1.1" + "level": "notice" }, "network": { "bytes": 7649 }, - "action": { - "name": "tunnel-stats", - "type": "vpn", - "outcome_reason": "IPsec tunnel statistics", - "target": "network-traffic", - "outcome": "success" + "observer": { + "hostname": "abc", + "serial_number": "1" 
}, "related": { "hosts": [ @@ -3222,8 +3219,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "93.187.43.9" ] }, - "host": { - "name": "abc" + "source": { + "address": "1.1.1.1", + "bytes": 7649, + "ip": "1.1.1.1", + "port": 500 } } @@ -3238,13 +3238,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " time=14:38:46 devname=\"abc\" devid=\"1\" logid=\"0101041987\" type=\"event\" subtype=\"vpn\" level=\"information\" vd=\"root\" eventtime=1615469926 logdesc=\"Certificate updated\" action=\"info\" cert-type=\"CRL\" status=\"success\" name=\"CRL_1\" method=\"HTTP\" reason=\"N/A\" msg=\"A certificate is updated\"", "event": { "action": "CRL_1", + "category": "event", "code": "0101041987", - "reason": "A certificate is updated", "dataset": "event:vpn", - "category": "event", - "provider": "HTTP" + "provider": "HTTP", + "reason": "A certificate is updated" }, "@timestamp": "2021-03-11T13:38:46Z", + "action": { + "name": "CRL_1", + "outcome": "success", + "outcome_reason": "A certificate is updated", + "target": "network-traffic", + "type": "vpn" + }, "fortinet": { "fortigate": { "event": { @@ -3253,34 +3260,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "virtual_domain": "root" } }, + "host": { + "name": "abc" + }, "http": { "request": { "method": "HTTP" } }, "log": { - "level": "information", "description": "Certificate updated", - "hostname": "abc" + "hostname": "abc", + "level": "information" }, "observer": { "hostname": "abc", "serial_number": "1" }, - "action": { - "name": "CRL_1", - "type": "vpn", - "outcome": "success", - "outcome_reason": "A certificate is updated", - "target": "network-traffic" - }, "related": { "hosts": [ "abc" ] - }, - "host": { - "name": "abc" } } 
@@ -3295,61 +3295,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=17:43:43 devname=\"FW-FOOBAR\" devid=\"FG123\" eventtime=1665675824075327440 tz=\"+0200\" logid=\"0101039426\" type=\"event\" subtype=\"vpn\" level=\"alert\" vd=\"root\" logdesc=\"SSL VPN login fail\" action=\"ssl-login-fail\" tunneltype=\"ssl-web\" tunnelid=0 remip=1.1.1.1 user=\"CN = foo.bar.baz.com\" group=\"N/A\" dst_host=\"N/A\" reason=\"sslvpn_login_cert_checked_error\" msg=\"SSL user failed to logged in\"", "event": { "action": "ssl-login-fail", + "category": "event", "code": "0101039426", - "reason": "sslvpn_login_cert_checked_error", - "timezone": "+0200", "dataset": "event:vpn", - "category": "event" + "reason": "sslvpn_login_cert_checked_error", + "timezone": "+0200" }, "@timestamp": "2022-10-13T15:43:44.075328Z", + "action": { + "name": "ssl-login-fail", + "outcome": "success", + "outcome_reason": "SSL user failed to logged in", + "target": "network-traffic", + "type": "vpn" + }, "fortinet": { "fortigate": { "event": { "type": "event" }, - "virtual_domain": "root", "tunnel": { - "type": "ssl-web", - "id": "0" - } + "id": "0", + "type": "ssl-web" + }, + "virtual_domain": "root" } }, + "host": { + "name": "FW-FOOBAR" + }, "log": { - "level": "alert", "description": "SSL VPN login fail", - "hostname": "FW-FOOBAR" + "hostname": "FW-FOOBAR", + "level": "alert" }, "observer": { "hostname": "FW-FOOBAR", "serial_number": "FG123" }, - "source": { - "ip": "1.1.1.1", - "user": { - "name": "CN = foo.bar.baz.com" - }, - "address": "1.1.1.1" - }, - "action": { - "name": "ssl-login-fail", - "type": "vpn", - "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", - "outcome": "success" - }, "related": { "hosts": [ "FW-FOOBAR" ], - "user": [ - "CN = foo.bar.baz.com" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "CN = foo.bar.baz.com" ] }, - "host": { - "name": "FW-FOOBAR" + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + 
"user": { + "name": "CN = foo.bar.baz.com" + } } } @@ -3364,46 +3364,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "time=17:43:43 devname=\"FW-FOOBAR\" devid=\"FG123\" eventtime=1665675824075327440 tz=\"+0200\" logid=\"0101039426\" type=\"event\" subtype=\"vpn\" level=\"alert\" vd=\"root\" logdesc=\"SSL VPN login fail\" action=\"ssl-login-fail\" tunneltype=\"ssl-web\" tunnelid=0 remip=\"N/A\" user=\"CN = foo.bar.baz.com\" group=\"N/A\" dst_host=\"N/A\" reason=\"sslvpn_login_cert_checked_error\" msg=\"SSL user failed to logged in\"", "event": { "action": "ssl-login-fail", + "category": "event", "code": "0101039426", - "reason": "sslvpn_login_cert_checked_error", - "timezone": "+0200", "dataset": "event:vpn", - "category": "event" + "reason": "sslvpn_login_cert_checked_error", + "timezone": "+0200" }, "@timestamp": "2022-10-13T15:43:44.075328Z", + "action": { + "name": "ssl-login-fail", + "outcome": "success", + "outcome_reason": "SSL user failed to logged in", + "target": "network-traffic", + "type": "vpn" + }, "fortinet": { "fortigate": { "event": { "type": "event" }, - "virtual_domain": "root", "tunnel": { - "type": "ssl-web", - "id": "0" - } + "id": "0", + "type": "ssl-web" + }, + "virtual_domain": "root" } }, + "host": { + "name": "FW-FOOBAR" + }, "log": { - "level": "alert", "description": "SSL VPN login fail", - "hostname": "FW-FOOBAR" + "hostname": "FW-FOOBAR", + "level": "alert" }, "observer": { "hostname": "FW-FOOBAR", "serial_number": "FG123" }, - "source": { - "user": { - "name": "CN = foo.bar.baz.com" - } - }, - "action": { - "name": "ssl-login-fail", - "type": "vpn", - "outcome_reason": "SSL user failed to logged in", - "target": "network-traffic", - "outcome": "success" - }, "related": { "hosts": [ "FW-FOOBAR" 
@@ -3412,8 +3410,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "CN = foo.bar.baz.com" ] }, - "host": { - "name": "FW-FOOBAR" + "source": { + "user": { + "name": "CN = foo.bar.baz.com" + } } } 
@@ -3428,32 +3428,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Fortinet|Fortigate|v6.0.3|13056|utm:webfilter ftgd_blk blocked|4|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=0316013056 cat=utm:webfilter FTNTFGTsubtype=webfilter FTNTFGTeventtype=ftgd_blk FTNTFGTlevel=warning FTNTFGTvd=vdom1 FTNTFGTeventtime=1545938629 FTNTFGTpolicyid=1 externalId=764 duser=Domain\\\\\\\\bob src=10.1.100.11 spt=59194 deviceInboundInterface=port12 FTNTFGTsrcintfrole=undefined dst=185.230.61.185 dpt=80 deviceOutboundInterface=port11 FTNTFGTdstintfrole=undefined proto=6 app=HTTP dhost=ambrishsriv.wixsite.com FTNTFGTprofile=g-default act=blocked FTNTFGTreqtype=direct request=/bizsquads out=96 in=0 deviceDirection=1 msg=URL belongs to a denied category in policy FTNTFGTmethod=domain FTNTFGTcat=26 requestContext=Malicious Websites FTNTFGTcrscore=60 FTNTFGTcrlevel=high", "event": { "action": "blocked", + "category": "utm", "code": "0316013056", - "reason": "URL belongs to a denied category in policy", "dataset": "utm:webfilter", - "category": "utm" + "reason": "URL belongs to a denied category in policy" }, "@timestamp": "2018-12-27T19:23:49Z", + "action": { + "name": "blocked", + "outcome": "success", + "outcome_reason": "URL belongs to a denied category in policy", + "target": "network-traffic", + "type": "ftgd_blk - webfilter" + }, "destination": { "address": "185.230.61.185", "bytes": 96, "domain": "ambrishsriv.wixsite.com", - "port": 80, "ip": "185.230.61.185", + "port": 80, "user": { - "name": "bob", - "domain": "Domain" + "domain": "Domain", + "name": "bob" } }, "log": { "level": "warning" }, "network": { - "transport": "tcp", - "bytes": 96, "application": "HTTP", + "bytes": 96, + "direction": "outbound", "protocol": "http", - "direction": "outbound" + "transport": "tcp" }, "observer": { "egress": { 
@@ -3470,37 +3477,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "Fortinet", "version": "v6.0.3" }, + "related": { + "hosts": [ + "ambrishsriv.wixsite.com" + ], + "ip": [ + "10.1.100.11", + "185.230.61.185" + ], + "user": [ + "bob" + ] + }, "rule": { "category": "Malicious Websites" }, "source": { + "address": "10.1.100.11", "bytes": 0, - "port": 59194, "ip": "10.1.100.11", - "address": "10.1.100.11" + "port": 59194 }, "url": { "original": "/bizsquads", "path": "/bizsquads" - }, - "action": { - "name": "blocked", - "type": "ftgd_blk - webfilter", - "outcome_reason": "URL belongs to a denied category in policy", - "target": "network-traffic", - "outcome": "success" - }, - "related": { - "user": [ - "bob" - ], - "hosts": [ - "ambrishsriv.wixsite.com" - ], - "ip": [ - "10.1.100.11", - "185.230.61.185" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md index 5c4f234e51..9be995b7df 100644 --- a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md +++ b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md 
@@ -36,8 +36,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Action\":\"\",\"Allowed\":true,\"AppDomain\":\"sekoiaio.cloudflareaccess.com/cdn-cgi/access/sso/saml/c4d0a525391e32821996da07ec86781977836c14341048dd16c4bb8173741238\",\"AppUUID\":\"123e233b-253e-7890-8844-08123123123a\",\"Connection\":\"onetimepin\",\"Country\":\"fr\",\"CreatedAt\":\"2023-02-24T14:52:47Z\",\"Email\":\"john.doe@mock.com\",\"IPAddress\":\"78.101.123.45\",\"PurposeJustificationPrompt\":\"\",\"PurposeJustificationResponse\":\"\",\"RayID\":\"79e906eb5dc32123\",\"TemporaryAccessApprovers\":[],\"TemporaryAccessDuration\":0,\"UserUID\":\"123f6715-400f-5fae-a345-d28191234123\"}", "event": { "category": [ - "network", - "authentication" + "authentication", + "network" ], "dataset": "access_requests", "kind": "event", 
@@ -47,43 +47,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2023-02-24T14:52:47Z", "client": { - "ip": "78.101.123.45", - "address": "78.101.123.45" + "address": "78.101.123.45", + "ip": "78.101.123.45" + }, + "cloudflare": { + "AppUUID": "123e233b-253e-7890-8844-08123123123a", + "Connection": "onetimepin", + "RayID": "79e906eb5dc32123", + "TemporaryAccessDuration": 0 }, "observer": { "type": "proxy", "vendor": "Cloudflare" }, - "url": { - "domain": "sekoiaio.cloudflareaccess.com/cdn-cgi/access/sso/saml/c4d0a525391e32821996da07ec86781977836c14341048dd16c4bb8173741238", - "top_level_domain": "com", - "subdomain": "sekoiaio", - "registered_domain": "cloudflareaccess.com" - }, - "user": { - "email": "john.doe@mock.com", - "id": "123f6715-400f-5fae-a345-d28191234123" + "related": { + "hosts": [ + "sekoiaio.cloudflareaccess.com/cdn-cgi/access/sso/saml/c4d0a525391e32821996da07ec86781977836c14341048dd16c4bb8173741238" + ], + "ip": [ + "78.101.123.45" + ] }, "source": { + "address": "78.101.123.45", "geo": { "country_iso_code": "fr" }, - "ip": "78.101.123.45", - "address": "78.101.123.45" + "ip": "78.101.123.45" }, - "cloudflare": { - "AppUUID": "123e233b-253e-7890-8844-08123123123a", - "Connection": "onetimepin", - "RayID": "79e906eb5dc32123", - "TemporaryAccessDuration": 0 + "url": { + "domain": "sekoiaio.cloudflareaccess.com/cdn-cgi/access/sso/saml/c4d0a525391e32821996da07ec86781977836c14341048dd16c4bb8173741238", + "registered_domain": "cloudflareaccess.com", + "subdomain": "sekoiaio", + "top_level_domain": "com" }, - "related": { - "ip": [ - "78.101.123.45" - ], - "hosts": [ - "sekoiaio.cloudflareaccess.com/cdn-cgi/access/sso/saml/c4d0a525391e32821996da07ec86781977836c14341048dd16c4bb8173741238" - ] + "user": { + "email": "john.doe@mock.com", + "id": "123f6715-400f-5fae-a345-d28191234123" } } 
diff --git a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md index ae9ce00869..7a280b87b7 100644 --- a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md +++ b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md @@ -37,29 +37,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 19:27:57 CET: %ARP-2-DUP_SRC_IP: arp [20856] Source address of packet received from 0050.5683.69cd on Vlan756(port-channel100) is duplicate of local, 10.30.38.5 (message repeated 1 time)", "event": { - "kind": "event", "category": [ "host" ], + "code": "DUP_SRC_IP", + "kind": "event", + "reason": "arp [20856] Source address of packet received from 0050.5683.69cd on Vlan756(port-channel100) is duplicate of local, 10.30.38.5 (message repeated 1 time)", + "severity": 2, "type": [ "info" - ], - "severity": 2, - "code": "DUP_SRC_IP", - "reason": "arp [20856] Source address of packet received from 0050.5683.69cd on Vlan756(port-channel100) is duplicate of local, 10.30.38.5 (message repeated 1 time)" + ] }, "@timestamp": "2023-01-11T18:27:57Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "source": { - "ip": "10.30.38.5", - "address": "10.30.38.5" - }, - "host": { - "mac": "00:50:56:83:69:CD" - }, "cisco": { "nxos": { "event": { @@ -73,10 +62,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "host": { + "mac": "00:50:56:83:69:CD" + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" + }, "related": { "ip": [ "10.30.38.5" ] + }, + "source": { + "address": "10.30.38.5", + "ip": "10.30.38.5" } } 
@@ -90,31 +90,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 15 00:31:52 CET: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 1.2.3.4 - dcos_sshd[6531]", "event": { - "kind": "event", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 3, "code": "SYSTEM_MSG", + "kind": "event", + "module": "pam", "reason": "pam_aaa:Authentication failed from 1.2.3.4 - dcos_sshd[6531]", - "module": "pam" + "severity": 3, + "type": [ + "info" + ] }, "@timestamp": "2023-01-14T23:31:52Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "process": { - "pid": 6531, - "name": "dcos_sshd" - }, "cisco": { "nxos": { "event": { @@ -123,10 +111,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" + }, + "process": { + "name": "dcos_sshd", + "pid": 6531 + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -140,34 +140,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 15 00:31:52 CET: %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user USERID from 4.3.6.5 - dcos_sshd[6526]", "event": { - "kind": "event", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 3, "code": "SYSTEM_MSG", + "kind": "event", + "module": "pam", "reason": "error: PAM: Authentication failure for illegal user USERID from 4.3.6.5 - dcos_sshd[6526]", - "module": "pam" + "severity": 3, + "type": [ + "info" + ] }, "@timestamp": "2023-01-14T23:31:52Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "source": { - "ip": "4.3.6.5", - "address": "4.3.6.5" - }, - "user": { - "name": "USERID" - }, - "process": { - "pid": 6526, - "name": "dcos_sshd" - }, "cisco": { "nxos": { "event": { 
@@ -176,6 +161,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" + }, + "process": { + "name": "dcos_sshd", + "pid": 6526 + }, "related": { "ip": [ "4.3.6.5" @@ -183,6 +176,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "USERID" ] + }, + "source": { + "address": "4.3.6.5", + "ip": "4.3.6.5" + }, + "user": { + "name": "USERID" } } @@ -196,23 +196,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 17 12:23:16 CET: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/38 (description:SRV-01) is down (Administratively down)", "event": { - "kind": "event", + "action": "down", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 5, "code": "IF_DOWN_ADMIN_DOWN", + "kind": "event", "reason": "Administratively down", - "action": "down" + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2023-01-17T11:23:16Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -224,6 +220,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -237,23 +237,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 17 12:23:15 CET: %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet1/38 (description:SRV-01) is down(Config change)", "event": { - "kind": "event", + "action": "down", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 5, "code": "IF_DOWN_CFG_CHANGE", + "kind": "event", "reason": "Config change", - "action": "down" + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2023-01-17T11:23:15Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { 
@@ -265,6 +261,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -278,22 +278,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 18:43:54 CET: %ETHPORT-5-IF_DUPLEX: Interface Ethernet1/38, operational duplex mode changed to Full", "event": { - "kind": "event", "category": [ "host" ], + "code": "IF_DUPLEX", + "kind": "event", + "reason": "operational duplex mode changed to Full", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "IF_DUPLEX", - "reason": "operational duplex mode changed to Full" + ] }, "@timestamp": "2023-01-11T17:43:54Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -305,6 +301,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -318,22 +318,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 18:43:54 CET: %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet1/38, operational Receive Flow Control state changed to off", "event": { - "kind": "event", "category": [ "host" ], + "code": "IF_RX_FLOW_CONTROL", + "kind": "event", + "reason": "operational Receive Flow Control state changed to off", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "IF_RX_FLOW_CONTROL", - "reason": "operational Receive Flow Control state changed to off" + ] }, "@timestamp": "2023-01-11T17:43:54Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -345,6 +341,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } 
@@ -358,22 +358,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 18:43:54 CET: %ETHPORT-5-SPEED: Interface Ethernet1/38, operational speed changed to 1 Gbps", "event": { - "kind": "event", "category": [ "host" ], + "code": "SPEED", + "kind": "event", + "reason": "operational speed changed to 1 Gbps", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "SPEED", - "reason": "operational speed changed to 1 Gbps" + ] }, "@timestamp": "2023-01-11T17:43:54Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -385,6 +381,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -398,23 +398,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 17 12:23:02 CET: %ETHPORT-5-IF_UP: Interface Ethernet1/38 (description:SRV-01) is up in mode access", "event": { - "kind": "event", + "action": "up", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 5, "code": "IF_UP", + "kind": "event", "reason": "Interface Ethernet1/38 (description:SRV-01) is up in mode access", - "action": "up" + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2023-01-17T11:23:02Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -426,6 +422,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } 
@@ -439,23 +439,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 16:46:31 CET: %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel110 is down (No operational members)", "event": { - "kind": "event", + "action": "down", "category": [ "host" ], - "type": [ - "info" - ], - "severity": 5, "code": "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", + "kind": "event", "reason": "No operational members", - "action": "down" + "severity": 5, + "type": [ + "info" + ] }, "@timestamp": "2023-01-11T15:46:31Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -467,6 +463,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -480,22 +480,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 16:46:45 CET: %ETH_PORT_CHANNEL-5-PORT_SUSPENDED: Ethernet1/38: Ethernet1/38 is suspended", "event": { - "kind": "event", "category": [ "host" ], + "code": "PORT_SUSPENDED", + "kind": "event", + "reason": "Ethernet1/38 is suspended", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "PORT_SUSPENDED", - "reason": "Ethernet1/38 is suspended" + ] }, "@timestamp": "2023-01-11T15:46:45Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, "cisco": { "nxos": { "event": { @@ -507,6 +503,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } 
@@ -520,25 +520,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 13 02:11:53 CET: %USER-3-SYSTEM_MSG: Failed to open file: No such file or directory - securityd", "event": { - "kind": "event", "category": [ "host" ], + "code": "SYSTEM_MSG", + "kind": "event", + "reason": "No such file or directory", + "severity": 3, "type": [ "info" - ], - "severity": 3, - "code": "SYSTEM_MSG", - "reason": "No such file or directory" + ] }, "@timestamp": "2023-01-13T01:11:53Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "file": { - "name": "securityd" - }, "cisco": { "nxos": { "event": { @@ -546,6 +539,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outcome": "failure" } } + }, + "file": { + "name": "securityd" + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" } } @@ -559,44 +559,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 19:06:23 CET: %VSHD-5-VSHD_SYSLOG_CMD_EXEC: User:jdoe executed the command:securityd", "event": { - "kind": "event", "category": [ "host" ], + "code": "VSHD_SYSLOG_CMD_EXEC", + "kind": "event", + "reason": "User:jdoe executed the command:securityd", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "VSHD_SYSLOG_CMD_EXEC", - "reason": "User:jdoe executed the command:securityd" + ] }, "@timestamp": "2023-01-11T18:06:23Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" + "cisco": { + "nxos": { + "event": { + "facility": "VSHD" + } + } }, - "user": { - "name": "jdoe" + "observer": { + "product": "NX-OS", + "vendor": "Cisco" }, "process": { - "command_line": "securityd", "args": [ "securityd" ], + "command_line": "securityd", "executable": "securityd", "name": "securityd" }, - "cisco": { - "nxos": { - "event": { - "facility": "VSHD" - } - } - }, "related": { "user": [ "jdoe" ] + }, + "user": { + "name": "jdoe" } } 
@@ -610,29 +610,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 19:00:56 CET: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by jdoe on 1.2.3.4@pts/0", "event": { - "kind": "event", "category": [ "host" ], + "code": "VSHD_SYSLOG_CONFIG_I", + "kind": "event", + "reason": "Configured from vty by jdoe on 1.2.3.4@pts/0", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "VSHD_SYSLOG_CONFIG_I", - "reason": "Configured from vty by jdoe on 1.2.3.4@pts/0" + ] }, "@timestamp": "2023-01-11T18:00:56Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "destination": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "jdoe" - }, "cisco": { "nxos": { "event": { @@ -643,6 +632,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" + }, "related": { "ip": [ "1.2.3.4" @@ -650,6 +647,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jdoe" ] + }, + "user": { + "name": "jdoe" } } @@ -663,25 +663,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023 Jan 11 19:00:56 CET: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by jdoe on console", "event": { - "kind": "event", "category": [ "host" ], + "code": "VSHD_SYSLOG_CONFIG_I", + "kind": "event", + "reason": "Configured from vty by jdoe on console", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "code": "VSHD_SYSLOG_CONFIG_I", - "reason": "Configured from vty by jdoe on console" + ] }, "@timestamp": "2023-01-11T18:00:56Z", - "observer": { - "vendor": "Cisco", - "product": "NX-OS" - }, - "user": { - "name": "jdoe" - }, "cisco": { "nxos": { "event": { 
@@ -692,10 +685,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "product": "NX-OS", + "vendor": "Cisco" + }, "related": { "user": [ "jdoe" ] + }, + "user": { + "name": "jdoe" } } diff --git a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md new file mode 100644 index 0000000000..a228ccfa71 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md 
@@ -0,0 +1,114 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `DNS records` | Both DNS queries and responses handled by the SonicWall domain name servers can be recorded. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `network` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event.json" + + ```json + + { + "message": "id=sslvpn sn=111111111111 time=\"2023-09-18 07:43:15\" vp_time=\"2023-09-18 05:43:15 UTC\" fw=5.6.7.8 pri=5 m=1 c=1 src=1.2.3.4 dst=\"off0123.example.com\" user=\"JDOE@OFF0123\" usr=\"JDOE@OFF0123\" msg=\"User login successful\" portal=\"off0123\" domain=\"off0123\" agent=\"SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64\"", + "event": { + "kind": "event", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "observer": { + "vendor": "SonicWall", + "product": "Secure Mobile Access", + "type": "firewall", + "ip": [ + "5.6.7.8" + ] + }, + "@timestamp": "2023-09-18T05:43:15Z", + "source": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "destination": { + "address": "off0123.example.com" + }, + "user_agent": { + "original": "SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64", + "device": { + "name": "Other" + }, + "name": "IE", + "version": "7.0", + "os": { + "name": "Windows", + "version": "10" + } + }, + "user": { + "name": "JDOE", + "domain": "OFF0123" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed 
and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`destination.address` | `keyword` | Destination network address. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`observer.ip` | `ip` | IP addresses of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`source.ip` | `ip` | IP address of the source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md index 1f13499357..b2b196cc62 100644 --- a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md +++ b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md 
@@ -36,78 +36,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-08-29T15:03:25.4715017Z\",\"resourceId\":\"/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ\",\"category\":\"FrontDoorAccessLog\",\"operationName\":\"Microsoft.Cdn/Profiles/AccessLog/Write\",\"properties\":{\"trackingReference\":\"0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==\",\"httpMethod\":\"GET\",\"httpVersion\":\"1.1.0.0\",\"requestUri\":\"http://example.1.azurefd.net:80/\",\"requestBytes\":\"109\",\"responseBytes\":\"221\",\"userAgent\":\"curl/7.77.0\",\"clientIp\":\"1.2.3.4\",\"socketIp\":\"1.2.3.4\",\"clientPort\":\"53170\",\"timeToFirstByte\":\"0.002\",\"timeTaken\":\"0.002\",\"requestProtocol\":\"HTTP\",\"securityProtocol\":\"\",\"endpoint\":\"example.1.azurefd.net\",\"routingRuleName\":\"example.1.azurefd.net\",\"rulesEngineMatchNames\":[\"DefaultHttpsRedirectRule\"],\"httpStatusCode\":\"307\",\"httpStatusDetails\":\"307\",\"pop\":\"PAR\",\"cacheStatus\":\"CONFIG_NOCACHE\",\"ErrorInfo\":\"NoError\",\"hostName\":\"example.1.azurefd.net\",\"originUrl\":\"N/A\",\"originIp\":\"N/A\",\"originName\":\"N/A\",\"referer\":\"\",\"clientCountry\":\"France\",\"domain\":\"example.1.azurefd.net:80\",\"securityCipher\":\"\"}}\n", "event": { - "kind": "event", "category": [ "web" ], - "module": "azure.waf", "dataset": "access", + "kind": "event", + "module": "azure.waf", "type": [ "access" ] }, "@timestamp": "2022-08-29T15:03:25.471501Z", + "azure_front_door": { + "category": "FrontDoorAccessLog", + "operation_name": "Microsoft.Cdn/Profiles/AccessLog/Write", + "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", + "tracking_reference": 
"0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==" + }, "cloud": { "provider": "azure" }, - "observer": { - "vendor": "Microsoft", - "product": "Azure Front Door", - "hostname": "example.1.azurefd.net" - }, - "source": { - "port": 53170, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "http": { "request": { - "method": "GET", - "bytes": 109 + "bytes": 109, + "method": "GET" }, "response": { - "status_code": 307, - "bytes": 221 + "bytes": 221, + "status_code": 307 }, "version": "1.1" }, + "network": { + "protocol": "HTTP" + }, + "observer": { + "hostname": "example.1.azurefd.net", + "product": "Azure Front Door", + "vendor": "Microsoft" + }, + "related": { + "hosts": [ + "example.1.azurefd.net" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 53170 + }, "url": { - "original": "http://example.1.azurefd.net:80/", "domain": "example.1.azurefd.net", - "top_level_domain": "net", - "subdomain": "example.1", - "registered_domain": "azurefd.net", + "original": "http://example.1.azurefd.net:80/", "path": "/", "port": 80, - "scheme": "http" + "registered_domain": "azurefd.net", + "scheme": "http", + "subdomain": "example.1", + "top_level_domain": "net" }, "user_agent": { - "original": "curl/7.77.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.77.0", + "original": "curl/7.77.0", "os": { "name": "Other" - } - }, - "network": { - "protocol": "HTTP" - }, - "azure_front_door": { - "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", - "category": "FrontDoorAccessLog", - "tracking_reference": "0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==", - "operation_name": "Microsoft.Cdn/Profiles/AccessLog/Write" - }, - "related": { - "hosts": [ - "example.1.azurefd.net" - ], - "ip": [ - "1.2.3.4" - ] + }, + 
"version": "7.77.0" } } @@ -121,24 +121,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-08-28T13:01:19.0427677Z\",\"resourceId\":\"/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ\",\"category\":\"FrontDoorHealthProbeLog\",\"operationName\":\"Microsoft.Cdn/Profiles/FrontDoorHealthProbeLog/Write\",\"properties\":{\"healthProbeId\":\"A07EBB1B3DF34A71A8AC75CBA4C33607\",\"POP\":\"BUD\",\"httpVerb\":\"HEAD\",\"result\":\"OriginError\",\"httpStatusCode\":\"301\",\"probeURL\":\"http://example.azurestaticapps.net:80/\",\"originName\":\"example.azurestaticapps.net\",\"originIP\":\"1.2.3.4\",\"totalLatencyMilliseconds\":\"97\",\"connectionLatencyMilliseconds\":\"24\",\"DNSLatencyMicroseconds\":\"48133\"}}", "event": { - "kind": "event", "category": [ "web" ], - "module": "azure.waf", "dataset": "health", + "kind": "event", + "module": "azure.waf", "type": [ "info" ] }, "@timestamp": "2022-08-28T13:01:19.042767Z", + "azure_front_door": { + "category": "FrontDoorHealthProbeLog", + "health_probe_id": "A07EBB1B3DF34A71A8AC75CBA4C33607", + "operation_name": "Microsoft.Cdn/Profiles/FrontDoorHealthProbeLog/Write", + "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ" + }, "cloud": { "provider": "azure" }, - "observer": { - "vendor": "Microsoft", - "product": "Azure Front Door" - }, "http": { "request": { "method": "HEAD" 
@@ -147,30 +149,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 301 } }, - "url": { - "original": "http://example.azurestaticapps.net:80/", - "domain": "example.azurestaticapps.net", - "top_level_domain": "net", - "subdomain": "example", - "registered_domain": "azurestaticapps.net", - "path": "/", - "port": 80, - "scheme": "http" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "azure_front_door": { - "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", - "health_probe_id": "A07EBB1B3DF34A71A8AC75CBA4C33607", - "category": "FrontDoorHealthProbeLog", - "operation_name": "Microsoft.Cdn/Profiles/FrontDoorHealthProbeLog/Write" + "observer": { + "product": "Azure Front Door", + "vendor": "Microsoft" }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.azurestaticapps.net", + "original": "http://example.azurestaticapps.net:80/", + "path": "/", + "port": 80, + "registered_domain": "azurestaticapps.net", + "scheme": "http", + "subdomain": "example", + "top_level_domain": "net" } } 
@@ -184,50 +184,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-08-04T11:15:23.5527699Z\",\"resourceId\":\"/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ\",\"category\":\"FrontDoorWebApplicationFirewallLog\",\"operationName\":\"Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write\",\"properties\":{\"clientIP\":\"1.2.3.4\",\"clientPort\":\"44200\",\"socketIP\":\"1.2.3.4\",\"requestUri\":\"http://example.1.azurefd.net:80/\",\"ruleName\":\"Microsoft_BotManagerRuleSet-1.0-BadBots-Bot100200\",\"policy\":\"wafpolicy\",\"action\":\"Block\",\"host\":\"example.1.azurefd.net\",\"trackingReference\":\"0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==\",\"policyMode\":\"prevention\",\"details\":{\"matches\":[{\"matchVariableName\":\"HeaderValue:user-agent\",\"matchVariableValue\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\"},{\"matchVariableName\":\"HeaderValue:user-agent\",\"matchVariableValue\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1\"},{\"matchVariableName\":\"TX:MAJOR\",\"matchVariableValue\":\"40\"}],\"msg\":\"Malicious bots that have falsified their identity\"}}}", "event": { - "kind": "event", + "action": "block", "category": [ "web" ], - "action": "block", - "reason": "Malicious bots that have falsified their identity", - "module": "azure.waf", "dataset": "access", + "kind": "event", + "module": "azure.waf", + "reason": "Malicious bots that have falsified their identity", "type": [ "access" ] }, "@timestamp": "2023-08-04T11:15:23.552769Z", - "cloud": { - "provider": "azure" - }, - "observer": { - "vendor": "Microsoft", - "product": "Azure Front Door" - }, - "source": { - "port": 44200, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "url": { - "original": "http://example.1.azurefd.net:80/", - 
"domain": "example.1.azurefd.net", - "top_level_domain": "net", - "subdomain": "example.1", - "registered_domain": "azurefd.net", - "path": "/", - "port": 80, - "scheme": "http" - }, - "rule": { - "name": "Microsoft_BotManagerRuleSet-1.0-BadBots-Bot100200", - "ruleset": "wafpolicy" - }, "azure_front_door": { - "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", "category": "FrontDoorWebApplicationFirewallLog", - "tracking_reference": "0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==", "operation_name": "Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write", + "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", + "tracking_reference": "0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==", "waf": { "details": { "matches": [ @@ -249,10 +223,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "policy_mode": "prevention" } }, + "cloud": { + "provider": "azure" + }, + "observer": { + "product": "Azure Front Door", + "vendor": "Microsoft" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "rule": { + "name": "Microsoft_BotManagerRuleSet-1.0-BadBots-Bot100200", + "ruleset": "wafpolicy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 44200 + }, + "url": { + "domain": "example.1.azurefd.net", + "original": "http://example.1.azurefd.net:80/", + "path": "/", + "port": 80, + "registered_domain": "azurefd.net", + "scheme": "http", + "subdomain": "example.1", + "top_level_domain": "net" } } 
@@ -266,68 +266,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2023-08-04T11:45:20.9059637Z\",\"resourceId\":\"/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ\",\"category\":\"FrontdoorWebApplicationFirewallLog\",\"operationName\":\"Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write\",\"properties\":{\"clientIP\":\"1.2.3.4\",\"clientPort\":\"61956\",\"socketIP\":\"1.2.3.4\",\"requestUri\":\"http://example.1.azurefd.net:80/\",\"ruleName\":\"Microsoft_DefaultRuleSet-2.1-General-200003\",\"policy\":\"wafpolicy\",\"action\":\"Log\",\"host\":\"example.1.azurefd.net\",\"trackingReference\":\"0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==\",\"policyMode\":\"prevention\",\"details\":{\"matches\":[{\"matchVariableName\":\"MultipartStrictError\",\"matchVariableValue\":\"MULTIPART_BOUNDARY_QUOTED\"}],\"msg\":\"Multipart request body failed strict validation\",\"data\":\"MultipartStrictError=MULTIPART_BOUNDARY_QUOTED\"}}}", "event": { - "kind": "event", + "action": "log", "category": [ "web" ], - "action": "log", - "reason": "Multipart request body failed strict validation", - "module": "azure.waf", "dataset": "access", + "kind": "event", + "module": "azure.waf", + "reason": "Multipart request body failed strict validation", "type": [ "access" ] }, "@timestamp": "2023-08-04T11:45:20.905963Z", - "cloud": { - "provider": "azure" - }, - "observer": { - "vendor": "Microsoft", - "product": "Azure Front Door" - }, - "source": { - "port": 61956, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "url": { - "original": "http://example.1.azurefd.net:80/", - "domain": "example.1.azurefd.net", - "top_level_domain": "net", - "subdomain": "example.1", - "registered_domain": "azurefd.net", - "path": "/", - "port": 80, - "scheme": "http" - }, - "rule": { - "name": 
"Microsoft_DefaultRuleSet-2.1-General-200003", - "ruleset": "wafpolicy" - }, "azure_front_door": { - "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", "category": "FrontdoorWebApplicationFirewallLog", - "tracking_reference": "0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==", "operation_name": "Microsoft.Cdn/Profiles/WebApplicationFirewallLog/Write", + "resource_id": "/SUBSCRIPTIONS/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/RESOURCEGROUPS/YYYYYYYYYYYYYYYYY/PROVIDERS/MICROSOFT.CDN/PROFILES/ZZZZZZZZZZZZZZZ", + "tracking_reference": "0PdUMYwAAAAAA35SK7dpvSZxm/Y92xsH7UEFSMjAxMDgwMzg1MDQ5ADkxZjFmYTAyLWMzZGEtNDBlMi04ZWM2LWQ0OTQ1OWJiNzc5OQ==", "waf": { "details": { + "data": "MultipartStrictError=MULTIPART_BOUNDARY_QUOTED", "matches": [ { "matchVariableName": "MultipartStrictError", "matchVariableValue": "MULTIPART_BOUNDARY_QUOTED" } ], - "msg": "Multipart request body failed strict validation", - "data": "MultipartStrictError=MULTIPART_BOUNDARY_QUOTED" + "msg": "Multipart request body failed strict validation" }, "policy_mode": "prevention" } }, + "cloud": { + "provider": "azure" + }, + "observer": { + "product": "Azure Front Door", + "vendor": "Microsoft" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "rule": { + "name": "Microsoft_DefaultRuleSet-2.1-General-200003", + "ruleset": "wafpolicy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 61956 + }, + "url": { + "domain": "example.1.azurefd.net", + "original": "http://example.1.azurefd.net:80/", + "path": "/", + "port": 80, + "registered_domain": "azurefd.net", + "scheme": "http", + "subdomain": "example.1", + "top_level_domain": "net" } } 
diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index 512638bd1d..586a2a9e98 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md @@ -70,22 +70,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FOREGROUND_WINDOW_CHANGED", "kind": "event" }, - "wallix": { - "type": "FOREGROUND_WINDOW_CHANGED" - }, - "user": { - "name": "adm-foobar@corp.net" - }, - "service": { - "name": "RDP" - }, "destination": { - "ip": "2.2.2.2", - "address": "2.2.2.2" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + "address": "2.2.2.2", + "ip": "2.2.2.2" }, "related": { "ip": [ @@ -95,6 +82,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "adm-foobar@corp.net" ] + }, + "service": { + "name": "RDP" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "adm-foobar@corp.net" + }, + "wallix": { + "type": "FOREGROUND_WINDOW_CHANGED" } } @@ -111,22 +111,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FOREGROUND_WINDOW_CHANGED", "kind": "event" }, - "wallix": { - "type": "FOREGROUND_WINDOW_CHANGED" - }, - "user": { - "name": "adm-bar" - }, - "service": { - "name": "RDP" - }, "destination": { - "ip": "2.2.2.2", - "address": "2.2.2.2" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + "address": "2.2.2.2", + "ip": "2.2.2.2" }, "related": { "ip": [ 
@@ -136,6 +123,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "adm-bar" ] + }, + "service": { + "name": "RDP" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "adm-bar" + }, + "wallix": { + "type": "FOREGROUND_WINDOW_CHANGED" } } @@ -169,18 +169,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "event", "provider": "sshproxy" }, - "wallix": { - "type": "INCOMING_CONNECTION" - }, - "source": { - "port": 53344, - "ip": "10.17.86.250", - "address": "10.17.86.250" - }, "related": { "ip": [ "10.17.86.250" ] + }, + "source": { + "address": "10.17.86.250", + "ip": "10.17.86.250", + "port": 53344 + }, + "wallix": { + "type": "INCOMING_CONNECTION" } } @@ -197,26 +197,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "SESSION_DISCONNECTION", "kind": "event" }, - "wallix": { - "type": "SESSION_DISCONNECTION" - }, - "user": { - "name": "user01" - }, - "service": { - "name": "ssh" + "destination": { + "address": "10.10.47.53", + "ip": "10.10.47.53" }, "host": { "ip": "10.10.47.53" }, - "destination": { - "ip": "10.10.47.53", - "address": "10.10.47.53" - }, - "source": { - "ip": "10.10.43.84", - "address": "10.10.43.84" - }, "related": { "ip": [ "10.10.43.84", @@ -225,6 +212,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user01" ] + }, + "service": { + "name": "ssh" + }, + "source": { + "address": "10.10.43.84", + "ip": "10.10.43.84" + }, + "user": { + "name": "user01" + }, + "wallix": { + "type": "SESSION_DISCONNECTION" } } 
@@ -242,26 +242,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "event", "provider": "SSH Session" }, - "wallix": { - "type": "SESSION_DISCONNECTION" - }, - "user": { - "name": "username123@corp.net" - }, - "service": { - "name": "SSH" + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" }, "host": { "ip": "1.1.1.1" }, - "destination": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "ip": [ "1.1.1.1" @@ -269,6 +256,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "username123@corp.net" ] + }, + "service": { + "name": "SSH" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "username123@corp.net" + }, + "wallix": { + "type": "SESSION_DISCONNECTION" } } @@ -286,19 +286,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "event", "provider": "SSH Session" }, - "wallix": { - "type": "SESSION_ESTABLISHED_SUCCESSFULLY" - }, - "user": { - "name": "user.name@corp.net" - }, - "service": { - "name": "SSH" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "ip": [ "1.1.1.1" @@ -306,6 +293,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user.name@corp.net" ] + }, + "service": { + "name": "SSH" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "user.name@corp.net" + }, + "wallix": { + "type": "SESSION_ESTABLISHED_SUCCESSFULLY" } } @@ -322,10 +322,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "event", "provider": "sudo" }, - "wallix": {}, - "user": { - "name": "wabuser ;" - }, "process": { "command_line": "/opt/wab/bin/WABCleanApprovals close" }, 
@@ -333,7 +329,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "wabuser ;" ] - } + }, + "user": { + "name": "wabuser ;" + }, + "wallix": {} } ``` 
@@ -347,24 +347,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"ConnectionPolicy\" object=\"QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services [], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING and 1 other(s)], Data [server_pubkey[server_pubkey_check]: '1', server_pubkey[server_pubkey_create_message]: '1', server_pubkey[server_access_allowed_message]: '0', server_pubkey[server_pubkey_success_message]: '0', server_pubkey[server_pubkey_failure_message]: '1', server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False', startup_scenario[ask_startup]: 'False', startup_scenario[show_output]: 'True', startup_scenario[enable]: 'False', startup_scenario[timeout]: '10', startup_scenario[scenario]: '', general[transformation_rule]: '', session[inactivity_timeout]: '0', session[allow_multi_channels]: 'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '', algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']\"", "event": { "action": "ConnectionPolicy", - "reason": "cn [QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services [], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING and 1 other(s)], Data [server_pubkey[server_pubkey_check]: '1', server_pubkey[server_pubkey_create_message]: '1', server_pubkey[server_access_allowed_message]: '0', server_pubkey[server_pubkey_success_message]: '0', server_pubkey[server_pubkey_failure_message]: '1', server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False', startup_scenario[ask_startup]: 'False', startup_scenario[show_output]: 'True', startup_scenario[enable]: 'False', startup_scenario[timeout]: '10', startup_scenario[scenario]: '', general[transformation_rule]: '', session[inactivity_timeout]: '0', session[allow_multi_channels]: 'False', 
algorithms[kex_algos]: '', algorithms[compression_algos]: '', algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']", "kind": "event", + "provider": "wabengine", + "reason": "cn [QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services [], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING and 1 other(s)], Data [server_pubkey[server_pubkey_check]: '1', server_pubkey[server_pubkey_create_message]: '1', server_pubkey[server_access_allowed_message]: '0', server_pubkey[server_pubkey_success_message]: '0', server_pubkey[server_pubkey_failure_message]: '1', server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False', startup_scenario[ask_startup]: 'False', startup_scenario[show_output]: 'True', startup_scenario[enable]: 'False', startup_scenario[timeout]: '10', startup_scenario[scenario]: '', general[transformation_rule]: '', session[inactivity_timeout]: '0', session[allow_multi_channels]: 'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '', algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING", - "type": "ConnectionPolicy", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -373,6 +361,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING", + "type": "ConnectionPolicy" } } 
@@ -387,24 +387,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CredChgInfo\" object=\"local1/None\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"service_name ['None' to 'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']\"", "event": { "action": "CredChgInfo", - "reason": "service_name ['None' to 'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']", "kind": "event", + "provider": "wabengine", + "reason": "service_name ['None' to 'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "local1/None", - "type": "CredChgInfo", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -413,6 +401,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "local1/None", + "type": "CredChgInfo" } } 
@@ -427,24 +427,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CredChgPolicy\" object=\"QA_PASSWORD_CHANGE_POLICY\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"pwdLength [8], specialChars [1], changePeriod []\"", "event": { "action": "CredChgPolicy", - "reason": "pwdLength [8], specialChars [1], changePeriod []", "kind": "event", + "provider": "wabengine", + "reason": "pwdLength [8], specialChars [1], changePeriod []", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_PASSWORD_CHANGE_POLICY", - "type": "CredChgPolicy", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -453,6 +441,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_PASSWORD_CHANGE_POLICY", + "type": "CredChgPolicy" } } @@ -467,24 +467,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Globaldomain\" object=\"QA_DOMAIN_SIMPLE\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [QA_DOMAIN_SIMPLE], name [QA_DOMAIN_SIMPLE]\"", "event": { "action": "Globaldomain", - "reason": "cn [QA_DOMAIN_SIMPLE], name [QA_DOMAIN_SIMPLE]", "kind": "event", + "provider": "wabengine", + "reason": "cn [QA_DOMAIN_SIMPLE], name [QA_DOMAIN_SIMPLE]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DOMAIN_SIMPLE", - "type": "Globaldomain", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -493,6 +481,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DOMAIN_SIMPLE", + "type": "Globaldomain" } } @@ -507,24 +507,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"LdapMapping\" object=\" in user_group_154954913825 GROUP\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"ldapGroup [OU=Group], domain [QA_DOMAIN_1], group [user_group_154954913825]\"", "event": { "action": "LdapMapping", - "reason": "ldapGroup [OU=Group], domain [QA_DOMAIN_1], group [user_group_154954913825]", "kind": "event", + "provider": "wabengine", + "reason": "ldapGroup [OU=Group], domain [QA_DOMAIN_1], group [user_group_154954913825]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": " in user_group_154954913825 GROUP", - "type": "LdapMapping", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -533,6 +521,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": " in user_group_154954913825 GROUP", + "type": "LdapMapping" } } 
@@ -547,24 +547,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Ldapdomain\" object=\"QA_DOMAIN_1\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"description [], ldapDomain [domain1.qa], defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute [memberOf], snAttribute [displayName], emailAttribute [mail], languageAttribute [preferredLanguage], isDefaultDomain [True]\"", "event": { "action": "Ldapdomain", - "reason": "description [], ldapDomain [domain1.qa], defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute [memberOf], snAttribute [displayName], emailAttribute [mail], languageAttribute [preferredLanguage], isDefaultDomain [True]", "kind": "event", + "provider": "wabengine", + "reason": "description [], ldapDomain [domain1.qa], defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute [memberOf], snAttribute [displayName], emailAttribute [mail], languageAttribute [preferredLanguage], isDefaultDomain [True]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DOMAIN_1", - "type": "Ldapdomain", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -573,9 +561,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] - } - } - + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DOMAIN_1", + "type": "Ldapdomain" + } + } + ``` 
@@ -587,24 +587,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Localdomain\" object=\"local\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [local], device [QA_DEVICE_SSH_SHELL_SESSION]\"", "event": { "action": "Localdomain", - "reason": "cn [local], device [QA_DEVICE_SSH_SHELL_SESSION]", "kind": "event", + "provider": "wabengine", + "reason": "cn [local], device [QA_DEVICE_SSH_SHELL_SESSION]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "local", - "type": "Localdomain", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -613,6 +601,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "local", + "type": "Localdomain" } } @@ -627,24 +627,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Notification\" object=\"notification_154955208543\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"dest [qa-notify@wallix.com], flag [0], isNotificationEnable [True], type [EMAIL]\"", "event": { "action": "Notification", - "reason": "dest [qa-notify@wallix.com], flag [0], isNotificationEnable [True], type [EMAIL]", "kind": "event", + "provider": "wabengine", + "reason": "dest [qa-notify@wallix.com], flag [0], isNotificationEnable [True], type [EMAIL]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "notification_154955208543", - "type": "Notification", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -653,6 +641,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "notification_154955208543", + "type": "Notification" } } @@ -667,24 +667,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Period\" object=\"<2030-01-01 to 2099-12-31 , 00:00:00 to 23:59:00, 127>\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"startDate [2030-01-01], endDate [2099-12-31], startTime [00:00:00], endTime [23:59:00], weekmask [127]\"", "event": { "action": "Period", - "reason": "startDate [2030-01-01], endDate [2099-12-31], startTime [00:00:00], endTime [23:59:00], weekmask [127]", "kind": "event", + "provider": "wabengine", + "reason": "startDate [2030-01-01], endDate [2099-12-31], startTime [00:00:00], endTime [23:59:00], weekmask [127]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "<2030-01-01 to 2099-12-31 , 00:00:00 to 23:59:00, 127>", - "type": "Period", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -693,6 +681,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "<2030-01-01 to 2099-12-31 , 00:00:00 to 23:59:00, 127>", + "type": "Period" } } 
@@ -707,24 +707,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Profile\" object=\"QA_PROFILE_IP_FORBIDDEN\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"ip_limitation [1.1.1.1], habilitationFlag [1], groups_limitation [], groups_member []\"", "event": { "action": "Profile", - "reason": "ip_limitation [1.1.1.1], habilitationFlag [1], groups_limitation [], groups_member []", "kind": "event", + "provider": "wabengine", + "reason": "ip_limitation [1.1.1.1], habilitationFlag [1], groups_limitation [], groups_member []", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_PROFILE_IP_FORBIDDEN", - "type": "Profile", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -733,6 +721,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_PROFILE_IP_FORBIDDEN", + "type": "Profile" } } 
@@ -747,24 +747,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Restriction\" object=\" in GROUP QA_USER_GROUP_UNIX_KILL\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"action [kill], data [Kill.+Softly], groups [QA_USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]\"", "event": { "action": "Restriction", - "reason": "action [kill], data [Kill.+Softly], groups [QA_USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]", "kind": "event", + "provider": "wabengine", + "reason": "action [kill], data [Kill.+Softly], groups [QA_USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": " in GROUP QA_USER_GROUP_UNIX_KILL", - "type": "Restriction", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -773,6 +761,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": " in GROUP QA_USER_GROUP_UNIX_KILL", + "type": "Restriction" } } 
@@ -787,24 +787,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Service\" object=\"QA_DEVICE_SSH_SHELL_SESSION:SSH\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"protocol [SSH], port [22], subprotocols [SSH_SHELL_SESSION], connectionPolicy [SSH]\"", "event": { "action": "Service", - "reason": "protocol [SSH], port [22], subprotocols [SSH_SHELL_SESSION], connectionPolicy [SSH]", "kind": "event", + "provider": "wabengine", + "reason": "protocol [SSH], port [22], subprotocols [SSH_SHELL_SESSION], connectionPolicy [SSH]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DEVICE_SSH_SHELL_SESSION:SSH", - "type": "Service", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -813,6 +801,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DEVICE_SSH_SHELL_SESSION:SSH", + "type": "Service" } } 
@@ -827,24 +827,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Targetgroup\" object=\"QA_DEVICE_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Users [], Targets [__WIL__@am_il_domain@QA_DEVICE_TELNET:TELNET, __WAM__@am_il_domain@QA_DEVICE_SSH_SCP_DOWN:SSH, pubkey_account_without_password@local@QA_DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]\"", "event": { "action": "Targetgroup", - "reason": "Users [], Targets [__WIL__@am_il_domain@QA_DEVICE_TELNET:TELNET, __WAM__@am_il_domain@QA_DEVICE_SSH_SCP_DOWN:SSH, pubkey_account_without_password@local@QA_DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]", "kind": "event", + "provider": "wabengine", + "reason": "Users [], Targets [__WIL__@am_il_domain@QA_DEVICE_TELNET:TELNET, __WAM__@am_il_domain@QA_DEVICE_SSH_SCP_DOWN:SSH, pubkey_account_without_password@local@QA_DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DEVICE_GROUP_UNIX", - "type": "Targetgroup", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -853,6 +841,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DEVICE_GROUP_UNIX", + "type": "Targetgroup" } } 
@@ -867,24 +867,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"TimeFrame\" object=\"timeframe_154954856399\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"description [], isOvertimable [False]\"", "event": { "action": "TimeFrame", - "reason": "description [], isOvertimable [False]", "kind": "event", + "provider": "wabengine", + "reason": "description [], isOvertimable [False]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "timeframe_154954856399", - "type": "TimeFrame", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -893,6 +881,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "timeframe_154954856399", + "type": "TimeFrame" } } 
@@ -907,24 +907,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"User\" object=\"QA_USER_IP_FORBIDDEN\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"email [qa-notify@wallix.com], preferredLanguage [en], host [1.1.1.1], profile [user], groups [QA_USER_GROUP_UNIX], forceChangePwd [False], userPassword [********], userauths [local]\"", "event": { "action": "User", - "reason": "email [qa-notify@wallix.com], preferredLanguage [en], host [1.1.1.1], profile [user], groups [QA_USER_GROUP_UNIX], forceChangePwd [False], userPassword [********], userauths [local]", "kind": "event", + "provider": "wabengine", + "reason": "email [qa-notify@wallix.com], preferredLanguage [en], host [1.1.1.1], profile [user], groups [QA_USER_GROUP_UNIX], forceChangePwd [False], userPassword [********], userauths [local]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_USER_IP_FORBIDDEN", - "type": "User", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -933,6 +921,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_USER_IP_FORBIDDEN", + "type": "User" } } 
@@ -947,24 +947,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"UserAuth\" object=\"QA_USER_AUTH_KERBEROS\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"wabAuthType [KERBEROS], description [], port [88], host [10.10.45.148], kerDomControler [QA.IFR.LAN]\"", "event": { "action": "UserAuth", - "reason": "wabAuthType [KERBEROS], description [], port [88], host [10.10.45.148], kerDomControler [QA.IFR.LAN]", "kind": "event", + "provider": "wabengine", + "reason": "wabAuthType [KERBEROS], description [], port [88], host [10.10.45.148], kerDomControler [QA.IFR.LAN]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_USER_AUTH_KERBEROS", - "type": "UserAuth", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -973,6 +961,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_USER_AUTH_KERBEROS", + "type": "UserAuth" } } 
@@ -987,24 +987,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Usergroup\" object=\"QA_USER_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Users [], Profiles_limit [], Timeframes [allthetime]\"", "event": { "action": "Usergroup", - "reason": "Users [], Profiles_limit [], Timeframes [allthetime]", "kind": "event", + "provider": "wabengine", + "reason": "Users [], Profiles_limit [], Timeframes [allthetime]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_USER_GROUP_UNIX", - "type": "Usergroup", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1013,6 +1001,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_USER_GROUP_UNIX", + "type": "Usergroup" } } @@ -1027,23 +1027,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [url fetched hourly]\"", "event": { "action": "X509 Parameters", - "reason": "CRL [url fetched hourly]", "kind": "event", + "provider": "wabengine", + "reason": "CRL [url fetched hourly]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "X509 Parameters", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + ] }, "related": { "ip": [ 
@@ -1052,6 +1041,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "type": "X509 Parameters" } } @@ -1066,24 +1066,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Account\" object=\"account_with_approval@QA_DOMAIN_SIMPLE\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]\"", "event": { "action": "Account", - "reason": "name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]", "kind": "event", + "provider": "wabengine", + "reason": "name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "account_with_approval@QA_DOMAIN_SIMPLE", - "type": "Account", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1092,6 +1080,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "account_with_approval@QA_DOMAIN_SIMPLE", + "type": "Account" } } 
@@ -1107,22 +1107,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "accountactivity", "kind": "event", + "provider": "wabengine", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "168c1c48f141e911005056b60af6", - "type": "accountactivity", - "action": "list" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.43.84", - "address": "10.10.43.84" + ] }, "related": { "ip": [ @@ -1131,6 +1119,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.43.84", + "ip": "10.10.43.84" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "list", + "object": "168c1c48f141e911005056b60af6", + "type": "accountactivity" } } @@ -1145,24 +1145,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Apikey\" object=\"apikey_154954880399\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"cn [apikey_154954880399], apikey [********], ipLimitation []\"", "event": { "action": "Apikey", - "reason": "cn [apikey_154954880399], apikey [********], ipLimitation []", "kind": "event", + "provider": "wabengine", + "reason": "cn [apikey_154954880399], apikey [********], ipLimitation []", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "apikey_154954880399", - "type": "Apikey", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1171,6 +1159,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "apikey_154954880399", + "type": "Apikey" } } 
@@ -1185,24 +1185,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Application\" object=\"QA_APP_DUMMY\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"target [account@local@QA_DEVICE_DUMMY_WIN:RDP]\"", "event": { "action": "Application", - "reason": "target [account@local@QA_DEVICE_DUMMY_WIN:RDP]", "kind": "event", + "provider": "wabengine", + "reason": "target [account@local@QA_DEVICE_DUMMY_WIN:RDP]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_APP_DUMMY", - "type": "Application", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1211,6 +1199,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_APP_DUMMY", + "type": "Application" } } @@ -1225,24 +1225,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Apppath\" object=\"account@local@QA_DEVICE_DUMMY_WIN:RDP[:]\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"program [C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe], workingdir [C:\\]\"", "event": { "action": "Apppath", - "reason": "program [C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe], workingdir [C:\\]", "kind": "event", + "provider": "wabengine", + "reason": "program [C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe], workingdir [C:\\]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "account@local@QA_DEVICE_DUMMY_WIN:RDP[:]", - "type": "Apppath", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -1251,6 +1239,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "account@local@QA_DEVICE_DUMMY_WIN:RDP[:]", + "type": "Apppath" } } @@ -1265,24 +1265,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Approval\" object=\"\\n\" user=\"user_154954851465\" client_ip=\"10.10.45.212\" infos=\"status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@QA_DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [qa-notify@wallix.com], language [en]\"", "event": { "action": "Approval", - "reason": "status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@QA_DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [qa-notify@wallix.com], language [en]", "kind": "event", + "provider": "wabengine", + "reason": "status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@QA_DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [qa-notify@wallix.com], language [en]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "\\n", - "type": "Approval", - "action": "add" - }, - "user": { - "name": "user_154954851465" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -1291,6 +1279,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user_154954851465" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "user_154954851465" + }, + "wallix": { + "action": "add", + "object": "\\n", + "type": "Approval" } } 
@@ -1305,24 +1305,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Authorization\" object=\"QA_USER_GROUP_UNIX:QA_DEVICE_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [unix_group], targetGroupIdentifier [QA_DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False], hasComment [False], mandatoryComment [False], hasTicket [False], mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]\"", "event": { "action": "Authorization", - "reason": "cn [unix_group], targetGroupIdentifier [QA_DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False], hasComment [False], mandatoryComment [False], hasTicket [False], mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]", "kind": "event", + "provider": "wabengine", + "reason": "cn [unix_group], targetGroupIdentifier [QA_DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False], hasComment [False], mandatoryComment [False], hasTicket [False], mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_USER_GROUP_UNIX:QA_DEVICE_GROUP_UNIX", - "type": "Authorization", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -1331,6 +1319,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_USER_GROUP_UNIX:QA_DEVICE_GROUP_UNIX", + "type": "Authorization" } } @@ -1345,24 +1345,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CheckoutPolicy\" object=\"QA_CHECKOUT_POLICY_LOCK\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"enableLock [True], duration [600], extension [0], maxDuration [600], checkinChange [0]\"", "event": { "action": "CheckoutPolicy", - "reason": "enableLock [True], duration [600], extension [0], maxDuration [600], checkinChange [0]", "kind": "event", + "provider": "wabengine", + "reason": "enableLock [True], duration [600], extension [0], maxDuration [600], checkinChange [0]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_CHECKOUT_POLICY_LOCK", - "type": "CheckoutPolicy", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1371,6 +1359,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_CHECKOUT_POLICY_LOCK", + "type": "CheckoutPolicy" } } 
@@ -1385,24 +1385,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Cluster\" object=\"cluster_154954837225\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"member_targets [account_154954837122@local1@device_154954837021:rdp, account_154954837224@local1@device_154954837123:rdp]\"", "event": { "action": "Cluster", - "reason": "member_targets [account_154954837122@local1@device_154954837021:rdp, account_154954837224@local1@device_154954837123:rdp]", "kind": "event", + "provider": "wabengine", + "reason": "member_targets [account_154954837122@local1@device_154954837021:rdp, account_154954837224@local1@device_154954837123:rdp]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "cluster_154954837225", - "type": "Cluster", - "action": "add" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1411,6 +1399,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "add", + "object": "cluster_154954837225", + "type": "Cluster" } } 
@@ -1425,24 +1425,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Device\" object=\"QA_DEVICE_SSH_SHELL_SESSION\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]\"", "event": { "action": "Device", - "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "kind": "event", + "provider": "wabengine", + "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DEVICE_SSH_SHELL_SESSION", - "type": "Device", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1451,6 +1439,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DEVICE_SSH_SHELL_SESSION", + "type": "Device" } } @@ -1465,23 +1465,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"backup\" type=\"Backup/Restore\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' saved]\"", "event": { "action": "Backup/Restore", - "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' saved]", - "kind": "event", "category": [ "database" ], - "provider": "wabengine" - }, - "wallix": { - "type": "Backup/Restore", - "action": "backup" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + "kind": "event", + "provider": "wabengine", + "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' saved]" }, "related": { "ip": [ 
@@ -1490,6 +1479,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "backup", + "type": "Backup/Restore" } } @@ -1505,22 +1505,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "ConnectionPolicy", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "connection_policy_154954884812", - "type": "ConnectionPolicy", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1529,6 +1517,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "connection_policy_154954884812", + "type": "ConnectionPolicy" } } @@ -1544,22 +1544,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CredChgInfo", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "\\n", - "type": "CredChgInfo", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1568,6 +1556,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "\\n", + "type": "CredChgInfo" } } 
@@ -1583,22 +1583,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CredChgPolicy", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "password_change_policy_name_154954918141", - "type": "CredChgPolicy", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1607,6 +1595,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "password_change_policy_name_154954918141", + "type": "CredChgPolicy" } } @@ -1622,22 +1622,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Globaldomain", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "global_domain_154954904181", - "type": "Globaldomain", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1646,6 +1634,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "global_domain_154954904181", + "type": "Globaldomain" } } 
@@ -1661,22 +1661,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "LdapMapping", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": " in user_group_154954913825 GROUP", - "type": "LdapMapping", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1685,6 +1673,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": " in user_group_154954913825 GROUP", + "type": "LdapMapping" } } @@ -1700,22 +1700,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Ldapdomain", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "domain_154955334782", - "type": "Ldapdomain", - "action": "delete" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.122.1", - "address": "192.168.122.1" + ] }, "related": { "ip": [ @@ -1724,6 +1712,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.122.1", + "ip": "192.168.122.1" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "delete", + "object": "domain_154955334782", + "type": "Ldapdomain" } } 
@@ -1739,22 +1739,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Localdomain", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "local1", - "type": "Localdomain", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1763,6 +1751,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "local1", + "type": "Localdomain" } } @@ -1778,22 +1778,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Notification", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "notification_154955204621", - "type": "Notification", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1802,6 +1790,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "notification_154955204621", + "type": "Notification" } } 
@@ -1817,22 +1817,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Period", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "<2010-01-01 to 2020-01-01 , 09:30:00 to 18:30:00, 124>", - "type": "Period", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1841,6 +1829,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "<2010-01-01 to 2020-01-01 , 09:30:00 to 18:30:00, 124>", + "type": "Period" } } @@ -1856,22 +1856,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Profile", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "profile_154954924847", - "type": "Profile", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1880,6 +1868,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "profile_154954924847", + "type": "Profile" } } 
@@ -1895,22 +1895,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Service", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "device_154954928856:ssh", - "type": "Service", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1919,6 +1907,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "device_154954928856:ssh", + "type": "Service" } } @@ -1934,22 +1934,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Targetgroup", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "target_group_154954938767", - "type": "Targetgroup", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1958,6 +1946,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "target_group_154954938767", + "type": "Targetgroup" } } 
@@ -1973,22 +1973,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "TimeFrame", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "timeframe_154954953374", - "type": "TimeFrame", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -1997,6 +1985,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "timeframe_154954953374", + "type": "TimeFrame" } } @@ -2012,22 +2012,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "User", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "UNKNOWN_USER", - "type": "User", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2036,6 +2024,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "UNKNOWN_USER", + "type": "User" } } 
@@ -2051,22 +2051,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "UserAuth", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "auth_LDAP_154955198487", - "type": "UserAuth", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2075,6 +2063,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "auth_LDAP_154955198487", + "type": "UserAuth" } } @@ -2090,22 +2090,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Usergroup", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "user_group_154954962345", - "type": "Usergroup", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2114,6 +2102,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "user_group_154954962345", + "type": "Usergroup" } } 
@@ -2128,23 +2128,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [deleted]\"", "event": { "action": "X509 Parameters", - "reason": "CRL [deleted]", "kind": "event", + "provider": "wabengine", + "reason": "CRL [deleted]", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "X509 Parameters", - "action": "delete" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + ] }, "related": { "ip": [ @@ -2153,6 +2142,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "delete", + "type": "X509 Parameters" } } @@ -2168,22 +2168,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Account", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "account_154954844398@local1@application_154954844399", - "type": "Account", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2192,6 +2180,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "account_154954844398@local1@application_154954844399", + "type": "Account" } } 
@@ -2207,22 +2207,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Apikey", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "apikey_154954882800", - "type": "Apikey", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2231,6 +2219,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "apikey_154954882800", + "type": "Apikey" } } @@ -2246,22 +2246,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Application", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "application_154954836612", - "type": "Application", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2270,6 +2258,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "application_154954836612", + "type": "Application" } } 
@@ -2279,28 +2279,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. === "wabaudit_action_delete_type_apppath.json" ```json - - { - "message": "[wabaudit] action=\"delete\" type=\"Apppath\" object=\"account_154954841440@local1@device_154954841439:rdp[:]\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", - "event": { - "action": "Apppath", - "kind": "event", - "type": [ - "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "account_154954841440@local1@device_154954841439:rdp[:]", - "type": "Apppath", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + + { + "message": "[wabaudit] action=\"delete\" type=\"Apppath\" object=\"account_154954841440@local1@device_154954841439:rdp[:]\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", + "event": { + "action": "Apppath", + "kind": "event", + "provider": "wabengine", + "type": [ + "deletion" + ] }, "related": { "ip": [ @@ -2309,6 +2297,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "account_154954841440@local1@device_154954841439:rdp[:]", + "type": "Apppath" } } @@ -2324,22 +2324,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Approval", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "\\n", - "type": "Approval", - "action": "delete" - }, - "user": { - "name": "OPERATOR" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + ] }, "related": { "ip": [ 
@@ -2348,6 +2336,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "OPERATOR" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "name": "OPERATOR" + }, + "wallix": { + "action": "delete", + "object": "\\n", + "type": "Approval" } } @@ -2363,22 +2363,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Authorization", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "user_group_154954865272:target_group_154954865373", - "type": "Authorization", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2387,6 +2375,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "user_group_154954865272:target_group_154954865373", + "type": "Authorization" } } @@ -2402,22 +2402,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CheckoutPolicy", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "checkout_policy_154954874456", - "type": "CheckoutPolicy", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -2426,6 +2414,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "checkout_policy_154954874456", + "type": "CheckoutPolicy" } } @@ -2441,22 +2441,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Cluster", "kind": "event", + "provider": "wabengine", "type": [ "deletion" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "cluster_154954875802", - "type": "Cluster", - "action": "delete" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2465,6 +2453,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "delete", + "object": "cluster_154954875802", + "type": "Cluster" } } @@ -2479,24 +2479,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Device\" object=\"QA_DEVICE_SSH_SHELL_SESSION\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]\"", "event": { "action": "Device", - "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "kind": "event", + "provider": "wabengine", + "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "type": [ "creation" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "QA_DEVICE_SSH_SHELL_SESSION", - "type": "Device", - "action": "add" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -2505,6 +2493,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "add", + "object": "QA_DEVICE_SSH_SHELL_SESSION", + "type": "Device" } } @@ -2519,23 +2519,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"download\" type=\"Backup/Restore\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' downloaded]\"", "event": { "action": "Backup/Restore", - "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' downloaded]", - "kind": "event", "category": [ "database" ], - "provider": "wabengine" - }, - "wallix": { - "type": "Backup/Restore", - "action": "download" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + "kind": "event", + "provider": "wabengine", + "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' downloaded]" }, "related": { "ip": [ @@ -2544,6 +2533,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "download", + "type": "Backup/Restore" } } 
@@ -2558,24 +2558,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"ConnectionPolicy\" object=\"SSH\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']\"", "event": { "action": "ConnectionPolicy", - "reason": "methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']", "kind": "event", + "provider": "wabengine", + "reason": "methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "SSH", - "type": "ConnectionPolicy", - "action": "edit" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2584,6 +2572,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "edit", + "object": "SSH", + "type": "ConnectionPolicy" } } 
@@ -2599,22 +2599,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CredChgInfo", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "local1/None", - "type": "CredChgInfo", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2623,6 +2611,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "local1/None", + "type": "CredChgInfo" } } @@ -2638,22 +2638,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CredChgPolicy", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "password_change_policy_name_154954918865", - "type": "CredChgPolicy", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2662,6 +2650,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "password_change_policy_name_154954918865", + "type": "CredChgPolicy" } } 
@@ -2676,24 +2676,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Globaldomain\" object=\"global_domain_154954904486\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"credchgplugin ['None' to 'Windows'], credchgpolicy ['None' to 'default'], adminAccount ['None' to 'account_154954904487...']\"", "event": { "action": "Globaldomain", - "reason": "credchgplugin ['None' to 'Windows'], credchgpolicy ['None' to 'default'], adminAccount ['None' to 'account_154954904487...']", "kind": "event", + "provider": "wabengine", + "reason": "credchgplugin ['None' to 'Windows'], credchgpolicy ['None' to 'default'], adminAccount ['None' to 'account_154954904487...']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "global_domain_154954904486", - "type": "Globaldomain", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2702,6 +2690,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "global_domain_154954904486", + "type": "Globaldomain" } } 
@@ -2716,24 +2716,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Ldapdomain\" object=\"domain_154955334798\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"description ['some description' to 'updated'], snAttribute ['' to 'updated']\"", "event": { "action": "Ldapdomain", - "reason": "description ['some description' to 'updated'], snAttribute ['' to 'updated']", "kind": "event", + "provider": "wabengine", + "reason": "description ['some description' to 'updated'], snAttribute ['' to 'updated']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "domain_154955334798", - "type": "Ldapdomain", - "action": "edit" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2742,6 +2730,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "edit", + "object": "domain_154955334798", + "type": "Ldapdomain" } } @@ -2756,24 +2756,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Localdomain\" object=\"local1\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"adminAccount ['None' to 'account_154954837938...']\"", "event": { "action": "Localdomain", - "reason": "adminAccount ['None' to 'account_154954837938...']", "kind": "event", + "provider": "wabengine", + "reason": "adminAccount ['None' to 'account_154954837938...']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "local1", - "type": "Localdomain", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -2782,6 +2770,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "local1", + "type": "Localdomain" } } @@ -2794,26 +2794,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[wabaudit] action=\"edit\" type=\"Notification\" object=\"notification_154955216694\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"flag ['16' to '0']\"", - "event": { - "action": "Notification", - "reason": "flag ['16' to '0']", - "kind": "event", - "type": [ - "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "notification_154955216694", - "type": "Notification", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + "event": { + "action": "Notification", + "kind": "event", + "provider": "wabengine", + "reason": "flag ['16' to '0']", + "type": [ + "change" + ] }, "related": { "ip": [ @@ -2822,6 +2810,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "notification_154955216694", + "type": "Notification" } } @@ -2837,22 +2837,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Profile", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "profile_154954927022", - "type": "Profile", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -2861,6 +2849,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "profile_154954927022", + "type": "Profile" } } @@ -2875,24 +2875,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"PwdPolicy\" object=\"default\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']\"", "event": { "action": "PwdPolicy", - "reason": "pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']", "kind": "event", + "provider": "wabengine", + "reason": "pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "default", - "type": "PwdPolicy", - "action": "edit" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2901,6 +2889,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "edit", + "object": "default", + "type": "PwdPolicy" } } 
@@ -2915,23 +2915,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Recording Options\" user=\"admin\" client_ip=\"10.10.43.28\" infos=\"Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']\"", "event": { "action": "Recording Options", - "reason": "Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']", "kind": "event", + "provider": "wabengine", + "reason": "Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "Recording Options", - "action": "edit" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.43.28", - "address": "10.10.43.28" + ] }, "related": { "ip": [ @@ -2940,6 +2929,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.43.28", + "ip": "10.10.43.28" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "edit", + "type": "Recording Options" } } @@ -2955,22 +2955,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Service", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "device_154954931097:ssh", - "type": "Service", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -2979,6 +2967,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "device_154954931097:ssh", + "type": "Service" } } 
@@ -2993,24 +2993,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Targetgroup\" object=\"target_group_154954945465\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"Description ['some desc' to 'some other desc']\"", "event": { "action": "Targetgroup", - "reason": "Description ['some desc' to 'some other desc']", "kind": "event", + "provider": "wabengine", + "reason": "Description ['some desc' to 'some other desc']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "target_group_154954945465", - "type": "Targetgroup", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3019,6 +3007,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "target_group_154954945465", + "type": "Targetgroup" } } @@ -3034,22 +3034,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "TimeFrame", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "timeframe_154954954305", - "type": "TimeFrame", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3058,6 +3046,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "timeframe_154954954305", + "type": "TimeFrame" } } 
@@ -3072,24 +3072,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"User\" object=\"user_154954924239\" user=\"user_154954924239\" client_ip=\"10.10.45.212\" infos=\"email ['qa-notify@wallix.com...' to 'qa-notify+1@wallix.c...']\"", "event": { "action": "User", - "reason": "email ['qa-notify@wallix.com...' to 'qa-notify+1@wallix.c...']", "kind": "event", + "provider": "wabengine", + "reason": "email ['qa-notify@wallix.com...' to 'qa-notify+1@wallix.c...']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "user_154954924239", - "type": "User", - "action": "edit" - }, - "user": { - "name": "user_154954924239" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3098,6 +3086,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user_154954924239" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "user_154954924239" + }, + "wallix": { + "action": "edit", + "object": "user_154954924239", + "type": "User" } } @@ -3112,24 +3112,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"UserAuth\" object=\"auth_LDAP_154955202505\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"description ['None' to 'updated while used b...']\"", "event": { "action": "UserAuth", - "reason": "description ['None' to 'updated while used b...']", "kind": "event", + "provider": "wabengine", + "reason": "description ['None' to 'updated while used b...']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "auth_LDAP_154955202505", - "type": "UserAuth", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ 
@@ -3138,6 +3126,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "auth_LDAP_154955202505", + "type": "UserAuth" } } @@ -3152,24 +3152,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Usergroup\" object=\"user_group_154954965326\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"Description ['some desc' to 'some other desc']\"", "event": { "action": "Usergroup", - "reason": "Description ['some desc' to 'some other desc']", "kind": "event", + "provider": "wabengine", + "reason": "Description ['some desc' to 'some other desc']", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "user_group_154954965326", - "type": "Usergroup", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3178,6 +3166,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "user_group_154954965326", + "type": "Usergroup" } } 
@@ -3192,23 +3192,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [file updated]\"", "event": { "action": "X509 Parameters", - "reason": "CRL [file updated]", "kind": "event", + "provider": "wabengine", + "reason": "CRL [file updated]", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "X509 Parameters", - "action": "edit" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + ] }, "related": { "ip": [ @@ -3217,6 +3206,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "edit", + "type": "X509 Parameters" } } @@ -3232,22 +3232,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Account", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "account_154954837938@local1@application_154954837837", - "type": "Account", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3256,6 +3244,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "account_154954837938@local1@application_154954837837", + "type": "Account" } } 
@@ -3271,22 +3271,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Application", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "application_154954842057", - "type": "Application", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3295,6 +3283,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "application_154954842057", + "type": "Application" } } @@ -3307,26 +3307,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[wabaudit] action=\"edit\" type=\"Approval\" object=\"\\n\" user=\"QA_USER_APPROVER_1\" client_ip=\"10.10.45.212\" infos=\"status ['3' to '1']\"", - "event": { - "action": "Approval", - "reason": "status ['3' to '1']", - "kind": "event", - "type": [ - "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "\\n", - "type": "Approval", - "action": "edit" - }, - "user": { - "name": "QA_USER_APPROVER_1" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + "event": { + "action": "Approval", + "kind": "event", + "provider": "wabengine", + "reason": "status ['3' to '1']", + "type": [ + "change" + ] }, "related": { "ip": [ @@ -3335,6 +3323,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_USER_APPROVER_1" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_USER_APPROVER_1" + }, + "wallix": { + "action": "edit", + "object": "\\n", + "type": "Approval" } } 
@@ -3350,22 +3350,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Authorization", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "user_group_154954869778:target_group_154954869779", - "type": "Authorization", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3374,6 +3362,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "user_group_154954869778:target_group_154954869779", + "type": "Authorization" } } @@ -3389,22 +3389,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CheckoutPolicy", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "checkout_policy_154954875282", - "type": "CheckoutPolicy", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3413,6 +3401,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "checkout_policy_154954875282", + "type": "CheckoutPolicy" } } 
@@ -3428,22 +3428,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Cluster", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "cluster_154954878267", - "type": "Cluster", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3452,6 +3440,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "cluster_154954878267", + "type": "Cluster" } } @@ -3467,22 +3467,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Device", "kind": "event", + "provider": "wabengine", "type": [ "change" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "device_154954892089", - "type": "Device", - "action": "edit" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3491,6 +3479,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "edit", + "object": "device_154954892089", + "type": "Device" } } 
@@ -3506,22 +3506,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "accountactivity", "kind": "event", + "provider": "wabengine", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "object": "168c1c48f141e911005056b60af6", - "type": "accountactivity", - "action": "list" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "10.10.43.84", - "address": "10.10.43.84" + ] }, "related": { "ip": [ @@ -3530,6 +3518,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "10.10.43.84", + "ip": "10.10.43.84" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "list", + "object": "168c1c48f141e911005056b60af6", + "type": "accountactivity" } } @@ -3545,21 +3545,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Approval", "kind": "event", + "provider": "wabengine", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "Approval", - "action": "list" - }, - "user": { - "name": "QA_ADMIN" - }, - "source": { - "ip": "10.10.45.212", - "address": "10.10.45.212" + ] }, "related": { "ip": [ @@ -3568,6 +3557,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "QA_ADMIN" ] + }, + "source": { + "address": "10.10.45.212", + "ip": "10.10.45.212" + }, + "user": { + "name": "QA_ADMIN" + }, + "wallix": { + "action": "list", + "type": "Approval" } } 
@@ -3582,26 +3582,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"sessionlog\" user=\"OPERATOR\" client_ip=\"127.0.0.1\" infos=\"Current sessions\"", "event": { "action": "sessionlog", - "reason": "Current sessions", - "kind": "event", "category": [ "authentication" ], + "kind": "event", + "provider": "wabengine", + "reason": "Current sessions", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "sessionlog", - "action": "list" - }, - "user": { - "name": "OPERATOR" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + ] }, "related": { "ip": [ @@ -3610,6 +3599,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "OPERATOR" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "name": "OPERATOR" + }, + "wallix": { + "action": "list", + "type": "sessionlog" } } @@ -3624,23 +3624,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"restore\" type=\"Backup/Restore\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' restored]\"", "event": { "action": "Backup/Restore", - "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' restored]", - "kind": "event", "category": [ "database" ], - "provider": "wabengine" - }, - "wallix": { - "type": "Backup/Restore", - "action": "restore" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "192.168.0.12", - "address": "192.168.0.12" + "kind": "event", + "provider": "wabengine", + "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' restored]" }, "related": { "ip": [ 
@@ -3649,6 +3638,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "restore", + "type": "Backup/Restore" } } @@ -3664,21 +3664,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Approvals", "kind": "event", + "provider": "wabengine", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "Approvals", - "action": "list" - }, - "user": { - "name": "OPERATOR" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + ] }, "related": { "ip": [ @@ -3687,6 +3676,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "OPERATOR" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "name": "OPERATOR" + }, + "wallix": { + "action": "list", + "type": "Approvals" } } @@ -3700,21 +3700,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[wabauth] action=\"authentify\" user=\"admin\" client_ip=\"1.1.1.1\" status=\"success\" infos=\"diagnostic [Authentication success: identified with local(LOCAL), authentified with: API key Bastion(APIKEY).]\"", "event": { - "reason": "diagnostic [Authentication success: identified with local(LOCAL), authentified with: API key Bastion(APIKEY).]", - "kind": "event", "category": [ "authentication" - ] - }, - "wallix": { - "action": "authentify" - }, - "user": { - "name": "admin" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + ], + "kind": "event", + "reason": "diagnostic [Authentication success: identified with local(LOCAL), authentified with: API key Bastion(APIKEY).]" }, "related": { "ip": [ 
@@ -3723,6 +3713,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "admin" + }, + "wallix": { + "action": "authentify" } } @@ -3736,25 +3736,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "action=\"authentify\" user=\"username123\" client_ip=\"1.1.1.1\" status=\"failure\" infos=\"diagnostic [Authentication failed]", "event": { - "reason": "\"diagnostic [Authentication failed]", - "kind": "event", "category": [ "authentication" ], + "kind": "event", + "reason": "\"diagnostic [Authentication failed]", "type": [ "denied" ] }, - "wallix": { - "action": "authentify" - }, - "user": { - "name": "username123" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "ip": [ "1.1.1.1" @@ -3762,6 +3752,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "username123" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "username123" + }, + "wallix": { + "action": "authentify" } } @@ -3776,26 +3776,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"sessionlog\" user=\"OPERATOR\" client_ip=\"127.0.0.1\" infos=\"Closed sessions, Sessionlogs newly terminated\"\n", "event": { "action": "sessionlog", - "reason": "Closed sessions, Sessionlogs newly terminated", - "kind": "event", "category": [ "authentication" ], + "kind": "event", + "provider": "wabengine", + "reason": "Closed sessions, Sessionlogs newly terminated", "type": [ "access" - ], - "provider": "wabengine" - }, - "wallix": { - "type": "sessionlog", - "action": "list" - }, - "user": { - "name": "OPERATOR" - }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + ] }, "related": { "ip": [ 
@@ -3804,6 +3793,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "OPERATOR" ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "user": { + "name": "OPERATOR" + }, + "wallix": { + "action": "list", + "type": "sessionlog" } } @@ -3817,25 +3817,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "[wabauth] action=\"authentify\" user=\"username123\" client_ip=\"1.1.1.1\" status=\"failure\" infos=\"diagnostic [Authentication failed]", "event": { - "reason": "\"diagnostic [Authentication failed]", - "kind": "event", "category": [ "authentication" ], + "kind": "event", + "reason": "\"diagnostic [Authentication failed]", "type": [ "denied" ] }, - "wallix": { - "action": "authentify" - }, - "user": { - "name": "username123" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "ip": [ "1.1.1.1" @@ -3843,6 +3833,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "username123" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "name": "username123" + }, + "wallix": { + "action": "authentify" } } diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index ab2bad2885..4b2883cda0 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md 
@@ -35,38 +35,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org ad97ec2b41c342ebbb1fec1fc283fff3: - - - 5.6.7.8 - - [23/May/2023:14:24:09 +0200] \"GET /path/ape/logo.png HTTP/1.1\" 404 1245 \"https://referer.example.com/\" \"Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1\"", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "event", "category": [ "web" ], + "dataset": "ubika-waf", + "kind": "event", + "module": "ubika.waf", "type": [ "access" ] }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" - }, "@timestamp": "2023-05-23T12:24:09Z", - "source": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "user_agent": { - "original": "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1", - "device": { - "name": "iPad" - }, - "name": "Chrome Mobile iOS", - "version": "113.0.5672", - "os": { - "name": "iOS", - "version": "16.5" - } - }, "http": { "request": { "method": "GET", @@ -79,9 +58,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 404 } }, - "url": { - "original": "/path/ape/logo.png", - "path": "/path/ape/logo.png" + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "ip": [ + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" }, "ubika": { "waap": { 
@@ -90,10 +79,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "related": { - "ip": [ - "5.6.7.8" - ] + "url": { + "original": "/path/ape/logo.png", + "path": "/path/ape/logo.png" + }, + "user_agent": { + "device": { + "name": "iPad" + }, + "name": "Chrome Mobile iOS", + "original": "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1", + "os": { + "name": "iOS", + "version": "16.5" + }, + "version": "113.0.5672" } } @@ -107,37 +107,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "5.6.7.8 - - [23/May/2023:14:24:09 +0200] \"GET /path/ape/logo.png HTTP/1.1\" 404 1245 \"https://referer.example.com/\" \"Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1\"", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "event", "category": [ "web" ], + "dataset": "ubika-waf", + "kind": "event", + "module": "ubika.waf", "type": [ "access" ] }, - "observer": { - "vendor": "Ubika", - "product": "Ubika WAAP" - }, "@timestamp": "2023-05-23T12:24:09Z", - "source": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "user_agent": { - "original": "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1", - "device": { - "name": "iPad" - }, - "name": "Chrome Mobile iOS", - "version": "113.0.5672", - "os": { - "name": "iOS", - "version": "16.5" - } - }, "http": { "request": { "method": "GET", 
@@ -150,14 +130,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 404 } }, - "url": { - "original": "/path/ape/logo.png", - "path": "/path/ape/logo.png" + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" }, "related": { "ip": [ "5.6.7.8" ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "url": { + "original": "/path/ape/logo.png", + "path": "/path/ape/logo.png" + }, + "user_agent": { + "device": { + "name": "iPad" + }, + "name": "Chrome Mobile iOS", + "original": "Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/113.0.5672.121 Mobile/15E148 Safari/604.1", + "os": { + "name": "iOS", + "version": "16.5" + }, + "version": "113.0.5672" } } 
@@ -171,56 +171,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"2576cdd6c17d441234567891234\",\"@timestamp\":\"1688012345678\",\"timestamp\":\"1688012345678\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"monespacetest.com\"},{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"User-Agent\",\"value\":\"ContentSquare Static Resource Scraper\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip,deflate\"},{\"key\":\"X-Forwarded-For\",\"value\":\"1.2.3.4\"}],\"hostname\":\"monespacetest.com\",\"ipDst\":\"1.2.3.4\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/redirect\",\"portDst\":443,\"protocol\":\"HTTP/1.1\",\"query\":\"token=123456789123456789\",\"requestUid\":\"ZJ1EyTzEESxHZlPdslM1MgAAAQw\"},\"context\":{\"tags\":\"\",\"applianceName\":\"zzzzz.test\",\"applianceUid\":\"bde804caa644121234567891234567\",\"backendHost\":\"monespacetest.com\",\"backendPort\":443,\"reverseProxyName\":\"Rp-test-02\",\"reverseProxyUid\":\"61d95350a8f99874123456789\",\"tunnelName\":\"NEC PROD v10 #1\",\"tunnelUid\":\"317a891996f275b12345678912345\",\"workflowName\":\"Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter\",\"workflowUid\":\"f00058d7c75c34e123456789987654\"},\"events\":[{\"eventUid\":\"fe767ff2e8574789941b998e6\",\"tokens\":{\"date\":14012345678999,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses 
cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ContentSquare Static Resource Scraper\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"43333333333333333333\",\"botMitigationConfigurationName\":\"PREVOIR Bot mitigation Configuration\"}}]}", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "alert", "category": [ "threat" ], + "dataset": "ubika-waf", + "kind": "alert", + "module": "ubika.waf", + "provider": "Bot Mitigation", "type": [ "indicator" - ], - "provider": "Bot Mitigation" - }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" + ] }, "@timestamp": "2023-06-29T04:19:05.678000Z", - "host": { - "name": "monespacetest.com" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 443, - "address": "1.2.3.4" + "port": 443 }, - "user_agent": { - "original": "ContentSquare Static Resource Scraper", - "device": { - "name": "Spider" - }, - "name": "Resource Scraper", - "os": { - "name": "Other" - } + "host": { + "name": "monespacetest.com" }, "http": { "request": { "method": "GET" } }, - "url": { - "path": "/redirect", - "query": "token=123456789123456789", - "domain": "monespacetest.com", - "top_level_domain": "com", - "registered_domain": "monespacetest.com" + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "hosts": [ + "monespacetest.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "description": "Basic bot detected" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "indicator": { + "type": "Bots and Web Scraping" + } }, "ubika": { "waap": { 
@@ -234,24 +233,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "rule": { - "description": "Basic bot detected" - }, - "vulnerability": { - "id": "CWE-799" + "url": { + "domain": "monespacetest.com", + "path": "/redirect", + "query": "token=123456789123456789", + "registered_domain": "monespacetest.com", + "top_level_domain": "com" }, - "threat": { - "indicator": { - "type": "Bots and Web Scraping" + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "Resource Scraper", + "original": "ContentSquare Static Resource Scraper", + "os": { + "name": "Other" } }, - "related": { - "ip": [ - "1.2.3.4" - ], - "hosts": [ - "monespacetest.com" - ] + "vulnerability": { + "id": "CWE-799" } } 
@@ -265,55 +265,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"ddf61af5388949b486059409e9a10d23\",\"@timestamp\":\"1570176199762\",\"timestamp\":\"1570176199762\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"\",\"requestUid\":\"e380e3bef3814649aebc50e940c8bf98\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - Bot Mitigation\",\"workflowUid\":\"8c73e669cea1a99016ccacb21eccfa69\"},\"events\":[{\"eventUid\":\"3ce7643dbe52433bb481ff8a401c6301\",\"tokens\":{\"date\":140422462751864,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses 
cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ApacheBench/2.3\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"0d990aa0b2f5265ad8ea74cc0e3e09f7\",\"botMitigationConfigurationName\":\"BM_conf\"}}]}", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "alert", "category": [ "threat" ], + "dataset": "ubika-waf", + "kind": "alert", + "module": "ubika.waf", + "provider": "Bot Mitigation", "type": [ "indicator" - ], - "provider": "Bot Mitigation" - }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" + ] }, "@timestamp": "2019-10-04T08:03:19.762000Z", - "host": { - "name": "example.org" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 80, - "address": "5.6.7.8" + "port": 80 }, - "user_agent": { - "original": "ApacheBench/2.3", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Other" - } + "host": { + "name": "example.org" }, "http": { "request": { "method": "GET" } }, - "url": { - "path": "/", - "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "description": "Basic bot detected" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "indicator": { + "type": "Bots and Web Scraping" + } }, "ubika": { "waap": { 
@@ -327,25 +328,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "rule": { - "description": "Basic bot detected" - }, - "vulnerability": { - "id": "CWE-799" + "url": { + "domain": "example.org", + "path": "/", + "registered_domain": "example.org", + "top_level_domain": "org" }, - "threat": { - "indicator": { - "type": "Bots and Web Scraping" + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "ApacheBench/2.3", + "os": { + "name": "Other" } }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "hosts": [ - "example.org" - ] + "vulnerability": { + "id": "CWE-799" } } 
@@ -359,55 +359,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 
--\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "alert", "category": [ "threat" ], + "dataset": "ubika-waf", + "kind": "alert", + "module": "ubika.waf", + "provider": "ICX Engine", "type": [ "indicator" - ], - "provider": "ICX Engine" - }, - "observer": { - "vendor": "Ubika", - "product": "Ubika WAAP" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", - "host": { - "name": "example.org" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 80, - "address": "5.6.7.8" + "port": 80 }, - "user_agent": { - "original": "ApacheBench/2.3", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Other" - } + "host": { + "name": "example.org" }, "http": { "request": { "method": "GET" } }, - "url": { - "path": "/afs/login", - "query": "username=test&passwd=*****", - "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "description": "ICX Engine: SQL Injection in Var_GET 'passwd'", + "id": "fbfb5aec58e3ff3bea900f646351cc30", + "name": "Default policy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "indicator": { + "type": "SQL Injection" + } }, "ubika": { "waap": { 
@@ -421,27 +423,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "rule": { - "name": "Default policy", - "id": "fbfb5aec58e3ff3bea900f646351cc30", - "description": "ICX Engine: SQL Injection in Var_GET 'passwd'" - }, - "vulnerability": { - "id": "CWE-89" + "url": { + "domain": "example.org", + "path": "/afs/login", + "query": "username=test&passwd=*****", + "registered_domain": "example.org", + "top_level_domain": "org" }, - "threat": { - "indicator": { - "type": "SQL Injection" + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "ApacheBench/2.3", + "os": { + "name": "Other" } }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "hosts": [ - "example.org" - ] + "vulnerability": { + "id": "CWE-89" } } 
@@ -455,55 +455,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 
--\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "alert", "category": [ "threat" ], + "dataset": "ubika-waf", + "kind": "alert", + "module": "ubika.waf", + "provider": "ICX Engine", "type": [ "indicator" - ], - "provider": "ICX Engine" - }, - "observer": { - "vendor": "Ubika", - "product": "Ubika WAAP" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", - "host": { - "name": "example.org" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 80, - "address": "5.6.7.8" + "port": 80 }, - "user_agent": { - "original": "ApacheBench/2.3", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Other" - } + "host": { + "name": "example.org" }, "http": { "request": { "method": "GET" } }, - "url": { - "path": "/afs/login", - "query": "username=test&passwd=*****", - "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "description": "ICX Engine: SQL Injection in Var_GET 'passwd'", + "id": "fbfb5aec58e3ff3bea900f646351cc30", + "name": "Default policy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "threat": { + "indicator": { + "type": "SQL Injection" + } }, "ubika": { "waap": { 
@@ -517,27 +519,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "rule": { - "name": "Default policy", - "id": "fbfb5aec58e3ff3bea900f646351cc30", - "description": "ICX Engine: SQL Injection in Var_GET 'passwd'" - }, - "vulnerability": { - "id": "CWE-89" + "url": { + "domain": "example.org", + "path": "/afs/login", + "query": "username=test&passwd=*****", + "registered_domain": "example.org", + "top_level_domain": "org" }, - "threat": { - "indicator": { - "type": "SQL Injection" + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "ApacheBench/2.3", + "os": { + "name": "Other" } }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "hosts": [ - "example.org" - ] + "vulnerability": { + "id": "CWE-89" } } 
@@ -551,52 +551,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"fe79950502024cf1951504b01b28cb60\",\"@timestamp\":\"1570179501178\",\"timestamp\":\"1570179501178\",\"request\":{\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0\"},{\"key\":\"Accept\",\"value\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},{\"key\":\"Accept-Language\",\"value\":\"en-US,en;q=0.5\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip, deflate\"},{\"key\":\"Content-Type\",\"value\":\"application/x-www-form-urlencoded\"},{\"key\":\"Content-Length\",\"value\":\"45\"},{\"key\":\"Connection\",\"value\":\"keep-alive\"},{\"key\":\"Referer\",\"value\":\"http://example.org/auth/login\"},{\"key\":\"Upgrade-Insecure-Requests\",\"value\":\"1\"}],\"hostname\":\"example.org\",\"ipSrc\":\"1.2.3.4\",\"method\":\"POST\",\"path\":\"/auth/authentication\",\"query\":\"username=test&context=111111111\",\"requestUid\":\"6bf5057e1ad64b1c99ee6ad8c21f098e\"},\"context\":{\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - WAM\",\"workflowUid\":\"061b2aaca542ad07e9873fcb6f3e2a85\"},\"events\":[{\"eventUid\":\"90e826d3889443b286ab4fdd4854d379\",\"eventType\":1,\"eventDetails\":\"Perimeter authentication failed\",\"userId\":\"user1\",\"sessionId\":\"5jfh2myazzq6l6gjmz9qtabw4e\",\"resource\":\"Perim1\",\"ticketId\":\"\",\"logindate\":1570179496322223,\"expiredate\":1570183101178725}]}", "event": { - "dataset": "ubika-waf", - "module": "ubika.waf", - "kind": "alert", "category": [ "threat" ], 
+ "dataset": "ubika-waf", + "kind": "alert", + "module": "ubika.waf", "type": [ "indicator" ] }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" - }, "@timestamp": "2019-10-04T08:58:21.178000Z", "host": { "name": "example.org" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0", - "device": { - "name": "Other" - }, - "name": "Firefox", - "version": "69.0", - "os": { - "name": "Fedora" - } - }, "http": { "request": { "method": "POST", "referrer": "http://example.org/auth/login" } }, - "url": { - "path": "/auth/authentication", - "query": "username=test&context=111111111", - "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "ubika": { "waap": { @@ -610,13 +600,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "related": { - "ip": [ - "1.2.3.4" - ], - "hosts": [ - "example.org" - ] + "url": { + "domain": "example.org", + "path": "/auth/authentication", + "query": "username=test&context=111111111", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0", + "os": { + "name": "Fedora" + }, + "version": "69.0" } } diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md index 03e416a2b5..7e0d39e8c0 100644 
--- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md +++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md @@ -37,26 +37,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE03.LOCAL: Mar 6 2023 08:04:45.866 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down", "event": { - "kind": "event", + "action": "down", "category": [ "host" ], - "severity": 5, "code": "UPDOWN", + "kind": "event", "reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to down", - "action": "down", + "severity": 5, "type": [ "info" ] }, "@timestamp": "2023-03-06T07:04:45.866000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE03.LOCAL" - }, "cisco": { "ios": { "event": { @@ -68,6 +61,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "host": { + "name": "FE03.LOCAL" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" } } @@ -81,26 +81,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "STN01.LOCAL: Mar 6 2023 08:04:45.866 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up", "event": { - "kind": "event", + "action": "up", "category": [ "host" ], - "severity": 5, "code": "UPDOWN", + "kind": "event", "reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to up", - "action": "up", + "severity": 5, "type": [ "info" ] }, "@timestamp": "2023-03-06T07:04:45.866000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "STN01.LOCAL" - }, "cisco": { "ios": { "event": { 
@@ -112,6 +105,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "host": { + "name": "STN01.LOCAL" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" } } @@ -125,26 +125,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE05: Mar 6 2023 08:04:45.866: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/13, changed state to down", "event": { - "kind": "event", + "action": "down", "category": [ "host" ], - "severity": 3, "code": "UPDOWN", + "kind": "event", "reason": "Interface GigabitEthernet2/0/13, changed state to down", - "action": "down", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-03-06T08:04:45.866000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE05" - }, "cisco": { "ios": { "event": { @@ -156,6 +149,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "host": { + "name": "FE05" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" } } @@ -169,26 +169,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE05: Mar 6 2023 08:04:45.866: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/25, changed state to up", "event": { - "kind": "event", + "action": "up", "category": [ "host" ], - "severity": 3, "code": "UPDOWN", + "kind": "event", "reason": "Interface GigabitEthernet2/0/25, changed state to up", - "action": "up", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-03-06T08:04:45.866000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE05" - }, "cisco": { "ios": { "event": { @@ -200,6 +193,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "host": { + "name": "FE05" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" } } 
@@ -213,34 +213,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE08: Jan 13 2023 10:16:05.33: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 1.2.3.4] [localport: 22] at 10:16:05 GMT Fri Jan 13 2023", "event": { - "kind": "event", "category": [ "host" ], - "severity": 5, "code": "LOGIN_SUCCESS", + "kind": "event", "reason": "Login Success [user: jdoe] [Source: 1.2.3.4] [localport: 22] at 10:16:05 GMT Fri Jan 13 2023", + "severity": 5, "type": [ "access", "start" ] }, "@timestamp": "2023-01-13T10:16:05.330000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE08" - }, - "source": { - "ip": "1.2.3.4", - "port": 22, - "address": "1.2.3.4" - }, - "user": { - "name": "jdoe" - }, "cisco": { "ios": { "event": { @@ -248,6 +233,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "host": { + "name": "FE08" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + }, "related": { "ip": [ "1.2.3.4" @@ -255,6 +247,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jdoe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 22 + }, + "user": { + "name": "jdoe" } } @@ -268,31 +268,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE08: Jan 13 2023 10:16:05.33: %SYS-3-LOGGINGHOST_FAIL: Logging to host 3.2.4.5 port 514 failed", "event": { - "kind": "event", "category": [ "host" ], - "severity": 3, "code": "LOGGINGHOST_FAIL", + "kind": "event", "reason": "Logging to host 3.2.4.5 port 514 failed", + "severity": 3, "type": [ "access", "end" ] }, "@timestamp": "2023-01-13T10:16:05.330000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE08" - }, - "destination": { - "ip": "3.2.4.5", - "port": 514, - "address": "3.2.4.5" - }, "cisco": { "ios": { "event": { 
@@ -300,6 +288,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "3.2.4.5", + "ip": "3.2.4.5", + "port": 514 + }, + "host": { + "name": "FE08" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + }, "related": { "ip": [ "3.2.4.5" @@ -317,33 +317,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE08: Jan 13 2023 10:16:05.33: %SYS-6-LOGOUT: User jdoe has exited tty session 2(1.2.3.4)", "event": { - "kind": "event", "category": [ "host" ], - "severity": 6, "code": "LOGOUT", + "kind": "event", "reason": "User jdoe has exited tty session 2(1.2.3.4)", + "severity": 6, "type": [ "access", "end" ] }, "@timestamp": "2023-01-13T10:16:05.330000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE08" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "jdoe" - }, "cisco": { "ios": { "event": { @@ -354,6 +340,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "host": { + "name": "FE08" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + }, "related": { "ip": [ "1.2.3.4" @@ -361,6 +354,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jdoe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" } } 
@@ -374,33 +374,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "DN04.LOCAL: Feb 21 06:59:55.692: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/9 and port Gi2/0/9", "event": { - "kind": "event", "category": [ "host" ], - "severity": 4, "code": "MACFLAP_NOTIF", + "kind": "event", "reason": "Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/9 and port Gi2/0/9", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-02-21T06:59:55.692000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "DN04.LOCAL" - }, - "source": { - "mac": "00:11:22:33:44:55" - }, - "network": { - "vlan": { - "id": "20" - } - }, "cisco": { "ios": { "event": { @@ -415,6 +400,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } + }, + "host": { + "name": "DN04.LOCAL" + }, + "network": { + "vlan": { + "id": "20" + } + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + }, + "source": { + "mac": "00:11:22:33:44:55" } } @@ -428,32 +428,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FE08: Jan 13 2023 10:16:05.33: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 2 (1.2.3.4)), user jdoe", "event": { - "kind": "event", "category": [ "host" ], - "severity": 6, "code": "TTY_EXPIRE_TIMER", + "kind": "event", "reason": "(exec timer expired, tty 2 (1.2.3.4)), user jdoe", + "severity": 6, "type": [ "info" ] }, "@timestamp": "2023-01-13T10:16:05.330000Z", - "observer": { - "vendor": "Cisco", - "product": "ios" - }, - "host": { - "name": "FE08" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "jdoe" - }, "cisco": { "ios": { "event": { 
@@ -464,6 +450,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "host": { + "name": "FE08" + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + }, "related": { "ip": [ "1.2.3.4" @@ -471,6 +464,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jdoe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" } } diff --git a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md index 9a398b485a..dca9a475ec 100644 --- a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md +++ b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md @@ -51,18 +51,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, - "user": { - "email": "john.doe@example.org", - "id": "042fb38530054d63921f9ca81a33d5d2" - }, - "source": { - "ip": "78.197.123.35", - "address": "78.197.123.35" - }, "cloudflare": { "ActionResult": true, "ActorType": "user", @@ -71,10 +59,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ResourceID": "09cec157-0de7-4143-8c08-d905c6e1be76", "ResourceType": "gateway.rule" }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" + }, "related": { "ip": [ "78.197.123.35" ] + }, + "source": { + "address": "78.197.123.35", + "ip": "78.197.123.35" + }, + "user": { + "email": "john.doe@example.org", + "id": "042fb38530054d63921f9ca81a33d5d2" } } 
@@ -104,37 +104,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, - "user": { - "email": "john.doe@example.org", - "id": "042fb38530054d63921f9ca81a33d5d2" - }, - "source": { - "ip": "78.197.123.35", - "address": "78.197.123.35" - }, "cloudflare": { "ActionResult": true, "ActorType": "user", "ID": "5cd42473-600e-4610-a85e-ab194b8155ae", + "Interface": "UI", + "ResourceID": "a26c188f10c243338ed4c823fafa06f6", + "ResourceType": "gateway.location", "request_client_default": false, "request_name": "AWS VM", "request_networks": [ { "network": "15.188.186.81/32" } - ], - "Interface": "UI", - "ResourceID": "a26c188f10c243338ed4c823fafa06f6", - "ResourceType": "gateway.location" + ] + }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "ip": [ "78.197.123.35" ] + }, + "source": { + "address": "78.197.123.35", + "ip": "78.197.123.35" + }, + "user": { + "email": "john.doe@example.org", + "id": "042fb38530054d63921f9ca81a33d5d2" } } @@ -164,18 +164,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, - "user": { - "email": "john.doe@example.org", - "id": "042fb38530054d63921f9ca81a33d5d2" - }, - "source": { - "ip": "78.197.123.35", - "address": "78.197.123.35" - }, "cloudflare": { "ActorType": "user", "ID": "3cca43bb-2fb4-4acf-bfe8-06f12e3cce84", 
@@ -183,10 +171,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ResourceID": "1d1e650b3385b95db72bba7cfb1287e9", "ResourceType": "gateway.config" }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" + }, "related": { "ip": [ "78.197.123.35" ] + }, + "source": { + "address": "78.197.123.35", + "ip": "78.197.123.35" + }, + "user": { + "email": "john.doe@example.org", + "id": "042fb38530054d63921f9ca81a33d5d2" } } @@ -216,18 +216,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, - "user": { - "email": "john.doe@example.org", - "id": "042fb38530054d63921f9ca81a33d5d2" - }, - "source": { - "ip": "78.197.123.35", - "address": "78.197.123.35" - }, "cloudflare": { "ActionResult": true, "ActorType": "user", @@ -236,10 +224,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ResourceID": "184770", "ResourceType": "logpush job" }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" + }, "related": { "ip": [ "78.197.123.35" ] + }, + "source": { + "address": "78.197.123.35", + "ip": "78.197.123.35" + }, + "user": { + "email": "john.doe@example.org", + "id": "042fb38530054d63921f9ca81a33d5d2" } } 
@@ -269,32 +269,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, - "user": { - "email": "john.doe@example.org", - "id": "042fb38530054d63921f9ca81a33d5d2" - }, - "source": { - "ip": "78.197.123.35", - "address": "78.197.123.35" - }, "cloudflare": { "ActionResult": true, "ActorType": "user", "ID": "90c1f5cb-f7e0-48bf-9021-14cb2102a2e1", - "zone_tag": "284fc005c3dfd7e2f3c602aaa5dabac9", - "zone_name": "foo-bar-baz.xyz", "Interface": "UI", "ResourceID": "183719", - "ResourceType": "logpush job" + "ResourceType": "logpush job", + "zone_name": "foo-bar-baz.xyz", + "zone_tag": "284fc005c3dfd7e2f3c602aaa5dabac9" + }, + "observer": { + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "ip": [ "78.197.123.35" ] + }, + "source": { + "address": "78.197.123.35", + "ip": "78.197.123.35" + }, + "user": { + "email": "john.doe@example.org", + "id": "042fb38530054d63921f9ca81a33d5d2" } } diff --git a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md index 64f5cbb30e..8a6f869481 100644 --- a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md +++ b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md 
@@ -38,81 +38,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=\"2022-03-17 14:49:51\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-17 14:49:51\" pri=5 confid=01 slotlevel=5 ruleid=48 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=MGDFS-Proxy-02 srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=0.00 logtype=\"filter\"", "event": { - "start": "2022-03-17T13:49:51Z", - "kind": "event", "category": [ "network" ], + "duration": 0.0, + "kind": "event", + "risk_score": 5, + "start": "2022-03-17T13:49:51Z", + "timezone": "+0100", "type": [ "connection" - ], - "timezone": "+0100", - "risk_score": 5, - "duration": 0.0 - }, - "stormshield": { - "logtype": "filter", - "dstportname": "https", - "srcportname": "ephemeral_fw_tcp", - "slotlevel": 5, - "confid": 1 + ] }, "@timestamp": "2022-03-17T13:49:51Z", - "observer": { - "serial_number": "SN12345678912345", - "ingress": { - "interface": { - "name": "Ethernet3", - "alias": "in" - } - }, - "egress": { - "interface": { - "name": "Ethernet2", - "alias": "out" - } - } - }, - "network": { - "transport": "tcp", - "bytes": 0, - "protocol": "https", - "type": "4" - }, - "source": { - "ip": "55.66.77.88", - "port": 39618, - "mac": "00:00:00:00:00:00", - "address": "55.66.77.88" - }, "destination": { - "ip": "11.22.33.44", - "port": 443, + "address": "11.22.33.44", "geo": { "continent_name": "na", "country_iso_code": "us" }, - "address": "11.22.33.44" + "ip": "11.22.33.44", + "port": 443 }, "host": { "network": { - "ingress": { + "egress": { "bytes": 0 }, - "egress": { + "ingress": { "bytes": 0 } } }, - "rule": { - "id": "48", - "category": "5" + "network": { + "bytes": 0, + "protocol": "https", + "transport": "tcp", + "type": "4" + }, + "observer": { + "egress": { + 
"interface": { + "alias": "out", + "name": "Ethernet2" + } + }, + "ingress": { + "interface": { + "alias": "in", + "name": "Ethernet3" + } + }, + "serial_number": "SN12345678912345" }, "related": { "ip": [ "11.22.33.44", "55.66.77.88" ] + }, + "rule": { + "category": "5", + "id": "48" + }, + "source": { + "address": "55.66.77.88", + "ip": "55.66.77.88", + "mac": "00:00:00:00:00:00", + "port": 39618 + }, + "stormshield": { + "confid": 1, + "dstportname": "https", + "logtype": "filter", + "slotlevel": 5, + "srcportname": "ephemeral_fw_tcp" } } 
@@ -126,85 +126,85 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=\"2022-03-03 14:21:10\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-03 14:21:10\" pri=5 confid=01 slotlevel=2 ruleid=100 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=DLEM-AMPD02 srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype=\"filter\"", "event": { - "start": "2022-03-03T13:21:10Z", - "kind": "event", "category": [ "network" ], + "duration": 2000000000.0, + "kind": "event", + "risk_score": 5, + "start": "2022-03-03T13:21:10Z", + "timezone": "+0100", "type": [ "connection" - ], - "timezone": "+0100", - "risk_score": 5, - "duration": 2000000000.0 - }, - "stormshield": { - "logtype": "filter", - "dstname": "example_dest", - "dstportname": "https", - "srcportname": "ad2009-dyn_tcp", - "slotlevel": 2, - "confid": 1, - "filter": { - "action": "pass" - } + ] }, "@timestamp": "2022-03-03T13:21:10Z", - "observer": { - "serial_number": "SN12345678912345", - "ingress": { - "interface": { - "name": "Ethernet3", - "alias": "in" - } - }, - "egress": { - "interface": { - "name": "Ethernet2", - "alias": "out" - } - } - }, - "network": { - "transport": "tcp", - "bytes": 0, - "protocol": "https", - "type": "4" - }, - "source": { - "ip": "42.123.123.123", - "port": 60355, - "mac": "00:00:00:00:00:00", - "address": "42.123.123.123" - }, "destination": { - "ip": "11.11.11.11", - "port": 443, + "address": "11.11.11.11", "geo": { "continent_name": "na", "country_iso_code": "us" }, - "address": "11.11.11.11" + "ip": "11.11.11.11", + "port": 443 }, "host": { "network": { - "ingress": { + "egress": { "bytes": 0 }, - "egress": { + "ingress": { "bytes": 0 } } }, - "rule": { - "id": "100", - "category": "2" + 
"network": { + "bytes": 0, + "protocol": "https", + "transport": "tcp", + "type": "4" + }, + "observer": { + "egress": { + "interface": { + "alias": "out", + "name": "Ethernet2" + } + }, + "ingress": { + "interface": { + "alias": "in", + "name": "Ethernet3" + } + }, + "serial_number": "SN12345678912345" }, "related": { "ip": [ "11.11.11.11", "42.123.123.123" ] + }, + "rule": { + "category": "2", + "id": "100" + }, + "source": { + "address": "42.123.123.123", + "ip": "42.123.123.123", + "mac": "00:00:00:00:00:00", + "port": 60355 + }, + "stormshield": { + "confid": 1, + "dstname": "example_dest", + "dstportname": "https", + "filter": { + "action": "pass" + }, + "logtype": "filter", + "slotlevel": 2, + "srcportname": "ad2009-dyn_tcp" } } 
@@ -218,87 +218,87 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "time=\"2022-03-16 19:36:03\" fw=\"SN12345678912345\" tz=+0100 startime=\"\" pri=5 confid=01 slotlevel=2 ruleid=103 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=11.11.11.11 srcport=49586 srcportname=ephemeral_fw_tcp srcname=foo_bar srcmac=00:00:00:00:00:00 srccontinent=\"na\" srccountry=\"us\" dst=22.22.22.22 dstport=443 dstportname=https dstcontinent=\"eu\" dstcountry=\"be\" modsrc=11.11.11.11 modsrcport=49586 origdst=22.22.22.22 origdstport=443 ipv=4 sent=2827291 rcvd=2728401 duration=107331.18 action=pass logtype=\"connection\"", "event": { - "kind": "event", "category": [ "network" ], + "duration": 107331180000000.0, + "kind": "event", + "risk_score": 5, + "timezone": "+0100", "type": [ "connection" - ], - "timezone": "+0100", - "risk_score": 5, - "duration": 107331180000000.0 - }, - "stormshield": { - "logtype": "connection", - "dstportname": "https", - "srcportname": "ephemeral_fw_tcp", - "slotlevel": 2, - "confid": 1, - "filter": { - "action": "pass" - } + ] }, "@timestamp": "2022-03-16T18:36:03Z", - "observer": { - "serial_number": "SN12345678912345", - "ingress": { - "interface": { - "name": "Ethernet3", - "alias": "in" - } - }, - "egress": { - "interface": { - "name": "Ethernet2", - "alias": "out" - } - } - }, - "network": { - "transport": "tcp", - "bytes": 5555692, - "protocol": "https", - "type": "4" - }, - "source": { - "ip": "11.11.11.11", - "port": 49586, - "mac": "00:00:00:00:00:00", - "geo": { - "continent_name": "na", - "country_iso_code": "us" - }, - "address": "11.11.11.11" - }, "destination": { - "ip": "22.22.22.22", - "port": 443, + "address": "22.22.22.22", "geo": { "continent_name": "eu", "country_iso_code": "be" }, - "address": "22.22.22.22" + "ip": "22.22.22.22", + "port": 443 }, "host": { "network": { - "ingress": { - "bytes": 2728401 - }, "egress": { "bytes": 2827291 + }, 
+ "ingress": { + "bytes": 2728401 } } }, - "rule": { - "id": "103", - "category": "2" + "network": { + "bytes": 5555692, + "protocol": "https", + "transport": "tcp", + "type": "4" + }, + "observer": { + "egress": { + "interface": { + "alias": "out", + "name": "Ethernet2" + } + }, + "ingress": { + "interface": { + "alias": "in", + "name": "Ethernet3" + } + }, + "serial_number": "SN12345678912345" }, "related": { "ip": [ "11.11.11.11", "22.22.22.22" ] + }, + "rule": { + "category": "2", + "id": "103" + }, + "source": { + "address": "11.11.11.11", + "geo": { + "continent_name": "na", + "country_iso_code": "us" + }, + "ip": "11.11.11.11", + "mac": "00:00:00:00:00:00", + "port": 49586 + }, + "stormshield": { + "confid": 1, + "dstportname": "https", + "filter": { + "action": "pass" + }, + "logtype": "connection", + "slotlevel": 2, + "srcportname": "ephemeral_fw_tcp" } } diff --git a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md index 2e0d1c16b9..666522b91c 100644 --- a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md +++ b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md 
@@ -37,45 +37,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2021-01-28 13:46:08\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Root user=bob realm=\"SEKOIA_User\" roles=\"VDI-Pulse_User_Role\" proto=auth src=176.134.164.62 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT24804: Host Checker policy 'Sekoia_Host Checker' failed on host '176.134.164.62' address '00-d8-61-35-80-81' for user 'bob' reason 'Rule-Antivirus_Check:Le logiciel antivirus indiqu\u00e9 dans les exigences de s\u00e9curit\u00e9 n'est pas install\u00e9.'.\"", "event": { + "category": [ + "host" + ], "code": "AUT24804", "provider": "auth", + "reason": "Rule-Antivirus_Check:Le logiciel antivirus indiqu\u00e9 dans les exigences de s\u00e9curit\u00e9 n'est pas install\u00e9.", "type": [ "info" - ], - "category": [ - "host" - ], - "reason": "Rule-Antivirus_Check:Le logiciel antivirus indiqu\u00e9 dans les exigences de s\u00e9curit\u00e9 n'est pas install\u00e9." + ] }, "action": { "name": "AUT24804" }, - "network": { - "forwarded_ip": "172.16.128.22" - }, - "service": { - "name": "CB2XXPCS02", - "type": "vpn" - }, - "user": { - "name": "bob", - "domain": "SEKOIA_User", - "roles": [ - "VDI-Pulse_User_Role" - ] - }, - "observer": { - "ip": [ - "172.16.128.22" - ] - }, - "source": { - "ip": "176.134.164.62", - "address": "176.134.164.62" - }, - "rule": { - "name": "Sekoia_Host Checker" - }, "host": { "ip": [ "176.134.164.62" @@ -84,6 +58,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "00-d8-61-35-80-81" ] }, + "network": { + "forwarded_ip": "172.16.128.22" + }, + "observer": { + "ip": [ + "172.16.128.22" + ] + }, "related": { "ip": [ "172.16.128.22", 
@@ -92,6 +74,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "bob" ] + }, + "rule": { + "name": "Sekoia_Host Checker" + }, + "service": { + "name": "CB2XXPCS02", + "type": "vpn" + }, + "source": { + "address": "176.134.164.62", + "ip": "176.134.164.62" + }, + "user": { + "domain": "SEKOIA_User", + "name": "bob", + "roles": [ + "VDI-Pulse_User_Role" + ] } } @@ -105,45 +105,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2021-01-28 13:46:05\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Root user=alice realm=\"SEKOIA_User\" roles=\"SEKOIA_User_Role\" proto=auth src=19.160.74.9 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT24803: Host Checker policy 'Sekoia_Host Checker' passed on host '19.160.74.9' address '60-f2-62-ea-2d-a1' for user 'alice'.\"", "event": { + "category": [ + "host" + ], "code": "AUT24803", "provider": "auth", + "reason": " Host Checker policy 'Sekoia_Host Checker' passed on host '19.160.74.9' address '60-f2-62-ea-2d-a1' for user 'alice'.", "type": [ "info" - ], - "reason": " Host Checker policy 'Sekoia_Host Checker' passed on host '19.160.74.9' address '60-f2-62-ea-2d-a1' for user 'alice'.", - "category": [ - "host" ] }, "action": { "name": "AUT24803" }, - "network": { - "forwarded_ip": "172.16.128.22" - }, - "service": { - "name": "CB2XXPCS02", - "type": "vpn" - }, - "user": { - "name": "alice", - "domain": "SEKOIA_User", - "roles": [ - "SEKOIA_User_Role" - ] - }, - "observer": { - "ip": [ - "172.16.128.22" - ] - }, - "source": { - "ip": "19.160.74.9", - "address": "19.160.74.9" - }, - "rule": { - "name": "Sekoia_Host Checker" - }, "host": { "ip": [ "19.160.74.9" 
@@ -152,6 +126,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "60-f2-62-ea-2d-a1" ] }, + "network": { + "forwarded_ip": "172.16.128.22" + }, + "observer": { + "ip": [ + "172.16.128.22" + ] + }, "related": { "ip": [ "172.16.128.22", @@ -160,6 +142,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "alice" ] + }, + "rule": { + "name": "Sekoia_Host Checker" + }, + "service": { + "name": "CB2XXPCS02", + "type": "vpn" + }, + "source": { + "address": "19.160.74.9", + "ip": "19.160.74.9" + }, + "user": { + "domain": "SEKOIA_User", + "name": "alice", + "roles": [ + "SEKOIA_User_Role" + ] } } @@ -173,14 +173,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2021-01-28 14:14:04\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Default Network user=bob realm=\"SEKOIA_User\" roles=\"\" proto=auth src=176.168.192.159 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT23457: Login failed using auth server RSA (ACE Server). Reason: Failed\"", "event": { + "category": [ + "authentication" + ], "code": "AUT23457", "provider": "auth", + "reason": " Login failed using auth server RSA (ACE Server). Reason: Failed", "type": [ "info" - ], - "reason": " Login failed using auth server RSA (ACE Server). Reason: Failed", - "category": [ - "authentication" ] }, "action": { @@ -189,23 +189,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "172.16.128.22" }, - "service": { - "name": "CB2XXPCS02", - "type": "vpn" - }, - "user": { - "name": "bob", - "domain": "SEKOIA_User" - }, "observer": { "ip": [ "172.16.128.22" ] }, - "source": { - "ip": "176.168.192.159", - "address": "176.168.192.159" - }, "related": { "ip": [ "172.16.128.22", 
@@ -214,6 +202,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "bob" ] + }, + "service": { + "name": "CB2XXPCS02", + "type": "vpn" + }, + "source": { + "address": "176.168.192.159", + "ip": "176.168.192.159" + }, + "user": { + "domain": "SEKOIA_User", + "name": "bob" } } @@ -227,14 +227,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 10:21:15\" pri=6 fw=3.4.5.6 vpn=EX023-V6 user=MYDomain\\\\johndoe realm=\"Example\" roles=\"Example_Sales\" type=mgmt proto=auth src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"AUT20920: Connection from IP 1.2.3.4 not authenticated yet (URL=/cgi/pal?tm=26&key=1234567890)\"\n", "event": { + "category": [ + "network" + ], "code": "AUT20920", "provider": "auth", + "reason": " Connection from IP 1.2.3.4 not authenticated yet (URL=/cgi/pal?tm=26&key=1234567890)", "type": [ "info" - ], - "reason": " Connection from IP 1.2.3.4 not authenticated yet (URL=/cgi/pal?tm=26&key=1234567890)", - "category": [ - "network" ] }, "action": { @@ -243,29 +243,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "MYDomain\\\\johndoe", - "domain": "Example", - "roles": [ - "Example_Sales" - ] - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "url": { - "path": "/cgi/pal?tm=26&key=1234567890" - }, "related": { "ip": [ "1.2.3.4", @@ -274,6 +256,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "MYDomain\\\\johndoe" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "path": "/cgi/pal?tm=26&key=1234567890" + }, + "user": { + "domain": "Example", + "name": "MYDomain\\\\johndoe", + "roles": [ + "Example_Sales" + ] } } 
@@ -287,41 +287,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 10:21:14\" pri=4 fw=3.4.5.6 vpn=EX023-V6 user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"AUT24604: SSL negotiation failed while client at source IP '1.2.3.4' was trying to connect to '5.6.7.8'. Reason: 'sslv3 alert bad certificate'\"\n\n", "event": { - "code": "AUT24604", - "type": [ - "info" - ], "category": [ "network" ], - "reason": "sslv3 alert bad certificate" + "code": "AUT24604", + "reason": "sslv3 alert bad certificate", + "type": [ + "info" + ] }, "action": { "name": "AUT24604" }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "related": { "ip": [ "1.2.3.4", @@ -331,6 +320,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "System" } } 
@@ -344,13 +344,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 18:18:12\" pri=6 fw=3.4.5.6 vpn=EX023-V6 ivs=Root user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"LIC30499: Leased 0 units of 'Virtual CPUs' from 1.2.3.4 - reserved: 0 maximum: 0 incremental quantum: 0\"\n", "event": { + "category": [ + "network" + ], "code": "LIC30499", + "reason": " Leased 0 units of 'Virtual CPUs' from 1.2.3.4 - reserved: 0 maximum: 0 incremental quantum: 0", "type": [ "info" - ], - "reason": " Leased 0 units of 'Virtual CPUs' from 1.2.3.4 - reserved: 0 maximum: 0 incremental quantum: 0", - "category": [ - "network" ] }, "action": { @@ -359,22 +359,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4", @@ -383,6 +372,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "System" } } 
@@ -396,42 +396,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 10:19:03\" pri=0 fw=3.4.5.6 vpn=EX023-V6 user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"SYS20704: Sending iveLogNearlyFull [ logFullPercent='93' logName='event' ] SNMP trap to 5.6.7.8:162\"\n", "event": { + "category": [ + "network" + ], "code": "SYS20704", + "reason": " Sending iveLogNearlyFull [ logFullPercent='93' logName='event' ] SNMP trap to 5.6.7.8:162", "type": [ "info" - ], - "reason": " Sending iveLogNearlyFull [ logFullPercent='93' logName='event' ] SNMP trap to 5.6.7.8:162", - "category": [ - "network" ] }, "action": { "name": "SYS20704" }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 162 + }, "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "port": 162, - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "related": { "ip": [ "1.2.3.4", @@ -441,6 +430,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "System" } } 
@@ -454,13 +454,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 18:18:16\" pri=6 fw=3.4.5.6 vpn=EX023-V6 ivs=Default Network user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"SYS31231: Successfully executed 'Post Settings Request'.\"\n", "event": { + "category": [ + "network" + ], "code": "SYS31231", + "reason": " Successfully executed 'Post Settings Request'.", "type": [ "info" - ], - "reason": " Successfully executed 'Post Settings Request'.", - "category": [ - "network" ] }, "action": { @@ -469,22 +469,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4", @@ -493,6 +482,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "System" } } 
@@ -506,13 +506,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2023-10-17 10:14:05\" pri=6 fw=3.4.5.6 vpn=EX023-V6 user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"SYS32083: LMDB shards usage stats shard: 0:1% 1:1% 2:1% 3:1% 4:1% 5:1% 6:1% 7:1% 8:1% 9:1% a:1% b:1% c:1% d:1% e:1% f:1% \"\n", "event": { + "category": [ + "network" + ], "code": "SYS32083", + "reason": " LMDB shards usage stats shard: 0:1% 1:1% 2:1% 3:1% 4:1% 5:1% 6:1% 7:1% 8:1% 9:1% a:1% b:1% c:1% d:1% e:1% f:1%", "type": [ "info" - ], - "reason": " LMDB shards usage stats shard: 0:1% 1:1% 2:1% 3:1% 4:1% 5:1% 6:1% 7:1% 8:1% 9:1% a:1% b:1% c:1% d:1% e:1% f:1%", - "category": [ - "network" ] }, "action": { @@ -521,22 +521,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "3.4.5.6" }, - "service": { - "name": "EX023-V6", - "type": "mgmt" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "3.4.5.6" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4", @@ -545,6 +534,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "System" } } 
@@ -558,13 +558,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=firewall time=\"2021-03-04 17:05:15\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Default Network user=System realm=\"\" roles=\"\" proto= src=93.19.66.118 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT31556: Unauthenticated request url /dana/js?prot=1&svc=4 came from IP 93.19.66.118.\"", "event": { + "category": [ + "network" + ], "code": "AUT31556", + "reason": " Unauthenticated request url /dana/js?prot=1&svc=4 came from IP 93.19.66.118.", "type": [ "info" - ], - "reason": " Unauthenticated request url /dana/js?prot=1&svc=4 came from IP 93.19.66.118.", - "category": [ - "network" ] }, "action": { @@ -573,25 +573,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "172.16.128.22" }, - "service": { - "name": "CB2XXPCS02", - "type": "vpn" - }, - "user": { - "name": "System" - }, "observer": { "ip": [ "172.16.128.22" ] }, - "source": { - "ip": "93.19.66.118", - "address": "93.19.66.118" - }, - "url": { - "path": "/dana/js?prot=1&svc=4" - }, "related": { "ip": [ "172.16.128.22", @@ -600,6 +586,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "System" ] + }, + "service": { + "name": "CB2XXPCS02", + "type": "vpn" + }, + "source": { + "address": "93.19.66.118", + "ip": "93.19.66.118" + }, + "url": { + "path": "/dana/js?prot=1&svc=4" + }, + "user": { + "name": "System" } } diff --git a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md index baef940d16..af98b52cad 100644 --- a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md +++ b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md 
@@ -44,17 +44,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "@timestamp": "2023-02-24T12:12:07Z", + "cloudflare": { + "ApplicationID": 0, + "ColoCode": "CDG", + "ColoID": 533, + "Location": "AWS VM", + "LocationID": "a26c188f-10c2-4333-8ed4-c823fafa06f6", + "QueryNameReversed": "internal.compute.eu-west-3.ip-111-30-40-252", + "QuerySize": 72, + "QueryType": "1", + "ResolverDecision": "allowedOnNoPolicyMatch", + "TimeZoneInferredMethod": "noScheduleConfigured" + }, "destination": { + "address": "172.12.12.1", "ip": "172.12.12.1", - "port": 23, - "address": "172.12.12.1" + "port": 23 }, - "@timestamp": "2023-02-24T12:12:07Z", "dns": { "question": { "name": "ip-111-30-40-252.eu-west-3.compute.internal", - "type": "A", - "subdomain": "ip-111-30-40-252.eu-west-3.compute" + "subdomain": "ip-111-30-40-252.eu-west-3.compute", + "type": "A" }, "resolved_ip": [ "104.18.4.35", @@ -70,33 +82,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "dns", "vendor": "Cloudflare" }, - "source": { - "port": 42424, - "ip": "12.122.186.81", - "address": "12.122.186.81" - }, - "cloudflare": { - "ApplicationID": 0, - "ColoCode": "CDG", - "ColoID": 533, - "Location": "AWS VM", - "LocationID": "a26c188f-10c2-4333-8ed4-c823fafa06f6", - "QueryNameReversed": "internal.compute.eu-west-3.ip-111-30-40-252", - "QuerySize": 72, - "QueryType": "1", - "ResolverDecision": "allowedOnNoPolicyMatch", - "TimeZoneInferredMethod": "noScheduleConfigured" - }, "related": { + "hosts": [ + "ip-111-30-40-252.eu-west-3.compute.internal" + ], "ip": [ "104.18.4.35", "104.18.5.35", "12.122.186.81", "172.12.12.1" - ], - "hosts": [ - "ip-111-30-40-252.eu-west-3.compute.internal" ] + }, + "source": { + "address": "12.122.186.81", + "ip": "12.122.186.81", + "port": 42424 } } 
@@ -119,22 +119,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "@timestamp": "2023-05-02T16:24:19Z", + "cloudflare": { + "ApplicationID": 0, + "ColoCode": "CDG", + "ColoID": 534, + "Location": "loc-01", + "LocationID": "a26c158f-10c2-4223-8ed4-c845fafa06f6", + "QueryCategoryIDs": [ + 21, + 80 + ], + "QueryCategoryNames": [ + "Command and Control & Botnet", + "Security threats" + ], + "QueryNameReversed": "com.testcategory.commandandcontrolandbotnet", + "QuerySize": 72, + "QueryType": "65", + "RData": [ + { + "data": "GmNvbW1hbmRhbmRjb250cm9sYW5kYm90bmV0DHRlc3RjYXRlZ29yeQNjb20AAEEAAQAAADwAOgABAAABAAMCaDIABAAIaBIEI2gSBSMABgAgJgZHAAAAAAAAAAAAaBIEIyYGRwAAAAAAAAAAAGgSBSM=", + "type": "65" + } + ], + "ResolverDecision": "allowedOnNoPolicyMatch", + "TimeZoneInferredMethod": "noScheduleConfigured" + }, "destination": { + "address": "162.159.36.1", "ip": "162.159.36.1", - "port": 443, - "address": "162.159.36.1" + "port": 443 }, - "@timestamp": "2023-05-02T16:24:19Z", "device": { "id": "b72ac397-e5c3-913e-11ed-03face9f2b6b" }, "dns": { "question": { "name": "commandandcontrolandbotnet.testcategory.com", - "type": "HTTPS", - "top_level_domain": "com", + "registered_domain": "testcategory.com", "subdomain": "commandandcontrolandbotnet", - "registered_domain": "testcategory.com" + "top_level_domain": "com", + "type": "HTTPS" }, "resolved_ip": [], "response_code": "NoError" 
@@ -151,41 +177,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "dns", "vendor": "Cloudflare" }, - "source": { - "port": 0, - "ip": "15.188.186.81", - "address": "15.188.186.81" - }, - "user": { - "email": "john.doe@test.com", - "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3" - }, - "cloudflare": { - "ApplicationID": 0, - "ColoCode": "CDG", - "ColoID": 534, - "Location": "loc-01", - "LocationID": "a26c158f-10c2-4223-8ed4-c845fafa06f6", - "QueryCategoryIDs": [ - 21, - 80 - ], - "QueryCategoryNames": [ - "Security threats", - "Command and Control & Botnet" - ], - "QueryNameReversed": "com.testcategory.commandandcontrolandbotnet", - "QuerySize": 72, - "QueryType": "65", - "RData": [ - { - "type": "65", - "data": "GmNvbW1hbmRhbmRjb250cm9sYW5kYm90bmV0DHRlc3RjYXRlZ29yeQNjb20AAEEAAQAAADwAOgABAAABAAMCaDIABAAIaBIEI2gSBSMABgAgJgZHAAAAAAAAAAAAaBIEIyYGRwAAAAAAAAAAAGgSBSM=" - } - ], - "ResolverDecision": "allowedOnNoPolicyMatch", - "TimeZoneInferredMethod": "noScheduleConfigured" - }, "related": { "hosts": [ "DESKTOP-ABCDEF", @@ -195,6 +186,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "15.188.186.81", "162.159.36.1" ] + }, + "source": { + "address": "15.188.186.81", + "ip": "15.188.186.81", + "port": 0 + }, + "user": { + "email": "john.doe@test.com", + "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3" } } diff --git a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md index 4026da72d4..a1aa2fd7f6 100644 --- a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md +++ b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md 
@@ -35,66 +35,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs1=joh.doe@gmail.com cs3=runme.exe cs5=Mon Aug 1 06:40:30 2022 deviceCustomDate1=Mon Aug 1 06:40:35 2022 suser=fool rt=2023-06-09T14:16:15.212418 cs2=Abnormal admin behavior: access to atypical mailboxes cn1=Rule Name end=2023-06-09T14:16:15.212435 duser=root dhost=127.0.0.1 filePath=~/pub.key act=Alert dvchost=HOSTNAME dvc=192.168.0.1 outcome=failure msg=Hello externalId=172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481", "event": { - "kind": "alert", + "action": "Alert", "category": [ "email" ], - "type": [ - "info" - ], "dataset": "Alert", - "action": "Alert", "end": "2023-06-09T14:16:15.212435Z", - "reason": "Hello" + "kind": "alert", + "reason": "Hello", + "type": [ + "info" + ] }, "@timestamp": "2023-06-09T14:16:15.212418Z", - "observer": { - "vendor": "Varonis", - "product": "DatAdvantage", - "version": "0.0.1" - }, - "rule": { - "id": "666", - "name": "Rule Name", - "description": "Abnormal admin behavior: access to atypical mailboxes" - }, - "user": { - "name": "root" - }, - "host": { - "name": "127.0.0.1" - }, - "file": { - "path": "~/pub.key", - "name": "pub.key", - "directory": "~" - }, - "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" - }, "email": { "attachments": [ { "file": { - "name": "runme.exe", - "mime_type": "" + "mime_type": "", + "name": "runme.exe" } } ], "delivery_timestamp": "2022-08-01T06:40:35Z", - "to": { - "address": "joh.doe@gmail.com" - }, "from": { "address": "fool" + }, + "to": { + "address": "joh.doe@gmail.com" } }, - "varonis": { - "datalert": { - "outcome": "failure", - "id": "172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481" - } + "file": { + "directory": "~", + "name": "pub.key", + "path": "~/pub.key" + }, + "host": { + "name": "127.0.0.1" + }, + "observer": { + "product": "DatAdvantage", + "vendor": "Varonis", + "version": "0.0.1" }, "related": { "ip": [ 
@@ -103,6 +85,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "rule": { + "description": "Abnormal admin behavior: access to atypical mailboxes", + "id": "666", + "name": "Rule Name" + }, + "source": { + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "user": { + "name": "root" + }, + "varonis": { + "datalert": { + "id": "172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481", + "outcome": "failure" + } } } @@ -116,27 +116,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs2=SomeRule cs2Label=RuleName cn1=Some rule description cn1Label=RuleID end= duser= dhost=1.2.3.4 filePath= fname= act= dvchost= outcome= msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission=555 filePermission=777 dpriv= start=", "event": { - "kind": "alert", "category": [ "network" ], + "dataset": "Alert", + "kind": "alert", "type": [ "info" - ], - "dataset": "Alert" + ] + }, + "host": { + "name": "1.2.3.4" }, "observer": { - "vendor": "Varonis", "product": "DatAdvantage", + "vendor": "Varonis", "version": "0.0.1" }, "rule": { + "description": "SomeRule", "id": "666", - "name": "Some rule description", - "description": "SomeRule" - }, - "host": { - "name": "1.2.3.4" + "name": "Some rule description" }, "varonis": { "datalert": { diff --git a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md index 90faa3b92a..f4158830b8 100644 --- a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md +++ b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md 
@@ -36,69 +36,69 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,2,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,1,2,11,\"VPN TEST\",0,\"311 1 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,,,,,,,,,,,,,,,4,2,\"VPN TEST\",1,,,,", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "allowed" ] }, "@timestamp": "2022-09-22T13:32:06Z", + "network": { + "protocol": "PPP" + }, "observer": { "hostname": "VPNTEST1" }, - "service": { - "name": "RAS" + "related": { + "hosts": [ + "VPNTEST1" + ], + "user": [ + "doe-j" + ] }, "rule": { "name": "VPN TEST" }, + "service": { + "name": "RAS" + }, "user": { "domain": "DOMAIN", "name": "doe-j" }, - "network": { - "protocol": "PPP" - }, "windows": { "remote_access_server": { "authentication": { - "type": 11, - "name": "PEAP" - }, - "reason": { - "code": 0, - "name": "IAS_SUCCESS" + "name": "PEAP", + "type": 11 }, "class": "311 1 08/25/2022 03:41:37 317092", - "session": { - "id": "317093" + "framed_protocol": { + "name": "PPP", + "type": 1 }, "packet": { - "type": 2, - "name": "Access-Accept" - }, - "service": { - "type": 2, - "name": "Framed" - }, - "framed_protocol": { - "type": 1, - "name": "PPP" + "name": "Access-Accept", + "type": 2 }, "provider": { "type": 1 + }, + "reason": { + "code": 0, + "name": "IAS_SUCCESS" + }, + "service": { + "name": "Framed", + "type": 2 + }, + "session": { + "id": "317093" } } - }, - "related": { - "hosts": [ - "VPNTEST1" - ], - "user": [ - "doe-j" - ] } } 
@@ -112,10 +112,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,11,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,,,11,\"VPN TEST\",0,\"311 1 08/25/2022 03:41:37 317091\",30,,,,,,,,\"317092\",,,,,,,,,,,,,,,,,,,,,,,,,\"VPN TEST\",1,,,,", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "info" ] @@ -124,12 +124,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "hostname": "VPNTEST1" }, - "service": { - "name": "RAS" + "related": { + "hosts": [ + "VPNTEST1" + ], + "user": [ + "doe-j" + ] }, "rule": { "name": "VPN TEST" }, + "service": { + "name": "RAS" + }, "user": { "domain": "DOMAIN", "name": "doe-j" @@ -137,34 +145,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "windows": { "remote_access_server": { "authentication": { - "type": 11, - "name": "PEAP" - }, - "reason": { - "code": 0, - "name": "IAS_SUCCESS" + "name": "PEAP", + "type": 11 }, "class": "311 1 08/25/2022 03:41:37 317091", - "session": { - "timeout": 30, - "id": "317092" - }, "packet": { - "type": 11, - "name": "Access-Challenge" + "name": "Access-Challenge", + "type": 11 }, "provider": { "type": 1 + }, + "reason": { + "code": 0, + "name": "IAS_SUCCESS" + }, + "session": { + "id": "317092", + "timeout": 30 } } - }, - "related": { - "hosts": [ - "VPNTEST1" - ], - "user": [ - "doe-j" - ] } } 
@@ -178,86 +178,86 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,1,\"jdoe@mydomain.org\",\"DOMAIN\\doe-j\",\"5.6.7.8\",\"4.3.2.1\",,,\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",,,5,,1,2,11,\"VPN TEST\",0,\"311 1 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,,,\"VPN TEST\",1,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "info" ] }, "@timestamp": "2022-09-22T13:32:06Z", + "network": { + "protocol": "PPP" + }, "observer": { "hostname": "VPNTEST1" }, + "related": { + "hosts": [ + "VPNTEST1" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1" + ], + "user": [ + "doe-j" + ] + }, + "rule": { + "name": "VPN TEST" + }, "service": { "name": "RAS" }, - "user": { - "email": "jdoe@mydomain.org", - "domain": "DOMAIN", - "name": "doe-j" - }, "source": { - "nat": { - "port": 1519, - "ip": "4.3.2.1" - }, + "address": "1.2.3.4", "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "rule": { - "name": "VPN TEST" + "nat": { + "ip": "4.3.2.1", + "port": 1519 + } }, - "network": { - "protocol": "PPP" + "user": { + "domain": "DOMAIN", + "email": "jdoe@mydomain.org", + "name": "doe-j" }, "windows": { "remote_access_server": { "authentication": { - "type": 11, - "name": "PEAP" + "name": "PEAP", + "type": 11 + }, + "class": "311 1 08/25/2022 03:41:37 317092", + "framed_protocol": { + "name": "PPP", + "type": 1 + }, + "packet": { + "name": "Access-Request", + "type": 1 + }, + "provider": { + "type": 1 }, "reason": { "code": 0, "name": "IAS_SUCCESS" }, - "class": "311 1 08/25/2022 03:41:37 317092", + "service": { + "name": "Framed", + "type": 2 + }, "session": { "id": "317093" }, - "packet": { - "type": 1, - "name": "Access-Request" - }, - "service": { - "type": 2, - "name": "Framed" - }, "tunnel_medium": { - "type": 
1, - "name": "IPv4" - }, - "framed_protocol": { - "type": 1, - "name": "PPP" - }, - "provider": { + "name": "IPv4", "type": 1 } } - }, - "related": { - "hosts": [ - "VPNTEST1" - ], - "ip": [ - "1.2.3.4", - "4.3.2.1" - ], - "user": [ - "doe-j" - ] } } 
@@ -271,71 +271,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,4,\"jdoe@mydomain.org\",,\"5.6.7.8\",\"4.3.2.1\",,\"172.16.2.58\",\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",1663846326,,5,,1,2,,,0,\"311 1 08/25/2022 03:41:37 317092\",,,,,1,,,,\"317093\",3,,,,,\"50765\",1,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,0,,\"VPN TEST\",,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "info" ] }, "@timestamp": "2022-09-22T13:32:06Z", + "network": { + "protocol": "PPP" + }, "observer": { "hostname": "VPNTEST1" }, + "related": { + "hosts": [ + "VPNTEST1" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1" + ] + }, "service": { "name": "RAS" }, - "user": { - "email": "jdoe@mydomain.org" - }, "source": { - "nat": { - "port": 1519, - "ip": "4.3.2.1" - }, + "address": "1.2.3.4", "ip": "1.2.3.4", - "address": "1.2.3.4" + "nat": { + "ip": "4.3.2.1", + "port": 1519 + } }, - "network": { - "protocol": "PPP" + "user": { + "email": "jdoe@mydomain.org" }, "windows": { "remote_access_server": { + "class": "311 1 08/25/2022 03:41:37 317092", + "framed_protocol": { + "name": "PPP", + "type": 1 + }, + "packet": { + "name": "Accounting-Request", + "type": 4 + }, "reason": { "code": 0, "name": "IAS_SUCCESS" }, - "class": "311 1 08/25/2022 03:41:37 317092", + "service": { + "name": "Framed", + "type": 2 + }, "session": { "id": "317093" }, - "packet": { - "type": 4, - "name": "Accounting-Request" - }, - "service": { - "type": 2, - "name": "Framed" - }, "tunnel_medium": { - "type": 1, - "name": "IPv4" - }, - "framed_protocol": { - "type": 1, - "name": "PPP" + "name": "IPv4", + "type": 1 } } - }, - "related": { - "hosts": [ - "VPNTEST1" - ], - "ip": [ - "1.2.3.4", - "4.3.2.1" - ] } } 
diff --git a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md index 3260126ee7..39e5155e07 100644 --- a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md +++ b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md @@ -41,10 +41,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "event", "type": [ - "info", "change", - "denied", "creation", + "denied", + "info", "user" ] }, @@ -52,37 +52,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "geo": { "country_iso_code": "FR" }, + "github": { + "audit_logs": { + "_document_id": "ioehzret57biefb87", + "blocked_user": "aaa", + "operation_type": "create" + } + }, "organization": { "id": "123123995", "name": "Test-org" }, + "related": { + "user": [ + "Admin" + ] + }, "user": { "id": "6493123", "name": "Admin" }, "user_agent": { - "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "device": { "name": "Samsung SM-S906N" }, "name": "Chrome Mobile WebView", - "version": "80.0.3987", + "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "os": { "name": "Android", "version": "12" - } - }, - "github": { - "audit_logs": { - "_document_id": "ioehzret57biefb87", - "blocked_user": "aaa", - "operation_type": "create" - } - }, - "related": { - "user": [ - "Admin" - ] + }, + "version": "80.0.3987" } } 
@@ -102,44 +102,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "event", "type": [ - "info", - "change" + "change", + "info" ] }, "@timestamp": "2023-06-07T15:11:23.340000Z", "geo": { "country_iso_code": "FR" }, + "github": { + "audit_logs": { + "_document_id": "w-eifejgjg877jjf", + "operation_type": "modify" + } + }, "organization": { "id": "123123995", "name": "Test-org" }, + "related": { + "user": [ + "Admin" + ] + }, "user": { "id": "6123123", "name": "Admin" }, "user_agent": { - "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "device": { "name": "Samsung SM-S906N" }, "name": "Chrome Mobile WebView", - "version": "80.0.3987", + "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "os": { "name": "Android", "version": "12" - } - }, - "github": { - "audit_logs": { - "_document_id": "w-eifejgjg877jjf", - "operation_type": "modify" - } - }, - "related": { - "user": [ - "Admin" - ] + }, + "version": "80.0.3987" } } 
@@ -159,46 +159,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "event", "type": [ - "info", - "change" + "change", + "info" ] }, "@timestamp": "2023-06-07T15:11:16.330000Z", "geo": { "country_iso_code": "FR" }, + "github": { + "audit_logs": { + "_document_id": "s-ioehzret57biefb87", + "operation_type": "modify", + "user": "Admin", + "user_id": 6123123 + } + }, "organization": { "id": "123123995", "name": "Test-org" }, + "related": { + "user": [ + "Admin" + ] + }, "user": { "id": "6123123", "name": "Admin" }, "user_agent": { - "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "device": { "name": "Samsung SM-S906N" }, "name": "Chrome Mobile WebView", - "version": "80.0.3987", + "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "os": { "name": "Android", "version": "12" - } - }, - "github": { - "audit_logs": { - "_document_id": "s-ioehzret57biefb87", - "operation_type": "modify", - "user": "Admin", - "user_id": 6123123 - } - }, - "related": { - "user": [ - "Admin" - ] + }, + "version": "80.0.3987" } } 
@@ -218,45 +218,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "event", "type": [ - "info", - "change" + "change", + "info" ] }, "@timestamp": "2023-06-07T15:11:12.357000Z", "geo": { "country_iso_code": "FR" }, + "github": { + "audit_logs": { + "_document_id": "ioehzret57biefb87", + "operation_type": "modify", + "permission": "false" + } + }, "organization": { "id": "123123995", "name": "Test-org" }, + "related": { + "user": [ + "Admin" + ] + }, "user": { "id": "6123123", "name": "Admin" }, "user_agent": { - "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "device": { "name": "Samsung SM-S906N" }, "name": "Chrome Mobile WebView", - "version": "80.0.3987", + "original": "Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36", "os": { "name": "Android", "version": "12" - } - }, - "github": { - "audit_logs": { - "_document_id": "ioehzret57biefb87", - "operation_type": "modify", - "permission": "false" - } - }, - "related": { - "user": [ - "Admin" - ] + }, + "version": "80.0.3987" } } diff --git a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md index 21cb4d256a..04b432962e 100644 --- a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md +++ b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md 
@@ -35,43 +35,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"message\":\"2023-07-20T09:15:02+00:00 localhost ulog[568]: [0000F4E4] qid=aaa1bbb2cc3,ip=1.2.3.4,sender=test@test.com,site=VSC000001,domain=maildomain.com,recipient=demo_1@maildomain.com: action=drop,status=virus,spamlevel=unknwon,tag=[VIRUS],stop=nil,reply=2,subject=\\\"Some subject\\\"\",\"site\":\"VSC000001\",\"from\":\"test@test.com\",\"to\":\"demo_1@maildomain.com\",\"subject\":\"Some subject\",\"date\":1689844502000,\"operationType\":\"DROP\",\"messageType\":\"VIRUS\",\"messageId\":\"aaa1bbb2cc3\",\"hostname\":\"localhost\",\"filterType\":\"UNKNOWN\",\"filterReason\":\"2\",\"spamLevel\":\"UNKNWON\",\"domain\":\"maildomain.com\",\"ip\":\"1.2.3.4\",\"tag\":\"[VIRUS]\"}", "event": { - "kind": "event", + "action": "DROP", "category": [ "email" ], + "kind": "event", + "reason": "2", "type": [ "info" - ], - "reason": "2", - "action": "DROP" + ] }, "@timestamp": "2023-07-20T09:15:02Z", + "destination": { + "address": "maildomain.com", + "domain": "maildomain.com", + "ip": "1.2.3.4", + "registered_domain": "maildomain.com", + "top_level_domain": "com" + }, "email": { "from": { "address": [ "test@test.com" ] }, + "local_id": "aaa1bbb2cc3", + "subject": "Some subject", "to": { "address": [ "demo_1@maildomain.com" ] - }, - "subject": "Some subject", - "local_id": "aaa1bbb2cc3" - }, - "destination": { - "domain": "maildomain.com", - "ip": "1.2.3.4", - "address": "maildomain.com", - "top_level_domain": "com", - "registered_domain": "maildomain.com" - }, - "vadecloud": { - "filter_type": "UNKNOWN", - "site": "VSC000001", - "spam_level": "UNKNWON", - "tag": "[VIRUS]" + } }, "related": { "hosts": [ @@ -80,6 +74,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "vadecloud": { + "filter_type": "UNKNOWN", + "site": "VSC000001", + "spam_level": "UNKNWON", + "tag": "[VIRUS]" } } 
diff --git a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md index 7af0dc0b2f..289dbc9b84 100644 --- a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md +++ b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md 
@@ -36,47 +36,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"__metadata\": {\"id\": \"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTrace(0)\", \"uri\": \"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTrace(0)\", \"type\": \"TenantReporting.MessageTrace\"}, \"Organization\": \"examplecorp.onmicrosoft.com\", \"MessageId\": \"<3a273efc-cd65-4335-96ec-5f6934f0fb10@az.uksouth.production.microsoft.com>\", \"Received\":\"/Date(1658751973240)/\", \"SenderAddress\": \"azure-noreply@microsoft.com\", \"RecipientAddress\": \"foo.bar@example.corp\", \"Subject\": \"PIM: MessageTrace API service account has the Privileged Role Administrator role\", \"Status\": \"GettingStatus\", \"ToIP\": null, \"FromIP\": \"1.1.1.1\", \"Size\": 87680, \"MessageTraceId\": \"3b4fc661-180d-4c2f-60c9-08da6e38dd10\", \"StartDate\":\"/Date(1658579297628)/\", \"EndDate\":\"/Date(1658752097628)/\", \"Index\": 0}", "event": { - "kind": "event", + "action": "GettingStatus", "category": [ "email" ], + "kind": "event", "type": [ "info" - ], - "action": "GettingStatus" + ] }, "@timestamp": "2022-07-25T12:26:13.240000Z", - "office365": { - "message_trace": { - "MessageTraceId": "3b4fc661-180d-4c2f-60c9-08da6e38dd10", - "Size": 87680 - } - }, "email": { - "message_id": "<3a273efc-cd65-4335-96ec-5f6934f0fb10@az.uksouth.production.microsoft.com>", "from": { "address": [ "azure-noreply@microsoft.com" ] }, + "message_id": "<3a273efc-cd65-4335-96ec-5f6934f0fb10@az.uksouth.production.microsoft.com>", + "subject": "PIM: MessageTrace API service account has the Privileged Role Administrator role", "to": { "address": [ "foo.bar@example.corp" ] - }, - "subject": "PIM: MessageTrace API service account has the Privileged Role Administrator role" + } + }, + "office365": { + "message_trace": { + "MessageTraceId": "3b4fc661-180d-4c2f-60c9-08da6e38dd10", + "Size": 87680 + } }, "organization": { "name": 
"examplecorp.onmicrosoft.com" }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } @@ -90,35 +90,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"__metadata\":{\"id\":\"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTrace(5)\",\"uri\":\"https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTrace(5)\",\"type\":\"TenantReporting.MessageTrace\"},\"Organization\":\"abc.onmicrosoft.com\",\"MessageId\":\"<123456@abc-prod2.mcc-soft.com>\",\"Received\":\"/Date(1661344992170)/\",\"SenderAddress\":\"support@abc.com\",\"RecipientAddress\":\"user@abc.fr\",\"Subject\":null,\"Status\":\"Delivered\",\"ToIP\":null,\"FromIP\":null,\"Size\":0,\"MessageTraceId\":\"1203cd7a-18d5-4a92-4343-08da85ce34c9\",\"StartDate\":\"/Date(1661344937835)/\",\"EndDate\":\"/Date(1661344997835)/\",\"Index\":5}\n", "event": { - "kind": "event", + "action": "Delivered", "category": [ "email" ], + "kind": "event", "type": [ "info" - ], - "action": "Delivered" + ] }, "@timestamp": "2022-08-24T12:43:12.170000Z", - "office365": { - "message_trace": { - "MessageTraceId": "1203cd7a-18d5-4a92-4343-08da85ce34c9", - "Size": 0 - } - }, "email": { - "message_id": "<123456@abc-prod2.mcc-soft.com>", "from": { "address": [ "support@abc.com" ] }, + "message_id": "<123456@abc-prod2.mcc-soft.com>", "to": { "address": [ "user@abc.fr" ] } }, + "office365": { + "message_trace": { + "MessageTraceId": "1203cd7a-18d5-4a92-4343-08da85ce34c9", + "Size": 0 + } + }, "organization": { "name": "abc.onmicrosoft.com" } diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md index 731e7615b0..610fde27bc 100644 
--- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md +++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md @@ -35,29 +35,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet.9,match,block,out,4,0x0,,63,18292,0,DF,112,vrrp,72,1.2.3.4,5.6.7.8,3,255,13,2,0,1", "event": { - "reason": "match", "action": "block", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "denied" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" }, - "rule": { - "id": "183" + "network": { + "bytes": 72, + "direction": "outbound", + "iana_number": "112", + "transport": "vrrp" + }, + "observer": { + "egress": { + "interface": { + "name": "vtnet.9" + } + } }, "openbsd": { "pf": { + "carp": { + "advbase": "1", + "advskew": "0", + "type": 3, + "version": "2", + "vhid": "13" + }, "event": { "tracker": { "id": "41cbdd1cea144179a26efd069e1ee54f" @@ -65,29 +78,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "routing": { "class": "0x0", + "flags": "DF", "hoplimit": 255, - "offset": 0, - "flags": "DF" - }, - "carp": { - "vhid": "13", - "version": "2", - "advskew": "0", - "advbase": "1", - "type": 3 - } - } - }, - "network": { - "direction": "outbound", - "iana_number": "112", - "transport": "vrrp", - "bytes": 72 - }, - "observer": { - "egress": { - "interface": { - "name": "vtnet.9" + "offset": 0 } } }, @@ -96,6 +89,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "id": "183" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -109,26 +109,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "70,,,6524e587872444838f901ac45cbf807c,vtnet1,match,pass,in,4,0x0,,19,36147,0,none,1,icmp,128,1.2.3.4,5.6.7.8,datalength=108", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" }, - "rule": { - "id": "70" + "network": { + "bytes": 128, + "direction": "inbound", + "iana_number": "1", + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "vtnet1" + } + } }, "openbsd": { "pf": { @@ -137,27 +143,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "6524e587872444838f901ac45cbf807c" } }, + "icmp": { + "datalength": 108 + }, "routing": { "class": "0x0", + "flags": "none", "hoplimit": 19, - "offset": 0, - "flags": "none" - }, - "icmp": { - "datalength": 108 - } - } - }, - "network": { - "direction": "inbound", - "iana_number": "1", - "transport": "icmp", - "bytes": 128 - }, - "observer": { - "ingress": { - "interface": { - "name": "vtnet1" + "offset": 0 } } }, @@ -166,6 +159,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "id": "70" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -179,28 +179,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "341,,,138b9664ed0d438b9fa1a14116606d50,vtnet9,match,pass,in,4,0x0,,63,26567,0,DF,6,tcp,60,1.2.3.4,5.6.7.8,40234,10050,0,S,3917296601:3917296620,,64240,,mss", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "1.2.3.4", - "port": 40234, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 10050, - "address": "5.6.7.8" + "port": 10050 }, - "rule": { - "id": "341" + "network": { + "bytes": 60, + "direction": "inbound", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "vtnet9" + } + } }, "openbsd": { "pf": { @@ -211,36 +216,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "routing": { "class": "0x0", + "flags": "DF", "hoplimit": 63, - "offset": 0, - "flags": "DF" + "offset": 0 }, "transport": { "bytes": 0, - "tcp_flags": "S", "seq_number": "3917296601:3917296620", + "tcp_flags": "S", "window_size": 64240 } } }, - "network": { - "direction": "inbound", - "iana_number": "6", - "transport": "tcp", - "bytes": 60 - }, - "observer": { - "ingress": { - "interface": { - "name": "vtnet9" - } - } - }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "id": "341" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 40234 } } 
@@ -254,28 +254,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "1.2.3.4", - "port": 18448, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 53, - "address": "5.6.7.8" + "port": 53 }, - "rule": { - "id": "183" + "network": { + "bytes": 72, + "direction": "inbound", + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "vtnet9" + } + } }, "openbsd": { "pf": { @@ -286,33 +291,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "routing": { "class": "0x0", + "flags": "DF", "hoplimit": 63, - "offset": 0, - "flags": "DF" + "offset": 0 }, "transport": { "bytes": 52 } } }, - "network": { - "direction": "inbound", - "iana_number": "17", - "transport": "udp", - "bytes": 72 - }, - "observer": { - "ingress": { - "interface": { - "name": "vtnet9" - } - } - }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "id": "183" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 18448 } } 
@@ -326,32 +326,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,123,64,12345,0,DF,vrrp,6,80,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,3,64,1,2,3,4", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "2001:db8:85a3::8a2e:370:7334", - "address": "2001:db8:85a3::8a2e:370:7334" - }, "destination": { - "ip": "2001:db8:85a3::ac1f:1:23", - "address": "2001:db8:85a3::ac1f:1:23" + "address": "2001:db8:85a3::ac1f:1:23", + "ip": "2001:db8:85a3::ac1f:1:23" }, - "rule": { - "id": "123", - "ruleset": "anchor1" + "network": { + "bytes": 80, + "direction": "inbound", + "iana_number": "6", + "transport": "vrrp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } }, "openbsd": { "pf": { - "rule": { - "subrulenr": "001" + "carp": { + "advbase": "4", + "advskew": "3", + "type": 3, + "version": "2", + "vhid": "1" }, "event": { "tracker": { @@ -359,28 +368,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "routing": { - "hoplimit": 64, - "flow": "123" + "flow": "123", + "hoplimit": 64 }, - "carp": { - "vhid": "1", - "version": "2", - "advskew": "3", - "advbase": "4", - "type": 3 - } - } - }, - "network": { - "direction": "inbound", - "iana_number": "6", - "transport": "vrrp", - "bytes": 80 - }, - "observer": { - "ingress": { - "interface": { - "name": "eth0" + "rule": { + "subrulenr": "001" } } }, @@ -389,6 +381,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2001:db8:85a3::8a2e:370:7334", "2001:db8:85a3::ac1f:1:23" ] + }, + "rule": { + "id": "123", + "ruleset": "anchor1" + }, + "source": { + "address": "2001:db8:85a3::8a2e:370:7334", + "ip": "2001:db8:85a3::8a2e:370:7334" } } 
@@ -402,64 +402,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,tcp,6,60,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,20,AP,1234,5678,8192,0,MMS=1460 NOP WS=256 SACK_PERM=1", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "2001:db8:85a3::8a2e:370:7334", - "port": 12345, - "address": "2001:db8:85a3::8a2e:370:7334" - }, "destination": { + "address": "2001:db8:85a3::ac1f:1:23", "ip": "2001:db8:85a3::ac1f:1:23", - "port": 80, - "address": "2001:db8:85a3::ac1f:1:23" + "port": 80 }, - "rule": { - "id": "123", - "ruleset": "anchor1" + "network": { + "bytes": 60, + "direction": "inbound", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } }, "openbsd": { "pf": { - "rule": { - "subrulenr": "001" - }, "event": { "tracker": { "id": "label2" } }, "routing": { - "hoplimit": 64, - "flow": "1234" + "flow": "1234", + "hoplimit": 64 + }, + "rule": { + "subrulenr": "001" }, "transport": { + "ack": "5678", "bytes": 20, - "tcp_flags": "AP", "seq_number": "1234", - "ack": "5678", - "window_size": 8192, - "urgency": "0" - } - } - }, - "network": { - "direction": "inbound", - "iana_number": "6", - "transport": "tcp", - "bytes": 60 - }, - "observer": { - "ingress": { - "interface": { - "name": "eth0" + "tcp_flags": "AP", + "urgency": "0", + "window_size": 8192 } } }, @@ -468,6 +459,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2001:db8:85a3::8a2e:370:7334", "2001:db8:85a3::ac1f:1:23" ] + }, + "rule": { + "id": "123", + "ruleset": "anchor1" + }, + "source": { + "address": "2001:db8:85a3::8a2e:370:7334", + "ip": "2001:db8:85a3::8a2e:370:7334", + "port": 12345 } } 
@@ -481,67 +481,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "123,001,anchor1,label2,eth0,match,pass,in,6,,1234,64,udp,17,1024,2001:0db8:85a3:0000:0000:8a2e:0370:7334,2001:0db8:85a3:0000:0000:ac1f:0001:0023,12345,80,1024", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "2001:db8:85a3::8a2e:370:7334", - "port": 12345, - "address": "2001:db8:85a3::8a2e:370:7334" - }, "destination": { + "address": "2001:db8:85a3::ac1f:1:23", "ip": "2001:db8:85a3::ac1f:1:23", - "port": 80, - "address": "2001:db8:85a3::ac1f:1:23" + "port": 80 }, - "rule": { - "id": "123", - "ruleset": "anchor1" + "network": { + "bytes": 1024, + "direction": "inbound", + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } }, "openbsd": { "pf": { - "rule": { - "subrulenr": "001" - }, "event": { "tracker": { "id": "label2" } }, "routing": { - "hoplimit": 64, - "flow": "1234" + "flow": "1234", + "hoplimit": 64 + }, + "rule": { + "subrulenr": "001" }, "transport": { "bytes": 1024 } } }, - "network": { - "direction": "inbound", - "iana_number": "17", - "transport": "udp", - "bytes": 1024 - }, - "observer": { - "ingress": { - "interface": { - "name": "eth0" - } - } - }, "related": { "ip": [ "2001:db8:85a3::8a2e:370:7334", "2001:db8:85a3::ac1f:1:23" ] + }, + "rule": { + "id": "123", + "ruleset": "anchor1" + }, + "source": { + "address": "2001:db8:85a3::8a2e:370:7334", + "ip": "2001:db8:85a3::8a2e:370:7334", + "port": 12345 } } 
@@ -555,28 +555,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "183,,,41cbdd1cea144179a26efd069e1ee54f,vtnet9,match,pass,in,4,0x0,,63,18292,0,DF,17,udp,72,1.2.3.4,5.6.7.8,18448,53,52", "event": { - "reason": "match", "action": "pass", - "kind": "event", "category": [ "network" ], + "kind": "event", + "reason": "match", "type": [ "allowed" ] }, - "source": { - "ip": "1.2.3.4", - "port": 18448, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 53, - "address": "5.6.7.8" + "port": 53 }, - "rule": { - "id": "183" + "network": { + "bytes": 72, + "direction": "inbound", + "iana_number": "17", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "vtnet9" + } + } }, "openbsd": { "pf": { @@ -587,33 +592,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "routing": { "class": "0x0", + "flags": "DF", "hoplimit": 63, - "offset": 0, - "flags": "DF" + "offset": 0 }, "transport": { "bytes": 52 } } }, - "network": { - "direction": "inbound", - "iana_number": "17", - "transport": "udp", - "bytes": 72 - }, - "observer": { - "ingress": { - "interface": { - "name": "vtnet9" - } - } - }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "id": "183" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 18448 } } diff --git a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md index c84e7538f3..5e69a473d9 100644 --- a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md +++ b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md 
@@ -26,32 +26,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client @0x7f62b80115d0 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA + (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } @@ -64,24 +64,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "queries: client @0x7f62b80115d0 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA + (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "infoblox": { "ddi": { @@ -89,12 +84,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } 
@@ -107,36 +107,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA +TC (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "CD", + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD", - "CD" - ] + "type": "query" }, "network": { "transport": "tcp" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } @@ -149,33 +149,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#42811 (ipv6.google.com): query: ipv6.google.com IN A +EDC (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 42811, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [ + "CD", + "RD" + ], "question": { "class": "IN", - "type": "A", "name": "ipv6.google.com", - "top_level_domain": "com", + "registered_domain": "google.com", "subdomain": "ipv6", - "registered_domain": "google.com" + "top_level_domain": "com", + "type": "A" }, - "type": "query", - "header_flags": [ - "RD", - "CD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "ipv6.google.com" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 42811 } } 
@@ -188,32 +188,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client @0x7f4f8003d9e0 192.168.101.61#38251 (global.vortex.data.trafficmanager.net): query: global.vortex.data.trafficmanager.net IN AAAA +E(0) (192.168.100.102)", - "source": { - "ip": "192.168.101.61", - "port": 38251, - "address": "192.168.101.61" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "global.vortex.data.trafficmanager.net", - "top_level_domain": "net", + "registered_domain": "trafficmanager.net", "subdomain": "global.vortex.data", - "registered_domain": "trafficmanager.net" + "top_level_domain": "net", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.101.61" - ], "hosts": [ "global.vortex.data.trafficmanager.net" + ], + "ip": [ + "192.168.101.61" ] + }, + "source": { + "address": "192.168.101.61", + "ip": "192.168.101.61", + "port": 38251 } } @@ -226,30 +226,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#57980 (ipv6.google.com): query: ipv6.google.com IN AAAA - (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 57980, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [], "question": { "class": "IN", - "type": "AAAA", "name": "ipv6.google.com", - "top_level_domain": "com", + "registered_domain": "google.com", "subdomain": "ipv6", - "registered_domain": "google.com" + "top_level_domain": "com", + "type": "AAAA" }, - "type": "query", - "header_flags": [] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "ipv6.google.com" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 57980 } } 
@@ -262,32 +262,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#45041 (107.100.168.192.in-addr.arpa): query: 107.100.168.192.in-addr.arpa IN PTR +E (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 45041, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "PTR", "name": "107.100.168.192.in-addr.arpa", - "top_level_domain": "in-addr.arpa", + "registered_domain": "192.in-addr.arpa", "subdomain": "107.100.168", - "registered_domain": "192.in-addr.arpa" + "top_level_domain": "in-addr.arpa", + "type": "PTR" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "107.100.168.192.in-addr.arpa" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 45041 } } @@ -300,35 +300,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA +ET (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "network": { "transport": "tcp" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } 
diff --git a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md index 83c3aaba54..14c8d2b32a 100644 --- a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md +++ b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md @@ -37,18 +37,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADAPAlerts|1|cat=ADAPAlerts cn3=7054 cs4=Unusual Activity -Logon Failure Count (Based on Host) cs1=AD Analytics cs5=2 rt=1694682115000 msg=10+ number of Logon Failure Activity occured on SERVER02.example.org within 11AM - 12PM. Usual average is 0, Threshold calculated is 10. Anomaly category:Unusual Activity -Logon Failure Count (Based on Host) cs3=User Behaviour Analytics sntdom=example.org", "event": { + "dataset": "ADAPAlerts", "kind": "alert", "module": "EventLog", - "severity": 1, - "dataset": "ADAPAlerts", - "reason": "10+ number of Logon Failure Activity occured on SERVER02.example.org within 11AM - 12PM. Usual average is 0, Threshold calculated is 10. Anomaly category:Unusual Activity -Logon Failure Count (Based on Host)" + "reason": "10+ number of Logon Failure Activity occured on SERVER02.example.org within 11AM - 12PM. Usual average is 0, Threshold calculated is 10. Anomaly category:Unusual Activity -Logon Failure Count (Based on Host)", + "severity": 1 }, "@timestamp": "2023-09-14T09:01:55Z", "observer": { - "vendor": "ManageEngine", + "hostname": "User Behaviour Analytics", "product": "ADAuditPlus", - "version": "1", - "hostname": "User Behaviour Analytics" + "vendor": "ManageEngine", + "version": "1" }, "related": { "hosts": [ 
@@ -67,18 +67,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADAPAlerts|1|cat=ADAPAlerts cn3=119667 cs4=Group Membership Changes cs1=Security Group Membership Changes cs5=2 rt=1694682147000 msg=Member 'CN\\=JaneDoe,OU\\=UTILISATEURS,DC\\=example,DC\\=org' was added to Global Security Group 'MyGROUP' by 'EXAMPLE\\J_DOE'. cs3=SERVER02.example.org sntdom=example.org", "event": { + "dataset": "ADAPAlerts", "kind": "alert", "module": "EventLog", - "severity": 1, - "dataset": "ADAPAlerts", - "reason": "Member 'CN\\=JaneDoe,OU\\=UTILISATEURS,DC\\=example,DC\\=org' was added to Global Security Group 'MyGROUP' by 'EXAMPLE\\J_DOE'." + "reason": "Member 'CN\\=JaneDoe,OU\\=UTILISATEURS,DC\\=example,DC\\=org' was added to Global Security Group 'MyGROUP' by 'EXAMPLE\\J_DOE'.", + "severity": 1 }, "@timestamp": "2023-09-14T09:02:27Z", "observer": { - "vendor": "ManageEngine", + "hostname": "SERVER02.example.org", "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" + "vendor": "ManageEngine", + "version": "1" }, "related": { "hosts": [ 
@@ -97,35 +97,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADObjectsAuditReports|1|cat=ADObjectsAuditReports cs1=Configuration Changes cn1=1234 rt=1694681920000 outcome=Success cs3=SERVER02.example.org reason=Write Property : msExchOAB duser=Default Offline Address Book cs4=null suser=JDX2093$ type=msExchOAB msg=msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. Value : 7970 cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444 sntdom=example.org", "event": { - "kind": "event", "category": [ "configuration" ], - "type": [ - "change" - ], + "dataset": "ADObjectsAuditReports", + "kind": "event", "module": "EventLog", + "reason": "msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. Value : 7970", "severity": 1, - "dataset": "ADObjectsAuditReports", - "reason": "msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. Value : 7970" + "type": [ + "change" + ] }, "@timestamp": "2023-09-14T08:58:40Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "user": { - "name": "JDX2093$", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444", - "target": { - "name": "Default Offline Address Book" - } - }, "action": { "outcome": "Success" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" 
@@ -133,6 +126,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "JDX2093$" ] + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "JDX2093$", + "target": { + "name": "Default Offline Address Book" + } } } @@ -146,35 +146,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|DNSAuditReports|1|cat=DNSAuditReports cs1=DNS Permission Changes cn1=1234 rt=1694681538000 outcome=Success cs3=SERVER02.example.org reason=No changes on the Security Descriptor duser=119251-P10 suser=SYSTEM msg=dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. Modified Properties : NT-Security-Descriptor cn2=1234567890 suid=S-1-5-18 sntdom=example.org", "event": { - "kind": "event", "category": [ "configuration" ], - "type": [ - "change" - ], + "dataset": "DNSAuditReports", + "kind": "event", "module": "EventLog", + "reason": "dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. Modified Properties : NT-Security-Descriptor", "severity": 1, - "dataset": "DNSAuditReports", - "reason": "dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. Modified Properties : NT-Security-Descriptor" + "type": [ + "change" + ] }, "@timestamp": "2023-09-14T08:52:18Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "user": { - "name": "SYSTEM", - "id": "S-1-5-18", - "target": { - "name": "119251-P10" - } - }, "action": { "outcome": "Success" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" @@ -182,6 +175,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "id": "S-1-5-18", + "name": "SYSTEM", + "target": { + "name": "119251-P10" + } } } 
@@ -195,32 +195,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|GroupMgmtReports|1|cat=GroupMgmtReports cs1=Group Attributes Changed cs3=SERVER02.example.org type=member msg=Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org rt=1694682151000 duser=MyGROUP sntdom=example.org duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cn1=1234 reason=Group Attribute Added cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", "event": { - "kind": "event", "category": [ "iam" ], - "type": [ - "change" - ], + "dataset": "GroupMgmtReports", + "kind": "event", "module": "EventLog", + "reason": "Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org", "severity": 1, - "dataset": "GroupMgmtReports", - "reason": "Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org" + "type": [ + "change" + ] }, "@timestamp": "2023-09-14T09:02:31Z", "observer": { - "vendor": "ManageEngine", + "hostname": "SERVER02.example.org", "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "user": { - "name": "J_DOE", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444", - "target": { - "name": "MyGROUP", - "id": "S-1-5-21-111111111-2222222222-3333333333-55555" - } + "vendor": "ManageEngine", + "version": "1" }, "related": { "hosts": [ @@ -229,6 +221,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "J_DOE" ] + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "J_DOE", + "target": { + "id": "S-1-5-21-111111111-2222222222-3333333333-55555", + "name": "MyGROUP" + } } } 
@@ -242,36 +242,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|UserMgmtReports|1|cat=UserMgmtReports cs1=User Attributes Changed type=primaryGroupID rt=1694682151000 msg=User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513 duser=JaneDoe sntdom=example.org duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cs3=SERVER02.example.org cn1=1234 reason=User Modified outcome=Success cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", "event": { - "kind": "event", "category": [ "iam" ], - "type": [ - "change" - ], + "dataset": "UserMgmtReports", + "kind": "event", "module": "EventLog", + "reason": "User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513", "severity": 1, - "dataset": "UserMgmtReports", - "reason": "User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513" + "type": [ + "change" + ] }, "@timestamp": "2023-09-14T09:02:31Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "user": { - "name": "J_DOE", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444", - "target": { - "name": "JaneDoe", - "id": "S-1-5-21-111111111-2222222222-3333333333-55555" - } - }, "action": { "outcome": "Success" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" @@ -279,6 +271,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "J_DOE" ] + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "J_DOE", + "target": { + "id": "S-1-5-21-111111111-2222222222-3333333333-55555", + "name": "JaneDoe" + } } } 
@@ -292,36 +292,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|UserMgmtReports|1|cat=UserMgmtReports cs1=Password Changed Users type=Change Password Attempt rt=1694681589000 msg=Change Password Attempt by user 'J_DOE'. Status:Failure' duser=J_DOE sntdom=EXAMPLE duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cs3=SERVER02.example.org cn1=1234 reason=Change Password Attempt outcome=Failure cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", "event": { - "kind": "event", "category": [ "iam" ], - "type": [ - "change" - ], + "dataset": "UserMgmtReports", + "kind": "event", "module": "EventLog", + "reason": "Change Password Attempt by user 'J_DOE'. Status:Failure'", "severity": 1, - "dataset": "UserMgmtReports", - "reason": "Change Password Attempt by user 'J_DOE'. Status:Failure'" + "type": [ + "change" + ] }, "@timestamp": "2023-09-14T08:53:09Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "user": { - "name": "J_DOE", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444", - "target": { - "name": "J_DOE", - "id": "S-1-5-21-111111111-2222222222-3333333333-55555" - } - }, "action": { "outcome": "Failure" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" @@ -329,6 +321,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "J_DOE" ] + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "J_DOE", + "target": { + "id": "S-1-5-21-111111111-2222222222-3333333333-55555", + "name": "J_DOE" + } } } 
@@ -342,36 +342,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|LogonReports|1|cat=LogonReports cs1=All Users Logon suser=johndoe cs2=1.2.3.4 shost=1.2.3.4 rt=1694681391000 cn2=1234567890 outcome=Failure sntdom=example.org cs3=SERVER02.example.org suid=S-1-5-21-111111111-2222222222-3333333333-44444 reason=Bad password cn1=1234 msg=Kerberos pre-authentication failed.", "event": { - "kind": "event", "category": [ "authentication" ], - "type": [ - "start" - ], + "dataset": "LogonReports", + "kind": "event", "module": "EventLog", + "reason": "Kerberos pre-authentication failed.", "severity": 1, - "dataset": "LogonReports", - "reason": "Kerberos pre-authentication failed." + "type": [ + "start" + ] }, "@timestamp": "2023-09-14T08:49:51Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "johndoe", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444" - }, "action": { "outcome": "Failure" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" @@ -382,6 +374,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "johndoe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "johndoe" } } 
@@ -395,36 +395,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "0|ManageEngine|ADAuditPlus|1|EventLog|LogonReports|1|cat=LogonReports cs1=All Users Logon suser=johndoe cs2=1.2.3.4 shost=LAPTOP234.example.org rt=1694682196000 cn2=1234567890 outcome=Success sntdom=example.org cs3=SERVER02.example.org suid=S-1-5-21-111111111-2222222222-3333333333-44444 reason=- cn1=1234 msg=A Kerberos authentication ticket (TGT) was requested.", "event": { - "kind": "event", "category": [ "authentication" ], - "type": [ - "start" - ], + "dataset": "LogonReports", + "kind": "event", "module": "EventLog", + "reason": "A Kerberos authentication ticket (TGT) was requested.", "severity": 1, - "dataset": "LogonReports", - "reason": "A Kerberos authentication ticket (TGT) was requested." + "type": [ + "start" + ] }, "@timestamp": "2023-09-14T09:03:16Z", - "observer": { - "vendor": "ManageEngine", - "product": "ADAuditPlus", - "version": "1", - "hostname": "SERVER02.example.org" - }, - "source": { - "ip": "1.2.3.4", - "address": "LAPTOP234.example.org" - }, - "user": { - "name": "johndoe", - "id": "S-1-5-21-111111111-2222222222-3333333333-44444" - }, "action": { "outcome": "Success" }, + "observer": { + "hostname": "SERVER02.example.org", + "product": "ADAuditPlus", + "vendor": "ManageEngine", + "version": "1" + }, "related": { "hosts": [ "SERVER02.example.org" @@ -435,6 +427,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "johndoe" ] + }, + "source": { + "address": "LAPTOP234.example.org", + "ip": "1.2.3.4" + }, + "user": { + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "name": "johndoe" } } diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md index 65aabc5515..5f88ceb450 100644 
--- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md +++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md @@ -37,34 +37,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INFO: Configuration Changed: Admin=john.doe; Object Type=EPPurgeScheduler; Object Name=f36afcff-e3af-4a70-99c0-5e5304c1c336", "event": { + "category": [ + "configuration" + ], "kind": "event", "type": [ "change" - ], - "category": [ - "configuration" ] }, - "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" - }, - "user": { - "name": "john.doe" - }, "cisco": { "ise": { + "config_action": "Changed", "config_object": { "name": "f36afcff-e3af-4a70-99c0-5e5304c1c336", "type": "EPPurgeScheduler" - }, - "config_action": "Changed" + } } }, + "observer": { + "product": "Cisco ISE", + "vendor": "Cisco" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "name": "john.doe" } } @@ -79,14 +79,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "INFO: 5 endpoint(s) purged successfully", "event": { "kind": "event", + "reason": " 5 endpoint(s) purged successfully", "type": [ "info" - ], - "reason": " 5 endpoint(s) purged successfully" + ] }, "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" + "product": "Cisco ISE", + "vendor": "Cisco" } } @@ -100,18 +100,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-06-07 04:26:17.306 +0200 60198 INFO null: MnT purge event occurred, MESSAGE=completed successfully,", "event": { - "kind": "event", - "type": [ - "info" - ], "category": [ "network" ], - "reason": "MnT purge event occurred" - }, - "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" + "kind": "event", + "reason": "MnT purge event occurred", + "type": [ + "info" + ] }, "cisco": { "ise": { 
@@ -119,6 +115,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outcome": "success" } } + }, + "observer": { + "product": "Cisco ISE", + "vendor": "Cisco" } } @@ -132,18 +132,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "WARN: AcsSyslogContentAaaDiagnostics:: ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete", "event": { - "kind": "event", - "type": [ - "info" - ], "category": [ "network" ], - "reason": ": ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete" + "kind": "event", + "reason": ": ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete", + "type": [ + "info" + ] }, "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" + "product": "Cisco ISE", + "vendor": "Cisco" } } @@ -157,23 +157,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INFO: EAP Connection Timeout : Server=servername; NAS IP Address=1.2.3.4; NAS Identifier=A4:57:00:64:47:C0:test1", "event": { + "category": [ + "network" + ], "kind": "event", "type": [ "info" - ], - "category": [ - "network" ] }, "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" - }, - "source": { - "domain": "servername", - "mac": "A4:57:00:64:47:C0", - "ip": "1.2.3.4", - "address": "servername" + "product": "Cisco ISE", + "vendor": "Cisco" }, "related": { "hosts": [ @@ -182,6 +176,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "servername", + "domain": "servername", + "ip": "1.2.3.4", + "mac": "A4:57:00:64:47:C0" } } 
@@ -195,25 +195,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "WARN: Dynamic Authorization Failed for Device : Server=servername; Calling Station Id=N/A; Network device IP=1.2.3.4; Network Device", "event": { + "category": [ + "network" + ], "kind": "event", "type": [ "info" - ], - "category": [ - "network" ] }, "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" - }, - "source": { - "domain": "servername", - "ip": "1.2.3.4", - "address": "servername" - }, - "user": { - "name": "N/A" + "product": "Cisco ISE", + "vendor": "Cisco" }, "related": { "hosts": [ @@ -225,6 +217,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "N/A" ] + }, + "source": { + "address": "servername", + "domain": "servername", + "ip": "1.2.3.4" + }, + "user": { + "name": "N/A" } } @@ -238,18 +238,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "WARN: Profiler SNMP Request Failure : Server= servername; NAD Address=1.2.3.4; Error Message=Request timed out.", "event": { - "kind": "event", - "type": [ - "info" - ], "category": [ "network" ], - "reason": "Request timed out." - }, - "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" + "kind": "event", + "reason": "Request timed out.", + "type": [ + "info" + ] }, "cisco": { "ise": { @@ -258,10 +254,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "source": { - "domain": "servername", - "ip": "1.2.3.4", - "address": "servername" + "observer": { + "product": "Cisco ISE", + "vendor": "Cisco" }, "related": { "hosts": [ @@ -270,6 +265,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "servername", + "domain": "servername", + "ip": "1.2.3.4" } } 
@@ -283,28 +283,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "WARN: TrustSec deploy verification failed to reach NAD.: Device Name=device005.internal.example.org; Device Ip=1.2.3.4; Device login username=admin", "event": { + "category": [ + "network" + ], "kind": "event", "type": [ "info" - ], - "category": [ - "network" ] }, "observer": { - "vendor": "Cisco", - "product": "Cisco ISE" - }, - "user": { - "name": "admin" - }, - "source": { - "domain": "device005.internal.example.org", - "ip": "1.2.3.4", - "address": "device005.internal.example.org", - "top_level_domain": "org", - "subdomain": "device005.internal", - "registered_domain": "example.org" + "product": "Cisco ISE", + "vendor": "Cisco" }, "related": { "hosts": [ @@ -316,6 +305,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "device005.internal.example.org", + "domain": "device005.internal.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "device005.internal", + "top_level_domain": "org" + }, + "user": { + "name": "admin" } } diff --git a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md index 557bb1130b..6427f9a127 100644 --- a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md +++ b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md 
@@ -47,6 +47,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, + "indicator": { + "category": "BI_EVASION", + "classification": "PUA", + "description": "Code injection to other process memory space during the target process' initialization", + "id": "WD109", + "metadata": "To Process[ Name: \"chrome.exe\", Pid: \"19720\", UID: \"7DC20CD7D1BEDF9F\", TrueContextID: \"6B188EE5E8C5F24F\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", + "name": "PreloadInjection", + "tactics": [ + { + "name": "Defense Evasion", + "source": "MITRE", + "techniques": [ + { + "link": "https://attack.mitre.org/techniques/T1055/012/", + "name": "T1055.012" + } + ] + }, + { + "name": "Privilege Escalation", + "source": "MITRE", + "techniques": [ + { + "link": "https://attack.mitre.org/techniques/T1055/012/", + "name": "T1055.012" + } + ] + } + ] + }, "process": { "counters": { "module_load": 70, @@ -76,13 +106,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "7DC20CD7D1BEDF9F" }, "parent": { - "node": { - "key": "0D7A69B0C2C26E73" - }, "counters": { + "cross_process": 590449, "cross_process_dup_process_handle": 585159, "cross_process_dup_thread_handle": 5290, - "cross_process": 590449, "dns_lookups": 16, "file_creation": 490788, "file_deletion": 466017, @@ -113,6 +140,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_FALSE", + "node": { + "key": "0D7A69B0C2C26E73" + }, "parent": { "node": { "key": "41CA3A862279A7BC" 
@@ -135,36 +165,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" } - }, - "indicator": { - "id": "WD109", - "name": "PreloadInjection", - "description": "Code injection to other process memory space during the target process' initialization", - "category": "BI_EVASION", - "classification": "PUA", - "metadata": "To Process[ Name: \"chrome.exe\", Pid: \"19720\", UID: \"7DC20CD7D1BEDF9F\", TrueContextID: \"6B188EE5E8C5F24F\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "tactics": [ - { - "name": "Defense Evasion", - "source": "MITRE", - "techniques": [ - { - "name": "T1055.012", - "link": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - }, - { - "name": "Privilege Escalation", - "source": "MITRE", - "techniques": [ - { - "name": "T1055.012", - "link": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ] } }, "host": { 
@@ -177,33 +177,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=icon_reader --mojo-platform-channel-handle=30744 /prefetch:8", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "pid": 19720, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "hash": { "md5": "a766188d75e570ea3f9b09fb9d82cb54", "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" }, - "start": "2021-09-16T13:02:27.668000Z", "name": "chrome.exe", "parent": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "title": "Google Chrome", - "pid": 26188, "hash": { "md5": "a766188d75e570ea3f9b09fb9d82cb54", "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" }, "name": "chrome.exe", + "pid": 26188, + "title": "Google Chrome", "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - } - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187" + }, + "pid": 19720, + "start": "2021-09-16T13:02:27.668000Z", + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { "hash": [ @@ -214,6 +210,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", + "name": "CORP\\user.name" } } 
@@ -240,6 +240,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "trace_id": "BA1BE2835D6E4FF7B023C72DCE8B3829", "uuid": "4d311e18709146cba8797a22e3c20762" }, + "dns": { + "answers": { + "results": "type: 5 googlehosted.l.googleusercontent.com;142.250.179.65;" + } + }, "event": { "type": "dns" }, @@ -248,9 +253,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "C20F3967ACBB2FE7" - }, "process": { "counters": { "dns_lookups": 35, @@ -297,10 +299,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-1525252525-7987987987-1111111111-6174" } }, - "dns": { - "answers": { - "results": "type: 5 googlehosted.l.googleusercontent.com;142.250.179.65;" - } + "true_context": { + "key": "C20F3967ACBB2FE7" + } + }, + "dns": { + "question": { + "name": "lh5.googleusercontent.com", + "registered_domain": "googleusercontent.com", + "subdomain": "lh5", + "top_level_domain": "com" } }, "host": { 
@@ -313,32 +321,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,16822032697640791725,9639588106693567222,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", "pid": 13796, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "start": "2021-08-09T13:28:54.223000Z", - "name": "chrome.exe" - }, - "user": { - "name": "CLIENT\\t.Naohisa", - "id": "S-1-5-21-1525252525-7987987987-1111111111-6174" - }, - "dns": { - "question": { - "name": "lh5.googleusercontent.com", - "top_level_domain": "com", - "subdomain": "lh5", - "registered_domain": "googleusercontent.com" - } + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { - "user": [ - "CLIENT\\t.Naohisa" - ], "hosts": [ "lh5.googleusercontent.com" + ], + "user": [ + "CLIENT\\t.Naohisa" ] + }, + "user": { + "id": "S-1-5-21-1525252525-7987987987-1111111111-6174", + "name": "CLIENT\\t.Naohisa" } } @@ -368,19 +368,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileCreation" }, + "file": { + "location": "Local", + "node": { + "key": "737373ABCDEF7373" + } + }, "host": { "os": { "revision": "88888" } }, - "true_context": { - "key": "CCC43343435EABDF" - }, "process": { "counters": { + "cross_process": 1610, "cross_process_dup_process_handle": 1590, "cross_process_dup_thread_handle": 20, - "cross_process": 1610, "file_creation": 148, "file_deletion": 58, "file_modification": 416, 
@@ -426,13 +429,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" } }, - "file": { - "location": "Local", - "node": { - "key": "737373ABCDEF7373" - } + "true_context": { + "key": "CCC43343435EABDF" } }, + "file": { + "created": "2021-08-09T13:28:53.666000Z", + "directory": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome", + "name": "User Data", + "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data", + "type": "dir" + }, "host": { "name": "LAPTOP-COM13", "os": { @@ -443,28 +450,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", "pid": 14896, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "start": "2021-08-09T13:28:53.321000Z", - "name": "chrome.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-6562365326-8585787878-2021012021-6543" - }, - "file": { - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data", - "type": "dir", - "created": "2021-08-09T13:28:53.666000Z", - "name": "User Data", - "directory": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome" + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-6562365326-8585787878-2021012021-6543", + "name": "CORP\\user.name" } } 
@@ -494,19 +494,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileCreation" }, + "file": { + "location": "Local", + "node": { + "key": "737373ABCDEF7373" + } + }, "host": { "os": { "revision": "88888" } }, - "true_context": { - "key": "CCC43343435EABDF" - }, "process": { "counters": { + "cross_process": 1610, "cross_process_dup_process_handle": 1590, "cross_process_dup_thread_handle": 20, - "cross_process": 1610, "file_creation": 148, "file_deletion": 58, "file_modification": 416, @@ -552,13 +555,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" } }, - "file": { - "location": "Local", - "node": { - "key": "737373ABCDEF7373" - } + "true_context": { + "key": "CCC43343435EABDF" } }, + "file": { + "created": "2206-11-13T06:23:32.121000Z", + "extension": "tmp", + "name": "98798798-bbb2-9898-aaaa-1212121212f.tmp", + "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data\\98798798-bbb2-9898-aaaa-1212121212f.tmp", + "type": "file" + }, "host": { "name": "LAPTOP-COM13", "os": { 
@@ -569,28 +576,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", "pid": 14896, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "start": "2021-08-09T13:28:53.932000Z", - "name": "chrome.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-6562365326-8585787878-2021012021-6543" - }, - "file": { - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data\\98798798-bbb2-9898-aaaa-1212121212f.tmp", - "type": "file", - "name": "98798798-bbb2-9898-aaaa-1212121212f.tmp", - "extension": "tmp", - "created": "2206-11-13T06:23:32.121000Z" + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-6562365326-8585787878-2021012021-6543", + "name": "CORP\\user.name" } } @@ -619,14 +619,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileCreation" }, + "file": { + "location": "Local", + "node": { + "key": "39AD9E819F6BE850" + } + }, "host": { "os": { "revision": "17763" } }, - "true_context": { - "key": "CB18415B7D5C7DC1" - }, "process": { "counters": { "file_creation": 3, @@ -651,13 +654,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "CB18415B7D5C7DC1" } }, - "file": { - "location": "Local", - "node": { - "key": "39AD9E819F6BE850" - } + "true_context": { + "key": "CB18415B7D5C7DC1" } }, + "file": { + "created": "2022-08-17T09:13:05.201000Z", + "extension": "Anonymized Data", + "name": "Anonymized Data", + "path": "Anonymized Data", + "type": "file" + }, "host": { "name": "123", "os": { 
@@ -667,16 +674,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "server" }, "process": { - "title": "Unknown file", "pid": 22545, - "start": "2022-08-17T09:13:02.129000Z" - }, - "file": { - "path": "Anonymized Data", - "type": "file", - "name": "Anonymized Data", - "extension": "Anonymized Data", - "created": "2022-08-17T09:13:05.201000Z" + "start": "2022-08-17T09:13:02.129000Z", + "title": "Unknown file" } } @@ -706,14 +706,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileCreation" }, + "file": { + "location": "Local", + "node": { + "key": "4685AD1C6BC7D31D" + } + }, "host": { "os": { "revision": "19043" } }, - "true_context": { - "key": "0506A768B8828E35" - }, "process": { "counters": { "dns_lookups": 30, @@ -754,13 +757,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-18" } }, - "file": { - "location": "Local", - "node": { - "key": "4685AD1C6BC7D31D" - } + "true_context": { + "key": "0506A768B8828E35" } }, + "file": { + "extension": "bin", + "name": "0.bin", + "path": "C:\\Program Files\\Fortinet\\FortiClient\\large_data_upload\\0.bin", + "type": "file" + }, "host": { "name": "LAPTOP-COM4", "os": { 
@@ -771,27 +777,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "FortiESNAC.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000018", - "title": "FortiClient Network Access Control", "executable": "C:\\Program Files\\Fortinet\\FortiClient\\FortiESNAC.exe", + "name": "FortiESNAC.exe", "pid": 6104, - "working_directory": "C:\\Program Files\\Fortinet\\FortiClient", "start": "2021-08-25T07:58:18.032000Z", - "name": "FortiESNAC.exe" - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "id": "S-1-5-18" - }, - "file": { - "path": "C:\\Program Files\\Fortinet\\FortiClient\\large_data_upload\\0.bin", - "type": "file", - "name": "0.bin", - "extension": "bin" + "title": "FortiClient Network Access Control", + "working_directory": "C:\\Program Files\\Fortinet\\FortiClient" }, "related": { "user": [ "AUTORITE NT\\Syst\u00e8me" ] + }, + "user": { + "id": "S-1-5-18", + "name": "AUTORITE NT\\Syst\u00e8me" } } @@ -820,19 +820,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileDeletion" }, + "file": { + "location": "Local", + "node": { + "key": "780E03EC9E64BBE3" + } + }, "host": { "os": { "revision": "19042" } }, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, "process": { "counters": { + "cross_process": 332191, "cross_process_dup_process_handle": 329760, "cross_process_dup_thread_handle": 2431, - "cross_process": 332191, "dns_lookups": 5, "file_creation": 295369, "file_deletion": 282078, 
@@ -880,13 +883,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" } }, - "file": { - "location": "Local", - "node": { - "key": "780E03EC9E64BBE3" - } + "true_context": { + "key": "6B188EE5E8C5F24F" } }, + "file": { + "created": "2021-09-14T15:51:45.524000Z", + "extension": "exe", + "name": "todelete_429a860c9774094b_0_1.exe", + "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Service Worker\\CacheStorage\\1ab01c3b969bd7dcc799e2be1a4ce60699f20543\\650d1e12-cd20-438f-8c15-b58c713de9c7\\todelete_429a860c9774094b_0_1.exe", + "type": "file" + }, "host": { "name": "LAPTOP-TECH20", "os": { 
@@ -897,28 +904,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "pid": 26188, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "hash": { "md5": "a766188d75e570ea3f9b09fb9d82cb54", "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" }, + "name": "chrome.exe", + "pid": 26188, "start": "2021-09-13T07:07:56.708000Z", - "name": "chrome.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "file": { - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Service Worker\\CacheStorage\\1ab01c3b969bd7dcc799e2be1a4ce60699f20543\\650d1e12-cd20-438f-8c15-b58c713de9c7\\todelete_429a860c9774094b_0_1.exe", - "type": "file", - "name": "todelete_429a860c9774094b_0_1.exe", - "extension": "exe", - "created": "2021-09-14T15:51:45.524000Z" + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { "hash": [ @@ -929,6 +925,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", + "name": "CORP\\user.name" } } @@ -957,14 +957,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileModification" }, + "file": { + "is_kernel_module": false, + "location": "Local" + }, "host": { "os": { "revision": "Amazon 2 4.14.246-187.474.amzn2.x86_64" } }, - "true_context": { - "key": "0f4c8c9c-7440-2977-64af-11505a86f00d" - }, "process": { "counters": { "file_creation": 537, 
@@ -1000,11 +1001,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "3397" } }, - "file": { - "location": "Local", - "is_kernel_module": false + "true_context": { + "key": "0f4c8c9c-7440-2977-64af-11505a86f00d" } }, + "file": { + "created": "2022-08-29T07:28:39.966000Z", + "directory": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec", + "name": "2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", + "path": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", + "size": 1347, + "type": "dir" + }, "host": { "name": "ip-1-1-1-1.eu-west-1.compute.internal", "os": { @@ -1015,26 +1023,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": " node /usr/local/bin/npm install", - "title": "node", "executable": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/usr/local/bin/node", - "pid": 12322, "hash": { "sha1": "837e6fbd33802ec0d56ac1bb3754af0046c9a220" }, + "name": "node", + "pid": 12322, "start": "2022-08-29T07:30:22.250000Z", - "name": "node" - }, - "user": { - "name": "root", - "id": "3397" - }, - "file": { - "path": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", - "size": 1347, - "type": "dir", - "created": "2022-08-29T07:28:39.966000Z", - "name": "2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", - "directory": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec" + "title": "node" }, "related": { "hash": [ 
@@ -1043,6 +1039,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "user": { + "id": "3397", + "name": "root" } } @@ -1071,14 +1071,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileDeletion" }, + "file": { + "node": { + "key": "024A7D89-2663-48AF-9DF4-C95494454E37" + } + }, "host": { "os": { "revision": "12.5.1 (21G83)" } }, - "true_context": { - "key": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" - }, "process": { "excluded": "E_FALSE", "executable": { @@ -1105,12 +1107,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" } }, - "file": { - "node": { - "key": "024A7D89-2663-48AF-9DF4-C95494454E37" - } + "true_context": { + "key": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" } }, + "file": { + "created": "2022-08-26T08:51:42.152000Z", + "directory": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy", + "name": "ff558ca8ac21977f6850e3a3a719ed4f.plist", + "path": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist" + }, "host": { "name": "MAC12345678", "os": { 
@@ -1121,25 +1127,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint lint --in-process-sourcekit --config /Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/plugins/Styleguide.output/Styleguide/SwiftLintPlugin/swiftlint.yml /Users/user.name/Documents/Development/djij/djij_design_system_ios/Styleguide", - "title": "swiftlint", "executable": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint", - "pid": 6933, "hash": { "md5": "7180a848026de2bef01fb7383bd03ba0", "sha1": "88bd62f8a3ee159d4f4611b324073d1e56ef76de", "sha256": "03298adf7dae5700891033ddeabecea7f5850fedefadfa9fa6ba389a38ba354f" }, + "name": "swiftlint", + "pid": 6933, "start": "2022-08-26T08:51:42.034000Z", - "name": "swiftlint" - }, - "user": { - "name": "user.name" - }, - "file": { - "path": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist", - "created": "2022-08-26T08:51:42.152000Z", - "name": "ff558ca8ac21977f6850e3a3a719ed4f.plist", - "directory": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy" + "title": "swiftlint" }, "related": { "hash": [ @@ -1150,6 +1147,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user.name" ] + }, + "user": { + "name": "user.name" } } 
@@ -1178,14 +1178,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileModification" }, + "file": { + "is_kernel_module": false, + "location": "Local" + }, "host": { "os": { "revision": "19042" } }, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, "process": { "counters": { "dns_lookups": 5131, @@ -1232,11 +1233,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" } }, - "file": { - "location": "Local", - "is_kernel_module": false + "true_context": { + "key": "6B188EE5E8C5F24F" } }, + "file": { + "created": "2021-09-14T14:41:46.782000Z", + "extension": "CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", + "name": "TransportSecurity", + "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" + }, "host": { "name": "LAPTOP-TECH20", "os": { 
@@ -1247,27 +1253,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8", - "title": "Google Chrome", "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "pid": 17924, - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application", "hash": { "md5": "a766188d75e570ea3f9b09fb9d82cb54", "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" }, + "name": "chrome.exe", + "pid": 17924, "start": "2021-09-13T07:07:57.934000Z", - "name": "chrome.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "file": { - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", - "name": "TransportSecurity", - "extension": "CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", - "created": "2021-09-14T14:41:46.782000Z" + "title": "Google Chrome", + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" }, "related": { "hash": [ @@ -1278,6 +1274,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", + "name": "CORP\\user.name" } } 
@@ -1306,14 +1306,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "fileModification" }, + "file": { + "is_kernel_module": false, + "location": "Local" + }, "host": { "os": { "revision": "17763" } }, - "true_context": { - "key": "07CF4F73FE08319F" - }, "process": { "counters": { "dns_lookups": 72, @@ -1359,11 +1360,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-21-4154652123-1702891081-745747720-13627" } }, - "file": { - "location": "Local", - "is_kernel_module": false + "true_context": { + "key": "07CF4F73FE08319F" } }, + "file": { + "created": "2022-08-17T09:14:31.758000Z", + "extension": "Anonymized Data", + "hash": { + "md5": "2e63349a674acda41d8e1dcbff91b209", + "sha1": "9045966e5e375754d7789d487996d0314b5f77e1", + "sha256": "28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d" + }, + "name": "Anonymized Data", + "path": "Anonymized Data", + "size": 1075 + }, "host": { "name": "123", "os": { 
@@ -1374,33 +1386,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"STATISTIQUES\" -v \"v4.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm21bdf632-40c6-4b01-aa13-238d4c12d066 -h \"C:\\inetpub\\temp\\apppools\\STATISTIQUES\\STATISTIQUES.config\" -w \"\" -m 0 -t 20 -ta 0", - "title": "IIS Worker Process", "executable": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", - "pid": 3748, - "working_directory": "C:\\Windows\\System32\\inetsrv", "hash": { "md5": "0406e327338ccea5ef7dcf58268a8bfe", "sha1": "447ec979c4b2c53c21b17bd9c2f7d67a9f967108", "sha256": "1eb51ea7407f41bc212cc699e37727ad6e6d52ec6746119ea066bd901f5e143b" }, + "name": "w3wp.exe", + "pid": 3748, "start": "2022-08-17T06:12:44.710000Z", - "name": "w3wp.exe" - }, - "user": { - "name": "123\\foo.statistiques", - "id": "S-1-5-21-4154652123-1702891081-745747720-13627" - }, - "file": { - "path": "Anonymized Data", - "hash": { - "md5": "2e63349a674acda41d8e1dcbff91b209", - "sha1": "9045966e5e375754d7789d487996d0314b5f77e1", - "sha256": "28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d" - }, - "size": 1075, - "name": "Anonymized Data", - "extension": "Anonymized Data", - "created": "2022-08-17T09:14:31.758000Z" + "title": "IIS Worker Process", + "working_directory": "C:\\Windows\\System32\\inetsrv" }, "related": { "hash": [ @@ -1414,6 +1410,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "123\\foo.statistiques" ] + }, + "user": { + "id": "S-1-5-21-4154652123-1702891081-745747720-13627", + "name": "123\\foo.statistiques" } } @@ -1448,9 +1448,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19043" } }, - "true_context": { - "key": "A1FFB5A30161CDC0" - }, "process": { "counters": { "dns_lookups": 81, 
@@ -1499,6 +1496,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-21-3542462677-1213864171-2030164332-6195" } + }, + "true_context": { + "key": "A1FFB5A30161CDC0" } }, "host": { @@ -1509,40 +1509,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "laptop" }, + "http": { + "request": { + "method": "GET" + } + }, "process": { "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"", - "title": "Microsoft Outlook", "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "pid": 14144, - "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16", "hash": { "md5": "bafa8a3a020648b57622e0b79104468a", "sha1": "676b4e6a3c2c06fd7df3b83527a5570fd6687c8f", "sha256": "97564d2938bebaaf1741fe5f675366cf1d8d3b6328fe38a5cf8e7133fe533ed1" }, + "name": "OUTLOOK.EXE", + "pid": 14144, "start": "2021-09-16T07:02:10.819000Z", - "name": "OUTLOOK.EXE" - }, - "user": { - "name": "CORP\\m.benyounes", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6195" - }, - "http": { - "request": { - "method": "GET" - } - }, - "url": { - "original": "https://automation.alticap.com/media/images/1548943185788.jpg?foo=bar#frag", - "domain": "automation.alticap.com", - "top_level_domain": "com", - "subdomain": "automation", - "registered_domain": "alticap.com", - "fragment": "frag", - "path": "/media/images/1548943185788.jpg", - "query": "foo=bar", - "scheme": "https", - "port": 443 + "title": "Microsoft Outlook", + "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16" }, "related": { "hash": [ 
@@ -1553,6 +1537,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\m.benyounes" ] + }, + "url": { + "domain": "automation.alticap.com", + "fragment": "frag", + "original": "https://automation.alticap.com/media/images/1548943185788.jpg?foo=bar#frag", + "path": "/media/images/1548943185788.jpg", + "port": 443, + "query": "foo=bar", + "registered_domain": "alticap.com", + "scheme": "https", + "subdomain": "automation", + "top_level_domain": "com" + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6195", + "name": "CORP\\m.benyounes" } } @@ -1588,14 +1588,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { - "relations": "PR_OTHER", - "desired_access": 5240, "counters": { "cross_process": 5262, "dns_lookups": 51, "module_load": 222, "net_conn_out": 1813 }, + "desired_access": 5240, "excluded": "E_FALSE", "executable": { "is_dir": "E_FALSE", @@ -1620,9 +1619,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "2A2CC1C3468CB3D8" }, "parent": { - "node": { - "key": "611EAD3E998CF40A" - }, "excluded": "E_FALSE", "executable": { "is_dir": "E_FALSE", @@ -1643,6 +1639,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_FALSE", + "node": { + "key": "611EAD3E998CF40A" + }, "parent": { "node": { "key": "0D332A871A7DB912" @@ -1656,14 +1655,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sid": "S-1-5-18" } }, + "relations": "PR_OTHER", "root": "E_TRUE", - "true_context": { - "key": "A2DC49811AF8CC72" - }, - "user": { - "sid": "S-1-5-18" - }, "target": { + "command_line": "taskhostw.exe Install $(Arg0)", "counters": { "module_load": 44 }, 
@@ -1683,10 +1678,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "start": "18446732429235951616" }, "family": "SYS_WIN32", + "hash": { + "md5": "564e4806ab18f93b93d551cd10c1598e", + "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", + "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" + }, "integrity_level": "MEDIUM", "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_FALSE", + "name": "Host Process for Windows Tasks", "node": { "key": "E94742BA9CF1A186" }, @@ -1695,24 +1696,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "399C73C0494DC82C" } }, + "pid": 15728, "root": "E_TRUE", "session_id": 7, + "start": "2021-09-14T15:51:51.621000Z", "true_context": { "key": "AB55C980E679578F" }, "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6152" - }, - "command_line": "taskhostw.exe Install $(Arg0)", - "name": "Host Process for Windows Tasks", - "pid": 15728, - "working_directory": "C:\\WINDOWS\\system32", - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" + "sid": "S-1-5-21-3542462677-1213864171-2030164332-6152" }, - "start": "2021-09-14T15:51:51.621000Z" + "working_directory": "C:\\WINDOWS\\system32" + }, + "true_context": { + "key": "A2DC49811AF8CC72" + }, + "user": { + "sid": "S-1-5-18" } } }, 
@@ -1726,33 +1726,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\WINDOWS\\system32\\lsass.exe", - "title": "Local Security Authority Process", "executable": "C:\\WINDOWS\\system32\\lsass.exe", - "pid": 992, - "working_directory": "C:\\WINDOWS\\system32", "hash": { "md5": "15a556def233f112d127025ab51ac2d3", "sha1": "28f7fb54c7bcd9d6e71669ea5bddf72ea65311ce", "sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427" }, - "start": "2021-09-06T09:11:02.523000Z", "name": "lsass.exe", "parent": { "command_line": "wininit.exe", - "title": "Windows Start-Up Application", - "pid": 900, "hash": { "md5": "9ef51c8ad595c5e2a123c06ad39fccd7", "sha1": "915ea28bdaa9a2230ce52080693d7f7e27620ed5", "sha256": "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86" }, "name": "wininit.exe", + "pid": 900, + "title": "Windows Start-Up Application", "working_directory": "C:\\WINDOWS\\system32" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "id": "S-1-5-18" + }, + "pid": 992, + "start": "2021-09-06T09:11:02.523000Z", + "title": "Local Security Authority Process", + "working_directory": "C:\\WINDOWS\\system32" }, "related": { "hash": [ @@ -1766,6 +1762,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AUTORITE NT\\Syst\u00e8me" ] + }, + "user": { + "id": "S-1-5-18", + "name": "AUTORITE NT\\Syst\u00e8me" } } @@ -1800,9 +1800,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "03E80496A6DE3247" - }, "process": { "counters": { "module_load": 44 @@ -1831,9 +1828,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "F85B96F9DB3700A5" }, "parent": { - "node": { - "key": "BAA63DA271B07548" - }, "counters": { "cross_process": 324, "model_child_process": 2096, 
@@ -1860,6 +1854,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_FALSE", + "node": { + "key": "BAA63DA271B07548" + }, "parent": { "node": { "key": "C36E5F6CB1EFE1FA" @@ -1881,6 +1878,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" } + }, + "true_context": { + "key": "03E80496A6DE3247" + } + }, + "file": { + "hash": { + "md5": "564e4806ab18f93b93d551cd10c1598e", + "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", + "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" } }, "host": { 
@@ -1891,49 +1898,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "laptop" }, - "file": { - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - } - }, "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS", + "valid": true + }, "command_line": "taskhostw.exe Install $(Arg0)", "executable": "C:\\Windows\\System32\\taskhostw.exe", - "title": "Host Process for Windows Tasks", - "pid": 15104, - "working_directory": "C:\\Windows\\System32", "hash": { "md5": "564e4806ab18f93b93d551cd10c1598e", "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" }, - "start": "2021-09-14T14:41:46.706000Z", "name": "taskhostw.exe", "parent": { "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "title": "Host Process for Windows Services", - "pid": 1900, "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { "md5": "f586835082f632dc8d9404d83bc16316", "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" }, - "start": "2021-09-05T15:56:08.855000Z", "name": "svchost.exe", + "pid": 1900, + "start": "2021-09-05T15:56:08.855000Z", + "title": "Host Process for Windows Services", "working_directory": "C:\\Windows\\System32" }, - "code_signature": { - "subject_name": "MICROSOFT WINDOWS", - "exists": true, - "valid": true - } - }, - "user": { - "name": "CORP\\l.maoui", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6168" + "pid": 15104, + "start": "2021-09-14T14:41:46.706000Z", + "title": "Host Process for Windows Tasks", + "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ 
@@ -1947,6 +1943,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\l.maoui" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6168", + "name": "CORP\\l.maoui" } } @@ -1981,9 +1981,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19043" } }, - "true_context": { - "key": "3B49B9603DFF38C9" - }, "process": { "counters": { "module_load": 212 @@ -2012,9 +2009,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "03B4B5C3910B72FF" }, "parent": { - "node": { - "key": "6308FCA4876DA87C" - }, "counters": { "cross_process": 39, "model_child_process": 1095, @@ -2041,6 +2035,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_FALSE", + "node": { + "key": "6308FCA4876DA87C" + }, "parent": { "node": { "key": "6B6B39C296E3FD3D" @@ -2061,6 +2058,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-18" } + }, + "true_context": { + "key": "3B49B9603DFF38C9" } }, "host": { 
@@ -2073,35 +2073,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\WINDOWS\\system32\\wermgr.exe -upload", - "title": "Windows Problem Reporting", "executable": "C:\\WINDOWS\\System32\\wermgr.exe", - "pid": 9876, - "working_directory": "C:\\WINDOWS\\System32", "hash": { "md5": "f7991343cf02ed92cb59f394e8b89f1f", "sha1": "573ad9af63a6a0ab9b209ece518fd582b54cfef5", "sha256": "1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc" }, - "start": "2021-09-14T15:51:43.718000Z", "name": "wermgr.exe", "parent": { "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "title": "Host Process for Windows Services", - "pid": 1744, "executable": "C:\\WINDOWS\\System32\\svchost.exe", "hash": { "md5": "f586835082f632dc8d9404d83bc16316", "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" }, - "start": "2021-09-07T13:40:21.170000Z", "name": "svchost.exe", + "pid": 1744, + "start": "2021-09-07T13:40:21.170000Z", + "title": "Host Process for Windows Services", "working_directory": "C:\\WINDOWS\\System32" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "id": "S-1-5-18" + }, + "pid": 9876, + "start": "2021-09-14T15:51:43.718000Z", + "title": "Windows Problem Reporting", + "working_directory": "C:\\WINDOWS\\System32" }, "related": { "hash": [ @@ -2115,6 +2111,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AUTORITE NT\\Syst\u00e8me" ] + }, + "user": { + "id": "S-1-5-18", + "name": "AUTORITE NT\\Syst\u00e8me" } } @@ -2149,9 +2149,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "D1A7307582B51DFF" - }, "process": { "counters": { "module_load": 52 
@@ -2195,6 +2192,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "registry": { "security_information": 4 + }, + "true_context": { + "key": "D1A7307582B51DFF" } }, "host": { @@ -2207,21 +2207,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "taskhostw.exe", - "title": "Host Process for Windows Tasks", "executable": "C:\\Windows\\system32\\taskhostw.exe", - "pid": 25104, - "working_directory": "C:\\Windows\\system32", "hash": { "md5": "564e4806ab18f93b93d551cd10c1598e", "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" }, + "name": "taskhostw.exe", + "pid": 25104, "start": "2021-09-16T06:58:44.677000Z", - "name": "taskhostw.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6186" + "title": "Host Process for Windows Tasks", + "working_directory": "C:\\Windows\\system32" }, "registry": { "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001", @@ -2236,6 +2232,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6186", + "name": "CORP\\user.name" } } @@ -2270,9 +2270,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "D1A7307582B51DFF" - }, "process": { "counters": { "module_load": 52 @@ -2316,6 +2313,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "registry": { "value_type": "1" + }, + "true_context": { + "key": "D1A7307582B51DFF" } }, "host": { 
@@ -2328,28 +2328,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "taskhostw.exe", - "title": "Host Process for Windows Tasks", "executable": "C:\\Windows\\system32\\taskhostw.exe", - "pid": 25104, - "working_directory": "C:\\Windows\\system32", "hash": { "md5": "564e4806ab18f93b93d551cd10c1598e", "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" }, + "name": "taskhostw.exe", + "pid": 25104, "start": "2021-09-16T06:58:44.677000Z", - "name": "taskhostw.exe" - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6186" + "title": "Host Process for Windows Tasks", + "working_directory": "C:\\Windows\\system32" }, "registry": { - "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\12000002\\Element", - "value": "Element", "data": { "type": "REG_SZ" - } + }, + "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\12000002\\Element", + "value": "Element" }, "related": { "hash": [ @@ -2360,6 +2356,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6186", + "name": "CORP\\user.name" } } @@ -2394,9 +2394,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "6508114A467ECCA8" - }, "process": { "counters": { "file_modification": 1, @@ -2436,6 +2433,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "true_context": { "key": "6508114A467ECCA8" } + }, + "true_context": { + "key": "6508114A467ECCA8" } }, "host": { 
@@ -2447,18 +2447,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "laptop" }, "process": { - "title": "NT Kernel & System", "executable": "C:\\Windows\\System32\\ntoskrnl.exe", - "pid": 4, - "working_directory": "C:\\Windows\\System32", "hash": { "sha1": "560b6a3b55112d9834e28def41d5ac3de0e03928" }, + "name": "ntoskrnl.exe", + "pid": 4, "start": "2021-09-16T08:31:07.519000Z", - "name": "ntoskrnl.exe" - }, - "user": { - "name": "SYSTEM" + "title": "NT Kernel & System", + "working_directory": "C:\\Windows\\System32" }, "registry": { "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\SentinelDeviceControl\\Enum\\53", @@ -2471,6 +2468,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "name": "SYSTEM" } } @@ -2505,9 +2505,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "B3E0EF7ECFD0D296" - }, "process": { "counters": { "model_child_process": 25, @@ -2555,14 +2552,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "value_type": "3" }, "old": { - "value_type": "1", "data": { - "type": "REG_SZ", "strings": [ "00C0F0FF" - ] - } + ], + "type": "REG_SZ" + }, + "value_type": "1" } + }, + "true_context": { + "key": "B3E0EF7ECFD0D296" } }, "host": { 
@@ -2575,29 +2575,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p", - "title": "Host Process for Windows Services", "executable": "C:\\Windows\\System32\\svchost.exe", - "pid": 3504, - "working_directory": "C:\\Windows\\System32", "hash": { "md5": "f586835082f632dc8d9404d83bc16316", "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" }, + "name": "svchost.exe", + "pid": 3504, "start": "2021-09-14T13:24:10.355000Z", - "name": "svchost.exe" - }, - "user": { - "name": "AUTORITE NT\\SERVICE LOCAL", - "id": "S-1-5-19" + "title": "Host Process for Windows Services", + "working_directory": "C:\\Windows\\System32" }, "registry": { - "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\0003\\GlobalSettings\\AnalogDigitalCapture\\Node000\\Chan001", - "value": "Chan001", "data": { - "type": "REG_BINARY", - "bytes": "0040EEFF" - } + "bytes": "0040EEFF", + "type": "REG_BINARY" + }, + "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\0003\\GlobalSettings\\AnalogDigitalCapture\\Node000\\Chan001", + "value": "Chan001" }, "related": { "hash": [ @@ -2608,6 +2604,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AUTORITE NT\\SERVICE LOCAL" ] + }, + "user": { + "id": "S-1-5-19", + "name": "AUTORITE NT\\SERVICE LOCAL" } } @@ -2642,12 +2642,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "4FE2F2ADB5655DDF" - }, - "scheduled_task": { - "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work" - }, "process": { "counters": { "dns_lookups": 1, 
@@ -2691,6 +2685,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-18" } + }, + "scheduled_task": { + "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work" + }, + "true_context": { + "key": "4FE2F2ADB5655DDF" } }, "host": { @@ -2703,21 +2703,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\Windows\\System32\\mousocoreworker.exe -Embedding", - "title": "MoUSO Core Worker Process", "executable": "C:\\WINDOWS\\system32\\MoUsoCoreWorker.exe", - "pid": 8588, - "working_directory": "C:\\WINDOWS\\system32", "hash": { "md5": "475c5e07f8375dab6e5888301b1705e6", "sha1": "a5a6716e38b06d44f4803b5167db2a0862b1d6bf", "sha256": "a250e2af9b662d6a81552178ac7514e81032c5a4b7031666f8e777f597ea5a9d" }, + "name": "MoUsoCoreWorker.exe", + "pid": 8588, "start": "2021-09-10T16:02:48.083000Z", - "name": "MoUsoCoreWorker.exe" - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "id": "S-1-5-18" + "title": "MoUSO Core Worker Process", + "working_directory": "C:\\WINDOWS\\system32" }, "related": { "hash": [ @@ -2728,6 +2724,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AUTORITE NT\\Syst\u00e8me" ] + }, + "user": { + "id": "S-1-5-18", + "name": "AUTORITE NT\\Syst\u00e8me" } } @@ -2795,12 +2795,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "key": "35A565744E7A266A" }, "parent": { - "node": { - "key": "04DEDAAF23E16398" - }, "counters": { - "cross_process_dup_process_handle": 2, "cross_process": 2, + "cross_process_dup_process_handle": 2, "file_creation": 1, "file_deletion": 1, "file_modification": 32, 
@@ -2830,6 +2827,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interactive": "E_FALSE", "is_redirected_command_processor": "E_FALSE", "is_wow64": "E_TRUE", + "node": { + "key": "04DEDAAF23E16398" + }, "parent": { "node": { "key": "EDA8D6AB348AAE7D" @@ -2857,6 +2857,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "app_name": "DotNet" } }, + "file": { + "size": 612864 + }, "host": { "name": "LAPTOP-TECH20", "os": { @@ -2868,33 +2871,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "\"C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe\" /child", "executable": "C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe", - "pid": 14832, - "working_directory": "C:\\ProgramData\\PCDr\\CSAW", "hash": { "md5": "423050654da76dab9c2866ba3c13ce38", "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa" }, - "start": "2021-09-16T14:22:42.671000Z", "name": "CSAW_Child.exe", "parent": { "command_line": "\"C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries\\CSAW.exe\" /NA /noui", - "pid": 1780, "hash": { "md5": "423050654da76dab9c2866ba3c13ce38", "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa" }, "name": "csaw.exe", + "pid": 1780, "working_directory": "C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries" - } - }, - "user": { - "name": "CORP\\user.name", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "file": { - "size": 612864 + }, + "pid": 14832, + "start": "2021-09-16T14:22:42.671000Z", + "working_directory": "C:\\ProgramData\\PCDr\\CSAW" }, "related": { "hash": [ 
@@ -2905,6 +2901,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\user.name" ] + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", + "name": "CORP\\user.name" } } @@ -2939,9 +2939,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "revision": "19042" } }, - "true_context": { - "key": "C5307F702A45841C" - }, "process": { "counters": { "dns_lookups": 108, @@ -2988,8 +2985,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" } + }, + "true_context": { + "key": "C5307F702A45841C" } }, + "destination": { + "address": "52.182.143.208", + "ip": "52.182.143.208", + "port": 443 + }, "host": { "name": "LAPTOP-COM11", "os": { 
@@ -2998,36 +3003,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "laptop" }, + "network": { + "direction": "outbound" + }, "process": { "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" /vu \"C:\\Users\\l.maoui\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\GMYOE03V\\S36 -2021.xlsx\"", - "title": "Microsoft Excel", "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", - "pid": 19376, - "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16", "hash": { "md5": "3dcef51688df91a37bc07d8a261a9427", "sha1": "c20704e15fa16fd333cf61c5611dc74299284d7d", "sha256": "02cbdab1431442fbaa216a9361d3127c1de5a247db279aba9a4df421b973bdf4" }, + "name": "EXCEL.EXE", + "pid": 19376, "start": "2021-09-14T07:13:48.039000Z", - "name": "EXCEL.EXE" - }, - "user": { - "name": "CORP\\l.maoui", - "id": "S-1-5-21-3542462677-1213864171-2030164332-6168" - }, - "source": { - "address": "10.26.8.27", - "port": 50965, - "ip": "10.26.8.27" - }, - "destination": { - "port": 443, - "ip": "52.182.143.208", - "address": "52.182.143.208" - }, - "network": { - "direction": "outbound" + "title": "Microsoft Excel", + "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16" }, "related": { "hash": [ @@ -3042,6 +3033,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "CORP\\l.maoui" ] + }, + "source": { + "address": "10.26.8.27", + "ip": "10.26.8.27", + "port": 50965 + }, + "user": { + "id": "S-1-5-21-3542462677-1213864171-2030164332-6168", + "name": "CORP\\l.maoui" } } diff --git a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md index 062c54d321..bb8d5a5162 100644 --- a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md 
+++ b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md 
@@ -38,90 +38,90 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-10-28T12:03:08.954602+00:00\",\n \"lvl\": 4,\n \"module\": \"das\",\n \"eventName\": \"antivirusAlert\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130161020000004,\n \"domain__\": \"example.org\",\n \"location\": \"Task: \\\\Microsoft\\\\Windows\\\\InstallService\\\\ScanForUpdates\",\n \"atime\": \"2022-10-28T06:47:03.009122+00:00\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"pid\": null,\n \"description\": \"Antivirus detection: 1/65 (1%)\\nAutostart entry\",\n \"username\": null,\n \"hostname__\": \"MR11111\",\n \"os_architecture__\": \"x86_64\",\n \"os_release__\": \"10\",\n \"hash_last_update\": \"2022-10-27T14:45:12.038340+00:00\",\n \"tags\": \"\",\n \"cmdline\": \"C:\\\\Windows\\\\System32\\\\InstallServiceTasks.dll\",\n \"uid\": \"a262506e-3c9e-4afe-9233-f2335167ea86;windows;MR11111;example.org\",\n \"total\": 65,\n \"ppid\": null,\n \"ctime\": \"2021-09-13T07:11:02.365029+00:00\",\n \"os__\": \"windows\",\n \"os_version__\": \"10.0.19041\",\n \"positives\": 1,\n \"os_server__\": false,\n \"pCreateDatetime\": null,\n \"uuid__\": \"a262506e-3c9e-4afe-9233-f2335167ea86\",\n \"path\": \"C:\\\\WINDOWS\\\\System32\\\\InstallServiceTasks.dll\",\n \"tag\": \"TRI_AAA_WIN\",\n \"mtime\": \"2021-09-13T07:11:02.349390+00:00\",\n \"id\": 999999999\n}\n", "event": { + "category": [ + "malware" + ], + "code": "130161020000004", "kind": "alert", - "reason": "Antivirus detection: 1/65 (1%)\nAutostart entry", "module": "das", + "reason": "Antivirus detection: 1/65 (1%)\nAutostart entry", "severity": 4, "type": [ "info" - ], - "code": "130161020000004", - "category": [ - "malware" ] }, "@timestamp": "2022-10-28T12:03:08.954602Z", "agent": { "id": "a262506e-3c9e-4afe-9233-f2335167ea86" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": 
"Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": "windows", "version": "10.0.19041" - }, - "name": "MR11111" - }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" + }, "process": { "command_line": "C:\\Windows\\System32\\InstallServiceTasks.dll", "executable": "C:\\WINDOWS\\System32\\InstallServiceTasks.dll", "name": "InstallServiceTasks.dll" }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "tehtris": { "edr": { + "antivirus": { + "positives": 1, + "total": 65 + }, "event": { - "id": "999999999", "appliance": { "id": "1" }, "egKBId": "130161020000004", + "id": "999999999", + "location": "Task: \\Microsoft\\Windows\\InstallService\\ScanForUpdates", "tag": "TRI_AAA_WIN", - "type": "antivirusAlert", - "location": "Task: \\Microsoft\\Windows\\InstallService\\ScanForUpdates" + "type": "antivirusAlert" }, "host": { + "is_server": false, "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false - }, - "antivirus": { - "total": 65, - "positives": 1 + "architecture": "x86_64", + "release": "10" + } } } - }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] } } 
@@ -135,96 +135,96 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-10-28T11:58:20.377350+00:00\",\n \"lvl\": 5,\n \"module\": \"das\",\n \"eventName\": \"HeuristicAlert\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130181011000003,\n \"ppid\": 14172,\n \"os_architecture__\": \"x86_64\",\n \"description\": \"Suspect spawn tree detected\\n\u2500 (EXAMPLE-NT\\\\doe-j) C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe (14172)\\n\u2500\u2500 (EXAMPLE-NT\\\\doe-j) C:\\\\Windows\\\\System32\\\\cmd.exe (10544)\\n\\nNo remediation taken\",\n \"os_version__\": \"10.0.19041\",\n \"pCreateDatetime\": \"2022-10-28T11:45:14.751830+00:00\",\n \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"os_server__\": false,\n \"os__\": \"windows\",\n \"domain__\": \"example.org\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"uuid__\": \"5c3ff0bc-5101-4152-a330-923e569c9229\",\n \"os_release__\": \"10\",\n \"username\": \"EXAMPLE-NT\\\\doe-j\",\n \"cmdline\": \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /c \\\"C:\\\\Users\\\\doe-j\\\\AppData\\\\Local\\\\Programs\\\\Fake Company\\\\program.exe\\\" chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/ --parent-window=0 < \\\\\\\\.\\\\pipe\\\\LOCAL\\\\1111111111111111111111111111111111111111 > \\\\\\\\.\\\\pipe\\\\LOCAL\\\\11111111111111111111111111111111111111111\",\n \"location\": \"\",\n \"hostname__\": \"MR11111\",\n \"uid\": \"5c3ff0bc-5101-4152-a330-923e569c9229;windows;MR11111;example.org\",\n \"tag\": \"TRI_AAA_WIN\",\n \"pid\": 10544,\n \"id\": 888888888\n}\n", "event": { + "category": [ + "process" + ], + "code": "130181011000003", "kind": "alert", - "reason": "Suspect spawn tree detected\n\u2500 (EXAMPLE-NT\\doe-j) C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe (14172)\n\u2500\u2500 (EXAMPLE-NT\\doe-j) C:\\Windows\\System32\\cmd.exe 
(10544)\n\nNo remediation taken", "module": "das", + "reason": "Suspect spawn tree detected\n\u2500 (EXAMPLE-NT\\doe-j) C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe (14172)\n\u2500\u2500 (EXAMPLE-NT\\doe-j) C:\\Windows\\System32\\cmd.exe (10544)\n\nNo remediation taken", "severity": 5, "type": [ "info" - ], - "code": "130181011000003", - "category": [ - "process" ] }, "@timestamp": "2022-10-28T11:58:20.377350Z", "agent": { "id": "5c3ff0bc-5101-4152-a330-923e569c9229" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": "Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": "windows", "version": "10.0.19041" - }, - "name": "MR11111" - }, - "user": { - "name": "doe-j", - "domain": "EXAMPLE-NT" - }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" + }, "process": { - "pid": 10544, "command_line": "C:\\WINDOWS\\system32\\cmd.exe /d /c \"C:\\Users\\doe-j\\AppData\\Local\\Programs\\Fake Company\\program.exe\" chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/ --parent-window=0 < \\\\.\\pipe\\LOCAL\\1111111111111111111111111111111111111111 > \\\\.\\pipe\\LOCAL\\11111111111111111111111111111111111111111", + "executable": "C:\\Windows\\System32\\cmd.exe", + "name": "cmd.exe", "parent": { "pid": 14172 }, - "executable": "C:\\Windows\\System32\\cmd.exe", - "name": "cmd.exe" + "pid": 10544 + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" 
+ ], + "user": [ + "doe-j" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tehtris": { "edr": { "event": { - "id": "888888888", "appliance": { "id": "1" }, "egKBId": "130181011000003", + "id": "888888888", "tag": "TRI_AAA_WIN", "type": "HeuristicAlert" }, "host": { + "is_server": false, "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false + "architecture": "x86_64", + "release": "10" + } } } }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "doe-j" - ] + "user": { + "domain": "EXAMPLE-NT", + "name": "doe-j" } } 
@@ -238,93 +238,93 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-10-28T15:23:27.128665+00:00\",\n \"lvl\": 5,\n \"module\": \"das\",\n \"eventName\": \"oletools\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130181040000001,\n \"domain__\": \"example.org\",\n \"uid\": \"5c3ff0bc-5101-4152-a330-923e569c9229;windows;MR11111;example.org\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"os__\": \"windows\",\n \"maliciousMacro\": null,\n \"firstTimeMacro\": null,\n \"unknownMacro\": null,\n \"description\": \"URLs detected in a document file\\n\\nRemediation: no remediation taken\\n\\nSuspicious URLs:\\n- http://www.google.com\",\n \"os_version__\": \"10.0.19041\",\n \"os_architecture__\": \"x86_64\",\n \"os_server__\": false,\n \"hostname__\": \"MR11111\",\n \"uuid__\": \"5c3ff0bc-5101-4152-a330-923e569c9229\",\n \"os_release__\": \"10\",\n \"path\": \"C:\\\\Users\\\\doe-j\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\AAAAA\\\\suspicious.docx\",\n \"tag\": \"TRI_AAA_WIN\",\n \"report\": \"\",\n \"id\": 555555555\n}\n", "event": { + "category": [ + "process" + ], + "code": "130181040000001", "kind": "event", - "reason": "URLs detected in a document file\n\nRemediation: no remediation taken\n\nSuspicious URLs:\n- http://www.google.com", "module": "das", + "reason": "URLs detected in a document file\n\nRemediation: no remediation taken\n\nSuspicious URLs:\n- http://www.google.com", "severity": 5, "type": [ "info" - ], - "code": "130181040000001", - "category": [ - "process" ] }, "@timestamp": "2022-10-28T15:23:27.128665Z", "agent": { "id": "5c3ff0bc-5101-4152-a330-923e569c9229" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": "Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + 
"address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "directory": "C:\\Users\\doe-j\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AAAAA", + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "suspicious.docx", + "path": "C:\\Users\\doe-j\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AAAAA\\suspicious.docx" }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": "windows", "version": "10.0.19041" - }, - "name": "MR11111" + } }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - }, - "path": "C:\\Users\\doe-j\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AAAAA\\suspicious.docx", - "name": "suspicious.docx", - "directory": "C:\\Users\\doe-j\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AAAAA" + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" }, - "url": { - "original": "http://www.google.com", - "domain": "www.google.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "google.com", - "scheme": "http", - "port": 80 + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tehtris": { "edr": { "event": { - "id": "555555555", "appliance": { "id": "1" }, "egKBId": "130181040000001", + "id": "555555555", + "remediation_status": "no remediation taken", "tag": "TRI_AAA_WIN", - "type": "oletools", - "remediation_status": "no remediation taken" + "type": "oletools" }, "host": { + "is_server": false, "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false + "architecture": "x86_64", + "release": "10" + } } } }, - "related": { - "hash": [ - 
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] + "url": { + "domain": "www.google.com", + "original": "http://www.google.com", + "port": 80, + "registered_domain": "google.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" } } 
@@ -338,92 +338,92 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-11-02T08:13:10.566734+00:00\",\n \"lvl\": 6,\n \"module\": \"das\",\n \"eventName\": \"oletools\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130181041000003,\n \"os_server__\": false,\n \"tag\": \"TRI_AAA_WIN\",\n \"report\": \"Document file sha256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"uid\": \"5c3ff0bc-5101-4152-a330-923e569c9229;windows;MR11111;example.org\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"hostname__\": \"MR11111\",\n \"maliciousMacro\": 1,\n \"os__\": \"windows\",\n \"domain__\": \"example.org\",\n \"os_version__\": \"10.0.19041\",\n \"uuid__\": \"5c3ff0bc-5101-4152-a330-923e569c9229\",\n \"description\": \"Potential malicious VBA code detected in a document file\\n- Suspicious macros detected (1)\\n\\nRemediation: no remediation taken\\n\\nBehaviors:\\n- Suspicious | May run PowerShell commands\\n\\nSuspicious macros sha1:\\n- adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"os_release__\": \"10\",\n \"os_architecture__\": \"x86_64\",\n \"firstTimeMacro\": 0,\n \"unknownMacro\": 28,\n \"path\": \"C:\\\\Users\\\\doe-j\\\\AppData\\\\Local\\\\Analysis\\\\FUNCRES.XLAM\",\n \"id\": 837562963\n}\n", "event": { + "category": [ + "process" + ], + "code": "130181041000003", "kind": "event", - "reason": "Potential malicious VBA code detected in a document file\n- Suspicious macros detected (1)\n\nRemediation: no remediation taken\n\nBehaviors:\n- Suspicious | May run PowerShell commands\n\nSuspicious macros sha1:\n- adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", "module": "das", + "reason": "Potential malicious VBA code detected in a document file\n- Suspicious macros detected (1)\n\nRemediation: no remediation taken\n\nBehaviors:\n- Suspicious | May run PowerShell commands\n\nSuspicious macros sha1:\n- 
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", "severity": 6, "type": [ "info" - ], - "code": "130181041000003", - "category": [ - "process" ] }, "@timestamp": "2022-11-02T08:13:10.566734Z", "agent": { "id": "5c3ff0bc-5101-4152-a330-923e569c9229" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": "Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "directory": "C:\\Users\\doe-j\\AppData\\Local\\Analysis", + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "FUNCRES.XLAM", + "path": "C:\\Users\\doe-j\\AppData\\Local\\Analysis\\FUNCRES.XLAM" }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": "windows", "version": "10.0.19041" - }, - "name": "MR11111" + } }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - }, - "path": "C:\\Users\\doe-j\\AppData\\Local\\Analysis\\FUNCRES.XLAM", - "name": "FUNCRES.XLAM", - "directory": "C:\\Users\\doe-j\\AppData\\Local\\Analysis" + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tehtris": { "edr": { "event": { - "id": "837562963", "appliance": { "id": "1" }, "egKBId": "130181041000003", + "id": "837562963", + "remediation_status": "no remediation taken", "tag": "TRI_AAA_WIN", - "type": "oletools", - "remediation_status": "no remediation taken" - }, - "host": { - "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false + "type": "oletools" }, "file": { "macro": { - "is_malicious": true, - "sha1": 
"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", "behavior_status": "Suspicious | May run PowerShell commands", - "detection_status": "Suspicious macros detected (1)" + "detection_status": "Suspicious macros detected (1)", + "is_malicious": true, + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + } + }, + "host": { + "is_server": false, + "os": { + "architecture": "x86_64", + "release": "10" } } } - }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] } } 
@@ -437,106 +437,106 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-10-28T14:49:14.869905+00:00\",\n \"lvl\": 6,\n \"module\": \"das\",\n \"eventName\": \"HeuristicAlert\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130171010000001,\n \"ppid\": 12296,\n \"os_architecture__\": \"x86_64\",\n \"description\": \"Application policy: COPS WINDOWS v2 ([I] T1204.001 User Execution: Web requests from unusual sources)\",\n \"os_version__\": \"10.0.19041\",\n \"pCreateDatetime\": \"2022-10-28T14:31:26.157008+00:00\",\n \"path\": \"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\106.0.1370.52\\\\identity_helper.exe\",\n \"os_server__\": false,\n \"os__\": \"windows\",\n \"domain__\": \"example.org\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"uuid__\": \"5c3ff0bc-5101-4152-a330-923e569c9229\",\n \"os_release__\": \"10\",\n \"username\": \"EXAMPLE-NT\\\\doe-j\",\n \"cmdline\": \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\106.0.1370.52\\\\identity_helper.exe\\\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --unsafely-treat-insecure-origin-as-secure=http://astgedgecp.region.local,http://astgedgecq.region.local,http://astgedrheq.region.local,http://astgedrhep.region.local --mojo-platform-channel-handle=3564 --field-trial-handle=2140,i,6139612544440408755,5345815150035985187,131072 /prefetch:8\",\n \"location\": \"\",\n \"hostname__\": \"MR11111\",\n \"uid\": \"5c3ff0bc-5101-4152-a330-923e569c9229;windows;MR11111;example.org\",\n \"tag\": \"TRI_AAA_WIN\",\n \"pid\": 2424,\n \"id\": 666666666\n}\n", "event": { + "category": [ + "process" + ], + "code": "130171010000001", "kind": "alert", - "reason": "Application policy: COPS WINDOWS v2 ([I] T1204.001 User Execution: Web requests from unusual sources)", "module": "das", + "reason": 
"Application policy: COPS WINDOWS v2 ([I] T1204.001 User Execution: Web requests from unusual sources)", "severity": 6, "type": [ "info" - ], - "code": "130171010000001", - "category": [ - "process" ] }, "@timestamp": "2022-10-28T14:49:14.869905Z", "agent": { "id": "5c3ff0bc-5101-4152-a330-923e569c9229" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": "Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": "windows", "version": "10.0.19041" - }, - "name": "MR11111" - }, - "user": { - "name": "doe-j", - "domain": "EXAMPLE-NT" - }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, - "rule": { - "name": "COPS WINDOWS v2" + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" }, "process": { - "pid": 2424, "command_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\106.0.1370.52\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --unsafely-treat-insecure-origin-as-secure=http://astgedgecp.region.local,http://astgedgecq.region.local,http://astgedrheq.region.local,http://astgedrhep.region.local --mojo-platform-channel-handle=3564 --field-trial-handle=2140,i,6139612544440408755,5345815150035985187,131072 /prefetch:8", + "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\106.0.1370.52\\identity_helper.exe", + "name": "identity_helper.exe", "parent": { "pid": 12296 }, - "executable": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\106.0.1370.52\\identity_helper.exe", - "name": "identity_helper.exe" + "pid": 
2424 }, - "threat": { - "technique": { - "id": "T1204.001", - "name": "User Execution: Web requests from unusual sources" - }, - "framework": "MITRE ATT&CK" + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "doe-j" + ] + }, + "rule": { + "name": "COPS WINDOWS v2" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tehtris": { "edr": { "event": { - "id": "666666666", "appliance": { "id": "1" }, "egKBId": "130171010000001", + "id": "666666666", "tag": "TRI_AAA_WIN", "type": "HeuristicAlert" }, "host": { + "is_server": false, "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false + "architecture": "x86_64", + "release": "10" + } } } }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "doe-j" - ] + "threat": { + "framework": "MITRE ATT&CK", + "technique": { + "id": "T1204.001", + "name": "User Execution: Web requests from unusual sources" + } + }, + "user": { + "domain": "EXAMPLE-NT", + "name": "doe-j" } } 
@@ -550,96 +550,96 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"rflId\": 1,\n \"time\": \"2022-10-28T11:58:20.778323+00:00\",\n \"lvl\": 5,\n \"module\": \"das\",\n \"eventName\": \"sandboxAlert\",\n \"ipSrc\": \"1.2.3.4\",\n \"ipDst\": \"5.6.7.8\",\n \"egKBId\": 130181030000003,\n \"ppid\": 3520,\n \"os_architecture__\": \"x86_64\",\n \"description\": \"Sandbox detection: 45%\",\n \"os_version__\": \"10.0.19041\",\n \"pCreateDatetime\": \"2022-10-28T11:48:08.373808+00:00\",\n \"path\": \"C:\\\\Program Files\\\\Vendor\\\\Product\\\\program.exe\",\n \"os_server__\": false,\n \"os__\": \"windows\",\n \"domain__\": \"example.org\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"uuid__\": \"64a2fa85-0852-4745-81d6-0815eb2d5248\",\n \"os_release__\": \"10\",\n \"username\": \"EXAMPLE-NT\\\\doe-j\",\n \"cmdline\": \"program.exe\",\n \"hostname__\": \"MR11111\",\n \"signatures\": \"45%\",\n \"uid\": \"64a2fa85-0852-4745-81d6-0815eb2d5248;windows;MR11111;example.org\",\n \"tag\": \"TRI_AAA_WIN\",\n \"pid\": 3920,\n \"id\": 777777777\n}\n", "event": { + "category": [ + "process" + ], + "code": "130181030000003", "kind": "alert", - "reason": "Sandbox detection: 45%", "module": "das", + "reason": "Sandbox detection: 45%", "severity": 5, "type": [ "info" - ], - "code": "130181030000003", - "category": [ - "process" ] }, "@timestamp": "2022-10-28T11:58:20.778323Z", "agent": { "id": "64a2fa85-0852-4745-81d6-0815eb2d5248" }, - "observer": { - "type": "sensor", - "vendor": "Tehtris", - "product": "Tehtris EDR" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } }, "host": { "domain": "example.org", "hostname": "MR11111", + "name": "MR11111", "os": { "platform": 
"windows", "version": "10.0.19041" - }, - "name": "MR11111" - }, - "user": { - "name": "doe-j", - "domain": "EXAMPLE-NT" - }, - "file": { - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, + "observer": { + "product": "Tehtris EDR", + "type": "sensor", + "vendor": "Tehtris" + }, "process": { - "pid": 3920, "command_line": "program.exe", + "executable": "C:\\Program Files\\Vendor\\Product\\program.exe", + "name": "program.exe", "parent": { "pid": 3520 }, - "executable": "C:\\Program Files\\Vendor\\Product\\program.exe", - "name": "program.exe" + "pid": 3920 + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "MR11111" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "doe-j" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tehtris": { "edr": { "event": { - "id": "777777777", "appliance": { "id": "1" }, "egKBId": "130181030000003", + "id": "777777777", "tag": "TRI_AAA_WIN", "type": "sandboxAlert" }, "host": { + "is_server": false, "os": { - "release": "10", - "architecture": "x86_64" - }, - "is_server": false + "architecture": "x86_64", + "release": "10" + } } } }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "hosts": [ - "MR11111" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "doe-j" - ] + "user": { + "domain": "EXAMPLE-NT", + "name": "doe-j" } } diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index d5bae38f2c..9047f008a3 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
@@ -36,11 +36,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2020/12/04 16:00:02,016401002222,USERID,login,2305,2020/12/04 16:00:02,vsys,1.2.3.4,user1,srv1.example.local,0,1,12000,0,0,active-directory,,968683723,0x8000000000000000,12,0,0,0,,hostexample,1,,2020/12/04 16:00:02,1,0x80,user1", "event": { - "dataset": "userid", - "kind": "event", "category": [ "authentication" ], + "dataset": "userid", + "kind": "event", "type": [ "start" ] @@ -52,6 +52,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "destination": { "port": 0 }, + "host": { + "name": "hostexample" + }, "log": { "hostname": "hostexample", "logger": "userid" @@ -60,23 +63,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "016401002222" }, - "source": { - "ip": "1.2.3.4", - "port": 0, - "address": "1.2.3.4" - }, - "user": { - "name": "user1" - }, "paloalto": { - "VirtualLocation": "vsys", - "EventID": "0", "DGHierarchyLevel1": "12", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", - "VirtualSystemID": "1", - "Threat_ContentType": "login" + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ @@ -86,8 +81,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user1" ] }, - "host": { - "name": "hostexample" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 0 + }, + "user": { + "name": "user1" } } 
@@ -101,11 +101,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2020/12/04 16:00:02,01640103000,USERID,login,2200,2020/12/04 16:00:02,vsys,10.0.0.2,user1,srv1.example.local,0,1,13000,0,0,active-directory,,968700000,0x8000000000000000,12,0,0,0,,hostname_example,1,,2020/12/04 16:00:02,1,0x0,user1", "event": { - "dataset": "userid", - "kind": "event", "category": [ "authentication" ], + "dataset": "userid", + "kind": "event", "type": [ "start" ] @@ -117,6 +117,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "destination": { "port": 0 }, + "host": { + "name": "hostname_example" + }, "log": { "hostname": "hostname_example", "logger": "userid" @@ -125,23 +128,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "01640103000" }, - "source": { - "ip": "10.0.0.2", - "port": 0, - "address": "10.0.0.2" - }, - "user": { - "name": "user1" - }, "paloalto": { - "VirtualLocation": "vsys", - "EventID": "0", "DGHierarchyLevel1": "12", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", - "VirtualSystemID": "1", - "Threat_ContentType": "login" + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ @@ -151,8 +146,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user1" ] }, - "host": { - "name": "hostname_example" + "source": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "port": 0 + }, + "user": { + "name": "user1" } } 
@@ -166,17 +166,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\\\xxxxx cs2=paloaltonetwork\\\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=", "event": { - "start": 
"2021-02-28T18:20:40Z", - "timezone": "UTC", - "dataset": "auth", - "kind": "event", "category": [ "authentication" ], + "dataset": "auth", + "kind": "event", + "severity": 3, + "start": "2021-02-28T18:20:40Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 3 + ] }, "@timestamp": "2021-02-28T18:20:54Z", "destination": { @@ -186,9 +186,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "xxxxx", - "name": "xxxxx", "id": "xxxxxxxxxxxxx", "mac": "src_mac_list-2", + "name": "xxxxx", "os": { "family": "src_osfamily_list-0", "version": "src_osversion_list-2" @@ -211,15 +211,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, "paloalto": { "PanOSSourceDeviceHost": "src_host_list-0", - "PanOSSourceDeviceVendor": "src_vendor_list-1", "PanOSSourceDeviceModel": "src_model_list-1", "PanOSSourceDeviceProfile": "src_profile_list-1", + "PanOSSourceDeviceVendor": "src_vendor_list-1", "VirtualLocation": "vsys1" }, "related": { 
@@ -242,18 +242,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\\\\\xxxxx duser=paloaltonetwork\\\\\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= 
PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx", "event": { - "start": "2021-03-01T20:35:54Z", "action": "deny", - "timezone": "UTC", - "dataset": "decryption", - "kind": "event", "category": [ "network" ], + "dataset": "decryption", + "kind": "event", + "severity": 3, + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 3 + ] }, "@timestamp": "2021-03-01T20:35:54Z", "destination": { @@ -279,27 +279,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "ethernet4Zone-test1", - "name": "tunnel.901", - "id": "tunnel.901" + "id": "tunnel.901", + "name": "tunnel.901" } }, "ingress": { "interface": { "alias": "datacenter", - "name": "1", - "id": "tunnel.901" + "id": "tunnel.901", + "name": "1" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "1.1.1.1" + ], + "user": [ + "paloaltonetwork\\\\\\\\xxxxx" + ] + }, "rule": { "name": "allow-all-employees", "uuid": "fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e" }, "source": { + "address": "1.1.1.1", "ip": "1.1.1.1", "nat": { "ip": "1.1.1.1", @@ -308,22 +320,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 16524, "user": { "name": "paloaltonetwork\\\\\\\\xxxxx" - }, - "address": "1.1.1.1" + } }, "user": { "name": "paloaltonetwork\\\\\\\\xxxxx" - }, - "paloalto": { - "VirtualLocation": "vsys1" - }, - "related": { - "user": [ - "paloaltonetwork\\\\\\\\xxxxx" - ], - "ip": [ - "1.1.1.1" - ] } } 
@@ -337,18 +337,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=1.1.1.1 PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=1.1.1.1 dst=1.1.1.1 
sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=dg-log-policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=1.1.1.1-1.1.1.1 PanOSDestinationLocation=1.1.1.1-1.1.1.1 fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=", "event": { - "start": "2021-03-01T21:06:06Z", 
"action": "alert", - "timezone": "UTC", - "dataset": "threat", - "kind": "event", "category": [ "file" ], + "dataset": "threat", + "kind": "event", + "severity": 3, + "start": "2021-03-01T21:06:06Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 3 + ] }, "@timestamp": "2021-03-01T21:06:06Z", "destination": { @@ -362,8 +362,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "PA-5220", - "name": "PA-5220", - "id": "xxxxxxxxxxxxx" + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" }, "log": { "hostname": "PA-5220", @@ -377,39 +377,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "tap", - "name": "ethernet1/19", - "id": "19" + "id": "19", + "name": "ethernet1/19" } }, "ingress": { "interface": { "alias": "tap", - "name": "9", - "id": "19" + "id": "19", + "name": "9" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "dg-log-policy" - }, - "source": { - "ip": "1.1.1.1", - "nat": { - "ip": "1.1.1.1", - "port": 0 - }, - "port": 37404, - "address": "1.1.1.1" - }, "paloalto": { "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSSourceLocation": "1.1.1.1-1.1.1.1", - "VirtualLocation": "smtp", "URLCategory": "any", + "VirtualLocation": "smtp", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } @@ -421,6 +409,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "rule": { + "name": "dg-log-policy" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 0 + }, + "port": 37404 } } 
@@ -434,12 +434,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domain\\pusername,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,15,tcp,allow,2346,1974,372,9,90,16,30,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", "event": { - "duration": 30, - "dataset": "traffic", - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 30, + "kind": "event", "type": [ "end" ] @@ -447,8 +447,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-06-16T10:41:44Z", "action": { "name": "2346", - "type": "end", - "outcome": "success" + "outcome": "success", + "type": "end" }, "destination": { "address": "5.6.7.8", @@ -463,22 +463,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "windows-remote-management" } }, + "log": { + "logger": "traffic" + }, "network": { - "packets": 90, "bytes": 1974, + "packets": 90, "transport": "allow" }, - "log": { - "logger": "traffic" - }, "observer": { "product": "PAN-OS", "serial_number": "001701003551" }, + "paloalto": { + "Threat_ContentType": "end", + "VirtualLocation": "PDT_STD" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "domain\\pusername", + "windows-remote-management" + ] + }, "rule": { "name": "GEN_WINLOG_Users" }, "source": { + "address": "1.2.3.4", "bytes": 372, "ip": "1.2.3.4", "nat": { 
@@ -489,26 +505,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 5985, "user": { "name": "domain\\pusername" - }, - "address": "1.2.3.4" + } }, "user": { "name": "domain\\pusername" - }, - "paloalto": { - "VirtualLocation": "PDT_STD", - "Threat_ContentType": "end" - }, - "related": { - "user": [ - "domain\\pusername", - "windows-remote-management" - ], - "ip": [ - "0.0.0.0", - "1.2.3.4", - "5.6.7.8" - ] } } @@ -522,11 +522,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domainusername,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,0x1c,tcp,allow,2346,1974,372,9,2023/06/16 10:41:26,16,not-resolved,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", "event": { - "dataset": "traffic", - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "kind": "event", "type": [ "end" ] @@ -534,8 +534,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-06-16T10:41:44Z", "action": { "name": "2346", - "type": "end", - "outcome": "success" + "outcome": "success", + "type": "end" }, "destination": { "address": "5.6.7.8", @@ -560,10 +560,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "001701003551" }, + "paloalto": { + "Threat_ContentType": "end", + "VirtualLocation": "PDT_STD" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "domainusername", + "windows-remote-management" + ] + }, "rule": { "name": "GEN_WINLOG_Users" }, "source": { + "address": "1.2.3.4", "bytes": 372, "ip": "1.2.3.4", "nat": { 
@@ -574,26 +590,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 5985, "user": { "name": "domainusername" - }, - "address": "1.2.3.4" + } }, "user": { "name": "domainusername" - }, - "paloalto": { - "VirtualLocation": "PDT_STD", - "Threat_ContentType": "end" - }, - "related": { - "user": [ - "domainusername", - "windows-remote-management" - ], - "ip": [ - "0.0.0.0", - "1.2.3.4", - "5.6.7.8" - ] } } 
@@ -607,18 +607,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=1.1.1.1 PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=1.1.1.1 PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1", "event": { - "start": "2021-03-01T20:35:54Z", - "timezone": "UTC", - "dataset": "globalprotect", - "kind": "event", - "reason": "Client cert not present", "category": [ "session" ], + "dataset": "globalprotect", + "kind": "event", + "reason": "Client cert not present", + "severity": 3, + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC", "type": [ "start" - ], - "severity": 3 + ] }, "@timestamp": 
"2021-03-01T20:35:54Z", "host": { @@ -636,26 +636,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "source": { - "user": { - "name": "xxxxx\\\\\\\\xxxxx" - } - }, - "user": { - "name": "xxxxx\\\\\\\\xxxxx" - }, "paloalto": { "PanOSQuarantineReason": "Malicious Traffic", - "connection": { - "stage": "connected", - "method": "connect_method_list-1" - }, "authentication": { "method": "RADIUS" + }, + "connection": { + "method": "connect_method_list-1", + "stage": "connected" } }, "related": { @@ -665,6 +657,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "xxxxx\\\\\\\\xxxxx" ] + }, + "source": { + "user": { + "name": "xxxxx\\\\\\\\xxxxx" + } + }, + "user": { + "name": "xxxxx\\\\\\\\xxxxx" } } @@ -678,20 +678,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2020/12/08 14:30:55,011111114444,GLOBALPROTECT,0,2305,2020/12/08 13:30:55,vsys1,gw-auth,login,Other,,user,FR,AAAABBBBB,1.2.3.4,0.0.0.0,0.0.0.0,0.0.0.0,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee,ABCDEFG,5.1.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,user-logon,0,gw1,1234567,0x8000000000000000", "event": { - "dataset": "globalprotect", - "kind": "event", "category": [ "session" ], + "dataset": "globalprotect", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2020-12-08T14:30:55Z", "action": { - "type": "0", "name": "gw-auth", - "outcome": "success" + "outcome": "success", + "type": "0" }, "host": { "name": "AAAABBBBB", 
@@ -706,40 +706,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "ABCDEFG" }, + "paloalto": { + "EventID": "gw-auth", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "login" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user" + ] + }, "source": { - "ip": "1.2.3.4", + "address": "1.2.3.4", "geo": { "country_iso_code": "FR" }, + "ip": "1.2.3.4", "user": { "name": "user" - }, - "address": "1.2.3.4" - }, - "user_agent": { - "os": { - "name": "Windows", - "version": "Microsoft Windows 10 Pro , 64-bit" } }, "user": { "name": "user" }, - "paloalto": { - "VirtualLocation": "vsys1", - "EventID": "gw-auth", - "Threat_ContentType": "0", - "connection": { - "stage": "login" + "user_agent": { + "os": { + "name": "Windows", + "version": "Microsoft Windows 10 Pro , 64-bit" } - }, - "related": { - "user": [ - "user" - ], - "ip": [ - "1.2.3.4" - ] } } @@ -753,19 +753,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2023/06/28 14:40:42,015451000032715,GLOBALPROTECT,0,2562,2023/06/28 14:40:42,vsys1,gateway-config-release,configuration,,,example.org\\\\test,EN,2021-02707,88.120.236.74,0.0.0.0,10.0.0.232,0.0.0.0,8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3,DFN3535D,6.0.4,Windows,\\\"Microsoft Windows 10 Enterprise , 64-bit\\\",1,,,,success,,0,,0,VPN_GATEWAY,5555555555555555555,0x8000000000000000,2023-06-28T14:40:43.134+02:00,,,,,,0,0,0,0,,VPN-DOM-01,1\n", "event": { - "dataset": "globalprotect", - "kind": "event", "category": [ "session" ], + "dataset": "globalprotect", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-06-28T14:40:42Z", "action": { - "type": "0", - "name": "gateway-config-release" + "name": "gateway-config-release", + "type": "0" }, "host": { "name": "2021-02707", 
@@ -780,40 +780,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "DFN3535D" }, + "paloalto": { + "EventID": "gateway-config-release", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "configuration" + } + }, + "related": { + "ip": [ + "88.120.236.74" + ], + "user": [ + "example.org\\\\test" + ] + }, "source": { - "ip": "88.120.236.74", + "address": "88.120.236.74", "geo": { "country_iso_code": "EN" }, + "ip": "88.120.236.74", "user": { "name": "example.org\\\\test" - }, - "address": "88.120.236.74" - }, - "user_agent": { - "os": { - "name": "Windows", - "version": "\\\"Microsoft Windows 10 Enterprise " } }, "user": { "name": "example.org\\\\test" }, - "paloalto": { - "VirtualLocation": "vsys1", - "EventID": "gateway-config-release", - "Threat_ContentType": "0", - "connection": { - "stage": "configuration" + "user_agent": { + "os": { + "name": "Windows", + "version": "\\\"Microsoft Windows 10 Enterprise " } - }, - "related": { - "user": [ - "example.org\\\\test" - ], - "ip": [ - "88.120.236.74" - ] } } 
@@ -827,17 +827,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=1.1.1.1 dst=1.1.1.1 cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "start": "2021-03-01T21:20:13Z", - "timezone": "UTC", - "dataset": "hipmatch", - "kind": "event", "category": [ "network" ], + "dataset": "hipmatch", + "kind": "event", + "severity": 3, + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 3 + ] }, "@timestamp": "2021-03-01T21:20:13Z", "destination": { 
@@ -849,8 +849,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "PA-5220", - "name": "PA-5220", - "id": "xxxxxxxxxxxxx" + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" }, "log": { "hostname": "PA-5220", @@ -858,20 +858,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "source": { - "ip": "1.1.1.1", - "user": { - "name": "xxxxx xxxxx" - }, - "address": "1.1.1.1" - }, - "user": { - "name": "xxxxx xxxxx" - }, "paloalto": { "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "VirtualLocation": "vsys1", @@ -884,12 +874,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hosts": [ "PA-5220" ], - "user": [ - "xxxxx xxxxx" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx xxxxx" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" } } @@ -903,12 +903,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0", "event": { - "duration": 0, - "dataset": "traffic", - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 0, + "kind": "event", "type": [ "start" ] @@ -916,8 +916,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2019-09-16T10:00:00Z", "action": { "name": "allow", - "type": "start", - "outcome": "success" + "outcome": "success", + "type": "start" }, "destination": { "address": "4.3.2.1", 
@@ -930,22 +930,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "packets": 0, "port": 0 }, + "log": { + "logger": "traffic" + }, "network": { - "packets": 3, "bytes": 222, + "packets": 3, "transport": "icmp" }, - "log": { - "logger": "traffic" - }, "observer": { "product": "PAN-OS", "serial_number": "1801017000" }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.1.2", + "4.3.2.1" + ] + }, "rule": { "name": "PING" }, "source": { + "address": "1.2.3.4", "bytes": 222, "ip": "1.2.3.4", "nat": { @@ -953,19 +965,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 0 }, "packets": 3, - "port": 0, - "address": "1.2.3.4" - }, - "paloalto": { - "VirtualLocation": "vsys", - "Threat_ContentType": "start" - }, - "related": { - "ip": [ - "1.2.3.4", - "10.0.1.2", - "4.3.2.1" - ] + "port": 0 } } 
@@ -979,17 +979,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10 PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "start": "2021-03-01T21:20:13Z", - "timezone": "UTC", - "dataset": "iptag", - "kind": "event", "category": [ "network" ], + "dataset": "iptag", + "kind": "event", + "severity": 3, + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 3 + ] }, "@timestamp": "2021-03-01T21:20:13Z", "destination": { @@ -998,8 +998,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "PA-VM", - "name": "PA-VM", - "id": "xxxxxxxxxxxxx" + "id": "xxxxxxxxxxxxx", + "name": "PA-VM" }, "log": { "hostname": "PA-VM", 
@@ -1007,14 +1007,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "paloalto": { "VirtualLocation": "vsys1", "VirtualSystemID": "1" @@ -1026,6 +1022,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -1039,33 +1039,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|SCTP||9|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:22:02 deviceExternalId=xxxxxxxxxxxxx PanOSCaptivePortal= PanOSContentVersion= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceMac= PanOSDestinationDeviceModel= PanOSDestinationDeviceOS= PanOSDestinationDeviceVendor= PanOSDestinationLocation=IN PanOSDestinationUUID= PanOSDestinationUserDomain=paloaltonetwork PanOSDestinationUserName=xxxxx PanOSDestinationUserUUID= PanOSInboundInterfaceDetailsPort=1 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer= PanOSIsContainer= PanOSIsDecryptMirror= PanOSIsDecryptedLog= PanOSIsDecryptedPayloadForward= PanOSIsDuplicateLog=false PanOSIsIPV6= PanOSIsInspectrionBeforeSession= PanOSIsMptcpOn= PanOSIsNonStandardDestinationPort= PanOSIsPacketCapture= PanOSIsPhishing= PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy= PanOSIsReconExcluded= PanOSIsServertoClient= PanOSIsSourceXForwarded= PanOSIsSystemReturn= PanOSIsTransaction= PanOSIsTunnelInspected= PanOSIsURLDenied= PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT= PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSSessionEndReason= PanOSSessionOwnerMidx= PanOSSessionTracker= PanOSSeverity=Critical PanOSSourceDeviceClass= PanOSSourceDeviceMac= PanOSSourceDeviceModel= PanOSSourceDeviceOS= PanOSSourceDeviceVendor= PanOSSourceLocation=US PanOSSourceUUID= PanOSSourceUserDomain=paloaltonetwork PanOSSourceUserName=xxxxx PanOSSourceUserUUID= PanOSTunnel=N/A PanOSVirtualSystemID=1 PanOSConfigVersion= start=Mar 01 2021 21:22:02 src=1.1.1.1 dst=1.1.1.1 PanOSNATSource=1.1.1.1 
PanOSNATDestination=1.1.1.1 cs1=allow-business-apps cs1Label=Rule PanOSSourceUser=paloaltonetwork\\\\xxxxx PanOSDestinationUser=paloaltonetworkxxxxx PanOSApplication=panorama cs3=vsys1 cs3Label=VirtualLocation cs4=corporate cs4Label=FromZone cs5=untrust cs5Label=ToZone PanOSInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6=test cs6Label=LogSetting PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496 PanOSNATSourcePort=26714 PanOSNATDestinationPort=15054 proto=tcp act=alert PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 externalId=xxxxxxxxxxxxx PanOSEndpointAssociationID=2086888838 PanOSPayloadProtocolID=-1 PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single sign-on failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042 PanOSVerificationTag2=0x1911015e PanOSSctpCauseCode=0 PanOSDiamAppID=-1 PanOSDiameterCommandCode=-1 PanOSDiamAvpCode=0 PanOSStreamID=0 PanOSAssocationEndReason= PanOSMapAppCode=0 PanOSSccpCallingSSN=0 PanOSSccpCallingGt= PanOSSctpFilter= PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSPacketsTotal=0 PanOSPacketsSent=0 PanOSPacketsReceived=0 PanOSRuleUUID= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "start": "2021-03-01T21:22:02Z", "action": "alert", - "timezone": "UTC", - "dataset": "sctp", - "kind": "event", "category": [ "network" ], + "dataset": "sctp", + "kind": "event", + "severity": 9, + "start": "2021-03-01T21:22:02Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 9 + ] }, "@timestamp": "2021-03-01T21:22:02Z", "destination": { "address": "1.1.1.1", - "ip": "1.1.1.1", - "packets": 0, - "port": 5496, "geo": { "country_iso_code": "IN" - } + }, + "ip": "1.1.1.1", + "packets": 0, + "port": 5496 }, "host": { "hostname": 
"PA-5220", - "name": "PA-5220", - "id": "xxxxxxxxxxxxx" + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" }, "log": { "hostname": "PA-5220", @@ -1078,8 +1078,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "untrust", - "name": "ethernet1/2", - "id": "2" + "id": "2", + "name": "ethernet1/2" } }, "ingress": { @@ -1088,25 +1088,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "allow-business-apps" - }, - "source": { - "ip": "1.1.1.1", - "packets": 0, - "port": 3033, - "user": { - "name": "xxxxx" - }, - "address": "1.1.1.1" - }, - "user": { - "name": "xxxxx" - }, "paloalto": { "PanOSSourceLocation": "US", "VirtualLocation": "vsys1" @@ -1121,6 +1106,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "xxxxx" ] + }, + "rule": { + "name": "allow-business-apps" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "packets": 0, + "port": 3033, + "user": { + "name": "xxxxx" + } + }, + "user": { + "name": "xxxxx" } } @@ -1134,20 +1134,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1,2020/12/08 13:44:55,11111114444,SYSTEM,auth,0,2020/12/08 13:44:55,,auth-success,GP,0,0,general,informational,\"authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.\",5211100,0x8000000000000000,0,0,0,0,,fw1", "event": { - "dataset": "system", - "kind": "event", - "reason": "authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', 
From: 1.2.3.4.", "category": [ "authentication" ], + "dataset": "system", + "kind": "event", + "reason": "authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.", "type": [ "start" ] }, "@timestamp": "2020-12-08T13:44:55Z", "action": { - "type": "auth", - "name": "auth-success" + "name": "auth-success", + "type": "auth" + }, + "host": { + "name": "fw1" }, "log": { "hostname": "fw1", @@ -1158,19 +1161,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "11111114444" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "user1" - }, "paloalto": { - "EventID": "auth-success", "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "EventID": "auth-success", "Threat_ContentType": "auth" }, "related": { @@ -1181,8 +1177,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user1" ] }, - "host": { - "name": "fw1" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "user1" } } @@ -1196,12 +1196,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0", "event": { - "duration": 0, - "dataset": "traffic", - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 0, + "kind": "event", "type": [ "start" ] 
@@ -1209,8 +1209,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2019-09-16T10:00:00Z", "action": { "name": "allow", - "type": "start", - "outcome": "success" + "outcome": "success", + "type": "start" }, "destination": { "address": "4.3.2.1", @@ -1223,22 +1223,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "packets": 1, "port": 80 }, + "log": { + "logger": "traffic" + }, "network": { - "packets": 2, "bytes": 800, + "packets": 2, "transport": "tcp" }, - "log": { - "logger": "traffic" - }, "observer": { "product": "PAN-OS", "serial_number": "1801016000" }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1234" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "4.3.2.1" + ] + }, "rule": { "name": "proxy1" }, "source": { + "address": "1.2.3.4", "bytes": 700, "ip": "1.2.3.4", "nat": { @@ -1246,19 +1258,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 0 }, "packets": 2, - "port": 61000, - "address": "1.2.3.4" - }, - "paloalto": { - "VirtualLocation": "vsys1234", - "Threat_ContentType": "start" - }, - "related": { - "ip": [ - "0.0.0.0", - "1.2.3.4", - "4.3.2.1" - ] + "port": 61000 } } 
@@ -1272,12 +1272,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:36:37.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"url-filtering\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:36:23.000000Z\",\"VirtualLocation\":null,\"EventName\":\"cloud-election\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.\",\"SequenceNo\":7200776623254143113,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:36:23.710000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.", "type": [ "info" ] @@ -1287,12 +1287,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "url-filtering" }, "destination": { + "address": "serverlist2.urlcloud.paloaltonetworks.com", "domain": "serverlist2.urlcloud.paloaltonetworks.com", "ip": "35.244.229.101", - "address": "serverlist2.urlcloud.paloaltonetworks.com", - "top_level_domain": "com", + "registered_domain": "paloaltonetworks.com", "subdomain": "serverlist2.urlcloud", - "registered_domain": "paloaltonetworks.com" + "top_level_domain": "com" }, "host": { "name": "PA-VM" 
@@ -1331,12 +1331,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T17:08:26.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dhcp\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:08:17.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-renew-trigger\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"SequenceNo\":7200776623254143234,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:08:17.774000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "type": [ "info" ] @@ -1363,10 +1363,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -1378,6 +1374,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -1391,12 +1391,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dnsproxy\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-inherit\",\"EventComponent\":\"mgmt-obj\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::\",\"SequenceNo\":7200776623254142979,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.584000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::", "type": [ "info" ] 
@@ -1434,13 +1434,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:49:04.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:48:57.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Installed contents package: panupv2-all-contents-8676-7858.tgz\",\"SequenceNo\":7200776623254143152,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:48:57.395000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz", - "module": "contents", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "contents", + "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz", "type": [ "info" ] 
@@ -1481,12 +1481,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:46:40.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"ntpd\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:46:33.000000Z\",\"VirtualLocation\":null,\"EventName\":\"sync\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"NTP sync to server de.pool.ntp.org\",\"SequenceNo\":7200776623254143145,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:46:33.917000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "NTP sync to server de.pool.ntp.org", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "NTP sync to server de.pool.ntp.org", "type": [ "info" ] 
@@ -1528,12 +1528,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"port\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"link-change\",\"EventComponent\":\"ethernet1/2\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Port ethernet1/2: Up 10Gb/s-full duplex\",\"SequenceNo\":7200776623254143073,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.851000Z\"}\n", "event": { "action": "Up", - "dataset": "system", - "kind": "event", - "reason": "Port ethernet1/2: Up 10Gb/s-full duplex", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "Port ethernet1/2: Up 10Gb/s-full duplex", "type": [ "info" ] 
@@ -1577,12 +1577,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:51.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Medium\",\"EventDescription\":\"Successfully registered to Public Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143102,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:51.387000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "Successfully registered to Public Cloud wildfire.paloaltonetworks.com", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "Successfully registered to Public Cloud wildfire.paloaltonetworks.com", "type": [ "info" ] @@ -1592,11 +1592,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "fb" }, "destination": { - "domain": "wildfire.paloaltonetworks.com", "address": "wildfire.paloaltonetworks.com", - "top_level_domain": "com", + "domain": "wildfire.paloaltonetworks.com", + "registered_domain": "paloaltonetworks.com", "subdomain": "wildfire", - "registered_domain": "paloaltonetworks.com" + "top_level_domain": "com" }, "host": { "name": "PA-VM" 
@@ -1632,12 +1632,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:31:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:32:07.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170508,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:31:56.151000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def", "type": [ "info" ] @@ -1647,9 +1647,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "general" }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 3978, - "address": "5.6.7.8" + "port": 3978 }, "host": { "name": "PA-VM" 
@@ -1685,13 +1685,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"PAN-DB was upgraded to version 20230203.20250.\",\"EventName\": \"upgrade-url-database-success\",\"EventTime\": \"2023-02-03T16:37:22.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:37:31.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170511,\"Subtype\": \"url-filtering\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:37:22.476000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "PAN-DB was upgraded to version 20230203.20250.", - "module": "PAN-DB", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "module": "PAN-DB", + "reason": "PAN-DB was upgraded to version 20230203.20250.", "type": [ "info" ] 
@@ -1729,12 +1729,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"EventName\": \"if-renew-trigger\",\"EventTime\": \"2023-02-03T16:39:46.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:39:55.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170512,\"Subtype\": \"dhcp\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:39:46.612000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "type": [ "info" ] @@ -1761,10 +1761,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -1776,6 +1772,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -1789,13 +1789,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:30:44.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:30:52.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170505,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:30:44.868000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz", "type": [ "info" ] 
@@ -1836,13 +1836,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire update job succeeded for user Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:46:05.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170521,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:56.725000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "WildFire update job succeeded for user Auto update agent", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "WildFire update job succeeded for user Auto update agent", "type": [ "info" ] 
@@ -1880,12 +1880,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:51.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170515,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:51.118000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "Connection to Update server: completed successfully, initiated by 1.2.3.4", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Connection to Update server: completed successfully, initiated by 1.2.3.4", "type": [ "info" ] @@ -1904,10 +1904,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -1919,6 +1915,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -1932,13 +1932,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. \",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170518,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.888000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. ", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. ", "type": [ "info" ] 
@@ -1976,13 +1976,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:55.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170520,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:55.982000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent", "type": [ "info" ] 
@@ -2020,13 +2020,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170517,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full", "type": [ "info" ] 
@@ -2064,12 +2064,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:49.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170514,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:49.557000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4", "type": [ "info" ] @@ -2091,10 +2091,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -2106,6 +2102,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -2119,13 +2119,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:54.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170519,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:54.757000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz", "type": [ "info" ] 
@@ -2166,13 +2166,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire version 739613-742993 downloaded by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170516,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", "event": { - "dataset": "system", - "kind": "event", - "reason": "WildFire version 739613-742993 downloaded by Auto update agent", - "module": "WildFire", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "WildFire version 739613-742993 downloaded by Auto update agent", "type": [ "info" ] 
@@ -2210,20 +2210,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": ": 1,2023/08/01 04:03:24,026701002348,SYSTEM,general,2816,2023/08/01 04:03:24,,general,,0,0,general,informational,\"Request made to server \"\"app-registry-service.apps.paloaltonetworks.com\"\" is successful . \",7261972653022396272,0x8000000000000000,0,0,0,0,,fwwan-hdr,0,0,2023-08-01T04:03:24.705+02:00", "event": { - "dataset": "system", - "kind": "event", - "reason": "Request made to server \"app-registry-service.apps.paloaltonetworks.com\" is successful . ", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Request made to server \"app-registry-service.apps.paloaltonetworks.com\" is successful . ", "type": [ "info" ] }, "@timestamp": "2023-08-01T04:03:24Z", "action": { - "type": "general", - "name": "general" + "name": "general", + "type": "general" + }, + "host": { + "name": "fwwan-hdr" }, "log": { "hostname": "fwwan-hdr", @@ -2235,15 +2238,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "serial_number": "026701002348" }, "paloalto": { - "EventID": "general", "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "EventID": "general", "Threat_ContentType": "general" - }, - "host": { - "name": "fwwan-hdr" } } 
@@ -2257,13 +2257,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": 
null,\"SequenceNo\": 7195838274152187101,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17635,\"SessionStartTime\": \"2023-02-03T16:46:00.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:46:07.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:46:07.584000Z\",\"TimeReceived\": \"2023-02-03T16:46:14.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", "event": { - "start": "2023-02-03T16:46:00Z", - "dataset": "traffic", - "duration": 0, - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 0, + "kind": "event", + "start": "2023-02-03T16:46:00Z", "type": [ "end" ] @@ -2271,19 +2271,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-02-03T16:46:07Z", "action": { "name": "allow", - "type": "end", - "outcome": "success" + "outcome": "success", + "type": "end" }, "destination": { "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, "ip": "5.6.7.8", "nat": { "port": 0 }, - "port": 443, - "geo": { - "country_iso_code": "US" - } + "port": 443 + }, + "host": { + "name": "PA-VM" }, "log": { "hostname": "PA-VM", 
@@ -2307,24 +2310,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "007954000351998" }, - "rule": { - "name": "intrazone-default", - "uuid": "f903db52-4b89-4610-b908-67be412704f0" - }, - "source": { - "bytes": 74, - "ip": "1.2.3.4", - "port": 59087, - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", "URLCategory": "any", - "VirtualLocation": "vsys1", - "Threat_ContentType": "end" + "VirtualLocation": "vsys1" }, "related": { "ip": [ @@ -2332,8 +2325,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "5.6.7.8" ] }, - "host": { - "name": "PA-VM" + "rule": { + "name": "intrazone-default", + "uuid": "f903db52-4b89-4610-b908-67be412704f0" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "port": 59087 } } 
@@ -2347,13 +2347,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": 
null,\"SequenceNo\": 7195838274152187100,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17634,\"SessionStartTime\": \"2023-02-03T16:45:44.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:45:52.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.582000Z\",\"TimeReceived\": \"2023-02-03T16:45:56.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", "event": { - "start": "2023-02-03T16:45:44Z", - "dataset": "traffic", - "duration": 0, - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 0, + "kind": "event", + "start": "2023-02-03T16:45:44Z", "type": [ "end" ] @@ -2361,19 +2361,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-02-03T16:45:52Z", "action": { "name": "allow", - "type": "end", - "outcome": "success" + "outcome": "success", + "type": "end" }, "destination": { "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, "ip": "5.6.7.8", "nat": { "port": 0 }, - "port": 443, - "geo": { - "country_iso_code": "US" - } + "port": 443 + }, + "host": { + "name": "PA-VM" }, "log": { "hostname": "PA-VM", 
@@ -2397,24 +2400,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "007954000351998" }, - "rule": { - "name": "intrazone-default", - "uuid": "f903db52-4b89-4610-b908-67be412704f0" - }, - "source": { - "bytes": 74, - "ip": "1.2.3.4", - "port": 59087, - "address": "1.2.3.4" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", "URLCategory": "any", - "VirtualLocation": "vsys1", - "Threat_ContentType": "end" + "VirtualLocation": "vsys1" }, "related": { "ip": [ @@ -2422,8 +2415,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "5.6.7.8" ] }, - "host": { - "name": "PA-VM" + "rule": { + "name": "intrazone-default", + "uuid": "f903db52-4b89-4610-b908-67be412704f0" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "port": 59087 } } 
@@ -2437,12 +2437,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:50:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:50:14.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content update job succeeded for user admin\",\"SequenceNo\":7200776623254143155,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:50:14.343000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "Content update job succeeded for user admin", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Content update job succeeded for user admin", "type": [ "info" ] @@ -2461,9 +2461,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "user": { - "name": "admin" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -2475,6 +2472,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "user": { + "name": "admin" } } 
@@ -2488,12 +2488,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:49:49.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:49:34.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content package upgraded from version 8671-7826 to 8676-7858 by admin\",\"SequenceNo\":7200776623254143153,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:49:34.604000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "Content package upgraded from version 8671-7826 to 8676-7858 by admin", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "Content package upgraded from version 8671-7826 to 8676-7858 by admin", "type": [ "info" ] @@ -2512,9 +2512,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "user": { - "name": "admin" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -2526,6 +2523,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "user": { + "name": "admin" } } @@ -2539,12 +2539,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"auth\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":null,\"EventName\":\"auth-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"authenticated for user 'admin'. 
From: 1.2.3.4.\",\"SequenceNo\":7200776623254143115,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.813000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "authenticated for user 'admin'. From: 1.2.3.4.", "category": [ "authentication" ], + "dataset": "system", + "kind": "event", + "reason": "authenticated for user 'admin'. From: 1.2.3.4.", "type": [ "info" ] @@ -2563,13 +2563,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "admin" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -2584,6 +2577,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" } } 
@@ -2597,12 +2597,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"User admin logged in via Web from 1.2.3.4 using https\",\"SequenceNo\":7200776623254143116,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.825000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "User admin logged in via Web from 1.2.3.4 using https", "category": [ "host" ], + "dataset": "system", + "kind": "event", + "reason": "User admin logged in via Web from 1.2.3.4 using https", "type": [ "info" ] @@ -2624,13 +2624,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "product": "PAN-OS" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "user": { - "name": "admin" - }, "paloalto": { "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", @@ -2645,6 +2638,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" } } 
@@ -2658,13 +2658,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"LogTime\":\"2023-02-16T17:45:55.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:45:43.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-failed\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143341,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:45:43.111000Z\"}\n", "event": { - "dataset": "system", - "kind": "event", - "reason": "Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com", - "module": "WildFire", "category": [ "network" ], + "dataset": "system", + "kind": "event", + "module": "WildFire", + "reason": "Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com", "type": [ "info" ] @@ -2674,11 +2674,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "fb" }, "destination": { - "domain": "wildfire.paloaltonetworks.com", "address": "wildfire.paloaltonetworks.com", - "top_level_domain": "com", + "domain": "wildfire.paloaltonetworks.com", + "registered_domain": "paloaltonetworks.com", "subdomain": "wildfire", - "registered_domain": "paloaltonetworks.com" + "top_level_domain": "com" }, "host": { "name": "PA-VM" 
@@ -2714,21 +2714,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\\\xxxxx 
PanOSVerdict= PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\\\xxxxx duser0=paloaltonetwork\\\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 
PanOSDestinationDeviceOSVersion=Android v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc", "event": { - "start": "2021-03-01T20:48:16Z", "action": "drop-all", - "timezone": "UTC", - "dataset": "threat", - "kind": "event", "category": [ "malware" ], + "dataset": "threat", + "kind": "event", + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 1 + ] }, "@timestamp": "2021-03-01T20:48:21Z", "destination": { + "geo": { + "country_iso_code": "BR" + }, "nat": { "ip": "1.1.1.1", "port": 20966 @@ -2736,16 +2739,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 4228, "user": { "name": "xxxxx" - }, - "geo": { - "country_iso_code": "BR" } }, "host": { "hostname": "xxxxx", - "name": "xxxxx", "id": "xxxxxxxxxxxxx", "mac": "596703749274", + "name": "xxxxx", "os": { "family": "K6", "version": "Android v9" 
@@ -2764,56 +2764,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "ethernet4Zone-test4", - "name": "unknown", - "id": "unknown" + "id": "unknown", + "name": "unknown" } }, "ingress": { "interface": { "alias": "datacenter", - "name": "n", - "id": "unknown" + "id": "unknown", + "name": "n" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "deny-attackers", - "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" - }, - "source": { - "nat": { - "ip": "1.1.1.1", - "port": 30116 - }, - "port": 13884, - "user": { - "name": "xxxxx" - } - }, - "user": { - "name": "xxxxx" - }, "paloalto": { - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceMac": "620797415366", + "PanOSDestinationDeviceCategory": "X-Phone", "PanOSDestinationDeviceHost": "pan-622", - "PanOSDestinationDeviceOSVersion": "Android v9.1", - "PanOSDestinationDeviceOSFamily": "A1", - "PanOSDestinationDeviceVendor": "Xiaomi", + "PanOSDestinationDeviceMac": "620797415366", "PanOSDestinationDeviceModel": "MI", + "PanOSDestinationDeviceOSFamily": "A1", + "PanOSDestinationDeviceOSVersion": "Android v9.1", "PanOSDestinationDeviceProfile": "x-profile", - "PanOSDestinationDeviceCategory": "X-Phone", + "PanOSDestinationDeviceVendor": "Xiaomi", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSSourceDeviceHost": "pan-505", - "PanOSSourceDeviceVendor": "Lenovo", "PanOSSourceDeviceModel": "Note 4G", "PanOSSourceDeviceProfile": "x-profile", - "PanOSThreatCategory": "unknown", + "PanOSSourceDeviceVendor": "Lenovo", "PanOSSourceLocation": "LY", + "PanOSThreatCategory": "unknown", "PanOSThreatID": "27379(27379)", "VirtualLocation": "vsys1", "endpoint": { 
@@ -2827,12 +2810,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hosts": [ "xxxxx" ], - "user": [ - "xxxxx" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx" ] + }, + "rule": { + "name": "deny-attackers", + "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" + }, + "source": { + "nat": { + "ip": "1.1.1.1", + "port": 30116 + }, + "port": 13884, + "user": { + "name": "xxxxx" + } + }, + "user": { + "name": "xxxxx" } } @@ -2847,12 +2847,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,", "event": { "action": "code-execution", - "dataset": "threat", - "kind": "event", - "reason": "PDF Exploit Evasion Found(34805)", "category": [ "vulnerability" ], + "dataset": "threat", + "kind": "event", + "reason": "PDF Exploit Evasion Found(34805)", "type": [ "info" ] @@ -2860,8 +2860,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2021-08-31T14:00:02Z", "action": { "name": "alert", - "type": "vulnerability", - "outcome": "success" + "outcome": "success", + "type": "vulnerability" }, "destination": { "address": "10.2.0.1", @@ -2873,8 +2873,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 80 }, "file": { - "path": "EXAMPLE.PDF", - "name": "EXAMPLE.PDF" + "name": "EXAMPLE.PDF", + "path": "EXAMPLE.PDF" + }, + "host": { + "name": "FW" }, "log": { "hostname": "FW", 
@@ -2888,25 +2891,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "001701000000" }, - "rule": { - "name": "abcd" - }, - "source": { - "ip": "10.0.0.2", - "nat": { - "ip": "0.0.0.0", - "port": 0 - }, - "port": 12345, - "address": "10.0.0.2" - }, "paloalto": { - "VirtualLocation": "vsys", "DGHierarchyLevel1": "0", "DGHierarchyLevel2": "0", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", - "Threat_ContentType": "vulnerability" + "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys" }, "related": { "ip": [ @@ -2915,8 +2906,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.2.0.1" ] }, - "host": { - "name": "FW" + "rule": { + "name": "abcd" + }, + "source": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 12345 } } 
@@ -2930,40 +2930,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Jul 31 2022 12:46:24 deviceExternalId=000000000000 PanOSConfigVersion=10.1 start=Jul 31 2022 12:46:07 src=1.2.3.4 dst=5.6.7.8 sourceTranslatedAddress=4.3.2.1 destinationTranslatedAddress=8.7.6.5 cs1=SO Access cs1Label=Rule suser= duser= app=outlook-web-online cs3=vsys1 cs3Label=VirtualLocation cs4=Trust cs4Label=FromZone cs5=Untrust cs5Label=ToZone deviceInboundInterface=ethernet1/10 deviceOutboundInterface=ethernet1/11 cs6=Panorama_LOF cs6Label=LogSetting cn1=595456 cn1Label=SessionID cnt=1 spt=52066 dpt=443 sourceTranslatedPort=47252 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=12503 out=5651 in=6852 cn2=24 cn2Label=PacketsTotal PanOSSessionStartTime=Jul 31 2022 12:43:06 cn3=178 cn3Label=SessionDuration cs2=computer-and-internet-info cs2Label=URLCategory externalId=1111111111111111111 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=UK PanOSPacketsSent=13 PanOSPacketsReceived=11 reason=tcp-fin PanOSDGHierarchyLevel1=997 PanOSDGHierarchyLevel2=738 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=LF-5698-NR cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=2e259acc-c7ce-43d0-857f-f1a457e02699 PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= 
PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Jul 31 2022 12:46:07 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=\n", "event": { - "start": "2022-07-31T12:46:07Z", "action": "allow", - "timezone": "UTC", + "category": [ + "network" + ], "dataset": "traffic", "duration": 178, "kind": "event", "reason": "tcp-fin", - "category": [ - "network" - ], + "severity": 3, + "start": "2022-07-31T12:46:07Z", + "timezone": "UTC", "type": [ "allowed" - ], - "severity": 3 + ] }, "@timestamp": "2022-07-31T12:46:24Z", "destination": { "address": "5.6.7.8", "bytes": 5651, + "geo": { + "country_iso_code": "UK" + }, "ip": "5.6.7.8", "nat": { "ip": "8.7.6.5", "port": 443 }, "packets": 11, - "port": 443, - "geo": { - "country_iso_code": "UK" - } + "port": 443 }, "host": { "hostname": "LF-5698-NR", - "name": "LF-5698-NR", - "id": "000000000000" + "id": "000000000000", + "name": "LF-5698-NR" }, "log": { "hostname": "LF-5698-NR", 
@@ -2979,42 +2979,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "Untrust", - "name": "ethernet1/11", - "id": "11" + "id": "11", + "name": "ethernet1/11" } }, "ingress": { "interface": { "alias": "Trust", - "name": "0", - "id": "11" + "id": "11", + "name": "0" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "SO Access", - "uuid": "2e259acc-c7ce-43d0-857f-f1a457e02699" - }, - "source": { - "bytes": 6852, - "ip": "1.2.3.4", - "nat": { - "ip": "4.3.2.1", - "port": 47252 - }, - "packets": 13, - "port": 52066, - "address": "1.2.3.4" - }, "paloalto": { - "PanOSSourceLocation": "10.0.0.0-10.255.255.255", "PanOSSessionStartTime": "Jul 31 2022 12:43:06", - "VirtualLocation": "vsys1", - "URLCategory": "computer-and-internet-info" + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ 
@@ -3026,53 +3011,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. "5.6.7.8", "8.7.6.5" ] - } - } - - ``` - - -=== "traffic2_csv.json" - - ```json + }, + "rule": { + "name": "SO Access", + "uuid": "2e259acc-c7ce-43d0-857f-f1a457e02699" + }, + "source": { + "address": "1.2.3.4", + "bytes": 6852, + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 47252 + }, + "packets": 13, + "port": 52066 + } + } + + ``` + + +=== "traffic2_csv.json" + + ```json { "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Aug 02 2022 06:42:20 deviceExternalId=no-serial PanOSConfigVersion=10.0 start=Aug 02 2022 06:42:01 src= dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=Global_Outbound_internet_access cs1Label=Rule suser=user.name@corp.com duser= app=ssl cs3=vsys1 cs3Label=VirtualLocation cs4=trust cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=tunnel.1 deviceOutboundInterface=ethernet1/1 cs6=default cs6Label=LogSetting cn1=689028 cn1Label=SessionID cnt=1 spt=63516 dpt=443 sourceTranslatedPort=43823 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=13443 out=2755 in=10688 cn2=32 cn2Label=PacketsTotal PanOSSessionStartTime=Aug 02 2022 06:41:44 cn3=0 cn3Label=SessionDuration cs2=low-risk cs2Label=URLCategory externalId=1112030318 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=EU PanOSPacketsSent=13 PanOSPacketsReceived=19 reason=tcp-fin PanOSDGHierarchyLevel1=463 PanOSDGHierarchyLevel2=467 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=GP cloud service cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=c38e111b-43fc-4de4-a17c-c372af557193 PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= 
PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Aug 02 2022 06:42:02 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=", "event": { - "start": "2022-08-02T06:42:01Z", "action": "allow", - "timezone": "UTC", + "category": [ + "network" + ], "dataset": "traffic", "duration": 0, "kind": "event", "reason": "tcp-fin", - "category": [ - "network" - ], + "severity": 3, + "start": "2022-08-02T06:42:01Z", + "timezone": "UTC", "type": [ "allowed" - ], - "severity": 3 + ] }, "@timestamp": "2022-08-02T06:42:20Z", "destination": { "address": "1.1.1.1", "bytes": 2755, + "geo": { + "country_iso_code": "EU" + }, "ip": "1.1.1.1", "nat": { "ip": "1.1.1.1", "port": 443 }, "packets": 19, - "port": 443, - "geo": { - "country_iso_code": "EU" - } + "port": 443 }, "host": { "hostname": "GP cloud service", - "name": "GP cloud service", - "id": "no-serial" + "id": "no-serial", + "name": "GP cloud service" }, "log": { "hostname": "GP cloud service", 
@@ -3088,22 +3088,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "untrust", - "name": "ethernet1/1", - "id": "1" + "id": "1", + "name": "ethernet1/1" } }, "ingress": { "interface": { "alias": "trust", - "name": "1", - "id": "1" + "id": "1", + "name": "1" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSessionStartTime": "Aug 02 2022 06:41:44", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "low-risk", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "GP cloud service" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "user.name@corp.com" + ] + }, "rule": { "name": "Global_Outbound_internet_access", "uuid": "c38e111b-43fc-4de4-a17c-c372af557193" @@ -3122,23 +3139,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "user": { "name": "user.name@corp.com" - }, - "paloalto": { - "PanOSSourceLocation": "10.0.0.0-10.255.255.255", - "PanOSSessionStartTime": "Aug 02 2022 06:41:44", - "VirtualLocation": "vsys1", - "URLCategory": "low-risk" - }, - "related": { - "hosts": [ - "GP cloud service" - ], - "ip": [ - "1.1.1.1" - ], - "user": [ - "user.name@corp.com" - ] } } 
@@ -3152,25 +3152,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 
2021 20:16:17 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=paloaltonetwork\\\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=1.1.1.1 PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google 
PanOSDestinationDeviceOSFamily=H1511 PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5", "event": { - "start": "2021-02-27T20:16:17Z", - "duration": 56, "action": "deny", - "timezone": "UTC", - "dataset": "traffic", - "kind": "event", - "reason": "unknown", "category": [ "network" ], + "dataset": "traffic", + "duration": 56, + "kind": "event", + "reason": "unknown", + "severity": 3, + "start": "2021-02-27T20:16:17Z", + "timezone": "UTC", "type": [ "denied" - ], - "severity": 3 + ] }, "@timestamp": "2021-02-27T20:16:21Z", "destination": { "address": "1.1.1.1", "bytes": 400448, + "geo": { + "country_iso_code": "BR" + }, "ip": "1.1.1.1", "nat": { "ip": "1.1.1.1", @@ -3180,22 +3183,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 27092, "user": { "name": "xxxxx" - }, - "geo": { - "country_iso_code": "BR" } }, - "network": { - "packets": 314, - "application": "fileguri", - "bytes": 1370294, - "transport": "tcp" - }, "host": { "hostname": "xxxxx", - "name": "xxxxx", "id": "xxxxxxxxxxxxx", "mac": "839147449905", + "name": "xxxxx", "os": { "family": "LG-H790", "version": "Android v6" 
@@ -3206,71 +3200,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "xxxxx", "logger": "traffic" }, + "network": { + "application": "fileguri", + "bytes": 1370294, + "packets": 314, + "transport": "tcp" + }, "observer": { "egress": { "interface": { "alias": "ethernet4Zone-test1", - "name": "unknown", - "id": "unknown" + "id": "unknown", + "name": "unknown" } }, "ingress": { "interface": { "alias": "untrust", - "name": "n", - "id": "unknown" + "id": "unknown", + "name": "n" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "deny-attackers", - "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" - }, - "source": { - "bytes": 969846, - "ip": "1.1.1.1", - "nat": { - "ip": "1.1.1.1", - "port": 24429 - }, - "packets": 194, - "port": 22871, - "user": { - "name": "xxxxx xxxxx" - }, - "address": "1.1.1.1" - }, - "user": { - "name": "xxxxx xxxxx" - }, "paloalto": { - "PanOSHASessionOwner": "session_owner-4", - "PanOSSourceDynamicAddressGroup": "aqua_dag", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", - "PanOSGPHostID": "xxxxxxxxxxxxxx", "PanOSContainerName": "pan-dp-77754f4", "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceMac": "530589561221", + "PanOSDestinationDeviceCategory": "N-Phone", "PanOSDestinationDeviceHost": "pan-355", - "PanOSDestinationDeviceOSVersion": "Android v7", - "PanOSDestinationDeviceOSFamily": "H1511", - "PanOSDestinationDeviceVendor": "Google", + "PanOSDestinationDeviceMac": "530589561221", "PanOSDestinationDeviceModel": "Nexus", + "PanOSDestinationDeviceOSFamily": "H1511", + "PanOSDestinationDeviceOSVersion": "Android v7", "PanOSDestinationDeviceProfile": "n-profile", - "PanOSDestinationDeviceCategory": "N-Phone", + "PanOSDestinationDeviceVendor": "Google", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSGPHostID": "xxxxxxxxxxxxxx", + "PanOSHASessionOwner": "session_owner-4", + 
"PanOSSessionStartTime": "Feb 27 2021 20:15:48", "PanOSSourceDeviceHost": "pan-301", - "PanOSSourceDeviceVendor": "Google", "PanOSSourceDeviceModel": "Nexus", "PanOSSourceDeviceProfile": "n-profile", - "PanOSX-Forwarded-ForIP": "1.1.1.1", + "PanOSSourceDeviceVendor": "Google", + "PanOSSourceDynamicAddressGroup": "aqua_dag", "PanOSSourceLocation": "east-coast", - "PanOSSessionStartTime": "Feb 27 2021 20:15:48", - "VirtualLocation": "vsys1", + "PanOSX-Forwarded-ForIP": "1.1.1.1", "URLCategory": "custom-category", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } @@ -3279,13 +3258,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hosts": [ "xxxxx" ], + "ip": [ + "1.1.1.1" + ], "user": [ "xxxxx", "xxxxx xxxxx" - ], - "ip": [ - "1.1.1.1" ] + }, + "rule": { + "name": "deny-attackers", + "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" + }, + "source": { + "address": "1.1.1.1", + "bytes": 969846, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 24429 + }, + "packets": 194, + "port": 22871, + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" } } @@ -3299,12 +3299,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0", "event": { - "duration": 0, - "dataset": "traffic", - "kind": "event", "category": [ "network" ], + "dataset": "traffic", + "duration": 0, + "kind": "event", "type": [ "denied" ] 
@@ -3312,8 +3312,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2019-09-16T10:00:00Z", "action": { "name": "reset-both", - "type": "deny", - "outcome": "success" + "outcome": "success", + "type": "deny" }, "destination": { "address": "1.2.3.4", @@ -3326,22 +3326,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "packets": 0, "port": 53 }, + "log": { + "logger": "traffic" + }, "network": { - "packets": 1, "bytes": 284, + "packets": 1, "transport": "udp" }, - "log": { - "logger": "traffic" - }, "observer": { "product": "PAN-OS", "serial_number": "1801017000" }, + "paloalto": { + "Threat_ContentType": "deny", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.0.2", + "5.4.3.2", + "5.4.4.3" + ] + }, "rule": { "name": "DENYALL" }, "source": { + "address": "10.0.0.2", "bytes": 284, "ip": "10.0.0.2", "nat": { @@ -3349,20 +3362,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 6379 }, "packets": 1, - "port": 130000, - "address": "10.0.0.2" - }, - "paloalto": { - "VirtualLocation": "vsys1", - "Threat_ContentType": "deny" - }, - "related": { - "ip": [ - "1.2.3.4", - "10.0.0.2", - "5.4.3.2", - "5.4.4.3" - ] + "port": 130000 } } 
@@ -3376,22 +3376,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o\"'\"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 
2021 20:48:16 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=xxxxx\\\\xxxxx o\"'\"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,\u200b11008,\u200b38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 
PanOSDestinationDeviceMac=150083646537 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5", "event": { - "start": "2021-03-01T20:48:16Z", "action": "block-url", - "timezone": "UTC", - "dataset": "threat", - "kind": "event", "category": [ "network" ], + "dataset": "threat", + "kind": "event", + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC", "type": [ "info" - ], - "severity": 1 + ] }, "@timestamp": "2021-03-01T20:48:21Z", "destination": { "address": "1.1.1.1", + "geo": { + "country_iso_code": "PK" + }, "ip": "1.1.1.1", "nat": { "ip": "1.1.1.1", @@ -3400,16 +3403,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 1532, "user": { "name": "xxxxx o\"'\"test" - }, - "geo": { - "country_iso_code": "PK" } }, "host": { "hostname": "xxxxx", - "name": "xxxxx", "id": "xxxxxxxxxxxxx", "mac": "596703749274", + "name": "xxxxx", "os": { "family": "K6", "version": "Android v9" 
@@ -3428,61 +3428,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "egress": { "interface": { "alias": "untrust", - "name": "ethernet1/2", - "id": "2" + "id": "2", + "name": "ethernet1/2" } }, "ingress": { "interface": { "alias": "ethernet4Zone-test4", - "name": "n", - "id": "2" + "id": "2", + "name": "n" } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "rule": { - "name": "allow-business-apps", - "uuid": "ec14df0b-c845-4435-87a2-d207730f5ae8" - }, - "source": { - "ip": "1.1.1.1", - "nat": { - "ip": "1.1.1.1", - "port": 26236 - }, - "port": 32350, - "user": { - "name": "xxxxx xxxxx" - }, - "address": "1.1.1.1" - }, - "user": { - "name": "xxxxx xxxxx" - }, "paloalto": { - "PanOSSourceDynamicAddressGroup": "blue_dag", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSContainerName": "pan-dp-77754f4", "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceMac": "150083646537", + "PanOSDestinationDeviceCategory": "L-Phone", "PanOSDestinationDeviceHost": "pan-506", - "PanOSDestinationDeviceOSVersion": "Android v8", - "PanOSDestinationDeviceOSFamily": "K8", - "PanOSDestinationDeviceVendor": "Lenovo", + "PanOSDestinationDeviceMac": "150083646537", "PanOSDestinationDeviceModel": "Note XT", + "PanOSDestinationDeviceOSFamily": "K8", + "PanOSDestinationDeviceOSVersion": "Android v8", "PanOSDestinationDeviceProfile": "l-profile", - "PanOSDestinationDeviceCategory": "L-Phone", + "PanOSDestinationDeviceVendor": "Lenovo", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSSourceDeviceHost": "pan-505", - "PanOSSourceDeviceVendor": "Lenovo", "PanOSSourceDeviceModel": "Note 4G", "PanOSSourceDeviceProfile": "l-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceDynamicAddressGroup": "blue_dag", "PanOSSourceLocation": "west-coast", - "VirtualLocation": "vsys1", "URLCategory": "sports", + "VirtualLocation": "vsys1", "endpoint": { 
"serial_number": "xxxxxxxxxxxxxx" } @@ -3491,13 +3472,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hosts": [ "xxxxx" ], + "ip": [ + "1.1.1.1" + ], "user": [ "xxxxx o\"'\"test", "xxxxx xxxxx" - ], - "ip": [ - "1.1.1.1" ] + }, + "rule": { + "name": "allow-business-apps", + "uuid": "ec14df0b-c845-4435-87a2-d207730f5ae8" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 26236 + }, + "port": 32350, + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" } } 
@@ -3511,17 +3511,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 duser0=paloaltonetworks\\\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", "event": { - "start": "2021-03-01T21:06:02Z", - "timezone": "UTC", - "dataset": "userid", - "kind": "event", "category": [ "authentication" ], + "dataset": "userid", + "kind": "event", + "severity": 3, + "start": "2021-03-01T21:06:02Z", + "timezone": "UTC", "type": [ "end" - ], - "severity": 3 + ] }, "@timestamp": "2021-03-01T21:06:02Z", "destination": { @@ -3534,8 +3534,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "host": { "hostname": "PA-5220", - "name": "PA-5220", - "id": "xxxxxxxxxxxxx" + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" }, "log": { "hostname": "PA-5220", 
@@ -3553,29 +3553,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "product": "PAN-OS", - "vendor": "Palo Alto Networks", "type": "LF", + "vendor": "Palo Alto Networks", "version": "2.0" }, - "source": { - "ip": "1.1.1.1", - "port": 21015, - "address": "1.1.1.1" - }, "paloalto": { - "VirtualSystemID": "1", - "VirtualLocation": "vsys1" + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" }, "related": { "hosts": [ "PA-5220" ], - "user": [ - "xxxxx" - ], "ip": [ "1.1.1.1" + ], + "user": [ + "xxxxx" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 21015 } } 
@@ -3589,11 +3589,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to 
client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n", "event": { - "dataset": "threat", - "kind": "event", "category": [ "malware" ], + "dataset": "threat", + "kind": "event", "type": [ "info" ] 
@@ -3601,19 +3601,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-05-30T06:52:13Z", "action": { "name": "block", - "type": "wildfire", - "outcome": "success" + "outcome": "success", + "type": "wildfire" }, "destination": { "address": "5.6.7.8", + "geo": { + "country_iso_code": "CN" + }, "ip": "5.6.7.8", "nat": { "port": 80 }, - "port": 80, - "geo": { - "country_iso_code": "CN" - } + "port": 80 + }, + "host": { + "name": "MyDevice" }, "log": { "hostname": "MyDevice", @@ -3634,31 +3637,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "product": "PAN-OS", "serial_number": "111111111111" }, - "rule": { - "name": "Normal Internet Access browser", - "uuid": "50afdf91-0d37-4729-8052-1382912d9895" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "port": 40114 - }, - "port": 55555, - "user": { - "name": "john.doe@example.org" - }, - "address": "1.2.3.4" - }, - "user": { - "name": "john.doe@example.org" - }, "paloalto": { - "VirtualLocation": "vsys1", "DGHierarchyLevel1": "997", "DGHierarchyLevel2": "738", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", "Threat_ContentType": "wildfire", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxx" }, @@ -3675,8 +3660,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "john.doe@example.org" ] }, - "host": { - "name": "MyDevice" + "rule": { + "name": "Normal Internet Access browser", + "uuid": "50afdf91-0d37-4729-8052-1382912d9895" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "port": 40114 + }, + "port": 55555, + "user": { + "name": "john.doe@example.org" + } + }, + "user": { + "name": "john.doe@example.org" } } diff --git a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md index ad25fc97a2..608118fe3f 100644 
--- a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md +++ b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md @@ -35,35 +35,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "DHCPACK on 10.100.102.108 to 6c:88:14:1d:97:1c (PDB746) via 10.100.100.4", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "connection" ] }, - "source": { - "ip": "10.100.102.108", - "domain": "PDB746", - "mac": "6c:88:14:1d:97:1c", - "address": "PDB746" - }, "destination": { - "ip": "10.100.100.4", - "address": "10.100.100.4" + "address": "10.100.100.4", + "ip": "10.100.100.4" }, "dhcpd": { "query": "ack" }, "related": { + "hosts": [ + "PDB746" + ], "ip": [ "10.100.100.4", "10.100.102.108" - ], - "hosts": [ - "PDB746" ] + }, + "source": { + "address": "PDB746", + "domain": "PDB746", + "ip": "10.100.102.108", + "mac": "6c:88:14:1d:97:1c" } } @@ -77,20 +77,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "DHCPDISCOVER from ac:cc:8e:b0:2b:8c via 192.168.102.7: network 192.168.102.0/23: no free leases", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "connection" ] }, - "source": { - "mac": "ac:cc:8e:b0:2b:8c" - }, "destination": { - "ip": "192.168.102.7", - "address": "192.168.102.7" + "address": "192.168.102.7", + "ip": "192.168.102.7" }, "dhcpd": { "query": "discover" @@ -99,6 +96,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "192.168.102.7" ] + }, + "source": { + "mac": "ac:cc:8e:b0:2b:8c" } } 
@@ -112,20 +112,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "DHCPRELEASE of 10.17.81.182 from 00:08:5d:71:92:15 (6867i00085D719105) via enp4s0f0 (found)", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "connection" ] }, - "source": { - "ip": "10.17.81.182", - "domain": "6867i00085D719105", - "mac": "00:08:5d:71:92:15", - "address": "6867i00085D719105" - }, "dhcpd": { "query": "release" }, @@ -136,6 +130,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "10.17.81.182" ] + }, + "source": { + "address": "6867i00085D719105", + "domain": "6867i00085D719105", + "ip": "10.17.81.182", + "mac": "00:08:5d:71:92:15" } } @@ -149,35 +149,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "DHCPREQUEST for 10.100.102.108 from 6c:88:14:1d:96:0c (PDB746) via 10.100.100.4", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "connection" ] }, - "source": { - "ip": "10.100.102.108", - "domain": "PDB746", - "mac": "6c:88:14:1d:96:0c", - "address": "PDB746" - }, "destination": { - "ip": "10.100.100.4", - "address": "10.100.100.4" + "address": "10.100.100.4", + "ip": "10.100.100.4" }, "dhcpd": { "query": "request" }, "related": { + "hosts": [ + "PDB746" + ], "ip": [ "10.100.100.4", "10.100.102.108" - ], - "hosts": [ - "PDB746" ] + }, + "source": { + "address": "PDB746", + "domain": "PDB746", + "ip": "10.100.102.108", + "mac": "6c:88:14:1d:96:0c" } } diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 3e8cebb36a..d9f57b22b6 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -41,54 +41,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-01-07 14:09:58\",\"Hostname\":\"HOSTFOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6416,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13316,\"OpcodeValue\":0,\"RecordNumber\":16859866,\"ProcessID\":4,\"ThreadID\":6432,\"Channel\":\"Security\",\"Message\":\"A new external device was recognized by the system.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tHOSTFOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nDevice ID:\\tSCSI\\\\Disk&Ven_VMware&Prod_Virtual_disk\\\\5&e55476b&0&000100\\r\\n\\r\\nDevice Name:\\tVMware Virtual disk SCSI Disk Device\\r\\n\\r\\nClass ID:\\t\\t{4d36e967-e325-11ce-bfc1-08002be10318}\\r\\n\\r\\nClass Name:\\tDiskDrive\\r\\n\\r\\nVendor IDs:\\t\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____2.0_\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____\\r\\n\\t\\tSCSI\\\\DiskVMware__\\r\\n\\t\\tSCSI\\\\VMware__Virtual_disk____2\\r\\n\\t\\tVMware__Virtual_disk____2\\r\\n\\t\\tGenDisk\\r\\n\\t\\t\\r\\n\\t\\t\\r\\n\\r\\nCompatible IDs:\\t\\r\\n\\t\\tSCSI\\\\Disk\\r\\n\\t\\tSCSI\\\\RAW\\r\\n\\t\\t\\r\\n\\t\\t\\r\\n\\r\\nLocation Information:\\t\\r\\n\\t\\tBus Number 0, Target Id 1, LUN 0\\r\\n\\t\\t\",\"Category\":\"Plug and Play Events\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"HOSTFOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"DeviceId\":\"SCSI\\\\Disk&Ven_VMware&Prod_Virtual_disk\\\\5&e55476b&0&000100\",\"DeviceDescription\":\"VMware Virtual disk SCSI Disk 
Device\",\"ClassId\":\"{4d36e967-e325-11ce-bfc1-08002be10318}\",\"ClassName\":\"DiskDrive\",\"VendorIds\":\"\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____2.0_\\r\\n\\t\\tSCSI\\\\DiskVMware__Virtual_disk____\\r\\n\\t\\tSCSI\\\\DiskVMware__\\r\\n\\t\\tSCSI\\\\VMware__Virtual_disk____2\\r\\n\\t\\tVMware__Virtual_disk____2\\r\\n\\t\\tGenDisk\\r\\n\\t\\t\\r\\n\\t\\t\",\"CompatibleIds\":\"\\r\\n\\t\\tSCSI\\\\Disk\\r\\n\\t\\tSCSI\\\\RAW\\r\\n\\t\\t\\r\\n\\t\\t\",\"LocationInformation\":\"\\r\\n\\t\\tBus Number 0, Target Id 1, LUN 0\\r\\n\\t\\t\",\"EventReceivedTime\":\"2011-01-07 14:09:59\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "6416", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOSTFOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&e55476b&0&000100\r\n\r\nDevice Name:\tVMware Virtual disk SCSI Disk Device\r\n\r\nClass ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor IDs:\t\r\n\t\tSCSI\\DiskVMware__Virtual_disk____2.0_\r\n\t\tSCSI\\DiskVMware__Virtual_disk____\r\n\t\tSCSI\\DiskVMware__\r\n\t\tSCSI\\VMware__Virtual_disk____2\r\n\t\tVMware__Virtual_disk____2\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tSCSI\\Disk\r\n\t\tSCSI\\RAW\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tBus Number 0, Target Id 1, LUN 0\r\n\t\t" + "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOSTFOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&e55476b&0&000100\r\n\r\nDevice Name:\tVMware Virtual disk SCSI Disk Device\r\n\r\nClass ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor 
IDs:\t\r\n\t\tSCSI\\DiskVMware__Virtual_disk____2.0_\r\n\t\tSCSI\\DiskVMware__Virtual_disk____\r\n\t\tSCSI\\DiskVMware__\r\n\t\tSCSI\\VMware__Virtual_disk____2\r\n\t\tVMware__Virtual_disk____2\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tSCSI\\Disk\r\n\t\tSCSI\\RAW\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tBus Number 0, Target Id 1, LUN 0\r\n\t\t", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 16859866, - "type": "Security", "id": 6416, + "name": "A new external device was recognized by the system.", + "outcome": "success", "properties": { "ClassName": "DiskDrive", "DeviceDescription": "VMware Virtual disk SCSI Disk Device", "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "HOSTFOO$", "SubjectUserSid": "S-1-5-18", - "Task": 13316, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13316 }, - "name": "A new external device was recognized by the system.", - "outcome": "success" - }, - "log": { - "hostname": "HOSTFOO", - "level": "info" + "record_id": 16859866, + "type": "Security" }, "host": { "hostname": "HOSTFOO", "name": "HOSTFOO" }, + "log": { + "hostname": "HOSTFOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 4, + "pid": 4, "thread": { "id": 6432 - }, - "pid": 4, - "id": 4 - }, - "user": { - "id": "S-1-5-18", - "name": "HOSTFOO$", - "domain": "KEY" + } }, "related": { "hosts": [ @@ -97,6 +92,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "HOSTFOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "HOSTFOO$" } } 
@@ -110,33 +110,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"Channel\":\"Security\",\"Hostname\":\"vm-foo\",\"LogonType\":\"3\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"IpPort\":\"-\",\"Severity\":\"Info\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserName\":\"VM-FOO$\",\"EventID\":\"4625\",\"IpAddress\":\"-\",\"SubjectDomainName\":\"CORPDOMAIN\",\"ProcessId\":\"0x354\",\"LogonProcessName\":\"Schannel\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetUserSid\":\"S-1-0-0\"}", "event": { - "code": "4625", - "provider": "Microsoft-Windows-Security-Auditing", + "action": "authentication_network", "category": [ "authentication" ], + "code": "4625", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "action": "authentication_network" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "vm-foo" - }, - "server": { - "name": "vm-foo", - "os": { - "type": "windows" - } - } + ] }, "action": { - "type": "Security", "id": 4625, + "name": "An account failed to log on", + "outcome": "failure", "properties": { "IpAddress": "-", "IpPort": "-", 
@@ -144,36 +131,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "LogonType": "3", "ProcessName": "c:\\windows\\system32\\lsass.exe", "Severity": "Info", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "CORPDOMAIN", "SubjectLogonId": "0x3e7", "SubjectUserName": "VM-FOO$", "SubjectUserSid": "S-1-5-18", - "TargetUserSid": "S-1-0-0", - "SourceName": "Microsoft-Windows-Security-Auditing" + "TargetUserSid": "S-1-0-0" }, - "name": "An account failed to log on", - "outcome": "failure" - }, - "log": { - "hostname": "vm-foo", - "level": "info" + "type": "Security" }, "host": { "hostname": "vm-foo", "name": "vm-foo" }, + "log": { + "hostname": "vm-foo", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "target": { - "id": "S-1-0-0" - }, - "name": "VM-FOO$", - "domain": "CORPDOMAIN" - }, "process": { "executable": "c:\\windows\\system32\\lsass.exe", "name": "Schannel", @@ -186,6 +164,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "VM-FOO$" ] + }, + "sekoiaio": { + "client": { + "name": "vm-foo", + "os": { + "type": "windows" + } + }, + "server": { + "name": "vm-foo", + "os": { + "type": "windows" + } + } + }, + "user": { + "domain": "CORPDOMAIN", + "id": "S-1-5-18", + "name": "VM-FOO$", + "target": { + "id": "S-1-0-0" + } } } 
@@ -199,48 +199,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EventTime\":\"2023-10-04 10:24:15\",\"Hostname\":\"foo.net\",\"Keywords\":-9218868437227405312,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":4625,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12544,\"OpcodeValue\":0,\"RecordNumber\":3443172796,\"ProcessID\":704,\"ThreadID\":9992,\"Channel\":\"Security\",\"Message\":\"\u00c9chec d\u2019ouverture de session d\u2019un compte.\\r\\n\\r\\nSujet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-0-0\\r\\n\\tNom du compte :\\t\\t-\\r\\n\\tDomaine du compte :\\t\\t-\\r\\n\\tID d\u2019ouverture de session :\\t\\t0x0\\r\\n\\r\\nType d\u2019ouverture de session :\\t\\t\\t3\\r\\n\\r\\nCompte pour lequel l\u2019ouverture de session a \u00e9chou\u00e9 :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-0-0\\r\\n\\tNom du compte :\\t\\tFooSSO\\r\\n\\tDomaine du compte :\\t\\tFOO\\r\\n\\r\\nInformations sur l\u2019\u00e9chec :\\r\\n\\tRaison de l\u2019\u00e9chec :\\t\\tNom d\u2019utilisateur inconnu ou mot de passe incorrect.\\r\\n\\t\u00c9tat :\\t\\t\\t0xC000006D\\r\\n\\tSous-\u00e9tat :\\t\\t0xC0000064\\r\\n\\r\\nInformations sur le processus :\\r\\n\\tID du processus de l\u2019appelant :\\t0x0\\r\\n\\tNom du processus de l\u2019appelant :\\t-\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tNom de la station de travail :\\tFOO-AD1\\r\\n\\tAdresse du r\u00e9seau source :\\t1.1.1.1\\r\\n\\tPort source :\\t\\t60917\\r\\n\\r\\nInformations d\u00e9taill\u00e9es sur l\u2019authentification :\\r\\n\\tProcessus d\u2019ouverture de session :\\t\\tNtLmSsp \\r\\n\\tPackage d\u2019authentification :\\tNTLM\\r\\n\\tServices en transit :\\t-\\r\\n\\tNom du package (NTLM uniquement) :\\t-\\r\\n\\tLongueur de cl\u00e9 :\\t\\t0\\r\\n\\r\\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une 
demande d\u2019ouverture de session \u00e9choue. Il est g\u00e9n\u00e9r\u00e9 sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s a \u00e9t\u00e9 tent\u00e9.\\r\\n\\r\\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l\u2019ouverture de session. Il s\u2019agit le plus souvent d\u2019un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\\r\\n\\r\\nLe champ Type d\u2019ouverture de session indique le type d\u2019ouverture de session qui a \u00e9t\u00e9 demand\u00e9. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\\r\\n\\r\\nLes champs relatifs aux informations sur le processus indiquent quel est le compte et le processus sur le syst\u00e8me qui ont demand\u00e9 l\u2019ouverture de session.\\r\\n\\r\\nLes champs relatifs aux informations sur le r\u00e9seau indiquent la provenance de la demande d\u2019ouverture de session distante. Le nom de la station de travail n\u2019\u00e9tant pas toujours disponible, peut rester vide dans certains cas.\\r\\n\\r\\nLes champs relatifs aux informations d\u2019authentification fournissent des d\u00e9tails sur cette demande d\u2019ouverture de session sp\u00e9cifique.\\r\\n\\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d\u2019ouverture de session.\\r\\n\\t- Le nom du package indique quel a \u00e9t\u00e9 le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\\r\\n\\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. 
Elle a la valeur 0 si aucune cl\u00e9 de session n\u2019a \u00e9t\u00e9 demand\u00e9e.\",\"Category\":\"Logon\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-0-0\",\"SubjectUserName\":\"-\",\"SubjectDomainName\":\"-\",\"SubjectLogonId\":\"0x0\",\"TargetUserSid\":\"S-1-0-0\",\"TargetUserName\":\"FooSSO\",\"TargetDomainName\":\"FOO\",\"Status\":\"0xc000006d\",\"FailureReason\":\"%%2313\",\"SubStatus\":\"0xc0000064\",\"LogonType\":\"3\",\"LogonProcessName\":\"NtLmSsp \",\"AuthenticationPackageName\":\"NTLM\",\"WorkstationName\":\"FOO-AD1\",\"TransmittedServices\":\"-\",\"LmPackageName\":\"-\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"IpAddress\":\"1.1.1.1\",\"IpPort\":\"60917\",\"EventReceivedTime\":\"2023-10-04 10:24:16\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { - "code": "4625", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "\u00c9chec d\u2019ouverture de session d\u2019un compte.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-0-0\r\n\tNom du compte :\t\t-\r\n\tDomaine du compte :\t\t-\r\n\tID d\u2019ouverture de session :\t\t0x0\r\n\r\nType d\u2019ouverture de session :\t\t\t3\r\n\r\nCompte pour lequel l\u2019ouverture de session a \u00e9chou\u00e9 :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-0-0\r\n\tNom du compte :\t\tFooSSO\r\n\tDomaine du compte :\t\tFOO\r\n\r\nInformations sur l\u2019\u00e9chec :\r\n\tRaison de l\u2019\u00e9chec :\t\tNom d\u2019utilisateur inconnu ou mot de passe incorrect.\r\n\t\u00c9tat :\t\t\t0xC000006D\r\n\tSous-\u00e9tat :\t\t0xC0000064\r\n\r\nInformations sur le processus :\r\n\tID du processus de l\u2019appelant :\t0x0\r\n\tNom du processus de l\u2019appelant :\t-\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\tFOO-AD1\r\n\tAdresse du r\u00e9seau source :\t1.1.1.1\r\n\tPort source :\t\t60917\r\n\r\nInformations d\u00e9taill\u00e9es sur l\u2019authentification :\r\n\tProcessus d\u2019ouverture de session :\t\tNtLmSsp \r\n\tPackage 
d\u2019authentification :\tNTLM\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une demande d\u2019ouverture de session \u00e9choue. Il est g\u00e9n\u00e9r\u00e9 sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s a \u00e9t\u00e9 tent\u00e9.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l\u2019ouverture de session. Il s\u2019agit le plus souvent d\u2019un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d\u2019ouverture de session indique le type d\u2019ouverture de session qui a \u00e9t\u00e9 demand\u00e9. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLes champs relatifs aux informations sur le processus indiquent quel est le compte et le processus sur le syst\u00e8me qui ont demand\u00e9 l\u2019ouverture de session.\r\n\r\nLes champs relatifs aux informations sur le r\u00e9seau indiquent la provenance de la demande d\u2019ouverture de session distante. Le nom de la station de travail n\u2019\u00e9tant pas toujours disponible, peut rester vide dans certains cas.\r\n\r\nLes champs relatifs aux informations d\u2019authentification fournissent des d\u00e9tails sur cette demande d\u2019ouverture de session sp\u00e9cifique.\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d\u2019ouverture de session.\r\n\t- Le nom du package indique quel a \u00e9t\u00e9 le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. 
Elle a la valeur 0 si aucune cl\u00e9 de session n\u2019a \u00e9t\u00e9 demand\u00e9e.", + "action": "authentication_network", "category": [ "authentication" ], + "code": "4625", + "message": "\u00c9chec d\u2019ouverture de session d\u2019un compte.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-0-0\r\n\tNom du compte :\t\t-\r\n\tDomaine du compte :\t\t-\r\n\tID d\u2019ouverture de session :\t\t0x0\r\n\r\nType d\u2019ouverture de session :\t\t\t3\r\n\r\nCompte pour lequel l\u2019ouverture de session a \u00e9chou\u00e9 :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-0-0\r\n\tNom du compte :\t\tFooSSO\r\n\tDomaine du compte :\t\tFOO\r\n\r\nInformations sur l\u2019\u00e9chec :\r\n\tRaison de l\u2019\u00e9chec :\t\tNom d\u2019utilisateur inconnu ou mot de passe incorrect.\r\n\t\u00c9tat :\t\t\t0xC000006D\r\n\tSous-\u00e9tat :\t\t0xC0000064\r\n\r\nInformations sur le processus :\r\n\tID du processus de l\u2019appelant :\t0x0\r\n\tNom du processus de l\u2019appelant :\t-\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\tFOO-AD1\r\n\tAdresse du r\u00e9seau source :\t1.1.1.1\r\n\tPort source :\t\t60917\r\n\r\nInformations d\u00e9taill\u00e9es sur l\u2019authentification :\r\n\tProcessus d\u2019ouverture de session :\t\tNtLmSsp \r\n\tPackage d\u2019authentification :\tNTLM\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une demande d\u2019ouverture de session \u00e9choue. Il est g\u00e9n\u00e9r\u00e9 sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s a \u00e9t\u00e9 tent\u00e9.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l\u2019ouverture de session. 
Il s\u2019agit le plus souvent d\u2019un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d\u2019ouverture de session indique le type d\u2019ouverture de session qui a \u00e9t\u00e9 demand\u00e9. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLes champs relatifs aux informations sur le processus indiquent quel est le compte et le processus sur le syst\u00e8me qui ont demand\u00e9 l\u2019ouverture de session.\r\n\r\nLes champs relatifs aux informations sur le r\u00e9seau indiquent la provenance de la demande d\u2019ouverture de session distante. Le nom de la station de travail n\u2019\u00e9tant pas toujours disponible, peut rester vide dans certains cas.\r\n\r\nLes champs relatifs aux informations d\u2019authentification fournissent des d\u00e9tails sur cette demande d\u2019ouverture de session sp\u00e9cifique.\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d\u2019ouverture de session.\r\n\t- Le nom du package indique quel a \u00e9t\u00e9 le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. 
Elle a la valeur 0 si aucune cl\u00e9 de session n\u2019a \u00e9t\u00e9 demand\u00e9e.", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", "type": [ "start" - ], - "action": "authentication_network", - "reason": "user_not_exist" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "FOO-AD1" - }, - "server": { - "name": "foo.net", - "os": { - "type": "windows" - } - } + ] }, "action": { - "record_id": 3443172796, - "type": "Security", "id": 4625, + "name": "An account failed to log on", + "outcome": "failure", "properties": { "AuthenticationPackageName": "NTLM", "EventType": "AUDIT_FAILURE", "IpAddress": "1.1.1.1", "IpPort": "60917", "KeyLength": "0", + "Keywords": "-9218868437227405312", "LogonProcessName": "NtLmSsp ", "LogonType": "3", "OpcodeValue": 0, "ProcessName": "-", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", "Status": "0xc000006d", "SubStatus": "0xc0000064", "SubjectDomainName": "-", 
@@ -251,46 +239,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetUserName": "FooSSO", "TargetUserSid": "S-1-0-0", "Task": 12544, - "WorkstationName": "FOO-AD1", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9218868437227405312" + "WorkstationName": "FOO-AD1" }, - "name": "An account failed to log on", - "outcome": "failure" + "record_id": 3443172796, + "type": "Security" }, - "log": { - "hostname": "foo.net", - "level": "error" + "client": { + "ip": "1.1.1.1" }, "host": { "hostname": "foo.net", "name": "foo.net" }, + "log": { + "hostname": "foo.net", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 704, + "name": "NtLmSsp ", + "pid": 704, "thread": { "id": 9992 - }, - "pid": 704, - "id": 704, - "name": "NtLmSsp " - }, - "user": { - "id": "S-1-0-0", - "target": { - "name": "FooSSO", - "domain": "FOO", - "id": "S-1-0-0" - }, - "name": "-", - "domain": "-" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + } }, "related": { "hosts": [ @@ -303,8 +278,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "-" ] }, - "client": { + "sekoiaio": { + "client": { + "name": "FOO-AD1", + "os": { + "type": "windows" + } + }, + "server": { + "name": "foo.net", + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "1.1.1.1", "ip": "1.1.1.1" + }, + "user": { + "domain": "-", + "id": "S-1-0-0", + "name": "-", + "target": { + "domain": "FOO", + "id": "S-1-0-0", + "name": "FooSSO" + } } } 
@@ -319,49 +319,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-01-29 10:10:59\",\"Hostname\":\"HOSTFOO\",\"Keywords\":-9218868437227405312,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":4825,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12551,\"OpcodeValue\":0,\"RecordNumber\":5298486139,\"ProcessID\":1400,\"ThreadID\":1996,\"Channel\":\"Security\",\"Message\":\"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\\r\\n\\r\\nSubject:\\r\\n\\tUser Name:\\tUSERFOO\\r\\n\\tDomain:\\t\\tKEY\\r\\n\\tLogon ID:\\t0x67D43768\\r\\n\\r\\nAdditional Information:\\r\\n\\tClient Address:\\t1.1.1.1\\r\\n\\r\\n\\r\\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\",\"Category\":\"Other Logon/Logoff Events\",\"Opcode\":\"Info\",\"AccountName\":\"USERFOO\",\"AccountDomain\":\"KEY\",\"LogonID\":\"0x67d43768\",\"ClientAddress\":\"1.1.1.1\",\"EventReceivedTime\":\"2011-01-29 10:11:00\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4825", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tUSERFOO\r\n\tDomain:\t\tKEY\r\n\tLogon ID:\t0x67D43768\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.1.1.1\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop." 
+ "message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tUSERFOO\r\n\tDomain:\t\tKEY\r\n\tLogon ID:\t0x67D43768\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.1.1.1\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 5298486139, - "type": "Security", "id": 4825, + "name": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group", + "outcome": "failure", "properties": { "AccountName": "USERFOO", "ClientAddress": "1.1.1.1", "EventType": "AUDIT_FAILURE", + "Keywords": "-9218868437227405312", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "ERROR", - "Task": 12551, "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9218868437227405312" + "Task": 12551 }, - "name": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group", - "outcome": "failure" - }, - "log": { - "hostname": "HOSTFOO", - "level": "error" + "record_id": 5298486139, + "type": "Security" }, "host": { "hostname": "HOSTFOO", "name": "HOSTFOO" }, + "log": { + "hostname": "HOSTFOO", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1400, + "pid": 1400, "thread": { "id": 1996 - }, - "pid": 1400, - "id": 1400 - }, - "user": { - "name": "USERFOO", - "domain": "HOSTFOO" + } }, "related": { "hosts": [ 
@@ -370,6 +366,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "USERFOO" ] + }, + "user": { + "domain": "HOSTFOO", + "name": "USERFOO" } } 
@@ -384,51 +384,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-23 11:20:47\",\"Hostname\":\"VWSERV.CORP.LOCAL\",\"Keywords\":4611686018427912192,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":514,\"SourceName\":\"Microsoft-Windows-DNSServer\",\"ProviderGuid\":\"{EB79061A-A566-4698-9119-3ED2807060E7}\",\"Version\":0,\"Task\":5,\"OpcodeValue\":0,\"RecordNumber\":1285844,\"ProcessID\":2580,\"ThreadID\":3344,\"Channel\":\"Microsoft-Windows-DNSServer/Audit\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .].\",\"Category\":\"ZONE_OP\",\"Opcode\":\"Info\",\"Zone\":\"mail.corp.net\",\"PropertyKey\":\"MasterServers\",\"NewValue\":\"1.1.1.1,2.2.2.2\",\"VirtualizationID\":\".\",\"EventReceivedTime\":\"2023-08-23 11:20:48\",\"SourceModuleName\":\"evtx_other\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "514", - "provider": "Microsoft-Windows-DNSServer", - "message": "The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .]." + "message": "The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. 
[virtualization instance: .].", + "provider": "Microsoft-Windows-DNSServer" }, "action": { - "record_id": 1285844, - "type": "Microsoft-Windows-DNSServer/Audit", "id": 514, "properties": { "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Keywords": "4611686018427912192", "NewValue": "1.1.1.1,2.2.2.2", "OpcodeValue": 0, "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}", "Severity": "INFO", - "Task": 5, - "Zone": "mail.corp.net", "SourceName": "Microsoft-Windows-DNSServer", - "Keywords": "4611686018427912192" - } - }, - "log": { - "hostname": "VWSERV.CORP.LOCAL", - "level": "info" + "Task": 5, + "Zone": "mail.corp.net" + }, + "record_id": 1285844, + "type": "Microsoft-Windows-DNSServer/Audit" }, "host": { "hostname": "VWSERV.CORP.LOCAL", "name": "VWSERV.CORP.LOCAL" }, + "log": { + "hostname": "VWSERV.CORP.LOCAL", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 2580, + "pid": 2580, "thread": { "id": 3344 - }, - "pid": 2580, - "id": 2580 - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ @@ -437,6 +432,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -454,45 +454,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Microsoft-Windows-FailoverClustering" }, "action": { - "record_id": 764816422, - "type": "Microsoft-Windows-FailoverClustering/DiagnosticVerbose", "id": 5408, "properties": { "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "VERBOSE", + "Keywords": "1152921504606846976", "OpcodeValue": 0, "ProviderGuid": "{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}", "Severity": "DEBUG", - "Task": 0, "SourceName": "Microsoft-Windows-FailoverClustering", - "Keywords": "1152921504606846976" - } - }, - "log": { - "hostname": "foo.net", - "level": "debug" + "Task": 0 + }, + "record_id": 764816422, + "type": "Microsoft-Windows-FailoverClustering/DiagnosticVerbose" }, "host": { "hostname": "foo.net", "name": "foo.net" }, + "log": { + "hostname": "foo.net", + "level": "debug" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 5440, + "pid": 5440, "thread": { "id": 8428 - }, - "pid": 5440, - "id": 5440 - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ @@ -501,6 +496,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -515,43 +515,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-10-05 23:50:40\",\"Hostname\":\"HOSTFOO\",\"Keywords\":36028797018963968,\"EventType\":\"ERROR\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":56,\"SourceName\":\"TermDD\",\"Task\":0,\"RecordNumber\":930150,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"System\",\"Message\":\"The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1.\",\"EventReceivedTime\":\"2011-10-18 09:34:39\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "56", - "provider": "TermDD", - "message": "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1." + "message": "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1.", + "provider": "TermDD" }, "action": { - "record_id": 930150, - "type": "System", "id": 56, "properties": { "EventType": "ERROR", + "Keywords": "36028797018963968", "Severity": "ERROR", - "Task": 0, "SourceName": "TermDD", - "Keywords": "36028797018963968" - } - }, - "log": { - "hostname": "HOSTFOO", - "level": "error" + "Task": 0 + }, + "record_id": 930150, + "type": "System" }, "host": { "hostname": "HOSTFOO", "name": "HOSTFOO" }, + "log": { + "hostname": "HOSTFOO", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 0, + "pid": 0, "thread": { "id": 0 - }, - "pid": 0, - "id": 0 - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + } }, "related": { "hosts": [ @@ -560,6 +556,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } 
@@ -574,72 +574,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-22 14:58:41\",\"Hostname\":\"hostfoo\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":4244505,\"ProcessID\":2932,\"ThreadID\":3956,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\\\r\\\\nRuleName: -\\\\r\\\\nUtcTime: 2023-08-22 12:58:41.279\\\\r\\\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\\\r\\\\nProcessId: 5524\\\\r\\\\nImage: C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\\r\\\\nFileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)\\\\r\\\\nDescription: Windows PowerShell\\\\r\\\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\\\r\\\\nCompany: Microsoft Corporation\\\\r\\\\nOriginalFileName: PowerShell.EXE\\\\r\\\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\\\r\\\\nCurrentDirectory: C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\\\\\r\\\\nUser: NT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\\\r\\\\nLogonId: 0x3E7\\\\r\\\\nTerminalSessionId: 0\\\\r\\\\nIntegrityLevel: System\\\\r\\\\nHashes: SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\\\r\\\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\\\r\\\\nParentProcessId: 1776\\\\r\\\\nParentImage: C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\\r\\\\nParentCommandLine: \\\"C:\\\\\\\\Program 
Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\" service --run --name nscp\\\\r\\\\nParentUser: NT AUTHORITY\\\\\\\\SYSTEM\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2023-08-22 12:58:41.279\",\"ProcessGuid\":\"{478F86EF-B101-64E4-F904-00000000E900}\",\"Image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\",\"FileVersion\":\"10.0.14409.1005 (rs1_srvoob.161208-1155)\",\"Description\":\"Windows PowerShell\",\"Product\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"PowerShell.EXE\",\"CommandLine\":\"powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\",\"CurrentDirectory\":\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\\",\"User\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"LogonGuid\":\"{478F86EF-58DE-64E4-E703-000000000000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"0\",\"IntegrityLevel\":\"System\",\"Hashes\":\"SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\",\"ParentProcessGuid\":\"{478F86EF-58E2-64E4-2600-00000000E900}\",\"ParentProcessId\":\"1776\",\"ParentImage\":\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\",\"ParentCommandLine\":\"\\\"C:\\\\\\\\Program Files\\\\\\\\NSClient++\\\\\\\\nscp.exe\\\" service --run --name nscp\",\"ParentUser\":\"NT AUTHORITY\\\\\\\\SYSTEM\",\"EventReceivedTime\":\"2023-08-22 14:58:42\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", + "message": "Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-22 12:58:41.279\\r\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\r\\nProcessId: 5524\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.14409.1005 
(rs1_srvoob.161208-1155)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\r\\nCurrentDirectory: C:\\\\Program Files\\\\NSClient++\\\\\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\r\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\r\\nParentProcessId: 1776\\r\\nParentImage: C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\\r\\nParentCommandLine: \"C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\" service --run --name nscp\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM", "provider": "Microsoft-Windows-Sysmon", - "reason": "Windows PowerShell", - "message": "Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-22 12:58:41.279\\r\\nProcessGuid: {478F86EF-B101-64E4-F904-00000000E900}\\r\\nProcessId: 5524\\r\\nImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\nFileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)\\r\\nDescription: Windows PowerShell\\r\\nProduct: Microsoft\u00ae Windows\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: PowerShell.EXE\\r\\nCommandLine: powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1\\r\\nCurrentDirectory: C:\\\\Program Files\\\\NSClient++\\\\\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\r\\nLogonGuid: {478F86EF-58DE-64E4-E703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: 
SHA1=E5B0A0F4A59D6D5377332EECE20F8F3DF5CEBE4E,MD5=B3AD5364CF04B6AB05616DD483AAF618,SHA256=7375ADEDB82FD62CEFC6B6FD20A704A164E056022F3B8C2E1B94F3A9B8361478\\r\\nParentProcessGuid: {478F86EF-58E2-64E4-2600-00000000E900}\\r\\nParentProcessId: 1776\\r\\nParentImage: C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\\r\\nParentCommandLine: \"C:\\\\Program Files\\\\NSClient++\\\\nscp.exe\" service --run --name nscp\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM" + "reason": "Windows PowerShell" }, "@timestamp": "2023-08-22T12:58:41.279000Z", - "process": { - "command_line": "powershell.exe -file c:/dir/scripts/nagios/get-localadmgroupmembership/get-localadmgroupmembership.ps1", - "parent": { - "command_line": "c:\\\\program files\\\\nsclient++\\\\nscp.exe service --run --name nscp", - "executable": "c:\\\\program files\\\\nsclient++\\\\nscp.exe", - "name": "nscp.exe", - "working_directory": "c:\\\\program files\\\\nsclient++\\\\" - }, - "executable": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", - "ppid": "1776", - "thread": { - "id": 3956 - }, - "working_directory": "c:\\\\program files\\\\nsclient++\\\\", - "pid": 2932, - "id": 2932, - "hash": { - "sha1": "e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e", - "md5": "b3ad5364cf04b6ab05616dd483aaf618", - "sha256": "7375adedb82fd62cefc6b6fd20a704a164e056022f3b8c2e1b94f3a9b8361478" - }, - "name": "powershell.exe" - }, "action": { - "record_id": 4244505, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, + "name": "Process creation", "properties": { - "Keywords": "-9223372036854775808", + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "Keywords": "-9223372036854775808", + "OpcodeValue": 0, + "ParentImage": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe", + "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}", + "ProviderGuid": 
"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Sysmon", - "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Task": 1, - "OpcodeValue": 0, - "Domain": "NT AUTHORITY", - "AccountName": "SYSTEM", - "AccountType": "User", - "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}", - "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", - "User": "NT AUTHORITY\\\\SYSTEM", - "ParentImage": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe" + "User": "NT AUTHORITY\\\\SYSTEM" }, - "name": "Process creation" - }, - "log": { - "hostname": "hostfoo", - "level": "info" + "record_id": 4244505, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "hostfoo", "name": "hostfoo" }, + "log": { + "hostname": "hostfoo", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "name": "NT AUTHORITY\\\\SYSTEM", - "domain": "NT AUTHORITY" + "process": { + "command_line": "powershell.exe -file c:/dir/scripts/nagios/get-localadmgroupmembership/get-localadmgroupmembership.ps1", + "executable": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "hash": { + "md5": "b3ad5364cf04b6ab05616dd483aaf618", + "sha1": "e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e", + "sha256": "7375adedb82fd62cefc6b6fd20a704a164e056022f3b8c2e1b94f3a9b8361478" + }, + "id": 2932, + "name": "powershell.exe", + "parent": { + "command_line": "c:\\\\program files\\\\nsclient++\\\\nscp.exe service --run --name nscp", + "executable": "c:\\\\program files\\\\nsclient++\\\\nscp.exe", + "name": "nscp.exe", + "working_directory": "c:\\\\program files\\\\nsclient++\\\\" + }, + "pid": 2932, + "ppid": "1776", + "thread": { + "id": 3956 + }, + "working_directory": "c:\\\\program files\\\\nsclient++\\\\" }, "related": { "hash": [ 
@@ -653,6 +648,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\\\SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NT AUTHORITY\\\\SYSTEM" } } 
@@ -667,67 +667,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-13 16:15:44\",\"Hostname\":\"\",\"Keywords\":-9182839640208441000,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":1201,\"SourceName\":\"AD FS Auditing\",\"Task\":3,\"RecordNumber\":1012533579,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Security\",\"Domain\":\"KEY\",\"AccountName\":\"\",\"UserID\":\"S-1-5-21-0000000000-0000000000-0000000000-000000\",\"AccountType\":\"User\",\"Message\":\"The Federation Service failed to issue a valid token. See XML for failure details. \\r\\n\\r\\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \\r\\n\\r\\nAdditional Data \\r\\nXML: \\r\\n\\r\\n AppToken\\r\\n Failure\\r\\n GenericError\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n N/A\\r\\n firstname.lastname@example.org\\r\\n \\r\\n \\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n false\\r\\n NotSet\\r\\n \\r\\n \\r\\n N/A\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n WSFederation\\r\\n Extranet\\r\\n 1.1.1.1,1.1.1.1,1.1.1.1\\r\\n 1.1.1.1,1.1.1.1,1.1.1.1\\r\\n N/A\\r\\n N/A\\r\\n proxy-server\\r\\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\\r\\n /adfs/ls/\\r\\n \\r\\n \\r\\n\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2012-09-13 16:15:45\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1201", - "provider": "AD FS Auditing", - "message": "The Federation Service failed to issue a valid token. See XML for failure details. 
\r\n\r\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n AppToken\r\n Failure\r\n GenericError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n firstname.lastname@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Extranet\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n N/A\r\n N/A\r\n proxy-server\r\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\r\n /adfs/ls/\r\n \r\n \r\n" + "message": "The Federation Service failed to issue a valid token. See XML for failure details. \r\n\r\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n AppToken\r\n Failure\r\n GenericError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n firstname.lastname@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Extranet\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n N/A\r\n N/A\r\n proxy-server\r\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\r\n /adfs/ls/\r\n \r\n \r\n", + "provider": "AD FS Auditing" }, "action": { - "record_id": 1012533579, - "type": "Security", "id": 1201, + "outcome": "failure", "properties": { "AccountName": "", "AccountType": "User", "Domain": "KEY", "EventType": "AUDIT_FAILURE", + "Keywords": "-9182839640208441000", + "ProxyServer": "proxy-server", "Severity": "ERROR", - "Task": 3, "SourceName": "AD FS Auditing", - "Keywords": "-9182839640208441000", - "ProxyServer": "proxy-server" + 
"Task": 3 }, - "outcome": "failure" - }, - "log": { - "hostname": "", - "level": "error" + "record_id": 1012533579, + "type": "Security" }, "host": { "hostname": "", "name": "" }, + "log": { + "hostname": "", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 0, + "pid": 0, "thread": { "id": 0 - }, - "pid": 0, - "id": 0 - }, - "user": { - "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", - "name": "", - "domain": "KEY", - "email": "firstname.lastname@example.org" - }, - "user_agent": { - "original": "Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36", - "device": { - "name": "Samsung SM-A217F" - }, - "name": "Chrome Mobile WebView", - "version": "94.0.4606", - "os": { - "name": "Android", - "version": "11" } }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "hosts": [ "" @@ -738,6 +716,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "domain": "KEY", + "email": "firstname.lastname@example.org", + "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", + "name": "" + }, + "user_agent": { + "device": { + "name": "Samsung SM-A217F" + }, + "name": "Chrome Mobile WebView", + "original": "Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36", + "os": { + "name": "Android", + "version": "11" + }, + "version": "94.0.4606" } } 
@@ -752,67 +752,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-20 15:54:13\",\"Hostname\":\"\",\"Keywords\":-9182839640208441000,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":1203,\"SourceName\":\"AD FS Auditing\",\"Task\":3,\"RecordNumber\":959944122,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Security\",\"Domain\":\"KEY\",\"AccountName\":\"\",\"UserID\":\"S-1-5-21-0000000000-0000000000-0000000000-000000\",\"AccountType\":\"User\",\"Message\":\"The Federation Service failed to validate a new credential. See XML for failure details. \\r\\n\\r\\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \\r\\n\\r\\nAdditional Data \\r\\nXML: \\r\\n\\r\\n FreshCredentials\\r\\n Failure\\r\\n CredentialValidationError\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n N/A\\r\\n username@example.org\\r\\n \\r\\n \\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n N/A\\r\\n false\\r\\n false\\r\\n NotSet\\r\\n \\r\\n \\r\\n N/A\\r\\n N/A\\r\\n \\r\\n \\r\\n http://auth.example.org/adfs/services/trust\\r\\n WSFederation\\r\\n Intranet\\r\\n 1.1.1.1\\r\\n \\r\\n N/A\\r\\n N/A\\r\\n N/A\\r\\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\\r\\n /adfs/ls/\\r\\n \\r\\n \\r\\n\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2012-09-20 15:54:15\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1203", - "provider": "AD FS Auditing", - "message": "The Federation Service failed to validate a new credential. See XML for failure details. 
\r\n\r\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n FreshCredentials\r\n Failure\r\n CredentialValidationError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n username@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Intranet\r\n 1.1.1.1\r\n \r\n N/A\r\n N/A\r\n N/A\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\r\n /adfs/ls/\r\n \r\n \r\n" + "message": "The Federation Service failed to validate a new credential. See XML for failure details. \r\n\r\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n FreshCredentials\r\n Failure\r\n CredentialValidationError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n username@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Intranet\r\n 1.1.1.1\r\n \r\n N/A\r\n N/A\r\n N/A\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\r\n /adfs/ls/\r\n \r\n \r\n", + "provider": "AD FS Auditing" }, "action": { - "record_id": 959944122, - "type": "Security", "id": 1203, + "outcome": "failure", "properties": { "AccountName": "", "AccountType": "User", "Domain": "KEY", "EventType": "AUDIT_FAILURE", + "Keywords": "-9182839640208441000", + "ProxyServer": "N/A", "Severity": "ERROR", - "Task": 3, "SourceName": "AD FS Auditing", - "Keywords": "-9182839640208441000", - "ProxyServer": "N/A" + "Task": 3 }, - "outcome": "failure" - }, - "log": { - "hostname": "", - "level": "error" + "record_id": 959944122, + 
"type": "Security" }, "host": { "hostname": "", "name": "" }, + "log": { + "hostname": "", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 0, + "pid": 0, "thread": { "id": 0 - }, - "pid": 0, - "id": 0 - }, - "user": { - "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", - "name": "", - "domain": "KEY", - "email": "username@example.org" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044", - "device": { - "name": "Other" - }, - "name": "Edge", - "version": "18.19044", - "os": { - "name": "Windows", - "version": "10" } }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" - }, "related": { "hosts": [ "" @@ -823,6 +801,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "domain": "KEY", + "email": "username@example.org", + "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", + "name": "" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "18.19044" } } 
@@ -837,72 +837,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2011-03-02 01:40:47\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":4611686018427387904,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":61,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":18732,\"ActivityID\":\"{5B327F5A-B797-4B7E-AB05-11A0E98A15AF}\",\"ProcessID\":5796,\"ThreadID\":12472,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.\",\"Opcode\":\"Arr\u00c3\u00aater\",\"transferId\":\"{5b327f5a-b797-4b7e-ab05-11a0e98a15af}\",\"name\":\"Font Download\",\"Id\":\"{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}\",\"url\":\"https://fs.microsoft.com/fs/windows/config.json\",\"hr\":\"2147954402\",\"fileTime\":\"1601-01-01T00:00:00.0000000Z\",\"fileLength\":\"18446744073709551615\",\"bytesTotal\":\"18446744073709551615\",\"bytesTransferred\":\"0\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2011-03-02 01:40:48\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "61", - "provider": "Microsoft-Windows-Bits-Client", - "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL 
https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2." - }, - "file": { - "name": "font download", - "size": -1 + "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.", + "provider": "Microsoft-Windows-Bits-Client" }, "action": { - "record_id": 18732, - "type": "Microsoft-Windows-Bits-Client/Operational", "id": 61, "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", + "BytesTotal": "-1", "Domain": "AUTORITE NT", "EventType": "WARNING", "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", + "Keywords": "4611686018427387904", "OpcodeValue": 2, "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", "Severity": "WARNING", - "Task": 0, - "bytesTransferred": "0", "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904", - "BytesTotal": "-1" - } + "Task": 0, + "bytesTransferred": "0" + }, + "record_id": 18732, + "type": "Microsoft-Windows-Bits-Client/Operational" }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "warning" + "destination": { + "address": "fs.microsoft.com", + "domain": "fs.microsoft.com", + "size_in_char": 16 + }, + "file": { + "name": "font download", + "size": -1 }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": "warning" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 5796, + "pid": 5796, "thread": { "id": 12472 - }, - "pid": 5796, - "id": 5796 - }, - "url": { - "original": "https://fs.microsoft.com/fs/windows/config.json", - "full": "https://fs.microsoft.com/fs/windows/config.json", - "domain": "fs.microsoft.com", - "scheme": "https", - "path": "/fs/windows/config.json", - "top_level_domain": "com", - "subdomain": "fs", - "registered_domain": 
"microsoft.com", - "port": 443 - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" - }, - "destination": { - "domain": "fs.microsoft.com", - "address": "fs.microsoft.com", - "size_in_char": 16 + } }, "related": { "hosts": [ @@ -912,6 +896,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "url": { + "domain": "fs.microsoft.com", + "full": "https://fs.microsoft.com/fs/windows/config.json", + "original": "https://fs.microsoft.com/fs/windows/config.json", + "path": "/fs/windows/config.json", + "port": 443, + "registered_domain": "microsoft.com", + "scheme": "https", + "subdomain": "fs", + "top_level_domain": "com" + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -929,79 +929,79 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "provider": "Microsoft-Windows-Bits-Client"
 },
 "action": {
- "record_id": 199,
- "type": "Microsoft-Windows-Bits-Client/Operational",
 "id": 16403,
 "properties": {
 "AccountName": "userXYZ",
 "AccountType": "User",
 "Domain": "DESKTOP-FOOBARZ",
 "EventType": "INFO",
+ "Keywords": "4611686018427387904",
 "LocalName": "C:\\Users\\userXYZ\\Downloads\\sharpbits.zip",
 "OpcodeValue": 0,
 "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}",
 "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-Bits-Client",
 "Task": 0,
 "User": "DESKTOP-FOOBARZ\\userXYZ",
- "jobTitle": "sharpbitsTest.zip",
- "SourceName": "Microsoft-Windows-Bits-Client",
- "Keywords": "4611686018427387904"
- }
+ "jobTitle": "sharpbitsTest.zip"
+ },
+ "record_id": 199,
+ "type": "Microsoft-Windows-Bits-Client/Operational"
+ },
+ "destination": {
+ "address": "codeplexarchive.blob.core.windows.net",
+ "domain": "codeplexarchive.blob.core.windows.net",
+ "size_in_char": 37
 },
 "file": {
- "owner": "DESKTOP-FOOBARZ\\userXYZ",
 "name": "sharpbits.zip",
+ "owner": "DESKTOP-FOOBARZ\\userXYZ",
 "path": "c:\\users\\userxyz\\downloads\\sharpbits.zip"
 },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
- },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 7908,
+ "pid": 7908,
 "thread": {
 "id": 2432
- },
- "pid": 7908,
- "id": 7908
+ }
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-FOOBARZ",
+ "codeplexarchive.blob.core.windows.net"
+ ],
+ "user": [
+ "DESKTOP-FOOBARZ\\userXYZ",
+ "userXYZ"
+ ]
 },
 "url": {
- "original": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
- "full": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
 "domain": "codeplexarchive.blob.core.windows.net",
- 
"scheme": "https",
+ "full": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
+ "original": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
 "path": "/archive/projects/sharpbits/sharpbits.zip",
- "top_level_domain": "net",
- "subdomain": "codeplexarchive.blob.core",
+ "port": 443,
 "registered_domain": "windows.net",
- "port": 443
+ "scheme": "https",
+ "subdomain": "codeplexarchive.blob.core",
+ "top_level_domain": "net"
 },
 "user": {
+ "domain": "DESKTOP-FOOBARZ",
 "id": "S-1-5-21-1808781047-1579666423-2539082804-1000",
- "name": "userXYZ",
- "domain": "DESKTOP-FOOBARZ"
- },
- "destination": {
- "domain": "codeplexarchive.blob.core.windows.net",
- "address": "codeplexarchive.blob.core.windows.net",
- "size_in_char": 37
- },
- "related": {
- "user": [
- "DESKTOP-FOOBARZ\\userXYZ",
- "userXYZ"
- ],
- "hosts": [
- "DESKTOP-FOOBARZ",
- "codeplexarchive.blob.core.windows.net"
- ]
+ "name": "userXYZ"
 }
 }
@@ -1016,83 +1016,83 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-29 17:08:50\",\"Hostname\":\"DESKTOP-FOOBAR\",\"Keywords\":4611686018427387904,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":60,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":206,\"ActivityID\":\"{510DF63E-554F-4823-8F87-A23BDEDE0898}\",\"ProcessID\":7908,\"ThreadID\":2432,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0.\",\"Opcode\":\"Stop\",\"transferId\":\"{510df63e-554f-4823-8f87-a23bdede0898}\",\"name\":\"sharpbitsTestX.zip\",\"Id\":\"{c10c39b1-5f4e-47bc-a848-dc7505233471}\",\"url\":\"https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip\",\"hr\":\"0\",\"fileTime\":\"2018-02-05T22:41:26.0000000Z\",\"fileLength\":\"524444\",\"bytesTotal\":\"524444\",\"bytesTransferred\":\"524444\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2010-12-29 17:08:51\",\"SourceModuleName\":\"eventlog6\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "60", - "provider": "Microsoft-Windows-Bits-Client", - "message": "BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0." 
- },
- "file": {
- "name": "sharpbitstestx.zip",
- "size": 524444,
- "path": "sharpbitstestx.zip"
+ "message": "BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0.",
+ "provider": "Microsoft-Windows-Bits-Client"
 },
 "action": {
- "record_id": 206,
- "type": "Microsoft-Windows-Bits-Client/Operational",
 "id": 60,
+ "name": "BITS has stopped transferring the BITS Transfer job",
 "properties": {
 "AccountName": "SYSTEM",
 "AccountType": "User",
+ "BytesTotal": "524444",
 "Domain": "NT AUTHORITY",
 "EventType": "INFO",
 "Id": "{c10c39b1-5f4e-47bc-a848-dc7505233471}",
+ "Keywords": "4611686018427387904",
 "OpcodeValue": 2,
 "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}",
 "Severity": "INFO",
- "Task": 0,
- "bytesTransferred": "524444",
 "SourceName": "Microsoft-Windows-Bits-Client",
- "Keywords": "4611686018427387904",
- "BytesTotal": "524444"
+ "Task": 0,
+ "bytesTransferred": "524444"
 },
- "name": "BITS has stopped transferring the BITS Transfer job"
+ "record_id": 206,
+ "type": "Microsoft-Windows-Bits-Client/Operational"
 },
- "log": {
- "hostname": "DESKTOP-FOOBAR",
- "level": "info"
+ "destination": {
+ "address": "codeplexarchive.blob.core.windows.net",
+ "domain": "codeplexarchive.blob.core.windows.net",
+ "size_in_char": 37
+ },
+ "file": {
+ "name": "sharpbitstestx.zip",
+ "path": "sharpbitstestx.zip",
+ "size": 524444
 },
 "host": {
 "hostname": "DESKTOP-FOOBAR",
 "name": "DESKTOP-FOOBAR"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBAR",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 7908,
+ "pid": 7908,
 "thread": {
 "id": 2432
- },
- "pid": 7908,
- "id": 7908
+ }
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-FOOBAR",
+ "codeplexarchive.blob.core.windows.net"
+ ],
+ "user": [
+ "SYSTEM"
+ ]
 },
 "url": {
- "original": 
"https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
- "full": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
 "domain": "codeplexarchive.blob.core.windows.net",
- "scheme": "https",
+ "full": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
+ "original": "https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip",
 "path": "/archive/projects/sharpbits/sharpbits.zip",
- "top_level_domain": "net",
- "subdomain": "codeplexarchive.blob.core",
+ "port": 443,
 "registered_domain": "windows.net",
- "port": 443
- },
- "user": {
- "id": "S-1-5-18",
- "name": "SYSTEM",
- "domain": "NT AUTHORITY"
- },
- "destination": {
- "domain": "codeplexarchive.blob.core.windows.net",
- "address": "codeplexarchive.blob.core.windows.net",
- "size_in_char": 37
+ "scheme": "https",
+ "subdomain": "codeplexarchive.blob.core",
+ "top_level_domain": "net"
 },
- "related": {
- "hosts": [
- "DESKTOP-FOOBAR",
- "codeplexarchive.blob.core.windows.net"
- ],
- "user": [
- "SYSTEM"
- ]
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-18",
+ "name": "SYSTEM"
 }
 }
@@ -1107,13 +1107,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-05 15:26:31\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":1116,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":424,\"ProcessID\":2484,\"ThreadID\":9244,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\\r\\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\\r\\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\\r\\n \\tNom : HackTool:Win64/Mikatz!dha\\r\\n \\tID : 2147705511\\r\\n \\tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\\r\\n \\tCat\u00c3\u00a9gorie : Outil\\r\\n \\tChemin : file:_C:\\\\Users\\\\r1\\\\Downloads\\\\tmp2\\\\tmp2\\\\Win32\\\\mimidrv.sys\\r\\n \\tOrigine de la d\u00c3\u00a9tection : Ordinateur local\\r\\n \\tType de d\u00c3\u00a9tection : Concret\\r\\n \\tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\\r\\n \\tUtilisateur : DESKTOP-FOOBARZ\\\\r1\\r\\n \\tNom du processus : C:\\\\Windows\\\\explorer.exe\\r\\n \\tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\\r\\n \\tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4\",\"Opcode\":\"Informations\",\"Product Name\":\"%%827\",\"Product Version\":\"4.18.2009.7\",\"Detection ID\":\"{3A24708D-3147-43F8-B63D-60CAD6A64298}\",\"Detection Time\":\"2010-11-05T14:26:30.985Z\",\"Threat 
ID\":\"2147705511\",\"Threat Name\":\"HackTool:Win64/Mikatz!dha\",\"Severity ID\":\"4\",\"Severity Name\":\"\u00c3\u2030lev\u00c3\u00a9e\",\"Category ID\":\"34\",\"Category Name\":\"Outil\",\"FWLink\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\",\"Status Code\":\"1\",\"State\":\"1\",\"Source ID\":\"3\",\"Source Name\":\"%%818\",\"Process Name\":\"C:\\\\Windows\\\\explorer.exe\",\"Detection User\":\"DESKTOP-FOOBARZ\\\\r1\",\"Path\":\"file:_C:\\\\Users\\\\r1\\\\Downloads\\\\tmp2\\\\tmp2\\\\Win32\\\\mimidrv.sys\",\"Origin ID\":\"1\",\"Origin Name\":\"%%845\",\"Execution ID\":\"1\",\"Execution Name\":\"%%813\",\"Type ID\":\"0\",\"Type Name\":\"%%822\",\"Pre Execution Status\":\"0\",\"Action ID\":\"9\",\"Action Name\":\"%%887\",\"Error Code\":\"0x00000000\",\"Error Description\":\"L\u00e2\u20ac\u2122op\u00c3\u00a9ration a r\u00c3\u00a9ussi. \",\"Post Clean Status\":\"0\",\"Additional Actions ID\":\"0\",\"Additional Actions String\":\"No additional actions required\",\"Security intelligence Version\":\"AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\",\"Engine Version\":\"AM: 1.1.17500.4, NIS: 1.1.17500.4\",\"EventReceivedTime\":\"2010-11-05 15:26:39\",\"SourceModuleName\":\"eventlog2\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1116", - "provider": "Microsoft-Windows-Windows Defender", - "message": "Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\r\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\r\n \tNom : HackTool:Win64/Mikatz!dha\r\n \tID : 2147705511\r\n \tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\r\n \tCat\u00c3\u00a9gorie : Outil\r\n \tChemin : file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys\r\n \tOrigine de 
la d\u00c3\u00a9tection : Ordinateur local\r\n \tType de d\u00c3\u00a9tection : Concret\r\n \tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\r\n \tUtilisateur : DESKTOP-FOOBARZ\\r1\r\n \tNom du processus : C:\\Windows\\explorer.exe\r\n \tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\r\n \tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4" + "message": "Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\r\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\r\n \tNom : HackTool:Win64/Mikatz!dha\r\n \tID : 2147705511\r\n \tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\r\n \tCat\u00c3\u00a9gorie : Outil\r\n \tChemin : file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys\r\n \tOrigine de la d\u00c3\u00a9tection : Ordinateur local\r\n \tType de d\u00c3\u00a9tection : Concret\r\n \tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\r\n \tUtilisateur : DESKTOP-FOOBARZ\\r1\r\n \tNom du processus : C:\\Windows\\explorer.exe\r\n \tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\r\n \tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4", + "provider": "Microsoft-Windows-Windows Defender" }, "action": { - "record_id": 424, - "type": "Microsoft-Windows-Windows Defender/Operational", "id": 1116, + "name": "The antimalware platform detected malware or other potentially unwanted software.", "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", 
@@ -1122,41 +1121,37 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ErrorCode": "0x00000000",
 "EventType": "WARNING",
 "Execution Name": "%%813",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "Path": "file:_c:\\users\\r1\\downloads\\tmp2\\tmp2\\win32\\mimidrv.sys",
 "ProcessName": "c:\\windows\\explorer.exe",
 "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
 "Severity": "WARNING",
- "Task": 0,
- "ThreatName": "HackTool:Win64/Mikatz!dha",
 "SourceName": "Microsoft-Windows-Windows Defender",
- "Keywords": "-9223372036854775808"
+ "Task": 0,
+ "ThreatName": "HackTool:Win64/Mikatz!dha"
 },
- "name": "The antimalware platform detected malware or other potentially unwanted software."
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "warning"
+ "record_id": 424,
+ "type": "Microsoft-Windows-Windows Defender/Operational"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "warning"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 2484,
+ "pid": 2484,
 "thread": {
 "id": 9244
- },
- "pid": 2484,
- "id": 2484
- },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
+ }
 },
 "related": {
 "hosts": [
@@ -1165,6 +1160,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -1179,18 +1179,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-12-22 20:25:26\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1151,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":215,\"ProcessID\":5472,\"ThreadID\":5596,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \\r\\n \\tVersion de plateforme\u00a0: 4.18.2011.6\\r\\n \\tVersion de moteur\u00a0: 1.1.19900.2\\r\\n \\tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\\r\\n \\tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\\r\\n \\tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\\r\\n \\tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\\r\\n \\t\u00c9tat RTP\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat OA\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat OAV\u00a0: Activ\u00e9\\r\\n \\t\u00c9tat BM\u00a0: Activ\u00e9\\r\\n \\t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\\r\\n \\t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\\r\\n \\t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\\r\\n \\t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\\r\\n \\tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\\r\\n \\tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 
01:50:26\\r\\n \\tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\\r\\n \\tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\\r\\n \\tSource de la derni\u00e8re analyse rapide\u00a0: 2\\r\\n \\tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\\r\\n \\tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\\r\\n \\tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\\r\\n \\tStatut du produit\u00a0: 0x00080000\\r\\n\",\"Opcode\":\"Informations\",\"Product Name\":\"Antivirus Microsoft Defender\",\"Platform version\":\"4.18.2011.6\",\"Engine version\":\"1.1.19900.2\",\"NRI engine version\":\"1.1.19900.2\",\"AV security intelligence version\":\"1.381.814.0\",\"AS security intelligence version\":\"1.381.814.0\",\"NRI security intelligence version\":\"1.381.814.0\",\"RTP state\":\"Activ\u00e9\",\"OA state\":\"Activ\u00e9\",\"IOAV state\":\"Activ\u00e9\",\"BM state\":\"Activ\u00e9\",\"Last AV security intelligence age\":\"1\",\"Last AS security intelligence age\":\"1\",\"Last quick scan age\":\"1\",\"Last full scan age\":\"4294967295\",\"AV security intelligence creation time\":\"21/12/2012 01:50:25\",\"AS security intelligence creation time\":\"21/12/2012 01:50:26\",\"Last quick scan start time\":\"21/12/2012 10:30:01\",\"Last quick scan end time\":\"21/12/2012 10:40:38\",\"Last quick scan source\":\"2\",\"Last full scan start time\":\"01/01/1601 00:00:00\",\"Last full scan end time\":\"01/01/1601 00:00:00\",\"Last full scan source\":\"0\",\"Product status\":\"0x00080000\",\"EventReceivedTime\":\"2012-12-22 20:25:28\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1151", - "provider": "Microsoft-Windows-Windows Defender", - "message": "Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \r\n \tVersion de plateforme\u00a0: 4.18.2011.6\r\n \tVersion de moteur\u00a0: 
1.1.19900.2\r\n \tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\r\n \tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\r\n \tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\r\n \tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\r\n \t\u00c9tat RTP\u00a0: Activ\u00e9\r\n \t\u00c9tat OA\u00a0: Activ\u00e9\r\n \t\u00c9tat OAV\u00a0: Activ\u00e9\r\n \t\u00c9tat BM\u00a0: Activ\u00e9\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 01:50:26\r\n \tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\r\n \tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\r\n \tSource de la derni\u00e8re analyse rapide\u00a0: 2\r\n \tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\r\n \tStatut du produit\u00a0: 0x00080000\r\n" + "message": "Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \r\n \tVersion de plateforme\u00a0: 4.18.2011.6\r\n \tVersion de moteur\u00a0: 1.1.19900.2\r\n \tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\r\n \tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\r\n 
\tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\r\n \tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\r\n \t\u00c9tat RTP\u00a0: Activ\u00e9\r\n \t\u00c9tat OA\u00a0: Activ\u00e9\r\n \t\u00c9tat OAV\u00a0: Activ\u00e9\r\n \t\u00c9tat BM\u00a0: Activ\u00e9\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 01:50:26\r\n \tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\r\n \tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\r\n \tSource de la derni\u00e8re analyse rapide\u00a0: 2\r\n \tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\r\n \tStatut du produit\u00a0: 0x00080000\r\n", + "provider": "Microsoft-Windows-Windows Defender" }, "action": { - "record_id": 215, - "type": "Microsoft-Windows-Windows Defender/Operational", "id": 1151, "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", + "Keywords": "-9223372036854775808", "LastASSecurityIntelligenceAge": "1", "LastAVSecurityIntelligenceAge": "1", "LastFullScanAge": "4294967295", 
@@ -1198,34 +1197,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "OpcodeValue": 0,
 "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
 "Severity": "INFO",
- "Task": 0,
 "SourceName": "Microsoft-Windows-Windows Defender",
- "Keywords": "-9223372036854775808"
- }
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "Task": 0
+ },
+ "record_id": 215,
+ "type": "Microsoft-Windows-Windows Defender/Operational"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 5472,
+ "pid": 5472,
 "thread": {
 "id": 5596
- },
- "pid": 5472,
- "id": 5472
- },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
+ }
 },
 "related": {
 "hosts": [
@@ -1234,6 +1229,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -1248,50 +1248,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-09-13 09:20:39\",\"Hostname\":\"lb-foobar\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5007,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1166,\"ProcessID\":3532,\"ThreadID\":5956,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes\\\\powershell.exe = 0x0\\r\\n \\tNew value: \",\"Opcode\":\"Info\",\"Product Name\":\"Microsoft Defender Antivirus\",\"Product Version\":\"4.18.2108.7\",\"Old Value\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes\\\\powershell.exe = 0x0\",\"EventReceivedTime\":\"2011-09-13 09:20:41\",\"SourceModuleName\":\"eventlog6\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5007", - "provider": "Microsoft-Windows-Windows Defender", - "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0\r\n \tNew value: " + "message": "Microsoft Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0\r\n \tNew value: ",
+ "provider": "Microsoft-Windows-Windows Defender"
 },
 "action": {
- "record_id": 1166,
- "type": "Microsoft-Windows-Windows Defender/Operational",
 "id": 5007,
 "properties": {
 "AccountName": "SYSTEM",
 "AccountType": "User",
 "Domain": "NT AUTHORITY",
 "EventType": "INFO",
+ "Keywords": "-9223372036854775808",
 "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0",
 "OpcodeValue": 0,
 "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
 "Severity": "INFO",
- "Task": 0,
 "SourceName": "Microsoft-Windows-Windows Defender",
- "Keywords": "-9223372036854775808"
- }
- },
- "log": {
- "hostname": "lb-foobar",
- "level": "info"
+ "Task": 0
+ },
+ "record_id": 1166,
+ "type": "Microsoft-Windows-Windows Defender/Operational"
 },
 "host": {
 "hostname": "lb-foobar",
 "name": "lb-foobar"
 },
+ "log": {
+ "hostname": "lb-foobar",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 3532,
+ "pid": 3532,
 "thread": {
 "id": 5956
- },
- "pid": 3532,
- "id": 3532
- },
- "user": {
- "id": "S-1-5-18",
- "name": "SYSTEM",
- "domain": "NT AUTHORITY"
+ }
 },
 "related": {
 "hosts": [
@@ -1300,6 +1295,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-18",
+ "name": "SYSTEM"
 }
 }
@@ -1314,12 +1314,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-06-02 15:04:18\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":712900,\"ActivityID\":\"{260C9E3C-4B0F-0002-DC86-2D260F4BD701}\",\"ProcessID\":22244,\"ThreadID\":16456,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\\r\\n\\r\\n\\r\\nContexte :\\r\\n Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.19041.906\\r\\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\\r\\n Application h\u00f4te = C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.19041.906\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\\r\\n ID de pipeline = 1\\r\\n Nom de commande = Select-Object\\r\\n Type de commande = Cmdlet\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 138\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nDonn\u00e9es utilisateur :\\r\\n\\r\\n\",\"Category\":\"Ex\u00e9cution du pipeline\",\"Opcode\":\"\u00c0 utiliser lorsque l'op\u00e9ration 
ex\u00e9cute uniquement une m\u00e9thode\",\"ContextInfo\":\" Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.19041.906\\r\\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\\r\\n Application h\u00f4te = C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.19041.906\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\\r\\n ID de pipeline = 1\\r\\n Nom de commande = Select-Object\\r\\n Type de commande = Cmdlet\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence\u00a0= 138\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\\r\\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\\r\\n\",\"EventReceivedTime\":\"2011-06-02 15:04:18\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "provider": "Microsoft-Windows-PowerShell", - "message": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select 
processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n" + "message": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n", + "provider": "Microsoft-Windows-PowerShell" }, "action": { - "record_id": 712900, - "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, "properties": { "AccountName": "Syst\u00e8me", 
@@ -1327,41 +1325,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n", "Domain": "AUTORITE NT", "EventType": "INFO", + "HostApplication": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", + "HostName": "ConsoleHost", + "Keywords": "0", "OpcodeValue": 20, "Payload": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n", "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "Severity": "INFO", - "Task": 106, "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", - "HostName": "ConsoleHost" - } - }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "info" + "Task": 106 + }, + "record_id": 712900, + "type": "Microsoft-Windows-PowerShell/Operational" }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": 
"info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 22244, + "name": "powershell.exe", + "pid": 22244, "thread": { "id": 16456 - }, - "pid": 22244, - "id": 22244, - "name": "powershell.exe" - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" + } }, "related": { "hosts": [ @@ -1370,6 +1365,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -1384,51 +1384,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\": \"2022-03-21 09:17:49\", \"Hostname\": \"dcclient-vm\", \"Keywords\": -9223372036854775808, \"EventType\": \"INFO\", \"SeverityValue\": 2, \"Severity\": \"INFO\", \"EventID\": 5007, \"SourceName\": \"Microsoft-Windows-Windows Defender\", \"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\", \"Version\": 0, \"Task\": 0, \"OpcodeValue\": 0, \"RecordNumber\": 4178, \"ProcessID\": 3292, \"ThreadID\": 5848, \"Channel\": \"Microsoft-Windows-Windows Defender/Operational\", \"Domain\": \"NT AUTHORITY\", \"AccountName\": \"SYSTEM\", \"UserID\": \"S-1-5-18\", \"AccountType\": \"User\", \"Message\": \"Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x5\\r\\n \\tNew value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x4\", \"Opcode\": \"Info\", \"Product Name\": \"Microsoft Defender Antivirus\", \"Product Version\": \"4.18.2202.4\", \"Old Value\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x5\", \"New Value\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection = 0x4\", \"EventReceivedTime\": \"2022-03-18 14:42:03\", \"SourceModuleName\": \"eventlog6\", \"SourceModuleType\": \"im_msvistalog\"}", "event": { "code": "5007", - "provider": "Microsoft-Windows-Windows Defender", - "message": "Microsoft Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5\r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4" + "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5\r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4", + "provider": "Microsoft-Windows-Windows Defender" }, "action": { - "record_id": 4178, - "type": "Microsoft-Windows-Windows Defender/Operational", "id": 5007, "properties": { "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Keywords": "-9223372036854775808", "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4", "Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5", "OpcodeValue": 0, "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", "Severity": "INFO", - "Task": 0, "SourceName": "Microsoft-Windows-Windows Defender", - "Keywords": "-9223372036854775808" - } - }, - "log": { - "hostname": "dcclient-vm", - "level": "info" + "Task": 0 + }, + "record_id": 4178, + "type": "Microsoft-Windows-Windows Defender/Operational" }, "host": { "hostname": "dcclient-vm", "name": "dcclient-vm" }, + "log": { + "hostname": "dcclient-vm", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 3292, + "pid": 3292, "thread": { "id": 5848 - }, - "pid": 3292, - "id": 3292 - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ 
@@ -1437,6 +1432,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-18",
+ "name": "SYSTEM"
 }
 }
 
@@ -1451,65 +1451,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-05-22 15:37:23\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4768,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14339,\"OpcodeValue\":0,\"RecordNumber\":26287385371,\"ProcessID\":1796,\"ThreadID\":17268,\"Channel\":\"Security\",\"Message\":\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tFOO$\\r\\n\\tSupplied Realm Name:\\tKEY.HOSTFOO.INT\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-1574594750-1263408776-2012955550-83436\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::ffff:1.1.1.1\\r\\n\\tClient Port:\\t\\t65016\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\",\"Category\":\"Kerberos Authentication 
Service\",\"Opcode\":\"Info\",\"TargetUserName\":\"FOO$\",\"TargetDomainName\":\"KEY.HOSTFOO.INT\",\"TargetSid\":\"S-1-5-21-1574594750-1263408776-2012955550-83436\",\"ServiceName\":\"krbtgt\",\"ServiceSid\":\"S-1-5-21-1574594750-1263408776-2012955550-502\",\"TicketOptions\":\"0x40810010\",\"Status\":\"0x0\",\"TicketEncryptionType\":\"0x12\",\"PreAuthType\":\"2\",\"IpAddress\":\"::ffff:1.1.1.1\",\"IpPort\":\"65016\",\"EventReceivedTime\":\"2010-05-22 15:37:24\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4768", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tFOO$\r\n\tSupplied Realm Name:\tKEY.HOSTFOO.INT\r\n\tUser ID:\t\t\tS-1-5-21-1574594750-1263408776-2012955550-83436\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t65016\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120." 
+ "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tFOO$\r\n\tSupplied Realm Name:\tKEY.HOSTFOO.INT\r\n\tUser ID:\t\t\tS-1-5-21-1574594750-1263408776-2012955550-83436\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t65016\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 26287385371, - "type": "Security", "id": 4768, + "name": "A Kerberos authentication ticket (TGT) was requested", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", "IpAddress": "::ffff:1.1.1.1", "IpPort": "65016", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "PreAuthType": "2", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "ServiceName": "krbtgt", "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-502", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "Status": "0x0", "TargetDomainName": "KEY.HOSTFOO.INT", "TargetSid": "S-1-5-21-1574594750-1263408776-2012955550-83436", "TargetUserName": "FOO$", "Task": 14339, "TicketEncryptionType": "0x12", - "TicketOptions": "0x40810010", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "TicketOptions": "0x40810010" }, - "name": "A Kerberos authentication ticket (TGT) was requested", - "outcome": 
"success" - }, - "log": { - "hostname": "FOOBAZ11", - "level": "info" + "record_id": 26287385371, + "type": "Security" }, "host": { "hostname": "FOOBAZ11", "name": "FOOBAZ11" }, + "log": { + "hostname": "FOOBAZ11", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1796, + "pid": 1796, "thread": { "id": 17268 - }, - "pid": 1796, - "id": 1796 - }, - "user": { - "target": { - "name": "FOO$", - "domain": "KEY.HOSTFOO.INT" } }, - "source": { - "ip": "1.1.1.1", - "address": "::ffff:1.1.1.1" - }, "related": { "hosts": [ "FOOBAZ11" @@ -1517,6 +1507,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "::ffff:1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "target": { + "domain": "KEY.HOSTFOO.INT", + "name": "FOO$" + } } } 
@@ -1531,50 +1531,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-05-16 11:55:18\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223354444668731392,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8001,\"SourceName\":\"Microsoft-Windows-Store\",\"ProviderGuid\":\"{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}\",\"Version\":0,\"Task\":8001,\"OpcodeValue\":14,\"RecordNumber\":4644,\"ProcessID\":2368,\"ThreadID\":836,\"Channel\":\"Microsoft-Windows-Store/Operational\",\"Domain\":\"DESKTOP-FOOBARZ\",\"AccountName\":\"UserFoo\",\"UserID\":\"S-1-5-21-1695726573-3959282566-3642579326-1001\",\"AccountType\":\"User\",\"Message\":\"Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\\r\\nFunction: InvokeLicenseManagerRequired\\r\\nSource: enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp (205)\",\"Category\":\"LM\",\"Opcode\":\"Info\",\"Function\":\"InvokeLicenseManagerRequired\",\"Source\":\"enduser\\\\winstore\\\\licensemanager\\\\apisethost\\\\activationapis.cpp\",\"Line Number\":\"205\",\"EventReceivedTime\":\"2019-05-16 11:55:20\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "8001", - "provider": "Microsoft-Windows-Store", - "message": "Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\r\nFunction: InvokeLicenseManagerRequired\r\nSource: enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp (205)" + "message": "Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\r\nFunction: InvokeLicenseManagerRequired\r\nSource: enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp (205)", + "provider": "Microsoft-Windows-Store" }, "action": { - "record_id": 4644, - "type": "Microsoft-Windows-Store/Operational", "id": 8001, "properties": { "AccountName": "UserFoo", "AccountType": "User", "Domain": 
"DESKTOP-FOOBARZ", "EventType": "INFO", + "Keywords": "-9223354444668731392", "OpcodeValue": 14, "ProviderGuid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}", "Severity": "INFO", "Source": "enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp", - "Task": 8001, "SourceName": "Microsoft-Windows-Store", - "Keywords": "-9223354444668731392" - } - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "Task": 8001 + }, + "record_id": 4644, + "type": "Microsoft-Windows-Store/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 2368, + "pid": 2368, "thread": { "id": 836 - }, - "pid": 2368, - "id": 2368 - }, - "user": { - "id": "S-1-5-21-1695726573-3959282566-3642579326-1001", - "name": "UserFoo", - "domain": "DESKTOP-FOOBARZ" + } }, "related": { "hosts": [ @@ -1583,6 +1578,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "UserFoo" ] + }, + "user": { + "domain": "DESKTOP-FOOBARZ", + "id": "S-1-5-21-1695726573-3959282566-3642579326-1001", + "name": "UserFoo" } } 
@@ -1597,59 +1597,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 15:24:15\",\"Hostname\":\"HOSTBAZ-001.ad.HOSTFOO.com\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4634,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12545,\"OpcodeValue\":0,\"RecordNumber\":47121546,\"ProcessID\":560,\"ThreadID\":2172,\"Channel\":\"Security\",\"Message\":\"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1519513455-2607746426-4144247390-71234\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tAD\\r\\n\\tLogon ID:\\t\\t0x3912391A\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"Category\":\"Logoff\",\"Opcode\":\"Info\",\"TargetUserSid\":\"S-1-5-21-1519513455-2607746426-4144247390-71234\",\"TargetUserName\":\"USERFOO\",\"TargetDomainName\":\"AD\",\"TargetLogonId\":\"0x3912391a\",\"LogonType\":\"3\",\"EventReceivedTime\":\"2019-12-16 15:24:17\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 
+ "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 47121546, - "type": "Security", "id": 4634, + "name": "An account was logged off", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "LogonType": "3", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", - "Task": 12545, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 12545 }, - "name": "An account was logged off", - "outcome": "success" - }, - "log": { - "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", - "level": "info" + "record_id": 47121546, + "type": "Security" }, "host": { "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", "name": "HOSTBAZ-001.ad.HOSTFOO.com" }, + "log": { + "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 560, + "pid": 560, "thread": { "id": 2172 - }, - "pid": 560, - "id": 560 - }, - "user": { - "target": { - "name": "USERFOO", - "domain": "AD", - "id": "S-1-5-21-1519513455-2607746426-4144247390-71234" } }, "related": { "hosts": [ "HOSTBAZ-001.ad.HOSTFOO.com" ] + }, + "user": { + "target": { + "domain": "AD", + "id": "S-1-5-21-1519513455-2607746426-4144247390-71234", + "name": "USERFOO" + } } } 
@@ -1663,47 +1663,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EventTime\":\"2010-06-18 15:28:23\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4624,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12544,\"OpcodeValue\":0,\"RecordNumber\":10457874880,\"ProcessID\":744,\"ThreadID\":2352,\"Channel\":\"Security\",\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-69701\\r\\n\\tAccount Name:\\t\\tSVC_DD_SP-SEARCH\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xFBEE0744\\r\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tV-FOO\\r\\n\\tSource Network Address:\\t-\\r\\n\\tSource Port:\\t\\t-\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\tNTLM V2\\r\\n\\tKey Length:\\t\\t128\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"Category\":\"Logon\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-0-0\",\"SubjectUserName\":\"-\",\"SubjectDomainName\":\"-\",\"SubjectLogonId\":\"0x0\",\"TargetUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-69701\",\"TargetUserName\":\"SVC_DD_SP-SEARCH\",\"TargetDomainName\":\"KEY\",\"TargetLogonId\":\"0xfbee0744\",\"LogonType\":\"3\",\"LogonProcessName\":\"NtLmSsp \",\"AuthenticationPackageName\":\"NTLM\",\"WorkstationName\":\"V-FOO\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LmPackageName\":\"NTLM V2\",\"KeyLength\":\"128\",\"ProcessName\":\"-\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"EventReceivedTime\":\"2010-06-18 15:28:24\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount 
Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-69701\r\n\tAccount Name:\t\tSVC_DD_SP-SEARCH\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xFBEE0744\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tV-FOO\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "action": "authentication_network", "category": [ "authentication" ], + "code": "4624", + "message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-69701\r\n\tAccount Name:\t\tSVC_DD_SP-SEARCH\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xFBEE0744\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tV-FOO\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "action": "authentication_network" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "V-FOO" - }, - "server": { - "name": "V-FOO", - "os": { - "type": "windows" - } - } + ] }, "action": { - "record_id": 10457874880, - "type": "Security", "id": 4624, + "name": "An account was successfully logged on", + "outcome": "success", "properties": { "AuthenticationPackageName": "NTLM", "EventType": "AUDIT_SUCCESS", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", + "Keywords": "-9214364837600034816", "LogonProcessName": "NtLmSsp ", "LogonType": "3", "OpcodeValue": 0, "ProcessName": "-", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", 
@@ -1712,42 +1700,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetUserName": "SVC_DD_SP-SEARCH", "TargetUserSid": "S-1-5-21-1574594750-1263408776-2012955550-69701", "Task": 12544, - "WorkstationName": "V-FOO", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "WorkstationName": "V-FOO" }, - "name": "An account was successfully logged on", - "outcome": "success" + "record_id": 10457874880, + "type": "Security" }, - "log": { + "host": { "hostname": "V-FOO", - "level": "info" + "name": "V-FOO" }, - "host": { + "log": { "hostname": "V-FOO", - "name": "V-FOO" + "level": "info" }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 744, + "name": "NtLmSsp ", + "pid": 744, "thread": { "id": 2352 - }, - "pid": 744, - "id": 744, - "name": "NtLmSsp " - }, - "user": { - "id": "S-1-0-0", - "target": { - "name": "SVC_DD_SP-SEARCH", - "domain": "KEY", - "id": "S-1-5-21-1574594750-1263408776-2012955550-69701" - }, - "name": "-", - "domain": "-" + } }, "related": { "hosts": [ @@ -1756,6 +1732,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "-" ] + }, + "sekoiaio": { + "client": { + "name": "V-FOO", + "os": { + "type": "windows" + } + }, + "server": { + "name": "V-FOO", + "os": { + "type": "windows" + } + } + }, + "user": { + "domain": "-", + "id": "S-1-0-0", + "name": "-", + "target": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-69701", + "name": "SVC_DD_SP-SEARCH" + } } } 
@@ -1769,47 +1769,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EventTime\":\"2011-04-12 17:42:04\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4624,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":12544,\"OpcodeValue\":0,\"RecordNumber\":504041,\"ActivityID\":\"{593B242C-183A-44F2-8977-2A836ABEC213}\",\"ProcessID\":996,\"ThreadID\":1920,\"Channel\":\"Security\",\"Message\":\"L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\\r\\n\\r\\nObjet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tPCFOO$\\r\\n\\tDomaine du compte :\\t\\tFOOBAR\\r\\n\\tID d'ouverture de session :\\t\\t0x3E7\\r\\n\\r\\nInformations d'ouverture de session :\\r\\n\\tType d'ouverture de session :\\t\\t9\\r\\n\\tMode administrateur restreint :\\t-\\r\\n\\tCompte virtuel :\\t\\tNon\\r\\n\\tJeton \u00e9lev\u00e9 :\\t\\tOui\\r\\n\\r\\nNiveau d'emprunt d'identit\u00e9 :\\t\\tEmprunt d\u2019identit\u00e9\\r\\n\\r\\nNouvelle ouverture de session :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tSyst\u00e8me\\r\\n\\tDomaine du compte :\\t\\tAUTORITE NT\\r\\n\\tID d'ouverture de session :\\t\\t0x7E767BC\\r\\n\\tID d'ouverture de session li\u00e9e :\\t\\t0x0\\r\\n\\tNom du compte r\u00e9seau :\\tsvc_admin_sccm\\r\\n\\tDomaine du compte r\u00e9seau :\\tFOOBAR\\r\\n\\tGUID d'ouverture de session :\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\r\\nInformations sur le processus :\\r\\n\\tID du processus :\\t\\t0x2780\\r\\n\\tNom du processus :\\t\\tC:\\\\Windows\\\\CCM\\\\CcmExec.exe\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tNom de la station de travail :\\t-\\r\\n\\tAdresse du r\u00e9seau source :\\t-\\r\\n\\tPort source :\\t\\t-\\r\\n\\r\\nInformations 
d\u00e9taill\u00e9es sur l'authentification :\\r\\n\\tProcessus d'ouverture de session :\\t\\tAdvapi \\r\\n\\tPackage d'authentification :\\tNegotiate\\r\\n\\tServices en transit :\\t-\\r\\n\\tNom du package (NTLM uniquement) :\\t-\\r\\n\\tLongueur de la cl\u00e9 :\\t\\t0\\r\\n\\r\\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\\r\\n\\r\\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\\r\\n\\r\\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\\r\\n\\r\\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\\r\\n\\r\\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\\r\\n\\r\\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\\r\\n\\r\\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\\r\\n\\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\\r\\n\\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\\r\\n\\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\\r\\n\\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.\",\"Category\":\"Logon\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"PCFOO$\",\"SubjectDomainName\":\"FOOBAR\",\"SubjectLogonId\":\"0x3e7\",\"TargetUserSid\":\"S-1-5-18\",\"TargetUserName\":\"Syst\u00e8me\",\"TargetDomainName\":\"AUTORITE NT\",\"TargetLogonId\":\"0x7e767bc\",\"LogonType\":\"9\",\"LogonProcessName\":\"Advapi 
\",\"AuthenticationPackageName\":\"Negotiate\",\"WorkstationName\":\"-\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LmPackageName\":\"-\",\"KeyLength\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"RestrictedAdminMode\":\"-\",\"TargetOutboundUserName\":\"svc_admin_sccm\",\"TargetOutboundDomainName\":\"FOOBAR\",\"VirtualAccount\":\"%%1843\",\"TargetLinkedLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"EventReceivedTime\":\"2011-04-12 17:42:06\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tPCFOO$\r\n\tDomaine du compte :\t\tFOOBAR\r\n\tID d'ouverture de session :\t\t0x3E7\r\n\r\nInformations d'ouverture de session :\r\n\tType d'ouverture de session :\t\t9\r\n\tMode administrateur restreint :\t-\r\n\tCompte virtuel :\t\tNon\r\n\tJeton \u00e9lev\u00e9 :\t\tOui\r\n\r\nNiveau d'emprunt d'identit\u00e9 :\t\tEmprunt d\u2019identit\u00e9\r\n\r\nNouvelle ouverture de session :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tSyst\u00e8me\r\n\tDomaine du compte :\t\tAUTORITE NT\r\n\tID d'ouverture de session :\t\t0x7E767BC\r\n\tID d'ouverture de session li\u00e9e :\t\t0x0\r\n\tNom du compte r\u00e9seau :\tsvc_admin_sccm\r\n\tDomaine du compte r\u00e9seau :\tFOOBAR\r\n\tGUID d'ouverture de session :\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nInformations sur le processus :\r\n\tID du processus :\t\t0x2780\r\n\tNom du processus :\t\tC:\\Windows\\CCM\\CcmExec.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\t-\r\n\tAdresse du r\u00e9seau source :\t-\r\n\tPort source :\t\t-\r\n\r\nInformations 
d\u00e9taill\u00e9es sur l'authentification :\r\n\tProcessus d'ouverture de session :\t\tAdvapi \r\n\tPackage d'authentification :\tNegotiate\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de la cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\r\n\r\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\r\n\r\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\r\n\r\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\r\n\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\r\n\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.", + "action": "authentication_alternative_credentials", "category": [ "authentication" ], + "code": "4624", + "message": "L'ouverture de session d'un compte s'est correctement d\u00e9roul\u00e9e.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tPCFOO$\r\n\tDomaine du compte :\t\tFOOBAR\r\n\tID d'ouverture de session :\t\t0x3E7\r\n\r\nInformations d'ouverture de session :\r\n\tType d'ouverture de session :\t\t9\r\n\tMode administrateur restreint :\t-\r\n\tCompte virtuel :\t\tNon\r\n\tJeton \u00e9lev\u00e9 :\t\tOui\r\n\r\nNiveau d'emprunt d'identit\u00e9 :\t\tEmprunt d\u2019identit\u00e9\r\n\r\nNouvelle ouverture de session :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tSyst\u00e8me\r\n\tDomaine du compte :\t\tAUTORITE NT\r\n\tID d'ouverture de session :\t\t0x7E767BC\r\n\tID d'ouverture de session li\u00e9e :\t\t0x0\r\n\tNom du compte r\u00e9seau :\tsvc_admin_sccm\r\n\tDomaine du 
compte r\u00e9seau :\tFOOBAR\r\n\tGUID d'ouverture de session :\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nInformations sur le processus :\r\n\tID du processus :\t\t0x2780\r\n\tNom du processus :\t\tC:\\Windows\\CCM\\CcmExec.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tNom de la station de travail :\t-\r\n\tAdresse du r\u00e9seau source :\t-\r\n\tPort source :\t\t-\r\n\r\nInformations d\u00e9taill\u00e9es sur l'authentification :\r\n\tProcessus d'ouverture de session :\t\tAdvapi \r\n\tPackage d'authentification :\tNegotiate\r\n\tServices en transit :\t-\r\n\tNom du package (NTLM uniquement) :\t-\r\n\tLongueur de la cl\u00e9 :\t\t0\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d'une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l'ordinateur sur lequel l'ouverture de session a \u00e9t\u00e9 effectu\u00e9e.\r\n\r\nLe champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l'ouverture de session. Il s'agit le plus souvent d'un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.\r\n\r\nLe champ Type d'ouverture de session indique le type d'ouverture de session qui s'est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).\r\n\r\nLe champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s'est connect\u00e9.\r\n\r\nLes champs relatifs au r\u00e9seau indiquent la provenance d'une demande d'ouverture de session \u00e0 distance. 
Le nom de la station de travail n'\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.\r\n\r\nLe champ du niveau d'emprunt d'identit\u00e9 indique la port\u00e9e de l'emprunt d'identit\u00e9 que peut prendre un processus dans la session d'ouverture de session.\r\n\r\nLes champs relatifs aux informations d'authentification fournissent des d\u00e9tails sur cette demande d'ouverture de session sp\u00e9cifique.\r\n\t- Le GUID d'ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .\r\n\t- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d'ouverture de session.\r\n\t- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.\r\n\t- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e. Elle a la valeur 0 si aucune cl\u00e9 de session n'a \u00e9t\u00e9 demand\u00e9e.", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "action": "authentication_alternative_credentials" - }, - "sekoiaio": { - "client": { - "os": { - "type": "windows" - }, - "name": "PCFOO.corp.net" - }, - "server": { - "name": "PCFOO.corp.net", - "os": { - "type": "windows" - } - } + ] }, "action": { - "record_id": 504041, - "type": "Security", "id": 4624, + "name": "An account was successfully logged on", + "outcome": "success", "properties": { "AuthenticationPackageName": "Negotiate", "EventType": "AUDIT_SUCCESS", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", + "Keywords": "-9214364837600034816", "LogonProcessName": "Advapi ", "LogonType": "9", "OpcodeValue": 0, "ProcessName": "c:\\windows\\ccm\\ccmexec.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "FOOBAR", "SubjectLogonId": "0x3e7", 
"SubjectUserName": "PCFOO$", @@ -1820,44 +1808,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetUserName": "Syst\u00e8me", "TargetUserSid": "S-1-5-18", "Task": 12544, - "WorkstationName": "-", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "WorkstationName": "-" }, - "name": "An account was successfully logged on", - "outcome": "success" - }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "info" + "record_id": 504041, + "type": "Security" }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 1920 - }, "executable": "c:\\windows\\ccm\\ccmexec.exe", - "pid": 996, "id": 996, "name": "Advapi ", - "working_directory": "c:\\windows\\ccm\\" - }, - "user": { - "id": "S-1-5-18", - "target": { - "name": "Syst\u00e8me", - "domain": "AUTORITE NT", - "id": "S-1-5-18" + "pid": 996, + "thread": { + "id": 1920 }, - "name": "PCFOO$", - "domain": "FOOBAR" + "working_directory": "c:\\windows\\ccm\\" }, "related": { "hosts": [ @@ -1866,6 +1842,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "PCFOO$" ] + }, + "sekoiaio": { + "client": { + "name": "PCFOO.corp.net", + "os": { + "type": "windows" + } + }, + "server": { + "name": "PCFOO.corp.net", + "os": { + "type": "windows" + } + } + }, + "user": { + "domain": "FOOBAR", + "id": "S-1-5-18", + "name": "PCFOO$", + "target": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" + } } } 
@@ -1880,60 +1880,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 15:24:15\",\"Hostname\":\"HOSTBAZ-001.ad.HOSTFOO.com\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4634,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12545,\"OpcodeValue\":0,\"RecordNumber\":47121546,\"ProcessID\":560,\"ThreadID\":2172,\"Channel\":\"Security\",\"Message\":\"An account was logged off.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1519513455-2607746426-4144247390-71234\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tAD\\r\\n\\tLogon ID:\\t\\t0x3912391A\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"Category\":\"Logoff\",\"Opcode\":\"Info\",\"TargetUserSid\":\"S-1-5-21-1519513455-2607746426-4144247390-71234\",\"TargetUserName\":\"USERFOO\",\"ComputerName\":\"FoobarComputer\",\"TargetDomainName\":\"AD\",\"TargetLogonId\":\"0x3912391a\",\"LogonType\":\"3\",\"EventReceivedTime\":\"2019-12-16 15:24:17\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." 
+ "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 47121546, - "type": "Security", "id": 4634, + "name": "An account was logged off", + "outcome": "success", "properties": { "ComputerName": "FoobarComputer", "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "LogonType": "3", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", - "Task": 12545, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 12545 }, - "name": "An account was logged off", - "outcome": "success" - }, - "log": { - "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", - "level": "info" + "record_id": 47121546, + "type": "Security" }, "host": { "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", "name": "HOSTBAZ-001.ad.HOSTFOO.com" }, + "log": { + "hostname": "HOSTBAZ-001.ad.HOSTFOO.com", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 560, + "pid": 560, "thread": { "id": 2172 - }, - "pid": 560, - "id": 560 - }, - "user": { - "target": { - "name": "USERFOO", - "domain": "AD", - "id": "S-1-5-21-1519513455-2607746426-4144247390-71234" } }, "related": { "hosts": [ "HOSTBAZ-001.ad.HOSTFOO.com" ] + }, + "user": { + "target": { + "domain": "AD", + "id": "S-1-5-21-1519513455-2607746426-4144247390-71234", + "name": "USERFOO" + 
} } } 
@@ -1948,21 +1948,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-24 00:06:15\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5145,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12811,\"OpcodeValue\":0,\"RecordNumber\":23997037887,\"ProcessID\":776,\"ThreadID\":784,\"Channel\":\"Security\",\"Message\":\"A network share object was checked to see whether client can be granted desired access.\\r\\n\\t\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-123016\\r\\n\\tAccount Name:\\t\\tBAZ256$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xA62B3A8AE\\r\\n\\r\\nNetwork Information:\\t\\r\\n\\tObject Type:\\t\\tFile\\r\\n\\tSource Address:\\t\\t1.1.1.1\\r\\n\\tSource Port:\\t\\t51042\\r\\n\\t\\r\\nShare Information:\\r\\n\\tShare Name:\\t\\t\\\\\\\\*\\\\SYSVOL\\r\\n\\tShare Path:\\t\\t\\\\??\\\\D:\\\\ActiveDirectory\\\\SYSVOL\\\\sysvol\\r\\n\\tRelative Target Name:\\tKEY.ACME.COM\\\\POLICIES\\\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\\\MACHINE\\r\\n\\r\\nAccess Request Information:\\r\\n\\tAccess Mask:\\t\\t0x100081\\r\\n\\tAccesses:\\t\\tSYNCHRONIZE\\r\\n\\t\\t\\t\\tReadData (or ListDirectory)\\r\\n\\t\\t\\t\\tReadAttributes\\r\\n\\t\\t\\t\\t\\r\\nAccess Check Results:\\r\\n\\tSYNCHRONIZE:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\tReadData (or ListDirectory):\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\tReadAttributes:\\tGranted by\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t\\r\\n\",\"Category\":\"Detailed File 
Share\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-123016\",\"SubjectUserName\":\"BAZ256$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xa62b3a8ae\",\"ObjectType\":\"File\",\"IpAddress\":\"1.1.1.1\",\"IpPort\":\"51042\",\"ShareName\":\"\\\\\\\\*\\\\SYSVOL\",\"ShareLocalPath\":\"\\\\??\\\\D:\\\\ActiveDirectory\\\\SYSVOL\\\\sysvol\",\"RelativeTargetName\":\"KEY.ACME.COM\\\\POLICIES\\\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\\\MACHINE\",\"AccessMask\":\"0x100081\",\"AccessList\":\"%%1541\\r\\n\\t\\t\\t\\t%%4416\\r\\n\\t\\t\\t\\t%%4423\\r\\n\\t\\t\\t\\t\",\"AccessReason\":\"%%1541:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t%%4416:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t%%4423:\\t%%1801\\tD:(A;;0x1200a9;;;WD)\\r\\n\\t\\t\\t\\t\",\"EventReceivedTime\":\"2010-04-24 00:06:17\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5145", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123016\r\n\tAccount Name:\t\tBAZ256$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA62B3A8AE\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t1.1.1.1\r\n\tSource Port:\t\t51042\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tKEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100081\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted 
by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n" + "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123016\r\n\tAccount Name:\t\tBAZ256$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA62B3A8AE\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t1.1.1.1\r\n\tSource Port:\t\t51042\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tKEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100081\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 23997037887, - "type": "Security", "id": 5145, + "name": "A network share object was checked to see whether client can be granted desired access", + "outcome": "success", "properties": { - "Accesses": "\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes", "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t", "AccessMask": "0x100081", "AccessReason": "%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4416:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t", + "Accesses": "\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes", "EventType": "AUDIT_SUCCESS", "IpAddress": "1.1.1.1", "IpPort": "51042", + "Keywords": "-9214364837600034816", "ObjectType": "File", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", 
@@ -1970,44 +1971,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Severity": "INFO", "ShareLocalPath": "\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol", "ShareName": "\\\\*\\SYSVOL", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0xa62b3a8ae", "SubjectUserName": "BAZ256$", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123016", - "Task": 12811, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 12811 }, - "name": "A network share object was checked to see whether client can be granted desired access", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "record_id": 23997037887, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 776, + "pid": 776, "thread": { "id": 784 - }, - "pid": 776, - "id": 776 - }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-123016", - "name": "BAZ256$", - "domain": "KEY" - }, - "source": { - "ip": "1.1.1.1", - "address": "1.1.1.1" + } }, "related": { "hosts": [ @@ -2019,6 +2010,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "BAZ256$" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-123016", + "name": "BAZ256$" } } 
@@ -2033,46 +2033,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-05-17 11:52:46\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":3,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":3,\"OpcodeValue\":0,\"RecordNumber\":51,\"ProcessID\":3912,\"ThreadID\":532,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2019-05-17 09:52:38.882\\r\\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\\r\\nProcessId: 4200\\r\\nImage: C:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\MicrosoftEdgeCP.exe\\r\\nUser: DESKTOP-FOOBARZ\\\\UserFoo\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 1.1.1.1\\r\\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\\r\\nSourcePort: 49718\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.1\\r\\nDestinationHostname: \\r\\nDestinationPort: 443\\r\\nDestinationPortName: https\",\"Category\":\"Network connection detected (rule: NetworkConnect)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-05-17 09:52:38.882\",\"ProcessGuid\":\"{0BA009B0-846C-5CDE-0000-0010821E0D00}\",\"Image\":\"C:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\MicrosoftEdgeCP.exe\",\"User\":\"DESKTOP-FOOBARZ\\\\UserFoo\",\"Protocol\":\"tcp\",\"Initiated\":\"true\",\"SourceIsIpv6\":\"false\",\"SourceIp\":\"1.1.1.1\",\"SourceHostname\":\"DESKTOP-FOOBARZ.entreprise.sekoia\",\"SourcePort\":\"49718\",\"DestinationIsIpv6\":\"false\",\"DestinationIp\":\"1.1.1.1\",\"DestinationPort\":\"443\",\"DestinationPortName\":\"https\",\"EventReceivedTime\":\"2019-05-17 
11:52:46\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "3", - "provider": "Microsoft-Windows-Sysmon", - "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:38.882\r\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nUser: DESKTOP-FOOBARZ\\UserFoo\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\r\nSourcePort: 49718\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 443\r\nDestinationPortName: https" + "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:38.882\r\nProcessGuid: {0BA009B0-846C-5CDE-0000-0010821E0D00}\r\nProcessId: 4200\r\nImage: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe\r\nUser: DESKTOP-FOOBARZ\\UserFoo\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: DESKTOP-FOOBARZ.entreprise.sekoia\r\nSourcePort: 49718\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 443\r\nDestinationPortName: https", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2019-05-17T09:52:38.882000Z", "action": { - "record_id": 51, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 3, + "name": "Network connection", "properties": { - "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", "AccountName": "Syst\u00e8me", "AccountType": "User", + "DestinationPort": "443", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": 
"{0BA009B0-846C-5CDE-0000-0010821E0D00}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 3, - "User": "DESKTOP-FOOBARZ\\UserFoo", "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "DestinationPort": "443" + "Task": 3, + "User": "DESKTOP-FOOBARZ\\UserFoo" }, - "name": "Network connection", - "target": "network-traffic" + "record_id": 51, + "target": "network-traffic", + "type": "Microsoft-Windows-Sysmon/Operational" }, "destination": { + "address": "1.1.1.1", "ip": "1.1.1.1", - "port": 443, - "address": "1.1.1.1" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "port": 443 }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "network": { "transport": "tcp", "type": "ipv4" @@ -2083,26 +2083,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "executable": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "id": 4200, + "name": "microsoftedgecp.exe", + "pid": 4200, "thread": { "id": 532 }, - "pid": 4200, - "id": 4200, - "name": "microsoftedgecp.exe", "working_directory": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\" }, - "source": { - "domain": "DESKTOP-FOOBARZ.entreprise.sekoia", - "port": 49718, - "ip": "1.1.1.1", - "address": "DESKTOP-FOOBARZ.entreprise.sekoia", - "size_in_char": 33 - }, - "user": { - "id": "S-1-5-18", - "name": "UserFoo", - "domain": "DESKTOP-FOOBARZ" - }, "related": { "hosts": [ "DESKTOP-FOOBARZ", 
@@ -2114,6 +2102,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "UserFoo" ] + }, + "source": { + "address": "DESKTOP-FOOBARZ.entreprise.sekoia", + "domain": "DESKTOP-FOOBARZ.entreprise.sekoia", + "ip": "1.1.1.1", + "port": 49718, + "size_in_char": 33 + }, + "user": { + "domain": "DESKTOP-FOOBARZ", + "id": "S-1-5-18", + "name": "UserFoo" } } 
@@ -2128,18 +2128,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-28 08:22:44\",\"Hostname\":\"CAYENNE\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1551703898,\"ProcessID\":4,\"ThreadID\":13732,\"Channel\":\"Security\",\"Message\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-122301\\r\\n\\tAccount Name:\\t\\tadm_FOOBAZ\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xF22F28C6\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x2bfc\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeFull (2)\\r\\n\\tCreator Process ID:\\t0x2a28\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"Category\":\"Process Creation\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-122301\",\"SubjectUserName\":\"adm_FOOBAZ\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xf22f28c6\",\"NewProcessId\":\"0x2bfc\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\",\"TokenElevationType\":\"%%1937\",\"TargetUserSid\":\"S-1-0-0\",\"TargetUserName\":\"-\",\"TargetDomainName\":\"-\",\"TargetLogonId\":\"0x0\",\"EventReceivedTime\":\"2010-04-28 08:22:45\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4688", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-122301\r\n\tAccount Name:\t\tadm_FOOBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xF22F28C6\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2bfc\r\n\tNew Process Name:\tC:\\Windows\\System32\\wbem\\WMIC.exe\r\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\r\n\tCreator Process ID:\t0x2a28\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator." + "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-122301\r\n\tAccount Name:\t\tadm_FOOBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xF22F28C6\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2bfc\r\n\tNew Process Name:\tC:\\Windows\\System32\\wbem\\WMIC.exe\r\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\r\n\tCreator Process ID:\t0x2a28\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. 
An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 1551703898, - "type": "Security", "id": 4688, + "name": "A new process has been created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0xf22f28c6", "SubjectUserName": "adm_FOOBAZ", 
@@ -2147,44 +2149,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetDomainName": "-", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13312 }, - "name": "A new process has been created", - "outcome": "success" - }, - "log": { - "hostname": "CAYENNE", - "level": "info" + "record_id": 1551703898, + "type": "Security" }, "host": { "hostname": "CAYENNE", "name": "CAYENNE" }, + "log": { + "hostname": "CAYENNE", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 13732 - }, - "executable": "c:\\windows\\system32\\wbem\\wmic.exe", - "pid": 11260, - "id": 11260, - "name": "wmic.exe", - "working_directory": "c:\\windows\\system32\\wbem\\" - }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-122301", - "target": { - "name": "-", - "domain": "-", - "id": "S-1-0-0" + "executable": "c:\\windows\\system32\\wbem\\wmic.exe", + "id": 11260, + "name": "wmic.exe", + "pid": 11260, + "thread": { + "id": 13732 }, - "name": "adm_FOOBAZ", - "domain": "KEY" + "working_directory": "c:\\windows\\system32\\wbem\\" }, "related": { "hosts": [ @@ -2193,6 +2183,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "adm_FOOBAZ" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-122301", + "name": "adm_FOOBAZ", + "target": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + } } } 
@@ -2207,41 +2207,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-05-16 18:07:37\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":36028797018963968,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6000,\"SourceName\":\"Microsoft-Windows-Winlogon\",\"ProviderGuid\":\"{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":628,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Application\",\"Message\":\"L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification.\",\"EventReceivedTime\":\"2019-05-17 09:56:11\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "6000", - "provider": "Microsoft-Windows-Winlogon", - "message": "L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification." 
+ "message": "L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification.", + "provider": "Microsoft-Windows-Winlogon" }, "action": { - "record_id": 628, - "type": "Application", "id": 6000, "properties": { "EventType": "INFO", + "Keywords": "36028797018963968", "OpcodeValue": 0, "ProviderGuid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}", "Severity": "INFO", - "Task": 0, "SourceName": "Microsoft-Windows-Winlogon", - "Keywords": "36028797018963968" - } - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "Task": 0 + }, + "record_id": 628, + "type": "Application" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 0, + "pid": 0, "thread": { "id": 0 - }, - "pid": 0, - "id": 0 + } }, "related": { "hosts": [ 
@@ -2261,19 +2261,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-04-23 13:28:14\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4662,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14080,\"OpcodeValue\":0,\"RecordNumber\":25279566314,\"ProcessID\":1816,\"ThreadID\":15456,\"Channel\":\"Security\",\"Message\":\"An operation was performed on an object.\\r\\n\\r\\nSubject :\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-98189\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x8C042A219\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tDS\\r\\n\\tObject Type:\\t\\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\\tObject Name:\\t\\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\\r\\n\\tHandle ID:\\t\\t0x0\\r\\n\\r\\nOperation:\\r\\n\\tOperation Type:\\t\\tObject Access\\r\\n\\tAccesses:\\t\\tControl Access\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Mask:\\t\\t0x100\\r\\n\\tProperties:\\t\\tControl Access\\r\\n\\t\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\\r\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\\r\\n\\r\\nAdditional Information:\\r\\n\\tParameter 1:\\t\\t-\\r\\n\\tParameter 2:\\t\\t\",\"Category\":\"Directory Service Access\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-98189\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x8c042a219\",\"ObjectServer\":\"DS\",\"ObjectType\":\"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\",\"ObjectName\":\"%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\",\"OperationType\":\"Object 
Access\",\"HandleId\":\"0x0\",\"AccessList\":\"%%7688\\r\\n\\t\\t\\t\\t\",\"AccessMask\":\"0x100\",\"Properties\":\"%%7688\\r\\n\\t\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\\r\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\\r\\n\",\"AdditionalInfo\":\"-\",\"EventReceivedTime\":\"2010-04-23 13:28:14\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4662", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-98189\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x8C042A219\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t" + "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-98189\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x8C042A219\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t", + "provider": "Microsoft-Windows-Security-Auditing" 
}, "action": { - "record_id": 25279566314, - "type": "Security", "id": 4662, + "name": "An operation was performed on an object", + "outcome": "success", "properties": { - "Accesses": "\t\tControl Access", "AccessList": "%%7688\r\n\t\t\t\t", "AccessMask": "0x100", + "Accesses": "\t\tControl Access", "EventType": "AUDIT_SUCCESS", "HandleId": "0x0", + "Keywords": "-9214364837600034816", "ObjectName": "%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}", "ObjectServer": "DS", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", @@ -2282,40 +2283,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Properties": "%%7688\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x8c042a219", "SubjectUserName": "V-FOO$", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-98189", - "Task": 14080, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 14080 }, - "name": "An operation was performed on an object", - "outcome": "success" - }, - "log": { - "hostname": "FOOBAZ11", - "level": "info" + "record_id": 25279566314, + "type": "Security" }, "host": { "hostname": "FOOBAZ11", "name": "FOOBAZ11" }, + "log": { + "hostname": "FOOBAZ11", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1816, + "pid": 1816, "thread": { "id": 15456 - }, - "pid": 1816, - "id": 1816 - }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-98189", - "name": "V-FOO$", - "domain": "KEY" + } }, "related": { "hosts": [ @@ -2324,6 +2319,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "V-FOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-98189", + "name": "V-FOO$" } } 
@@ -2338,53 +2338,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-05-19 12:11:47\",\"Hostname\":\"V-FOO\",\"Keywords\":0,\"EventType\":\"VERBOSE\",\"SeverityValue\":1,\"Severity\":\"DEBUG\",\"EventID\":4104,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":2,\"OpcodeValue\":15,\"RecordNumber\":272330460,\"ActivityID\":\"{5D86B418-29E5-0000-F508-CD69E529D601}\",\"ProcessID\":968,\"ThreadID\":5568,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Creating Scriptblock text (1 of 1):\\r\\n{ @('Object') -contains $_ }\\r\\n\\r\\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\\r\\nPath: \",\"Category\":\"Execute a Remote Command\",\"Opcode\":\"On create calls\",\"MessageNumber\":\"1\",\"MessageTotal\":\"1\",\"ScriptBlockText\":\"{ @('Object') -contains $_ }\",\"ScriptBlockId\":\"592078b2-e981-40be-a166-10896495067b\",\"EventReceivedTime\":\"2010-05-19 12:11:48\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4104", - "provider": "Microsoft-Windows-PowerShell", - "message": "Creating Scriptblock text (1 of 1):\r\n{ @('Object') -contains $_ }\r\n\r\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\r\nPath: " + "message": "Creating Scriptblock text (1 of 1):\r\n{ @('Object') -contains $_ }\r\n\r\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\r\nPath: ", + "provider": "Microsoft-Windows-PowerShell" }, "action": { - "record_id": 272330460, - "type": "Microsoft-Windows-PowerShell/Operational", "id": 4104, + "name": "Creating Scriptblock text", "properties": { "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "VERBOSE", + "Keywords": "0", "OpcodeValue": 15, "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", 
"ScriptBlockId": "592078b2-e981-40be-a166-10896495067b", "ScriptBlockText": "{ @('Object') -contains $_ }", "Severity": "DEBUG", - "Task": 2, "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0" + "Task": 2 }, - "name": "Creating Scriptblock text" - }, - "log": { - "hostname": "V-FOO", - "level": "debug" + "record_id": 272330460, + "type": "Microsoft-Windows-PowerShell/Operational" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "debug" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 968, + "name": "powershell.exe", + "pid": 968, "thread": { "id": 5568 - }, - "pid": 968, - "id": 968, - "name": "powershell.exe" - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ @@ -2393,6 +2388,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -2407,12 +2407,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-02 17:20:14\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":249099289,\"ActivityID\":\"{264E110A-980D-0002-50EB-4F260D98D601}\",\"ProcessID\":2816,\"ThreadID\":3184,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation(Write-Verbose): \\\"Write-Verbose\\\"\\r\\nParameterBinding(Write-Verbose): name=\\\"Message\\\"; value=\\\"ParentDisplayName\\\"\\r\\n\\r\\n\\r\\nContext:\\r\\n Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14409.1018\\r\\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\\r\\n Host Application = C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\\\ProgramData\\\\PuppetLabs\\\\facter\\\\facts.d\\\\InstalledSoftware.ps1\\r\\n Engine Version = 5.1.14409.1018\\r\\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\\r\\n Pipeline ID = 1\\r\\n Command Name = Write-Verbose\\r\\n Command Type = Cmdlet\\r\\n Script Name = C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\PSSoftware\\\\1.0.29\\\\PSSoftware.psm1\\r\\n Command Path = \\r\\n Sequence Number = 3930\\r\\n User = WORKGROUP\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nUser Data:\\r\\n\\r\\n\",\"Category\":\"Executing Pipeline\",\"Opcode\":\"To be used when operation is just executing a method\",\"ContextInfo\":\" Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14409.1018\\r\\n 
Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\\r\\n Host Application = C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\\\ProgramData\\\\PuppetLabs\\\\facter\\\\facts.d\\\\InstalledSoftware.ps1\\r\\n Engine Version = 5.1.14409.1018\\r\\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\\r\\n Pipeline ID = 1\\r\\n Command Name = Write-Verbose\\r\\n Command Type = Cmdlet\\r\\n Script Name = C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\PSSoftware\\\\1.0.29\\\\PSSoftware.psm1\\r\\n Command Path = \\r\\n Sequence Number = 3930\\r\\n User = WORKGROUP\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation(Write-Verbose): \\\"Write-Verbose\\\"\\r\\nParameterBinding(Write-Verbose): name=\\\"Message\\\"; value=\\\"ParentDisplayName\\\"\\r\\n\",\"EventReceivedTime\":\"2010-10-02 17:20:19\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "provider": "Microsoft-Windows-PowerShell", - "message": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n 
Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n" + "message": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n", + "provider": "Microsoft-Windows-PowerShell" }, "action": { - "record_id": 249099289, - "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, "properties": { "AccountName": "SYSTEM", 
@@ -2420,41 +2418,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", "Domain": "NT AUTHORITY", "EventType": "INFO", + "HostApplication": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1", + "HostName": "ConsoleHost", + "Keywords": "0", "OpcodeValue": 20, "Payload": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n", "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "Severity": "INFO", - "Task": 106, "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1", - "HostName": "ConsoleHost" - } - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "Task": 106 + }, + "record_id": 249099289, + "type": "Microsoft-Windows-PowerShell/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": 
"DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 2816, + "name": "powershell.exe", + "pid": 2816, "thread": { "id": 3184 - }, - "pid": 2816, - "id": 2816, - "name": "powershell.exe" - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ @@ -2463,6 +2458,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -2477,12 +2477,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-08-22 20:12:26\",\"Hostname\":\"DC2.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":32670,\"ActivityID\":\"{AA56825F-C7FE-0000-D33D-F2AAFEC7D901}\",\"ProcessID\":5676,\"ThreadID\":3020,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation(Add-Type): \\\"Add-Type\\\"\\r\\nParameterBinding(Add-Type): name=\\\"AssemblyName\\\"; value=\\\"System.Core\\\"\\r\\n\\r\\n\\r\\nContext:\\r\\n Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14393.5582\\r\\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\\r\\n Engine Version = 5.1.14393.5582\\r\\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\\r\\n Pipeline ID = 1\\r\\n Command Name = Add-Type\\r\\n Command Type = Cmdlet\\r\\n Script 
Name = \\r\\n Command Path = \\r\\n Sequence Number = 18\\r\\n User = INTRANET\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nUser Data:\\r\\n\\r\\n\",\"Category\":\"Executing Pipeline\",\"Opcode\":\"To be used when operation is just executing a method\",\"ContextInfo\":\" Severity = Informational\\r\\n Host Name = ConsoleHost\\r\\n Host Version = 5.1.14393.5582\\r\\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\\r\\n Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\\r\\n Engine Version = 5.1.14393.5582\\r\\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\\r\\n Pipeline ID = 1\\r\\n Command Name = Add-Type\\r\\n Command Type = Cmdlet\\r\\n Script Name = \\r\\n Command Path = \\r\\n Sequence Number = 18\\r\\n User = INTRANET\\\\SYSTEM\\r\\n Connected User = \\r\\n Shell ID = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation(Add-Type): \\\"Add-Type\\\"\\r\\nParameterBinding(Add-Type): name=\\\"AssemblyName\\\"; value=\\\"System.Core\\\"\\r\\n\",\"EventReceivedTime\":\"2023-08-22 20:12:27\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "provider": "Microsoft-Windows-PowerShell", - "message": "CommandInvocation(Add-Type): 
\"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n" + "message": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, 
$h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n", + "provider": "Microsoft-Windows-PowerShell" }, "action": { - "record_id": 32670, - "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, "properties": { "AccountName": "SYSTEM", 
@@ -2490,41 +2488,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ContextInfo": " Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", "Domain": "NT AUTHORITY", "EventType": "INFO", + "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = 
[System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}", + "HostName": "ConsoleHost", + "Keywords": "0", "OpcodeValue": 20, "Payload": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n", "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "Severity": "INFO", - "Task": 106, "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}", - "HostName": "ConsoleHost" - } - }, - "log": { - "hostname": "DC2.corp.net", - "level": "info" + "Task": 106 + }, + "record_id": 32670, + "type": "Microsoft-Windows-PowerShell/Operational" }, "host": { "hostname": "DC2.corp.net", "name": "DC2.corp.net" }, + "log": { + "hostname": "DC2.corp.net", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 5676, + "name": "powershell.exe", + "pid": 5676, "thread": { "id": 3020 - }, - "pid": 5676, - "id": 5676, - "name": "powershell.exe" - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ 
@@ -2533,6 +2528,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -2547,12 +2547,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-04-18 14:51:32\",\"Hostname\":\"PCFOO4147.corp.net\",\"Keywords\":0,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4103,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":106,\"OpcodeValue\":20,\"RecordNumber\":1079309,\"ActivityID\":\"{83B38D2A-3444-0004-D607-B4834434D701}\",\"ProcessID\":5532,\"ThreadID\":7212,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\\r\\n\\r\\n\\r\\n\\r\\nContexte :\\r\\n Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.18362.1171\\r\\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\\r\\n Application h\u00f4te = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.18362.1171\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\\r\\n ID de pipeline = 1\\r\\n Nom de commande = \\r\\n Type de commande = Script\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 18\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\\r\\n\\r\\nDonn\u00e9es utilisateur :\\r\\n\\r\\n\",\"Category\":\"Ex\u00e9cution du pipeline\",\"Opcode\":\"\u00c0 
utiliser lorsque l'op\u00e9ration ex\u00e9cute uniquement une m\u00e9thode\",\"ContextInfo\":\" Gravit\u00e9 = Informational\\r\\n Nom d\u2019h\u00f4te = ConsoleHost\\r\\n Version de l\u2019h\u00f4te = 5.1.18362.1171\\r\\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\\r\\n Application h\u00f4te = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe get-process | select processname\\r\\n Version du moteur = 5.1.18362.1171\\r\\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\\r\\n ID de pipeline = 1\\r\\n Nom de commande = \\r\\n Type de commande = Script\\r\\n Nom du script = \\r\\n Chemin de la commande = \\r\\n Num\u00e9ro de s\u00e9quence = 18\\r\\n Utilisateur = FOOBAR\\\\Syst\u00e8me\\r\\n Utilisateur connect\u00e9 = \\r\\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\\r\\n\",\"Payload\":\"CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\\r\\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\\r\\n\",\"EventReceivedTime\":\"2011-04-18 14:51:33\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4103", - "provider": "Microsoft-Windows-PowerShell", - "message": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\r\n\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 
5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n" + "message": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\r\n\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n", + "provider": "Microsoft-Windows-PowerShell" }, "action": { - "record_id": 1079309, - "type": "Microsoft-Windows-PowerShell/Operational", "id": 4103, "properties": { "AccountName": "Syst\u00e8me", 
@@ -2560,41 +2558,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ContextInfo": " Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n", "Domain": "AUTORITE NT", "EventType": "INFO", + "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", + "HostName": "ConsoleHost", + "Keywords": "0", "OpcodeValue": 20, "Payload": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\n", "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "Severity": "INFO", - "Task": 106, "SourceName": "Microsoft-Windows-PowerShell", - "Keywords": "0", - "HostApplication": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname", - "HostName": "ConsoleHost" - } - }, - "log": { - "hostname": "PCFOO4147.corp.net", - "level": "info" + "Task": 106 + }, + "record_id": 1079309, + "type": "Microsoft-Windows-PowerShell/Operational" }, "host": { "hostname": "PCFOO4147.corp.net", "name": "PCFOO4147.corp.net" }, + "log": { + "hostname": "PCFOO4147.corp.net", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + 
"id": 5532, + "name": "powershell.exe", + "pid": 5532, "thread": { "id": 7212 - }, - "pid": 5532, - "id": 5532, - "name": "powershell.exe" - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" + } }, "related": { "hosts": [ @@ -2603,6 +2598,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -2617,20 +2617,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-28 18:30:29\",\"Hostname\":\"V-FOO\",\"Keywords\":-9218868437227405312,\"EventType\":\"AUDIT_FAILURE\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":4656,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12804,\"OpcodeValue\":0,\"RecordNumber\":9931381860,\"ProcessID\":728,\"ThreadID\":736,\"Channel\":\"Security\",\"Message\":\"A handle to an object was requested.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-73322\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0xA4FA5F41\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tWS-Management Listener\\r\\n\\tObject Type:\\t\\tUnknown\\r\\n\\tObject Name:\\t\\tUnknown\\r\\n\\tHandle ID:\\t\\t0x0\\r\\n\\tResource Attributes:\\t-\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x3d4\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\r\\n\\r\\nAccess Request Information:\\r\\n\\tTransaction ID:\\t\\t{00000000-0000-0000-0000-000000000000}\\r\\n\\tAccesses:\\t\\tMAX_ALLOWED\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Reasons:\\t\\t-\\r\\n\\tAccess Mask:\\t\\t0x2000000\\r\\n\\tPrivileges Used for Access Check:\\t-\\r\\n\\tRestricted SID Count:\\t0\",\"Category\":\"Other Object Access Events\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-73322\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0xa4fa5f41\",\"ObjectServer\":\"WS-Management 
Listener\",\"ObjectType\":\"Unknown\",\"ObjectName\":\"Unknown\",\"HandleId\":\"0x0\",\"TransactionId\":\"{00000000-0000-0000-0000-000000000000}\",\"AccessList\":\"%%1543\\r\\n\\t\\t\\t\\t\",\"AccessReason\":\"-\",\"AccessMask\":\"0x2000000\",\"PrivilegeList\":\"-\",\"RestrictedSidCount\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"ResourceAttributes\":\"-\",\"EventReceivedTime\":\"2010-09-28 18:30:30\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4656", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-73322\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA4FA5F41\r\n\r\nObject:\r\n\tObject Server:\t\tWS-Management Listener\r\n\tObject Type:\t\tUnknown\r\n\tObject Name:\t\tUnknown\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x3d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tMAX_ALLOWED\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x2000000\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0" + "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-73322\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA4FA5F41\r\n\r\nObject:\r\n\tObject Server:\t\tWS-Management Listener\r\n\tObject Type:\t\tUnknown\r\n\tObject Name:\t\tUnknown\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x3d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nAccess Request Information:\r\n\tTransaction 
ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tMAX_ALLOWED\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x2000000\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 9931381860, - "type": "Security", "id": 4656, + "name": "A handle to an object was requested", + "outcome": "failure", "properties": { - "Accesses": "\t\tMAX_ALLOWED", "AccessList": "%%1543\r\n\t\t\t\t", "AccessMask": "0x2000000", "AccessReason": "-", + "Accesses": "\t\tMAX_ALLOWED", "EventType": "AUDIT_FAILURE", "HandleId": "0x0", + "Keywords": "-9218868437227405312", "ObjectName": "Unknown", "ObjectServer": "WS-Management Listener", "ObjectType": "Unknown", 
@@ -2639,44 +2640,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ProcessName": "c:\\windows\\system32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0xa4fa5f41", "SubjectUserName": "V-FOO$", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-73322", - "Task": 12804, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9218868437227405312" + "Task": 12804 }, - "name": "A handle to an object was requested", - "outcome": "failure" - }, - "log": { - "hostname": "V-FOO", - "level": "error" + "record_id": 9931381860, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 736 - }, "executable": "c:\\windows\\system32\\svchost.exe", - "pid": 728, "id": 728, "name": "svchost.exe", + "pid": 728, + "thread": { + "id": 736 + }, "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-73322", - "name": "V-FOO$", - "domain": "KEY" - }, "related": { "hosts": [ "V-FOO" @@ -2684,6 +2679,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "V-FOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-73322", + "name": "V-FOO$" } } 
@@ -2698,16 +2698,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 12:01:24\",\"Hostname\":\"FOOBAZ02\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4657,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12801,\"OpcodeValue\":0,\"RecordNumber\":27949645047,\"ProcessID\":4,\"ThreadID\":14940,\"Channel\":\"Security\",\"Message\":\"A registry value was modified.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tFOOBAZ02$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Name:\\t\\t\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WindowsUpdate\\\\Auto Update\\r\\n\\tObject Value Name:\\tFirmwareUpdatesNotInstalled\\r\\n\\tHandle ID:\\t\\t0x22cc\\r\\n\\tOperation Type:\\t\\tNew registry value created\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0xac0\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\r\\n\\r\\nChange Information:\\r\\n\\tOld Value Type:\\t\\t-\\r\\n\\tOld Value:\\t\\t-\\r\\n\\tNew Value Type:\\t\\tREG_DWORD\\r\\n\\tNew Value:\\t\\t0\",\"Category\":\"Registry\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"FOOBAZ02$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectName\":\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WindowsUpdate\\\\Auto Update\",\"ObjectValueName\":\"FirmwareUpdatesNotInstalled\",\"HandleId\":\"0x22cc\",\"OperationType\":\"%%1904\",\"OldValueType\":\"-\",\"OldValue\":\"-\",\"NewValueType\":\"%%1876\",\"NewValue\":\"0\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-09-30 
12:01:25\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4657", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tFOOBAZ02$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\r\n\tObject Value Name:\tFirmwareUpdatesNotInstalled\r\n\tHandle ID:\t\t0x22cc\r\n\tOperation Type:\t\tNew registry value created\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xac0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\t-\r\n\tOld Value:\t\t-\r\n\tNew Value Type:\t\tREG_DWORD\r\n\tNew Value:\t\t0" + "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tFOOBAZ02$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\r\n\tObject Value Name:\tFirmwareUpdatesNotInstalled\r\n\tHandle ID:\t\t0x22cc\r\n\tOperation Type:\t\tNew registry value created\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xac0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\t-\r\n\tOld Value:\t\t-\r\n\tNew Value Type:\t\tREG_DWORD\r\n\tNew Value:\t\t0", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 27949645047, - "type": "Security", "id": 4657, + "name": "A registry value was modified", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", "HandleId": "0x22cc", + "Keywords": "-9214364837600034816", "NewValue": "0", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update", "ObjectValueName": "FirmwareUpdatesNotInstalled", 
@@ -2716,44 +2717,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ProcessName": "c:\\windows\\system32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "FOOBAZ02$", "SubjectUserSid": "S-1-5-18", - "Task": 12801, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 12801 }, - "name": "A registry value was modified", - "outcome": "success" - }, - "log": { - "hostname": "FOOBAZ02", - "level": "info" + "record_id": 27949645047, + "type": "Security" }, "host": { "hostname": "FOOBAZ02", "name": "FOOBAZ02" }, + "log": { + "hostname": "FOOBAZ02", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 14940 - }, "executable": "c:\\windows\\system32\\svchost.exe", - "pid": 4, "id": 4, "name": "svchost.exe", + "pid": 4, + "thread": { + "id": 14940 + }, "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "FOOBAZ02$", - "domain": "KEY" - }, "related": { "hosts": [ "FOOBAZ02" @@ -2761,6 +2756,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "FOOBAZ02$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "FOOBAZ02$" } } 
@@ -2775,59 +2775,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 12:32:03\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4658,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12801,\"OpcodeValue\":0,\"RecordNumber\":11254204732,\"ProcessID\":4,\"ThreadID\":6740,\"Channel\":\"Security\",\"Message\":\"The handle to an object was closed.\\r\\n\\r\\nSubject :\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tSecurity\\r\\n\\tHandle ID:\\t\\t0x5c44\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x4e58\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"Category\":\"Registry\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"Security\",\"HandleId\":\"0x5c44\",\"ProcessName\":\"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"EventReceivedTime\":\"2010-09-30 12:32:03\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4658", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x5c44\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4e58\r\n\tProcess Name:\t\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" + "message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity 
ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x5c44\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4e58\r\n\tProcess Name:\t\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 11254204732, - "type": "Security", "id": 4658, + "name": "The handle to an object was closed", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", "HandleId": "0x5c44", + "Keywords": "-9214364837600034816", "ObjectServer": "Security", "OpcodeValue": 0, "ProcessName": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "V-FOO$", "SubjectUserSid": "S-1-5-18", - "Task": 12801, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - }, - "name": "The handle to an object was closed", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "Task": 12801 + }, + "record_id": 11254204732, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 6740 - }, "executable": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", - "pid": 4, "id": 4, "name": "powershell.exe", + "pid": 4, + "thread": { + "id": 6740 + }, "working_directory": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\" }, - "user": { - "id": "S-1-5-18", - "name": "V-FOO$", - "domain": "KEY" - }, "related": { "hosts": [ "V-FOO" 
@@ -2835,6 +2830,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "V-FOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "V-FOO$" } } 
@@ -2849,19 +2849,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-09-30 14:43:13\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4663,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12802,\"OpcodeValue\":0,\"RecordNumber\":1507550680,\"ProcessID\":4,\"ThreadID\":10820,\"Channel\":\"Security\",\"Message\":\"An attempt was made to access an object.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tSecurity\\r\\n\\tObject Type:\\t\\tProcess\\r\\n\\tObject Name:\\t\\t\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\tHandle ID:\\t\\t0x5d4\\r\\n\\tResource Attributes:\\t-\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0xcc8\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\\r\\n\\r\\nAccess Request Information:\\r\\n\\tAccesses:\\t\\tRead from process memory\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Mask:\\t\\t0x10\",\"Category\":\"Kernel Object\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"Security\",\"ObjectType\":\"Process\",\"ObjectName\":\"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\lsass.exe\",\"HandleId\":\"0x5d4\",\"AccessList\":\"%%4484\\r\\n\\t\\t\\t\\t\",\"AccessMask\":\"0x10\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\"ResourceAttributes\":\"-\",\"EventReceivedTime\":\"2010-09-30 14:43:15\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4663", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "An 
attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x5d4\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10" + "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x5d4\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 1507550680, - "type": "Security", "id": 4663, + "name": "An attempt was made to access an object", + "outcome": "success", "properties": { - "Accesses": "\t\tRead from process memory", "AccessList": "%%4484\r\n\t\t\t\t", "AccessMask": "0x10", + "Accesses": "\t\tRead from process memory", "EventType": "AUDIT_SUCCESS", "HandleId": "0x5d4", + "Keywords": "-9214364837600034816", "ObjectName": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe", "ObjectServer": "Security", "ObjectType": "Process", 
@@ -2869,48 +2870,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ProcessName": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "V-FOO$", "SubjectUserSid": "S-1-5-18", - "Task": 12802, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 12802 }, - "name": "An attempt was made to access an object", - "outcome": "success" + "record_id": 1507550680, + "type": "Security" }, - "log": { - "hostname": "V-FOO", - "level": "info" + "file": { + "name": "lsass.exe", + "path": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 10820 - }, "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", - "pid": 4, "id": 4, "name": "wmiprvse.exe", + "pid": 4, + "thread": { + "id": 10820 + }, "working_directory": "c:\\windows\\system32\\wbem\\" }, - "user": { - "id": "S-1-5-18", - "name": "V-FOO$", - "domain": "KEY" - }, - "file": { - "name": "lsass.exe", - "path": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe" - }, "related": { "hosts": [ "V-FOO" @@ -2918,6 +2913,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "V-FOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "V-FOO$" } } 
@@ -2935,12 +2935,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 878009, - "type": "Security", "id": 4670, + "name": "Permissions on an object were changed", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", "HandleId": "0x444", + "Keywords": "-9214364837600034816", "ObjectName": "-", "ObjectServer": "Security", "ObjectType": "Token", @@ -2948,44 +2949,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ProcessName": "c:\\windows\\system32\\searchindexer.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "FOOBAZ$", "SubjectUserSid": "S-1-5-18", - "Task": 13570, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13570 }, - "name": "Permissions on an object were changed", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "record_id": 878009, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 7416 - }, "executable": "c:\\windows\\system32\\searchindexer.exe", - "pid": 4, "id": 4, "name": "searchindexer.exe", + "pid": 4, + "thread": { + "id": 7416 + }, "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "FOOBAZ$", - "domain": "KEY" - }, "related": { "hosts": [ "V-FOO" @@ -2993,6 +2988,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "FOOBAZ$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "FOOBAZ$" } } 
@@ -3009,32 +3009,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "process": { - "command_line": "taskhostw.exe", - "parent": { - "executable": "c:\\windows\\system32\\svchost.exe", - "command_line": "c:\\windows\\system32\\svchost.exe", - "name": "svchost.exe", - "working_directory": "c:\\windows\\system32\\" - }, - "thread": { - "id": 14728 - }, - "executable": "c:\\windows\\system32\\taskhostw.exe", - "pid": 3648, - "id": 3648, - "name": "taskhostw.exe", - "working_directory": "c:\\windows\\system32\\" - }, "action": { - "record_id": 968049, - "type": "Security", "id": 4688, + "name": "A new process has been created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600035000", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "REDACTED", "SubjectLogonId": "0x3e7", "SubjectUserName": "REDACTED", 
@@ -3042,34 +3027,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetDomainName": "-", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600035000" + "Task": 13312 }, - "name": "A new process has been created", - "outcome": "success" - }, - "log": { - "hostname": "REDACTED", - "level": "info" + "record_id": 968049, + "type": "Security" }, "host": { "hostname": "REDACTED", "name": "REDACTED" }, + "log": { + "hostname": "REDACTED", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "target": { - "name": "-", - "domain": "-", - "id": "S-1-0-0" + "process": { + "command_line": "taskhostw.exe", + "executable": "c:\\windows\\system32\\taskhostw.exe", + "id": 3648, + "name": "taskhostw.exe", + "parent": { + "command_line": "c:\\windows\\system32\\svchost.exe", + "executable": "c:\\windows\\system32\\svchost.exe", + "name": "svchost.exe", + "working_directory": "c:\\windows\\system32\\" }, - "name": "REDACTED", - "domain": "REDACTED" + "pid": 3648, + "thread": { + "id": 14728 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hosts": [ @@ -3078,6 +3068,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "REDACTED" ] + }, + "user": { + "domain": "REDACTED", + "id": "S-1-5-18", + "name": "REDACTED", + "target": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + } } } 
@@ -3095,54 +3095,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 1840478, - "type": "Security", "id": 4689, + "name": "A process has exited", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProcessName": "c:\\windows\\system32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "Status": "0x0", "SubjectDomainName": "REDACTED", "SubjectLogonId": "0x3e7", "SubjectUserName": "REDACTED", "SubjectUserSid": "S-1-5-18", - "Task": 13313, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13313 }, - "name": "A process has exited", - "outcome": "success" - }, - "log": { - "hostname": "REDACTED", - "level": "info" + "record_id": 1840478, + "type": "Security" }, "host": { "hostname": "REDACTED", "name": "REDACTED" }, + "log": { + "hostname": "REDACTED", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 13048 - }, "executable": "c:\\windows\\system32\\svchost.exe", - "pid": 4, "id": 4, "name": "svchost.exe", + "pid": 4, + "thread": { + "id": 13048 + }, "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "REDACTED", - "domain": "REDACTED" - }, "related": { "hosts": [ "REDACTED" @@ -3150,6 +3145,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "REDACTED" ] + }, + "user": { + "domain": "REDACTED", + "id": "S-1-5-18", + "name": "REDACTED" } } 
@@ -3164,56 +3164,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\": \"2023-08-25 12:13:33\", \"Hostname\": \"srv-foo\", \"Keywords\": -9214364837600034816, \"EventType\": \"AUDIT_SUCCESS\", \"SeverityValue\": 2, \"Severity\": \"INFO\", \"EventID\": 4698, \"SourceName\": \"Microsoft-Windows-Security-Auditing\", \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\", \"Version\": 1, \"Task\": 12804, \"OpcodeValue\": 0, \"RecordNumber\": 4302958134, \"ActivityID\": \"{25C1B30D-1E8B-4A26-9E80-ED3A242DB52E}\", \"ProcessID\": 912, \"ThreadID\": 5584, \"Channel\": \"Security\", \"Message\": \"A scheduled task was created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tsrv-foo$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTask Information:\\r\\n\\tTask Name: \\t\\t\\\\CORP-Dump_Installed_Updates\\r\\n\\tTask Content: \\t\\t\\r\\n\\r\\n \\r\\n KEY\\\\adm_foo\\r\\n \\\\CORP-Dump_Installed_Updates\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n PT1H\\r\\n P1D\\r\\n true\\r\\n \\r\\n 2016-05-02T04:45:00\\r\\n PT30M\\r\\n true\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n HighestAvailable\\r\\n NT AUTHORITY\\\\System\\r\\n S4U\\r\\n \\r\\n \\r\\n \\r\\n StopExisting\\r\\n false\\r\\n false\\r\\n true\\r\\n true\\r\\n false\\r\\n \\r\\n PT5M\\r\\n PT1H\\r\\n false\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n PT1H\\r\\n 7\\r\\n \\r\\n PT15M\\r\\n 3\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\r\\n -NonInteractive -NoProfile -Command \\\"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\\\Exploitation\\\\Scripts\\\\Nagios\\\\LastInstalledUpdates.xml'\\\"\\r\\n \\r\\n \\r\\n\\r\\n\\r\\nOther Information:\\r\\n\\tProcessCreationTime: \\t\\t28428972647776291\\r\\n\\tClientProcessId: 
\\t\\t\\t1700\\r\\n\\tParentProcessId: \\t\\t\\t892\\r\\n\\tFQDN: \\t\\t0\\r\\n\\t\", \"Category\": \"Other Object Access Events\", \"Opcode\": \"Info\", \"SubjectUserSid\": \"S-1-5-18\", \"SubjectUserName\": \"srv-foo$\", \"SubjectDomainName\": \"KEY\", \"SubjectLogonId\": \"0x3e7\", \"TaskName\": \"\\\\CORP-Dump_Installed_Updates\", \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Author>KEY\\\\adm_foo</Author>\\r\\n <URI>\\\\CORP-Dump_Installed_Updates</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <CalendarTrigger>\\r\\n <Repetition>\\r\\n <Interval>PT1H</Interval>\\r\\n <Duration>P1D</Duration>\\r\\n <StopAtDurationEnd>true</StopAtDurationEnd>\\r\\n </Repetition>\\r\\n <StartBoundary>2016-05-02T04:45:00</StartBoundary>\\r\\n <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>\\r\\n <Enabled>true</Enabled>\\r\\n <ScheduleByDay>\\r\\n <DaysInterval>1</DaysInterval>\\r\\n </ScheduleByDay>\\r\\n </CalendarTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n <UserId>NT AUTHORITY\\\\System</UserId>\\r\\n <LogonType>S4U</LogonType>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>true</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT5M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n <StopOnIdleEnd>false</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n 
<Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\\r\\n <Priority>7</Priority>\\r\\n <RestartOnFailure>\\r\\n <Interval>PT15M</Interval>\\r\\n <Count>3</Count>\\r\\n </RestartOnFailure>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe</Command>\\r\\n <Arguments>-NonInteractive -NoProfile -Command \\\"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\\\Exploitation\\\\Scripts\\\\Nagios\\\\LastInstalledUpdates.xml'\\\"</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\", \"ClientProcessStartKey\": \"28428972647776291\", \"ClientProcessId\": \"1700\", \"ParentProcessId\": \"892\", \"RpcCallClientLocality\": \"0\", \"FQDN\": \"srv-foo.key.corp.net\", \"EventReceivedTime\": \"2023-08-25 12:13:34\", \"SourceModuleName\": \"in\", \"SourceModuleType\": \"im_msvistalog\"}", "event": { "code": "4698", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tsrv-foo$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\CORP-Dump_Installed_Updates\r\n\tTask Content: \t\t\r\n\r\n \r\n KEY\\adm_foo\r\n \\CORP-Dump_Installed_Updates\r\n \r\n \r\n \r\n \r\n PT1H\r\n P1D\r\n true\r\n \r\n 2016-05-02T04:45:00\r\n PT30M\r\n true\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n StopExisting\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT1H\r\n 7\r\n \r\n PT15M\r\n 3\r\n \r\n \r\n \r\n \r\n C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n -NonInteractive -NoProfile -Command 
\"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"\r\n \r\n \r\n\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t28428972647776291\r\n\tClientProcessId: \t\t\t1700\r\n\tParentProcessId: \t\t\t892\r\n\tFQDN: \t\t0\r\n\t" + "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tsrv-foo$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\CORP-Dump_Installed_Updates\r\n\tTask Content: \t\t\r\n\r\n \r\n KEY\\adm_foo\r\n \\CORP-Dump_Installed_Updates\r\n \r\n \r\n \r\n \r\n PT1H\r\n P1D\r\n true\r\n \r\n 2016-05-02T04:45:00\r\n PT30M\r\n true\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n StopExisting\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT1H\r\n 7\r\n \r\n PT15M\r\n 3\r\n \r\n \r\n \r\n \r\n C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n -NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"\r\n \r\n \r\n\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t28428972647776291\r\n\tClientProcessId: \t\t\t1700\r\n\tParentProcessId: \t\t\t892\r\n\tFQDN: \t\t0\r\n\t", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 4302958134, - "type": "Security", "id": 4698, + "name": "A scheduled task was created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", 
"SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "srv-foo$", "SubjectUserSid": "S-1-5-18", "Task": 12804, - "TaskName": "\\CORP-Dump_Installed_Updates", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", "TaskContentNew_Args": "-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"", - "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" + "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "TaskName": "\\CORP-Dump_Installed_Updates" }, - "name": "A scheduled task was created", - "outcome": "success" - }, - "log": { - "hostname": "srv-foo", - "level": "info" + "record_id": 4302958134, + "type": "Security" }, "host": { "hostname": "srv-foo", "name": "srv-foo" }, + "log": { + "hostname": "srv-foo", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 912, + "pid": 912, "ppid": "892", "thread": { "id": 5584 - }, - "pid": 912, - "id": 912 - }, - "user": { - "id": "S-1-5-18", - "name": "srv-foo$", - "domain": "KEY" + } }, "related": { "hosts": [ @@ -3222,6 +3217,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "srv-foo$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "srv-foo$" } } 
@@ -3239,49 +3239,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 3128, - "type": "Security", "id": 4719, + "name": "System audit policy was changed", + "outcome": "success", "properties": { "AuditPolicyChanges": "%%8449, %%8451", "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "FOOBAR$", "SubjectUserSid": "S-1-5-18", - "Task": 13568, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13568 }, - "name": "System audit policy was changed", - "outcome": "success" - }, - "log": { - "hostname": "HOSTFOO", - "level": "info" + "record_id": 3128, + "type": "Security" }, "host": { "hostname": "HOSTFOO", "name": "HOSTFOO" }, + "log": { + "hostname": "HOSTFOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 764, + "pid": 764, "thread": { "id": 932 - }, - "pid": 764, - "id": 764 - }, - "user": { - "id": "S-1-5-18", - "name": "FOOBAR$", - "domain": "KEY" + } }, "related": { "hosts": [ @@ -3290,6 +3285,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "FOOBAR$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "FOOBAR$" } } 
@@ -3304,18 +3304,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2020-11-27 17:05:18\",\"Hostname\":\"SERVERFOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4720,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":13824,\"OpcodeValue\":0,\"RecordNumber\":2077430259,\"ProcessID\":1808,\"ThreadID\":9204,\"Channel\":\"Security\",\"Message\":\"A user account was created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1595408694-1749029380-1551332766-2746\\r\\n\\tAccount Name:\\t\\tSVC_sitemanager\\r\\n\\tAccount Domain:\\t\\tEXTRAWEB\\r\\n\\tLogon ID:\\t\\t0x8A2F8844\\r\\n\\r\\nNew Account:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1595408694-1749029380-1551332766-47859\\r\\n\\tAccount Name:\\t\\tUSERFOO\\r\\n\\tAccount Domain:\\t\\tEXTRAWEB\\r\\n\\r\\nAttributes:\\r\\n\\tSAM Account Name:\\tUSERFOO\\r\\n\\tDisplay Name:\\t\\tUSERFOO USERLASTNAME\\r\\n\\tUser Principal Name:\\\\tuserfoo@mycorp.nett\\r\\n\\tHome Directory:\\t\\t-\\r\\n\\tHome Drive:\\t\\t-\\r\\n\\tScript Path:\\t\\t-\\r\\n\\tProfile Path:\\t\\t-\\r\\n\\tUser Workstations:\\t-\\r\\n\\tPassword Last Set:\\t\\r\\n\\tAccount Expires:\\t\\t28/11/2021 00:00:00\\r\\n\\tPrimary Group ID:\\t513\\r\\n\\tAllowed To Delegate To:\\t-\\r\\n\\tOld UAC Value:\\t\\t0x0\\r\\n\\tNew UAC Value:\\t\\t0x15\\r\\n\\tUser Account Control:\\t\\r\\n\\t\\tAccount Disabled\\r\\n\\t\\t'Password Not Required' - Enabled\\r\\n\\t\\t'Normal Account' - Enabled\\r\\n\\tUser Parameters:\\t-\\r\\n\\tSID History:\\t\\t-\\r\\n\\tLogon Hours:\\t\\t\\r\\n\\r\\nAdditional Information:\\r\\n\\tPrivileges\\t\\t-\",\"Category\":\"User Account 
Management\",\"Opcode\":\"Info\",\"TargetUserName\":\"USERFOO\",\"TargetDomainName\":\"EXTRAWEB\",\"TargetSid\":\"S-1-5-21-1595408694-1749029380-1551332766-47859\",\"SubjectUserSid\":\"S-1-5-21-1595408694-1749029380-1551332766-2746\",\"SubjectUserName\":\"SVC_sitemanager\",\"SubjectDomainName\":\"EXTRAWEB\",\"SubjectLogonId\":\"0x8a2f8844\",\"PrivilegeList\":\"-\",\"SamAccountName\":\"USERFOO\",\"DisplayName\":\"USERFOO USERLASTNAME\",\"UserPrincipalName\":\"userfoo@mycorp.nett\",\"HomeDirectory\":\"-\",\"HomePath\":\"-\",\"ScriptPath\":\"-\",\"ProfilePath\":\"-\",\"UserWorkstations\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AccountExpires\":\"28/11/2021 00:00:00\",\"PrimaryGroupId\":\"513\",\"AllowedToDelegateTo\":\"-\",\"OldUacValue\":\"0x0\",\"NewUacValue\":\"0x15\",\"UserAccountControl\":\"\\r\\n\\t\\t%%2080\\r\\n\\t\\t%%2082\\r\\n\\t\\t%%2084\",\"UserParameters\":\"-\",\"SidHistory\":\"-\",\"LogonHours\":\"%%1793\",\"EventReceivedTime\":\"2020-11-27 17:05:19\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4720", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-2746\r\n\tAccount Name:\t\tSVC_sitemanager\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\tLogon ID:\t\t0x8A2F8844\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-47859\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\r\nAttributes:\r\n\tSAM Account Name:\tUSERFOO\r\n\tDisplay Name:\t\tUSERFOO USERLASTNAME\r\n\tUser Principal Name:\\tuserfoo@mycorp.nett\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t\r\n\tAccount Expires:\t\t28/11/2021 00:00:00\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount 
Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-" + "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-2746\r\n\tAccount Name:\t\tSVC_sitemanager\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\tLogon ID:\t\t0x8A2F8844\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-47859\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\r\nAttributes:\r\n\tSAM Account Name:\tUSERFOO\r\n\tDisplay Name:\t\tUSERFOO USERLASTNAME\r\n\tUser Principal Name:\\tuserfoo@mycorp.nett\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t\r\n\tAccount Expires:\t\t28/11/2021 00:00:00\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 2077430259, - "type": "Security", "id": 4720, + "name": "A user account was created", + "outcome": "success", "properties": { "AllowedToDelegateTo": "-", "DisplayName": "USERFOO USERLASTNAME", "EventType": "AUDIT_SUCCESS", "HomeDirectory": "-", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "PrivilegeList": "-", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", 
@@ -3323,6 +3324,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ScriptPath": "-", "Severity": "INFO", "SidHistory": "-", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "EXTRAWEB", "SubjectLogonId": "0x8a2f8844", "SubjectUserName": "SVC_sitemanager", @@ -3331,40 +3333,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetSid": "S-1-5-21-1595408694-1749029380-1551332766-47859", "TargetUserName": "USERFOO", "Task": 13824, - "UserPrincipalName": "userfoo@mycorp.nett", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" - }, - "name": "A user account was created", - "outcome": "success" - }, - "log": { - "hostname": "SERVERFOO", - "level": "info" + "UserPrincipalName": "userfoo@mycorp.nett" + }, + "record_id": 2077430259, + "type": "Security" }, "host": { "hostname": "SERVERFOO", "name": "SERVERFOO" }, + "log": { + "hostname": "SERVERFOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1808, + "pid": 1808, "thread": { "id": 9204 - }, - "pid": 1808, - "id": 1808 - }, - "user": { - "id": "S-1-5-21-1595408694-1749029380-1551332766-2746", - "target": { - "name": "USERFOO", - "domain": "EXTRAWEB" - }, - "name": "SVC_sitemanager", - "domain": "EXTRAWEB" + } }, "related": { "hosts": [ @@ -3373,6 +3364,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SVC_sitemanager" ] + }, + "user": { + "domain": "EXTRAWEB", + "id": "S-1-5-21-1595408694-1749029380-1551332766-2746", + "name": "SVC_sitemanager", + "target": { + "domain": "EXTRAWEB", + "name": "USERFOO" + } } } 
@@ -3387,64 +3387,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-11 16:17:08\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4769,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14337,\"OpcodeValue\":0,\"RecordNumber\":30707351571,\"ProcessID\":1812,\"ThreadID\":4500,\"Channel\":\"Security\",\"Message\":\"A Kerberos service ticket was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tHOSTFOO\\r\\n\\tAccount Domain:\\t\\tKEY.HOSTFOO\\r\\n\\tLogon GUID:\\t\\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tV-FOO$\\r\\n\\tService ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-74694\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::ffff:1.1.1.1\\r\\n\\tClient Port:\\t\\t54021\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810000\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tFailure Code:\\t\\t0x0\\r\\n\\tTransited Services:\\t-\\r\\n\\r\\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\\r\\n\\r\\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\\r\\n\\r\\nTicket options, encryption types, and failure codes are defined in RFC 4120.\",\"Category\":\"Kerberos Service Ticket Operations\",\"Opcode\":\"Info\",\"TargetUserName\":\"HOSTFOO@KEY.HOSTFOO\",\"TargetDomainName\":\"KEY.HOSTFOO\",\"ServiceName\":\"V-FOO$\",\"ServiceSid\":\"S-1-5-21-1574594750-1263408776-2012955550-74694\",\"TicketOptions\":\"0x40810000\",\"TicketEncryptionType\":\"0x12\",\"IpAddress\":\"::ffff:1.1.1.1\",\"IpPort\":\"54021\",\"Status\":\"0x0\",\"LogonGuid\":\"{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\",\"TransmittedServices\":\"-\",\"EventReceivedTime\":\"2010-12-11 16:17:09\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4769", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tHOSTFOO\r\n\tAccount Domain:\t\tKEY.HOSTFOO\r\n\tLogon GUID:\t\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\r\n\r\nService Information:\r\n\tService Name:\t\tV-FOO$\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-74694\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t54021\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120." + "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tHOSTFOO\r\n\tAccount Domain:\t\tKEY.HOSTFOO\r\n\tLogon GUID:\t\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\r\n\r\nService Information:\r\n\tService Name:\t\tV-FOO$\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-74694\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t54021\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 30707351571, - "type": "Security", "id": 4769, + "name": "A Kerberos service ticket was requested", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "FailureCode": "0x0", "IpAddress": "::ffff:1.1.1.1", "IpPort": "54021", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "ServiceName": "V-FOO$", "ServiceSid": "S-1-5-21-1574594750-1263408776-2012955550-74694", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "Status": "0x0", "TargetDomainName": "KEY.HOSTFOO", "TargetUserName": "HOSTFOO@KEY.HOSTFOO", "Task": 14337, "TicketEncryptionType": "0x12", - "TicketOptions": "0x40810000", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "FailureCode": "0x0" + "TicketOptions": "0x40810000" }, - "name": "A Kerberos service ticket was requested", - "outcome": "success" - }, - "log": { - "hostname": "FOOBAZ11", - "level": "info" + "record_id": 30707351571, + "type": "Security" }, "host": { "hostname": "FOOBAZ11", "name": "FOOBAZ11" }, + "log": { + "hostname": "FOOBAZ11", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1812, + "pid": 1812, "thread": { "id": 4500 - }, - "pid": 1812, - "id": 1812 - }, - "user": { - "target": { - "name": "HOSTFOO@KEY.HOSTFOO", - "domain": "KEY.HOSTFOO" } }, - "source": { - "ip": "1.1.1.1", - "address": "::ffff:1.1.1.1" - }, "related": { "hosts": [ "FOOBAZ11" 
@@ -3452,6 +3442,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "::ffff:1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "target": { + "domain": "KEY.HOSTFOO", + "name": "HOSTFOO@KEY.HOSTFOO" + } } } 
@@ -3466,56 +3466,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-13 17:25:22\",\"Hostname\":\"FOOBAZ11\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5136,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":14081,\"OpcodeValue\":0,\"RecordNumber\":30373281570,\"ProcessID\":1928,\"ThreadID\":12604,\"Channel\":\"Security\",\"Message\":\"A directory service object was modified.\\r\\n\\t\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1574594750-1263408776-2012955550-123990\\r\\n\\tAccount Name:\\t\\tHOSTNAMEBAZ\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x2245EEC18\\r\\n\\r\\nDirectory Service:\\r\\n\\tName:\\tkey.mycorp.int\\r\\n\\tType:\\tActive Directory Domain Services\\r\\n\\t\\r\\nObject:\\r\\n\\tDN:\\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\\r\\n\\tGUID:\\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\\r\\n\\tClass:\\tcomputer\\r\\n\\t\\r\\nAttribute:\\r\\n\\tLDAP Display Name:\\tservicePrincipalName\\r\\n\\tSyntax (OID):\\t1.1.1.1\\r\\n\\tValue:\\tCmRcService/MYUSER\\r\\n\\t\\r\\nOperation:\\r\\n\\tType:\\tValue Added\\r\\n\\tCorrelation ID:\\t{862BB478-DF85-4696-B45A-8C27F04C9377}\\r\\n\\tApplication Correlation ID:\\t-\",\"Category\":\"Directory Service Changes\",\"Opcode\":\"Info\",\"OpCorrelationID\":\"{862BB478-DF85-4696-B45A-8C27F04C9377}\",\"AppCorrelationID\":\"-\",\"SubjectUserSid\":\"S-1-5-21-1574594750-1263408776-2012955550-123990\",\"SubjectUserName\":\"HOSTNAMEBAZ\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x2245eec18\",\"DSName\":\"key.mycorp.int\",\"DSType\":\"%%14676\",\"ObjectDN\":\"CN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP 
Data,DC=key,DC=mycorp,DC=int\",\"ObjectGUID\":\"{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\",\"ObjectClass\":\"computer\",\"AttributeLDAPDisplayName\":\"servicePrincipalName\",\"AttributeSyntaxOID\":\"1.1.1.1\",\"AttributeValue\":\"CmRcService/MYUSER\",\"OperationType\":\"%%14674\",\"EventReceivedTime\":\"2010-11-13 17:25:22\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5136", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123990\r\n\tAccount Name:\t\tHOSTNAMEBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x2245EEC18\r\n\r\nDirectory Service:\r\n\tName:\tkey.mycorp.int\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\r\n\tGUID:\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t1.1.1.1\r\n\tValue:\tCmRcService/MYUSER\r\n\t\r\nOperation:\r\n\tType:\tValue Added\r\n\tCorrelation ID:\t{862BB478-DF85-4696-B45A-8C27F04C9377}\r\n\tApplication Correlation ID:\t-" + "message": "A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123990\r\n\tAccount Name:\t\tHOSTNAMEBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x2245EEC18\r\n\r\nDirectory Service:\r\n\tName:\tkey.mycorp.int\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\r\n\tGUID:\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t1.1.1.1\r\n\tValue:\tCmRcService/MYUSER\r\n\t\r\nOperation:\r\n\tType:\tValue Added\r\n\tCorrelation 
ID:\t{862BB478-DF85-4696-B45A-8C27F04C9377}\r\n\tApplication Correlation ID:\t-", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 30373281570, - "type": "Security", "id": 5136, + "name": "A directory service object was modified", + "outcome": "success", "properties": { "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "CmRcService/MYUSER", "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "ObjectClass": "computer", "OpcodeValue": 0, "OperationType": "%%14674", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x2245eec18", "SubjectUserName": "HOSTNAMEBAZ", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-123990", - "Task": 14081, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 14081 }, - "name": "A directory service object was modified", - "outcome": "success" - }, - "log": { - "hostname": "FOOBAZ11", - "level": "info" + "record_id": 30373281570, + "type": "Security" }, "host": { "hostname": "FOOBAZ11", "name": "FOOBAZ11" }, + "log": { + "hostname": "FOOBAZ11", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 1928, + "pid": 1928, "thread": { "id": 12604 - }, - "pid": 1928, - "id": 1928 - }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-123990", - "name": "HOSTNAMEBAZ", - "domain": "KEY" + } }, "related": { "hosts": [ @@ -3524,6 +3519,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "HOSTNAMEBAZ" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-123990", + "name": "HOSTNAMEBAZ" } } 
@@ -3538,28 +3538,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"@timestamp\": \"2010-10-29T12:16:10.651Z\", \"TimeCreated\": \"2010-10-29T12:16:10.651Z\", \"ProviderGuid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"SourcePort\": \"8000\", \"LayerName\": \"%%14609\", \"SourceAddress\": \"::\", \"Level\": \"0\", \"Channel\": \"Security\", \"Task\": \"12810\", \"Protocol\": \"6\", \"SourceName\": \"Microsoft-Windows-Security-Auditing\", \"Hostname\": \"WORKSTATION5\", \"ProcessId\": \"10220\", \"LayerRTID\": \"42\", \"FilterRTID\": \"81935\", \"EventID\": 5154, \"Keywords\": \"0x8020000000000000\", \"Application\": \"\\\\device\\\\harddiskvolume2\\\\users\\\\wardog\\\\appdata\\\\local\\\\programs\\\\python\\\\python39\\\\python.exe\", \"Message\": \"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t10220\\r\\n\\tApplication Name:\\t\\\\device\\\\harddiskvolume2\\\\users\\\\wardog\\\\appdata\\\\local\\\\programs\\\\python\\\\python39\\\\python.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tSource Address:\\t\\t::\\r\\n\\tSource Port:\\t\\t8000\\r\\n\\tProtocol:\\t\\t6\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t81935\\r\\n\\tLayer Name:\\t\\tListen\\r\\n\\tLayer Run-Time ID:\\t42\", \"EventTime\": \"2011-06-10 08:53:53\"}", "event": { "code": "5154", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t10220\r\n\tApplication Name:\t\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t8000\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t81935\r\n\tLayer 
Name:\t\tListen\r\n\tLayer Run-Time ID:\t42" + "message": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t10220\r\n\tApplication Name:\t\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t8000\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t81935\r\n\tLayer Name:\t\tListen\r\n\tLayer Run-Time ID:\t42", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "type": "Security", "id": 5154, + "name": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections", "properties": { "Application": "\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe", + "Keywords": "0x8020000000000000", "ProviderGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "Task": 12810, "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "0x8020000000000000" + "Task": 12810 }, - "name": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections" - }, - "log": { - "hostname": "WORKSTATION5" + "type": "Security" }, "host": { "hostname": "WORKSTATION5", "name": "WORKSTATION5" }, + "log": { + "hostname": "WORKSTATION5" + }, "network": { "transport": "6" }, @@ -3567,11 +3567,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "family": "windows", "platform": "windows" }, - "source": { - "port": 8000, - "ip": "::", - "address": "::" - }, "related": { "hosts": [ "WORKSTATION5" @@ -3579,6 +3574,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "::" ] + }, + "source": { + "address": "::", + "ip": "::", + "port": 8000 } } 
@@ -3593,41 +3593,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-21 14:10:49\",\"Hostname\":\"host.foo.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5156,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12810,\"OpcodeValue\":0,\"RecordNumber\":10943,\"ProcessID\":4,\"ThreadID\":148,\"Channel\":\"Security\",\"Message\":\"La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une connexion.\\r\\n\\r\\nInformations sur l\u2019application :\\r\\n\\tID du processus :\\t\\t1452\\r\\n\\tNom de l\u2019application :\\t\\\\device\\\\harddiskvolume2\\\\program files (x86)\\\\nxlog\\\\nxlog.exe\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tDirection :\\t\\tEntrant\\r\\n\\tAdresse source :\\t\\t1.1.1.1\\r\\n\\tPort source :\\t\\t51845\\r\\n\\tAdresse de destination :\\t1.1.1.1\\r\\n\\tPort de destination :\\t\\t51846\\r\\n\\tProtocole :\\t\\t6\\r\\n\\r\\nInformations sur le filtre :\\r\\n\\tID d\u2019ex\u00e9cution du filtre :\\t9\\r\\n\\tNom de la couche :\\t\\tR\u00e9ception/Acceptation\\r\\n\\tID d\u2019ex\u00e9cution de la couche :\\t44\",\"Category\":\"Connexion de la plateforme de filtrage\",\"Opcode\":\"Informations\",\"Application\":\"\\\\device\\\\harddiskvolume2\\\\program files (x86)\\\\nxlog\\\\nxlog.exe\",\"Direction\":\"%%14592\",\"SourceAddress\":\"1.1.1.1\",\"SourcePort\":\"51845\",\"DestAddress\":\"1.1.1.1\",\"DestPort\":\"51846\",\"Protocol\":\"6\",\"FilterRTID\":\"9\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"RemoteUserID\":\"S-1-0-0\",\"RemoteMachineID\":\"S-1-0-0\",\"EventReceivedTime\":\"2010-10-21 14:10:50\",\"SourceModuleName\":\"security\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "5156", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "La plateforme WPF 
(Windows Filtering Platform) a autoris\u00e9 une connexion.\r\n\r\nInformations sur l\u2019application :\r\n\tID du processus :\t\t1452\r\n\tNom de l\u2019application :\t\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tDirection :\t\tEntrant\r\n\tAdresse source :\t\t1.1.1.1\r\n\tPort source :\t\t51845\r\n\tAdresse de destination :\t1.1.1.1\r\n\tPort de destination :\t\t51846\r\n\tProtocole :\t\t6\r\n\r\nInformations sur le filtre :\r\n\tID d\u2019ex\u00e9cution du filtre :\t9\r\n\tNom de la couche :\t\tR\u00e9ception/Acceptation\r\n\tID d\u2019ex\u00e9cution de la couche :\t44" + "message": "La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une connexion.\r\n\r\nInformations sur l\u2019application :\r\n\tID du processus :\t\t1452\r\n\tNom de l\u2019application :\t\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tDirection :\t\tEntrant\r\n\tAdresse source :\t\t1.1.1.1\r\n\tPort source :\t\t51845\r\n\tAdresse de destination :\t1.1.1.1\r\n\tPort de destination :\t\t51846\r\n\tProtocole :\t\t6\r\n\r\nInformations sur le filtre :\r\n\tID d\u2019ex\u00e9cution du filtre :\t9\r\n\tNom de la couche :\t\tR\u00e9ception/Acceptation\r\n\tID d\u2019ex\u00e9cution de la couche :\t44", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 10943, - "type": "Security", "id": 5156, + "name": "The Windows Filtering Platform has allowed a connection", + "outcome": "success", "properties": { "Application": "\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe", + "DestinationPort": "51846", "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", - "Task": 12810, "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", - "DestinationPort": "51846" + "Task": 12810 }, - 
"name": "The Windows Filtering Platform has allowed a connection", - "outcome": "success", - "target": "network-traffic" + "record_id": 10943, + "target": "network-traffic", + "type": "Security" }, "destination": { + "address": "1.1.1.1", "ip": "1.1.1.1", - "port": 51846, - "address": "1.1.1.1" - }, - "log": { - "hostname": "host.foo.local", - "level": "info" + "port": 51846 }, "host": { "hostname": "host.foo.local", "name": "host.foo.local" }, + "log": { + "hostname": "host.foo.local", + "level": "info" + }, "network": { "transport": "6" }, @@ -3636,16 +3636,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { + "id": 4, + "pid": 4, "thread": { "id": 148 - }, - "pid": 4, - "id": 4 - }, - "source": { - "port": 51845, - "ip": "1.1.1.1", - "address": "1.1.1.1" + } }, "related": { "hosts": [ @@ -3654,6 +3649,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.1.1.1" ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 51845 } } 
@@ -3668,54 +3668,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-26 16:58:35\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9187343239835811840,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":7045,\"SourceName\":\"Service Control Manager\",\"ProviderGuid\":\"{555908D1-A6D7-4695-8E1E-26931D2012F4}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":749,\"ProcessID\":528,\"ThreadID\":636,\"Channel\":\"System\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"A service was installed in the system.\\r\\n\\r\\nService Name: MpKslDrv\\r\\nService File Name: C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\\\MpKslDrv.sys\\r\\nService Type: kernel mode driver\\r\\nService Start Type: system start\\r\\nService Account: \",\"ServiceName\":\"MpKslDrv\",\"ImagePath\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\\\MpKslDrv.sys\",\"ServiceType\":\"kernel mode driver\",\"StartType\":\"system start\",\"EventReceivedTime\":\"2010-10-26 16:58:36\",\"SourceModuleName\":\"eventlog2\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "7045", - "provider": "Service Control Manager", - "message": "A service was installed in the system.\r\n\r\nService Name: MpKslDrv\r\nService File Name: C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys\r\nService Type: kernel mode driver\r\nService Start Type: system start\r\nService Account: " + "message": "A service was installed in the system.\r\n\r\nService Name: MpKslDrv\r\nService File Name: C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys\r\nService Type: kernel mode driver\r\nService 
Start Type: system start\r\nService Account: ", + "provider": "Service Control Manager" }, "action": { - "record_id": 749, - "type": "System", "id": 7045, + "name": "A new service was installed in the system", "properties": { "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", "ImagePath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys", + "Keywords": "-9187343239835811840", "OpcodeValue": 0, "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}", "ServiceName": "MpKslDrv", "ServiceType": "kernel mode driver", "Severity": "INFO", - "StartType": "system start", - "Task": 0, "SourceName": "Service Control Manager", - "Keywords": "-9187343239835811840" + "StartType": "system start", + "Task": 0 }, - "name": "A new service was installed in the system" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 749, + "type": "System" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 528, + "pid": 528, "thread": { "id": 636 - }, - "pid": 528, - "id": 528 - }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" + } }, "related": { "hosts": [ @@ -3724,6 +3719,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -3738,71 +3738,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2019-05-17 11:52:59\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":66,\"ProcessID\":3912,\"ThreadID\":2152,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-05-17 09:52:59.277\\r\\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\\r\\nProcessId: 4540\\r\\nImage: C:\\\\Windows\\\\System32\\\\LogonUI.exe\\r\\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\\r\\nDescription: Windows Logon User Interface Host\\r\\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nCommandLine: \\\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\\\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: AUTORITE NT\\\\Syst\u00c3\u00a8me\\r\\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 1\\r\\nIntegrityLevel: System\\r\\nHashes: MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\\r\\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\\r\\nParentProcessId: 476\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\winlogon.exe\\r\\nParentCommandLine: winlogon.exe\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-05-17 
09:52:59.277\",\"ProcessGuid\":\"{0BA009B0-847B-5CDE-0000-001038720D00}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\",\"FileVersion\":\"10.0.10586.0 (th2_release.151029-1700)\",\"Description\":\"Windows Logon User Interface Host\",\"Product\":\"Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"CommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\\\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\",\"CurrentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"User\":\"AUTORITE NT\\\\Syst\u00c3\u00a8me\",\"LogonGuid\":\"{0BA009B0-82CF-5CDE-0000-0020E7030000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"1\",\"IntegrityLevel\":\"System\",\"Hashes\":\"MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\",\"ParentProcessGuid\":\"{0BA009B0-82CF-5CDE-0000-0010883A0000}\",\"ParentProcessId\":\"476\",\"ParentImage\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\"ParentCommandLine\":\"winlogon.exe\",\"EventReceivedTime\":\"2019-05-17 11:53:00\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", + "message": "Process Create:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:59.277\r\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\r\nProcessId: 4540\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\r\nDescription: Windows Logon User Interface Host\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nCommandLine: \"C:\\Windows\\System32\\LogonUI.exe\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 1\r\nIntegrityLevel: System\r\nHashes: 
MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\r\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\r\nParentProcessId: 476\r\nParentImage: C:\\Windows\\System32\\winlogon.exe\r\nParentCommandLine: winlogon.exe", "provider": "Microsoft-Windows-Sysmon", - "reason": "Windows Logon User Interface Host", - "message": "Process Create:\r\nRuleName: \r\nUtcTime: 2019-05-17 09:52:59.277\r\nProcessGuid: {0BA009B0-847B-5CDE-0000-001038720D00}\r\nProcessId: 4540\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nFileVersion: 10.0.10586.0 (th2_release.151029-1700)\r\nDescription: Windows Logon User Interface Host\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nCommandLine: \"C:\\Windows\\System32\\LogonUI.exe\" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {0BA009B0-82CF-5CDE-0000-0020E7030000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 1\r\nIntegrityLevel: System\r\nHashes: MD5=D40C84E829922B70D511BB2CC6268D49,SHA256=9A54EE3D6D16D0FE3458B1AE1212F546F94B9E28E5A845D311A04191C724D652\r\nParentProcessGuid: {0BA009B0-82CF-5CDE-0000-0010883A0000}\r\nParentProcessId: 476\r\nParentImage: C:\\Windows\\System32\\winlogon.exe\r\nParentCommandLine: winlogon.exe" + "reason": "Windows Logon User Interface Host" }, "@timestamp": "2019-05-17T09:52:59.277000Z", - "process": { - "command_line": "c:\\windows\\system32\\logonui.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", - "parent": { - "command_line": "c:\\windows\\system32\\winlogon.exe", - "executable": "c:\\windows\\system32\\winlogon.exe", - "name": "winlogon.exe", - "working_directory": "c:\\windows\\system32\\" - }, - "executable": "c:\\windows\\system32\\logonui.exe", - "ppid": "476", - "thread": { - "id": 2152 - }, - "working_directory": "c:\\windows\\system32\\", - "pid": 4540, - "id": 4540, - "hash": 
{ - "md5": "d40c84e829922b70d511bb2cc6268d49", - "sha256": "9a54ee3d6d16d0fe3458b1ae1212f546f94b9e28e5a845d311a04191c724d652" - }, - "name": "logonui.exe" - }, "action": { - "record_id": 66, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, + "name": "Process creation", "properties": { - "Image": "c:\\windows\\system32\\logonui.exe", - "ParentImage": "c:\\windows\\system32\\winlogon.exe", "AccountName": "Syst\u00e8me", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\windows\\system32\\logonui.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, + "ParentImage": "c:\\windows\\system32\\winlogon.exe", "ProcessGuid": "{0BA009B0-847B-5CDE-0000-001038720D00}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 1, - "User": "AUTORITE NT\\Syst\u00c3\u00a8me", "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 1, + "User": "AUTORITE NT\\Syst\u00c3\u00a8me" }, - "name": "Process creation" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 66, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00c3\u00a8me", - "domain": "AUTORITE NT" + "process": { + "command_line": "c:\\windows\\system32\\logonui.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", + "executable": "c:\\windows\\system32\\logonui.exe", + "hash": { + "md5": "d40c84e829922b70d511bb2cc6268d49", + "sha256": "9a54ee3d6d16d0fe3458b1ae1212f546f94b9e28e5a845d311a04191c724d652" + }, + "id": 4540, + "name": "logonui.exe", + "parent": { + "command_line": "c:\\windows\\system32\\winlogon.exe", + "executable": "c:\\windows\\system32\\winlogon.exe", + "name": "winlogon.exe", + "working_directory": "c:\\windows\\system32\\" + 
}, + "pid": 4540, + "ppid": "476", + "thread": { + "id": 2152 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hash": [ @@ -3815,6 +3810,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00c3\u00a8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00c3\u00a8me" } } @@ -3831,32 +3831,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "process": { - "command_line": "c:\\windows\\system32\\reg.exe add hklm\\software\\microsoft\\command processor /v disableunccheck /t reg_dword /d 0x1 /f /reg:32", - "parent": { - "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", - "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", - "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0\\" - }, - "thread": { - "id": 3484 - }, - "executable": "c:\\windows\\system32\\reg.exe", - "pid": 3920, - "id": 3920, - "name": "reg.exe", - "working_directory": "c:\\windows\\system32\\" - }, "action": { - "record_id": 1639089, - "type": "Security", "id": 4688, + "name": "A new process has been created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "HOSTFOOBAR", 
@@ -3864,34 +3849,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetDomainName": "-", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13312 }, - "name": "A new process has been created", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "record_id": 1639089, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "target": { - "name": "-", - "domain": "-", - "id": "S-1-0-0" + "process": { + "command_line": "c:\\windows\\system32\\reg.exe add hklm\\software\\microsoft\\command processor /v disableunccheck /t reg_dword /d 0x1 /f /reg:32", + "executable": "c:\\windows\\system32\\reg.exe", + "id": 3920, + "name": "reg.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "name": "powershell.exe", + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0\\" }, - "name": "HOSTFOOBAR", - "domain": "KEY" + "pid": 3920, + "thread": { + "id": 3484 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hosts": [ @@ -3900,6 +3890,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "HOSTFOOBAR" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "HOSTFOOBAR", + "target": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + } } } 
@@ -3916,32 +3916,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "process": { - "command_line": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe /n c:\\users\\userfoo\\downloads\\background for adi-msi-dis june 2010 fr (1).docx /o ", - "parent": { - "executable": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", - "command_line": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", - "name": "chrome.exe", - "working_directory": "c:\\program files (x86)\\google\\chrome\\application\\" - }, - "thread": { - "id": 5632 - }, - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", - "pid": 5004, - "id": 5004, - "name": "winword.exe", - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16\\" - }, "action": { - "record_id": 1454160, - "type": "Security", "id": 4688, + "name": "A new process has been created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0xc2801", "SubjectUserName": "USERFOO", 
@@ -3949,34 +3934,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "TargetDomainName": "-", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13312 }, - "name": "A new process has been created", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "record_id": 1454160, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-21-1574594750-1263408776-2012955550-78445", - "target": { - "name": "-", - "domain": "-", - "id": "S-1-0-0" + "process": { + "command_line": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe /n c:\\users\\userfoo\\downloads\\background for adi-msi-dis june 2010 fr (1).docx /o ", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "id": 5004, + "name": "winword.exe", + "parent": { + "command_line": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", + "executable": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", + "name": "chrome.exe", + "working_directory": "c:\\program files (x86)\\google\\chrome\\application\\" }, - "name": "USERFOO", - "domain": "KEY" + "pid": 5004, + "thread": { + "id": 5632 + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16\\" }, "related": { "hosts": [ @@ -3985,6 +3975,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "USERFOO" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-21-1574594750-1263408776-2012955550-78445", + "name": "USERFOO", + "target": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + } } } 
@@ -3999,64 +3999,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-28 12:23:17\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":34819,\"ProcessID\":1436,\"ThreadID\":2860,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\\\r\\\\nRuleName: InvDB\\\\r\\\\nEventType: SetValue\\\\r\\\\nUtcTime: 2010-10-28 11:23:17.379\\\\r\\\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\\\r\\\\nProcessId: 1012\\\\r\\\\nImage: C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\\r\\\\nTargetObject: HKU\\\\\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Compatibility Assistant\\\\\\\\Store\\\\\\\\C:\\\\\\\\Program Files\\\\\\\\WindowsApps\\\\\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\\\\\LocalBridge.exe\\\\r\\\\nDetails: Binary Data\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"InvDB\",\"UtcTime\":\"2010-10-28 11:23:17.379\",\"ProcessGuid\":\"{34EA5B98-48E6-5F99-1600-000000000E00}\",\"Image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\",\"TargetObject\":\"HKU\\\\\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Compatibility Assistant\\\\\\\\Store\\\\\\\\C:\\\\\\\\Program Files\\\\\\\\WindowsApps\\\\\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\\\\\LocalBridge.exe\",\"Details\":\"Binary 
Data\",\"EventReceivedTime\":\"2010-10-28 12:23:19\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "provider": "Microsoft-Windows-Sysmon", - "message": "Registry value set:\\r\\nRuleName: InvDB\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-10-28 11:23:17.379\\r\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\r\\nProcessId: 1012\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\\r\\nDetails: Binary Data" + "message": "Registry value set:\\r\\nRuleName: InvDB\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-10-28 11:23:17.379\\r\\nProcessGuid: {34EA5B98-48E6-5F99-1600-000000000E00}\\r\\nProcessId: 1012\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nTargetObject: HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe\\r\\nDetails: Binary Data", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-10-28T11:23:17.379000Z", "action": { - "record_id": 34819, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, + "name": "RegistryEvent (Value Set)", "properties": { - "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", - "Details": "Binary Data", "AccountName": "SYSTEM", "AccountType": "User", + "Details": "Binary Data", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{34EA5B98-48E6-5F99-1600-000000000E00}", "ProviderGuid": 
"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "TargetObject": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", - "Task": 13, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "TargetObject": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", + "Task": 13 }, - "name": "RegistryEvent (Value Set)", - "target": "registry" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 34819, + "target": "registry", + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\\\windows\\\\system32\\\\svchost.exe", + "id": 1436, + "name": "svchost.exe", + "pid": 1436, "thread": { "id": 2860 }, - "pid": 1436, - "id": 1436, - "name": "svchost.exe", "working_directory": "c:\\\\windows\\\\system32\\\\" }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, "registry": { - "value": "LocalBridge.exe", "hive": "HKU", - "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe" + "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", + "value": "LocalBridge.exe" }, "related": { "hosts": [ @@ -4065,6 +4060,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -4079,72 +4079,56 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": " {\"EventTime\":\"2011-03-02 01:40:47\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":4611686018427387904,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":61,\"SourceName\":\"Microsoft-Windows-Bits-Client\",\"ProviderGuid\":\"{EF1CC15B-46C1-414E-BB95-E76B077BD51E}\",\"Version\":1,\"Task\":0,\"OpcodeValue\":2,\"RecordNumber\":18732,\"ActivityID\":\"{5B327F5A-B797-4B7E-AB05-11A0E98A15AF}\",\"ProcessID\":5796,\"ThreadID\":12472,\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.\",\"Opcode\":\"Arr\u00c3\u00aater\",\"transferId\":\"{5b327f5a-b797-4b7e-ab05-11a0e98a15af}\",\"name\":\"Font Download\",\"Id\":\"{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}\",\"url\":\"https://fs.microsoft.com/fs/windows/config.json\",\"hr\":\"2147954402\",\"fileTime\":\"1601-01-01T00:00:00.0000000Z\",\"fileLength\":\"18446744073709551615\",\"bytesTotal\":\"18446744073709551615\",\"bytesTransferred\":\"0\",\"peerProtocolFlags\":\"0\",\"bytesTransferredFromPeer\":\"0\",\"AdditionalInfoHr\":\"0\",\"PeerContextInfo\":\"0\",\"bandwidthLimit\":\"18446744073709551615\",\"ignoreBandwidthLimitsOnLan\":\"false\",\"EventReceivedTime\":\"2011-03-02 01:40:48\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "61", - "provider": "Microsoft-Windows-Bits-Client", - "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL 
https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2." - }, - "file": { - "name": "font download", - "size": -1 + "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.", + "provider": "Microsoft-Windows-Bits-Client" }, "action": { - "record_id": 18732, - "type": "Microsoft-Windows-Bits-Client/Operational", "id": 61, "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", + "BytesTotal": "-1", "Domain": "AUTORITE NT", "EventType": "WARNING", "Id": "{895bd5ca-3d9e-4ea9-8965-8cbb9e2961dc}", + "Keywords": "4611686018427387904", "OpcodeValue": 2, "ProviderGuid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}", "Severity": "WARNING", - "Task": 0, - "bytesTransferred": "0", "SourceName": "Microsoft-Windows-Bits-Client", - "Keywords": "4611686018427387904", - "BytesTotal": "-1" - } + "Task": 0, + "bytesTransferred": "0" + }, + "record_id": 18732, + "type": "Microsoft-Windows-Bits-Client/Operational" }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "warning" + "destination": { + "address": "fs.microsoft.com", + "domain": "fs.microsoft.com", + "size_in_char": 16 + }, + "file": { + "name": "font download", + "size": -1 }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": "warning" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 5796, + "pid": 5796, "thread": { "id": 12472 - }, - "pid": 5796, - "id": 5796 - }, - "url": { - "original": "https://fs.microsoft.com/fs/windows/config.json", - "full": "https://fs.microsoft.com/fs/windows/config.json", - "domain": "fs.microsoft.com", - "scheme": "https", - "path": "/fs/windows/config.json", - "top_level_domain": "com", - "subdomain": "fs", - "registered_domain": 
"microsoft.com", - "port": 443 - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" - }, - "destination": { - "domain": "fs.microsoft.com", - "address": "fs.microsoft.com", - "size_in_char": 16 + } }, "related": { "hosts": [ @@ -4154,6 +4138,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "url": { + "domain": "fs.microsoft.com", + "full": "https://fs.microsoft.com/fs/windows/config.json", + "original": "https://fs.microsoft.com/fs/windows/config.json", + "path": "/fs/windows/config.json", + "port": 443, + "registered_domain": "microsoft.com", + "scheme": "https", + "subdomain": "fs", + "top_level_domain": "com" + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -4168,56 +4168,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-04-01 16:37:06\",\"Hostname\":\"host.foo.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4702,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":12804,\"OpcodeValue\":0,\"RecordNumber\":393771,\"ActivityID\":\"{13AB68AE-1C3D-0000-296A-AB133D1CD701}\",\"ProcessID\":608,\"ThreadID\":244,\"Channel\":\"Security\",\"Message\":\"Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\\r\\n\\r\\nObjet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom de compte :\\t\\tSEKADWV01$\\r\\n\\tDomaine du compte :\\t\\tSEKOPOC\\r\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\r\\n\\r\\nInformations sur la t\u00e2che :\\r\\n\\tNom de la t\u00e2che : \\t\\t\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\\r\\n\\tNouveau contenu de la t\u00e2che : \\t\\t\\r\\n\\r\\n \\r\\n \\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\\r\\n \\r\\n \\r\\n \\r\\n 2011-04-15T14:37:06.282Z\\r\\n true\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n false\\r\\n false\\r\\n true\\r\\n true\\r\\n false\\r\\n \\r\\n PT10M\\r\\n PT1H\\r\\n true\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n true\\r\\n PT72H\\r\\n 7\\r\\n \\r\\n \\r\\n \\r\\n %systemroot%\\\\system32\\\\usoclient.exe\\r\\n StartScan\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n S-1-5-18\\r\\n LeastPrivilege\\r\\n \\r\\n \\r\\n\\r\\n\\t\",\"Category\":\"Other Object Access Events\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"SEKADWV01$\",\"SubjectDomainName\":\"SEKOPOC\",\"SubjectLogonId\":\"0x3e7\",\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan\",\"TaskContentNew\":\"<?xml version=\\\"1.0\\\" 
encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <URI>\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Backup Scan</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <TimeTrigger>\\r\\n <StartBoundary>2011-04-15T14:37:06.282Z</StartBoundary>\\r\\n <Enabled>true</Enabled>\\r\\n </TimeTrigger>\\r\\n </Triggers>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>true</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT10M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n <StopOnIdleEnd>true</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n <Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>true</WakeToRun>\\r\\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\r\\n <Priority>7</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>%systemroot%\\\\system32\\\\usoclient.exe</Command>\\r\\n <Arguments>StartScan</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <UserId>S-1-5-18</UserId>\\r\\n <RunLevel>LeastPrivilege</RunLevel>\\r\\n </Principal>\\r\\n </Principals>\\r\\n</Task>\",\"EventReceivedTime\":\"2011-04-01 16:37:08\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4702", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 
:\t\tS-1-5-18\r\n\tNom de compte :\t\tSEKADWV01$\r\n\tDomaine du compte :\t\tSEKOPOC\r\n\tID d\u2019ouverture de session :\t\t0x3E7\r\n\r\nInformations sur la t\u00e2che :\r\n\tNom de la t\u00e2che : \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n\tNouveau contenu de la t\u00e2che : \t\t\r\n\r\n \r\n \\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n \r\n \r\n \r\n 2011-04-15T14:37:06.282Z\r\n true\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT10M\r\n PT1H\r\n true\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n true\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n %systemroot%\\system32\\usoclient.exe\r\n StartScan\r\n \r\n \r\n \r\n \r\n S-1-5-18\r\n LeastPrivilege\r\n \r\n \r\n\r\n\t" + "message": "Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom de compte :\t\tSEKADWV01$\r\n\tDomaine du compte :\t\tSEKOPOC\r\n\tID d\u2019ouverture de session :\t\t0x3E7\r\n\r\nInformations sur la t\u00e2che :\r\n\tNom de la t\u00e2che : \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n\tNouveau contenu de la t\u00e2che : \t\t\r\n\r\n \r\n \\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n \r\n \r\n \r\n 2011-04-15T14:37:06.282Z\r\n true\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT10M\r\n PT1H\r\n true\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n true\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n %systemroot%\\system32\\usoclient.exe\r\n StartScan\r\n \r\n \r\n \r\n \r\n S-1-5-18\r\n LeastPrivilege\r\n \r\n \r\n\r\n\t", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 393771, - "type": "Security", "id": 4702, + "name": "A scheduled task was updated", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": 
"INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "SEKOPOC", "SubjectLogonId": "0x3e7", "SubjectUserName": "SEKADWV01$", "SubjectUserSid": "S-1-5-18", "Task": 12804, "TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <TimeTrigger>\r\n <StartBoundary>2011-04-15T14:37:06.282Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n </TimeTrigger>\r\n </Triggers>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT10M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>true</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>%systemroot%\\system32\\usoclient.exe</Command>\r\n <Arguments>StartScan</Arguments>\r\n </Exec>\r\n </Actions>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n</Task>", - "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan", - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816", "TaskContentNew_Args": "StartScan", - 
"TaskContentNew_Command": "%systemroot%\\system32\\usoclient.exe" + "TaskContentNew_Command": "%systemroot%\\system32\\usoclient.exe", + "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan" }, - "name": "A scheduled task was updated", - "outcome": "success" - }, - "log": { - "hostname": "host.foo.local", - "level": "info" + "record_id": 393771, + "type": "Security" }, "host": { "hostname": "host.foo.local", "name": "host.foo.local" }, + "log": { + "hostname": "host.foo.local", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 608, + "pid": 608, "thread": { "id": 244 - }, - "pid": 608, - "id": 608 - }, - "user": { - "id": "S-1-5-18", - "name": "SEKADWV01$", - "domain": "SEKOPOC" + } }, "related": { "hosts": [ @@ -4226,6 +4221,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SEKADWV01$" ] + }, + "user": { + "domain": "SEKOPOC", + "id": "S-1-5-18", + "name": "SEKADWV01$" } } 
@@ -4240,15 +4240,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-11-16 14:49:29\",\"Hostname\":\"pps-val-app\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4673,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":0,\"Task\":13056,\"OpcodeValue\":0,\"RecordNumber\":10604999,\"ProcessID\":4,\"ThreadID\":19016,\"Channel\":\"Security\",\"Message\":\"A privileged service was called.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tPPS-VAL-APP$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nService:\\r\\n\\tServer:\\tNT Local Security Authority / Authentication Service\\r\\n\\tService Name:\\tLsaRegisterLogonProcess()\\r\\n\\r\\nProcess:\\r\\n\\tProcess ID:\\t0x7e0\\r\\n\\tProcess Name:\\tC:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\r\\nService Request Information:\\r\\n\\tPrivileges:\\t\\tSeTcbPrivilege\",\"Category\":\"Sensitive Privilege Use\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"PPS-VAL-APP$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"ObjectServer\":\"NT Local Security Authority / Authentication Service\",\"Service\":\"LsaRegisterLogonProcess()\",\"PrivilegeList\":\"SeTcbPrivilege\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"EventReceivedTime\":\"2010-11-16 14:49:31\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4673", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tPPS-VAL-APP$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService:\r\n\tServer:\tNT Local Security Authority / Authentication Service\r\n\tService 
Name:\tLsaRegisterLogonProcess()\r\n\r\nProcess:\r\n\tProcess ID:\t0x7e0\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege" + "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tPPS-VAL-APP$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService:\r\n\tServer:\tNT Local Security Authority / Authentication Service\r\n\tService Name:\tLsaRegisterLogonProcess()\r\n\r\nProcess:\r\n\tProcess ID:\t0x7e0\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 10604999, - "type": "Security", "id": 4673, + "name": "A privileged service was called", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "ObjectServer": "NT Local Security Authority / Authentication Service", "OpcodeValue": 0, "PrivilegeList": "SeTcbPrivilege", 
@@ -4256,44 +4257,38 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Service": "LsaRegisterLogonProcess()",
 "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-Security-Auditing",
 "SubjectDomainName": "KEY",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "PPS-VAL-APP$",
 "SubjectUserSid": "S-1-5-18",
- "Task": 13056,
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
+ "Task": 13056
 },
- "name": "A privileged service was called",
- "outcome": "success"
- },
- "log": {
- "hostname": "pps-val-app",
- "level": "info"
+ "record_id": 10604999,
+ "type": "Security"
 },
 "host": {
 "hostname": "pps-val-app",
 "name": "pps-val-app"
 },
+ "log": {
+ "hostname": "pps-val-app",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
- "thread": {
- "id": 19016
- },
 "executable": "c:\\windows\\system32\\lsass.exe",
- "pid": 4,
 "id": 4,
 "name": "lsass.exe",
+ "pid": 4,
+ "thread": {
+ "id": 19016
+ },
 "working_directory": "c:\\windows\\system32\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "PPS-VAL-APP$",
- "domain": "KEY"
- },
 "related": {
 "hosts": [
 "pps-val-app"
@@ -4301,6 +4296,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "PPS-VAL-APP$"
 ]
+ },
+ "user": {
+ "domain": "KEY",
+ "id": "S-1-5-18",
+ "name": "PPS-VAL-APP$"
 }
 }
@@ -4318,11 +4318,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "provider": "Microsoft-Windows-Security-Auditing"
 },
 "action": {
- "record_id": 1704922,
- "type": "Security",
 "id": 4697,
+ "name": "A service was installed in the system",
+ "outcome": "success",
 "properties": {
 "EventType": "AUDIT_SUCCESS",
+ "Keywords": "-9214364837600034816",
 "OpcodeValue": 0,
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "ServiceAccount": "LocalSystem",
@@ -4331,40 +4332,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ServiceStartType": "2",
 "ServiceType": "0xe0",
 "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-Security-Auditing",
 "SubjectDomainName": "KEY",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "V-FOO$",
 "SubjectUserSid": "S-1-5-18",
- "Task": 12289,
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
+ "Task": 12289
 },
- "name": "A service was installed in the system",
- "outcome": "success"
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "record_id": 1704922,
+ "type": "Security"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
+ "id": 640,
+ "pid": 640,
 "thread": {
 "id": 8908
- },
- "pid": 640,
- "id": 640
- },
- "user": {
- "id": "S-1-5-18",
- "name": "V-FOO$",
- "domain": "KEY"
+ }
 },
 "related": {
 "hosts": [
@@ -4373,6 +4368,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "V-FOO$"
 ]
+ },
+ "user": {
+ "domain": "KEY",
+ "id": "S-1-5-18",
+ "name": "V-FOO$"
 }
 }
@@ -4387,14 +4387,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-10-15 16:52:28\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":10,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":10,\"OpcodeValue\":0,\"RecordNumber\":1481365,\"ProcessID\":9628,\"ThreadID\":10352,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process accessed:\\r\\nRuleName: \\r\\nUtcTime: 2010-10-15 14:52:28.536\\r\\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\\r\\nSourceProcessId: 920\\r\\nSourceThreadId: 1052\\r\\nSourceImage: C:\\\\Windows\\\\System32\\\\VBoxService.exe\\r\\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\\r\\nTargetProcessId: 4324\\r\\nTargetImage: C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe\\r\\nGrantedAccess: 0x1400\\r\\nCallTrace: C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9c534|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+305fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+12d8d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+140cf|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1435d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fc2b|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1071a|C:\\\\Windows\\\\System32\\\\VBoxService.exe+17fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+31c1f|C:\\\\Windows\\\\System32\\\\VBoxService.exe+35682|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbbeb|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbc7f|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17bd4|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+6ce51\",\"Category\":\"Process accessed (rule: ProcessAccess)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-10-15 
14:52:28.536\",\"SourceProcessGUID\":\"{c8188de9-3743-5f84-0000-00100ef00000}\",\"SourceProcessId\":\"920\",\"SourceThreadId\":\"1052\",\"SourceImage\":\"C:\\\\Windows\\\\System32\\\\VBoxService.exe\",\"TargetProcessGUID\":\"{c8188de9-3771-5f84-0000-0010443b0900}\",\"TargetProcessId\":\"4324\",\"TargetImage\":\"C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe\",\"GrantedAccess\":\"0x1400\",\"CallTrace\":\"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+9c534|C:\\\\WINDOWS\\\\System32\\\\KERNELBASE.dll+305fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+12d8d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+140cf|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1435d|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fc2b|C:\\\\Windows\\\\System32\\\\VBoxService.exe+1071a|C:\\\\Windows\\\\System32\\\\VBoxService.exe+17fe|C:\\\\Windows\\\\System32\\\\VBoxService.exe+31c1f|C:\\\\Windows\\\\System32\\\\VBoxService.exe+35682|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbbeb|C:\\\\Windows\\\\System32\\\\VBoxService.exe+fbc7f|C:\\\\WINDOWS\\\\System32\\\\KERNEL32.DLL+17bd4|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+6ce51\",\"EventReceivedTime\":\"2010-10-15 16:56:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "10", - "provider": "Microsoft-Windows-Sysmon", - "message": "Process accessed:\r\nRuleName: \r\nUtcTime: 2010-10-15 14:52:28.536\r\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\r\nSourceProcessId: 920\r\nSourceThreadId: 1052\r\nSourceImage: C:\\Windows\\System32\\VBoxService.exe\r\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\r\nTargetProcessId: 4324\r\nTargetImage: C:\\WINDOWS\\system32\\ctfmon.exe\r\nGrantedAccess: 0x1400\r\nCallTrace: 
C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51" + "message": "Process accessed:\r\nRuleName: \r\nUtcTime: 2010-10-15 14:52:28.536\r\nSourceProcessGUID: {c8188de9-3743-5f84-0000-00100ef00000}\r\nSourceProcessId: 920\r\nSourceThreadId: 1052\r\nSourceImage: C:\\Windows\\System32\\VBoxService.exe\r\nTargetProcessGUID: {c8188de9-3771-5f84-0000-0010443b0900}\r\nTargetProcessId: 4324\r\nTargetImage: C:\\WINDOWS\\system32\\ctfmon.exe\r\nGrantedAccess: 0x1400\r\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-10-15T14:52:28.536000Z", "action": { - "record_id": 1481365, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 10, + "name": "ProcessAccess", "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", 
@@ -4402,46 +4401,42 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
 "GrantedAccess": "0x1400",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
 "SourceImage": "c:\\windows\\system32\\vboxservice.exe",
+ "SourceName": "Microsoft-Windows-Sysmon",
 "SourceProcessId": "920",
 "TargetImage": "c:\\windows\\system32\\ctfmon.exe",
 "TargetProcessId": "4324",
- "Task": 10,
- "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808"
+ "Task": 10
 },
- "name": "ProcessAccess"
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "record_id": 1481365,
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
- "thread": {
- "id": 10352
- },
 "executable": "c:\\windows\\system32\\vboxservice.exe",
- "pid": 920,
 "id": 920,
 "name": "vboxservice.exe",
+ "pid": 920,
+ "thread": {
+ "id": 10352
+ },
 "working_directory": "c:\\windows\\system32\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
- },
 "related": {
 "hosts": [
 "DESKTOP-FOOBARZ"
@@ -4449,6 +4444,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -4463,63 +4463,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 16:10:53\",\"Hostname\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":11,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":11,\"OpcodeValue\":0,\"RecordNumber\":3561,\"ProcessID\":4492,\"ThreadID\":9332,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-12-16 15:10:53.715\\r\\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\\r\\nProcessId: 2060\\r\\nImage: C:\\\\Program Files (x86)\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Bin\\\\ccSvcHst.exe\\r\\nTargetFilename: C:\\\\Windows\\\\Temp\\\\SymDelta_2060\\\\content.zip.tmp\\\\cur.scr\\r\\nCreationUtcTime: 2019-12-16 15:10:53.715\",\"Category\":\"File created (rule: FileCreate)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 15:10:53.715\",\"ProcessGuid\":\"{23AD1E42-B4F1-5C41-0000-001028060400}\",\"Image\":\"C:\\\\Program Files (x86)\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Bin\\\\ccSvcHst.exe\",\"TargetFilename\":\"C:\\\\Windows\\\\Temp\\\\SymDelta_2060\\\\content.zip.tmp\\\\cur.scr\",\"CreationUtcTime\":\"2019-12-16 15:10:53.715\",\"EventReceivedTime\":\"2019-12-16 16:10:54\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "11", - "provider": "Microsoft-Windows-Sysmon", - "message": "File created:\r\nRuleName: \r\nUtcTime: 2019-12-16 15:10:53.715\r\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\r\nProcessId: 2060\r\nImage: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint 
Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe\r\nTargetFilename: C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr\r\nCreationUtcTime: 2019-12-16 15:10:53.715" + "message": "File created:\r\nRuleName: \r\nUtcTime: 2019-12-16 15:10:53.715\r\nProcessGuid: {23AD1E42-B4F1-5C41-0000-001028060400}\r\nProcessId: 2060\r\nImage: C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe\r\nTargetFilename: C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr\r\nCreationUtcTime: 2019-12-16 15:10:53.715", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2019-12-16T15:10:53.715000Z", "action": { - "record_id": 3561, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 11, + "name": "FileCreate", "properties": { - "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", "AccountName": "Syst\ufffdme", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{23AD1E42-B4F1-5C41-0000-001028060400}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 11, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", - "TargetFilename": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr" + "TargetFilename": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr", + "Task": 11 }, - "name": "FileCreate" + "record_id": 3561, + "type": "Microsoft-Windows-Sysmon/Operational" }, "file": { "created": "2019-12-16T15:10:53.715000Z", "name": "cur.scr", "path": "c:\\windows\\temp\\symdelta_2060\\content.zip.tmp\\cur.scr" }, - "log": { - "hostname": "USERNAME01.ACT.CORP.local", - "level": "info" - }, "host": { "hostname": "USERNAME01.ACT.CORP.local", "name": "USERNAME01.ACT.CORP.local" }, + "log": { 
+ "hostname": "USERNAME01.ACT.CORP.local", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "id": 2060, + "name": "ccsvchst.exe", + "pid": 2060, "thread": { "id": 9332 }, - "pid": 2060, - "id": 2060, - "name": "ccsvchst.exe", "working_directory": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\" }, - "user": { - "id": "S-1-5-18", - "name": "Syst\ufffdme", - "domain": "AUTORITE NT" - }, "related": { "hosts": [ "USERNAME01.ACT.CORP.local" @@ -4527,6 +4522,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\ufffdme" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\ufffdme" } } 
@@ -4541,71 +4541,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2019-12-16 08:10:31\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":3456,\"ProcessID\":44420,\"ThreadID\":27948,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2019-12-16 07:10:31.795\\r\\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\\r\\nProcessId: 572\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\nolmhash\\r\\nDetails: DWORD (0x00000001)\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 07:10:31.795\",\"ProcessGuid\":\"{D19882A0-7814-5B1E-0000-001015400100}\",\"Image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"TargetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\nolmhash\",\"Details\":\"DWORD (0x00000001)\",\"EventReceivedTime\":\"2019-12-16 08:10:32\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "provider": "Microsoft-Windows-Sysmon", - "message": "Registry value set:\r\nRuleName: \r\nEventType: SetValue\r\nUtcTime: 2019-12-16 07:10:31.795\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash\r\nDetails: DWORD (0x00000001)" + "message": "Registry value set:\r\nRuleName: \r\nEventType: 
SetValue\r\nUtcTime: 2019-12-16 07:10:31.795\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash\r\nDetails: DWORD (0x00000001)", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2019-12-16T07:10:31.795000Z", "action": { - "record_id": 3456, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, + "name": "RegistryEvent (Value Set)", "properties": { - "MessEventType": "SetValue", - "Image": "c:\\windows\\system32\\services.exe", - "Details": "DWORD (0x00000001)", "AccountName": "Syst\ufffdme", "AccountType": "User", + "Details": "DWORD (0x00000001)", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\windows\\system32\\services.exe", + "Keywords": "-9223372036854775808", + "MessEventType": "SetValue", "OpcodeValue": 0, "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", - "Task": 13, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", + "Task": 13 }, - "name": "RegistryEvent (Value Set)", - "target": "registry" - }, - "log": { - "hostname": "HOSTNAMEFOO.ACT.CORP.local", - "level": "info" + "record_id": 3456, + "target": "registry", + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "HOSTNAMEFOO.ACT.CORP.local", "name": "HOSTNAMEFOO.ACT.CORP.local" }, + "log": { + "hostname": "HOSTNAMEFOO.ACT.CORP.local", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\windows\\system32\\services.exe", + "id": 572, + "name": "services.exe", + "pid": 572, "thread": { "id": 27948 }, - "pid": 572, - "id": 572, - "name": "services.exe", "working_directory": "c:\\windows\\system32\\" 
}, - "user": { - "id": "S-1-5-18", - "name": "Syst\ufffdme", - "domain": "AUTORITE NT" - }, "registry": { - "value": "nolmhash", - "hive": "HKLM", - "key": "System\\CurrentControlSet\\Control\\Lsa\\nolmhash", "data": { - "type": "REG_DWORD", "strings": [ "1" - ] - } + ], + "type": "REG_DWORD" + }, + "hive": "HKLM", + "key": "System\\CurrentControlSet\\Control\\Lsa\\nolmhash", + "value": "nolmhash" }, "related": { "hosts": [ @@ -4614,6 +4609,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\ufffdme" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\ufffdme" } } 
@@ -4628,71 +4628,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-03-31 15:02:03\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":13,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":13,\"OpcodeValue\":0,\"RecordNumber\":49665,\"ProcessID\":16532,\"ThreadID\":35536,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Registry value set:\\r\\nRuleName: T1031,T1050\\r\\nEventType: SetValue\\r\\nUtcTime: 2010-03-31 13:02:03.124\\r\\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\\r\\nProcessId: 572\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\NAVENG\\\\ImagePath\\r\\nDetails: \\\\??\\\\C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20100330.020\\\\ENG64.SYS\",\"Category\":\"Registry value set (rule: RegistryEvent)\",\"Opcode\":\"Informations\",\"RuleName\":\"T1031,T1050\",\"UtcTime\":\"2010-03-31 13:02:03.124\",\"ProcessGuid\":\"{D19882A0-7814-5B1E-0000-001015400100}\",\"Image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"TargetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\services\\\\NAVENG\\\\ImagePath\",\"Details\":\"\\\\??\\\\C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20100330.020\\\\ENG64.SYS\",\"EventReceivedTime\":\"2010-03-31 15:02:05\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "13", - "provider": "Microsoft-Windows-Sysmon", - "message": "Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: 
SetValue\r\nUtcTime: 2010-03-31 13:02:03.124\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath\r\nDetails: \\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS" + "message": "Registry value set:\r\nRuleName: T1031,T1050\r\nEventType: SetValue\r\nUtcTime: 2010-03-31 13:02:03.124\r\nProcessGuid: {D19882A0-7814-5B1E-0000-001015400100}\r\nProcessId: 572\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath\r\nDetails: \\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-03-31T13:02:03.124000Z", "action": { - "record_id": 49665, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 13, + "name": "RegistryEvent (Value Set)", "properties": { - "MessEventType": "SetValue", - "Image": "c:\\windows\\system32\\services.exe", - "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", "AccountName": "Syst\u00e8me", "AccountType": "User", + "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\windows\\system32\\services.exe", + "Keywords": "-9223372036854775808", + "MessEventType": "SetValue", "OpcodeValue": 0, "ProcessGuid": "{D19882A0-7814-5B1E-0000-001015400100}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", - "Task": 13, "SourceName": "Microsoft-Windows-Sysmon", - 
"Keywords": "-9223372036854775808" + "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", + "Task": 13 }, - "name": "RegistryEvent (Value Set)", - "target": "registry" - }, - "log": { - "hostname": "HOSTNAMEFOO.ACT.CORP.local", - "level": "info" + "record_id": 49665, + "target": "registry", + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "HOSTNAMEFOO.ACT.CORP.local", "name": "HOSTNAMEFOO.ACT.CORP.local" }, + "log": { + "hostname": "HOSTNAMEFOO.ACT.CORP.local", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\windows\\system32\\services.exe", + "id": 572, + "name": "services.exe", + "pid": 572, "thread": { "id": 35536 }, - "pid": 572, - "id": 572, - "name": "services.exe", "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" - }, "registry": { - "value": "ImagePath", - "hive": "HKLM", - "key": "System\\CurrentControlSet\\services\\NAVENG\\ImagePath", "data": { - "type": "REG_SZ", "strings": [ "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS" - ] - } + ], + "type": "REG_SZ" + }, + "hive": "HKLM", + "key": "System\\CurrentControlSet\\services\\NAVENG\\ImagePath", + "value": "ImagePath" }, "related": { "hosts": [ @@ -4701,6 +4696,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -4715,72 +4715,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-05-11 17:36:44\",\"Hostname\":\"PCFOO4019.Comte.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":15,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":15,\"OpcodeValue\":0,\"RecordNumber\":111672,\"ProcessID\":5288,\"ThreadID\":6860,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"File stream created:\\r\\nRuleName: -\\r\\nUtcTime: 2011-05-11 15:36:44.305\\r\\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\\r\\nProcessId: 3768\\r\\nImage: C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\r\\nTargetFilename: C:\\\\Users\\\\Pipin_Touque\\\\Downloads\\\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\\r\\nCreationUtcTime: 2011-05-11 15:36:43.452\\r\\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\\r\\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ \",\"Category\":\"File stream created (rule: FileCreateStreamHash)\",\"Opcode\":\"Informations\",\"RuleName\":\"-\",\"UtcTime\":\"2011-05-11 15:36:44.305\",\"ProcessGuid\":\"{3cb7cf38-a48b-609a-490c-000000002a00}\",\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"TargetFilename\":\"C:\\\\Users\\\\Pipin_Touque\\\\Downloads\\\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\",\"CreationUtcTime\":\"2011-05-11 
15:36:43.452\",\"Hash\":\"MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\",\"Contents\":\"[ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ \",\"EventReceivedTime\":\"2011-05-11 17:36:44\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "15", - "provider": "Microsoft-Windows-Sysmon", - "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2011-05-11 15:36:44.305\r\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\r\nProcessId: 3768\r\nImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nTargetFilename: C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\r\nCreationUtcTime: 2011-05-11 15:36:43.452\r\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\r\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ " + "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2011-05-11 15:36:44.305\r\nProcessGuid: {3cb7cf38-a48b-609a-490c-000000002a00}\r\nProcessId: 3768\r\nImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\r\nTargetFilename: C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier\r\nCreationUtcTime: 2011-05-11 15:36:43.452\r\nHash: MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000\r\nContents: [ZoneTransfer] ZoneId=3 HostUrl=https://entreprises.interepargne.natixis.com/ ", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2011-05-11T15:36:44.305000Z", "action": { - "record_id": 111672, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 15, + "name": 
"FileCreateStreamHash", "properties": { - "Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", "AccountName": "Syst\u00e8me", "AccountType": "User", + "Content": "ZoneTransfer", "Domain": "AUTORITE NT", "EventType": "INFO", "Hash": "MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000", + "HostUrl": "https://entreprises.interepargne.natixis.com/", + "Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{3cb7cf38-a48b-609a-490c-000000002a00}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 15, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808", "TargetFilename": "C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier", - "Content": "ZoneTransfer", - "HostUrl": "https://entreprises.interepargne.natixis.com/", + "Task": 15, "ZoneId": "3" }, - "name": "FileCreateStreamHash" + "record_id": 111672, + "type": "Microsoft-Windows-Sysmon/Operational" }, "file": { "created": "2011-05-11T15:36:43.452000Z", - "name": "hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier", - "path": "c:\\users\\pipin_touque\\downloads\\hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier", "hash": { "imphash": "00000000000000000000000000000000", "md5": "c570199c8261a913bbaa5c7d5020498b", "sha256": "0454b363c7f09ff5ab778f07df4f5fa123cc73e950283234717c50066cb62ea7" - } - }, - "log": { - "hostname": "PCFOO4019.Comte.local", - "level": "info" + }, + "name": "hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier", + "path": "c:\\users\\pipin_touque\\downloads\\hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier" }, "host": { "hostname": 
"PCFOO4019.Comte.local", "name": "PCFOO4019.Comte.local" }, + "log": { + "hostname": "PCFOO4019.Comte.local", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "id": 3768, + "name": "chrome.exe", + "pid": 3768, "thread": { "id": 6860 }, - "pid": 3768, - "id": 3768, - "name": "chrome.exe", "working_directory": "c:\\program files\\google\\chrome\\application\\" }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" - }, "related": { "hash": [ "0454b363c7f09ff5ab778f07df4f5fa123cc73e950283234717c50066cb62ea7", @@ -4792,6 +4787,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } @@ -4810,9 +4810,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2011-07-23T08:38:21.996000Z", "action": { - "record_id": 6045, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 16, + "name": "Sysmon config state changed", "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", 
@@ -4820,38 +4819,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ConfigurationFileHash": "SHA256=F89C54AE9EEB2BF3810DC3F1B974A4AC56FF013D0A67BBFBB33D217530279740", "Domain": "AUTORITE NT", "EventType": "INFO", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 16, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 16 }, - "name": "Sysmon config state changed" - }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "info" + "record_id": 6045, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 12624, + "pid": 12624, "thread": { "id": 4724 - }, - "pid": 12624, - "id": 12624 - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" + } }, "related": { "hosts": [ @@ -4860,6 +4855,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -4874,59 +4874,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-16 12:36:40\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":17,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":1,\"Task\":17,\"OpcodeValue\":0,\"RecordNumber\":1148,\"ProcessID\":8764,\"ThreadID\":2780,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Pipe Created:\\r\\nRuleName: -\\r\\nEventType: CreatePipe\\r\\nUtcTime: 2010-12-16 11:36:40.267\\r\\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\\r\\nProcessId: 2584\\r\\nPipeName: \\\\wkssvc\\r\\nImage: c:\\\\windows\\\\system32\\\\svchost.exe\",\"Category\":\"Pipe Created (rule: PipeEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-16 11:36:40.267\",\"ProcessGuid\":\"{FC729081-EDD6-5FD9-3D00-000000000500}\",\"PipeName\":\"\\\\wkssvc\",\"Image\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-12-16 12:36:42\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "17", - "provider": "Microsoft-Windows-Sysmon", - "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2010-12-16 11:36:40.267\r\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\r\nProcessId: 2584\r\nPipeName: \\wkssvc\r\nImage: c:\\windows\\system32\\svchost.exe" + "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2010-12-16 11:36:40.267\r\nProcessGuid: {FC729081-EDD6-5FD9-3D00-000000000500}\r\nProcessId: 2584\r\nPipeName: \\wkssvc\r\nImage: c:\\windows\\system32\\svchost.exe", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-12-16T11:36:40.267000Z", "action": { - "record_id": 
1148, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 17, + "name": "Pipe created", "properties": { - "MessEventType": "CreatePipe", - "Image": "c:\\windows\\system32\\svchost.exe", "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\windows\\system32\\svchost.exe", + "Keywords": "-9223372036854775808", + "MessEventType": "CreatePipe", "OpcodeValue": 0, "PipeName": "\\wkssvc", "ProcessGuid": "{FC729081-EDD6-5FD9-3D00-000000000500}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 17, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 17 }, - "name": "Pipe created" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 1148, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\windows\\system32\\svchost.exe", + "id": 2584, + "name": "svchost.exe", + "pid": 2584, "thread": { "id": 2780 }, - "pid": 2584, - "id": 2584, - "name": "svchost.exe", "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, "related": { "hosts": [ "DESKTOP-FOOBARZ" @@ -4934,6 +4929,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -4948,59 +4948,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-16 12:37:00\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":18,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":1,\"Task\":18,\"OpcodeValue\":0,\"RecordNumber\":1151,\"ProcessID\":8764,\"ThreadID\":2780,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Pipe Connected:\\r\\nRuleName: -\\r\\nEventType: ConnectPipe\\r\\nUtcTime: 2010-12-16 11:37:00.267\\r\\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\\r\\nProcessId: 4032\\r\\nPipeName: \\\\wkssvc\\r\\nImage: C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\"Category\":\"Pipe Connected (rule: PipeEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-16 11:37:00.267\",\"ProcessGuid\":\"{FC729081-EDDC-5FD9-5800-000000000500}\",\"PipeName\":\"\\\\wkssvc\",\"Image\":\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\"EventReceivedTime\":\"2010-12-16 12:37:02\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "18", - "provider": "Microsoft-Windows-Sysmon", - "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2010-12-16 11:37:00.267\r\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\r\nProcessId: 4032\r\nPipeName: \\wkssvc\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe" + "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2010-12-16 11:37:00.267\r\nProcessGuid: {FC729081-EDDC-5FD9-5800-000000000500}\r\nProcessId: 4032\r\nPipeName: \\wkssvc\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": 
"2010-12-16T11:37:00.267000Z", "action": { - "record_id": 1151, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 18, + "name": "Pipe connected", "properties": { - "MessEventType": "ConnectPipe", - "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "Keywords": "-9223372036854775808", + "MessEventType": "ConnectPipe", "OpcodeValue": 0, "PipeName": "\\wkssvc", "ProcessGuid": "{FC729081-EDDC-5FD9-5800-000000000500}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 18, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 18 }, - "name": "Pipe connected" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 1151, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "id": 4032, + "name": "wmiprvse.exe", + "pid": 4032, "thread": { "id": 2780 }, - "pid": 4032, - "id": 4032, - "name": "wmiprvse.exe", "working_directory": "c:\\windows\\system32\\wbem\\" }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, "related": { "hosts": [ "DESKTOP-FOOBARZ" @@ -5008,6 +5003,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -5022,72 +5022,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2011-03-20 11:19:20\",\"Hostname\":\"PCFOO.corp.net\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":129451,\"ProcessID\":5044,\"ThreadID\":7472,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2011-03-20 10:19:20.872\\r\\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\\r\\nProcessId: 2016\\r\\nImage: C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\r\\nFileVersion: 1.1.1.1\\r\\nDescription: Application IAComClient\\r\\nProduct: Interact\\r\\nCompany: Interact Software\\r\\nOriginalFileName: IAComClient\\r\\nCommandLine: \\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\\"\\r\\nCurrentDirectory: C:\\\\WINDOWS\\\\system32\\\\\\r\\nUser: AUTORITE NT\\\\Syst\u00c3\u00a8me\\r\\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\\r\\nLogonId: 0x3E7\\r\\nTerminalSessionId: 0\\r\\nIntegrityLevel: System\\r\\nHashes: MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\\r\\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\\r\\nParentProcessId: 4756\\r\\nParentImage: C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\r\\nParentCommandLine: \\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\\"\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Informations\",\"RuleName\":\"-\",\"UtcTime\":\"2011-03-20 
10:19:20.872\",\"ProcessGuid\":\"{9beb284d-cc28-6055-3602-000000004900}\",\"Image\":\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\",\"FileVersion\":\"1.1.1.1\",\"Description\":\"Application IAComClient\",\"Product\":\"Interact\",\"Company\":\"Interact Software\",\"OriginalFileName\":\"IAComClient\",\"CommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAComClient.exe\\\"\",\"CurrentDirectory\":\"C:\\\\WINDOWS\\\\system32\\\\\",\"User\":\"AUTORITE NT\\\\Syst\u00c3\u00a8me\",\"LogonGuid\":\"{9beb284d-c684-6055-e703-000000000000}\",\"LogonId\":\"0x3e7\",\"TerminalSessionId\":\"0\",\"IntegrityLevel\":\"System\",\"Hashes\":\"MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\",\"ParentProcessGuid\":\"{9beb284d-c689-6055-6900-000000004900}\",\"ParentProcessId\":\"4756\",\"ParentImage\":\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\",\"ParentCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Interact\\\\Bin\\\\IAManager.exe\\\"\",\"EventReceivedTime\":\"2011-03-20 11:19:22\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", + "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2011-03-20 10:19:20.872\r\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\r\nProcessId: 2016\r\nImage: C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\r\nFileVersion: 1.1.1.1\r\nDescription: Application IAComClient\r\nProduct: Interact\r\nCompany: Interact Software\r\nOriginalFileName: IAComClient\r\nCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\"\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: 
MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\r\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\r\nParentProcessId: 4756\r\nParentImage: C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\r\nParentCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\"", "provider": "Microsoft-Windows-Sysmon", - "reason": "Application IAComClient", - "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2011-03-20 10:19:20.872\r\nProcessGuid: {9beb284d-cc28-6055-3602-000000004900}\r\nProcessId: 2016\r\nImage: C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\r\nFileVersion: 1.1.1.1\r\nDescription: Application IAComClient\r\nProduct: Interact\r\nCompany: Interact Software\r\nOriginalFileName: IAComClient\r\nCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe\"\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: AUTORITE NT\\Syst\u00c3\u00a8me\r\nLogonGuid: {9beb284d-c684-6055-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: MD5=6E2ED6BD7A43497C351551D04AEB6444,SHA256=E721BD7242E4571CDBC7729F54118ABAA806FA309059F21F09829B5275C1A751,IMPHASH=5EB894B14A9A429F917FA1E528B4E86B\r\nParentProcessGuid: {9beb284d-c689-6055-6900-000000004900}\r\nParentProcessId: 4756\r\nParentImage: C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\r\nParentCommandLine: \"C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe\"" + "reason": "Application IAComClient" }, "@timestamp": "2011-03-20T10:19:20.872000Z", - "process": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", - "parent": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "executable": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "name": "iamanager.exe", - "working_directory": "c:\\program files (x86)\\interact\\bin\\" - }, - "executable": "c:\\program files 
(x86)\\interact\\bin\\iacomclient.exe", - "ppid": "4756", - "thread": { - "id": 7472 - }, - "working_directory": "c:\\windows\\system32\\", - "pid": 2016, - "id": 2016, - "hash": { - "imphash": "5eb894b14a9a429f917fa1e528b4e86b", - "md5": "6e2ed6bd7a43497c351551d04aeb6444", - "sha256": "e721bd7242e4571cdbc7729f54118abaa806fa309059f21f09829b5275c1a751" - }, - "name": "iacomclient.exe" - }, "action": { - "record_id": 129451, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, + "name": "Process creation", "properties": { - "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", - "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", "AccountName": "Syst\u00e8me", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, + "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", "ProcessGuid": "{9beb284d-cc28-6055-3602-000000004900}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 1, - "User": "AUTORITE NT\\Syst\u00c3\u00a8me", "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 1, + "User": "AUTORITE NT\\Syst\u00c3\u00a8me" }, - "name": "Process creation" - }, - "log": { - "hostname": "PCFOO.corp.net", - "level": "info" + "record_id": 129451, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "PCFOO.corp.net", "name": "PCFOO.corp.net" }, + "log": { + "hostname": "PCFOO.corp.net", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00c3\u00a8me", - "domain": "AUTORITE NT" + "process": { + "command_line": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "executable": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "hash": { + "imphash": "5eb894b14a9a429f917fa1e528b4e86b", + "md5": 
"6e2ed6bd7a43497c351551d04aeb6444", + "sha256": "e721bd7242e4571cdbc7729f54118abaa806fa309059f21f09829b5275c1a751" + }, + "id": 2016, + "name": "iacomclient.exe", + "parent": { + "command_line": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", + "executable": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", + "name": "iamanager.exe", + "working_directory": "c:\\program files (x86)\\interact\\bin\\" + }, + "pid": 2016, + "ppid": "4756", + "thread": { + "id": 7472 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hash": [ @@ -5100,6 +5095,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00c3\u00a8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00c3\u00a8me" } } 
@@ -5114,72 +5114,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2023-09-05 12:28:34\",\"Hostname\":\"foo-vm\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":1,\"OpcodeValue\":0,\"RecordNumber\":13871322,\"ProcessID\":2992,\"ThreadID\":748,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Process Create:\\r\\nRuleName: -\\r\\nUtcTime: 2023-09-05 12:28:34.887\\r\\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\\r\\nProcessId: 18144\\r\\nImage: C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\\r\\nFileVersion: 16.0.16626.20170\\r\\nDescription: Microsoft Office SDX Helper\\r\\nProduct: Microsoft Office\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: SDXHELPER.EXE\\r\\nCommandLine: \\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\\r\\nCurrentDirectory: C:\\\\Windows\\\\system32\\\\\\r\\nUser: foo-vm\\\\adminuser\\r\\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\\r\\nLogonId: 0x219FAFD\\r\\nTerminalSessionId: 2\\r\\nIntegrityLevel: High\\r\\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\\r\\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\\r\\nParentProcessId: 1772\\r\\nParentImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nParentCommandLine: C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\\r\\nParentUser: NT AUTHORITY\\\\SYSTEM\",\"Category\":\"Process Create (rule: ProcessCreate)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2023-09-05 
12:28:34.887\",\"ProcessGuid\":\"{178446c4-1ef2-64f7-fa8d-010000001100}\",\"Image\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\SDXHelper.exe\",\"FileVersion\":\"16.0.16626.20170\",\"Description\":\"Microsoft Office SDX Helper\",\"Product\":\"Microsoft Office\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"SDXHELPER.EXE\",\"CommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\sdxhelper.exe\\\" /onlogon\",\"CurrentDirectory\":\"C:\\\\Windows\\\\system32\\\\\",\"User\":\"foo-vm\\\\adminuser\",\"LogonGuid\":\"{178446c4-8d94-6495-fdfa-190200000000}\",\"LogonId\":\"0x219fafd\",\"TerminalSessionId\":\"2\",\"IntegrityLevel\":\"High\",\"Hashes\":\"MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\",\"ParentProcessGuid\":\"{178446c4-7a9f-6491-2800-000000001100}\",\"ParentProcessId\":\"1772\",\"ParentImage\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvfoo -p -s Schedule\",\"ParentUser\":\"NT AUTHORITY\\\\SYSTEM\",\"EventReceivedTime\":\"2023-09-05 12:28:35\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "1", + "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2023-09-05 12:28:34.887\r\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\r\nProcessId: 18144\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe\r\nFileVersion: 16.0.16626.20170\r\nDescription: Microsoft Office SDX Helper\r\nProduct: Microsoft Office\r\nCompany: Microsoft Corporation\r\nOriginalFileName: SDXHELPER.EXE\r\nCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe\" /onlogon\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: foo-vm\\adminuser\r\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\r\nLogonId: 0x219FAFD\r\nTerminalSessionId: 2\r\nIntegrityLevel: 
High\r\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\r\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\r\nParentProcessId: 1772\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM", "provider": "Microsoft-Windows-Sysmon", - "reason": "Microsoft Office SDX Helper", - "message": "Process Create:\r\nRuleName: -\r\nUtcTime: 2023-09-05 12:28:34.887\r\nProcessGuid: {178446c4-1ef2-64f7-fa8d-010000001100}\r\nProcessId: 18144\r\nImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe\r\nFileVersion: 16.0.16626.20170\r\nDescription: Microsoft Office SDX Helper\r\nProduct: Microsoft Office\r\nCompany: Microsoft Corporation\r\nOriginalFileName: SDXHELPER.EXE\r\nCommandLine: \"C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe\" /onlogon\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: foo-vm\\adminuser\r\nLogonGuid: {178446c4-8d94-6495-fdfa-190200000000}\r\nLogonId: 0x219FAFD\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashes: MD5=F924BBC6FBF646FA0478AEBE5D37504C,SHA256=4494AA7BF1058262F3D2F412B681AF2AF42E34490144FBFD0DB579D966B8FBB6,IMPHASH=0AE5922AFCEF4767754A10F016CD4B30\r\nParentProcessGuid: {178446c4-7a9f-6491-2800-000000001100}\r\nParentProcessId: 1772\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM" + "reason": "Microsoft Office SDX Helper" }, "@timestamp": "2023-09-05T12:28:34.887000Z", - "process": { - "command_line": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe /onlogon", - "parent": { - "command_line": "c:\\windows\\system32\\svchost.exe -k netsvfoo -p -s schedule", - "executable": "c:\\windows\\system32\\svchost.exe", - "name": 
"svchost.exe", - "working_directory": "c:\\windows\\system32\\" - }, - "executable": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", - "ppid": "1772", - "thread": { - "id": 748 - }, - "working_directory": "c:\\windows\\system32\\", - "pid": 18144, - "id": 18144, - "hash": { - "imphash": "0ae5922afcef4767754a10f016cd4b30", - "md5": "f924bbc6fbf646fa0478aebe5d37504c", - "sha256": "4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6" - }, - "name": "sdxhelper.exe" - }, "action": { - "record_id": 13871322, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 1, + "name": "Process creation", "properties": { - "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", - "ParentImage": "c:\\windows\\system32\\svchost.exe", "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, + "ParentImage": "c:\\windows\\system32\\svchost.exe", "ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 1, - "User": "foo-vm\\adminuser", "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 1, + "User": "foo-vm\\adminuser" }, - "name": "Process creation" - }, - "log": { - "hostname": "foo-vm", - "level": "info" + "record_id": 13871322, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "foo-vm", "name": "foo-vm" }, + "log": { + "hostname": "foo-vm", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, - "user": { - "id": "S-1-5-18", - "name": "adminuser", - "domain": "foo-vm" + "process": { + "command_line": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe /onlogon", + "executable": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "hash": { + 
"imphash": "0ae5922afcef4767754a10f016cd4b30", + "md5": "f924bbc6fbf646fa0478aebe5d37504c", + "sha256": "4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6" + }, + "id": 18144, + "name": "sdxhelper.exe", + "parent": { + "command_line": "c:\\windows\\system32\\svchost.exe -k netsvfoo -p -s schedule", + "executable": "c:\\windows\\system32\\svchost.exe", + "name": "svchost.exe", + "working_directory": "c:\\windows\\system32\\" + }, + "pid": 18144, + "ppid": "1772", + "thread": { + "id": 748 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hash": [ @@ -5192,6 +5187,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "adminuser" ] + }, + "user": { + "domain": "foo-vm", + "id": "S-1-5-18", + "name": "adminuser" } } 
@@ -5206,56 +5206,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-12-18 15:57:58\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":20,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":20,\"OpcodeValue\":0,\"RecordNumber\":17336,\"ProcessID\":3140,\"ThreadID\":4420,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"WmiEventConsumer activity detected:\\r\\nRuleName: -\\r\\nEventType: WmiConsumerEvent\\r\\nUtcTime: 2010-12-18 14:57:58.828\\r\\nOperation: Created\\r\\nUser: DESKTOP-FOOBARZ\\\\userXYZ\\r\\nName: \\\"ServiceConsumer\\\"\\r\\nType: Log File\\r\\nDestination: \\\"C:\\\\\\\\Log.log\\\"\",\"Category\":\"WmiEventConsumer activity detected (rule: WmiEvent)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-18 14:57:58.828\",\"Operation\":\"Created\",\"User\":\"DESKTOP-FOOBARZ\\\\userXYZ\",\"Name\":\" \\\"ServiceConsumer\\\"\",\"Type\":\"Log File\",\"Destination\":\" \\\"C:\\\\\\\\Log.log\\\"\",\"EventReceivedTime\":\"2010-12-18 15:58:00\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "20", - "provider": "Microsoft-Windows-Sysmon", - "message": "WmiEventConsumer activity detected:\r\nRuleName: -\r\nEventType: WmiConsumerEvent\r\nUtcTime: 2010-12-18 14:57:58.828\r\nOperation: Created\r\nUser: DESKTOP-FOOBARZ\\userXYZ\r\nName: \"ServiceConsumer\"\r\nType: Log File\r\nDestination: \"C:\\\\Log.log\"" + "message": "WmiEventConsumer activity detected:\r\nRuleName: -\r\nEventType: WmiConsumerEvent\r\nUtcTime: 2010-12-18 14:57:58.828\r\nOperation: Created\r\nUser: DESKTOP-FOOBARZ\\userXYZ\r\nName: \"ServiceConsumer\"\r\nType: Log File\r\nDestination: 
\"C:\\\\Log.log\"", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-12-18T14:57:58.828000Z", "action": { - "record_id": 17336, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 20, + "name": "WmiEventConsumer activity detected", "properties": { - "MessEventType": "WmiConsumerEvent", "AccountName": "SYSTEM", "AccountType": "User", "Destination": " \"C:\\\\Log.log\"", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Keywords": "-9223372036854775808", + "MessEventType": "WmiConsumerEvent", "OpcodeValue": 0, "Operation": "Created", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Sysmon", "Task": 20, "Type": "Log File", - "User": "DESKTOP-FOOBARZ\\userXYZ", - "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "User": "DESKTOP-FOOBARZ\\userXYZ" }, - "name": "WmiEventConsumer activity detected" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" + "record_id": 17336, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 3140, + "pid": 3140, "thread": { "id": 4420 - }, - "pid": 3140, - "id": 3140 - }, - "user": { - "id": "S-1-5-18", - "name": "userXYZ", - "domain": "DESKTOP-FOOBARZ" + } }, "related": { "hosts": [ @@ -5264,6 +5259,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "userXYZ" ] + }, + "user": { + "domain": "DESKTOP-FOOBARZ", + "id": "S-1-5-18", + "name": "userXYZ" } } 
@@ -5278,66 +5278,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-02-14 14:50:28\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":22,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":22,\"OpcodeValue\":0,\"RecordNumber\":23609,\"ProcessID\":2556,\"ThreadID\":3448,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2010-02-10 12:10:41.909\\r\\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\\r\\nProcessId: 5228\\r\\nQueryName: login.live.com\\r\\nQueryStatus: 0\\r\\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\\r\\nImage: C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\"Category\":\"Dns query (rule: DnsQuery)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-02-10 12:10:41.909\",\"ProcessGuid\":\"{c8188de9-a5a2-5e46-0000-00104fae7900}\",\"QueryName\":\"login.live.com\",\"QueryStatus\":\"0\",\"QueryResults\":\"type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\",\"Image\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\",\"EventReceivedTime\":\"2010-02-14 14:50:29\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "22", - "provider": "Microsoft-Windows-Sysmon", - "message": "Dns query:\r\nRuleName: \r\nUtcTime: 2010-02-10 12:10:41.909\r\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\r\nProcessId: 5228\r\nQueryName: login.live.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 
lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\r\nImage: C:\\WINDOWS\\system32\\svchost.exe" + "message": "Dns query:\r\nRuleName: \r\nUtcTime: 2010-02-10 12:10:41.909\r\nProcessGuid: {c8188de9-a5a2-5e46-0000-00104fae7900}\r\nProcessId: 5228\r\nQueryName: login.live.com\r\nQueryStatus: 0\r\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:1.1.1.1;::ffff:1.1.1.1;::ffff:1.1.1.1;1.1.1.1;1.1.1.1;\r\nImage: C:\\WINDOWS\\system32\\svchost.exe", + "provider": "Microsoft-Windows-Sysmon" }, "@timestamp": "2010-02-10T12:10:41.909000Z", "action": { - "record_id": 23609, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 22, + "name": "DNS query", "properties": { - "Image": "c:\\windows\\system32\\svchost.exe", "AccountName": "Syst\ufffdme", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", + "Image": "c:\\windows\\system32\\svchost.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{c8188de9-a5a2-5e46-0000-00104fae7900}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 22, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - }, - "name": "DNS query" - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "info" - }, - "host": { - "hostname": "DESKTOP-FOOBARZ", - "name": "DESKTOP-FOOBARZ" - }, - "os": { - "family": "windows", - "platform": "windows" - }, - "process": { - "executable": "c:\\windows\\system32\\svchost.exe", - "thread": { - "id": 3448 + "Task": 22 }, - "pid": 5228, - "id": 5228, - "name": "svchost.exe", - "working_directory": "c:\\windows\\system32\\" - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\ufffdme", - "domain": "AUTORITE NT" + "record_id": 23609, + "type": "Microsoft-Windows-Sysmon/Operational" }, "dns": { - "question": { - "name": "login.live.com", - "top_level_domain": "com", - "subdomain": "login", - "registered_domain": "live.com" - }, - 
"response_code": "0", - "type": "answer", "answers": [ { "name": "login.msa.msidentity.com", @@ -5368,7 +5333,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "A" } ], - "size_in_char": 14 + "question": { + "name": "login.live.com", + "registered_domain": "live.com", + "subdomain": "login", + "top_level_domain": "com" + }, + "response_code": "0", + "size_in_char": 14, + "type": "answer" + }, + "host": { + "hostname": "DESKTOP-FOOBARZ", + "name": "DESKTOP-FOOBARZ" + }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "c:\\windows\\system32\\svchost.exe", + "id": 5228, + "name": "svchost.exe", + "pid": 5228, + "thread": { + "id": 3448 + }, + "working_directory": "c:\\windows\\system32\\" }, "related": { "hosts": [ @@ -5378,6 +5373,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\ufffdme" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\ufffdme" } } 
@@ -5396,53 +5396,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2011-05-17T13:36:18.525000Z", "action": { - "record_id": 514759, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 25, + "name": "Process Tampering", "properties": { - "Image": "c:\\windows\\syswow64\\svchost.exe", "AccountName": "SYSTEM", "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", + "Image": "c:\\windows\\syswow64\\svchost.exe", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{ab376ee3-7152-60a2-6808-000000001000}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "Task": 25, - "Type": "Image is replaced", "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" + "Task": 25, + "Type": "Image is replaced" }, - "name": "Process Tampering" - }, - "log": { - "hostname": "VM_FOO", - "level": "info" + "record_id": 514759, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "VM_FOO", "name": "VM_FOO" }, + "log": { + "hostname": "VM_FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { "executable": "c:\\windows\\syswow64\\svchost.exe", - "thread": { - "id": 3768 - }, - "pid": 4888, "id": 4888, "name": "svchost.exe", + "pid": 4888, + "thread": { + "id": 3768 + }, "working_directory": "c:\\windows\\syswow64\\" }, - "user": { - "id": "S-1-5-18", - "name": "SYSTEM", - "domain": "NT AUTHORITY" - }, "related": { "hosts": [ "VM_FOO" @@ -5450,6 +5445,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "SYSTEM" ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" } } 
@@ -5464,51 +5464,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2012-09-08 13:12:51\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854776000,\"EventType\":\"ERROR\",\"SeverityValue\":4,\"Severity\":\"ERROR\",\"EventID\":255,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":255,\"OpcodeValue\":0,\"RecordNumber\":320976,\"ProcessID\":2788,\"ThreadID\":4008,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Error report:\\r\\nUtcTime: 2012-09-08 11:12:51.685\\r\\nID: DriverCommunication\\r\\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\\r\\n\",\"Opcode\":\"Informations\",\"UtcTime\":\"2012-09-08 11:12:51.685\",\"ID\":\"DriverCommunication\",\"Description\":\"Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\\r\\n\",\"EventReceivedTime\":\"2012-09-08 13:12:53\",\"SourceModuleName\":\"evtx_win\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "255", + "message": "Error report:\r\nUtcTime: 2012-09-08 11:12:51.685\r\nID: DriverCommunication\r\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n", "provider": "Microsoft-Windows-Sysmon", - "reason": "Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n", - 
"message": "Error report:\r\nUtcTime: 2012-09-08 11:12:51.685\r\nID: DriverCommunication\r\nDescription: Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n" + "reason": "Failed to retrieve events - Last error: L'op\u00e9ration d'entr\u00e9e/sortie a \u00e9t\u00e9 abandonn\u00e9e en raison de l'arr\u00eat d'un thread ou \u00e0 la demande d'une application.\r\n" }, "@timestamp": "2012-09-08T11:12:51.685000Z", "action": { - "record_id": 320976, - "type": "Microsoft-Windows-Sysmon/Operational", "id": 255, "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "ERROR", + "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "ERROR", - "Task": 255, "SourceName": "Microsoft-Windows-Sysmon", - "Keywords": "-9223372036854775808" - } - }, - "log": { - "hostname": "DESKTOP-FOOBARZ", - "level": "error" + "Task": 255 + }, + "record_id": 320976, + "type": "Microsoft-Windows-Sysmon/Operational" }, "host": { "hostname": "DESKTOP-FOOBARZ", "name": "DESKTOP-FOOBARZ" }, + "log": { + "hostname": "DESKTOP-FOOBARZ", + "level": "error" + }, "os": { "family": "windows", "platform": "windows" }, "process": { + "id": 2788, + "pid": 2788, "thread": { "id": 4008 - }, - "pid": 2788, - "id": 2788 - }, - "user": { - "id": "S-1-5-18", - "name": "Syst\u00e8me", - "domain": "AUTORITE NT" + } }, "related": { "hosts": [ @@ -5517,6 +5512,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Syst\u00e8me" ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "Syst\u00e8me" } } 
@@ -5531,46 +5531,46 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2019-12-16 08:46:46\",\"Hostname\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":3,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":5,\"Task\":3,\"OpcodeValue\":0,\"RecordNumber\":3463,\"ProcessID\":4492,\"ThreadID\":8112,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\ufffdme\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Network connection detected:\\r\\nRuleName: \\r\\nUtcTime: 2019-12-16 07:46:27.307\\r\\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\\r\\nProcessId: 564\\r\\nImage: C:\\\\Windows\\\\System32\\\\lsass.exe\\r\\nUser: AUTORITE NT\\\\Syst\u00e8me\\r\\nProtocol: udp\\r\\nInitiated: true\\r\\nSourceIsIpv6: false\\r\\nSourceIp: 1.1.1.1\\r\\nSourceHostname: USERNAME01.ACT.CORP.local\\r\\nSourcePort: 389\\r\\nSourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 1.1.1.1\\r\\nDestinationHostname: \\r\\nDestinationPort: 1723\\r\\nDestinationPortName: \",\"Category\":\"Network connection detected (rule: NetworkConnect)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2019-12-16 07:46:27.307\",\"ProcessGuid\":\"{23AD1E42-B4C1-5C41-0000-0010B4020100}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"User\":\"AUTORITE NT\\\\Syst\u00e8me\",\"Protocol\":\"udp\",\"Initiated\":\"true\",\"SourceIsIpv6\":\"false\",\"SourceIp\":\"1.1.1.1\",\"SourceHostname\":\"USERNAME01.ACT.CORP.local\",\"SourcePort\":\"389\",\"DestinationIsIpv6\":\"false\",\"DestinationIp\":\"1.1.1.1\",\"DestinationPort\":\"1723\",\"EventReceivedTime\":\"2019-12-16 08:46:47\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "3",
- "provider": "Microsoft-Windows-Sysmon",
- "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-12-16 07:46:27.307\r\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\r\nProcessId: 564\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: AUTORITE NT\\Syst\u00e8me\r\nProtocol: udp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: USERNAME01.ACT.CORP.local\r\nSourcePort: 389\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 1723\r\nDestinationPortName: "
+ "message": "Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-12-16 07:46:27.307\r\nProcessGuid: {23AD1E42-B4C1-5C41-0000-0010B4020100}\r\nProcessId: 564\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: AUTORITE NT\\Syst\u00e8me\r\nProtocol: udp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.1.1.1\r\nSourceHostname: USERNAME01.ACT.CORP.local\r\nSourcePort: 389\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 1.1.1.1\r\nDestinationHostname: \r\nDestinationPort: 1723\r\nDestinationPortName: ",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "@timestamp": "2019-12-16T07:46:27.307000Z",
 "action": {
- "record_id": 3463,
- "type": "Microsoft-Windows-Sysmon/Operational",
 "id": 3,
+ "name": "Network connection",
 "properties": {
- "Image": "c:\\windows\\system32\\lsass.exe",
 "AccountName": "Syst\ufffdme",
 "AccountType": "User",
+ "DestinationPort": "1723",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
+ "Image": "c:\\windows\\system32\\lsass.exe",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{23AD1E42-B4C1-5C41-0000-0010B4020100}",
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
- "Task": 3,
- "User": "AUTORITE NT\\Syst\u00e8me",
 "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808",
- "DestinationPort": "1723"
+ "Task": 3,
+ "User": "AUTORITE NT\\Syst\u00e8me"
 },
- "name": "Network connection",
- "target": "network-traffic"
+ "record_id": 3463,
+ "target": "network-traffic",
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "destination": {
+ "address": "1.1.1.1",
 "ip": "1.1.1.1",
- "port": 1723,
- "address": "1.1.1.1"
- },
- "log": {
- "hostname": "USERNAME01.ACT.CORP.local",
- "level": "info"
+ "port": 1723
 },
 "host": {
 "hostname": "USERNAME01.ACT.CORP.local",
 "name": "USERNAME01.ACT.CORP.local"
 },
+ "log": {
+ "hostname": "USERNAME01.ACT.CORP.local",
+ "level": "info"
+ },
 "network": {
 "transport": "udp",
 "type": "ipv4"
@@ -5581,26 +5581,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "executable": "c:\\windows\\system32\\lsass.exe",
+ "id": 564,
+ "name": "lsass.exe",
+ "pid": 564,
 "thread": {
 "id": 8112
 },
- "pid": 564,
- "id": 564,
- "name": "lsass.exe",
 "working_directory": "c:\\windows\\system32\\"
 },
- "source": {
- "domain": "USERNAME01.ACT.CORP.local",
- "port": 389,
- "ip": "1.1.1.1",
- "address": "USERNAME01.ACT.CORP.local",
- "size_in_char": 25
- },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
- },
 "related": {
 "hosts": [
 "USERNAME01.ACT.CORP.local"
@@ -5611,6 +5599,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "source": {
+ "address": "USERNAME01.ACT.CORP.local",
+ "domain": "USERNAME01.ACT.CORP.local",
+ "ip": "1.1.1.1",
+ "port": 389,
+ "size_in_char": 25
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -5625,64 +5625,59 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-10-09 03:03:03\",\"Hostname\":\"HOSTNAMEFOO.ACT.CORP.local\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":6,\"OpcodeValue\":0,\"RecordNumber\":82505,\"ProcessID\":2456,\"ThreadID\":3548,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Driver loaded:\\r\\nRuleName: \\r\\nUtcTime: 2010-10-09 01:03:03.880\\r\\nImageLoaded: C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20101008.007\\\\eng64.sys\\r\\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\\r\\nSigned: true\\r\\nSignature: Symantec Corporation\\r\\nSignatureStatus: Valid\",\"Category\":\"Driver loaded (rule: DriverLoad)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-10-09 01:03:03.880\",\"ImageLoaded\":\"C:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\12.1.5337.5000.105\\\\Data\\\\Definitions\\\\VirusDefs\\\\20101008.007\\\\eng64.sys\",\"Hashes\":\"MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\",\"Signed\":\"true\",\"Signature\":\"Symantec Corporation\",\"SignatureStatus\":\"Valid\",\"EventReceivedTime\":\"2010-10-09 03:03:05\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "6",
- "provider": "Microsoft-Windows-Sysmon",
- "message": "Driver loaded:\r\nRuleName: \r\nUtcTime: 2010-10-09 01:03:03.880\r\nImageLoaded: C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys\r\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\r\nSigned: true\r\nSignature: Symantec Corporation\r\nSignatureStatus: Valid"
+ "message": "Driver loaded:\r\nRuleName: \r\nUtcTime: 2010-10-09 01:03:03.880\r\nImageLoaded: C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys\r\nHashes: MD5=BE2D7ADB437EB7C9607D60F481729C1F,SHA256=873E305A5BBCC47D0729B4E015F8C06BFF8E381F4A115B0CC8A9961A236B18B2,IMPHASH=48152BC64CB1EA5E4592C852D8BAC3FD\r\nSigned: true\r\nSignature: Symantec Corporation\r\nSignatureStatus: Valid",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "@timestamp": "2010-10-09T01:03:03.880000Z",
 "action": {
- "record_id": 82505,
- "type": "Microsoft-Windows-Sysmon/Operational",
 "id": 6,
+ "name": "Driver loaded",
 "properties": {
 "AccountName": "Syst\u00e8me",
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
 "ImageLoaded": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
 "Signature": "Symantec Corporation",
 "SignatureStatus": "Valid",
 "Signed": "true",
- "Task": 6,
 "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808"
+ "Task": 6
 },
- "name": "Driver loaded"
- },
- "log": {
- "hostname": "HOSTNAMEFOO.ACT.CORP.local",
- "level": "info"
+ "record_id": 82505,
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "host": {
 "hostname": "HOSTNAMEFOO.ACT.CORP.local",
 "name": "HOSTNAMEFOO.ACT.CORP.local"
 },
+ "log": {
+ "hostname": "HOSTNAMEFOO.ACT.CORP.local",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
- "thread": {
- "id": 3548
- },
 "executable": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys",
- "pid": 2456,
- "id": 2456,
 "hash": {
 "imphash": "48152bc64cb1ea5e4592c852d8bac3fd",
 "md5": "be2d7adb437eb7c9607d60f481729c1f",
 "sha256": "873e305a5bbcc47d0729b4e015f8c06bff8e381f4a115b0cc8a9961a236b18b2"
 },
+ "id": 2456,
 "name": "eng64.sys",
+ "pid": 2456,
+ "thread": {
+ "id": 3548
+ },
 "working_directory": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
- },
 "related": {
 "hash": [
 "873e305a5bbcc47d0729b4e015f8c06bff8e381f4a115b0cc8a9961a236b18b2",
@@ -5694,6 +5689,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -5708,22 +5708,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-12-08 14:12:27\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":7,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":3,\"Task\":7,\"OpcodeValue\":0,\"RecordNumber\":3035010,\"ProcessID\":10164,\"ThreadID\":5408,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"Image loaded:\\r\\nRuleName: \\r\\nUtcTime: 2010-12-08 13:12:27.356\\r\\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\\r\\nProcessId: 10540\\r\\nImage: C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\\\HxTsr.exe\\r\\nImageLoaded: C:\\\\Windows\\\\System32\\\\bcryptprimitives.dll\\r\\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\\r\\nDescription: Windows Cryptographic Primitives Library\\r\\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\\r\\nCompany: Microsoft Corporation\\r\\nOriginalFileName: bcryptprimitives.dll\\r\\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\\r\\nSigned: true\\r\\nSignature: Microsoft Windows\\r\\nSignatureStatus: Valid\",\"Category\":\"Image loaded (rule: ImageLoad)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-12-08 13:12:27.356\",\"ProcessGuid\":\"{c8188de9-7bbb-5fcf-0000-0010f7277203}\",\"Image\":\"C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\\\HxTsr.exe\",\"ImageLoaded\":\"C:\\\\Windows\\\\System32\\\\bcryptprimitives.dll\",\"FileVersion\":\"10.0.18362.836 (WinBuild.160101.0800)\",\"Description\":\"Windows Cryptographic Primitives Library\",\"Product\":\"Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\",\"Company\":\"Microsoft Corporation\",\"OriginalFileName\":\"bcryptprimitives.dll\",\"Hashes\":\"MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\",\"Signed\":\"true\",\"Signature\":\"Microsoft Windows\",\"SignatureStatus\":\"Valid\",\"EventReceivedTime\":\"2010-12-08 14:20:43\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "7",
+ "message": "Image loaded:\r\nRuleName: \r\nUtcTime: 2010-12-08 13:12:27.356\r\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\r\nProcessId: 10540\r\nImage: C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe\r\nImageLoaded: C:\\Windows\\System32\\bcryptprimitives.dll\r\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\r\nDescription: Windows Cryptographic Primitives Library\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcryptprimitives.dll\r\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid",
 "provider": "Microsoft-Windows-Sysmon",
- "reason": "Windows Cryptographic Primitives Library",
- "message": "Image loaded:\r\nRuleName: \r\nUtcTime: 2010-12-08 13:12:27.356\r\nProcessGuid: {c8188de9-7bbb-5fcf-0000-0010f7277203}\r\nProcessId: 10540\r\nImage: C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe\r\nImageLoaded: C:\\Windows\\System32\\bcryptprimitives.dll\r\nFileVersion: 10.0.18362.836 (WinBuild.160101.0800)\r\nDescription: Windows Cryptographic Primitives Library\r\nProduct: Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: bcryptprimitives.dll\r\nHashes: MD5=EF2BBEAFF07D32A2EC77FB4602FA9664,SHA256=6B47F3E88CDEDF8F31F91940E38A4544818C79D153323262F9F46B21F41D262C\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid"
+ "reason": "Windows Cryptographic Primitives Library"
 },
 "@timestamp": "2010-12-08T13:12:27.356000Z",
 "action": {
- "record_id": 3035010,
- "type": "Microsoft-Windows-Sysmon/Operational",
 "id": 7,
+ "name": "Image loaded",
 "properties": {
- "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe",
 "AccountName": "Syst\u00e8me",
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
+ "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe",
 "ImageLoaded": "c:\\windows\\system32\\bcryptprimitives.dll",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{c8188de9-7bbb-5fcf-0000-0010f7277203}",
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
@@ -5731,47 +5731,42 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "Signature": "Microsoft Windows",
 "SignatureStatus": "Valid",
 "Signed": "true",
- "Task": 7,
 "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808"
+ "Task": 7
 },
- "name": "Image loaded"
+ "record_id": 3035010,
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "dll": {
+ "hash": {
+ "md5": "ef2bbeaff07d32a2ec77fb4602fa9664",
+ "sha256": "6b47f3e88cdedf8f31f91940e38a4544818c79d153323262f9f46b21f41d262c"
+ },
+ "name": "bcryptprimitives.dll",
+ "path": "c:\\windows\\system32\\bcryptprimitives.dll"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
 "executable": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe",
+ "id": 10540,
+ "name": "hxtsr.exe",
+ "pid": 10540,
 "thread": {
 "id": 5408
 },
- "pid": 10540,
- "id": 10540,
- "name": "hxtsr.exe",
 "working_directory": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
- },
- "dll": {
- "path": "c:\\windows\\system32\\bcryptprimitives.dll",
- "name": "bcryptprimitives.dll",
- "hash": {
- "md5": "ef2bbeaff07d32a2ec77fb4602fa9664",
- "sha256": "6b47f3e88cdedf8f31f91940e38a4544818c79d153323262f9f46b21f41d262c"
- }
- },
 "related": {
 "hash": [
 "6b47f3e88cdedf8f31f91940e38a4544818c79d153323262f9f46b21f41d262c",
@@ -5783,6 +5778,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -5797,62 +5797,57 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-12-11 16:45:08\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":8,\"OpcodeValue\":0,\"RecordNumber\":3697557,\"ProcessID\":9520,\"ThreadID\":10704,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"Syst\u00e8me\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"CreateRemoteThread detected:\\r\\nRuleName: \\r\\nUtcTime: 2010-12-11 15:45:08.062\\r\\nSourceProcessGuid: {c8188de9-704e-5fcf-0000-001073ed4903}\\r\\nSourceProcessId: 9808\\r\\nSourceImage: C:\\\\Windows\\\\System32\\\\VBoxTray.exe\\r\\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\\r\\nTargetProcessId: 10576\\r\\nTargetImage: C:\\\\Windows\\\\System32\\\\csrss.exe\\r\\nNewThreadId: 9368\\r\\nStartAddress: 0xFFFFCFBA48C52460\\r\\nStartModule: C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\r\\nStartFunction: LoadLibraryA\",\"Category\":\"CreateRemoteThread detected (rule: CreateRemoteThread)\",\"Opcode\":\"Informations\",\"UtcTime\":\"2010-12-11 15:45:08.062\",\"SourceProcessGuid\":\"{c8188de9-704e-5fcf-0000-001073ed4903}\",\"SourceProcessId\":\"9808\",\"SourceImage\":\"C:\\\\Windows\\\\System32\\\\VBoxTray.exe\",\"TargetProcessGuid\":\"{c8188de9-702f-5fcf-0000-00101b084403}\",\"TargetProcessId\":\"10576\",\"TargetImage\":\"C:\\\\Windows\\\\System32\\\\csrss.exe\",\"NewThreadId\":\"9368\",\"StartAddress\":\"0xFFFFCFBA48C52460\",\"EventReceivedTime\":\"2010-12-11 16:52:15\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "8",
- "provider": "Microsoft-Windows-Sysmon",
- "message": "CreateRemoteThread detected:\r\nRuleName: \r\nUtcTime: 2010-12-11 15:45:08.062\r\nSourceProcessGuid: {c8188de9-704e-5fcf-0000-001073ed4903}\r\nSourceProcessId: 9808\r\nSourceImage: C:\\Windows\\System32\\VBoxTray.exe\r\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\r\nTargetProcessId: 10576\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 9368\r\nStartAddress: 0xFFFFCFBA48C52460\r\nStartModule: C:\\Windows\\SYSTEM32\\ntdll.dll\r\nStartFunction: LoadLibraryA"
+ "message": "CreateRemoteThread detected:\r\nRuleName: \r\nUtcTime: 2010-12-11 15:45:08.062\r\nSourceProcessGuid: {c8188de9-704e-5fcf-0000-001073ed4903}\r\nSourceProcessId: 9808\r\nSourceImage: C:\\Windows\\System32\\VBoxTray.exe\r\nTargetProcessGuid: {c8188de9-702f-5fcf-0000-00101b084403}\r\nTargetProcessId: 10576\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 9368\r\nStartAddress: 0xFFFFCFBA48C52460\r\nStartModule: C:\\Windows\\SYSTEM32\\ntdll.dll\r\nStartFunction: LoadLibraryA",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "@timestamp": "2010-12-11T15:45:08.062000Z",
 "action": {
- "record_id": 3697557,
- "type": "Microsoft-Windows-Sysmon/Operational",
 "id": 8,
+ "name": "CreateRemoteThread",
 "properties": {
 "AccountName": "Syst\u00e8me",
 "AccountType": "User",
 "Domain": "AUTORITE NT",
 "EventType": "INFO",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
 "SourceImage": "c:\\windows\\system32\\vboxtray.exe",
+ "SourceName": "Microsoft-Windows-Sysmon",
 "SourceProcessId": "9808",
 "StartAddress": "0xFFFFCFBA48C52460",
 "StartFunction": "LoadLibraryA",
 "StartModule": "c:\\windows\\system32\\ntdll.dll",
 "TargetImage": "c:\\windows\\system32\\csrss.exe",
 "TargetProcessId": "10576",
- "Task": 8,
- "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808"
+ "Task": 8
 },
- "name": "CreateRemoteThread"
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "record_id": 3697557,
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
- "thread": {
- "id": 10704
- },
 "executable": "c:\\windows\\system32\\vboxtray.exe",
- "pid": 9808,
 "id": 9808,
 "name": "vboxtray.exe",
+ "pid": 9808,
+ "thread": {
+ "id": 10704
+ },
 "working_directory": "c:\\windows\\system32\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "Syst\u00e8me",
- "domain": "AUTORITE NT"
- },
 "related": {
 "hosts": [
 "DESKTOP-FOOBARZ"
@@ -5860,6 +5855,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Syst\u00e8me"
 ]
+ },
+ "user": {
+ "domain": "AUTORITE NT",
+ "id": "S-1-5-18",
+ "name": "Syst\u00e8me"
 }
 }
@@ -5874,58 +5874,53 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-12-17 15:52:55\",\"Hostname\":\"DESKTOP-FOOBARZ\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":9,\"SourceName\":\"Microsoft-Windows-Sysmon\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"Version\":2,\"Task\":9,\"OpcodeValue\":0,\"RecordNumber\":4797,\"ProcessID\":2704,\"ThreadID\":3916,\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"RawAccessRead detected:\\r\\nRuleName: -\\r\\nUtcTime: 2010-12-17 14:52:55.449\\r\\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\\r\\nProcessId: 6428\\r\\nImage: C:\\\\Windows\\\\System32\\\\LogonUI.exe\\r\\nDevice: \\\\Device\\\\HarddiskVolume1\",\"Category\":\"RawAccessRead detected (rule: RawAccessRead)\",\"Opcode\":\"Info\",\"RuleName\":\"-\",\"UtcTime\":\"2010-12-17 14:52:55.449\",\"ProcessGuid\":\"{FC729081-70A2-5FDB-6701-000000000600}\",\"Image\":\"C:\\\\Windows\\\\System32\\\\LogonUI.exe\",\"Device\":\"\\\\Device\\\\HarddiskVolume1\",\"EventReceivedTime\":\"2010-12-17 15:52:56\",\"SourceModuleName\":\"eventlog4\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "9",
- "provider": "Microsoft-Windows-Sysmon",
- "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2010-12-17 14:52:55.449\r\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\r\nProcessId: 6428\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nDevice: \\Device\\HarddiskVolume1"
+ "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2010-12-17 14:52:55.449\r\nProcessGuid: {FC729081-70A2-5FDB-6701-000000000600}\r\nProcessId: 6428\r\nImage: C:\\Windows\\System32\\LogonUI.exe\r\nDevice: \\Device\\HarddiskVolume1",
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "@timestamp": "2010-12-17T14:52:55.449000Z",
 "action": {
- "record_id": 4797,
- "type": "Microsoft-Windows-Sysmon/Operational",
 "id": 9,
+ "name": "RawAccessRead",
 "properties": {
- "Image": "c:\\windows\\system32\\logonui.exe",
 "AccountName": "SYSTEM",
 "AccountType": "User",
 "Device": "\\Device\\HarddiskVolume1",
 "Domain": "NT AUTHORITY",
 "EventType": "INFO",
+ "Image": "c:\\windows\\system32\\logonui.exe",
+ "Keywords": "-9223372036854775808",
 "OpcodeValue": 0,
 "ProcessGuid": "{FC729081-70A2-5FDB-6701-000000000600}",
 "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "Severity": "INFO",
- "Task": 9,
 "SourceName": "Microsoft-Windows-Sysmon",
- "Keywords": "-9223372036854775808"
+ "Task": 9
 },
- "name": "RawAccessRead"
- },
- "log": {
- "hostname": "DESKTOP-FOOBARZ",
- "level": "info"
+ "record_id": 4797,
+ "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "host": {
 "hostname": "DESKTOP-FOOBARZ",
 "name": "DESKTOP-FOOBARZ"
 },
+ "log": {
+ "hostname": "DESKTOP-FOOBARZ",
+ "level": "info"
+ },
 "os": {
 "family": "windows",
 "platform": "windows"
 },
 "process": {
 "executable": "c:\\windows\\system32\\logonui.exe",
+ "id": 6428,
+ "name": "logonui.exe",
+ "pid": 6428,
 "thread": {
 "id": 3916
 },
- "pid": 6428,
- "id": 6428,
- "name": "logonui.exe",
 "working_directory": "c:\\windows\\system32\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "SYSTEM",
- "domain": "NT AUTHORITY"
- },
 "related": {
 "hosts": [
 "DESKTOP-FOOBARZ"
@@ -5933,6 +5928,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "SYSTEM"
 ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-18",
+ "name": "SYSTEM"
 }
 }
@@ -5947,28 +5947,28 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"EventTime\":\"2010-07-29 15:24:16\",\"HOSTNAME\":\"USERNAME01.ACT.CORP.local\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1284656143,\"ProcessID\":4,\"ThreadID\":92,\"Channel\":\"Security\",\"Message\":\"Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\\r\\n\\r\\nSujet :\\r\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-5-18\\r\\n\\tNom du compte :\\t\\tUSERNAME01$\\r\\n\\tDomaine du compte :\\t\\tACT\\r\\n\\tID d\u2019ouverture de session :\\t\\t0x3e7\\r\\n\\r\\nInformations sur le processus :\\r\\n\\tID du nouveau processus :\\t\\t0x32b4\\r\\n\\tNom du nouveau processus :\\tC:\\\\Windows\\\\System32\\\\qwinsta.exe\\r\\n\\tType d\u2019\u00e9l\u00e9vation du jeton :\\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\\r\\n\\tID du processus cr\u00e9ateur :\\t0x2748\\r\\n\\tLigne de commande de processus :\\t\\r\\n\\r\\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\\r\\n\\r\\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\\r\\n\\r\\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\\r\\n\\r\\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur.\",\"Category\":\"Cr\u00e9ation du processus\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"USERNAME01$\",\"SubjectDomainName\":\"ACT\",\"SubjectLogonId\":\"0x3e7\",\"NewProcessId\":\"0x32b4\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\qwinsta.exe\",\"TokenElevationType\":\"%%1936\",\"EventReceivedTime\":\"2010-07-29 15:24:18\",\"SourceModuleName\":\"eventlog3\",\"SourceModuleType\":\"im_msvistalog\"}",
 "event": {
 "code": "4688",
- "provider": "Microsoft-Windows-Security-Auditing",
- "message": "Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tUSERNAME01$\r\n\tDomaine du compte :\t\tACT\r\n\tID d\u2019ouverture de session :\t\t0x3e7\r\n\r\nInformations sur le processus :\r\n\tID du nouveau processus :\t\t0x32b4\r\n\tNom du nouveau processus :\tC:\\Windows\\System32\\qwinsta.exe\r\n\tType d\u2019\u00e9l\u00e9vation du jeton :\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\r\n\tID du processus cr\u00e9ateur :\t0x2748\r\n\tLigne de commande de processus :\t\r\n\r\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\r\n\r\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\r\n\r\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\r\n\r\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur."
+ "message": "Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tUSERNAME01$\r\n\tDomaine du compte :\t\tACT\r\n\tID d\u2019ouverture de session :\t\t0x3e7\r\n\r\nInformations sur le processus :\r\n\tID du nouveau processus :\t\t0x32b4\r\n\tNom du nouveau processus :\tC:\\Windows\\System32\\qwinsta.exe\r\n\tType d\u2019\u00e9l\u00e9vation du jeton :\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\r\n\tID du processus cr\u00e9ateur :\t0x2748\r\n\tLigne de commande de processus :\t\r\n\r\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\r\n\r\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\r\n\r\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\r\n\r\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur.",
+ "provider": "Microsoft-Windows-Security-Auditing"
 },
 "action": {
- "record_id": 1284656143,
- "type": "Security",
 "id": 4688,
+ "name": "A new process has been created",
+ "outcome": "success",
 "properties": {
 "EventType": "AUDIT_SUCCESS",
+ "Keywords": "-9214364837600034816",
 "OpcodeValue": 0,
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-Security-Auditing",
 "SubjectDomainName": "ACT",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "USERNAME01$",
 "SubjectUserSid": "S-1-5-18",
- "Task": 13312,
- "SourceName": "Microsoft-Windows-Security-Auditing",
- "Keywords": "-9214364837600034816"
+ "Task": 13312
 },
- "name": "A new process has been created",
- "outcome": "success"
+ "record_id": 1284656143,
+ "type": "Security"
 },
 "log": {
 "level": "info"
@@ -5978,24 +5978,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "platform": "windows"
 },
 "process": {
- "thread": {
- "id": 92
- },
 "executable": "c:\\windows\\system32\\qwinsta.exe",
- "pid": 12980,
 "id": 12980,
 "name": "qwinsta.exe",
+ "pid": 12980,
+ "thread": {
+ "id": 92
+ },
 "working_directory": "c:\\windows\\system32\\"
 },
- "user": {
- "id": "S-1-5-18",
- "name": "USERNAME01$",
- "domain": "ACT"
- },
 "related": {
 "user": [
 "USERNAME01$"
 ]
+ },
+ "user": {
+ "domain": "ACT",
+ "id": "S-1-5-18",
+ "name": "USERNAME01$"
 }
 }
@@ -6010,56 +6010,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"EventTime\":\"2010-08-05 16:21:20\",\"Hostname\":\"V-FOO\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":1132084818,\"ProcessID\":4,\"ThreadID\":88,\"Channel\":\"Security\",\"Message\":\"A new process has been created.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tV-FOO$\\r\\n\\tAccount Domain:\\t\\tKEY\\r\\n\\tLogon ID:\\t\\t0x3e7\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x111c\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\conhost.exe\\r\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\r\\n\\tCreator Process ID:\\t0x204\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\",\"Category\":\"Process Creation\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"S-1-5-18\",\"SubjectUserName\":\"V-FOO$\",\"SubjectDomainName\":\"KEY\",\"SubjectLogonId\":\"0x3e7\",\"NewProcessId\":\"0x111c\",\"NewProcessName\":\"C:\\\\Windows\\\\System32\\\\conhost.exe\",\"TokenElevationType\":\"%%1936\",\"EventReceivedTime\":\"2010-08-05 16:21:21\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}", "event": { "code": "4688", - "provider": "Microsoft-Windows-Security-Auditing", - "message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x111c\r\n\tNew Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x204\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator." + "message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x111c\r\n\tNew Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x204\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "provider": "Microsoft-Windows-Security-Auditing" }, "action": { - "record_id": 1132084818, - "type": "Security", "id": 4688, + "name": "A new process has been created", + "outcome": "success", "properties": { "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", "OpcodeValue": 0, "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "KEY", "SubjectLogonId": "0x3e7", "SubjectUserName": "V-FOO$", "SubjectUserSid": "S-1-5-18", - "Task": 13312, - "SourceName": "Microsoft-Windows-Security-Auditing", - "Keywords": "-9214364837600034816" + "Task": 13312 }, - "name": "A new process has been created", - "outcome": "success" - }, - "log": { - "hostname": "V-FOO", - "level": "info" + "record_id": 1132084818, + "type": "Security" }, "host": { "hostname": "V-FOO", "name": "V-FOO" }, + "log": { + "hostname": "V-FOO", + "level": "info" + }, "os": { "family": "windows", "platform": "windows" }, "process": { - "thread": { - "id": 88 - }, "executable": "c:\\windows\\system32\\conhost.exe", - "pid": 4380, "id": 4380, "name": "conhost.exe", + "pid": 4380, + "thread": { + "id": 88 + }, "working_directory": "c:\\windows\\system32\\" }, - "user": { - "id": "S-1-5-18", - "name": "V-FOO$", - "domain": "KEY" - }, "related": { "hosts": [ "V-FOO" @@ -6067,6 +6062,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "V-FOO$" ] + }, + "user": { + "domain": "KEY", + "id": "S-1-5-18", + "name": "V-FOO$" } } 
diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index 4e3d766cdd..50d672fd9c 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md @@ -44,26 +44,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-06-28T15:51:42Z", - "host": { - "id": "16", - "ip": [] - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1687967508000, "commentCount": 0, - "pbid": 26316, - "time": 1687967502000, + "creationTime": 1687967508000, + "device": { + "firstSeen": 1644001727000, + "ip": "192.168.1.#18408", + "ips": [ + { + "ip": "192.168.1.#18408", + "sid": 3, + "time": "2023-07-0202:00:00", + "timems": 1688263200000 + } + ], + "lastSeen": 1688266122000, + "sid": 3, + "typelabel": "Desktop", + "typename": "desktop" + }, "model": { - "then": { - "name": "AnomalousFile::ZiporGzipfromRareExternalLocation", - "pid": 619, - "phid": 9945, - "uuid": "80010119-6d7f-0000-0305-5e0000000172", + "now": { + "behaviour": "decreasing", + "category": "Informational", + "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.", + "message": "Excludedcommonuseragents", "mitre": { "tactics": [ "resource-development" 
@@ -72,22 +78,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "T1588.001" ] }, + "name": "AnomalousFile::ZiporGzipfromRareExternalLocation", + "phid": 9945, + "pid": 619, + "priority": 1, "tags": [ "", "AP:Tooling", "OTEngineer" ], - "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.", - "category": "Informational", - "priority": 1, - "behaviour": "decreasing", + "uuid": "80010119-6d7f-0000-0305-5e0000000172", "version": 42 }, - "now": { - "name": "AnomalousFile::ZiporGzipfromRareExternalLocation", - "pid": 619, - "phid": 9945, - "uuid": "80010119-6d7f-0000-0305-5e0000000172", + "then": { + "behaviour": "decreasing", + "category": "Informational", + "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.", "mitre": { "tactics": [ "resource-development" 
@@ -96,38 +102,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "T1588.001" ] }, + "name": "AnomalousFile::ZiporGzipfromRareExternalLocation", + "phid": 9945, + "pid": 619, + "priority": 1, "tags": [ "", "AP:Tooling", "OTEngineer" ], - "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.", - "behaviour": "decreasing", - "message": "Excludedcommonuseragents", - "priority": 1, - "category": "Informational", + "uuid": "80010119-6d7f-0000-0305-5e0000000172", "version": 42 } }, + "pbid": 26316, "score": 0.245, - "device": { - "ip": "192.168.1.#18408", - "ips": [ - { - "ip": "192.168.1.#18408", - "timems": 1688263200000, - "time": "2023-07-0202:00:00", - "sid": 3 - } - ], - "sid": 3, - "firstSeen": 1644001727000, - "lastSeen": 1688266122000, - "typename": "desktop", - "typelabel": "Desktop" - } + "time": 1687967502000 } }, + "host": { + "id": "16", + "ip": [] + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, "related": { "ip": [] } 
@@ -151,78 +151,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-06-28T21:31:26Z", - "host": { - "id": "31", - "hostname": "my_host", - "ip": [ - "192.168.1.2" - ], - "name": "my_host" - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1687987892000, "commentCount": 0, - "pbid": 26368, - "time": 1687987886000, + "creationTime": 1687987892000, + "device": { + "firstSeen": 1649669953000, + "ip": "192.168.1.2", + "ips": [ + { + "ip": "192.168.1.2", + "sid": 3, + "time": "2023-07-0313:00:00", + "timems": 1688389200000 + } + ], + "lastSeen": 1688391406000, + "sid": 3, + "typelabel": "DNSServer", + "typename": "dnsserver" + }, "model": { - "then": { - "name": "Antigena::Network::Compliance::AntigenaConnectionSeen", - "pid": 2299, - "phid": 9961, - "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6", - "tags": [], - "category": "Suspicious", - "priority": 4, - "behaviour": "decreasing", - "defeats": [], - "version": 7 - }, "now": { - "name": "Antigena::Network::Compliance::AntigenaConnectionSeen", - "pid": 2299, - "phid": 9962, - "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6", - "tags": [], "behaviour": "decreasing", + "category": "Suspicious", "defeats": [], "edited": { "userID": 2 }, + "name": "Antigena::Network::Compliance::AntigenaConnectionSeen", + "phid": 9962, + "pid": 2299, "priority": 4, - "category": "Suspicious", + "tags": [], + "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6", "version": 8 + }, + "then": { + "behaviour": "decreasing", + "category": "Suspicious", + "defeats": [], + "name": "Antigena::Network::Compliance::AntigenaConnectionSeen", + "phid": 9961, + "pid": 2299, + "priority": 4, + "tags": [], + "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6", + "version": 7 } }, + "pbid": 26368, "score": 0.871, - "device": { - "ip": "192.168.1.2", - "ips": [ - { - "ip": "192.168.1.2", - "timems": 1688389200000, - "time": 
"2023-07-0313:00:00", - "sid": 3 - } - ], - "sid": 3, - "firstSeen": 1649669953000, - "lastSeen": 1688391406000, - "typename": "dnsserver", - "typelabel": "DNSServer" - } + "time": 1687987886000 } }, - "related": { + "host": { + "hostname": "my_host", + "id": "31", "ip": [ "192.168.1.2" ], + "name": "my_host" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "related": { "hosts": [ "my_host" + ], + "ip": [ + "192.168.1.2" ] } } @@ -245,26 +245,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-07-02T02:48:43Z", - "host": { - "id": "16", - "ip": [] - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1688266130000, "commentCount": 0, - "pbid": 27103, - "time": 1688266123000, + "creationTime": 1688266130000, + "device": { + "firstSeen": 1644001727000, + "ip": "192.168.1.#18408", + "ips": [ + { + "ip": "192.168.1.#18408", + "sid": 3, + "time": "2023-07-0202:00:00", + "timems": 1688263200000 + } + ], + "lastSeen": 1688266122000, + "sid": 3, + "typelabel": "Desktop", + "typename": "desktop" + }, "model": { - "then": { - "name": "Device::AttackandReconTools", - "pid": 76, - "phid": 8953, - "uuid": "80010119-6d7f-0000-0305-5e0000000197", + "now": { + "behaviour": "decreasing", + "category": "Suspicious", + "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.", + "message": "Addeddetectionforgobusteranddirbuster", "mitre": { "tactics": [ "initial-access" 
@@ -273,22 +279,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "T1200" ] }, + "name": "Device::AttackandReconTools", + "phid": 8953, + "pid": 76, + "priority": 4, "tags": [ "", "AP:InternalRecon", "OTEngineer" ], - "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.", - "category": "Suspicious", - "priority": 4, - "behaviour": "decreasing", + "uuid": "80010119-6d7f-0000-0305-5e0000000197", "version": 87 }, - "now": { - "name": "Device::AttackandReconTools", - "pid": 76, - "phid": 8953, - "uuid": "80010119-6d7f-0000-0305-5e0000000197", + "then": { + "behaviour": "decreasing", + "category": "Suspicious", + "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.", "mitre": { "tactics": [ "initial-access" 
@@ -297,38 +303,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "T1200" ] }, + "name": "Device::AttackandReconTools", + "phid": 8953, + "pid": 76, + "priority": 4, "tags": [ "", "AP:InternalRecon", "OTEngineer" ], - "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.", - "behaviour": "decreasing", - "message": "Addeddetectionforgobusteranddirbuster", - "priority": 4, - "category": "Suspicious", + "uuid": "80010119-6d7f-0000-0305-5e0000000197", "version": 87 } }, + "pbid": 27103, "score": 0.871, - "device": { - "ip": "192.168.1.#18408", - "ips": [ - { - "ip": "192.168.1.#18408", - "timems": 1688263200000, - "time": "2023-07-0202:00:00", - "sid": 3 - } - ], - "sid": 3, - "firstSeen": 1644001727000, - "lastSeen": 1688266122000, - "typename": "desktop", - "typelabel": "Desktop" - } + "time": 1688266123000 } }, + "host": { + "id": "16", + "ip": [] + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, "related": { "ip": [] } 
@@ -352,82 +352,82 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-06-26T10:09:02Z", - "host": { - "id": "6", - "ip": [] - }, - "service": { - "name": "Slack" - }, - "user": { - "email": "john.doe@company.com" - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1687774148000, "commentCount": 0, - "pbid": 25808, - "time": 1687774142000, + "creationTime": 1687774148000, + "device": { + "firstSeen": 1639068361000, + "ip": "192.168.16.#54818", + "ips": [ + { + "ip": "192.168.16.#54818", + "sid": 4, + "time": "2023-07-0312:00:00", + "timems": 1688385600000 + } + ], + "lastSeen": 1688385853000, + "sid": 4, + "typelabel": "Desktop", + "typename": "desktop" + }, "model": { - "then": { + "now": { + "behaviour": "decreasing", + "category": "Critical", + "defeats": [], + "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.", + "message": "Adjustingmodellogicforproxiedconnections", "name": "Compromise::WatchedDomain", - "pid": 608, "phid": 6768, - "uuid": "80010119-6d7f-0000-0305-5e0000000256", + "pid": 608, + "priority": 5, "tags": [ "", "AP:C2Comms" ], - "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.", - "category": "Critical", - "priority": 5, - "behaviour": "decreasing", - "defeats": [], + "uuid": "80010119-6d7f-0000-0305-5e0000000256", "version": 31 }, - "now": { + "then": { + "behaviour": "decreasing", + "category": "Critical", + "defeats": [], + "description": 
"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.", "name": "Compromise::WatchedDomain", - "pid": 608, "phid": 6768, - "uuid": "80010119-6d7f-0000-0305-5e0000000256", + "pid": 608, + "priority": 5, "tags": [ "", "AP:C2Comms" ], - "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.", - "behaviour": "decreasing", - "defeats": [], - "message": "Adjustingmodellogicforproxiedconnections", - "priority": 5, - "category": "Critical", + "uuid": "80010119-6d7f-0000-0305-5e0000000256", "version": 31 } }, + "pbid": 25808, "score": 0.541, - "device": { - "ip": "192.168.16.#54818", - "ips": [ - { - "ip": "192.168.16.#54818", - "timems": 1688385600000, - "time": "2023-07-0312:00:00", - "sid": 4 - } - ], - "sid": 4, - "firstSeen": 1639068361000, - "lastSeen": 1688385853000, - "typename": "desktop", - "typelabel": "Desktop" - } + "time": 1687774142000 } }, + "host": { + "id": "6", + "ip": [] + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, "related": { "ip": [] + }, + "service": { + "name": "Slack" + }, + "user": { + "email": "john.doe@company.com" } } 
@@ -449,58 +449,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-06-26T15:32:13Z", - "host": { - "id": "39", - "ip": [ - "192.168.1.3" - ] - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1687793540000, "commentCount": 0, - "pbid": 25860, - "time": 1687793533000, + "creationTime": 1687793540000, + "device": { + "firstSeen": 1666276905000, + "ip": "192.168.1.3", + "ips": [ + { + "ip": "192.168.1.3", + "sid": 3, + "time": "2023-07-0313:00:00", + "timems": 1688389200000 + } + ], + "lastSeen": 1688391268000, + "sid": 3, + "typelabel": "Server", + "typename": "server" + }, "model": { "then": { + "behaviour": "decreasing", + "category": "Critical", + "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 
12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.", "name": "Device::ThreatIndicator", - "pid": 540, "phid": 6656, - "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176", + "pid": 540, + "priority": 5, "tags": [ "", "RequiresConfiguration" ], - "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.", - "category": "Critical", - "priority": 5, - "behaviour": "decreasing", + "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176", "version": 39 } }, + "pbid": 25860, "score": 0.612, - "device": { - 
"ip": "192.168.1.3", - "ips": [ - { - "ip": "192.168.1.3", - "timems": 1688389200000, - "time": "2023-07-0313:00:00", - "sid": 3 - } - ], - "sid": 3, - "firstSeen": 1666276905000, - "lastSeen": 1688391268000, - "typename": "server", - "typelabel": "Server" - } + "time": 1687793533000 } }, + "host": { + "id": "39", + "ip": [ + "192.168.1.3" + ] + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, "related": { "ip": [ "192.168.1.3" 
@@ -526,70 +526,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-06-26T20:35:07Z", - "host": { - "id": "31", - "ip": [ - "192.168.1.2" - ] - }, - "observer": { - "name": "Darktrace", - "product": "Threat visualizer" - }, "darktrace": { "threat_visualizer": { - "creationTime": 1687811713000, "commentCount": 0, - "pbid": 25908, - "time": 1687811707000, + "creationTime": 1687811713000, + "device": { + "firstSeen": 1649669953000, + "ip": "192.168.1.2", + "ips": [ + { + "ip": "192.168.1.2", + "sid": 3, + "time": "2023-07-0313:00:00", + "timems": 1688389200000 + } + ], + "lastSeen": 1688391406000, + "sid": 3, + "typelabel": "DNSServer", + "typename": "dnsserver" + }, "model": { - "then": { - "name": "PenTest", - "pid": 2721, - "phid": 9287, - "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8", - "tags": [], - "category": "Critical", - "priority": 5, - "behaviour": "flat", - "defeats": [], - "version": 7 - }, "now": { - "name": "PenTest", - "pid": 2721, - "phid": 9287, - "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8", - "tags": [], "behaviour": "flat", + "category": "Critical", "defeats": [], "edited": { "userID": 22 }, + "name": "PenTest", + "phid": 9287, + "pid": 2721, "priority": 5, + "tags": [], + "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8", + "version": 7 + }, + "then": { + "behaviour": "flat", "category": "Critical", + "defeats": [], + "name": "PenTest", + "phid": 9287, + "pid": 2721, + "priority": 5, + "tags": [], + "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8", "version": 7 } }, + "pbid": 25908, "score": 1.0, - "device": { - "ip": "192.168.1.2", - "ips": [ - { - "ip": "192.168.1.2", - "timems": 1688389200000, - "time": "2023-07-0313:00:00", - "sid": 3 - } - ], - "sid": 3, - "firstSeen": 1649669953000, - "lastSeen": 1688391406000, - "typename": "dnsserver", - "typelabel": "DNSServer" - } + "time": 1687811707000 } }, + "host": { + "id": "31", + "ip": [ + "192.168.1.2" + ] + }, + "observer": { + "name": 
"Darktrace", + "product": "Threat visualizer" + }, "related": { "ip": [ "192.168.1.2" diff --git a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md index 9d72cfad48..3b5d82acf3 100644 --- a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md +++ b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md @@ -36,30 +36,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673516966.834663913 FW_MX_01 events dhcp lease of ip 1.2.3.4 from mx mac AA:BB:CC:DD:EE:FF for client mac 01:02:03:04:05:06 from router 5.6.7.8 on subnet 255.255.255.0 with dns 9.10.11.12", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-12T09:49:26.834664Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { "event_subtype": "dhcp_offer" }, - "source": { - "ip": "1.2.3.4", - "mac": "01:02:03:04:05:06", - "address": "1.2.3.4" - }, "destination": { "mac": "AA:BB:CC:DD:EE:FF" }, + "observer": { + "hostname": "FW_MX_01" + }, "related": { "hosts": [ "FW_MX_01" @@ -67,6 +62,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "01:02:03:04:05:06" } } 
@@ -80,29 +80,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673541902.311547724 FW_MX_01 events dhcp no offers for mac AA:BB:CC:DD:EE:FF", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-12T16:45:02.311548Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { "event_subtype": "dhcp_no_offer" }, - "source": { - "mac": "AA:BB:CC:DD:EE:FF" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ "FW_MX_01" ] + }, + "source": { + "mac": "AA:BB:CC:DD:EE:FF" } } @@ -116,35 +116,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673596662.226844514 FW_MX_01 events type=anyconnect_vpn_auth_failure msg= 'RADIUS[373] Server IP=1.2.3.4 Server port=1812 Peer IP=5.6.7.8 Peer port=56735: Authentication request rejected. '", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "denied" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-13T07:57:42.226845Z", - "observer": { - "hostname": "FW_MX_01" - }, - "cisco_meraki": { - "event_subtype": "anyconnect_vpn_auth_failure" - }, "action": { "outcome": "failure", "outcome_reason": "Authentication request rejected. " }, - "source": { - "ip": "5.6.7.8", - "port": 56735, - "address": "5.6.7.8" + "cisco_meraki": { + "event_subtype": "anyconnect_vpn_auth_failure" }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 1812, - "address": "1.2.3.4" + "port": 1812 + }, + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -154,6 +149,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 56735 } } 
@@ -167,38 +167,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673596676.426899545 FW_MX_01 events type=anyconnect_vpn_auth_success msg= 'RADIUS[374] Server IP=1.2.3.4 Server port=1812 Peer IP=5.6.7.8 Peer port=56735 User=john.doe: Authentication request accepted. '", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "allowed" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-13T07:57:56.426899Z", - "observer": { - "hostname": "FW_MX_01" - }, - "cisco_meraki": { - "event_subtype": "anyconnect_vpn_auth_success" - }, "action": { "outcome": "success", "outcome_reason": "Authentication request accepted. " }, - "source": { - "ip": "5.6.7.8", - "port": 56735, - "address": "5.6.7.8" + "cisco_meraki": { + "event_subtype": "anyconnect_vpn_auth_success" }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 1812, - "address": "1.2.3.4" + "port": 1812 }, - "user": { - "name": "john.doe" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -211,6 +203,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 56735 + }, + "user": { + "name": "john.doe" } } 
@@ -224,32 +224,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673614753.814828766 FW_MX_01 events anyconnect_vpn_connect user id 'john.doe@sekoia.io' local ip 1.2.3.4 reconnected from 5.6.7.8", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-13T12:59:13.814829Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { "event_subtype": "anyconnect_vpn_connect" }, - "source": { - "nat": { - "ip": "1.2.3.4" - }, - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "user": { - "name": "john.doe", - "domain": "sekoia.io" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -262,6 +251,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "domain": "sekoia.io", + "name": "john.doe" } } @@ -275,32 +275,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673614753.814828766 FW_MX_01 events anyconnect_vpn_connect user id 'john.doe@sekoia.io' local ip 1.2.3.4 connected from 5.6.7.8", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-13T12:59:13.814829Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { "event_subtype": "anyconnect_vpn_connect" }, - "source": { - "nat": { - "ip": "1.2.3.4" - }, - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "user": { - "name": "john.doe", - "domain": "sekoia.io" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ 
@@ -313,6 +302,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "domain": "sekoia.io", + "name": "john.doe" } } @@ -326,38 +326,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673516936.233050742 FW_MX_01 events type=anyconnect_vpn_connection_success msg= 'Server IP=1.2.3.4 Server port=443 Prot[TCP] Peer IP=5.6.7.8 Peer port=55760 conn_id[55356] Connection closed. '", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-12T09:48:56.233051Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { "event_subtype": "anyconnect_vpn_connection_success" }, - "source": { - "ip": "5.6.7.8", - "port": 55760, - "address": "5.6.7.8" - }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 443, - "address": "1.2.3.4" - }, - "server": { "port": 443 }, "network": { "protocol": "TCP" }, + "observer": { + "hostname": "FW_MX_01" + }, "related": { "hosts": [ "FW_MX_01" @@ -366,6 +358,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "server": { + "port": 443 + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 55760 } } 
@@ -379,30 +379,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673614757.517501781 FW_MX_01 events type=anyconnect_vpn_session_manager msg= 'Sess-ID[289] Peer IP=1.2.3.4 User[john.doe@sekoia.io]: Successfully added DTLS tunnel[289.4] '", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "info" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-13T12:59:17.517502Z", - "observer": { - "hostname": "FW_MX_01" - }, "cisco_meraki": { - "event_subtype": "anyconnect_vpn_session_manager", - "end_of_message": "Successfully added DTLS tunnel[289.4] " - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "end_of_message": "Successfully added DTLS tunnel[289.4] ", + "event_subtype": "anyconnect_vpn_session_manager" }, - "user": { - "name": "john.doe", - "domain": "sekoia.io" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -414,6 +406,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "sekoia.io", + "name": "john.doe" } } 
@@ -427,42 +427,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673541348.531136002 FW_MX_01 events content_filtering_block url='https://docs.sekoia.io/...' server='1.2.3.4:443' client_mac='AA:BB:CC:DD:EE:FF'", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "events", + "kind": "event", "type": [ "denied" - ], - "dataset": "events" + ] }, "@timestamp": "2023-01-12T16:35:48.531136Z", - "observer": { - "hostname": "FW_MX_01" + "action": { + "outcome": "block" }, "cisco_meraki": { "event_subtype": "content_filtering_block" }, "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 443, - "address": "1.2.3.4" - }, - "source": { - "mac": "AA:BB:CC:DD:EE:FF" - }, - "url": { - "original": "https://docs.sekoia.io/...", - "domain": "docs.sekoia.io", - "top_level_domain": "io", - "subdomain": "docs", - "registered_domain": "sekoia.io", - "path": "/...", - "scheme": "https", "port": 443 }, - "action": { - "outcome": "block" + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -471,6 +458,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "source": { + "mac": "AA:BB:CC:DD:EE:FF" + }, + "url": { + "domain": "docs.sekoia.io", + "original": "https://docs.sekoia.io/...", + "path": "/...", + "port": 443, + "registered_domain": "sekoia.io", + "scheme": "https", + "subdomain": "docs", + "top_level_domain": "io" } } 
@@ -484,25 +484,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277220.253011885 FW_MX_01 firewall src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "firewall", + "kind": "event", "type": [ "allowed" - ], - "dataset": "firewall" + ] }, "@timestamp": "2023-01-09T15:13:40.253012Z", - "source": { - "ip": "1.2.3.4", - "port": 39247, - "address": "1.2.3.4" + "action": { + "outcome": "allow" }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" + "port": 443 }, "network": { "protocol": "tcp" @@ -510,9 +508,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "hostname": "FW_MX_01" }, - "action": { - "outcome": "allow" - }, "related": { "hosts": [ "FW_MX_01" @@ -521,6 +516,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39247 } } @@ -534,25 +534,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277220.253011885 FW_MX_01 firewall allow src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "firewall", + "kind": "event", "type": [ "allowed" - ], - "dataset": "firewall" + ] }, "@timestamp": "2023-01-09T15:13:40.253012Z", - "source": { - "ip": "1.2.3.4", - "port": 39247, - "address": "1.2.3.4" + "action": { + "outcome": "allow" }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" + "port": 443 }, "network": { "protocol": "tcp" 
@@ -560,9 +558,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "hostname": "FW_MX_01" }, - "action": { - "outcome": "allow" - }, "related": { "hosts": [ "FW_MX_01" @@ -571,6 +566,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39247 } } @@ -584,25 +584,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.954105815 FW_MX_01 firewall src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543 pattern: 1 all", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "firewall", + "kind": "event", "type": [ "denied" - ], - "dataset": "firewall" + ] }, "@timestamp": "2023-01-09T15:14:04.954106Z", - "source": { - "ip": "1.2.3.4", - "port": 42644, - "address": "1.2.3.4" + "action": { + "outcome": "deny" }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 543, - "address": "5.6.7.8" + "port": 543 }, "network": { "protocol": "tcp" @@ -610,9 +608,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "hostname": "FW_MX_01" }, - "action": { - "outcome": "deny" - }, "related": { "hosts": [ "FW_MX_01" @@ -621,6 +616,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 42644 } } 
@@ -634,25 +634,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.954105815 FW_MX_01 firewall deny src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "firewall", + "kind": "event", "type": [ "denied" - ], - "dataset": "firewall" + ] }, "@timestamp": "2023-01-09T15:14:04.954106Z", - "source": { - "ip": "1.2.3.4", - "port": 42644, - "address": "1.2.3.4" + "action": { + "outcome": "deny" }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 543, - "address": "5.6.7.8" + "port": 543 }, "network": { "protocol": "tcp" @@ -660,9 +658,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "hostname": "FW_MX_01" }, - "action": { - "outcome": "deny" - }, "related": { "hosts": [ "FW_MX_01" @@ -671,6 +666,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 42644 } } @@ -684,35 +684,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277220.253011885 FW_MX_01 flows src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "flows", + "kind": "event", "type": [ "allowed" - ], - "dataset": "flows" + ] }, "@timestamp": "2023-01-09T15:13:40.253012Z", + "action": { + "outcome": "allow" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "1.2.3.4", - "port": 39247, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" - }, - "action": { - "outcome": "allow" - }, "related": { "hosts": [ "FW_MX_01" 
@@ -721,6 +716,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39247 } } @@ -734,35 +734,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277220.253011885 FW_MX_01 flows allow src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "flows", + "kind": "event", "type": [ "allowed" - ], - "dataset": "flows" + ] }, "@timestamp": "2023-01-09T15:13:40.253012Z", + "action": { + "outcome": "allow" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "1.2.3.4", - "port": 39247, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" - }, - "action": { - "outcome": "allow" - }, "related": { "hosts": [ "FW_MX_01" @@ -771,6 +766,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39247 } } 
@@ -784,35 +784,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277220.253011885 FW_MX_01 flows src=fe80:110:8897:efab:9202:b3ff:fe1e:8329 dst=fe80:110:8897:efab:9202:b3ff:fe1e:8330 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "flows", + "kind": "event", "type": [ "allowed" - ], - "dataset": "flows" + ] }, "@timestamp": "2023-01-09T15:13:40.253012Z", + "action": { + "outcome": "allow" + }, + "destination": { + "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8330", + "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8330", + "port": 443 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", - "port": 39247, - "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8329" - }, - "destination": { - "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8330", - "port": 443, - "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8330" - }, - "action": { - "outcome": "allow" - }, "related": { "hosts": [ "FW_MX_01" @@ -821,6 +816,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "fe80:110:8897:efab:9202:b3ff:fe1e:8329", "fe80:110:8897:efab:9202:b3ff:fe1e:8330" ] + }, + "source": { + "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "port": 39247 } } 
@@ -834,35 +834,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.954105815 FW_MX_01 flows src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543 pattern: 1 all", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "flows", + "kind": "event", "type": [ "denied" - ], - "dataset": "flows" + ] }, "@timestamp": "2023-01-09T15:14:04.954106Z", + "action": { + "outcome": "deny" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 543 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "1.2.3.4", - "port": 42644, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 543, - "address": "5.6.7.8" - }, - "action": { - "outcome": "deny" - }, "related": { "hosts": [ "FW_MX_01" @@ -871,6 +866,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 42644 } } @@ -884,35 +884,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.954105815 FW_MX_01 flows deny src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "flows", + "kind": "event", "type": [ "denied" - ], - "dataset": "flows" + ] }, "@timestamp": "2023-01-09T15:14:04.954106Z", + "action": { + "outcome": "deny" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 543 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "1.2.3.4", - "port": 42644, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 543, - "address": "5.6.7.8" - }, - "action": { - "outcome": "deny" - }, "related": { "hosts": [ "FW_MX_01" 
@@ -921,6 +916,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 42644 } } @@ -934,35 +934,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277245.252432409 FW_MX_01 ip_flow_end src=1.2.3.4 dst=5.6.7.8 protocol=udp sport=56391 dport=53 translated_dst_ip=9.10.11.12 translated_port=53", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "ip_flow_end", + "kind": "event", "type": [ "info" - ], - "dataset": "ip_flow_end" + ] }, "@timestamp": "2023-01-09T15:14:05.252432Z", - "network": { - "protocol": "udp" - }, - "observer": { - "hostname": "FW_MX_01" - }, - "source": { - "ip": "1.2.3.4", - "port": 56391, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 53, "nat": { "ip": "9.10.11.12", "port": 53 }, - "address": "5.6.7.8" + "port": 53 + }, + "network": { + "protocol": "udp" + }, + "observer": { + "hostname": "FW_MX_01" }, "related": { "hosts": [ @@ -973,6 +968,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "5.6.7.8", "9.10.11.12" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 56391 } } 
@@ -986,36 +986,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277245.262063982 FW_MX_01 ip_flow_start src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=64365 dport=443 translated_src_ip=9.10.11.12 translated_port=64365", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "ip_flow_start", + "kind": "event", "type": [ "info" - ], - "dataset": "ip_flow_start" + ] }, "@timestamp": "2023-01-09T15:14:05.262064Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, "network": { "protocol": "tcp" }, "observer": { "hostname": "FW_MX_01" }, - "source": { - "ip": "1.2.3.4", - "port": 64365, - "nat": { - "ip": "9.10.11.12", - "port": 64365 - }, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" - }, "related": { "hosts": [ "FW_MX_01" @@ -1025,6 +1016,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "5.6.7.8", "9.10.11.12" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "9.10.11.12", + "port": 64365 + }, + "port": 64365 } } 
@@ -1038,37 +1038,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277245.257656306 FW_MX_01 urls src=1.2.3.4:51960 dst=5.6.7.8:443 mac=AA:BB:CC:DD:EE:FF request: UNKNOWN https://www.google.com/...", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "urls", + "kind": "event", "type": [ "info" - ], - "dataset": "urls" + ] }, "@timestamp": "2023-01-09T15:14:05.257656Z", - "observer": { - "hostname": "FW_MX_01" - }, - "source": { - "ip": "1.2.3.4", - "port": 51960, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" - }, - "url": { - "original": "https://www.google.com/...", - "domain": "www.google.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "google.com", - "path": "/...", - "scheme": "https", "port": 443 }, "http": { @@ -1076,6 +1058,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "UNKNOWN" } }, + "observer": { + "hostname": "FW_MX_01" + }, "related": { "hosts": [ "FW_MX_01" @@ -1084,6 +1069,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51960 + }, + "url": { + "domain": "www.google.com", + "original": "https://www.google.com/...", + "path": "/...", + "port": 443, + "registered_domain": "google.com", + "scheme": "https", + "subdomain": "www", + "top_level_domain": "com" } } 
@@ -1097,37 +1097,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.773622789 FW_MX_01 urls src=1.2.3.4:64194 dst=5.6.7.8:80 mac=AA:BB:CC:DD:EE:FF request: GET http://www.msftconnecttest.com/connecttest.txt", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "urls", + "kind": "event", "type": [ "info" - ], - "dataset": "urls" + ] }, "@timestamp": "2023-01-09T15:14:04.773623Z", - "observer": { - "hostname": "FW_MX_01" - }, - "source": { - "ip": "1.2.3.4", - "port": 64194, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 80, - "address": "5.6.7.8" - }, - "url": { - "original": "http://www.msftconnecttest.com/connecttest.txt", - "domain": "www.msftconnecttest.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "msftconnecttest.com", - "path": "/connecttest.txt", - "scheme": "http", "port": 80 }, "http": { @@ -1135,6 +1117,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "hostname": "FW_MX_01" + }, "related": { "hosts": [ "FW_MX_01" @@ -1143,6 +1128,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64194 + }, + "url": { + "domain": "www.msftconnecttest.com", + "original": "http://www.msftconnecttest.com/connecttest.txt", + "path": "/connecttest.txt", + "port": 80, + "registered_domain": "msftconnecttest.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" } } 
@@ -1156,64 +1156,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.416181683 FW_MX_01 urls src=1.2.3.4:55566 dst=5.6.7.8:80 mac=AA:BB:CC:DD:EE:FF agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' request: GET http://docs.sekoia.io/xdr/features/collect/integrations/network/cisco_meraki/", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "urls", + "kind": "event", "type": [ "info" - ], - "dataset": "urls" + ] }, "@timestamp": "2023-01-09T15:14:04.416182Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + } + }, "observer": { "hostname": "FW_MX_01" }, + "related": { + "hosts": [ + "FW_MX_01" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "source": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 55566, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 80, - "address": "5.6.7.8" + "port": 55566 }, "url": { - "original": "http://docs.sekoia.io/xdr/features/collect/integrations/network/cisco_meraki/", "domain": "docs.sekoia.io", - "top_level_domain": "io", - "subdomain": "docs", - "registered_domain": "sekoia.io", + "original": "http://docs.sekoia.io/xdr/features/collect/integrations/network/cisco_meraki/", "path": "/xdr/features/collect/integrations/network/cisco_meraki/", + "port": 80, + "registered_domain": "sekoia.io", "scheme": "http", - "port": 80 - }, - "http": { - "request": { - "method": "GET" - } + "subdomain": "docs", + "top_level_domain": "io" }, "user_agent": { - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", "device": { "name": "Mac" }, "name": "Chrome", - "version": "108.0.0", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", 
"os": { "name": "Mac OS X", "version": "10.15.7" - } - }, - "related": { - "hosts": [ - "FW_MX_01" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] + }, + "version": "108.0.0" } } @@ -1227,37 +1227,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1673277244.773622789 FW_MX_01 urls src=fe80:110:8897:efab:9202:b3ff:fe1e:8329:64194 dst=fe80:110:8897:efab:9202:b3ff:fe1e:8330:80 mac=AA:BB:CC:DD:EE:FF request: GET http://www.msftconnecttest.com/connecttest.txt", "event": { - "kind": "event", "category": [ "network" ], + "dataset": "urls", + "kind": "event", "type": [ "info" - ], - "dataset": "urls" + ] }, "@timestamp": "2023-01-09T15:14:04.773623Z", - "observer": { - "hostname": "FW_MX_01" - }, - "source": { - "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", - "port": 64194, - "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8329" - }, "destination": { + "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8330", "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8330", - "port": 80, - "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8330" - }, - "url": { - "original": "http://www.msftconnecttest.com/connecttest.txt", - "domain": "www.msftconnecttest.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "msftconnecttest.com", - "path": "/connecttest.txt", - "scheme": "http", "port": 80 }, "http": { @@ -1265,6 +1247,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "hostname": "FW_MX_01" + }, "related": { "hosts": [ "FW_MX_01" 
@@ -1273,6 +1258,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "fe80:110:8897:efab:9202:b3ff:fe1e:8329", "fe80:110:8897:efab:9202:b3ff:fe1e:8330" ] + }, + "source": { + "address": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "ip": "fe80:110:8897:efab:9202:b3ff:fe1e:8329", + "port": 64194 + }, + "url": { + "domain": "www.msftconnecttest.com", + "original": "http://www.msftconnecttest.com/connecttest.txt", + "path": "/connecttest.txt", + "port": 80, + "registered_domain": "msftconnecttest.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" } } diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md index f62bed6f5d..61b547ba60 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md 
@@ -37,114 +37,114 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":1077,\"record_identifier\":\"d327f865227909ad464d67f8\",\"ioc_severity\":4,\"path\":\"HKEY_LOCAL Options\",\"ioc_detection_cvss\":\"4\",\"analysis\":\"{\\\"dep_opt_out\\\":0,\\\"dep_alwayson\\\":0,\\\"dep_opt_in\\\":1}\",\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"COMPLIANCE-DEP-PERMISSIVE\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_data.name\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"vulnerability_dep\\\",\\\"references\\\":[\\\"http://www.test.com/\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"01:02:03:04:05:06\",\"endpoint_id\":\"0a7e076f-k4p1-428a-8304-azedazedazef\",\"meta_public_ip_country_code\":\"FR\",\"meta_public_ip_postal\":\"35750\",\"schema_version\":\"20\",\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_detection_access\":\"{\\\"authentication\\\":\\\"None\\\",\\\"complexity\\\":\\\"Low\\\",\\\"vector\\\":\\\"Local\\\"}\",\"ioc_created_at\":\"2022-11-30T09:23:22.226Z\",\"ingestion_timestamp\":\"2022-11-30T09:22:29.980Z\",\"ioc_detection_attack\":\"Exposure\",\"numerics\":false,\"meta_public_ip\":\"1.2.3.4\",\"counter\":2,\"detection_id_dedup\":\"azeifazeiofuhapizefhapzieofhazeufh\",\"meta_hostname\":\"AC061-E44iauzebf\",\"ioc_detection_references\":\"[\\\"http://www.test.com\\\"]\",\"ioc_worker_name\":\"Direct Mapping 
Worker\",\"ioc_detection_type\":\"Vulnerability\",\"ioc_detection_category\":\"Vulnerability\",\"ioc_unix_time\":\"2022-11-30T09:22:11.000Z\",\"epoch\":1669619877,\"meta_ip_mask\":\"1.2.3.4\",\"meta_public_ip_city\":\"Paris\",\"ioc_worker_id\":\"direct_mapping_worker\",\"unix_time\":\"2022-11-30T09:22:11.000Z\",\"ioc_log_type\":\"summary\",\"query_source\":\"xdr_only\",\"host_identifier\":\"4C4C4544-0035-4E10-8044-B3C04F5A3333\",\"partition_bucket\":\"87\",\"meta_public_ip_country\":\"France\",\"meta_public_ip_state\":\"Paris\",\"meta_boot_time\":1669798899,\"meta_os_name\":\"Microsoft Windows 10 Professionnel\",\"osquery_action\":\"added\",\"meta_query_pack_version\":\"1.14.90\",\"calendar_time\":\"2022-11-30T09:22:11.000Z\",\"meta_eid\":\"0a7e076f-0316-428a-8304-fea736738c7a\",\"meta_public_ip_longitude\":2.4075,\"ioc_detection_id\":\"COMPLIANCE-DEP-PERMISSIVE\",\"meta_os_platform\":\"windows\",\"meta_username\":\"AC712341234\",\"detection_identifier\":\"d327f865227909ad464d67f8fc9d8e38c4285299f4\",\"query_name\":\"vulnerability_dep\",\"key\":\"HKEY_LOCAL_MACHINE Control\",\"meta_os_version\":\"10.0.19044\",\"meta_public_ip_latitude\":39,\"mtime\":1669757890,\"ioc_detection_licenses\":\"[\\\"MTR\\\"]\",\"name\":\"SystemStartOptions\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"type\":\"REG_SZ\",\"ingest_date\":\"2022-11-30\",\"ioc_detection_impact\":\"{\\\"availability\\\":\\\"Partial\\\",\\\"confidentiality\\\":\\\"Partial\\\",\\\"integrity\\\":\\\"Partial\\\"}\",\"meta_endpoint_type\":\"computer\",\"meta_domain_controller\":\"False\",\"customer_id\":\"f7193486-a186-4197-ab40-0ddc013a0a65\",\"data\":\" NOEXECUTE=OPTIN FVEBOOT=1234567 NOVGA\",\"ioc_detection_description\":\"DEP is not Admin Opt-out or Always-on.\",\"message_identifier\":\"ofiazefoazebfaozuefazeo\",\"ioc_attack_type\":\"Exposure\",\"ioc_detection_weight\":4}", "event": { - "kind": "event", - "severity": 4, "code": "COMPLIANCE-DEP-PERMISSIVE", - "ingested": 
"2022-11-30T09:22:29.980000Z" + "ingested": "2022-11-30T09:22:29.980000Z", + "kind": "event", + "severity": 4 }, "@timestamp": "2022-11-30T09:22:11Z", - "user": { - "name": "AC712341234" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "01:02:03:04:05:06", - "geo": { - "country_iso_code": "FR", - "postal_code": "35750", - "city_name": "Paris", - "country_name": "France" - }, - "bytes": 1077, - "address": "1.2.3.4" - }, "host": { - "name": "AC061-E44iauzebf", "id": "4C4C4544-0035-4E10-8044-B3C04F5A3333", + "name": "AC061-E44iauzebf", "os": { "full": "Microsoft Windows 10 Professionnel", "name": "windows", "version": "10.0.19044" } }, - "vulnerability": { - "reference": "http://www.test.com", - "description": "DEP is not Admin Opt-out or Always-on." - }, "process": { "name": "Direct Mapping Worker" }, "registry": { - "path": "HKEY_LOCAL Options", - "key": "HKEY_LOCAL_MACHINE Control", "data": { - "type": "REG_SZ", "strings": [ " NOEXECUTE=OPTIN FVEBOOT=1234567 NOVGA" - ] - } + ], + "type": "REG_SZ" + }, + "key": "HKEY_LOCAL_MACHINE Control", + "path": "HKEY_LOCAL Options" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "AC712341234" + ] }, "sophos": { "threat_center": { - "record_identifier": "d327f865227909ad464d67f8", - "id": "0a7e076f-k4p1-428a-8304-azedazedazef", - "message": { - "id": "ofiazefoazebfaozuefazeo" - }, + "aggressive_activity": "False", + "analysis": "{\"dep_alwayson\": 0, \"dep_opt_in\": 1, \"dep_opt_out\": 0}", + "detection_id_dedup": "azeifazeiofuhapizefhapzieofhazeufh", "endpoint": { "type": "computer" }, - "worker": { - "id": "direct_mapping_worker" - }, - "aggressive_activity": "False", - "detection_id_dedup": "azeifazeiofuhapizefhapzieofhazeufh", + "id": "0a7e076f-k4p1-428a-8304-azedazedazef", "ioc": { - "log_type": "summary", "attack_type": "Exposure", - "unix_time": "2022-11-30T09:22:11.000000Z", "detection": { + "access": { + "complexity": "Low", + "vector": "Local" + }, "attack": "Exposure", - 
"cvss": "4", - "weight": "4", - "licences": [ - "MTR" - ], - "type": "Vulnerability", "category": "Vulnerability", + "cvss": "4", "impact": { "availability": "Partial", - "integrity": "Partial", - "confidentiality": "Partial" - }, - "access": { - "complexity": "Low", - "vector": "Local" + "confidentiality": "Partial", + "integrity": "Partial" }, + "licences": [ + "MTR" + ], "sigma": { "id": "COMPLIANCE-DEP-PERMISSIVE" - } - } + }, + "type": "Vulnerability", + "weight": "4" + }, + "log_type": "summary", + "unix_time": "2022-11-30T09:22:11.000000Z" + }, + "message": { + "id": "ofiazefoazebfaozuefazeo" }, "query": { - "source": "xdr_only", "action": "added", + "name": "vulnerability_dep", "pack_version": "1.14.90", - "name": "vulnerability_dep" + "source": "xdr_only" }, - "analysis": "{\"dep_alwayson\": 0, \"dep_opt_in\": 1, \"dep_opt_out\": 0}" + "record_identifier": "d327f865227909ad464d67f8", + "worker": { + "id": "direct_mapping_worker" + } } }, - "related": { - "ip": [ - "1.2.3.4" - ], - "user": [ - "AC712341234" - ] + "source": { + "address": "1.2.3.4", + "bytes": 1077, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "country_name": "France", + "postal_code": "35750" + }, + "ip": "1.2.3.4", + "mac": "01:02:03:04:05:06", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "name": "AC712341234" + }, + "vulnerability": { + "description": "DEP is not Admin Opt-out or Always-on.", + "reference": "http://www.test.com" } } 
@@ -158,108 +158,108 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":1291,\"record_identifier\":\"09dd5e717aa664189dqehbfazuebfazuebfiaze\",\"ioc_severity\":4,\"path\":\"LOCAL_MACHINE/test.exe\",\"ioc_detection_cvss\":\"4\",\"analysis\":\"{\\\"os_compatibility_target\\\":\\\"test\\\"}\",\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"COMPLIANCE-APP-COMPAT\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_data.name\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"vulnerability_app_compatibility\\\",\\\"references\\\":[\\\"https://test.com/\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"01:02:03:04:05:06\",\"endpoint_id\":\"a3288afe-799d-aizuef-azfeef-fazef\",\"schema_version\":\"20\",\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_detection_access\":\"{\\\"authentication\\\":\\\"None\\\",\\\"complexity\\\":\\\"Low\\\",\\\"vector\\\":\\\"Local\\\"}\",\"ioc_created_at\":\"2022-11-30T09:25:14.805Z\",\"ingestion_timestamp\":\"2022-11-30T09:22:45.391Z\",\"ioc_detection_attack\":\"Exposure\",\"numerics\":false,\"meta_public_ip\":\"1.2.3.4\",\"counter\":0,\"detection_id_dedup\":\"432025a1cb38ad65dc6azefazef\",\"meta_hostname\":\"AKAS-TE8789897\",\"ioc_detection_references\":\"[\\\"https://test.com\\\"]\",\"ioc_worker_name\":\"Direct Mapping Worker\",\"ioc_detection_type\":\"Vulnerability\",\"ioc_detection_category\":\"Vulnerability\",\"ioc_unix_time\":\"2022-11-30T09:22:25.000Z\",\"epoch\":1111100000,\"meta_ip_mask\":\"1.2.3.0\",\"ioc_worker_id\":\"direct_mapping_worker\",\"unix_time\":\"2022-11-30T09:22:25.000Z\",\"ioc_log_type\":\"summary\",\"query_source\":\"xdr_only\",\"host_identifier\":\"5C32B390-E1EB-D177\",\"partition_bucket\":\"87\",\"meta_boot_time\":1111100000,\"meta_os_name\":\"Microsoft Windows 10 
Professionnel\",\"osquery_action\":\"added\",\"meta_query_pack_version\":\"1.14.90\",\"calendar_time\":\"2022-11-30T09:22:25.000Z\",\"meta_eid\":\"a3288afe-799d-46a4-9026-ad5cd41337f4\",\"ioc_detection_id\":\"COMPLIANCE-APP\",\"meta_os_platform\":\"windows\",\"meta_username\":\"AC7500JOIJOIJ\",\"detection_identifier\":\"09dd5e717aa664189d54ea1757ddd6e2beaacd676ffb\",\"query_name\":\"vulnerability_app_compatibility\",\"key\":\"LOCAL_MACHINE/Layers\",\"meta_os_version\":\"10.0.19044\",\"mtime\":1111100000,\"ioc_detection_licenses\":\"[\\\"MTR\\\"]\",\"name\":\"C:test.exe\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"type\":\"REG_SZ\",\"ingest_date\":\"2022-11-30\",\"ioc_detection_impact\":\"{\\\"availability\\\":\\\"Partial\\\",\\\"confidentiality\\\":\\\"Partial\\\",\\\"integrity\\\":\\\"Partial\\\"}\",\"meta_endpoint_type\":\"computer\",\"meta_domain_controller\":\"False\",\"customer_id\":\"f7193486-a186-4197\",\"data\":\"HIGHDPITEST\",\"ioc_detection_description\":\"Applications with special compatibility set for an executable.\",\"message_identifier\":\"75e420b40149f07eada47bdb23c28281\",\"ioc_attack_type\":\"Exposure\",\"ioc_detection_weight\":4}", "event": { - "kind": "event", - "severity": 4, "code": "COMPLIANCE-APP", - "ingested": "2022-11-30T09:22:45.391000Z" + "ingested": "2022-11-30T09:22:45.391000Z", + "kind": "event", + "severity": 4 }, "@timestamp": "2022-11-30T09:22:25Z", - "user": { - "name": "AC7500JOIJOIJ" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "01:02:03:04:05:06", - "bytes": 1291, - "address": "1.2.3.4" - }, "host": { - "name": "AKAS-TE8789897", "id": "5C32B390-E1EB-D177", + "name": "AKAS-TE8789897", "os": { "full": "Microsoft Windows 10 Professionnel", "name": "windows", "version": "10.0.19044" } }, - "vulnerability": { - "reference": "https://test.com", - "description": "Applications with special compatibility set for an executable." 
- }, "process": { "name": "Direct Mapping Worker" }, "registry": { - "path": "LOCAL_MACHINE/test.exe", - "key": "LOCAL_MACHINE/Layers", "data": { - "type": "REG_SZ", "strings": [ "HIGHDPITEST" - ] - } + ], + "type": "REG_SZ" + }, + "key": "LOCAL_MACHINE/Layers", + "path": "LOCAL_MACHINE/test.exe" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "AC7500JOIJOIJ" + ] }, "sophos": { "threat_center": { - "record_identifier": "09dd5e717aa664189dqehbfazuebfazuebfiaze", - "id": "a3288afe-799d-aizuef-azfeef-fazef", - "message": { - "id": "75e420b40149f07eada47bdb23c28281" - }, + "aggressive_activity": "False", + "analysis": "{\"os_compatibility_target\": \"test\"}", + "detection_id_dedup": "432025a1cb38ad65dc6azefazef", "endpoint": { "type": "computer" }, - "worker": { - "id": "direct_mapping_worker" - }, - "aggressive_activity": "False", - "detection_id_dedup": "432025a1cb38ad65dc6azefazef", + "id": "a3288afe-799d-aizuef-azfeef-fazef", "ioc": { - "log_type": "summary", "attack_type": "Exposure", - "unix_time": "2022-11-30T09:22:25.000000Z", "detection": { + "access": { + "complexity": "Low", + "vector": "Local" + }, "attack": "Exposure", - "cvss": "4", - "weight": "4", - "licences": [ - "MTR" - ], - "type": "Vulnerability", "category": "Vulnerability", + "cvss": "4", "impact": { "availability": "Partial", - "integrity": "Partial", - "confidentiality": "Partial" - }, - "access": { - "complexity": "Low", - "vector": "Local" + "confidentiality": "Partial", + "integrity": "Partial" }, + "licences": [ + "MTR" + ], "sigma": { "id": "COMPLIANCE-APP-COMPAT" - } - } + }, + "type": "Vulnerability", + "weight": "4" + }, + "log_type": "summary", + "unix_time": "2022-11-30T09:22:25.000000Z" + }, + "message": { + "id": "75e420b40149f07eada47bdb23c28281" }, "query": { - "source": "xdr_only", "action": "added", + "name": "vulnerability_app_compatibility", "pack_version": "1.14.90", - "name": "vulnerability_app_compatibility" + "source": "xdr_only" }, - "analysis": 
"{\"os_compatibility_target\": \"test\"}" + "record_identifier": "09dd5e717aa664189dqehbfazuebfazuebfiaze", + "worker": { + "id": "direct_mapping_worker" + } } }, - "related": { - "ip": [ - "1.2.3.4" - ], - "user": [ - "AC7500JOIJOIJ" - ] + "source": { + "address": "1.2.3.4", + "bytes": 1291, + "ip": "1.2.3.4", + "mac": "01:02:03:04:05:06", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "name": "AC7500JOIJOIJ" + }, + "vulnerability": { + "description": "Applications with special compatibility set for an executable.", + "reference": "https://test.com" } } 
@@ -273,97 +273,97 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":1869,\"record_identifier\":\"864de39eef32\",\"ioc_severity\":5,\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"EVENT-Brute-Force-Attempt\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_data.name\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"windows_event\\\",\\\"references\\\":[\\\"https://test.com/auditing/event-4625\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"00:01:02:03:04:05\",\"endpoint_id\":\"51a8f1a0-db9d\",\"meta_public_ip_country_code\":\"FR\",\"remote_address\":\"1.2.3.4\",\"schema_version\":\"22\",\"authentication_package\":\"NTLM\",\"remote_port\":0,\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2023-07-17T11:34:57.524Z\",\"ingestion_timestamp\":\"2023-07-17T11:34:57.356Z\",\"ioc_detection_attack\":\"Suspicious Activity\",\"numerics\":false,\"eventid\":46254646,\"meta_public_ip\":\"1.2.3.4\",\"counter\":68,\"detection_id_dedup\":\"ab874753684df564365b\",\"logon_type\":3,\"meta_hostname\":\"mytestname-vm\",\"ioc_detection_references\":\"[\\\"https://test.com/auditing/event-4625\\\"]\",\"ioc_worker_name\":\"Direct Mapping Worker\",\"ioc_detection_type\":\"Threat\",\"ioc_detection_category\":\"Threat\",\"status\":\"0xc00000677d\",\"ioc_unix_time\":\"2023-07-17T11:34:45.000Z\",\"username_list\":\"TEST,TEST1,TEST2,TEST3,TEST4, TEST5\",\"epoch\":1689319838,\"event_timestamps\":\"1689589842,1689589974\",\"meta_ip_mask\":\"1.2.3.4\",\"meta_public_ip_city\":\"Camping\",\"failure_reason\":\"%%2313\",\"ioc_worker_id\":\"direct_mapping_worker\",\"transmitted_services\":\"-\",\"unix_time\":\"2023-07-17T11:34:45.000Z\",\"ioc_log_type\":\"summary\",\"query_source\":\"xdr_only\",\"host_identifier\":\"7BB240A3-B6AC\",\"partition_bucket\":\"10\",\"meta_public_ip_country\":\"France\",\"meta_public_ip_state\":\"Saint 
Paule\",\"meta_boot_time\":1687956677,\"subject_username\":\"-\",\"meta_os_name\":\"Microsoft Windows 10 Pro N\",\"osquery_action\":\"added\",\"meta_query_pack_version\":\"1.16.54\",\"subject_domain\":\"-\",\"calendar_time\":\"2023-07-17T11:34:45.000Z\",\"meta_eid\":\"51a8f1a0-db9d\",\"meta_public_ip_longitude\":-477.0565,\"ioc_detection_id\":\"EVENT-4625-Brute-Force-Attempt\",\"meta_os_platform\":\"windows\",\"detection_identifier\":\"864de39eef32e68379ce450f5b6ebd4ef7f1\",\"workstation_name\":\"-\",\"query_name\":\"windows_event_invalid_logon_brute_force\",\"key_length\":0,\"provider_name\":\"Microsoft-Windows-Security\",\"meta_os_version\":\"10.0.19044\",\"sub_status\":\"0xc0000064\",\"meta_public_ip_latitude\":-221.9035,\"source\":\"Security\",\"ioc_detection_licenses\":\"[\\\"MTR\\\",\\\"MTRE\\\"]\",\"name\":\"-\",\"description\":\"Source IP is shuffling through 20 or more different usernames, appears to be a brute force attack\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"logon_process\":\"NtLmSsp \",\"ingest_date\":\"2023-07-17\",\"target_domain\":\"\",\"meta_endpoint_type\":\"computer\",\"meta_domain_controller\":\"False\",\"customer_id\":\"4feff6df-7454\",\"ioc_detection_description\":\"Windows Event Brute Force Attempt Detected.\",\"message_identifier\":\"7f181e964e95390587e73b\",\"ioc_attack_type\":\"Suspicious Activity\",\"ioc_detection_weight\":5}", "event": { + "code": "EVENT-4625-Brute-Force-Attempt", + "ingested": "2023-07-17T11:34:57.356000Z", "kind": "event", - "severity": 5, "reason": "Source IP is shuffling through 20 or more different usernames, appears to be a brute force attack", - "code": "EVENT-4625-Brute-Force-Attempt", - "ingested": "2023-07-17T11:34:57.356000Z" + "severity": 5 }, "@timestamp": "2023-07-17T11:34:45Z", - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "00:01:02:03:04:05", - "geo": { - "country_iso_code": "FR", - "city_name": "Camping", - "country_name": "France" - }, - 
"bytes": 1869, - "address": "1.2.3.4" + "destination": { + "address": "1.2.3.4", + "port": 0 }, "host": { - "name": "mytestname-vm", + "domain": "-", "id": "7BB240A3-B6AC", + "name": "mytestname-vm", "os": { "full": "Microsoft Windows 10 Pro N", "name": "windows", "version": "10.0.19044" - }, - "domain": "-" - }, - "vulnerability": { - "reference": "https://test.com/auditing/event-4625", - "description": "Windows Event Brute Force Attempt Detected." + } }, "process": { "name": "Direct Mapping Worker" }, - "destination": { - "port": 0, - "address": "1.2.3.4" + "related": { + "ip": [ + "1.2.3.4" + ] }, "sophos": { "threat_center": { - "record_identifier": "864de39eef32", - "event": { - "id": 46254646 - }, - "id": "51a8f1a0-db9d", - "logon_process": "NtLmSsp ", - "message": { - "id": "7f181e964e95390587e73b" - }, + "aggressive_activity": "False", + "detection_id_dedup": "ab874753684df564365b", "endpoint": { "type": "computer" }, - "worker": { - "id": "direct_mapping_worker" + "event": { + "id": 46254646 }, - "aggressive_activity": "False", - "detection_id_dedup": "ab874753684df564365b", + "id": "51a8f1a0-db9d", "ioc": { - "log_type": "summary", "attack_type": "Suspicious Activity", - "unix_time": "2023-07-17T11:34:45.000000Z", "detection": { "attack": "Suspicious Activity", - "weight": "5", + "category": "Threat", "licences": [ "MTR", "MTRE" ], - "type": "Threat", - "category": "Threat", "sigma": { "id": "EVENT-Brute-Force-Attempt" - } - } + }, + "type": "Threat", + "weight": "5" + }, + "log_type": "summary", + "unix_time": "2023-07-17T11:34:45.000000Z" + }, + "logon_process": "NtLmSsp ", + "message": { + "id": "7f181e964e95390587e73b" }, "query": { - "source": "xdr_only", "action": "added", + "name": "windows_event_invalid_logon_brute_force", "pack_version": "1.16.54", - "name": "windows_event_invalid_logon_brute_force" + "source": "xdr_only" + }, + "record_identifier": "864de39eef32", + "worker": { + "id": "direct_mapping_worker" } } }, - "related": { - "ip": [ - 
"1.2.3.4" - ] + "source": { + "address": "1.2.3.4", + "bytes": 1869, + "geo": { + "city_name": "Camping", + "country_iso_code": "FR", + "country_name": "France" + }, + "ip": "1.2.3.4", + "mac": "00:01:02:03:04:05", + "nat": { + "ip": "1.2.3.4" + } + }, + "vulnerability": { + "description": "Windows Event Brute Force Attempt Detected.", + "reference": "https://test.com/auditing/event-4625" } } 
@@ -377,116 +377,116 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":2056,\"record_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_severity\":5,\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"EVENT-0000\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_test\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"windows_event_user_account_locked_out\\\",\\\"references\\\":[\\\"https://test.com/event-0000\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"00:11:22:33:44:55\",\"endpoint_id\":\"70599d12-fec7-4129-8844-7c6cfded4642\",\"meta_public_ip_country_code\":\"FR\",\"schema_version\":\"22\",\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2025-12-12T13:59:12.269Z\",\"ingestion_timestamp\":\"2025-12-12T13:59:11.487Z\",\"ioc_detection_attack\":\"Suspicious Activity\",\"numerics\":false,\"eventid\":4740,\"meta_public_ip\":\"1.2.3.4\",\"counter\":1,\"detection_id_dedup\":\"b99ecce6f278bb68406f67ba7dcc76e1de263395\",\"meta_hostname\":\"CER31SVM\",\"ioc_detection_references\":\"[\\\"https://test.com/event-7777\\\"]\",\"ioc_worker_name\":\"IOC worker name\",\"ioc_detection_type\":\"Threat\",\"ioc_detection_category\":\"Threat\",\"ioc_unix_time\":\"2023-12-12T13:58:51.000Z\",\"epoch\":1699999999,\"meta_ip_mask\":\"5.5.5.5\",\"ioc_worker_id\":\"direct_mapping_worker\",\"unix_time\":\"2023-08-17T13:58:51.000Z\",\"ioc_log_type\":\"summary\",\"query_source\":\"xdr_only\",\"host_identifier\":\"eb37c32a-4285-11ee-be56-0242ac120002\",\"partition_bucket\":\"87\",\"meta_public_ip_country\":\"France\",\"meta_boot_time\":1611110000,\"subject_username\":\"SUBJECTUSERNAME\",\"meta_os_name\":\"Microsoft Windows 
Server\",\"osquery_action\":\"added\",\"meta_query_pack_version\":\"1.17.56\",\"subject_domain\":\"SUBJECTDOMAIN\",\"calendar_time\":\"2025-12-12T10:00:51.000Z\",\"meta_eid\":\"70599d12-fec7-4129-8844-7c6cfded4642\",\"meta_public_ip_longitude\":46.3387,\"ioc_detection_id\":\"WIN-EVENT-4740\",\"meta_os_platform\":\"windows\",\"meta_username\":\"AC000TEST0011\",\"detection_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002_0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"query_name\":\"windows_query_event\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"meta_os_version\":\"1.0.2s\",\"meta_public_ip_latitude\":55.8582,\"source\":\"Security\",\"ioc_detection_licenses\":\"[\\\"License1\\\",\\\"License2\\\"]\",\"description\":\"A user account was locked out.\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"ingest_date\":\"2023-08-17\",\"target_domain\":\"AC000-TEST0011\",\"meta_endpoint_type\":\"server\",\"meta_domain_controller\":\"False\",\"customer_id\":\"36c536f0-4282-11ee-be56-0242ac120002\",\"ioc_detection_description\":\"Windows Event User Account Locked Out.\",\"message_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_attack_type\":\"Suspicious Activity\",\"target_username\":\"Administrateur\",\"user_upn\":\"user.mail@company.fr\",\"ml_score_band\":\"HIGH_SUSPICION\",\"target_server\":\"TEST/1.2.3.4\",\"package\":\"TEST\",\"ioc_detection_weight\":5}", "event": { + "code": "WIN-EVENT-4740", + "ingested": "2025-12-12T13:59:11.487000Z", "kind": "event", - "severity": 5, "reason": "A user account was locked out.", - "code": "WIN-EVENT-4740", - "ingested": "2025-12-12T13:59:11.487000Z" + "severity": 5 }, "@timestamp": "2025-12-12T10:00:51Z", - "user": { - "name": "AC000TEST0011", - "target": { - "name": "Administrateur" - } - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "00:11:22:33:44:55", - "geo": { - 
"country_iso_code": "FR", - "country_name": "France" - }, - "bytes": 2056, - "address": "1.2.3.4" + "destination": { + "address": "AC000-TEST0011", + "domain": "AC000-TEST0011" }, "host": { - "name": "CER31SVM", + "domain": "SUBJECTDOMAIN", "id": "eb37c32a-4285-11ee-be56-0242ac120002", + "name": "CER31SVM", "os": { "full": "Microsoft Windows Server", "name": "windows", "version": "1.0.2s" - }, - "domain": "SUBJECTDOMAIN" - }, - "vulnerability": { - "reference": "https://test.com/event-7777", - "description": "Windows Event User Account Locked Out." + } }, "process": { "name": "IOC worker name" }, - "destination": { - "domain": "AC000-TEST0011", - "address": "AC000-TEST0011" + "related": { + "hosts": [ + "AC000-TEST0011", + "TEST/1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "AC000TEST0011" + ] }, "server": { "domain": "TEST/1.2.3.4" }, "sophos": { "threat_center": { - "record_identifier": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002", - "event": { - "id": 4740 - }, - "id": "70599d12-fec7-4129-8844-7c6cfded4642", - "user_upn": "user.mail@company.fr", - "package": "TEST", - "message": { - "id": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002" - }, + "aggressive_activity": "False", + "detection_id_dedup": "b99ecce6f278bb68406f67ba7dcc76e1de263395", "endpoint": { "type": "server" }, - "worker": { - "id": "direct_mapping_worker" + "event": { + "id": 4740 }, - "aggressive_activity": "False", - "detection_id_dedup": "b99ecce6f278bb68406f67ba7dcc76e1de263395", + "id": "70599d12-fec7-4129-8844-7c6cfded4642", "ioc": { - "log_type": "summary", "attack_type": "Suspicious Activity", - "unix_time": "2023-12-12T13:58:51.000000Z", "detection": { "attack": "Suspicious Activity", - "weight": "5", + "category": "Threat", "licences": [ "License1", "License2" ], - "type": "Threat", - "category": "Threat", "sigma": { "id": "EVENT-0000" - } - } + }, + "type": "Threat", + "weight": "5" + }, + "log_type": "summary", + "unix_time": 
"2023-12-12T13:58:51.000000Z" + }, + "message": { + "id": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002" }, + "ml": { + "score_band": "HIGH_SUSPICION" + }, + "package": "TEST", "query": { - "source": "xdr_only", "action": "added", + "name": "windows_query_event", "pack_version": "1.17.56", - "name": "windows_query_event" + "source": "xdr_only" }, - "ml": { - "score_band": "HIGH_SUSPICION" + "record_identifier": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002", + "user_upn": "user.mail@company.fr", + "worker": { + "id": "direct_mapping_worker" } } }, - "related": { - "hosts": [ - "AC000-TEST0011", - "TEST/1.2.3.4" - ], - "ip": [ - "1.2.3.4" - ], - "user": [ - "AC000TEST0011" - ] + "source": { + "address": "1.2.3.4", + "bytes": 2056, + "geo": { + "country_iso_code": "FR", + "country_name": "France" + }, + "ip": "1.2.3.4", + "mac": "00:11:22:33:44:55", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "name": "AC000TEST0011", + "target": { + "name": "Administrateur" + } + }, + "vulnerability": { + "description": "Windows Event User Account Locked Out.", + "reference": "https://test.com/event-7777" } } 
@@ -500,293 +500,293 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":2088,\"record_identifier\":\"0242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_severity\":5,\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"EVENT-0000\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_test\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"windows_event_user_account_locked_out\\\",\\\"references\\\":[\\\"https://test.com/event-0000\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"00:11:22:33:44:55\",\"endpoint_id\":\"70599d12-fec7-4129-8844-7c6cfded4642\",\"meta_public_ip_country_code\":\"FR\",\"schema_version\":\"22\",\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2025-12-12T13:59:12.269Z\",\"ingestion_timestamp\":\"2025-12-12T13:59:11.487Z\",\"ioc_detection_attack\":\"Suspicious Activity\",\"numerics\":false,\"eventid\":4740,\"meta_public_ip\":\"1.2.3.4\",\"detection_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002_0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"query_name\":\"windows_query_event\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"meta_os_version\":\"1.0.2s\",\"meta_public_ip_latitude\":55.8582,\"source\":\"Security\",\"ioc_detection_licenses\":\"[\\\"License1\\\",\\\"License2\\\"]\",\"description\":\"A user account was locked out.\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"ingest_date\":\"2023-08-17\",\"target_domain\":\"AC000-TEST0011\",\"meta_endpoint_type\":\"server\",\"meta_domain_controller\":\"False\",\"customer_id\":\"36c536f0-4282-11ee-be56-0242ac120002\",\"ioc_detection_description\":\"Windows Event User Account Locked Out.\",\"message_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_attack_type\":\"Suspicious 
Activity\",\"target_username\":\"Administrateur\",\"user_upn\":\"user.mail@company.fr\",\"ml_score_band\":\"HIGH_SUSPICION\",\"target_server\":\"TEST/1.2.3.4\",\"package\":\"TEST\",\"ioc_detection_weight\":5,\"logon_process\":\"logon_process\",\"is_process_file_signed\":\"1\",\"sha1\":\"d4baeeb9180a4284b33fa3602d86c\",\"process_cmd_line\":\"\\\"C:\\\\Program Files (x86)\\\\test.exe\\\" --te /test:5\",\"process_ml_score_band\":\"ml_score\",\"process_parent_name\":\"process_parent.exe\",\"threat_type\":\"threat_type\",\"threat_source\":\"threat_source\",\"ioc_event_path\":\"C:\\\\Program Files (x86)\\\\TEST.EXE\",\"sha256\":\"94256542e235681ba64a20bc50910dd745d52347\",\"cmdline\":\"get_test \",\"password_last_set\":\"18/08/2021 03:37:25\",\"lolbins_ml_results\":{\"score\":19,\"score_label\":\"score_label\",\"sha256\":\"dd6748642b108262f933260c3ae8\"}}", "event": { + "ingested": "2025-12-12T13:59:11.487000Z", "kind": "event", - "severity": 5, "reason": "A user account was locked out.", - "ingested": "2025-12-12T13:59:11.487000Z" + "severity": 5 }, - "user": { - "target": { - "name": "Administrateur" - } + "destination": { + "address": "AC000-TEST0011", + "domain": "AC000-TEST0011" }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "00:11:22:33:44:55", - "geo": { - "country_iso_code": "FR" + "file": { + "directory": "C:\\Program Files (x86)", + "hash": { + "sha1": "d4baeeb9180a4284b33fa3602d86c", + "sha256": "94256542e235681ba64a20bc50910dd745d52347" }, - "bytes": 2088, - "address": "1.2.3.4" + "name": "TEST.EXE", + "path": "C:\\Program Files (x86)\\TEST.EXE" }, "host": { "os": { "version": "1.0.2s" } }, - "vulnerability": { - "description": "Windows Event User Account Locked Out." 
- }, "process": { + "code_signature": { + "exists": true + }, + "command_line": "\"C:\\Program Files (x86)\\test.exe\" --te /test:5", "hash": { "sha1": "d4baeeb9180a4284b33fa3602d86c", "sha256": "94256542e235681ba64a20bc50910dd745d52347" }, "parent": { "name": "process_parent.exe" - }, - "command_line": "\"C:\\Program Files (x86)\\test.exe\" --te /test:5", - "code_signature": { - "exists": true } }, - "destination": { - "domain": "AC000-TEST0011", - "address": "AC000-TEST0011" - }, - "threat": { - "indicator": { - "provider": "threat_source" - } + "related": { + "hash": [ + "94256542e235681ba64a20bc50910dd745d52347", + "d4baeeb9180a4284b33fa3602d86c" + ], + "hosts": [ + "AC000-TEST0011", + "TEST/1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ] }, "server": { "domain": "TEST/1.2.3.4" }, - "file": { - "path": "C:\\Program Files (x86)\\TEST.EXE", - "hash": { - "sha1": "d4baeeb9180a4284b33fa3602d86c", - "sha256": "94256542e235681ba64a20bc50910dd745d52347" - }, - "name": "TEST.EXE", - "directory": "C:\\Program Files (x86)" - }, "sophos": { "threat_center": { - "record_identifier": "0242ac1200020cd6e1e0428211eebe560242ac120002", - "event": { - "id": 4740 - }, - "id": "70599d12-fec7-4129-8844-7c6cfded4642", - "user_upn": "user.mail@company.fr", - "logon_process": "logon_process", - "package": "TEST", - "message": { - "id": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002" - }, + "aggressive_activity": "False", "endpoint": { "type": "server" }, - "aggressive_activity": "False", - "threat_type": "threat_type", - "process": { - "executable": { - "is_signed": true - } + "event": { + "id": 4740 }, + "id": "70599d12-fec7-4129-8844-7c6cfded4642", "ioc": { "attack_type": "Suspicious Activity", "detection": { "attack": "Suspicious Activity", - "weight": "5", "licences": [ "License1", "License2" ], "sigma": { "id": "EVENT-0000" - } + }, + "weight": "5" } }, - "query": { - "name": "windows_query_event" - }, - "ml": { - "score": "19", - "score_band": "ml_score" - }, + 
"logon_process": "logon_process", "lolbins_ml_results": { "score": "19", "score_label": "score_label", "sha256": "dd6748642b108262f933260c3ae8" }, + "message": { + "id": "0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002" + }, + "ml": { + "score": "19", + "score_band": "ml_score" + }, + "package": "TEST", "password": { "last_set": "2021-08-18T03:37:25.000000Z" - } + }, + "process": { + "executable": { + "is_signed": true + } + }, + "query": { + "name": "windows_query_event" + }, + "record_identifier": "0242ac1200020cd6e1e0428211eebe560242ac120002", + "threat_type": "threat_type", + "user_upn": "user.mail@company.fr" } }, - "related": { - "hash": [ - "94256542e235681ba64a20bc50910dd745d52347", - "d4baeeb9180a4284b33fa3602d86c" - ], - "hosts": [ - "AC000-TEST0011", - "TEST/1.2.3.4" - ], - "ip": [ - "1.2.3.4" - ] - } - } - - ``` - - -=== "ioc_view_query5.json" - - ```json + "source": { + "address": "1.2.3.4", + "bytes": 2088, + "geo": { + "country_iso_code": "FR" + }, + "ip": "1.2.3.4", + "mac": "00:11:22:33:44:55", + "nat": { + "ip": "1.2.3.4" + } + }, + "threat": { + "indicator": { + "provider": "threat_source" + } + }, + "user": { + "target": { + "name": "Administrateur" + } + }, + "vulnerability": { + "description": "Windows Event User Account Locked Out." 
+ } + } + + ``` + + +=== "ioc_view_query5.json" + + ```json { "message": "{\n \"parent\": 25740,\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"upload_size\": 2376,\n \"record_identifier\": \"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044\",\n \"ioc_severity\": 5,\n \"path\": \"C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe\",\n \"is_process_file_signed\": \"1\",\n \"ml_score_data\": \"{\\\"configVersion\\\":\\\"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044\\\",\\\"expireTime\\\":0,\\\"peMalwareScore\\\":7,\\\"pePuaScore\\\":15,\\\"vdlFlags\\\":0,\\\"version\\\":2}\",\n \"ioc_detection_sigma\": \"{\\\"id\\\":\\\"WIN-EXE-ENR-ML-SUSPICIOUS-1.star\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_data.columns.sophosPID\\\",\\\"detection.id\\\"]}}\",\n \"company_name\": \"Microsoft Corporation\",\n \"pua_score\": 15,\n \"folded\": 0,\n \"meta_mac_address\": \"00:05:9a:3c:7a:00\",\n \"endpoint_id\": \"7df406c7-efc9-4c7d-806f-1c7216031630\",\n \"meta_public_ip_country_code\": \"FR\",\n \"schema_version\": \"22\",\n \"uid\": 292948,\n \"ioc_detection_mitre_attack\": \"[{\\\"tactic\\\":{\\\"id\\\":\\\"TA0002\\\",\\\"name\\\":\\\"Execution\\\",\\\"techniques\\\":[{\\\"id\\\":\\\"T1059\\\",\\\"name\\\":\\\"Command and Scripting Interpreter\\\"}]}}]\",\n \"meta_licence\": \"\",\n \"ioc_detection_experiment_level\": 0,\n \"ioc_created_at\": \"2023-08-30T15:04:40.934Z\",\n \"cmdline\": \"wmic /Namespace:\\\\\\\\root\\\\SecurityCenter2 Path AntivirusProduct Get displayName,productState\",\n \"ingestion_timestamp\": \"2023-08-30T15:04:17.022Z\",\n \"ioc_detection_attack\": \"Execution\",\n \"numerics\": false,\n \"meta_public_ip\": \"194.0.166.130\",\n \"counter\": 1414,\n \"detection_id_dedup\": \"b758901433312f4077ce4ed46b776ecc895712ff\",\n \"meta_hostname\": \"H3333333333333\",\n \"username\": \"U11111111\",\n \"ioc_worker_name\": \"Security Event Service\",\n \"ioc_detection_type\": 
\"process\",\n \"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"ioc_detection_category\": \"Threat\",\n \"ioc_unix_time\": \"2023-08-30T15:03:56.000Z\",\n \"epoch\": 1693206450,\n \"meta_ip_mask\": \"255.255.252.0\",\n \"file_size\": 576000,\n \"ioc_worker_id\": \"security-event-service\",\n \"global_rep_data\": \"{\\\"expireTime\\\":0,\\\"lookupType\\\":0,\\\"reputation\\\":-1,\\\"reputationData\\\":\\\"\\\",\\\"sampleRate\\\":0,\\\"version\\\":1}\",\n \"parent_name\": \"idea64.exe\",\n \"unix_time\": \"2023-08-30T15:03:56.000Z\",\n \"pid\": 3984,\n \"ioc_log_type\": \"summary\",\n \"original_filename\": \"wmic.exe\",\n \"ml_score_band\": \"LIKELY_BENIGN\",\n \"query_source\": \"xdr_only\",\n \"sophos_pid\": \"3984:133378811508910039\",\n \"host_identifier\": \"689FF239-6905-4EB3-8CA4-716E63BDB63D\",\n \"partition_bucket\": \"87\",\n \"meta_public_ip_country\": \"United-Kingdom\",\n \"meta_boot_time\": 1693382499,\n \"local_rep\": 91,\n \"meta_os_name\": \"Microsoft Windows 10 Professionnel\",\n \"sha256_reputation_score\": 70,\n \"osquery_action\": \"added\",\n \"lolbins_ml_results\": {\n \"score\": 99.0,\n \"score_label\": \"Suspicious\",\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"\n },\n \"parent_path\": \"C:\\\\Program Files\\\\JetBrains\\\\IntelliJ IDEA 2021.3.3\\\\bin\\\\idea64.exe\",\n \"meta_query_pack_version\": \"1.17.56\",\n \"calendar_time\": \"2023-08-30T15:03:56.000Z\",\n \"meta_eid\": \"aecc2aae-83d8-4f39-b65a-53413caa415f\",\n \"meta_public_ip_longitude\": -0.076198,\n \"ioc_detection_id\": \"WIN-EXE-ENR-ML-SUSPICIOUS-1\",\n \"meta_os_platform\": \"windows\",\n \"meta_username\": \"U111111111\",\n \"detection_identifier\": \"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044_b758901433312f4077ce4ed46b776ecc895712ff\",\n \"query_name\": \"running_processes_windows_sophos\",\n \"meta_os_type\": \"\",\n \"meta_os_version\": \"10.0.19045\",\n \"parent_cmdline\": \"\\\"C:\\\\Program 
Files\\\\JetBrains\\\\IntelliJ IDEA 2021.3.3\\\\bin\\\\idea64.exe\\\" \",\n \"meta_public_ip_latitude\": 51.5082,\n \"local_rep_data\": \"{\\\"reputationData\\\":{\\\"isSigned\\\":1,\\\"signerInfo\\\":[{\\\"cryptoAlgorithm\\\":32780,\\\"cryptoStrength\\\":112,\\\"isValid\\\":1,\\\"signer\\\":\\\"Microsoft Windows\\\",\\\"thumbprint\\\":\\\"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1\\\"}]}}\",\n \"ioc_detection_licenses\": \"[\\\"MTR\\\"]\",\n \"parent_sophos_pid\": \"22222:666666666666666666\",\n \"name\": \"WMIC.exe\",\n \"global_rep\": -1,\n \"meta_aggressive_activity\": \"False\",\n \"meta_ip_address\": \"1.2.3.4\",\n \"time\": 1693407550,\n \"file_version\": \"10.0.19041.1741 (WinBuild.160101.0800)\",\n \"ingest_date\": \"2023-08-30\",\n \"file_description\": \"WMI Commandline Utility\",\n \"ml_score\": 7,\n \"sha256_reputation_band\": \"KNOWN_GOOD\",\n \"meta_endpoint_type\": \"computer\",\n \"meta_domain_controller\": \"False\",\n \"customer_id\": \"9cc350ec-283c-451a-b072-4c7df065d350\",\n \"ioc_detection_description\": \"Identifies Lolbin processes labeled as suspicious by a machine learning model.\",\n \"message_identifier\": \"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044\",\n \"ioc_attack_type\": \"Security Event Service Detections\",\n \"product_name\": \"Microsoft\u00ae Windows\u00ae Operating System\",\n \"gid\": 292948,\n \"ioc_detection_weight\": 5\n}\n", "event": { - "kind": "event", - "severity": 5, "code": "WIN-EXE-ENR-ML-SUSPICIOUS-1", - "ingested": "2023-08-30T15:04:17.022000Z" + "ingested": "2023-08-30T15:04:17.022000Z", + "kind": "event", + "severity": 5 }, "@timestamp": "2023-08-30T15:03:56Z", - "user": { - "name": "U111111111" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "194.0.166.130" - }, - "mac": "00:05:9a:3c:7a:00", - "geo": { - "country_iso_code": "FR", - "country_name": "United-Kingdom" + "file": { + "hash": { + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": 
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, - "bytes": 2376, - "address": "1.2.3.4" + "name": "WMIC.exe", + "path": "C:\\Windows\\System32\\wbem\\WMIC.exe", + "size": 576000 }, "host": { - "name": "H3333333333333", "id": "689FF239-6905-4EB3-8CA4-716E63BDB63D", + "name": "H3333333333333", "os": { "full": "Microsoft Windows 10 Professionnel", "name": "windows", "version": "10.0.19045" } }, - "vulnerability": { - "description": "Identifies Lolbin processes labeled as suspicious by a machine learning model." - }, "process": { - "pid": 3984, - "name": "Security Event Service", + "code_signature": { + "exists": true + }, + "command_line": "wmic /Namespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName,productState", "hash": { "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, + "name": "Security Event Service", "parent": { - "name": "idea64.exe", + "command_line": "\"C:\\Program Files\\JetBrains\\IntelliJ IDEA 2021.3.3\\bin\\idea64.exe\" ", "executable": "C:\\Program Files\\JetBrains\\IntelliJ IDEA 2021.3.3\\bin\\idea64.exe", - "command_line": "\"C:\\Program Files\\JetBrains\\IntelliJ IDEA 2021.3.3\\bin\\idea64.exe\" " + "name": "idea64.exe" }, - "command_line": "wmic /Namespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName,productState", - "code_signature": { - "exists": true - } + "pid": 3984 }, - "file": { - "size": 576000, - "hash": { - "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - }, - "name": "WMIC.exe", - "path": "C:\\Windows\\System32\\wbem\\WMIC.exe" + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "ip": [ + "1.2.3.4", + "194.0.166.130" + ], + "user": [ + "U111111111" + ] }, "sophos": { "threat_center": { - "record_identifier": 
"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044", - "id": "7df406c7-efc9-4c7d-806f-1c7216031630", - "message": { - "id": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044" - }, - "sha256": { - "reputation_band": "KNOWN_GOOD", - "reputation_score": "70" - }, + "aggressive_activity": "False", + "detection_id_dedup": "b758901433312f4077ce4ed46b776ecc895712ff", "endpoint": { "type": "computer" }, - "worker": { - "id": "security-event-service" - }, "file": { - "version": "10.0.19041.1741 (WinBuild.160101.0800)", "description": "WMI Commandline Utility", "original": { "name": "wmic.exe" - } - }, - "aggressive_activity": "False", - "detection_id_dedup": "b758901433312f4077ce4ed46b776ecc895712ff", - "process": { - "executable": { - "is_signed": true - } + }, + "version": "10.0.19041.1741 (WinBuild.160101.0800)" }, + "global_rep": -1, + "id": "7df406c7-efc9-4c7d-806f-1c7216031630", "ioc": { - "log_type": "summary", "attack_type": "Security Event Service Detections", - "unix_time": "2023-08-30T15:03:56.000000Z", "detection": { "attack": "Execution", - "weight": "5", + "category": "Threat", "licences": [ "MTR" ], - "type": "process", - "category": "Threat", "sigma": { "id": "WIN-EXE-ENR-ML-SUSPICIOUS-1.star" - } - } + }, + "type": "process", + "weight": "5" + }, + "log_type": "summary", + "unix_time": "2023-08-30T15:03:56.000000Z" }, - "query": { - "source": "xdr_only", - "action": "added", - "pack_version": "1.17.56", - "name": "running_processes_windows_sophos" + "lolbins_ml_results": { + "score": "99.0", + "score_label": "Suspicious", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "message": { + "id": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044" }, "ml": { "score": "7", "score_band": "LIKELY_BENIGN" }, - "lolbins_ml_results": { - "score": "99.0", - "score_label": "Suspicious", - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + "ml_score_data": { + 
"config_version": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044" + }, + "process": { + "executable": { + "is_signed": true + } }, "pua": { "score": "15" }, - "global_rep": -1, - "ml_score_data": { - "config_version": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044" + "query": { + "action": "added", + "name": "running_processes_windows_sophos", + "pack_version": "1.17.56", + "source": "xdr_only" + }, + "record_identifier": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044", + "sha256": { + "reputation_band": "KNOWN_GOOD", + "reputation_score": "70" + }, + "worker": { + "id": "security-event-service" } } }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", - "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" - ], - "ip": [ - "1.2.3.4", - "194.0.166.130" - ], - "user": [ - "U111111111" - ] + "source": { + "address": "1.2.3.4", + "bytes": 2376, + "geo": { + "country_iso_code": "FR", + "country_name": "United-Kingdom" + }, + "ip": "1.2.3.4", + "mac": "00:05:9a:3c:7a:00", + "nat": { + "ip": "194.0.166.130" + } + }, + "user": { + "name": "U111111111" + }, + "vulnerability": { + "description": "Identifies Lolbin processes labeled as suspicious by a machine learning model." } } 
@@ -800,31 +800,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"upload_size\":4486,\"record_identifier\":\"9be070bb55a846a99c85f38e82afb01b9be070bb55a846a99c85f3\",\"ioc_severity\":5,\"process_cmd_line\":\"\\\"C:\\\\process_cmd_line.EXE\\\" \",\"ioc_event_path\":\"C:\\\\ioc_event_path.EXE\",\"process_ml_score_band\":\"LIKELY_BENIGN\",\"process_parent_name\":\"process_parent_name.exe\",\"folded\":0,\"meta_mac_address\":\"00:11:22:33:44:55\",\"endpoint_id\":\"3494ce1f-08fd-4a03-8948-0cb0945ac521\",\"meta_public_ip_country_code\":\"MAR\",\"schema_version\":\"22\",\"ioc_detection_mitre_attack\":\"[{\\\"tactic\\\":{\\\"description\\\":\\\"description tactic \\\",\\\"external_references\\\":[{\\\"external_id\\\":\\\"EE0003\\\",\\\"source_name\\\":\\\"mitre-attack\\\",\\\"url\\\":\\\"https://test.org/tactics/EE0003\\\"}],\\\"id\\\":\\\"EE0003\\\",\\\"name\\\":\\\"Persistence\\\",\\\"techniques\\\":[{\\\"description\\\":\\\"techniques description\\\",\\\"external_references\\\":[{\\\"external_id\\\":\\\"E1997.009\\\",\\\"source_name\\\":\\\"mitre-attack\\\",\\\"url\\\":\\\"https://test.org/techniques/E1997/009\\\"},{\\\"external_id\\\":\\\"EEEEE-132\\\",\\\"source_name\\\":\\\"EEEEE\\\",\\\"url\\\":\\\"https://test.org/132.html\\\"},{\\\"description\\\":\\\"EEE description\\\",\\\"source_name\\\":\\\"source name 2020 - LNK Elastic\\\",\\\"url\\\":\\\"https://www.youtube.com/watch?v=EEEEEEEE\\\"}],\\\"id\\\":\\\"T1547.009\\\",\\\"name\\\":\\\"Shortcut Modification\\\",\\\"platforms\\\":[\\\"Windows\\\"]}]}}]\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2023-09-20T09:31:41.937Z\",\"process_name\":\"process_name.EXE\",\"ingestion_timestamp\":\"2023-09-20T09:31:41.090Z\",\"ioc_detection_attack\":\"Suspicious 
Activity\",\"numerics\":false,\"ioc_event_sid\":\"\",\"process_global_rep\":-1,\"meta_public_ip\":\"1.2.3.4\",\"counter\":33,\"detection_id_dedup\":\"e880fc47a0dc0086a8c2f05b92971d2bce2bdaf3\",\"process_sha256_reputation_band\":\"KNOWN_GOOD\",\"meta_hostname\":\"H3333333333333\",\"ioc_event_sophos_tid\":\"\",\"ioc_event_threat_source\":\"Behavioral\",\"ioc_detection_references\":\"[]\",\"process_file_size\":2119600,\"ioc_worker_name\":\"Direct Mapping Worker\",\"ioc_detection_type\":\"Threat\",\"ioc_event_username\":\"\",\"process_path\":\"C:\\\\process_path.EXE\",\"ioc_detection_category\":\"Threat\",\"ioc_unix_time\":\"2023-09-20T09:28:15.000Z\",\"epoch\":1695009925,\"meta_ip_mask\":\"255.255.255.0\",\"ioc_worker_id\":\"direct_mapping_worker\",\"unix_time\":\"2023-09-20T09:28:15.000Z\",\"ioc_log_type\":\"summary\",\"query_source\":\"xdr_only\",\"sophos_pid\":\"12120:111111111111111111\",\"host_identifier\":\"6f80b628-5b7c-11ee-8c99-0242ac120002\",\"partition_bucket\":\"87\",\"meta_public_ip_country\":\"France\",\"process_local_rep_signers\":\"{\\\"reputationData\\\":{\\\"isSigned\\\":1,\\\"signerInfo\\\":[{\\\"isValid\\\":1,\\\"signer\\\":\\\"Microsoft Corporation\\\"},{\\\"isValid\\\":1,\\\"signer\\\":\\\"Microsoft Corporation\\\"}]}}\",\"meta_boot_time\":1695182611,\"process_pua_score\":17,\"process_sha256_reputation_score\":70,\"meta_os_name\":\"Microsoft Windows 10 
Professionnel\",\"process_ml_score\":8,\"osquery_action\":\"added\",\"meta_query_pack_version\":\"1.18.1\",\"calendar_time\":\"2023-09-20T09:28:15.000Z\",\"meta_eid\":\"9cc350ec-283c-451a-b072-4c7df065d350\",\"meta_public_ip_longitude\":-0.076198,\"ioc_detection_id\":\"WIN-DET-T1547.009\",\"meta_os_platform\":\"windows\",\"meta_username\":\"JDOE\",\"process_parent_sophos_pid\":\"14208:111111111111111111\",\"detection_identifier\":\"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044_b758901433312f4077ce4ed46b776ecc895712ff\",\"query_name\":\"sophos_runtime_iocs_windows\",\"process_cmd_line_truncated\":0,\"meta_os_version\":\"10.0.19045\",\"meta_public_ip_latitude\":51.5082,\"process_sha256\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"event_count\":1,\"ioc_event_time\":\"2023-09-20T09:28:15.000Z\",\"meta_aggressive_activity\":\"False\",\"ioc_event_events\":\"[{\\\"cmdline\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office16\\\\\\\\ONENOTE.EXE\\\\\\\" \\\",\\\"irep\\\":5,\\\"newSpid\\\":{\\\"!spid\\\":\\\"[12120:111111111111111111]\\\"},\\\"pwin32Path\\\":\\\"c:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\\"rep\\\":5,\\\"sha256\\\":{\\\"!sha256\\\":\\\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\\\"},\\\"spid\\\":{\\\"!spid\\\":\\\"[14208:111111111111111111]\\\"},\\\"type\\\":\\\"ProcessCreate\\\",\\\"win32Path\\\":\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office16\\\\\\\\ONENOTE.EXE\\\"},{\\\"fileAttributes\\\":32,\\\"irep\\\":5,\\\"process\\\":\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\Office16\\\\\\\\ONENOTE.EXE\\\",\\\"rep\\\":5,\\\"size\\\":{\\\"!uint64\\\":\\\"0\\\"},\\\"spid\\\":{\\\"!spid\\\":\\\"[12120:111111111111111111]\\\"},\\\"stid\\\":{\\\"!stid\\\":\\\"[5816:111111111111111111]\\\"},\\\"type\\\":\\\"FileOpen\\\",\\\"win32Path\\\":\\\"C:\\\\\\\\Users\\\\\\\\JDOE\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\Envoyer \\\\u00e0 OneNote.lnk\\\"}]\",\"meta_ip_address\":\"1.2.3.4\",\"process_local_rep\":91,\"ingest_date\":\"2023-09-20\",\"meta_endpoint_type\":\"computer\",\"meta_domain_controller\":\"False\",\"ioc_event_ttp_summary\":\"TA0003-T1547.009\",\"customer_id\":\"9cc350ec-283c-451a-b072-4c7df065d350\",\"message_identifier\":\"f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044\",\"ioc_attack_type\":\"Suspicious Activity\",\"process_pid\":12120,\"ioc_events_size\":1247,\"process_parent_path\":\"C:\\\\Windows\\\\process_parent_path.exe\",\"ioc_detection_weight\":5}", "event": { - "kind": "event", - "severity": 5, "code": "WIN-DET-T1547.009", - "ingested": "2023-09-20T09:31:41.090000Z" + "ingested": "2023-09-20T09:31:41.090000Z", + "kind": "event", + "severity": 5 }, "@timestamp": "2023-09-20T09:28:15Z", - "user": { - "name": "JDOE" - }, - "source": { - "ip": "1.2.3.4", - "nat": { - "ip": "1.2.3.4" - }, - "mac": "00:11:22:33:44:55", - "geo": { - "country_iso_code": "MAR", - "country_name": "France" - }, - "bytes": 4486, - "address": "1.2.3.4" + "file": { + "directory": "C:", + "name": "ioc_event_path.EXE", + "path": "C:\\ioc_event_path.EXE", + "size": 2119600 }, "host": { - "name": "H3333333333333", "id": "6f80b628-5b7c-11ee-8c99-0242ac120002", + "name": "H3333333333333", "os": { "full": "Microsoft Windows 10 Professionnel", "name": "windows", 
@@ -832,82 +822,92 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { + "command_line": "\"C:\\process_cmd_line.EXE\" ", + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, "name": "Direct Mapping Worker", "parent": { "name": "process_parent_name.exe", "working_directory": "C:\\Windows\\process_parent_path.exe" - }, - "command_line": "\"C:\\process_cmd_line.EXE\" ", - "hash": { - "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, - "file": { - "path": "C:\\ioc_event_path.EXE", - "size": 2119600, - "name": "ioc_event_path.EXE", - "directory": "C:" + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] }, "sophos": { "threat_center": { - "record_identifier": "9be070bb55a846a99c85f38e82afb01b9be070bb55a846a99c85f3", + "aggressive_activity": "False", + "detection_id_dedup": "e880fc47a0dc0086a8c2f05b92971d2bce2bdaf3", + "endpoint": { + "type": "computer" + }, "id": "3494ce1f-08fd-4a03-8948-0cb0945ac521", + "ioc": { + "attack_type": "Suspicious Activity", + "detection": { + "attack": "Suspicious Activity", + "category": "Threat", + "type": "Threat", + "weight": "5" + }, + "log_type": "summary", + "ttp_summary": "TA0003-T1547.009", + "unix_time": "2023-09-20T09:28:15.000000Z" + }, "message": { "id": "f94976c04e9a3863965cf49ea581e5a0cb2cad90fa949a44a443b7b2b3c9a044" }, - "endpoint": { - "type": "computer" - }, - "worker": { - "id": "direct_mapping_worker" + "ml": { + "score_band": "LIKELY_BENIGN" }, - "aggressive_activity": "False", - "detection_id_dedup": "e880fc47a0dc0086a8c2f05b92971d2bce2bdaf3", "process": { - "ml_score": "8", - "pua": { - "score": "17" - }, "hash": { "sha256": { "reputation_band": "KNOWN_GOOD", "reputation_score": "70" } - } - }, - "ioc": { - "ttp_summary": "TA0003-T1547.009", - "log_type": "summary", - "attack_type": "Suspicious 
Activity", - "unix_time": "2023-09-20T09:28:15.000000Z", - "detection": { - "attack": "Suspicious Activity", - "weight": "5", - "type": "Threat", - "category": "Threat" + }, + "ml_score": "8", + "pua": { + "score": "17" } }, "query": { - "source": "xdr_only", "action": "added", + "name": "sophos_runtime_iocs_windows", "pack_version": "1.18.1", - "name": "sophos_runtime_iocs_windows" + "source": "xdr_only" }, - "ml": { - "score_band": "LIKELY_BENIGN" + "record_identifier": "9be070bb55a846a99c85f38e82afb01b9be070bb55a846a99c85f3", + "worker": { + "id": "direct_mapping_worker" } } }, - "related": { - "hash": [ - "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" - ], - "ip": [ - "1.2.3.4" - ], - "user": [ - "JDOE" - ] + "source": { + "address": "1.2.3.4", + "bytes": 4486, + "geo": { + "country_iso_code": "MAR", + "country_name": "France" + }, + "ip": "1.2.3.4", + "mac": "00:11:22:33:44:55", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "name": "JDOE" } } diff --git a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md index 8feb6415b9..7bcc6717d6 100644 --- a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md +++ b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md 
@@ -35,70 +35,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Plaintext password login attempt over HTTP from 1.2.3.4 (UPS) to 5.6.7.8 (Room Monitor) with username: john.doe.|5|device_asset_id=BWMKNUSOGU device_assignees=[] device_category=IoT device_connection_type_list=['Ethernet'] device_ip_list=['1.2.3.4'] device_labels=[] device_mac_list=['00:50:56:94:2b:94'] device_manufacturer=APC device_model=Smart UPS device_network_list=['Corporate'] device_note=None device_os=Proprietary AOS device_site_name=Main device_subcategory=Facilities device_type=UPS device_uid=2bad8dfb-0bf8-4dcc-87c6-a669c8a30933 domain=None dst_ip=5.6.7.8 dst_mac=e8:98:6d:ce:1f:11 dst_port=80 event_description=Plaintext password login attempt over HTTP from 1.2.3.4 (UPS) to 5.6.7.8 (Room Monitor) with username: john.doe. event_id=11111111 event_timestamp=2022-02-06T14:18:48.578951+00:00 event_type=Device Sent Plaintext Credentials geo_location=None msg_category=comm_event password_length=6 protocol=HTTP server_port=None src_ip=1.2.3.4 src_mac=e8:98:6d:ce:1f:12 src_port=39252 username=john.doe", "event": { - "kind": "alert", "category": [ "authentication" ], + "code": "Device Sent Plaintext Credentials", + "kind": "alert", + "reason": "Plaintext password login attempt over HTTP from 1.2.3.4 (UPS) to 5.6.7.8 (Room Monitor) with username: john.doe.", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "reason": "Plaintext password login attempt over HTTP from 1.2.3.4 (UPS) to 5.6.7.8 (Room Monitor) with username: john.doe.", - "code": "Device Sent Plaintext Credentials" + ] }, "@timestamp": "2022-02-06T14:18:48.578951Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device Security Platform", - "version": "1.0" - }, - "source": { - "ip": "1.2.3.4", - "mac": "e8:98:6d:ce:1f:12", - "port": 39252, - "address": "1.2.3.4" - }, - "user": { - "name": "john.doe" + 
"claroty": { + "xdome": { + "device": { + "category": "IoT", + "site_name": "Main", + "subcategory": "Facilities", + "uid": "2bad8dfb-0bf8-4dcc-87c6-a669c8a30933" + }, + "event_id": "11111111" + } }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", "mac": "e8:98:6d:ce:1f:11", - "port": 80, - "address": "5.6.7.8" + "port": 80 }, - "network": { - "protocol": "HTTP" + "device": { + "id": "BWMKNUSOGU", + "manufacturer": "APC", + "model": { + "name": "Smart UPS" + } }, "host": { - "mac": [ - "00:50:56:94:2b:94" - ], "ip": [ "1.2.3.4" ], - "type": "UPS", + "mac": [ + "00:50:56:94:2b:94" + ], "os": { "full": "Proprietary AOS" - } + }, + "type": "UPS" }, - "device": { - "id": "BWMKNUSOGU", - "manufacturer": "APC", - "model": { - "name": "Smart UPS" - } + "network": { + "protocol": "HTTP" }, - "claroty": { - "xdome": { - "event_id": "11111111", - "device": { - "uid": "2bad8dfb-0bf8-4dcc-87c6-a669c8a30933", - "category": "IoT", - "subcategory": "Facilities", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "ip": [ @@ -108,6 +99,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "e8:98:6d:ce:1f:12", + "port": 39252 + }, + "user": { + "name": "john.doe" } } 
@@ -121,70 +121,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Plaintext password login attempt over HTTP from 1.2.3.4 (PC) to 5.6.7.8 with username: john.doe.|5|device_asset_id=NRLDV001 device_assignees=[] device_category=IT device_connection_type_list=['Ethernet'] device_ip_list=['1.2.3.4'] device_labels=[] device_mac_list=['98:e7:f4:bf:6c:9c'] device_manufacturer=HP device_model=EliteDesk 800 G3 DM 35W device_network_list=['Corporate'] device_note=None device_os=Windows 10 1607 device_site_name=Main device_subcategory=Computers device_type=PC device_uid=e74fc1c7-215c-4cd0-b266-df935b70221e domain=None dst_ip=5.6.7.8 dst_mac=36:34:95:3d:89:0f dst_port=80 event_description=Plaintext password login attempt over HTTP from 1.2.3.4 (PC) to 5.6.7.8 with username: john.doe. event_id=51455158 event_timestamp=2022-02-06T14:23:49.145782+00:00 event_type=Device Sent Plaintext Credentials geo_location=None msg_category=comm_event password_length=4 protocol=HTTP server_port=None src_ip=1.2.3.4 src_mac=98:e7:f4:bf:6c:9c src_port=55137 username=john.doe", "event": { - "kind": "alert", "category": [ "authentication" ], + "code": "Device Sent Plaintext Credentials", + "kind": "alert", + "reason": "Plaintext password login attempt over HTTP from 1.2.3.4 (PC) to 5.6.7.8 with username: john.doe.", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "reason": "Plaintext password login attempt over HTTP from 1.2.3.4 (PC) to 5.6.7.8 with username: john.doe.", - "code": "Device Sent Plaintext Credentials" + ] }, "@timestamp": "2022-02-06T14:23:49.145782Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device Security Platform", - "version": "1.0" - }, - "source": { - "ip": "1.2.3.4", - "mac": "98:e7:f4:bf:6c:9c", - "port": 55137, - "address": "1.2.3.4" - }, - "user": { - "name": "john.doe" + "claroty": { + "xdome": { + "device": { + "category": "IT", + 
"site_name": "Main", + "subcategory": "Computers", + "uid": "e74fc1c7-215c-4cd0-b266-df935b70221e" + }, + "event_id": "51455158" + } }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", "mac": "36:34:95:3d:89:0f", - "port": 80, - "address": "5.6.7.8" + "port": 80 }, - "network": { - "protocol": "HTTP" + "device": { + "id": "NRLDV001", + "manufacturer": "HP", + "model": { + "name": "EliteDesk 800 G3 DM 35W" + } }, "host": { - "mac": [ - "98:e7:f4:bf:6c:9c" - ], "ip": [ "1.2.3.4" ], - "type": "PC", + "mac": [ + "98:e7:f4:bf:6c:9c" + ], "os": { "full": "Windows 10 1607" - } + }, + "type": "PC" }, - "device": { - "id": "NRLDV001", - "manufacturer": "HP", - "model": { - "name": "EliteDesk 800 G3 DM 35W" - } + "network": { + "protocol": "HTTP" }, - "claroty": { - "xdome": { - "event_id": "51455158", - "device": { - "uid": "e74fc1c7-215c-4cd0-b266-df935b70221e", - "category": "IT", - "subcategory": "Computers", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "ip": [ @@ -194,6 +185,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "98:e7:f4:bf:6c:9c", + "port": 55137 + }, + "user": { + "name": "john.doe" } } 
@@ -207,70 +207,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Successful authentication with a Default/Weak password of length: 3, was detected on 5.6.7.8 (Firewall). 1.2.3.4 (Last known IP) (Chemistry Analyzer) had logged in with username: fgl.|5|device_asset_id=NRLDV001 device_assignees=[] device_category=IT device_connection_type_list=['Ethernet'] device_ip_list=['5.6.7.8'] device_labels=[] device_mac_list=['e0:23:ff:02:6a:89'] device_manufacturer=Fortinet device_model=FortiGate device_network_list=['Corporate'] device_note=None device_os=FortiOS device_site_name=Main device_subcategory=Network device_type=Firewall device_uid=e98cadb0-1838-4cc0-98f0-79d2a4678684 dst_ip=5.6.7.8 dst_mac=e8:98:6d:ce:1f:11 dst_port=21 event_description=Successful authentication with a Default/Weak password of length: 3, was detected on 5.6.7.8 (Firewall). 1.2.3.4 (Last known IP) (Chemistry Analyzer) had logged in with username: ftp. event_id=51455159 event_timestamp=2022-02-06T14:24:09.084580+00:00 event_type=Weak/Default Password msg_category=comm_event password_length=3 protocol=FTP server_port=None src_ip=1.2.3.4 src_mac=e8:98:6d:ce:1f:12 src_port=53866 username=ftp", "event": { - "kind": "alert", "category": [ "authentication" ], + "code": "Weak/Default Password", + "kind": "alert", + "reason": "Successful authentication with a Default/Weak password of length: 3, was detected on 5.6.7.8 (Firewall). 1.2.3.4 (Last known IP) (Chemistry Analyzer) had logged in with username: ftp.", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "reason": "Successful authentication with a Default/Weak password of length: 3, was detected on 5.6.7.8 (Firewall). 
1.2.3.4 (Last known IP) (Chemistry Analyzer) had logged in with username: ftp.", - "code": "Weak/Default Password" + ] }, "@timestamp": "2022-02-06T14:24:09.084580Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device Security Platform", - "version": "1.0" - }, - "source": { - "ip": "1.2.3.4", - "mac": "e8:98:6d:ce:1f:12", - "port": 53866, - "address": "1.2.3.4" - }, - "user": { - "name": "ftp" + "claroty": { + "xdome": { + "device": { + "category": "IT", + "site_name": "Main", + "subcategory": "Network", + "uid": "e98cadb0-1838-4cc0-98f0-79d2a4678684" + }, + "event_id": "51455159" + } }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", "mac": "e8:98:6d:ce:1f:11", - "port": 21, - "address": "5.6.7.8" + "port": 21 }, - "network": { - "protocol": "FTP" + "device": { + "id": "NRLDV001", + "manufacturer": "Fortinet", + "model": { + "name": "FortiGate" + } }, "host": { - "mac": [ - "e0:23:ff:02:6a:89" - ], "ip": [ "5.6.7.8" ], - "type": "Firewall", + "mac": [ + "e0:23:ff:02:6a:89" + ], "os": { "full": "FortiOS" - } + }, + "type": "Firewall" }, - "device": { - "id": "NRLDV001", - "manufacturer": "Fortinet", - "model": { - "name": "FortiGate" - } + "network": { + "protocol": "FTP" }, - "claroty": { - "xdome": { - "event_id": "51455159", - "device": { - "uid": "e98cadb0-1838-4cc0-98f0-79d2a4678684", - "category": "IT", - "subcategory": "Network", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "ip": [ @@ -280,6 +271,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "ftp" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "e8:98:6d:ce:1f:12", + "port": 53866 + }, + "user": { + "name": "ftp" } } 
@@ -293,95 +293,95 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Expired TLS Certificate was sent over TLS 1.2 from 1.2.3.4 (Server) to 5.6.7.8 (PC)|5|certificate_C=US certificate_CN=PRDVRZ1.prod.example.com certificate_L=None certificate_O=None certificate_OU=None certificate_ST=None certificate_expiry_date=20160526192415Z certificate_start_date=20150527192415Z certificate_thumbprint=AF:40:01:58:A8:3F:B2:AB:3C:7A:36:67:FD:65:FA:50:6C:67:A6:59 certificate_type=Server device_asset_id=BWMGLTVSTE device_assignees=[] device_category=IT device_connection_type_list=['Ethernet'] device_ip_list=['1.2.3.4'] device_labels=[] device_mac_list=['00:50:56:97:02:d4'] device_manufacturer=None device_model=None device_network_list=['Corporate'] device_note=None device_os=Windows Server 2012 R2 NT 6.3 device_site_name=Main device_subcategory=Servers device_type=Server device_uid=71b2bde6-370d-4a00-840d-bd828de48364 domain=nrldv001.prod.example.com dst_ip=5.6.7.8 dst_mac=00:50:56:94:b2:86 dst_port=59889 event_description=Expired TLS Certificate was sent over TLS 1.2 from 1.2.3.4 (Server) to 5.6.7.8 (PC) event_id=1111111 event_timestamp=2022-02-06T14:24:10.146720+00:00 event_type=Expired TLS Certificate geo_location=None msg_category=comm_event protocol=TLS 1.2 sender_id=NRLDV001 server_port=None src_ip=1.2.3.4 src_mac=e8:98:6d:ce:1f:10 src_port=8083", "event": { - "kind": "alert", "category": [ "network" ], + "code": "Expired TLS Certificate", + "kind": "alert", + "reason": "Expired TLS Certificate was sent over TLS 1.2 from 1.2.3.4 (Server) to 5.6.7.8 (PC)", + "severity": 5, "type": [ "connection" - ], - "severity": 5, - "reason": "Expired TLS Certificate was sent over TLS 1.2 from 1.2.3.4 (Server) to 5.6.7.8 (PC)", - "code": "Expired TLS Certificate" + ] }, "@timestamp": "2022-02-06T14:24:10.146720Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device 
Security Platform", - "version": "1.0" - }, - "source": { - "ip": "1.2.3.4", - "mac": "e8:98:6d:ce:1f:10", - "port": 8083, - "address": "1.2.3.4" + "claroty": { + "xdome": { + "device": { + "category": "IT", + "site_name": "Main", + "subcategory": "Servers", + "uid": "71b2bde6-370d-4a00-840d-bd828de48364" + }, + "event_id": "1111111", + "sender_id": "NRLDV001" + } }, "destination": { + "address": "nrldv001.prod.example.com", + "domain": "nrldv001.prod.example.com", "ip": "5.6.7.8", "mac": "00:50:56:94:b2:86", "port": 59889, - "domain": "nrldv001.prod.example.com", - "address": "nrldv001.prod.example.com", - "top_level_domain": "com", + "registered_domain": "example.com", "subdomain": "nrldv001.prod", - "registered_domain": "example.com" + "top_level_domain": "com" }, - "network": { - "protocol": "TLS 1.2" + "device": { + "id": "BWMGLTVSTE" }, "host": { - "mac": [ - "00:50:56:97:02:d4" - ], "ip": [ "1.2.3.4" ], - "type": "Server", + "mac": [ + "00:50:56:97:02:d4" + ], "os": { "full": "Windows Server 2012 R2 NT 6.3" - } + }, + "type": "Server" }, - "device": { - "id": "BWMGLTVSTE" - }, - "tls": { - "server": { - "x509": { - "subject": { - "common_name": "PRDVRZ1.prod.example.com", - "country": "US" - }, - "not_after": "2016-05-26T19:24:15Z", - "not_before": "2015-05-27T19:24:15Z" - }, - "hash": { - "sha1": "AF:40:01:58:A8:3F:B2:AB:3C:7A:36:67:FD:65:FA:50:6C:67:A6:59" - } - } + "network": { + "protocol": "TLS 1.2" }, - "claroty": { - "xdome": { - "sender_id": "NRLDV001", - "event_id": "1111111", - "device": { - "uid": "71b2bde6-370d-4a00-840d-bd828de48364", - "category": "IT", - "subcategory": "Servers", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "hash": [ "AF:40:01:58:A8:3F:B2:AB:3C:7A:36:67:FD:65:FA:50:6C:67:A6:59" ], + "hosts": [ + "nrldv001.prod.example.com" + ], "ip": [ "1.2.3.4", "5.6.7.8" - ], - "hosts": [ - "nrldv001.prod.example.com" ] + }, + 
"source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "e8:98:6d:ce:1f:10", + "port": 8083 + }, + "tls": { + "server": { + "hash": { + "sha1": "AF:40:01:58:A8:3F:B2:AB:3C:7A:36:67:FD:65:FA:50:6C:67:A6:59" + }, + "x509": { + "not_after": "2016-05-26T19:24:15Z", + "not_before": "2015-05-27T19:24:15Z", + "subject": { + "common_name": "PRDVRZ1.prod.example.com", + "country": "US" + } + } + } } } 
@@ -395,73 +395,73 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Communication over POCT1-A (PHI-containing protocol) was detected between 1.2.3.4 (Hematology Analyzer Gateway) and 5.6.7.8 (Glucose Meter)|5|device_asset_id=DZMKWPEVVL device_assignees=[] device_category=Industrial device_connection_type_list=['Ethernet'] device_ip_list=['1.2.3.4'] device_labels=[] device_mac_list=['00:50:56:94:b3:b8'] device_manufacturer=Roche device_model=CoaguChek Gateway device_network_list=['Corporate'] device_note=None device_os=Windows Server 2016 1607 device_site_name=Main device_subcategory=Clinical Lab device_type=Hematology Analyzer device_uid=f257cf93-017d-42b7-9292-75dc8a8e248f domain=None dst_ip=5.6.7.8 dst_mac=b8:78:79:13:5e:00 dst_port=36812 event_description=Communication over POCT1-A (PHI-containing protocol) was detected between 1.2.3.4 (Hematology Analyzer Gateway) and 5.6.7.8 (Glucose Meter) event_id=11111111 event_timestamp=2022-02-06T14:24:49.785636+00:00 event_type=Unencrypted PHI Protocol Communication geo_location=None msg_category=comm_event protocol=POCT1-A server_port=None src_ip=1.2.3.4 src_mac=00:50:56:94:b3:b8 src_port=3001", "event": { - "kind": "alert", "category": [ "network" ], + "code": "Unencrypted PHI Protocol Communication", + "kind": "alert", + "reason": "Communication over POCT1-A (PHI-containing protocol) was detected between 1.2.3.4 (Hematology Analyzer Gateway) and 5.6.7.8 (Glucose Meter)", + "severity": 5, "type": [ "connection" - ], - "severity": 5, - "reason": "Communication over POCT1-A (PHI-containing protocol) was detected between 1.2.3.4 (Hematology Analyzer Gateway) and 5.6.7.8 (Glucose Meter)", - "code": "Unencrypted PHI Protocol Communication" + ] }, "@timestamp": "2022-02-06T14:24:49.785636Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device Security Platform", - "version": "1.0" - }, - "source": { - 
"ip": "1.2.3.4", - "mac": "00:50:56:94:b3:b8", - "port": 3001, - "address": "1.2.3.4" + "claroty": { + "xdome": { + "device": { + "category": "Industrial", + "site_name": "Main", + "subcategory": "Clinical Lab", + "uid": "f257cf93-017d-42b7-9292-75dc8a8e248f" + }, + "event_id": "11111111" + } }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", "mac": "b8:78:79:13:5e:00", - "port": 36812, - "address": "5.6.7.8" + "port": 36812 }, - "network": { - "protocol": "POCT1-A" + "device": { + "id": "DZMKWPEVVL", + "manufacturer": "Roche", + "model": { + "name": "CoaguChek Gateway" + } }, "host": { - "mac": [ - "00:50:56:94:b3:b8" - ], "ip": [ "1.2.3.4" ], - "type": "Hematology Analyzer", + "mac": [ + "00:50:56:94:b3:b8" + ], "os": { "full": "Windows Server 2016 1607" - } + }, + "type": "Hematology Analyzer" }, - "device": { - "id": "DZMKWPEVVL", - "manufacturer": "Roche", - "model": { - "name": "CoaguChek Gateway" - } + "network": { + "protocol": "POCT1-A" }, - "claroty": { - "xdome": { - "event_id": "11111111", - "device": { - "uid": "f257cf93-017d-42b7-9292-75dc8a8e248f", - "category": "Industrial", - "subcategory": "Clinical Lab", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "00:50:56:94:b3:b8", + "port": 3001 } } 
@@ -475,74 +475,74 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Claroty|Industrial Device Security Platform|1.0|11111111|Communication over SMBv1 was detected between 1.2.3.4 (PC) and 172.23.44.46|5|client_id=ZOLDKI0234 device_asset_id=NRLDV001 device_assignees=[] device_category=IT device_connection_type_list=['Ethernet'] device_ip_list=['1.2.3.4'] device_labels=[] device_mac_list=['fc:3f:db:0d:87:89'] device_manufacturer=HP device_model=EliteDesk 800 G2 DM 35W device_network_list=['Corporate'] device_note=None device_os=Windows 10 1607 device_site_name=Main device_subcategory=Computers device_type=PC device_uid=6162cd8a-8dc8-40b2-8a4a-e7a922862505 dst_ip=172.23.44.46 dst_mac=c8:d3:ff:9b:4f:9c dst_port=60383 event_description=Communication over SMBv1 was detected between 1.2.3.4 (PC) and 172.23.44.46 event_id=11111111 event_timestamp=2022-02-06T14:21:52.873069+00:00 event_type=SMBv1 Communication msg_category=comm_event protocol=SMBv1 server_port=139 src_ip=1.2.3.4 src_mac=fc:3f:db:0d:87:89 src_port=139", "event": { - "kind": "alert", "category": [ "network" ], + "code": "SMBv1 Communication", + "kind": "alert", + "reason": "Communication over SMBv1 was detected between 1.2.3.4 (PC) and 172.23.44.46", + "severity": 5, "type": [ "connection" - ], - "severity": 5, - "reason": "Communication over SMBv1 was detected between 1.2.3.4 (PC) and 172.23.44.46", - "code": "SMBv1 Communication" + ] }, "@timestamp": "2022-02-06T14:21:52.873069Z", - "observer": { - "vendor": "Claroty", - "product": "Industrial Device Security Platform", - "version": "1.0" - }, - "source": { - "ip": "1.2.3.4", - "mac": "fc:3f:db:0d:87:89", - "port": 139, - "address": "1.2.3.4" + "claroty": { + "xdome": { + "client_id": "ZOLDKI0234", + "device": { + "category": "IT", + "site_name": "Main", + "subcategory": "Computers", + "uid": "6162cd8a-8dc8-40b2-8a4a-e7a922862505" + }, + "event_id": "11111111" + } }, "destination": { + "address": 
"172.23.44.46", "ip": "172.23.44.46", "mac": "c8:d3:ff:9b:4f:9c", - "port": 60383, - "address": "172.23.44.46" + "port": 60383 }, - "network": { - "protocol": "SMBv1" + "device": { + "id": "NRLDV001", + "manufacturer": "HP", + "model": { + "name": "EliteDesk 800 G2 DM 35W" + } }, "host": { - "mac": [ - "fc:3f:db:0d:87:89" - ], "ip": [ "1.2.3.4" ], - "type": "PC", + "mac": [ + "fc:3f:db:0d:87:89" + ], "os": { "full": "Windows 10 1607" - } + }, + "type": "PC" }, - "device": { - "id": "NRLDV001", - "manufacturer": "HP", - "model": { - "name": "EliteDesk 800 G2 DM 35W" - } + "network": { + "protocol": "SMBv1" }, - "claroty": { - "xdome": { - "client_id": "ZOLDKI0234", - "event_id": "11111111", - "device": { - "uid": "6162cd8a-8dc8-40b2-8a4a-e7a922862505", - "category": "IT", - "subcategory": "Computers", - "site_name": "Main" - } - } + "observer": { + "product": "Industrial Device Security Platform", + "vendor": "Claroty", + "version": "1.0" }, "related": { "ip": [ "1.2.3.4", "172.23.44.46" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "fc:3f:db:0d:87:89", + "port": 139 } } diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md index 576989b1c2..8478250dbf 100644 --- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md +++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md 
@@ -35,45 +35,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\"malopGuid\": \"11.-6654920844431693523\", \"timestamp\": 1668945737625},\n \"@class\": \".FileSuspectDetailsModel\",\n \"firstSeen\": 1657923190000,\n \"lastSeen\": 1667946935000,\n \"counter\": 2,\n \"wasEverDetectedInScan\": false,\n \"wasEverDetectedByAccess\": true,\n \"detectionDecisionStatus\": \"DDS_PREVENTED\",\n \"guid\": \"11.7498520112250262440\",\n \"ownerMachineName\": \"desktop-aaaaaa\",\n \"ownerMachineGuid\": \"aaaaaaaaaaaaaaaa\",\n \"sha1String\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"behaviourIdString\": null,\n \"correctedPath\": \"c:\\\\System\\\\kprocesshacker.sys\",\n \"modifiedTime\": null,\n \"elementDisplayName\": \"kprocesshacker.sys\"\n}\n", "event": { - "kind": "event", "category": [ "file" ], + "code": "file_suspect", + "kind": "event", "type": [ "info" - ], - "code": "file_suspect" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { "malop": { - "id": "11.-6654920844431693523", - "host": { - "id": "aaaaaaaaaaaaaaaa" - }, "file": { - "id": "11.7498520112250262440", "decision": { "status_code": "DDS_PREVENTED" - } - } + }, + "id": "11.7498520112250262440" + }, + "host": { + "id": "aaaaaaaaaaaaaaaa" + }, + "id": "11.-6654920844431693523" } }, "file": { - "path": "c:\\System\\kprocesshacker.sys", + "directory": "c:\\System", "hash": { "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" }, "name": "kprocesshacker.sys", - "directory": "c:\\System" + "path": "c:\\System\\kprocesshacker.sys" }, "host": { "name": "desktop-aaaaaa" }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" + }, "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" 
@@ -91,36 +91,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\"malopGuid\": \"11.-6654920844431693523\", \"timestamp\": 1668945737625},\n \"@class\": \".MachineDetailsModel\",\n \"guid\": \"-576002811.1198775089551518743\",\n \"displayName\": \"desktop-aaaaaa\",\n \"osType\": \"WINDOWS\",\n \"connected\": false,\n \"isolated\": false,\n \"lastConnected\": 1668439428578,\n \"adOU\": null,\n \"adOrganization\": null,\n \"adDisplayName\": \"DESKTOP-AAAAAA\",\n \"adDNSHostName\": \"desktop-aaaaaa.example.org\",\n \"adDepartment\": null,\n \"adCompany\": null,\n \"adLocation\": null,\n \"adMachineRole\": null,\n \"pylumId\": \"MARVELCLIENT_INTEGRATION_DESKTOP-AAAAAA_000000000000\",\n \"empty\": true\n}\n", "event": { - "kind": "event", "category": [ "host" ], + "code": "machine", + "kind": "event", "type": [ "info" - ], - "code": "machine" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { "malop": { - "id": "11.-6654920844431693523", "host": { "id": "-576002811.1198775089551518743", - "is_online": false, - "is_isolated": false - } + "is_isolated": false, + "is_online": false + }, + "id": "11.-6654920844431693523" } }, "host": { - "name": "desktop-aaaaaa", "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", "os": { "type": "windows" } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" } } 
@@ -134,28 +134,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\"malopGuid\": \"11.-6654920844431693523\", \"timestamp\": 1668945737625},\n \"@class\": \".MachineInboxModel\",\n \"guid\": \"11.7498520112250262440\",\n \"displayName\": \"desktop-aaaaaa\",\n \"osType\": \"WINDOWS\",\n \"connected\": false,\n \"isolated\": false,\n \"lastConnected\": 1668439428578,\n \"empty\": true\n}\n", "event": { - "kind": "event", "category": [ "host" ], + "code": "machine", + "kind": "event", "type": [ "info" - ], - "code": "machine" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { "malop": { - "id": "11.-6654920844431693523", "host": { "id": "11.7498520112250262440", - "is_online": false, - "is_isolated": false - } + "is_isolated": false, + "is_online": false + }, + "id": "11.-6654920844431693523" } }, "host": { @@ -163,6 +159,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "os": { "type": "windows" } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" } } 
@@ -176,43 +176,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"@class\": \".MalopInboxModel\",\n \"guid\": \"11.-6654920844431693523\",\n \"displayName\": \"cymulateagent.exe\",\n \"rootCauseElementType\": \"Process\",\n \"primaryRootCauseName\": \"cymulateagent.exe\",\n \"rootCauseElementNamesCount\": 1,\n \"detectionEngines\": [\n \"EDR\"\n ],\n \"detectionTypes\": [\n \"Custom Malware\"\n ],\n \"malopDetectionType\": \"CUSTOM_RULE\",\n \"creationTime\": 1668333388300,\n \"lastUpdateTime\": 1668945737625,\n \"iconBase64\": \"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\",\n \"priority\": \"HIGH\",\n \"group\": \"\",\n \"rootCauseElementHashes\": \"\",\n \"status\": \"Active\",\n \"severity\": \"High\",\n \"machines\": [\n {\n \"@class\": \".MachineInboxModel\",\n \"guid\": \"-576002811.1198775089551518743\",\n \"displayName\": \"win-cybereason\",\n \"osType\": \"WINDOWS\",\n \"connected\": true,\n \"isolated\": false,\n \"lastConnected\": 1669369715023,\n \"empty\": true\n }\n ],\n \"users\": [\n {\n \"guid\": \"0.2548072792133848559\",\n \"displayName\": \"win-cybereason\\\\administrator\",\n \"admin\": true,\n \"localSystem\": false,\n \"domainUser\": false\n }\n ],\n \"containers\": [],\n \"labels\": [],\n \"decisionStatuses\": [],\n \"malopCloseTime\": null,\n \"closerName\": null,\n \"malopType\": \"CUSTOM_RULE\",\n \"escalated\": false,\n \"malopPriority\": \"HIGH\",\n \"edr\": true,\n \"malopStatus\": \"Active\",\n \"malopSeverity\": \"High\",\n \"closed\": false,\n \"empty\": true\n}\n", "event": { - "kind": "alert", "category": [ "malware" ], + "code": "malop", + "kind": "alert", "type": [ "info" - ], - "code": "malop" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", - "process": { - "name": "cymulateagent.exe" - }, "cybereason": { "malop": { - "id": "11.-6654920844431693523", - "status": "Active", - "priority": 
"HIGH", - "severity": "High", + "created_at": "2022-11-13T09:56:28.300000Z", "detection": { - "type": "CUSTOM_RULE", "engines": [ "EDR" - ] + ], + "type": "CUSTOM_RULE" }, + "id": "11.-6654920844431693523", + "is_edr": "true", + "modified_at": "2022-11-20T12:02:17.625000Z", + "priority": "HIGH", "root_cause": { - "type": "Process", - "name": "cymulateagent.exe" + "name": "cymulateagent.exe", + "type": "Process" }, - "is_edr": "true", - "created_at": "2022-11-13T09:56:28.300000Z", - "modified_at": "2022-11-20T12:02:17.625000Z" + "severity": "High", + "status": "Active" } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" + }, + "process": { + "name": "cymulateagent.exe" } } 
@@ -226,47 +226,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"@class\": \".DetectionMalopDetailsModel\",\n \"guid\": \"11.7498520112250262440\",\n \"displayName\": \"kprocesshacker.sys\",\n \"rootCauseElementType\": \"File\",\n \"primaryRootCauseName\": \"kprocesshacker.sys\",\n \"rootCauseElementNamesCount\": 1,\n \"detectionEngines\": [\n \"AntiVirus\"\n ],\n \"detectionTypes\": [\n \"Known malware detected by Cybereason Anti-Malware\"\n ],\n \"malopDetectionType\": \"KNOWN_MALWARE\",\n \"creationTime\": 1668357472339,\n \"lastUpdateTime\": 1668392385000,\n \"iconBase64\": \"\",\n \"priority\": \"HIGH\",\n \"group\": \"\",\n \"rootCauseElementHashes\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"status\": \"Active\",\n \"severity\": \"High\",\n \"machines\": [\n {\n \"@class\": \".MachineDetailsModel\",\n \"guid\": \"-576002811.1198775089551518743\",\n \"displayName\": \"desktop-aaaaaa\",\n \"osType\": \"WINDOWS\",\n \"connected\": false,\n \"isolated\": false,\n \"lastConnected\": 1668439428578,\n \"adOU\": null,\n \"adOrganization\": null,\n \"adDisplayName\": \"DESKTOP-AAAAAA\",\n \"adDNSHostName\": \"desktop-aaaaaa.example.org\",\n \"adDepartment\": null,\n \"adCompany\": null,\n \"adLocation\": null,\n \"adMachineRole\": null,\n \"pylumId\": \"MARVELCLIENT_INTEGRATION_DESKTOP-AAAAAA_000000000000\",\n \"empty\": true\n }\n ],\n \"users\": [\n {\n \"guid\": \"0.2548072792133848559\",\n \"displayName\": \"desktop-aaaaa\\\\system\",\n \"admin\": false,\n \"localSystem\": false,\n \"domainUser\": false\n }\n ],\n \"containers\": [],\n \"labels\": [],\n \"decisionStatuses\": [\n \"Detected\"\n ],\n \"malopCloseTime\": null,\n \"closerName\": null,\n \"signer\": null,\n \"fileClassificationType\": \"av_detected\",\n \"filePaths\": [\n \"c:\\\\System\\\\kprocesshacker.sys\"\n ],\n \"commandLines\": [],\n \"decodedCommandLines\": [],\n \"detectionValues\": [\n \"Generic.ASP.WebShell.AH.B7A2B560\"\n ],\n 
\"detectionValueTypes\": [\n \"DVT_FILE\"\n ],\n \"fileHash\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"scriptDetectionTypes\": [],\n \"exploitDetectionTypes\": [],\n \"descriptions\": [\n \"Known malware with file name kprocesshacker.sys was detected\"\n ],\n \"hasAnyScanEvent\": false,\n \"activeProcessesCount\": 0,\n \"totalProcessesCount\": 0,\n \"fileSuspects\": [\n {\n \"@class\": \".FileSuspectDetailsModel\",\n \"firstSeen\": 1657923190000,\n \"lastSeen\": 1667946935000,\n \"counter\": 2,\n \"wasEverDetectedInScan\": false,\n \"wasEverDetectedByAccess\": true,\n \"detectionDecisionStatus\": \"DDS_PREVENTED\",\n \"guid\": \"11.7498520112250262440\",\n \"ownerMachineName\": \"desktop-aaaaaa\",\n \"ownerMachineGuid\": \"aaaaaaaaaaaaaaaa\",\n \"sha1String\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"behaviourIdString\": null,\n \"correctedPath\": \"c:\\\\System\\\\kprocesshacker.sys\",\n \"modifiedTime\": null,\n \"elementDisplayName\": \"kprocesshacker.sys\"\n }\n ],\n \"processSuspects\": null,\n \"processes\": null,\n \"files\": [\n {\n \"@class\": \".FileDetailsModel\",\n \"lastDetectionDecisionStatus\": \"DDS_UNKNOWN\",\n \"guid\": \"11.7498520112250262440\",\n \"ownerMachineName\": \"desktop-aaaaaa\",\n \"ownerMachineGuid\": \"aaaaaaaaaaaaaaaa\",\n \"sha1String\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"correctedPath\": \"c:\\\\System\\\\kprocesshacker.sys\",\n \"modifiedTime\": null,\n \"elementDisplayName\": \"kprocesshacker.sys\",\n \"behaviourIdString\": null,\n \"quarantined\": false\n }\n ],\n \"connections\": null,\n \"timelineEvents\": [\n {\n \"@class\": \".MalopStartTimelineEventModel\",\n \"timestamp\": 1657923190000,\n \"data\": {\n \"detectionTypes\": [\n \"Known malware detected by Cybereason Anti-Malware\"\n ],\n \"detectionEngines\": [\n \"AntiVirus\"\n ]\n },\n \"type\": \"malopStart\"\n },\n {\n \"@class\": \".DetectionEventFirstSeenTimelineEventModel\",\n \"timestamp\": 1657923190000,\n \"data\": {\n 
\"machineName\": \"sthq-mimikatz\",\n \"osType\": \"WINDOWS\",\n \"connected\": true,\n \"detectionsCount\": 2,\n \"prevented\": false\n },\n \"type\": \"detectionEventFirstSeen\"\n },\n {\n \"@class\": \".SuspicionTimelineEventModel\",\n \"timestamp\": 1657923198032,\n \"data\": {\n \"suspicion\": \"Malicious by Anti-Malware\",\n \"activityType\": \"MALICIOUS_INFECTION\"\n },\n \"type\": \"suspicion\"\n }\n ],\n \"payloads\": [],\n \"escalated\": false,\n \"edr\": false,\n \"malopStatus\": \"Closed\",\n \"malopSeverity\": \"Low\",\n \"malopType\": \"KNOWN_MALWARE\",\n \"malopPriority\": \"HIGH\",\n \"closed\": false,\n \"empty\": true\n}\n", "event": { - "kind": "alert", "category": [ "malware" ], + "code": "malop", + "kind": "alert", "type": [ "info" - ], - "code": "malop" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-14T02:19:45Z", - "file": { - "name": "kprocesshacker.sys", - "hash": { - "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" - } - }, "cybereason": { "malop": { - "id": "11.7498520112250262440", - "status": "Closed", - "priority": "HIGH", - "severity": "Low", + "created_at": "2022-11-13T16:37:52.339000Z", "detection": { - "type": "KNOWN_MALWARE", "engines": [ "AntiVirus" - ] + ], + "type": "KNOWN_MALWARE" }, + "id": "11.7498520112250262440", + "is_edr": "false", + "modified_at": "2022-11-14T02:19:45.000000Z", + "priority": "HIGH", "root_cause": { - "type": "File", - "name": "kprocesshacker.sys" + "name": "kprocesshacker.sys", + "type": "File" }, - "is_edr": "false", - "created_at": "2022-11-13T16:37:52.339000Z", - "modified_at": "2022-11-14T02:19:45.000000Z" + "severity": "Low", + "status": "Closed" } }, + "file": { + "hash": { + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + }, + "name": "kprocesshacker.sys" + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" + }, "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" 
@@ -284,34 +284,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\n \"malopGuid\": \"11.7498520112250262440\",\n \"timestamp\": \"1668945737625\"},\n \"@class\": \".SuspicionModel\",\n \"guid\": 1495442710604,\n \"name\": \"shellOfNonShellRunnerSuspicion\",\n \"firstTimestamp\": 1447276254985,\n \"evidences\": [\n \"detectedInjectedEvidence\",\n \"highUnresolvedToResolvedRateEvidence\",\n \"hostingInjectedThreadEvidence\",\n \"manyUnresolvedRecordNotExistsEvidence\"\n ]\n}\n", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "code": "suspicion", + "kind": "event", "type": [ "info" - ], - "code": "suspicion" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { "malop": { "id": "11.7498520112250262440", "suspicion": { - "id": "1495442710604", - "name": "shellOfNonShellRunnerSuspicion", "evidences": [ "detectedInjectedEvidence", "highUnresolvedToResolvedRateEvidence", "hostingInjectedThreadEvidence", "manyUnresolvedRecordNotExistsEvidence" - ] + ], + "id": "1495442710604", + "name": "shellOfNonShellRunnerSuspicion" } } + }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" } } 
@@ -325,35 +325,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\n \"malopGuid\": \"11.7498520112250262440\",\n \"timestamp\": \"1668945737625\"},\n \"@class\": \".SuspicionModel\",\n \"guid\": 1495442710604,\n \"name\": \"T1060 - Registry Run Keys / Startup Folder : Autorun JavaScript Value\",\n \"firstTimestamp\": 1447276254985,\n \"evidences\": [\n \"detectedInjectedEvidence\",\n \"highUnresolvedToResolvedRateEvidence\",\n \"hostingInjectedThreadEvidence\",\n \"manyUnresolvedRecordNotExistsEvidence\"\n ]\n}\n", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "code": "suspicion", + "kind": "event", "type": [ "info" - ], - "code": "suspicion" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { "malop": { "id": "11.7498520112250262440", "suspicion": { - "id": "1495442710604", - "name": "T1060 - Registry Run Keys / Startup Folder : Autorun JavaScript Value", "evidences": [ "detectedInjectedEvidence", "highUnresolvedToResolvedRateEvidence", "hostingInjectedThreadEvidence", "manyUnresolvedRecordNotExistsEvidence" - ] + ], + "id": "1495442710604", + "name": "T1060 - Registry Run Keys / Startup Folder : Autorun JavaScript Value" } } }, + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" + }, "threat": { "technique": { "id": "T1060", 
@@ -372,18 +372,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"metadata\": {\"malopGuid\": \"11.-6654920844431693523\", \"timestamp\": 1668945737625},\n \"@class\": \".UserInboxModel\",\n \"guid\": \"0.2548072792133848559\",\n \"displayName\": \"desktop-aaaaa\\\\system\",\n \"admin\": false,\n \"localSystem\": false,\n \"domainUser\": false\n}\n", "event": { - "kind": "event", "category": [ "session" ], + "code": "user", + "kind": "event", "type": [ "info" - ], - "code": "user" - }, - "observer": { - "vendor": "Cybereason", - "product": "Cybereason" + ] }, "@timestamp": "2022-11-20T12:02:17.625000Z", "cybereason": { @@ -395,14 +391,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, - "user": { - "name": "system", - "domain": "desktop-aaaaa" + "observer": { + "product": "Cybereason", + "vendor": "Cybereason" }, "related": { "user": [ "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md index 7cd6f71ebe..6ce4b2a51a 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md 
@@ -35,14 +35,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1564655684.277 3387 192.168.0.1 TCP_TUNNEL/200 19131 CONNECT example.org:443 - HIER_DIRECT/example.org -", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 3387 + "duration": 3387, + "kind": "event" }, "@timestamp": "2019-08-01T10:34:44.277000Z", + "destination": { + "address": "example.org", + "domain": "example.org", + "port": 443, + "registered_domain": "example.org", + "top_level_domain": "org" + }, "http": { "request": { "method": "CONNECT" @@ -56,24 +63,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" - }, - "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" - }, - "destination": { - "domain": "example.org", - "port": 443, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "vendor": "Squid" }, "related": { "hosts": [ @@ -82,6 +75,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "192.168.0.1" ] + }, + "source": { + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "squid": { + "hierarchy_code": "HIER_DIRECT" } } 
@@ -95,14 +95,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1564576741.982 5756 192.168.0.1 TCP_TUNNEL/200 6295 CONNECT api42-api.example.com:443 - HIER_DIRECT/api42-api.example.com -", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 5756 + "duration": 5756, + "kind": "event" }, "@timestamp": "2019-07-31T12:39:01.982000Z", + "destination": { + "address": "api42-api.example.com", + "domain": "api42-api.example.com", + "port": 443, + "registered_domain": "example.com", + "subdomain": "api42-api", + "top_level_domain": "com" + }, "http": { "request": { "method": "CONNECT" @@ -116,25 +124,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" - }, - "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" - }, - "destination": { - "domain": "api42-api.example.com", - "port": 443, - "address": "api42-api.example.com", - "top_level_domain": "com", - "subdomain": "api42-api", - "registered_domain": "example.com" + "vendor": "Squid" }, "related": { "hosts": [ @@ -143,6 +136,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "192.168.0.1" ] + }, + "source": { + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "squid": { + "hierarchy_code": "HIER_DIRECT" } } 
@@ -156,14 +156,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1587042596.494 1717 192.168.224.39 TCP_TUNNEL/200 3512 CONNECT 193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net:443 - HIER_DIRECT/193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net -", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 1717 + "duration": 1717, + "kind": "event" }, "@timestamp": "2020-04-16T13:09:56.494000Z", + "destination": { + "address": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net", + "domain": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net", + "port": 443, + "registered_domain": "akamaihd.net", + "subdomain": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s", + "top_level_domain": "net" + }, "http": { "request": { "method": "CONNECT" @@ -177,25 +185,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" - }, - "source": { - "ip": "192.168.224.39", - "address": "192.168.224.39" - }, - "destination": { - "domain": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net", - "port": 443, - "address": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s.akamaihd.net", - "top_level_domain": "net", - "subdomain": "193-164-229-102_s-2-18-244-11_ts-1587042594-clienttons-s", - "registered_domain": "akamaihd.net" + "vendor": "Squid" }, "related": { "hosts": [ @@ -204,6 +197,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "192.168.224.39" ] + }, + "source": { + "address": "192.168.224.39", + "ip": "192.168.224.39" + }, + "squid": { + "hierarchy_code": "HIER_DIRECT" } } 
@@ -217,12 +217,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1642667037.129 0 10.0.4.4 TCP_DENIED/403 3868 CONNECT 45.138.98.34:80 - HIER_NONE/- text/html \"-\" \"-\"", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], "duration": 0, + "kind": "event", "type": [ "connection", "denied", @@ -230,43 +230,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-01-20T08:23:57.129000Z", + "destination": { + "address": "45.138.98.34", + "ip": "45.138.98.34", + "port": 80 + }, "http": { "request": { "method": "CONNECT" }, "response": { "bytes": 3868, - "status_code": 403, - "mime_type": "text/html" + "mime_type": "text/html", + "status_code": 403 } }, "network": { "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_NONE", - "cache_status": "denied" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" - }, - "source": { - "ip": "10.0.4.4", - "address": "10.0.4.4" - }, - "destination": { - "ip": "45.138.98.34", - "port": 80, - "address": "45.138.98.34" + "vendor": "Squid" }, "related": { "ip": [ "10.0.4.4", "45.138.98.34" ] + }, + "source": { + "address": "10.0.4.4", + "ip": "10.0.4.4" + }, + "squid": { + "cache_status": "denied", + "hierarchy_code": "HIER_NONE" } } 
@@ -280,67 +280,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1565598801.353 24 10.16.12.86 TCP_MISS/200 394 GET http://dt.adsafeprotected.com/dt?anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c - HIER_DIRECT/dt.adsafeprotected.com image/gif", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 24 + "duration": 24, + "kind": "event" }, "@timestamp": "2019-08-12T08:33:21.353000Z", + "destination": { + "address": "dt.adsafeprotected.com", + "domain": "dt.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "dt", + "top_level_domain": "com" + }, "http": { "request": { "method": "GET" }, "response": { "bytes": 394, - "status_code": 200, - "mime_type": "image/gif" + "mime_type": "image/gif", + "status_code": 200 } }, "network": { "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT", - "cache_status": "miss" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" + "vendor": "Squid" + }, + "related": { + "hosts": [ + "dt.adsafeprotected.com" + ], + "ip": [ + "10.16.12.86" + ] }, "source": { - "ip": "10.16.12.86", - "address": "10.16.12.86" + "address": "10.16.12.86", + "ip": "10.16.12.86" + }, + 
"squid": { + "cache_status": "miss", + "hierarchy_code": "HIER_DIRECT" }, "url": { - "original": "http://dt.adsafeprotected.com/dt?anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c", - "full": "http://dt.adsafeprotected.com/dt?anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c", "domain": "dt.adsafeprotected.com", - "top_level_domain": "com", - "subdomain": "dt", - "registered_domain": "adsafeprotected.com", + "full": 
"http://dt.adsafeprotected.com/dt?anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c", + "original": "http://dt.adsafeprotected.com/dt?anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c", "path": "/dt", + "port": 80, "query": 
"anId=929475&asId=f0fc9c04-7168-68e3-32ca-6cc17dd2223a&tv={c:l4fyeI,pingTime:-1,time:7884,type:u,clog:[{piv:100,vs:i,r:,w:1,h:1,t:78},{piv:0,vs:o,r:l,t:5971}],ndt:6,es:0,sc:1,ha:1,gm:1,slTimes:{i:5971,o:1913,n:0,pp:0,pm:0},slEvents:[{sl:i,t:78,wc:0.0.1920.1040,ac:952.74.1.1,am:i,cc:952.74.1.1,piv:100,obst:0,th:0,reas:,bkn:{piv:[5898~100],as:[5898~1.1]}},{sl:o,t:5971,wc:0.0.1920.1040,ac:952.-516.1.1,am:i,cc:952.-516.1.1,piv:0,obst:0,th:0,reas:l,bkn:{piv:[1914~0],as:[1914~1.1]}}],slEventCount:2,em:true,fr:true,e:,tt:jload,dtt:254,metricIdList:[publ1,grpm1],fm:ryV6ZcU+11|12|13|14*.929475|141|15.929475|151|152|16,idMap:14.c4c75fac-ccbe-9ba7-61b1-d1276709f9ec.31_289523-36779676|14*,rend:0,renddet:WINDOW,rmeas:0,lt:1}&br=c", + "registered_domain": "adsafeprotected.com", "scheme": "http", - "port": 80 - }, - "destination": { - "domain": "dt.adsafeprotected.com", - "address": "dt.adsafeprotected.com", - "top_level_domain": "com", "subdomain": "dt", - "registered_domain": "adsafeprotected.com" - }, - "related": { - "hosts": [ - "dt.adsafeprotected.com" - ], - "ip": [ - "10.16.12.86" - ] + "top_level_domain": "com" } } 
@@ -354,18 +354,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1564670112.892 5007 192.168.95.17 TCP_HIT_ABORTED/000 0 GET http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA== - HIER_DIRECT/smex10-2-en.url.trendmicro.com -", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], "duration": 5007, + "kind": "event", "type": [ "connection", "error" ] }, "@timestamp": "2019-08-01T14:35:12.892000Z", + "destination": { + "address": "smex10-2-en.url.trendmicro.com", + "domain": "smex10-2-en.url.trendmicro.com", + "registered_domain": "trendmicro.com", + "subdomain": "smex10-2-en.url", + "top_level_domain": "com" + }, "http": { "request": { "method": "GET" 
@@ -379,36 +386,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT", - "cache_status": "hit" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" - }, - "source": { - "ip": "192.168.95.17", - "address": "192.168.95.17" - }, - "url": { - "original": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", - "full": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", - "domain": "smex10-2-en.url.trendmicro.com", - "top_level_domain": "com", - "subdomain": "smex10-2-en.url", - "registered_domain": "trendmicro.com", - "path": "/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", - "scheme": "http", - "port": 80 - }, - "destination": { - "domain": "smex10-2-en.url.trendmicro.com", - "address": "smex10-2-en.url.trendmicro.com", - "top_level_domain": "com", - "subdomain": "smex10-2-en.url", - "registered_domain": "trendmicro.com" + "vendor": "Squid" }, "related": { "hosts": [ 
@@ -417,6 +398,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "192.168.95.17" ] + }, + "source": { + "address": "192.168.95.17", + "ip": "192.168.95.17" + }, + "squid": { + "cache_status": "hit", + "hierarchy_code": "HIER_DIRECT" + }, + "url": { + "domain": "smex10-2-en.url.trendmicro.com", + "full": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", + "original": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", + "path": "/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", + "port": 80, + "registered_domain": "trendmicro.com", + "scheme": "http", + "subdomain": "smex10-2-en.url", + "top_level_domain": "com" } } @@ -430,12 +430,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1565600128.411 0 192.168.0.1 TCP_DENIED/407 3980 GET http://api.example.org/api/v2/check - HIER_NONE/- text/html", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], "duration": 0, + "kind": "event", "type": [ "connection", "denied", 
@@ -449,42 +449,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "response": { "bytes": 3980, - "status_code": 407, - "mime_type": "text/html" + "mime_type": "text/html", + "status_code": 407 } }, "network": { "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_NONE", - "cache_status": "denied" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" + "vendor": "Squid" + }, + "related": { + "ip": [ + "192.168.0.1" + ] }, "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "squid": { + "cache_status": "denied", + "hierarchy_code": "HIER_NONE" }, "url": { - "original": "http://api.example.org/api/v2/check", - "full": "http://api.example.org/api/v2/check", "domain": "api.example.org", - "top_level_domain": "org", - "subdomain": "api", - "registered_domain": "example.org", + "full": "http://api.example.org/api/v2/check", + "original": "http://api.example.org/api/v2/check", "path": "/api/v2/check", + "port": 80, + "registered_domain": "example.org", "scheme": "http", - "port": 80 - }, - "related": { - "ip": [ - "192.168.0.1" - ] + "subdomain": "api", + "top_level_domain": "org" } } 
@@ -498,61 +498,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1628084203.491 82 192.168.2.2 TCP_MISS/200 318399 GET http://download.windowsupdate.com/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab - HIER_DIRECT/13.107.4.50 application/vnd.ms-cab-compressed", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 82 + "duration": 82, + "kind": "event" }, "@timestamp": "2021-08-04T13:36:43.491000Z", + "destination": { + "address": "13.107.4.50", + "ip": "13.107.4.50" + }, "http": { "request": { "method": "GET" }, "response": { "bytes": 318399, - "status_code": 200, - "mime_type": "application/vnd.ms-cab-compressed" + "mime_type": "application/vnd.ms-cab-compressed", + "status_code": 200 } }, "network": { "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT", - "cache_status": "miss" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" + "vendor": "Squid" + }, + "related": { + "ip": [ + "13.107.4.50", + "192.168.2.2" + ] }, "source": { - "ip": "192.168.2.2", - "address": "192.168.2.2" + "address": "192.168.2.2", + "ip": "192.168.2.2" + }, + "squid": { + "cache_status": "miss", + "hierarchy_code": "HIER_DIRECT" }, "url": { - "original": "http://download.windowsupdate.com/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab", - "full": "http://download.windowsupdate.com/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab", "domain": "download.windowsupdate.com", - "top_level_domain": "com", - "subdomain": "download", - "registered_domain": "windowsupdate.com", + "full": "http://download.windowsupdate.com/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab", + "original": 
"http://download.windowsupdate.com/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab", "path": "/c/msdownload/update/others/2019/07/29477140_324519a81d0af914f765c56a1dc7141a5759ad4c.cab", + "port": 80, + "registered_domain": "windowsupdate.com", "scheme": "http", - "port": 80 - }, - "destination": { - "ip": "13.107.4.50", - "address": "13.107.4.50" - }, - "related": { - "ip": [ - "13.107.4.50", - "192.168.2.2" - ] + "subdomain": "download", + "top_level_domain": "com" } } @@ -566,12 +566,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1628150510.448 549 192.168.0.1 TCP_HIT/206 2055995 GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3 - HIER_NONE/- application/octet-stream", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], - "duration": 549 + "duration": 549, + "kind": "event" }, "@timestamp": "2021-08-05T08:01:50.448000Z", "http": { 
@@ -580,42 +580,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "response": { "bytes": 2055995, - "status_code": 206, - "mime_type": "application/octet-stream" + "mime_type": "application/octet-stream", + "status_code": 206 } }, "network": { "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_NONE", - "cache_status": "hit" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" + "vendor": "Squid" + }, + "related": { + "ip": [ + "192.168.0.1" + ] }, "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "squid": { + "cache_status": "hit", + "hierarchy_code": "HIER_NONE" }, "url": { - "original": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3", - "full": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3", "domain": "edgedl.me.gvt1.com", - "top_level_domain": "com", - "subdomain": "edgedl.me", - "registered_domain": "gvt1.com", + "full": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3", + "original": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3", "path": "/edgedl/release2/chrome_component/adbzvrjxj3ir3yvy5lknhgbxo6tq_92.267.200/gkmgaooipdjhmangpemjhigmamcehddo_92.267.200_win64_ac37t7snjqk4qthomil6kwgo54hq.crx3", + "port": 80, + "registered_domain": "gvt1.com", "scheme": "http", - "port": 80 - }, - "related": { - "ip": [ - "192.168.0.1" - ] + "subdomain": 
"edgedl.me", + "top_level_domain": "com" } } @@ -629,18 +629,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1564670112.892 5007 192.168.95.17 TCP_HIT_ABORTED/000 0 GET http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA== - HIER_DIRECT/smex10-2-en.url.trendmicro.com - \"http://www.example.org\" \"TMUFE\"", "event": { - "kind": "event", "category": [ - "web", - "network" + "network", + "web" ], "duration": 5007, + "kind": "event", "type": [ "connection", "error" ] }, "@timestamp": "2019-08-01T14:35:12.892000Z", + "destination": { + "address": "smex10-2-en.url.trendmicro.com", + "domain": "smex10-2-en.url.trendmicro.com", + "registered_domain": "trendmicro.com", + "subdomain": "smex10-2-en.url", + "top_level_domain": "com" + }, "http": { "request": { "method": "GET", 
@@ -655,54 +662,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "direction": "egress", "transport": "tcp" }, - "squid": { - "hierarchy_code": "HIER_DIRECT", - "cache_status": "hit" - }, "observer": { + "product": "Squid", "type": "proxy", - "vendor": "Squid", - "product": "Squid" + "vendor": "Squid" }, - "user_agent": { - "original": "TMUFE", - "device": { - "name": "Other" - }, - "name": "Other", - "os": { - "name": "Other" - } + "related": { + "hosts": [ + "smex10-2-en.url.trendmicro.com" + ], + "ip": [ + "192.168.95.17" + ] }, "source": { - "ip": "192.168.95.17", - "address": "192.168.95.17" + "address": "192.168.95.17", + "ip": "192.168.95.17" + }, + "squid": { + "cache_status": "hit", + "hierarchy_code": "HIER_DIRECT" }, "url": { - "original": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", - "full": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", "domain": "smex10-2-en.url.trendmicro.com", - "top_level_domain": "com", - "subdomain": "smex10-2-en.url", - "registered_domain": "trendmicro.com", + "full": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", + "original": "http://smex10-2-en.url.trendmicro.com/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", "path": "/T/152/oiCEKI6Xe7maaxpSHK-gvDyUEBfC6_avSkwxG5MiT4-LQlujnVUK3SbBFHZKimvaG-TwxeMEqOnp0BelYbpVeMfVAZU85B8kltUSjYiidio-IBs_8MdCCFayLkMpM2lboKcOX-RrnDx2oFrUco0cMA==", + "port": 80, + "registered_domain": "trendmicro.com", 
"scheme": "http", - "port": 80 - }, - "destination": { - "domain": "smex10-2-en.url.trendmicro.com", - "address": "smex10-2-en.url.trendmicro.com", - "top_level_domain": "com", "subdomain": "smex10-2-en.url", - "registered_domain": "trendmicro.com" + "top_level_domain": "com" }, - "related": { - "hosts": [ - "smex10-2-en.url.trendmicro.com" - ], - "ip": [ - "192.168.95.17" - ] + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "TMUFE", + "os": { + "name": "Other" + } } } diff --git a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md index b15affff81..86a8c67531 100644 --- a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md +++ b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md @@ -26,32 +26,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client @0x7f62b80115d0 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA + (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } 
@@ -64,36 +64,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA +TC (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "CD", + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD", - "CD" - ] + "type": "query" }, "network": { "transport": "tcp" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } @@ -106,33 +106,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#42811 (ipv6.google.com): query: ipv6.google.com IN A +EDC (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 42811, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [ + "CD", + "RD" + ], "question": { "class": "IN", - "type": "A", "name": "ipv6.google.com", - "top_level_domain": "com", + "registered_domain": "google.com", "subdomain": "ipv6", - "registered_domain": "google.com" + "top_level_domain": "com", + "type": "A" }, - "type": "query", - "header_flags": [ - "RD", - "CD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "ipv6.google.com" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 42811 } } 
@@ -145,32 +145,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client @0x7f4f8003d9e0 192.168.101.61#38251 (global.vortex.data.trafficmanager.net): query: global.vortex.data.trafficmanager.net IN AAAA +E(0) (192.168.100.102)", - "source": { - "ip": "192.168.101.61", - "port": 38251, - "address": "192.168.101.61" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "global.vortex.data.trafficmanager.net", - "top_level_domain": "net", + "registered_domain": "trafficmanager.net", "subdomain": "global.vortex.data", - "registered_domain": "trafficmanager.net" + "top_level_domain": "net", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.101.61" - ], "hosts": [ "global.vortex.data.trafficmanager.net" + ], + "ip": [ + "192.168.101.61" ] + }, + "source": { + "address": "192.168.101.61", + "ip": "192.168.101.61", + "port": 38251 } } @@ -183,30 +183,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#57980 (ipv6.google.com): query: ipv6.google.com IN AAAA - (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 57980, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [], "question": { "class": "IN", - "type": "AAAA", "name": "ipv6.google.com", - "top_level_domain": "com", + "registered_domain": "google.com", "subdomain": "ipv6", - "registered_domain": "google.com" + "top_level_domain": "com", + "type": "AAAA" }, - "type": "query", - "header_flags": [] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "ipv6.google.com" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 57980 } } 
@@ -219,32 +219,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.103.66#45041 (107.100.168.192.in-addr.arpa): query: 107.100.168.192.in-addr.arpa IN PTR +E (192.168.100.102)", - "source": { - "ip": "192.168.103.66", - "port": 45041, - "address": "192.168.103.66" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "PTR", "name": "107.100.168.192.in-addr.arpa", - "top_level_domain": "in-addr.arpa", + "registered_domain": "192.in-addr.arpa", "subdomain": "107.100.168", - "registered_domain": "192.in-addr.arpa" + "top_level_domain": "in-addr.arpa", + "type": "PTR" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "related": { - "ip": [ - "192.168.103.66" - ], "hosts": [ "107.100.168.192.in-addr.arpa" + ], + "ip": [ + "192.168.103.66" ] + }, + "source": { + "address": "192.168.103.66", + "ip": "192.168.103.66", + "port": 45041 } } @@ -257,35 +257,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "client 192.168.101.70#55575 (docs.sekoia.io): query: docs.sekoia.io IN AAAA +ET (192.168.100.102)", - "source": { - "ip": "192.168.101.70", - "port": 55575, - "address": "192.168.101.70" - }, "dns": { + "header_flags": [ + "RD" + ], "question": { "class": "IN", - "type": "AAAA", "name": "docs.sekoia.io", - "top_level_domain": "io", + "registered_domain": "sekoia.io", "subdomain": "docs", - "registered_domain": "sekoia.io" + "top_level_domain": "io", + "type": "AAAA" }, - "type": "query", - "header_flags": [ - "RD" - ] + "type": "query" }, "network": { "transport": "tcp" }, "related": { - "ip": [ - "192.168.101.70" - ], "hosts": [ "docs.sekoia.io" + ], + "ip": [ + "192.168.101.70" ] + }, + "source": { + "address": "192.168.101.70", + "ip": "192.168.101.70", + "port": 55575 } } 
diff --git a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md
index 6401893bff..c794bbeb6a 100644
--- a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md
+++ b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md
@@ -36,53 +36,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"initiated_by\":{\"id\":\"61e536ebdbbe784cb2e55fb5\",\"type\":\"admin\",\"email\":\"john.doe@sekoia.io\"},\"geoip\":{\"country_code\":\"FR\",\"timezone\":\"Europe/Paris\",\"latitude\":48.8323,\"continent_code\":\"EU\",\"region_name\":\"Paris\",\"longitude\":2.4075,\"region_code\":\"75\"},\"useragent\":{\"os\":\"Mac OS X\",\"minor\":\"0\",\"os_minor\":\"15\",\"os_version\":\"10.15.7\",\"os_major\":\"10\",\"version\":\"114.0.0.0\",\"os_patch\":\"7\",\"patch\":\"0\",\"os_full\":\"Mac OS X 10.15.7\",\"major\":\"114\",\"name\":\"Chrome\",\"os_name\":\"Mac OS X\",\"device\":\"Mac\"},\"mfa\":true,\"event_type\":\"admin_login_attempt\",\"provider\":null,\"service\":\"directory\",\"success\":true,\"organization\":\"641b3db57090821c0b2f8183\",\"@version\":\"1\",\"client_ip\":\"1.2.3.4\",\"id\":\"648c6c758c2ac07fa1fdee94\",\"timestamp\":\"2023-06-16T14:06:45.921Z\"}", "event": { + "action": "admin_login_attempt", "category": [ "authentication" ], "type": [ "info" - ], - "action": "admin_login_attempt" + ] + }, + "@timestamp": "2023-06-16T14:06:45.921000Z", + "action": { + "outcome": "success" }, "client": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "jumpcloud": { + "event_type": "admin_login_attempt", + "id": "648c6c758c2ac07fa1fdee94" }, - "@timestamp": "2023-06-16T14:06:45.921000Z", "observer": { "vendor": "Jumpcloud" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", "user": { "email": "john.doe@sekoia.io", "id": "61e536ebdbbe784cb2e55fb5" - }, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "jumpcloud": { - "id": "648c6c758c2ac07fa1fdee94", - "event_type": "admin_login_attempt" - }, - "action": { - "outcome": "success" + } }, "user_agent": { "device": { "name": "Mac" }, "name": "Chrome", - "version": "114.0.0.0", "os": { + "full": "Mac OS X 10.15.7", "name": 
"Mac OS X", - "version": "10.15.7", - "full": "Mac OS X 10.15.7" - } - }, - "related": { - "ip": [ - "1.2.3.4" - ] + "version": "10.15.7" + }, + "version": "114.0.0.0" } } @@ -98,61 +98,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "association_change" }, - "client": { - "ip": "176.161.221.161", - "address": "176.161.221.161" - }, "@timestamp": "2023-06-21T14:34:21.089000Z", - "observer": { - "vendor": "Jumpcloud" + "action": { + "outcome": "success" }, - "source": { - "user": { - "email": "maurice.moss@sekoia.io", - "id": "61e536ebdbbe784cb2e55fb5" - }, - "ip": "176.161.221.161", - "address": "176.161.221.161" + "client": { + "address": "176.161.221.161", + "ip": "176.161.221.161" }, "jumpcloud": { - "id": "64930a6d00466f31842811a1", - "event_type": "association_change", "association": { - "op": "add", "action_source": "manual", "connection": { "from": { "name": "JDOE-DESKTOP", - "type": "system", - "object_id": "6447f8a7caa17d71c56b2dca" + "object_id": "6447f8a7caa17d71c56b2dca", + "type": "system" }, "to": { "name": "john.doe", - "type": "user", - "object_id": "636b8c40f03d374a5c7f6ceb" + "object_id": "636b8c40f03d374a5c7f6ceb", + "type": "user" } - } - } + }, + "op": "add" + }, + "event_type": "association_change", + "id": "64930a6d00466f31842811a1" }, - "action": { - "outcome": "success" + "observer": { + "vendor": "Jumpcloud" + }, + "related": { + "ip": [ + "176.161.221.161" + ] + }, + "source": { + "address": "176.161.221.161", + "ip": "176.161.221.161", + "user": { + "email": "maurice.moss@sekoia.io", + "id": "61e536ebdbbe784cb2e55fb5" + } }, "user_agent": { "device": { "name": "Mac" }, "name": "Chrome", - "version": "114.0.0.0", "os": { + "full": "Mac OS X 10.15.7", "name": "Mac OS X", - "version": "10.15.7", - "full": "Mac OS X 10.15.7" - } - }, - "related": { - "ip": [ - "176.161.221.161" - ] + "version": "10.15.7" + }, + "version": "114.0.0.0" } } 
@@ -168,31 +168,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "radius_auth_attempt" }, - "client": { - "ip": "13.14.15.16", - "address": "13.14.15.16" - }, "@timestamp": "2023-06-15T15:16:41Z", - "observer": { - "vendor": "Jumpcloud" - }, - "user": { - "name": "john.doe" + "action": { + "outcome": "failure", + "outcome_reason": "mschap: MS-CHAP2-Response is incorrect" }, - "source": { - "user": { - "name": "john.doe" - }, - "ip": "13.14.15.16", - "address": "13.14.15.16" + "client": { + "address": "13.14.15.16", + "ip": "13.14.15.16" }, "jumpcloud": { - "id": "E5223E70-F3DB-3CB4-B452-96FC2259B9EE", - "event_type": "radius_auth_attempt" + "event_type": "radius_auth_attempt", + "id": "E5223E70-F3DB-3CB4-B452-96FC2259B9EE" }, - "action": { - "outcome": "failure", - "outcome_reason": "mschap: MS-CHAP2-Response is incorrect" + "observer": { + "vendor": "Jumpcloud" }, "related": { "ip": [ @@ -201,6 +191,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "13.14.15.16", + "ip": "13.14.15.16", + "user": { + "name": "john.doe" + } + }, + "user": { + "name": "john.doe" } } 
@@ -216,30 +216,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "radius_auth_attempt" }, - "client": { - "ip": "20.21.22.23", - "address": "20.21.22.23" - }, "@timestamp": "2023-06-15T15:17:41Z", - "observer": { - "vendor": "Jumpcloud" - }, - "user": { - "name": "jane.doe" + "action": { + "outcome": "success" }, - "source": { - "user": { - "name": "jane.doe" - }, - "ip": "20.21.22.23", - "address": "20.21.22.23" + "client": { + "address": "20.21.22.23", + "ip": "20.21.22.23" }, "jumpcloud": { - "id": "842B7B84-FE16-32AF-B257-9D508FB22D22", - "event_type": "radius_auth_attempt" + "event_type": "radius_auth_attempt", + "id": "842B7B84-FE16-32AF-B257-9D508FB22D22" }, - "action": { - "outcome": "success" + "observer": { + "vendor": "Jumpcloud" }, "related": { "ip": [ @@ -248,6 +238,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "jane.doe" ] + }, + "source": { + "address": "20.21.22.23", + "ip": "20.21.22.23", + "user": { + "name": "jane.doe" + } + }, + "user": { + "name": "jane.doe" } } 
@@ -261,57 +261,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"initiated_by\":{\"id\":\"619294e65bb5c23fb2b1ce09\",\"type\":\"user\",\"username\":\"jane.doe\"},\"error_message\":\"application unreachable\",\"geoip\":{\"country_code\":\"US\",\"timezone\":\"America/New_York\",\"latitude\":42.059,\"continent_code\":\"NA\",\"region_name\":\"Massachusetts\",\"longitude\":-71.1123,\"region_code\":\"MA\"},\"sso_token_success\":false,\"useragent\":{\"minor\":\"0\",\"os\":\"Mac OS X\",\"os_minor\":\"15\",\"os_major\":\"10\",\"os_version\":\"10.15.7\",\"version\":\"114.0.0.0\",\"os_patch\":\"7\",\"patch\":\"0\",\"os_full\":\"Mac OS X 10.15.7\",\"major\":\"114\",\"name\":\"Chrome\",\"os_name\":\"Mac OS X\",\"device\":\"Mac\"},\"auth_context\":{\"system\":{\"hostname\":\"JDOE-LAPTOP\",\"os\":\"Mac OS X\",\"displayName\":\"JDOE-LAPTOP\",\"id\":\"61958333dd6a1b033f2b4b95\",\"version\":\"13.4\"},\"auth_methods\":{}},\"mfa\":false,\"event_type\":\"sso_auth\",\"application\":{\"display_label\":\"\",\"sso_type\":\"saml\",\"name\":\"\",\"id\":\"\",\"sso_url\":\"https://sso.jumpcloud.com/saml2/google\"},\"provider\":\"\",\"service\":\"sso\",\"organization\":\"641b3db57090821c0b2f8183\",\"@version\":\"1\",\"client_ip\":\"5.6.7.8\",\"id\":\"648b1e56c0b7fd51eb1d0938\",\"idp_initiated\":false,\"timestamp\":\"2023-06-15T14:21:10.34334445Z\"}", "event": { + "action": "sso_auth", "category": [ "authentication" ], "type": [ "info" - ], - "action": "sso_auth" + ] + }, + "@timestamp": "2023-06-15T14:21:10.343344Z", + "action": { + "outcome": "failure", + "outcome_reason": "application unreachable" }, "client": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "jumpcloud": { + "event_type": "sso_auth", + "id": "648b1e56c0b7fd51eb1d0938" }, - "@timestamp": "2023-06-15T14:21:10.343344Z", "observer": { "vendor": "Jumpcloud" }, + "related": { + "ip": [ + "5.6.7.8" + ], + "user": [ + "jane.doe" + ] + }, 
"source": { - "user": { - "name": "jane.doe", - "id": "619294e65bb5c23fb2b1ce09" - }, + "address": "5.6.7.8", "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "jumpcloud": { - "id": "648b1e56c0b7fd51eb1d0938", - "event_type": "sso_auth" - }, - "action": { - "outcome": "failure", - "outcome_reason": "application unreachable" + "user": { + "id": "619294e65bb5c23fb2b1ce09", + "name": "jane.doe" + } }, "user_agent": { "device": { "name": "Mac" }, "name": "Chrome", - "version": "114.0.0.0", "os": { + "full": "Mac OS X 10.15.7", "name": "Mac OS X", - "version": "10.15.7", - "full": "Mac OS X 10.15.7" - } - }, - "related": { - "ip": [ - "5.6.7.8" - ], - "user": [ - "jane.doe" - ] + "version": "10.15.7" + }, + "version": "114.0.0.0" } } 
@@ -325,60 +325,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"initiated_by\":{\"id\":\"627e7e94c17c5a34e72b862a\",\"type\":\"user\",\"username\":\"john.doe\"},\"error_message\":\"not authorized\",\"geoip\":{\"country_code\":\"FR\",\"timezone\":\"Europe/Paris\",\"latitude\":48.8138,\"continent_code\":\"EU\",\"region_name\":\"Val-de-Marne\",\"longitude\":2.3873,\"region_code\":\"94\"},\"sso_token_success\":false,\"useragent\":{\"os\":\"Mac OS X\",\"minor\":\"0\",\"os_minor\":\"15\",\"os_major\":\"10\",\"os_version\":\"10.15.7\",\"version\":\"114.0.0.0\",\"os_patch\":\"7\",\"patch\":\"0\",\"os_full\":\"Mac OS X 10.15.7\",\"major\":\"114\",\"name\":\"Chrome\",\"os_name\":\"Mac OS X\",\"device\":\"Mac\"},\"auth_context\":{\"system\":{\"hostname\":\"JPABLO-MAC\",\"os\":\"Mac OS X\",\"displayName\":\"PCONTRERAS-MAC\",\"id\":\"627e7d26e05f2c61150b5905\",\"version\":\"13.4\"},\"auth_methods\":{}},\"mfa\":false,\"event_type\":\"sso_auth\",\"application\":{\"display_label\":\"Salesforce\",\"sso_type\":\"saml\",\"name\":\"salesforce\",\"id\":\"5fbfaa559753353c0b83ecc0\",\"sso_url\":\"https://sso.jumpcloud.com/saml2/google\"},\"provider\":\"\",\"service\":\"sso\",\"organization\":\"641b3db57090821c0b2f8183\",\"@version\":\"1\",\"client_ip\":\"9.10.11.12\",\"id\":\"648b24c48eae32f4adabc27e\",\"idp_initiated\":false,\"timestamp\":\"2023-06-15T14:48:36.495420839Z\"}", "event": { + "action": "sso_auth", "category": [ "authentication" ], "type": [ "info" - ], - "action": "sso_auth" + ] + }, + "@timestamp": "2023-06-15T14:48:36.495420Z", + "action": { + "outcome": "failure", + "outcome_reason": "not authorized" }, "client": { - "ip": "9.10.11.12", - "address": "9.10.11.12" + "address": "9.10.11.12", + "ip": "9.10.11.12" + }, + "jumpcloud": { + "event_type": "sso_auth", + "id": "648b24c48eae32f4adabc27e" }, - "@timestamp": "2023-06-15T14:48:36.495420Z", "observer": { "vendor": "Jumpcloud" }, - "source": { - "user": { - "name": 
"john.doe", - "id": "627e7e94c17c5a34e72b862a" - }, - "ip": "9.10.11.12", - "address": "9.10.11.12" - }, - "jumpcloud": { - "id": "648b24c48eae32f4adabc27e", - "event_type": "sso_auth" + "related": { + "ip": [ + "9.10.11.12" + ], + "user": [ + "john.doe" + ] }, "service": { "name": "salesforce" }, - "action": { - "outcome": "failure", - "outcome_reason": "not authorized" + "source": { + "address": "9.10.11.12", + "ip": "9.10.11.12", + "user": { + "id": "627e7e94c17c5a34e72b862a", + "name": "john.doe" + } }, "user_agent": { "device": { "name": "Mac" }, "name": "Chrome", - "version": "114.0.0.0", "os": { + "full": "Mac OS X 10.15.7", "name": "Mac OS X", - "version": "10.15.7", - "full": "Mac OS X 10.15.7" - } - }, - "related": { - "ip": [ - "9.10.11.12" - ], - "user": [ - "john.doe" - ] + "version": "10.15.7" + }, + "version": "114.0.0.0" } } 
@@ -392,59 +392,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"initiated_by\":{\"id\":\"611d175820c84b11c28262e2\",\"type\":\"user\",\"username\":\"john.doe\"},\"error_message\":\"\",\"geoip\":{\"country_code\":\"US\",\"timezone\":\"America/New_York\",\"latitude\":42.3364,\"continent_code\":\"NA\",\"region_name\":\"Massachusetts\",\"region_code\":\"MA\",\"longitude\":-71.0326},\"sso_token_success\":true,\"auth_context\":{\"system\":{\"hostname\":\"JDOE-DEKSTOP\",\"os\":\"Mac OS X\",\"displayName\":\"JDOE-DEKSTOP\",\"id\":\"611eadd78e9ce015fc53eb28\",\"version\":\"13.4\"},\"auth_methods\":{},\"policies_applied\":[{\"metadata\":{\"resource_type\":\"APPLICATION\",\"action\":\"ALLOW\"},\"name\":\"Global Policy\",\"id\":\"\"}]},\"useragent\":{\"os_full\":\"Mac OS X 10.15\",\"minor\":\"0\",\"os\":\"Mac OS X\",\"major\":\"114\",\"os_minor\":\"15\",\"os_major\":\"10\",\"os_version\":\"10.15\",\"name\":\"Firefox\",\"os_name\":\"Mac OS X\",\"device\":\"Mac\",\"version\":\"114.0\"},\"mfa\":false,\"event_type\":\"sso_auth\",\"application\":{\"display_label\":\"Google Workspace\",\"sso_type\":\"saml\",\"name\":\"google\",\"id\":\"60d05c1385450d17af70308f\",\"sso_url\":\"https://sso.jumpcloud.com/saml2/google\"},\"provider\":\"\",\"service\":\"sso\",\"organization\":\"641b3db57090821c0b2f8183\",\"@version\":\"1\",\"client_ip\":\"1.2.3.4\",\"id\":\"648b16171f40f190e2945fc1\",\"idp_initiated\":false,\"timestamp\":\"2023-06-15T13:45:59.812449824Z\"}", "event": { + "action": "sso_auth", "category": [ "authentication" ], "type": [ "info" - ], - "action": "sso_auth" + ] + }, + "@timestamp": "2023-06-15T13:45:59.812449Z", + "action": { + "outcome": "success" }, "client": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "jumpcloud": { + "event_type": "sso_auth", + "id": "648b16171f40f190e2945fc1" }, - "@timestamp": "2023-06-15T13:45:59.812449Z", "observer": { "vendor": "Jumpcloud" }, - 
"source": { - "user": { - "name": "john.doe", - "id": "611d175820c84b11c28262e2" - }, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "jumpcloud": { - "id": "648b16171f40f190e2945fc1", - "event_type": "sso_auth" + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] }, "service": { "name": "google" }, - "action": { - "outcome": "success" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "id": "611d175820c84b11c28262e2", + "name": "john.doe" + } }, "user_agent": { "device": { "name": "Mac" }, "name": "Firefox", - "version": "114.0", "os": { + "full": "Mac OS X 10.15", "name": "Mac OS X", - "version": "10.15", - "full": "Mac OS X 10.15" - } - }, - "related": { - "ip": [ - "1.2.3.4" - ], - "user": [ - "john.doe" - ] + "version": "10.15" + }, + "version": "114.0" } } 
@@ -460,51 +460,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "user_update" }, + "@timestamp": "2023-06-20T00:21:09.162000Z", "client": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "jumpcloud": { + "changes": [ + { + "field": "attributes" + } + ], + "event_type": "user_update", + "id": "6490f0f5a2d539837a30aaad" }, - "@timestamp": "2023-06-20T00:21:09.162000Z", "observer": { "vendor": "Jumpcloud" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", "user": { "email": "maurice.moss@sekoia.io", "id": "603e0c284295c570a179ef4a" - }, - "ip": "1.2.3.4", - "address": "1.2.3.4" + } }, "user": { "target": { - "name": "jane.doe", - "id": "6127579ec58b6d6144c06492" + "id": "6127579ec58b6d6144c06492", + "name": "jane.doe" } }, - "jumpcloud": { - "id": "6490f0f5a2d539837a30aaad", - "event_type": "user_update", - "changes": [ - { - "field": "attributes" - } - ] - }, "user_agent": { "device": { "name": "Other" }, "name": "Other", "os": { - "name": "Other", - "full": "Other" + "full": "Other", + "name": "Other" } - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } @@ -520,31 +520,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "user_update" }, - "client": { - "ip": "4.5.6.7", - "address": "4.5.6.7" - }, "@timestamp": "2023-06-19T16:05:10.657000Z", - "observer": { - "vendor": "Jumpcloud" - }, - "source": { - "user": { - "email": "maurice.moss@sekoia.io", - "id": "5bf6defbdcd8233029e0c599" - }, - "ip": "4.5.6.7", - "address": "4.5.6.7" + "action": { + "outcome": "success" }, - "user": { - "target": { - "name": "jane.doe", - "id": "627232d9c2bb20373d84eb63" - } + "client": { + "address": "4.5.6.7", + "ip": "4.5.6.7" }, "jumpcloud": { - "id": "64907cb6e968be7fe5b14d80", - "event_type": "user_update", "changes": [ { "field": "addresses" 
@@ -555,26 +539,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "field": "location" } + ], + "event_type": "user_update", + "id": "64907cb6e968be7fe5b14d80" + }, + "observer": { + "vendor": "Jumpcloud" + }, + "related": { + "ip": [ + "4.5.6.7" ] }, - "action": { - "outcome": "success" + "source": { + "address": "4.5.6.7", + "ip": "4.5.6.7", + "user": { + "email": "maurice.moss@sekoia.io", + "id": "5bf6defbdcd8233029e0c599" + } + }, + "user": { + "target": { + "id": "627232d9c2bb20373d84eb63", + "name": "jane.doe" + } }, "user_agent": { "device": { "name": "Other" }, "name": "curl", - "version": "7.68.0", "os": { - "name": "Other", - "full": "Other" - } - }, - "related": { - "ip": [ - "4.5.6.7" - ] + "full": "Other", + "name": "Other" + }, + "version": "7.68.0" } } @@ -590,31 +590,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "user_update" }, - "client": { - "ip": "10.11.12.13", - "address": "10.11.12.13" - }, "@timestamp": "2023-06-19T17:11:10.381000Z", - "observer": { - "vendor": "Jumpcloud" - }, - "source": { - "user": { - "email": "maurice.moss@sekoia.io", - "id": "5bf6defbdcd8233029e0c599" - }, - "ip": "10.11.12.13", - "address": "10.11.12.13" + "action": { + "outcome": "success" }, - "user": { - "target": { - "name": "john.wick", - "id": "628cf9c0d6f4831f8192fa8d" - } + "client": { + "address": "10.11.12.13", + "ip": "10.11.12.13" }, "jumpcloud": { - "id": "64908c2ef675033f5a7a5e1e", - "event_type": "user_update", "changes": [ { "field": "addresses" 
@@ -635,26 +619,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "from": "false", "to": "true" } + ], + "event_type": "user_update", + "id": "64908c2ef675033f5a7a5e1e" + }, + "observer": { + "vendor": "Jumpcloud" + }, + "related": { + "ip": [ + "10.11.12.13" ] }, - "action": { - "outcome": "success" + "source": { + "address": "10.11.12.13", + "ip": "10.11.12.13", + "user": { + "email": "maurice.moss@sekoia.io", + "id": "5bf6defbdcd8233029e0c599" + } + }, + "user": { + "target": { + "id": "628cf9c0d6f4831f8192fa8d", + "name": "john.wick" + } }, "user_agent": { "device": { "name": "Other" }, "name": "curl", - "version": "7.68.0", "os": { - "name": "Other", - "full": "Other" - } - }, - "related": { - "ip": [ - "10.11.12.13" - ] + "full": "Other", + "name": "Other" + }, + "version": "7.68.0" } } diff --git a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md index 78d3ad3846..1fbd309a80 100644 --- a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md +++ b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md 
@@ -35,15 +35,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Exchange Online|1.0|Added|Added Mailbox|0|shost=REDACTED cat=Mailbox suser=user@acme.wtf filePath=REDACTED start=d\u00e9c. 01 2022 13:40:34 GMT msg=Name: \"REDACTED\", Alias: \"REDACTED_ALIAS\", Email Address: \"redacted@acme.onmicrosoft.com\", Display Name: \"REDACTED\", Equipment: \"True\", Windows Live ID: \"redacted@acme.onmicrosoft.com\"", "event": { - "kind": "event", "code": "added", + "kind": "event", + "reason": "Name: \"REDACTED\", Alias: \"REDACTED_ALIAS\", Email Address: \"redacted@acme.onmicrosoft.com\", Display Name: \"REDACTED\", Equipment: \"True\", Windows Live ID: \"redacted@acme.onmicrosoft.com\"", "severity": 0, - "start": "2022-12-01T13:40:34Z", - "reason": "Name: \"REDACTED\", Alias: \"REDACTED_ALIAS\", Email Address: \"redacted@acme.onmicrosoft.com\", Display Name: \"REDACTED\", Equipment: \"True\", Windows Live ID: \"redacted@acme.onmicrosoft.com\"" + "start": "2022-12-01T13:40:34Z" }, "observer": { - "vendor": "Netwrix", "product": "Exchange Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { 
@@ -61,15 +61,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Calendar Processing|0|shost=PAWPR07MB9321 cat=Calendar Processing suser=user@acme.tld filePath= start=d\u00e9c. 01 2022 13:41:23 GMT msg=Resource Delegates changed, All Book In Policy changed to \"False\", All Request In Policy changed to \"True\", Allow Recurring Meetings changed to \"False\", Booking Window In Days changed to \"0\", Maximum Duration In Minutes changed to \"0\"", "event": { - "kind": "event", "code": "modified", + "kind": "event", + "reason": "Resource Delegates changed, All Book In Policy changed to \"False\", All Request In Policy changed to \"True\", Allow Recurring Meetings changed to \"False\", Booking Window In Days changed to \"0\", Maximum Duration In Minutes changed to \"0\"", "severity": 0, - "start": "2022-12-01T13:41:23Z", - "reason": "Resource Delegates changed, All Book In Policy changed to \"False\", All Request In Policy changed to \"True\", Allow Recurring Meetings changed to \"False\", Booking Window In Days changed to \"0\", Maximum Duration In Minutes changed to \"0\"" + "start": "2022-12-01T13:41:23Z" }, "observer": { - "vendor": "Netwrix", "product": "Exchange Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { 
@@ -87,25 +87,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Conditional Access Policy|0|shost=redatec cat=Conditional Access Policy suser=ACME\\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) filePath=some-uuid start=d\u00e9c. 01 2022 12:19:45 GMT msg=Policy Details changed to \"{\"DummyKnownNetworkPolicy\":\"\"}\", Policy Last Updated Time changed to \"12/1/2022 12:19:45 PM\", Tenant Default Policy changed to \"6\", Display Name changed to \"Policy Display Name\", Policy Identifier String changed to \"10/5/2022 7:27:35 AM\"", "event": { - "kind": "event", "code": "modified", + "kind": "event", + "reason": "Policy Details changed to \"{\"DummyKnownNetworkPolicy\":\"\"}\", Policy Last Updated Time changed to \"12/1/2022 12:19:45 PM\", Tenant Default Policy changed to \"6\", Display Name changed to \"Policy Display Name\", Policy Identifier String changed to \"10/5/2022 7:27:35 AM\"", "severity": 0, - "start": "2022-12-01T12:19:45Z", - "reason": "Policy Details changed to \"{\"DummyKnownNetworkPolicy\":\"\"}\", Policy Last Updated Time changed to \"12/1/2022 12:19:45 PM\", Tenant Default Policy changed to \"6\", Display Name changed to \"Policy Display Name\", Policy Identifier String changed to \"10/5/2022 7:27:35 AM\"" + "start": "2022-12-01T12:19:45Z" }, "observer": { - "vendor": "Netwrix", "product": "Exchange Online", + "vendor": "Netwrix", "version": "1.0" }, - "user": { - "name": "Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker)", - "domain": "ACME" - }, "related": { "user": [ "Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker)" ] + }, + "user": { + "domain": "ACME", + "name": "Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker)" } } 
@@ -119,15 +119,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Mailbox|0|shost=REDACTED cat=Mailbox suser=user@acme.tld filePath=Redacted start=d\u00e9c. 01 2022 13:40:37 GMT msg=Office changed to \"SaaS\"", "event": { - "kind": "event", "code": "modified", + "kind": "event", + "reason": "Office changed to \"SaaS\"", "severity": 0, - "start": "2022-12-01T13:40:37Z", - "reason": "Office changed to \"SaaS\"" + "start": "2022-12-01T13:40:37Z" }, "observer": { - "vendor": "Netwrix", "product": "Exchange Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { @@ -145,28 +145,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Logon Activity|1.0|Logoff|Logoff Interactive logon|0|shost=server.acme.wtf cat=Interactive logon suser=Acme Domain\\user filePath=server.acme.wtf start=d\u00e9c. 01 2022 12:42:08 GMT msg=Session duration: 2 hours 1 minute.", "event": { - "kind": "event", "code": "logoff", + "kind": "event", + "reason": "Session duration: 2 hours 1 minute.", "severity": 0, - "start": "2022-12-01T12:42:08Z", - "reason": "Session duration: 2 hours 1 minute." + "start": "2022-12-01T12:42:08Z" }, "observer": { - "vendor": "Netwrix", "product": "Logon Activity", + "vendor": "Netwrix", "version": "1.0" }, - "user": { - "name": "user", - "domain": "Acme Domain" - }, - "source": { - "domain": "server.acme.wtf", - "address": "server.acme.wtf", - "top_level_domain": "wtf", - "subdomain": "server", - "registered_domain": "acme.wtf" - }, "related": { "hosts": [ "server.acme.wtf" 
@@ -174,6 +163,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user" ] + }, + "source": { + "address": "server.acme.wtf", + "domain": "server.acme.wtf", + "registered_domain": "acme.wtf", + "subdomain": "server", + "top_level_domain": "wtf" + }, + "user": { + "domain": "Acme Domain", + "name": "user" } } @@ -187,25 +187,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Logon Activity|1.0|Failed Logon|Failed Logon Logon|0|shost=server.acme.tld cat=Logon suser=user filePath=N/A start=nov. 29 2022 14:51:57 GMT msg=Cause: User logon with misspelled or bad user account", "event": { - "kind": "event", "code": "failed logon", + "kind": "event", + "reason": "Cause: User logon with misspelled or bad user account", "severity": 0, - "start": "2022-11-29T14:51:57Z", - "reason": "Cause: User logon with misspelled or bad user account" + "start": "2022-11-29T14:51:57Z" }, "observer": { - "vendor": "Netwrix", "product": "Logon Activity", + "vendor": "Netwrix", "version": "1.0" }, - "user": { - "name": "user" - }, - "source": { - "domain": "server.acme.tld", - "address": "server.acme.tld", - "subdomain": "server.acme" - }, "related": { "hosts": [ "server.acme.tld" @@ -213,6 +205,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user" ] + }, + "source": { + "address": "server.acme.tld", + "domain": "server.acme.tld", + "subdomain": "server.acme" + }, + "user": { + "name": "user" } } 
@@ -226,27 +226,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|Logon Activity|1.0|Successful Logon|Successful Logon Interactive logon|0|shost=server.acme.wtf cat=Interactive logon suser=domain\\user filePath=server.acme.wtf start=d\u00e9c. 01 2022 13:35:20 GMT", "event": { - "kind": "event", "code": "successful logon", + "kind": "event", "severity": 0, "start": "2022-12-01T13:35:20Z" }, "observer": { - "vendor": "Netwrix", "product": "Logon Activity", + "vendor": "Netwrix", "version": "1.0" }, - "user": { - "name": "user", - "domain": "domain" - }, - "source": { - "domain": "server.acme.wtf", - "address": "server.acme.wtf", - "top_level_domain": "wtf", - "subdomain": "server", - "registered_domain": "acme.wtf" - }, "related": { "hosts": [ "server.acme.wtf" @@ -254,6 +243,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user" ] + }, + "source": { + "address": "server.acme.wtf", + "domain": "server.acme.wtf", + "registered_domain": "acme.wtf", + "subdomain": "server", + "top_level_domain": "wtf" + }, + "user": { + "domain": "domain", + "name": "user" } } 
@@ -267,24 +267,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|SharePoint Online|1.0|Added|Added Document|0|shost=https://acme-my.sharepoint.com/personal/redacted cat=Document suser=user@acme.tld filePath=https://acme-my.sharepoint.com/personal/redacted/Documents/redacted document name.xlsx start=d\u00e9c. 01 2022 12:38:40 GMT msg=Application Name: Microsoft Office Excel (16.0.15726.20070)", "event": { - "kind": "event", + "action": "added document", "code": "added", + "kind": "event", "severity": 0, - "start": "2022-12-01T12:38:40Z", - "action": "added document" + "start": "2022-12-01T12:38:40Z" + }, + "file": { + "directory": "personal/redacted/Documents", + "name": "redacted document name.xlsx", + "path": "personal/redacted/Documents/redacted document name.xlsx" }, "observer": { - "vendor": "Netwrix", "product": "SharePoint Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { "email": "user@acme.tld" - }, - "file": { - "path": "personal/redacted/Documents/redacted document name.xlsx", - "directory": "personal/redacted/Documents", - "name": "redacted document name.xlsx" } } 
@@ -298,24 +298,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|SharePoint Online|1.0|Modified|Modified Document|0|shost=https://acme-my.sharepoint.com/personal/user_acme_tld cat=Document suser=user@acme.tld filePath=https://acme-my.sharepoint.com/personal/redacted/Documents/someone somestuff/Redacted.one start=nov. 29 2022 14:49:11 GMT msg=Application Name: Microsoft Office OneNote (16.0.10392.20029)", "event": { - "kind": "event", + "action": "modified document", "code": "modified", + "kind": "event", "severity": 0, - "start": "2022-11-29T14:49:11Z", - "action": "modified document" + "start": "2022-11-29T14:49:11Z" + }, + "file": { + "directory": "personal/redacted/Documents/someone somestuff", + "name": "Redacted.one", + "path": "personal/redacted/Documents/someone somestuff/Redacted.one" }, "observer": { - "vendor": "Netwrix", "product": "SharePoint Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { "email": "user@acme.tld" - }, - "file": { - "path": "personal/redacted/Documents/someone somestuff/Redacted.one", - "directory": "personal/redacted/Documents/someone somestuff", - "name": "Redacted.one" } } 
@@ -329,24 +329,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Netwrix|SharePoint Online|1.0|Renamed|Renamed Document|0|shost=https://acme.sharepoint.com cat=Document suser=user@acme.tld filePath=https://acme.sharepoint.com/folder one/ACME Org/user/test.txt start=nov. 29 2022 14:31:21 GMT msg=Name changed to \"test.txt\", Application Name: Microsoft OneDrive (22.227.1030.0001)", "event": { - "kind": "event", + "action": "renamed document", "code": "renamed", + "kind": "event", "severity": 0, - "start": "2022-11-29T14:31:21Z", - "action": "renamed document" + "start": "2022-11-29T14:31:21Z" + }, + "file": { + "directory": "folder one/ACME Org/user", + "name": "test.txt", + "path": "folder one/ACME Org/user/test.txt" }, "observer": { - "vendor": "Netwrix", "product": "SharePoint Online", + "vendor": "Netwrix", "version": "1.0" }, "user": { "email": "user@acme.tld" - }, - "file": { - "path": "folder one/ACME Org/user/test.txt", - "directory": "folder one/ACME Org/user", - "name": "test.txt" } } diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index b1af1ae0ad..8fa1fc824a 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md 
@@ -35,20 +35,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "51.255.128.104 - - [25/Aug/2019:23:59:51 +0000] \"GET /sic/ HTTP/1.1\" 200 537 \"http://app.sekoia.io/sic/\" \"Go-http-client/1.1\"", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2019-08-25T23:59:51Z", "http": { "request": { @@ -61,6 +56,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "ip": [ + "51.255.128.104" + ] + }, "source": { "address": "51.255.128.104", "ip": "51.255.128.104" @@ -70,20 +75,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "path": "/sic/" }, "user_agent": { - "original": "Go-http-client/1.1", "device": { "name": "Other" }, "name": "Go-http-client", - "version": "1.1", + "original": "Go-http-client/1.1", "os": { "name": "Other" - } - }, - "related": { - "ip": [ - "51.255.128.104" - ] + }, + "version": "1.1" } } @@ -97,20 +97,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2019/08/25 23:59:53 [error] 9841#9841: *103137592 connect() failed (111: Connection refused) while connecting to upstream, client: 51.255.128.104, server: api.prod.sekoia.io, request: \"GET /v1/apiauth/auth/health HTTP/1.1\", upstream: \"http://10.110.30.121:80/v1/apiauth/auth/health\", host: \"api.sekoia.io\"", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", + "kind": "event", "type": [ "error" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "destination": { "address": "api.prod.sekoia.io", "domain": "api.prod.sekoia.io" 
@@ -121,15 +116,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, - "source": { - "address": "51.255.128.104", - "ip": "51.255.128.104" - }, - "url": { - "domain": "10.110.30.121", - "original": "/v1/apiauth/auth/health", - "path": "/v1/apiauth/auth/health", - "port": 80 + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" }, "related": { "hosts": [ @@ -139,6 +129,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "51.255.128.104" ] + }, + "source": { + "address": "51.255.128.104", + "ip": "51.255.128.104" + }, + "url": { + "domain": "10.110.30.121", + "original": "/v1/apiauth/auth/health", + "path": "/v1/apiauth/auth/health", + "port": 80 } } @@ -152,20 +152,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2019-08-22T06:28:30Z", "destination": { "address": "rdp.acme.com", @@ -183,6 +178,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "rdp.acme.com" + ], + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4" 
@@ -193,24 +201,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "query": "key1=111111&time=1566455309850" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134", "device": { "name": "Other" }, "name": "Edge", - "version": "17.17134", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "hosts": [ - "rdp.acme.com" - ], - "ip": [ - "1.2.3.4" - ] + }, + "version": "17.17134" } } @@ -224,20 +224,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "rdp.acme.com 1.2.3.4 - - [12/Feb/2020:17:31:31 +0100] \"GET /app/query/results?query=contentsitename=NDOX%111/AA%20AND%20(doctype:DOCX%20OR%20doctype:PDF)%20AND%20(date=\\x222018-4-4\\x22) HTTP/1.1\" 200 946 \"https://rdp.acme.com/eng\" \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\" \"1.2.3.4\" \"0.184\" \"TLSv1.2/DHE-RSA-AES256-GCM-SHA384\" \"application/json; charset=utf-8\"", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-02-12T16:31:31Z", "destination": { "address": "rdp.acme.com", @@ -255,6 +250,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "rdp.acme.com" + ], + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4" 
@@ -265,24 +273,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "query": "query=contentsitename=NDOX%111/AA%20AND%20(doctype:DOCX%20OR%20doctype:PDF)%20AND%20(date=\\x222018-4-4\\x22)" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "device": { "name": "Other" }, "name": "IE", - "version": "11.0", + "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "os": { "name": "Windows", "version": "7" - } - }, - "related": { - "hosts": [ - "rdp.acme.com" - ], - "ip": [ - "1.2.3.4" - ] + }, + "version": "11.0" } } @@ -296,20 +296,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "rdp.acme.com 1.2.3.4 - - [12/Feb/2020:16:32:33 +0100] \"POST /update_pc_list.php?id=PD17TE700&available=y&email=Angele.BLAES@acme.com&login=BLAES&domain=KEY&ip=4.3.2.1 HTTP/1.1\" 200 - \"-\" \"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\" \"-\" \"0\" \"-\"", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-02-12T15:32:33Z", "destination": { "address": "rdp.acme.com", @@ -324,6 +319,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "version": "1.1" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "rdp.acme.com" + ], + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4" 
@@ -334,23 +342,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "query": "id=PD17TE700&available=y&email=Angele.BLAES@acme.com&login=BLAES&domain=KEY&ip=4.3.2.1" }, "user_agent": { - "original": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "device": { "name": "Spider" }, "name": "Other", + "original": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "os": { "name": "Windows", "version": "95" } - }, - "related": { - "hosts": [ - "rdp.acme.com" - ], - "ip": [ - "1.2.3.4" - ] } } @@ -364,26 +364,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"server_name\":\"rdp.acme.com\",\"server_addr\":\"5.6.7.8\",\"remote_addr\":\"1.2.3.4\",\"remote_user\":\"\",\"time_local\":\"02/Jun/2020:13:07:18 +0200\",\"request\":\"DELETE /blobstore/aaa/bbb/530fd9ee-23af-4d4e-a9e4-0b7280ace286/document.tgz HTTP/1.1\",\"status\":\"204\",\"body_bytes_sent\":\"0\",\"http_referer\":\"\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\",\"proxy_add_x_forwarded_for\":\"1.2.3.4\",\"request_time\":\"0.007\",\"ssl_protocol\":\"\",\"ssl_cipher\":\"\",\"sent_http_content_type\":\"\"}", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", "duration": 7000000.0, + "kind": "event", "type": [ "error" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-06-02T11:07:18Z", + "action": { + "name": "DELETE", + "outcome": "success" + }, "destination": { "address": "rdp.acme.com", - "ip": "5.6.7.8", - "domain": "rdp.acme.com" + "domain": "rdp.acme.com", + "ip": "5.6.7.8" }, "http": { "request": { 
@@ -398,38 +397,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "forwarded_ip": "1.2.3.4" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "rdp.acme.com" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "original": "/blobstore/aaa/bbb/530fd9ee-23af-4d4e-a9e4-0b7280ace286/document.tgz", "path": "/blobstore/aaa/bbb/530fd9ee-23af-4d4e-a9e4-0b7280ace286/document.tgz" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "device": { "name": "Other" }, "name": "IE", - "version": "11.0", + "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "os": { "name": "Windows", "version": "7" - } - }, - "action": { - "name": "DELETE", - "outcome": "success" - }, - "related": { - "hosts": [ - "rdp.acme.com" - ], - "ip": [ - "1.2.3.4", - "5.6.7.8" - ] + }, + "version": "11.0" } } 
@@ -443,26 +443,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"timestamp\": \"2020-06-04T11:17:10+02:00\", \"remote_addr\": \"1.2.3.4\", \"body_bytes_sent\": 36, \"request_time\": 0.003, \"response_status\": 404, \"request\": \"GET /rest/plugins/1.0/com.atlassian.jira.plugins.jira-slack-server-integration-plugin-key/media/plugin-icon HTTP/1.1\", \"request_method\": \"GET\", \"host\": \"rdp.acme.com\", \"http_scheme\": \"https\", \"upstream_cache_status\": \"-\", \"upstream_addr\": \"9.8.7.6:38080\", \"http_x_forwarded_for\": \"-\", \"http_referrer\": \"https://rdp.acme.com/plugins/servlet/project-config/PVC/summary\", \"http_user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\", \"http_version\": \"HTTP/1.1\", \"nginx_access\": true }", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", "duration": 3000000.0, + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-06-04T09:17:10Z", + "action": { + "name": "GET", + "outcome": "failure" + }, "destination": { "address": "rdp.acme.com", - "ip": "9.8.7.6", "domain": "rdp.acme.com", + "ip": "9.8.7.6", "port": 38080 }, "http": { 
@@ -479,38 +478,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "https" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "rdp.acme.com" + ], + "ip": [ + "1.2.3.4", + "9.8.7.6" + ] + }, "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "original": "/rest/plugins/1.0/com.atlassian.jira.plugins.jira-slack-server-integration-plugin-key/media/plugin-icon", "path": "/rest/plugins/1.0/com.atlassian.jira.plugins.jira-slack-server-integration-plugin-key/media/plugin-icon" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "81.0.4044", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "action": { - "name": "GET", - "outcome": "failure" - }, - "related": { - "hosts": [ - "rdp.acme.com" - ], - "ip": [ - "1.2.3.4", - "9.8.7.6" - ] + }, + "version": "81.0.4044" } } 
@@ -524,26 +524,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"timestamp\": \"2020-05-27T17:13:08+02:00\", \"remote_addr\": \"1.2.3.4\", \"body_bytes_sent\": 441, \"request_time\": 0.008, \"response_status\": 200, \"request\": \"GET /nuxeo/site/api/v1/automation/Bulk.RunAction/@async/2c9ebc2e-90a9-49bf-a723-f816eeb565e5/status HTTP/1.1\", \"request_method\": \"GET\", \"host\": \"acme.com\", \"http_scheme\": \"http\", \"upstream_cache_status\": \"-\", \"upstream_addr\": \"9.8.7.6:8080\", \"http_x_forwarded_for\": \"-\", \"http_referrer\": \"http://acme.com/nuxeo/ui/\", \"http_user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\", \"http_version\": \"HTTP/1.1\", \"nginx_access\": true }", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", "duration": 8000000.0, + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-05-27T15:13:08Z", + "action": { + "name": "GET", + "outcome": "success" + }, "destination": { "address": "acme.com", - "ip": "9.8.7.6", "domain": "acme.com", + "ip": "9.8.7.6", "port": 8080 }, "http": { 
@@ -560,38 +559,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "http" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "acme.com" + ], + "ip": [ + "1.2.3.4", + "9.8.7.6" + ] + }, "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "original": "/nuxeo/site/api/v1/automation/Bulk.RunAction/@async/2c9ebc2e-90a9-49bf-a723-f816eeb565e5/status", "path": "/nuxeo/site/api/v1/automation/Bulk.RunAction/@async/2c9ebc2e-90a9-49bf-a723-f816eeb565e5/status" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36", "device": { "name": "Other" }, "name": "Chrome", - "version": "81.0.4044", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "action": { - "name": "GET", - "outcome": "success" - }, - "related": { - "hosts": [ - "acme.com" - ], - "ip": [ - "1.2.3.4", - "9.8.7.6" - ] + }, + "version": "81.0.4044" } } 
@@ -605,22 +605,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"timestamp\": \"2020-08-04T10:57:00+02:00\", \"remote_addr\": \"13.49.125.139\", \"body_bytes_sent\": 18752, \"request_time\": 0.000, \"response_status\": 403, \"request\": \"GET /.git/HEAD HTTP/1.1\", \"request_method\": \"GET\", \"host\": \"185.189.174.2\", \"http_scheme\": \"http\", \"upstream_cache_status\": \"-\", \"upstream_addr\": \"-\", \"http_x_forwarded_for\": \"-\", \"http_referrer\": \"-\", \"http_user_agent\": \"curl/7.47.0\", \"http_version\": \"HTTP/1.1\", \"nginx_access\": true }", "event": { - "kind": "event", "category": [ "web" ], "dataset": "access", "duration": 0.0, + "kind": "event", "type": [ "access" ] }, - "observer": { - "product": "nginx", - "type": "WEB server", - "vendor": "F5" - }, "@timestamp": "2020-08-04T08:57:00Z", + "action": { + "name": "GET", + "outcome": "failure" + }, "destination": { "address": "185.189.174.2", "ip": "185.189.174.2" @@ -638,34 +637,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "http" }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "ip": [ + "13.49.125.139", + "185.189.174.2" + ] + }, "source": { - "ip": "13.49.125.139", - "address": "13.49.125.139" + "address": "13.49.125.139", + "ip": "13.49.125.139" }, "url": { "original": "/.git/HEAD", "path": "/.git/HEAD" }, "user_agent": { - "original": "curl/7.47.0", "device": { "name": "Other" }, "name": "curl", - "version": "7.47.0", + "original": "curl/7.47.0", "os": { "name": "Other" - } - }, - "action": { - "name": "GET", - "outcome": "failure" - }, - "related": { - "ip": [ - "13.49.125.139", - "185.189.174.2" - ] + }, + "version": "7.47.0" } } 
diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md index a1e03200a6..277461b2b4 100644 --- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md @@ -35,33 +35,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " Ignoring request to auth address * port 1812 bound to server default from unknown client 1.2.3.4 port 9459 proto udp", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "source": { - "port": 9459, - "ip": "1.2.3.4", - "address": "1.2.3.4" + ] }, "destination": { "port": 1812 }, - "network": { - "transport": "udp" - }, "freeradius": { "outcome": "Ignoring request to auth address" }, + "network": { + "transport": "udp" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 9459 } } 
@@ -75,35 +75,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(548804) Invalid user (Rejected: User-Name contains whitespace): [john.doe@example.org ] (from client WLAN port 9815 cli 00-11-22-33-44-55)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", + "reason": "Rejected: User-Name contains whitespace", "type": [ "info" - ], - "dataset": "freeradius.authentication", - "reason": "Rejected: User-Name contains whitespace" + ] }, - "user": { - "email": "john.doe@example.org ", - "name": "john.doe", - "domain": "example.org " + "freeradius": { + "outcome": "Invalid user" }, "network": { "name": "WLAN" }, - "source": { - "port": 9815, - "mac": "00-11-22-33-44-55" - }, - "freeradius": { - "outcome": "Invalid user" - }, "related": { "user": [ "john.doe" ] + }, + "source": { + "mac": "00-11-22-33-44-55", + "port": 9815 + }, + "user": { + "domain": "example.org ", + "email": "john.doe@example.org ", + "name": "john.doe" } } @@ -117,32 +117,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(29512) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test] (from client LAN port 0)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", + "reason": "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject", "type": [ "info" - ], - "dataset": "freeradius.authentication", - "reason": "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" + ] }, - "user": { - "name": "test" + "freeradius": { + "outcome": "Login incorrect" }, "network": { "name": "LAN" }, - "source": { - "port": 0 - }, - "freeradius": { - "outcome": "Login incorrect" - }, "related": { "user": [ "test" ] + }, + "source": { + "port": 0 + }, + "user": { + "name": "test" } } 
@@ -156,34 +156,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(15350502) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [domain\\username] (from client RX-WIFI-CISCO-5520-491 port 0 cli 0a3253427066)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", + "reason": "The users session was previously rejected: returning reject (again.)", "type": [ "info" - ], - "dataset": "freeradius.authentication", - "reason": "The users session was previously rejected: returning reject (again.)" - }, - "user": { - "name": "username", - "domain": "domain" - }, - "network": { - "name": "RX-WIFI-CISCO-5520-491" - }, - "source": { - "port": 0, - "mac": "0a-32-53-42-70-66" + ] }, "freeradius": { "outcome": "Login incorrect" }, + "host": { + "name": "RX-WIFI-CISCO-5520-491" + }, "related": { "user": [ "username" ] + }, + "source": { + "mac": "0a-32-53-42-70-66", + "port": 0 + }, + "user": { + "domain": "domain", + "name": "username" } } 
@@ -197,34 +197,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(549077) Login OK: [host/hostname.example.org] (from client WLAN port 9815 cli 00-11-22-33-44-55)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "network": { - "name": "WLAN" - }, - "source": { - "port": 9815, - "mac": "00-11-22-33-44-55", - "domain": "hostname.example.org", - "address": "hostname.example.org", - "top_level_domain": "org", - "subdomain": "hostname", - "registered_domain": "example.org" + ] }, "freeradius": { "outcome": "Login OK" }, + "network": { + "name": "WLAN" + }, "related": { "hosts": [ "hostname.example.org" ] + }, + "source": { + "address": "hostname.example.org", + "domain": "hostname.example.org", + "mac": "00-11-22-33-44-55", + "port": 9815, + "registered_domain": "example.org", + "subdomain": "hostname", + "top_level_domain": "org" } } @@ -238,32 +238,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(549117) Login OK: [john.doe@example.org] (from client abcdef port 2010 cli 1.2.3.4 via TLS tunnel)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" + ] }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" + "freeradius": { + "outcome": "Login OK" + }, + "host": { + "name": "abcdef" }, "network": { - "name": "abcdef", "protocol": "TLS" }, - "source": { - "port": 2010, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "freeradius": { - "outcome": "Login OK" - }, "related": { "ip": [ "1.2.3.4" 
@@ -271,6 +263,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 2010 + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } @@ -284,31 +286,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(29559) Login OK: [nagios_check] (from client abcdef port 0)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "user": { - "name": "nagios_check" - }, - "network": { - "name": "abcdef" - }, - "source": { - "port": 0 + ] }, "freeradius": { "outcome": "Login OK" }, + "host": { + "name": "abcdef" + }, "related": { "user": [ "nagios_check" ] + }, + "source": { + "port": 0 + }, + "user": { + "name": "nagios_check" } } @@ -322,33 +324,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(19962164) Login OK: [MYDOM\\UR12345678] (from client test port 8 cli 00-11-22-33-44-55)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "user": { - "name": "UR12345678", - "domain": "MYDOM" - }, - "network": { - "name": "test" - }, - "source": { - "port": 8, - "mac": "00-11-22-33-44-55" + ] }, "freeradius": { "outcome": "Login OK" }, + "host": { + "name": "test" + }, "related": { "user": [ "UR12345678" ] + }, + "source": { + "mac": "00-11-22-33-44-55", + "port": 8 + }, + "user": { + "domain": "MYDOM", + "name": "UR12345678" } } 
@@ -362,35 +364,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(16634082) Login OK: [host/hostname.test.example.org] (from client test port 8 cli 00-11-22-33-44-55 via TLS tunnel)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "network": { - "name": "test", - "protocol": "TLS" - }, - "source": { - "port": 8, - "mac": "00-11-22-33-44-55", - "domain": "hostname.test.example.org", - "address": "hostname.test.example.org", - "top_level_domain": "org", - "subdomain": "hostname.test", - "registered_domain": "example.org" + ] }, "freeradius": { "outcome": "Login OK" }, + "host": { + "name": "test" + }, + "network": { + "protocol": "TLS" + }, "related": { "hosts": [ "hostname.test.example.org" ] + }, + "source": { + "address": "hostname.test.example.org", + "domain": "hostname.test.example.org", + "mac": "00-11-22-33-44-55", + "port": 8, + "registered_domain": "example.org", + "subdomain": "hostname.test", + "top_level_domain": "org" } } @@ -404,31 +408,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(737467) Login OK: [username] (from client ccsma port 0)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" + ] }, - "user": { - "name": "username" + "freeradius": { + "outcome": "Login OK" }, "network": { "name": "ccsma" }, - "source": { - "port": 0 - }, - "freeradius": { - "outcome": "Login OK" - }, "related": { "user": [ "username" ] + }, + "source": { + "port": 0 + }, + "user": { + "name": "username" } } 
@@ -442,33 +446,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(12403060) Login OK: [domain\\username] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-84-92-6c-48-1e)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "user": { - "name": "username", - "domain": "domain" - }, - "network": { - "name": "RX-WIFI-CISCO-5520" - }, - "source": { - "port": 8, - "mac": "0a-84-92-6c-48-1e" + ] }, "freeradius": { "outcome": "Login OK" }, + "host": { + "name": "RX-WIFI-CISCO-5520" + }, "related": { "user": [ "username" ] + }, + "source": { + "mac": "0a-84-92-6c-48-1e", + "port": 8 + }, + "user": { + "domain": "domain", + "name": "username" } } @@ -482,35 +486,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "(16634082) Login OK: [host/username.example.org] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-44-5b-4f-04-cf via TLS tunnel)", "event": { - "kind": "event", "category": [ "authentication" ], + "dataset": "freeradius.authentication", + "kind": "event", "type": [ "info" - ], - "dataset": "freeradius.authentication" - }, - "network": { - "name": "RX-WIFI-CISCO-5520", - "protocol": "TLS" - }, - "source": { - "port": 8, - "mac": "0a-44-5b-4f-04-cf", - "domain": "username.example.org", - "address": "username.example.org", - "top_level_domain": "org", - "subdomain": "username", - "registered_domain": "example.org" + ] }, "freeradius": { "outcome": "Login OK" }, + "host": { + "name": "RX-WIFI-CISCO-5520" + }, + "network": { + "protocol": "TLS" + }, "related": { "hosts": [ "username.example.org" ] + }, + "source": { + "address": "username.example.org", + "domain": "username.example.org", + "mac": "0a-44-5b-4f-04-cf", + "port": 8, + "registered_domain": "example.org", + "subdomain": "username", + "top_level_domain": "org" } } 
@@ -534,6 +540,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`freeradius.outcome` | `keyword` | The outcome of the event | +|`host.name` | `keyword` | Name of the host. | |`network.name` | `keyword` | Name given by operators to sections of their network. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | diff --git a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md index 6d29dd003a..3504c79a6c 100644 --- a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md +++ b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md @@ -30,33 +30,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "duration": 416000000 }, - "source": { - "ip": "1.2.3.4", - "port": 443, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 37500, - "address": "5.6.7.8" - }, - "network": { - "bytes": 6561, - "packets": 12, - "iana_number": "6", - "type": "ipv4", - "transport": "tcp" + "port": 37500 }, "netflow": { "tcp": { "flags": 27 } }, + "network": { + "bytes": 6561, + "iana_number": "6", + "packets": 12, + "transport": "tcp", + "type": "ipv4" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 443 } } 
@@ -72,33 +72,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "duration": 113000000 }, - "source": { - "ip": "1.2.3.4", - "port": 54840, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" - }, - "network": { - "bytes": 1732, - "packets": 17, - "iana_number": "6", - "type": "ipv4", - "transport": "tcp" + "port": 443 }, "netflow": { "tcp": { "flags": 27 } }, + "network": { + "bytes": 1732, + "iana_number": "6", + "packets": 17, + "transport": "tcp", + "type": "ipv4" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 54840 } } @@ -114,28 +114,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "duration": 100000000 }, - "source": { - "ip": "1.2.3.4", - "port": 38005, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 123, - "address": "5.6.7.8" + "port": 123 }, "network": { "bytes": 76, - "packets": 1, "iana_number": "17", - "type": "ipv4", - "transport": "udp" + "packets": 1, + "transport": "udp", + "type": "ipv4" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 38005 } } diff --git a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md index 6d10ceb517..441fc83355 100644 --- a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md +++ b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md 
@@ -39,56 +39,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\trend\\Desktop\\eicar.exe act=Delete result=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/A TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM", "event": { - "kind": "event", + "action": "Delete", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Realtime", + "severity": 6, "type": [ "info" - ], - "severity": 6, - "action": "Delete", - "reason": "Realtime" - }, - "observer": { - "vendor": "Trend Micro", - "type": "Deep Security Agent", - "version": "" - }, - "rule": { - "id": "4000000" + ] }, - "trendmicro": { - "TrendMicroDsRelevantDetectionNames": [ - "Ransom_CERBER.BZC", - "Ransom_CERBER.C", - "Ransom_CRYPNISCA.SM" - ], - "TrendMicroDsDetectionConfidence": "95", - "TrendMicroDsMalwareTargetType": "N/A", - "TrendMicroDsMalwareTarget": "N/A", - "ResourceType": "Other" + "cef": { + "Name": "Eicar_test_file" }, "container": { "name": "ContainerImageName | ContainerName | ContainerID" }, - "host": { - "id": "1", - "name": "hostname" - }, "file": { + "directory": "C:\\Users\\trend\\Desktop", "hash": { - "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F", + "md5": "44D88612FEA8A8F36DE82E1278ABB02F", "sha1": "3395856CE81F2B7382DEE72602F798B642F14140", - "md5": "44D88612FEA8A8F36DE82E1278ABB02F" + "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" }, - 
"size": 205, - "path": "C:\\Users\\trend\\Desktop\\eicar.exe", "name": "eicar.exe", - "directory": "C:\\Users\\trend\\Desktop" + "path": "C:\\Users\\trend\\Desktop\\eicar.exe", + "size": 205 }, - "cef": { - "Name": "Eicar_test_file" + "host": { + "id": "1", + "name": "hostname" + }, + "observer": { + "type": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "" }, "related": { "hash": [ @@ -96,6 +82,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "3395856CE81F2B7382DEE72602F798B642F14140", "44D88612FEA8A8F36DE82E1278ABB02F" ] + }, + "rule": { + "id": "4000000" + }, + "trendmicro": { + "ResourceType": "Other", + "TrendMicroDsDetectionConfidence": "95", + "TrendMicroDsMalwareTarget": "N/A", + "TrendMicroDsMalwareTargetType": "N/A", + "TrendMicroDsRelevantDetectionNames": [ + "Ransom_CERBER.BZC", + "Ransom_CERBER.C", + "Ransom_CRYPNISCA.SM" + ] } } 
@@ -109,64 +109,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent|20.0.677|1011466|Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability (CVE-2022-30522)|6|cn1=318 cn1Label=Host ID dvchost=foo.bar.fr TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dmac=22:22:22:22:22:22 smac=11:11:11:11:11:11 TrendMicroDsFrameType=IP src=2.2.2.2 dst=1.1.1.1 in=0 cs3=DF 0 cs3Label=Fragmentation Bits proto=TCP spt=58407 dpt=443 cs2=ACK cs2Label=TCP Flags cnt=2 act=IDS:Reset cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs1=\"CVE-2022-30522\" cs1Label=DPI Note cs6=0 cs6Label=DPI Flags\n\n", "event": { - "kind": "event", + "action": "IDS:Reset", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability (CVE-2022-30522)", + "severity": 6, "type": [ "info" - ], - "severity": 6, - "action": "IDS:Reset", - "reason": "Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability (CVE-2022-30522)" - }, - "observer": { - "vendor": "Trend Micro", - "type": "Deep Security Agent", - "version": "20.0.677" - }, - "rule": { - "id": "1011466" + ] }, - "source": { - "ip": "2.2.2.2", - "mac": "11:11:11:11:11:11", - "port": 58407, - "address": "2.2.2.2" + "cef": { + "Name": "Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability (CVE-2022-30522)" }, "destination": { + "address": "1.1.1.1", "ip": "1.1.1.1", - "port": 443, "mac": "22:22:22:22:22:22", - "address": "1.1.1.1" + "port": 443 }, "host": { + "id": "318", + "name": "foo.bar.fr", "network": { "ingress": { "bytes": 0 } - }, - "id": "318", - "name": "foo.bar.fr" - }, - "trendmicro": { - "TrendMicroDsFrameType": "IP", - "TrendMicroDsTenantId": "0", - "TrendMicroDsTenant": "Primary", - "FragmentationBits": "DF 0", - "TCPFlags": [ - "ACK" - ], - "ResourceType": "Other" + } }, - "cef": { - "Name": "Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability 
(CVE-2022-30522)" + "observer": { + "type": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "20.0.677" }, "related": { "ip": [ "1.1.1.1", "2.2.2.2" ] + }, + "rule": { + "id": "1011466" + }, + "source": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "mac": "11:11:11:11:11:11", + "port": 58407 + }, + "trendmicro": { + "FragmentationBits": "DF 0", + "ResourceType": "Other", + "TCPFlags": [ + "ACK" + ], + "TrendMicroDsFrameType": "IP", + "TrendMicroDsTenant": "Primary", + "TrendMicroDsTenantId": "0" } } 
@@ -180,51 +180,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5", "event": { - "kind": "event", + "action": "detectOnly", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "notWhitelisted", + "severity": 6, "type": [ "info" - ], - "severity": 6, - "action": "detectOnly", - "reason": "notWhitelisted" - }, - "observer": { - "vendor": "Trend Micro", - "type": "Deep Security Agent", - "version": "10.2.229" + ] }, - "rule": { - "id": "6001200" + "cef": { + "Name": "AppControl detectOnly" }, "file": { - "size": 20, + "directory": "/home/user1/Desktop/Directory1/", "hash": { - "sha1": "0CC9713BA896193A527213D9C94892D41797EB7C", - "md5": "7EA8EF10BEB2E9876D4D7F7E5A46CF8D" + "md5": "7EA8EF10BEB2E9876D4D7F7E5A46CF8D", + "sha1": "0CC9713BA896193A527213D9C94892D41797EB7C" }, - "path": "/home/user1/Desktop/Directory1//heartbeatSync.sh", "name": "heartbeatSync.sh", - "directory": "/home/user1/Desktop/Directory1/" - }, - "source": { - "user": { - "name": "root" - } - }, - "trendmicro": { - "TrendMicroDsTenantId": "0", - "TrendMicroDsTenant": "Primary", - "ResourceType": "Other" + "path": "/home/user1/Desktop/Directory1//heartbeatSync.sh", + "size": 20 }, "host": { "id": "202", "ip": "192.168.33.128" }, - "cef": { - "Name": "AppControl detectOnly" + "observer": { + "type": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "10.2.229" }, "related": { "hash": [ 
@@ -237,6 +224,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "root" ] + }, + "rule": { + "id": "6001200" + }, + "source": { + "user": { + "name": "root" + } + }, + "trendmicro": { + "ResourceType": "Other", + "TrendMicroDsTenant": "Primary", + "TrendMicroDsTenantId": "0" } } @@ -250,35 +250,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent|50.0.1063|7000000|Device Control DeviceControl|6|cn1=1 cn1Label=Host ID dvchost=test-hostname TrendMicroDsTenant=tenantName TrendMicroDsTenantId=1 device=deviceName processName=processName1 fileName=/tmp/some_path2 vendor=vendorName serial=aaaa-bbbb-cccc model=modelName computerName=computerName domainName=computerDomain deviceType=0 permission=0", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Device Control DeviceControl", + "severity": 6, "type": [ "info" - ], - "severity": 6, - "reason": "Device Control DeviceControl" + ] + }, + "cef": { + "Name": "Device Control DeviceControl" + }, + "host": { + "id": "1", + "name": "test-hostname" }, "observer": { - "vendor": "Trend Micro", "type": "Deep Security Agent", + "vendor": "Trend Micro", "version": "50.0.1063" }, "rule": { "id": "7000000" }, "trendmicro": { - "TrendMicroDsTenantId": "1", + "ResourceType": "Other", "TrendMicroDsTenant": "tenantName", - "ResourceType": "Other" - }, - "host": { - "id": "1", - "name": "test-hostname" - }, - "cef": { - "Name": "Device Control DeviceControl" + "TrendMicroDsTenantId": "1" } } 
@@ -292,63 +292,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AFB...", "event": { - "kind": "event", + "action": "Log", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Log for TCP Port 80", "type": [ "info" - ], - "action": "Log", - "reason": "Log for TCP Port 80" + ] + }, + "cef": { + "Name": "Log for TCP Port 80" + }, + "destination": { + "address": "72.14.204.147", + "ip": "72.14.204.147", + "mac": "00:50:56:F5:7F:47", + "port": 80 + }, + "host": { + "id": "1", + "network": { + "egress": { + "bytes": 1019 + } + } }, "observer": { - "vendor": "Trend Micro", "type": "Deep Security Agent", + "vendor": "Trend Micro", "version": "" }, + "related": { + "ip": [ + "192.168.126.150", + "72.14.204.147" + ] + }, "rule": { "id": "20", "name": "Log-only Firewall rule" }, "source": { + "address": "192.168.126.150", "ip": "192.168.126.150", "mac": "00:0C:29:EB:35:DE", - "port": 49617, - "address": "192.168.126.150" - }, - "destination": { - "ip": "72.14.204.147", - "port": 80, - "mac": "00:50:56:F5:7F:47", - "address": "72.14.204.147" - }, - "host": { - "network": { - "egress": { - "bytes": 1019 - } - }, - "id": "1" + "port": 49617 }, "trendmicro": { - "TrendMicroDsFrameType": "IP", "FragmentationBits": "DF MF", + "ResourceType": "Other", "TCPFlags": [ "0x00", "ACK", "PSH" ], - "ResourceType": "Other" - }, - "cef": { - "Name": "Log for TCP Port 80" - }, - "related": { - "ip": [ - "192.168.126.150", - "72.14.204.147" - ] + "TrendMicroDsFrameType": "IP" } } 
@@ -362,22 +362,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||30|New Integrity Monitoring Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\\windows\\message.dll suser=admin sproc=C:\\Windows\\System32\\notepad.exe msg=lastModified,sha1,size", "event": { - "kind": "event", + "action": "updated", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "lastModified,sha1,size", + "severity": 6, "type": [ "info" - ], - "severity": 6, - "action": "updated", - "reason": "lastModified,sha1,size" + ] + }, + "cef": { + "Name": "New Integrity Monitoring Rule" + }, + "file": { + "directory": "c:\\windows", + "name": "message.dll", + "path": "c:\\windows\\message.dll" + }, + "host": { + "id": "1", + "name": "hostname" }, "observer": { - "vendor": "Trend Micro", "type": "Deep Security Agent", + "vendor": "Trend Micro", "version": "" }, + "process": { + "name": "C:\\Windows\\System32\\notepad.exe" + }, + "related": { + "user": [ + "admin" + ] + }, "rule": { "id": "30", "name": "Custom Integrity Monitoring rule" @@ -389,26 +409,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "trendmicro": { "ResourceType": "Other" - }, - "host": { - "id": "1", - "name": "hostname" - }, - "process": { - "name": "C:\\Windows\\System32\\notepad.exe" - }, - "file": { - "path": "c:\\windows\\message.dll", - "name": "message.dll", - "directory": "c:\\windows" - }, - "cef": { - "Name": "New Integrity Monitoring Rule" - }, - "related": { - "user": [ - "admin" - ] } } 
@@ -422,66 +422,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags TrendMicroDsPacketData=R0VUIC9zP3...", "event": { - "kind": "event", + "action": "IDS:Reset", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Test Intrusion Prevention Rule", + "severity": 3, "type": [ "info" - ], - "severity": 3, - "action": "IDS:Reset", - "reason": "Test Intrusion Prevention Rule" - }, - "observer": { - "vendor": "Trend Micro", - "type": "Deep Security Agent", - "version": "" - }, - "rule": { - "id": "1001111" + ] }, - "source": { - "ip": "192.168.126.150", - "mac": "00:0C:29:EB:35:DE", - "port": 49786, - "address": "192.168.126.150" + "cef": { + "Name": "Test Intrusion Prevention Rule" }, "destination": { + "address": "72.14.204.105", "ip": "72.14.204.105", - "port": 80, "mac": "00:50:56:F5:7F:47", - "address": "72.14.204.105" + "port": 80 }, "host": { + "id": "1", + "name": "hostname", "network": { "egress": { "bytes": 1093 } - }, - "id": "1", - "name": "hostname" + } + }, + "observer": { + "type": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "" + }, + "related": { + "ip": [ + "192.168.126.150", + "72.14.204.105" + ] + }, + "rule": { + "id": "1001111" + }, + "source": { + "address": "192.168.126.150", + "ip": "192.168.126.150", + "mac": "00:0C:29:EB:35:DE", + "port": 49786 }, "trendmicro": { - "TrendMicroDsFrameType": "IP", - "IntrusionPreventionStreamPosition": "10", - "IntrusionPreventionFlags": 
"8", "FragmentationBits": "DF MF", + "IntrusionPreventionFlags": "8", + "IntrusionPreventionStreamPosition": "10", + "ResourceType": "Other", "TCPFlags": [ "0x00", "ACK", "PSH" ], - "ResourceType": "Other" - }, - "cef": { - "Name": "Test Intrusion Prevention Rule" - }, - "related": { - "ip": [ - "192.168.126.150", - "72.14.204.105" - ] + "TrendMicroDsFrameType": "IP" } } 
@@ -495,58 +495,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||3002795|Microsoft Windows Events|8|cn1=1 cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..", + "severity": 8, "type": [ "info" - ], - "severity": 8, - "reason": "WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: .." 
- }, - "observer": { - "vendor": "Trend Micro", - "type": "Deep Security Agent", - "version": "" - }, - "rule": { - "id": "3002795" - }, - "file": { - "name": "Security" + ] }, - "source": { - "ip": "127.0.0.1", - "address": "127.0.0.1" + "cef": { + "Name": "Microsoft Windows Events" }, "destination": { "user": { "name": "(no user)" } }, + "file": { + "name": "Security" + }, "host": { "hostname": "WIN-RM6HM42G65V", "id": "1", "name": "hostname" }, - "trendmicro": { - "LogInspectionDescription": "Multiple Windows Logon Failures", - "ResourceType": "Other" - }, - "cef": { - "Name": "Microsoft Windows Events" + "observer": { + "type": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "" }, "related": { "hosts": [ "WIN-RM6HM42G65V" ], - "user": [ - "(no user)" - ], "ip": [ "127.0.0.1" + ], + "user": [ + "(no user)" ] + }, + "rule": { + "id": "3002795" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "trendmicro": { + "LogInspectionDescription": "Multiple Windows Logon Failures", + "ResourceType": "Other" } } 
@@ -560,44 +560,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Workload Security Manager||600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5", "event": { - "kind": "event", "category": [ "authentication" ], + "kind": "event", + "reason": "User signed in from 2001:db8::5", + "severity": 3, "type": [ "info" - ], - "severity": 3, - "reason": "User signed in from 2001:db8::5" + ] + }, + "cef": { + "Name": "User Signed In" }, "observer": { - "vendor": "Trend Micro", "type": "Workload Security Manager", + "vendor": "Trend Micro", "version": "" }, + "related": { + "ip": [ + "10.52.116.160" + ], + "user": [ + "admin" + ] + }, "rule": { "id": "600" }, "source": { + "address": "10.52.116.160", + "ip": "10.52.116.160", "user": { "name": "admin" - }, - "ip": "10.52.116.160", - "address": "10.52.116.160" + } }, "trendmicro": { "ResourceType": "Other" - }, - "cef": { - "Name": "User Signed In" - }, - "related": { - "user": [ - "admin" - ], - "ip": [ - "10.52.116.160" - ] } } 
@@ -611,37 +611,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trend Micro|Deep Security Agent||5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", + "reason": "Blocked By Admin", + "severity": 5, "type": [ "info" - ], - "severity": 5, - "reason": "Blocked By Admin" + ] + }, + "cef": { + "Name": "WebReputation" + }, + "host": { + "id": "1", + "name": "hostname" }, "observer": { - "vendor": "Trend Micro", "type": "Deep Security Agent", + "vendor": "Trend Micro", "version": "" }, "rule": { "id": "5000000" }, - "url": { - "original": "example.com", - "path": "example.com" - }, "trendmicro": { "ResourceType": "Other" }, - "host": { - "id": "1", - "name": "hostname" - }, - "cef": { - "Name": "WebReputation" + "url": { + "original": "example.com", + "path": "example.com" } } diff --git a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md index 1f177c7e3b..1fa23c751b 100644 --- a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md 
@@ -35,81 +35,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"timestamp\":\"2023-06-16T14:55:19.595Z\",\"autoguid\":\"d40cdc38-cd2e-4605-a119-d6b4b00b4c1c\",\"detectedutc\":\"1686927090000\",\"receivedutc\":\"1686927319594\",\"agentguid\":\"d751670f-2c24-422a-af97-23a008522910\",\"analyzer\":\"ENDP_AM_1070\",\"analyzername\":\"Trellix Endpoint Security\",\"analyzerversion\":\"10.7.0.5786\",\"analyzerhostname\":\"hyrvrxzcyuaz-vm\",\"analyzeripv4\":\"10.0.4.4\",\"analyzeripv6\":\"/0:0:0:0:0:ffff:a00:404\",\"analyzermac\":\"6045bdeef272\",\"analyzerdatversion\":null,\"analyzerengineversion\": \"analyzer_engine_version_1\",\"analyzerdetectionmethod\":\"Exploit Prevention\",\"sourcehostname\":null,\"sourceipv4\":\"10.0.4.4\",\"sourceipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"sourcemac\":null,\"sourceusername\":\"test_source_username\",\"sourceprocessname\":\"test_source_process_name\",\"sourceurl\":null,\"targethostname\":null,\"targetipv4\":\"10.0.4.5\",\"targetipv6\":\"/0:0:0:0:0:ffff:a00:404\",\"targetmac\":null,\"targetusername\":\"hyrvrxzcyuaz-vm\\\\adminuser\",\"targetport\":2081,\"targetprotocol\":null,\"targetprocessname\":\"POWERSHELL.EXE\",\"targetfilename\":\"C:\\\\WINDOWS\\\\SYSTEM32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\POWERSHELL.EXE\",\"threatcategory\":\"hip.bo\",\"threateventid\":18054,\"threatseverity\":\"2\",\"threatname\":\"ExP:Illegal API Use\",\"threattype\":\"IDS_THREAT_TYPE_VALUE_BOP\",\"threatactiontaken\":\"IDS_ACTION_WOULD_BLOCK\",\"threathandled\":true,\"nodepath\":\"1\\\\1016600\\\\1089555\",\"targethash\":\"bcf01e61144d6d6325650134823198b8\",\"sourceprocesshash\":null,\"sourceprocesssigned\":null,\"sourceprocesssigner\":null,\"sourcefilepath\":null}", "event": { - "kind": "event", "category": [ "intrusion_detection" ], + "kind": "event", "type": [ "denied" ] }, "@timestamp": "2023-06-16T14:55:19.595000Z", - "observer": { - "vendor": "Trellix", - "product": "ePO" - }, "agent": { "id": 
"d751670f-2c24-422a-af97-23a008522910" }, - "source": { + "destination": { + "address": "10.0.4.5", + "ip": "10.0.4.5", + "port": 2081, "user": { - "name": "test_source_username" - }, - "ip": "10.0.4.4", - "address": "10.0.4.4" - }, - "user": { - "name": "test_source_username", - "target": { "name": "hyrvrxzcyuaz-vm\\adminuser" } }, + "host": { + "name": "hyrvrxzcyuaz-vm" + }, + "observer": { + "product": "ePO", + "vendor": "Trellix" + }, "process": { "name": "test_source_process_name" }, - "destination": { - "user": { - "name": "hyrvrxzcyuaz-vm\\adminuser" - }, - "ip": "10.0.4.5", - "port": 2081, - "address": "10.0.4.5" + "related": { + "ip": [ + "10.0.4.4", + "10.0.4.5" + ], + "user": [ + "hyrvrxzcyuaz-vm\\adminuser", + "test_source_username" + ] }, - "host": { - "name": "hyrvrxzcyuaz-vm" + "source": { + "address": "10.0.4.4", + "ip": "10.0.4.4", + "user": { + "name": "test_source_username" + } }, "trellix": { + "analyzer": { + "detection_method": "Exploit Prevention", + "engine_version": "analyzer_engine_version_1", + "host": "hyrvrxzcyuaz-vm", + "name": "Trellix Endpoint Security", + "version": "10.7.0.5786" + }, "event": { - "id": "d40cdc38-cd2e-4605-a119-d6b4b00b4c1c", "detect_date": "1686927090000", + "id": "d40cdc38-cd2e-4605-a119-d6b4b00b4c1c", "receive_date": "1686927319594" }, - "analyzer": { - "name": "Trellix Endpoint Security", - "version": "10.7.0.5786", - "host": "hyrvrxzcyuaz-vm", - "detection_method": "Exploit Prevention", - "engine_version": "analyzer_engine_version_1" - }, "threat": { - "name": "ExP:Illegal API Use", + "action_taken": "IDS_ACTION_WOULD_BLOCK", "category": "hip.bo", "event_id": "18054", + "is_handled": "true", + "name": "ExP:Illegal API Use", "severity": "2", - "type": "IDS_THREAT_TYPE_VALUE_BOP", - "action_taken": "IDS_ACTION_WOULD_BLOCK", - "is_handled": "true" + "type": "IDS_THREAT_TYPE_VALUE_BOP" } }, - "related": { - "user": [ - "hyrvrxzcyuaz-vm\\adminuser", - "test_source_username" - ], - "ip": [ - "10.0.4.4", - "10.0.4.5" 
- ] + "user": { + "name": "test_source_username", + "target": { + "name": "hyrvrxzcyuaz-vm\\adminuser" + } } } diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md index 17cac86e48..bea533f522 100644 --- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md +++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md 
@@ -39,65 +39,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], + "kind": "event", + "severity": 1, "type": [ "info" - ], - "severity": 1, - "kind": "event" - }, - "source": { - "ip": "9.8.7.6", - "port": 80, - "address": "9.8.7.6" + ] }, + "@timestamp": "2022-06-03T15:00:20.531000Z", "destination": { + "address": "1.2.3.4", "ip": "1.2.3.4", - "port": 49804, - "address": "1.2.3.4" + "port": 49804 }, - "@timestamp": "2022-06-03T15:00:20.531000Z", - "observer": { - "name": "gcap-nti.gatewatcher.com", - "version": "0.2", - "hostname": "network.internal", - "type": "firewall" - }, - "network": { - "transport": "TCP", - "protocol": "http" + "file": { + "hash": { + "md5": "16e3fcee85f81ec9e9c75dd13fb08c01", + "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" + }, + "name": "/exploit.html", + "size": 6105 }, "gatewatcher": { - "type": "malcore", - "state": "Infected", + "event_type": "malware", + "flow_id": "1686930575880829", + "gcap": "gcap-nti.gatewatcher.com", "gcenter": [ "gcenter-nti.gatewatcher.com", "gcenter-nti.gatewatcher.com" ], - "gcap": "gcap-nti.gatewatcher.com", - "flow_id": "1686930575880829", - "timestamp_analyzed": "2022-06-03T15:00:20.531Z", - "timestamp_detected": "2022-06-03T14:59:08.780Z", - "event_type": "malware", "malcore": { "code": "1", "detail_threat_found": "Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic" }, - "reporting_token": "No GBOX" - }, - "file": { - "name": "/exploit.html", - "size": 6105, - "hash": { - "md5": "16e3fcee85f81ec9e9c75dd13fb08c01", - "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" - } - }, - "url": { - "path": "/exploit.html", - "domain": "www.xmlformats.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "xmlformats.com" + "reporting_token": "No GBOX", + "state": "Infected", + "timestamp_analyzed": 
"2022-06-03T15:00:20.531Z", + "timestamp_detected": "2022-06-03T14:59:08.780Z", + "type": "malcore" }, "http": { "request": { @@ -107,16 +85,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, - "user_agent": { - "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)", - "device": { - "name": "Other" - }, - "name": "Outlook", - "version": "2016", - "os": { - "name": "Other" - } + "network": { + "protocol": "http", + "transport": "TCP" + }, + "observer": { + "hostname": "network.internal", + "name": "gcap-nti.gatewatcher.com", + "type": "firewall", + "version": "0.2" }, "related": { "hash": [ @@ -131,6 +108,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "9.8.7.6" ] + }, + "source": { + "address": "9.8.7.6", + "ip": "9.8.7.6", + "port": 80 + }, + "url": { + "domain": "www.xmlformats.com", + "path": "/exploit.html", + "registered_domain": "xmlformats.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Outlook", + "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)", + "os": { + "name": "Other" + }, + "version": "2016" } } 
@@ -144,63 +144,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2022-06-03T14:59:41.373Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"alert\",\"payload\":\"SFRUUC8xLjEgMjAwIE9LCkRhdGU6IFRodSwgMDIgSnVuIDIwMjIgMjI6Mzc6MjIgR01UClNlcnZlcjogQXBhY2hlLzIuNC40MSAoVWJ1bnR1KQpMYXN0LU1vZGlmaWVkOiBUaHUsIDAyIEp1biAyMDIyIDIyOjMwOjM0IEdNVApFVGFnOiAiMTdkOS01ZTA3ZThkZGI0NTA4LWd6aXAiCkFjY2VwdC1SYW5nZXM6IGJ5dGVzClZhcnk6IEFjY2VwdC1FbmNvZGluZwpDb250ZW50LUVuY29kaW5nOiBnemlwCkNvbnRlbnQtTGVuZ3RoOiAyNDg1CktlZXAtQWxpdmU6IHRpbWVvdXQ9NSwgbWF4PTEwMApDb25uZWN0aW9uOiBLZWVwLUFsaXZlCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sCgp0ZXN0Cg==\",\"packet\":\"CAAnjitsCAAnk+hwCABFAAAoBRhAAD8GMWkKAQHewKg4yABQwow7Z24SQI3k4FAQAfUWzAAA\",\"type\":\"suricata\",\"community_id\":\"1:dGVzdAo=\",\"app_proto\":\"http\",\"src_ip\":\"9.8.7.6\",\"dest_port\":49804,\"alert\":{\"action\":\"allowed\",\"rev\":2,\"signature\":\"ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe)\",\"category\":\"Potentially Bad Traffic\",\"gid\":1,\"metadata\":{\"updated_at\":[\"2020_11_17\"],\"created_at\":[\"2020_04_13\"],\"former_category\":[\"HUNTING\"],\"signature_severity\":[\"Informational\"],\"attack_target\":[\"Client_Endpoint\"],\"deployment\":[\"Perimeter\"],\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"]},\"signature_id\":2841990,\"severity\":2},\"flow\":{\"pkts_toserver\":5,\"bytes_toserver\":798,\"start\":\"2022-06-03T14:59:08.750205+0000\",\"pkts_toclient\":4,\"bytes_toclient\":3052},\"files\":[{\"filename\":\"/exploit.html\",\"state\":\"CLOSED\",\"tx_id\":0,\"sid\":[1100029],\"magic\":\"HTML document, ASCII text, with very long 
lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"size\":6105,\"stored\":false}],\"proto\":\"TCP\",\"stream\":1,\"host\":\"network.internal\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"ether\":{\"src_mac\":\"08:00:27:8e:2b:6c\",\"dest_mac\":\"08:00:27:93:e8:70\"},\"src_port\":80,\"flow_id\":1686930575880829,\"payload_printable\":\"HTTP/1.1 200 OK\\r\\nDate: Thu, 02 Jun 2022 22:37:22 GMT\\r\\nServer: Apache/2.4.41 (Ubuntu)\\r\\nLast-Modified: Thu, 02 Jun 2022 22:30:34 GMT\\r\\nETag: \\\"17d9-5e07e8ddb4508-gzip\\\"\\r\\nAccept-Ranges: bytes\\r\\nVary: Accept-Encoding\\r\\nContent-Encoding: gzip\\r\\nContent-Length: 2485\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/html\\r\\n\\r\\n...........Xko........\\n.F&.$VS..]pmYRa.Vd9q.(.........gW......#7....G....s.=.RO.....q..&n.....0.k...|{D.....!6.....V&nB.6.oVap......}7........l..>..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\\\"...!:.............C./.Z.....\\rP$S,.t.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... ..c..z.j.u.D.....*......G.ng.U.....@.3U......\\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\\n...B......q.IR....\\n..P&....i.d... 
.07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\\rm.VcK....p:....P.Dj...\\nD*0u*..b..(..P...\\\\S..Q*VT'......m.............7B..D./\\\"...gX..\\\".9W....I.=.9......T.%.U....J{b.l.\\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\\\..zZ\\\"\\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\\\&#'EUT...;Xt?...P.%W'.,@(\\r.+Y...4.y~.{d.&xn\\\"...../].....k.m.ZK`..M.lr.....VK.\\\"z&.R+.V.<-..U.\\\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\\\"S\\\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. .!.t....._q.....\\\\........H...Y...MA...`U.8..O..z.J.l#91..\\\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^FEDERATEUR ACCEPT IN=enp4s0f0.82 OUT=enp4s0f1 MAC=14:58:d0:b4:65:b8:02:01:c0:a8:e0:26:08:00 SRC=192.168.224.43 DST=192.168.100.230 LEN=52 TOS=08 PREC=0x00 TTL=126 ID=0 DF PROTO=TCP SPT=44606 DPT=80 SEQ=2504400626 ACK=0 WINDOW=64612 SYN URGP=0 MARK=0", + "action": { + "name": "accept", + "outcome": "success" + }, "destination": { - "mac": "14:58:d0:b4:65:b8", - 
"port": 80, "address": "192.168.100.230", - "ip": "192.168.100.230" - }, - "source": { - "mac": "02:01:c0:a8:e0:26", - "port": 44606, - "address": "192.168.224.43", - "bytes": 52, - "ip": "192.168.224.43" + "ip": "192.168.100.230", + "mac": "14:58:d0:b4:65:b8", + "port": 80 }, "network": { "transport": "tcp" }, - "action": { - "name": "accept", - "outcome": "success" - }, "related": { "ip": [ "192.168.100.230", "192.168.224.43" ] + }, + "source": { + "address": "192.168.224.43", + "bytes": 52, + "ip": "192.168.224.43", + "mac": "02:01:c0:a8:e0:26", + "port": 44606 } } @@ -64,31 +64,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INPUT DFLT DROP IN=enp4s0f0.82 OUT=enp4s0f1 MAC=14:58:d0:b4:65:b8:02:01:c0:a8:e0:26:08:00 SRC=192.168.224.43 DST=192.168.100.230 LEN=52 TOS=08 PREC=0x00 TTL=126 ID=0 DF PROTO=TCP SPT=44606 DPT=80 SEQ=2504400626 ACK=0 WINDOW=64612 SYN URGP=0 MARK=0", + "action": { + "name": "drop", + "outcome": "success" + }, "destination": { - "mac": "14:58:d0:b4:65:b8", - "port": 80, "address": "192.168.100.230", - "ip": "192.168.100.230" - }, - "source": { - "mac": "02:01:c0:a8:e0:26", - "port": 44606, - "address": "192.168.224.43", - "bytes": 52, - "ip": "192.168.224.43" + "ip": "192.168.100.230", + "mac": "14:58:d0:b4:65:b8", + "port": 80 }, "network": { "transport": "tcp" }, - "action": { - "name": "drop", - "outcome": "success" - }, "related": { "ip": [ "192.168.100.230", "192.168.224.43" ] + }, + "source": { + "address": "192.168.224.43", + "bytes": 52, + "ip": "192.168.224.43", + "mac": "02:01:c0:a8:e0:26", + "port": 44606 } } 
@@ -101,31 +101,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INTERNET SPOOFING DROP IN=enp4s0f1 OUT=enp5s0f1 MAC=14:58:d0:b4:65:bc:d8:67:d9:0f:85:41:08:00 SRC=10.16.123.245 DST=192.168.1.47 LEN=132 TOS=00 PREC=0x00 TTL=126 ID=26580 PROTO=UDP SPT=61829 DPT=65267 LEN=112 MARK=0", + "action": { + "name": "drop", + "outcome": "success" + }, "destination": { - "mac": "14:58:d0:b4:65:bc", - "port": 65267, "address": "192.168.1.47", - "ip": "192.168.1.47" - }, - "source": { - "mac": "d8:67:d9:0f:85:41", - "port": 61829, - "address": "10.16.123.245", - "bytes": 132, - "ip": "10.16.123.245" + "ip": "192.168.1.47", + "mac": "14:58:d0:b4:65:bc", + "port": 65267 }, "network": { "transport": "udp" }, - "action": { - "name": "drop", - "outcome": "success" - }, "related": { "ip": [ "10.16.123.245", "192.168.1.47" ] + }, + "source": { + "address": "10.16.123.245", + "bytes": 132, + "ip": "10.16.123.245", + "mac": "d8:67:d9:0f:85:41", + "port": 61829 } } @@ -139,15 +139,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "IPTABLES IN=net0 OUT=docker0 MAC=00:e0:4c:68:00:64:70:df:2f:d0:8c:a7:08:00 SRC=172.217.22.142 DST=172.17.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=20 SEQ=", "destination": { - "mac": "00:e0:4c:68:00:64", "address": "172.17.0.2", - "ip": "172.17.0.2" - }, - "source": { - "mac": "70:df:2f:d0:8c:a7", - "address": "172.217.22.142", - "bytes": 84, - "ip": "172.217.22.142" + "ip": "172.17.0.2", + "mac": "00:e0:4c:68:00:64" }, "network": { "transport": "icmp" @@ -157,6 +151,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "172.17.0.2", "172.217.22.142" ] + }, + "source": { + "address": "172.217.22.142", + "bytes": 84, + "ip": "172.217.22.142", + "mac": "70:df:2f:d0:8c:a7" } } 
@@ -170,17 +170,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "IPTABLES IN=net0 OUT=docker0 MAC=00:e0:4c:68:00:64:70:df:2f:d0:8c:a7:08:00 SRC=216.58.213.163 DST=172.17.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=120 ID=51233 PROTO=TCP SPT=80 DPT=51212 WINDOW=60192 RES=0x00 ACK SYN URGP=0", "destination": { - "mac": "00:e0:4c:68:00:64", - "port": 51212, "address": "172.17.0.2", - "ip": "172.17.0.2" - }, - "source": { - "mac": "70:df:2f:d0:8c:a7", - "port": 80, - "address": "216.58.213.163", - "bytes": 60, - "ip": "216.58.213.163" + "ip": "172.17.0.2", + "mac": "00:e0:4c:68:00:64", + "port": 51212 }, "network": { "transport": "tcp" @@ -190,6 +183,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "172.17.0.2", "216.58.213.163" ] + }, + "source": { + "address": "216.58.213.163", + "bytes": 60, + "ip": "216.58.213.163", + "mac": "70:df:2f:d0:8c:a7", + "port": 80 } } diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index f9a94f04ab..3c1d55145a 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
@@ -37,70 +37,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2020-09-29T08:59:26\", \"Id\": \"e1717ca5-c13e-4382-ad7e-4864faa11e85\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"RecordType\": 15, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"10030000A9F382C6@sekoiacorp.onmicrosoft.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe\", \"UserId\": \"user@company.onmicrosoft.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"cb42ef6c-989f-49d0-86cd-7706b8d14528\", \"Type\": 0}, {\"ID\": \"user@company.onmicrosoft.com\", \"Type\": 5}, {\"ID\": \"10030000A9F382C6\", \"Type\": 3}], \"ActorContextId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"ActorIpAddress\": \"1.2.3.4\", \"InterSystemsId\": \"d23dd5d2-ccc8-4928-b7a0-f446a2ca4a90\", \"IntraSystemId\": \"a196489a-9a7c-4824-b35a-5bfdec600c00\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe\", \"Type\": 0}], \"TargetContextId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"ApplicationId\": \"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\"}", "event": { "action": "UserLoggedIn", - "kind": "event", - "code": "15", "category": [ "authentication" ], + "code": "15", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2020-09-29T08:59:26Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": 
"user@company.onmicrosoft.com", - "id": "10030000A9F382C6@sekoiacorp.onmicrosoft.com", - "email": "user@company.onmicrosoft.com" - }, - "organization": { - "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2" - }, "action": { "id": 15, "name": "UserLoggedIn", - "target": "network-traffic", - "outcome": "success" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "outcome": "success", + "target": "network-traffic" }, "office365": { - "record_type": 15, - "result_status": "Succeeded", - "user_type": { - "code": 0, - "name": "Regular" - }, "audit": { "object_id": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" }, "auth": { - "user_authentication_method": 1, + "keep_me_signed_in": true, "request_type": "OAuth2:Authorize", "result_status_detail": "Redirect", - "keep_me_signed_in": true + "user_authentication_method": 1 }, "context": { "correlation": { "id": "d23dd5d2-ccc8-4928-b7a0-f446a2ca4a90" } - } - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", - "device": { - "name": "Other" }, - "name": "Chrome", - "version": "85.0.4183", - "os": { - "name": "Linux" + "record_type": 15, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2" + }, "related": { "ip": [ "1.2.3.4" 
@@ -108,6 +85,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user@company.onmicrosoft.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "user@company.onmicrosoft.com", + "id": "10030000A9F382C6@sekoiacorp.onmicrosoft.com", + "name": "user@company.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "85.0.4183" } } 
@@ -122,66 +122,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": \"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\"}\", \"Actions\": [ \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", "event": { "action": "AirInvestigationData", - "kind": "alert", "code": "64", - "start": "2023-04-17T14:11:38Z", - "end": "2023-04-17T14:27:07Z" + "end": "2023-04-17T14:27:07Z", + "kind": "alert", + "start": "2023-04-17T14:11:38Z" }, "@timestamp": "2023-04-17T14:27:09Z", - "service": { - "name": "AirInvestigation" - }, - "user": { - "name": "AirInvestigation", - "id": 
"AirInvestigation" - }, - "organization": { - "id": "774d3f25-d4cf-4544-811f-fdb0e60e9ffd" - }, "action": { "id": 64, "name": "AirInvestigationData", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" + }, + "host": { + "name": "machine_name_value" + }, + "log": { + "level": "severity_value" }, "office365": { - "record_type": 64, - "user_type": { - "code": 4, - "name": "System" - }, "audit": { "object_id": "60eaf0aa-edc3-4f8d-8275-bc82d9500e59" }, "investigation": { - "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", - "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", - "type": "ZappedUrlInvestigation", - "status": "Remediated", "alert": { - "type": "alert_type_value", + "category": "category_value", + "correlation_key": "correlation_key_value", + "is_incident": true, "provider": { "name": "OATP", "status": "status_value" }, "severity": "severity_value", - "is_incident": true, - "correlation_key": "correlation_key_value", - "category": "category_value", - "source_type": "source_alert_type_value" - } + "source_type": "source_alert_type_value", + "type": "alert_type_value" + }, + "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", + "status": "Remediated", + "type": "ZappedUrlInvestigation" + }, + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" } }, - "host": { - "name": "machine_name_value" - }, - "log": { - "level": "severity_value" + "organization": { + "id": "774d3f25-d4cf-4544-811f-fdb0e60e9ffd" }, "related": { "user": [ "AirInvestigation" ] + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" } } 
@@ -196,106 +196,106 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": \"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\",\\\"Entities\\\": 
[{\\\"Urls\\\":[\\\"http://1.2.3.4\\\",\\\"http://1.2.3.5\\\"],\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"Subject\\\":\\\"subject_value\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.4\\\",\\\"Threats\\\":1,\\\"Sender\\\":\\\"test@test.test\\\",\\\"Recipient\\\":\\\"test1@test.test\\\"},{\\\"Urls\\\":[\\\"http://1.2.3.6\\\",\\\"http://1.2.3.7\\\"],\\\"SenderIP\\\":\\\"1.2.3.8\\\",\\\"Subject\\\":\\\"subject_value_1\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.9\\\",\\\"Threats\\\":2,\\\"Sender\\\":\\\"test3@test.test\\\",\\\"Recipient\\\":\\\"test4@test.test\\\"}]}\", \"Actions\": [ \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", "event": { "action": "AirInvestigationData", - "kind": "alert", "code": "64", - "start": "2023-04-17T14:11:38Z", - "end": "2023-04-17T14:27:07Z" + "end": "2023-04-17T14:27:07Z", + "kind": "alert", + "start": "2023-04-17T14:11:38Z" }, "@timestamp": "2023-04-17T14:27:09Z", - "service": { - "name": "AirInvestigation" - }, - "user": { - "name": "AirInvestigation", - "id": "AirInvestigation" - }, - "organization": { - "id": "774d3f25-d4cf-4544-811f-fdb0e60e9ffd" - }, "action": { "id": 64, "name": "AirInvestigationData", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, - "office365": { - "record_type": 64, - "user_type": { - "code": 4, - "name": "System" + "email": { + "from": { + "address": [ + "test3@test.test", + "test@test.test" + ] }, + "to": { + "address": [ + "test1@test.test", + "test4@test.test" + ] + } + }, + "host": { + "name": "machine_name_value" + }, + "log": { + "level": "severity_value" + }, + "office365": { "audit": { "object_id": "60eaf0aa-edc3-4f8d-8275-bc82d9500e59" }, "investigation": { - "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", - "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", - "type": "ZappedUrlInvestigation", - "status": "Remediated", "alert": { - "type": 
"alert_type_value", + "category": "category_value", + "correlation_key": "correlation_key_value", + "is_incident": true, "provider": { "name": "OATP", "status": "status_value" }, "severity": "severity_value", - "is_incident": true, - "correlation_key": "correlation_key_value", - "category": "category_value", - "source_type": "source_alert_type_value" + "source_type": "source_alert_type_value", + "type": "alert_type_value" }, "email": { - "urls": [ - "http://1.2.3.4", - "http://1.2.3.5", - "http://1.2.3.6", - "http://1.2.3.7" - ], "sender": { - "ip": [ - "1.2.3.4", - "1.2.3.8" - ], "domains": [ "http://1.2.3.4", "http://1.2.3.9" + ], + "ip": [ + "1.2.3.4", + "1.2.3.8" ] }, "subjects": [ "subject_value", "subject_value_1" + ], + "urls": [ + "http://1.2.3.4", + "http://1.2.3.5", + "http://1.2.3.6", + "http://1.2.3.7" ] }, + "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", + "status": "Remediated", "threats": [ "1", "2" - ] - } - }, - "host": { - "name": "machine_name_value" - }, - "log": { - "level": "severity_value" - }, - "email": { - "from": { - "address": [ - "test@test.test", - "test3@test.test" - ] + ], + "type": "ZappedUrlInvestigation" }, - "to": { - "address": [ - "test1@test.test", - "test4@test.test" - ] + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" } }, + "organization": { + "id": "774d3f25-d4cf-4544-811f-fdb0e60e9ffd" + }, "related": { "user": [ "AirInvestigation" ] + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" } } 
@@ -310,25 +310,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"ActionId\":\"a81edede-be03-41f4-aae2-b6b25186adc6\",\"ActionName\":\"Enable self-service password reset\",\"ActionProducts\":[],\"ActionScore\":26.0,\"ActionScoreChange\":-1.0,\"ActionActivity\":\"COMPLIANCEMANAGER-SCORECHANGE\",\"Assessments\":[],\"Templates\":[],\"Solutions\":[],\"ManagedBy\":\"User\",\"ActionScope\":\"Tenant\",\"UserId\":\"\",\"Id\":\"aa9367e4-9fa3-4709-8326-b35c04f784d2\",\"RecordType\":155,\"CreationTime\":\"2022-10-05T10:12:57\",\"Operation\":\"COMPLIANCEMANAGER-SCORECHANGE\",\"OrganizationId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"UserType\":2,\"UserKey\":\"Organization\",\"Workload\":\"ComplianceManager\",\"ResultStatus\":\"Successful\",\"Version\":1}", "event": { "action": "COMPLIANCEMANAGER-SCORECHANGE", - "kind": "event", "code": "155", + "kind": "event", "reason": "Enable self-service password reset" }, "@timestamp": "2022-10-05T10:12:57Z", - "service": { - "name": "ComplianceManager" - }, - "user": { - "id": "Organization" - }, - "organization": { - "id": "163381f4-6b9c-43c2-8b57-bfc16b7354f2" - }, "action": { "id": 155, "name": "COMPLIANCEMANAGER-SCORECHANGE", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { "record_type": 155, @@ -337,6 +328,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": 2, "name": "Admin" } + }, + "organization": { + "id": "163381f4-6b9c-43c2-8b57-bfc16b7354f2" + }, + "service": { + "name": "ComplianceManager" + }, + "user": { + "id": "Organization" } } 
@@ -351,53 +351,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2022-04-05T20:35:01\",\"Id\":\"5615b32d-4c18-4ada-cc88-08da1743c258\",\"Operation\":\"Create\",\"OrganizationId\":\"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"10033FFF80D15ECF\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"d498:796:298e:be16:1b11:29eb:9996:8a36\",\"UserId\":\"email@example.org\",\"AppId\":\"27922004-5251-4030-b22d-91ecd9a37ea4\",\"ClientIPAddress\":\"d498:796:298e:be16:1b11:29eb:9996:8a36\",\"ClientInfoString\":\"Client=OutlookService;Outlook-iOS/2.0;\",\"ClientRequestId\":\"1725\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-3620271904-3241272990-2175486473-1085344\",\"MailboxGuid\":\"24683bc8-fab1-48b3-b834-cb11b95bb911\",\"MailboxOwnerSid\":\"S-1-5-21-3620271904-3241272990-2175486473-1085344\",\"MailboxOwnerUPN\":\"email@example.org\",\"OrganizationName\":\"xxxx.onmicrosoft.com\",\"OriginatingServer\":\"PR3PR03MB6601 (15.20.4200.000)\\r\\n\",\"SessionId\":\"8ad3822b-1cfd-40e7-aeaa-6d0708691ad8\",\"Item\":{\"Id\":\"LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQCB1ldAzYsRRItL+noffZbOAATJxTeHAAAJ\",\"InternetMessageId\":\"\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAAAbOnSFmOkITaMliEZRj+Z3AQAPzmaC0nx3Qo/JWqclreA/AAAEUskDAAAB\",\"Path\":\"\\\\Drafts1\"},\"SizeInBytes\":34785,\"Subject\":\"Email subject\"}}", "event": { "action": "Create", - "kind": "event", - "code": "2", "category": [ "email", "file" ], + "code": "2", + "kind": "event", "type": [ - "info", - "creation" + "creation", + "info" ] }, "@timestamp": "2022-04-05T20:35:01Z", - "service": { - "name": "Exchange" - }, - "user": { - "name": "email@example.org", - "id": "S-1-5-21-3620271904-3241272990-2175486473-1085344", - "email": "email@example.org" - }, - "organization": { - "id": "7f7e5b97-b780-473c-9c76-9182a9d7f2b4" - }, "action": { "id": 
2, "name": "Create", - "target": "user", - "outcome": "success" - }, - "source": { - "ip": "d498:796:298e:be16:1b11:29eb:9996:8a36", - "address": "d498:796:298e:be16:1b11:29eb:9996:8a36" + "outcome": "success", + "target": "user" }, "office365": { + "context": { + "aad_session_id": "8ad3822b-1cfd-40e7-aeaa-6d0708691ad8" + }, + "exchange": { + "mailbox_guid": "24683bc8-fab1-48b3-b834-cb11b95bb911" + }, "record_type": 2, "result_status": "Succeeded", "user_type": { "code": 0, "name": "Regular" - }, - "exchange": { - "mailbox_guid": "24683bc8-fab1-48b3-b834-cb11b95bb911" - }, - "context": { - "aad_session_id": "8ad3822b-1cfd-40e7-aeaa-6d0708691ad8" } }, + "organization": { + "id": "7f7e5b97-b780-473c-9c76-9182a9d7f2b4" + }, "related": { "ip": [ "d498:796:298e:be16:1b11:29eb:9996:8a36" @@ -405,6 +393,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "email@example.org" ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "d498:796:298e:be16:1b11:29eb:9996:8a36", + "ip": "d498:796:298e:be16:1b11:29eb:9996:8a36" + }, + "user": { + "email": "email@example.org", + "id": "S-1-5-21-3620271904-3241272990-2175486473-1085344", + "name": "email@example.org" } } 
@@ -419,42 +419,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2023-09-15T18:16:53\",\"Id\":\"461a38ce-fc36-4a4d-b73e-643262cc063f\",\"Operation\":\"MailItemsAccessed\",\"OrganizationId\":\"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\",\"RecordType\":50,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"100320029D9C5179\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"UserId\":\"NestorW@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientIPAddress\":\"2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7\",\"ClientInfoString\":\"Client=OWA;Action=ViaProxy\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxGuid\":\"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\",\"MailboxOwnerSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxOwnerUPN\":\"NestorW@example.onmicrosoft.com\",\"OperationProperties\":[{\"Name\":\"MailAccessType\",\"Value\":\"Bind\"},{\"Name\":\"IsThrottled\",\"Value\":\"False\"}],\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.4200.000)\\r\\n\",\"SessionId\":\"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\",\"Folders\":[{\"FolderItems\":[{\"InternetMessageId\":\"\",\"Sensitivity\":\"defa4170-0d19-0005-0004-bc88714345d2\",\"SizeInBytes\":3476},{\"InternetMessageId\":\"\",\"SizeInBytes\":4871},{\"InternetMessageId\":\"\",\"SizeInBytes\":4873}],\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEPAAAB\",\"Path\":\"\\\\Brouillons\"}],\"OperationCount\":3}\r", "event": { "action": "MailItemsAccessed", - "kind": "event", - "code": "50" + "code": "50", + "kind": "event" }, "@timestamp": "2023-09-15T18:16:53Z", - "service": { - "name": "Exchange" - }, - "user": { - "name": "NestorW@example.onmicrosoft.com", - "id": "100320029D9C5179", - "email": "NestorW@example.onmicrosoft.com" - }, - "organization": { - "id": 
"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" - }, "action": { "id": 50, "name": "MailItemsAccessed", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { + "context": { + "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" + }, "record_type": 50, "result_status": "Succeeded", "user_type": { "code": 0, "name": "Regular" - }, - "context": { - "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" } }, + "organization": { + "id": "80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" + }, "related": { "user": [ "NestorW@example.onmicrosoft.com" ] + }, + "service": { + "name": "Exchange" + }, + "user": { + "email": "NestorW@example.onmicrosoft.com", + "id": "100320029D9C5179", + "name": "NestorW@example.onmicrosoft.com" } } 
@@ -469,58 +469,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2023-09-15T18:11:42\",\"Id\":\"d0d7820c-cdbe-4524-bf75-08dbb61736bf\",\"Operation\":\"HardDelete\",\"OrganizationId\":\"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\",\"RecordType\":3,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"100320029D9C5179\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"12.34.56.78\",\"UserId\":\"NestorW@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientIPAddress\":\"12.34.56.78\",\"ClientInfoString\":\"Client=OWA;Action=ViaProxy\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxGuid\":\"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\",\"MailboxOwnerSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxOwnerUPN\":\"NestorW@example.onmicrosoft.com\",\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.4200.000)\\r\\n\",\"SessionId\":\"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\",\"AffectedItems\":[{\"Id\":\"RgAAAABxSjbeIoBUT6MlFIM9cqcFBwCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAACxmw0Q8U/kQIyFE2Uk+mwoAABVzgKRAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\",\"Path\":\"\\\\Recoverable Items\\\\Deletions\"},\"Subject\":\"\"}],\"CrossMailboxOperation\":false,\"Folder\":{\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\",\"Path\":\"\\\\Recoverable Items\\\\Deletions\"}}\r\n\r", "event": { "action": "HardDelete", - "kind": "event", - "code": "3", "category": [ "email" ], + "code": "3", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-09-15T18:11:42Z", - "service": { - "name": "Exchange" - }, - "user": { - "name": "NestorW@example.onmicrosoft.com", - "id": "100320029D9C5179", - "email": "NestorW@example.onmicrosoft.com" - }, - 
"organization": { - "id": "80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" - }, "action": { "id": 3, "name": "HardDelete", - "target": "user", - "outcome": "success" - }, - "source": { - "ip": "12.34.56.78", - "address": "12.34.56.78" + "outcome": "success", + "target": "user" }, "office365": { - "record_type": 3, - "result_status": "Succeeded", - "user_type": { - "code": 0, - "name": "Regular" + "context": { + "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, "exchange": { "email": { - "subjects": [ - "" - ], "paths": [ "\\Recoverable Items\\Deletions" + ], + "subjects": [ + "" ] } }, - "context": { - "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" + "record_type": 3, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" + }, "related": { "ip": [ "12.34.56.78" @@ -528,6 +516,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NestorW@example.onmicrosoft.com" ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "12.34.56.78", + "ip": "12.34.56.78" + }, + "user": { + "email": "NestorW@example.onmicrosoft.com", + "id": "100320029D9C5179", + "name": "NestorW@example.onmicrosoft.com" } } 
@@ -542,61 +542,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-08-22T13:51:02\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"SoftDelete\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 3, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"11111111111111\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example.org\", \"ClientIPAddress\": \"1.2.3.4\", \"ClientInfoString\": \"Client=MSExchangeRPC\", \"ClientProcessName\": \"OUTLOOK.EXE\", \"ClientRequestId\": \"{037FD006-A72B-49AE-4BB0-08DBA30C8729}\", \"ClientVersion\": \"16.0.15601.20364\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxGuid\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MailboxOwnerSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxOwnerUPN\": \"john.doe@example.org\", \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"MYSERVER (15.20.4200.000)\\r\\n\", \"SessionId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AffectedItems\": [{\"Attachments\": \"image006.png (6438b); image007.png (449b); image008.png (448b); image009.png (449b); image010.jpg (2443b); image011.png (6444b); image012.png (447b); image013.png (448b)\", \"Id\": \"333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333\", \"InternetMessageId\": \"<44444444444444444444444444444444444444@MYSERVER.USA2345.PROD.OUTLOOK.COM>\", \"ParentFolder\": {\"Id\": \"1111111111111111111111111111111111111111111111111111111111111111\", \"Path\": \"\\\\Draft\"}, \"Subject\": \"Re: HI\"}], \"CrossMailboxOperation\": false, \"Folder\": {\"Id\": \"2222222222222222222222222222222222222222222222222222222222222222\", \"Path\": \"\\\\Draft\"}}", "event": { "action": "SoftDelete", - 
"kind": "event", - "code": "3", "category": [ "email" ], + "code": "3", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-08-22T13:51:02Z", - "service": { - "name": "Exchange" - }, - "user": { - "name": "john.doe@example.org", - "id": "11111111111111", - "email": "john.doe@example.org" - }, - "organization": { - "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" - }, "action": { "id": 3, "name": "SoftDelete", - "target": "user", - "outcome": "success" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "office365": { - "record_type": 3, - "result_status": "Succeeded", - "user_type": { - "code": 0, - "name": "Regular" - }, - "exchange": { - "client_version": "16.0.15601.20364", - "email": { - "subjects": [ - "Re: HI" - ], - "paths": [ - "\\Draft" - ] - } - }, - "context": { - "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" - } - }, - "process": { - "name": "OUTLOOK.EXE" + "outcome": "success", + "target": "user" }, "email": { "attachments": [ @@ -650,6 +610,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ] }, + "office365": { + "context": { + "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "exchange": { + "client_version": "16.0.15601.20364", + "email": { + "paths": [ + "\\Draft" + ], + "subjects": [ + "Re: HI" + ] + } + }, + "record_type": 3, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, + "process": { + "name": "OUTLOOK.EXE" + }, "related": { "ip": [ "1.2.3.4" @@ -657,6 +645,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example.org", + "id": "11111111111111", + "name": "john.doe@example.org" } } 
@@ -671,103 +671,91 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-08-22T13:49:36\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"Update\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 2, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"1111111111111111\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": \"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"UserId\": \"john.doe@example.org\", \"AppId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ClientAppId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ClientIPAddress\": \"2603:1026:c09:834::5\", \"ClientInfoString\": \"Client=REST;Client=RESTSystem;;\", \"ClientRequestId\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxGuid\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MailboxOwnerSid\": \"S-1-5-21-1111111111-2222222222-3333333333-4444444\", \"MailboxOwnerUPN\": \"john.doe@example.org\", \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"MYSERVER (15.20.4200.000)\\r\\n\", \"Item\": {\"Id\": \"333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333\", \"InternetMessageId\": \"<44444444444444444444444444444444444444@MYSERVER.USA2345.PROD.OUTLOOK.COM>\", \"ParentFolder\": {\"Id\": \"1111111111111111111111111111111111111111111111111111111111111111\", \"Path\": \"\\\\Draft\"}, \"SizeInBytes\": 70806, \"Subject\": \"HI\"}, \"ModifiedProperties\": [\"MapiEndTime\", \"MapiPREndDate\", \"TimeZone\", \"TimeZoneBlob\", \"TimeZoneDefinitionStart\", \"TimeZoneDefinitionEnd\", \"MapiStartTime\", \"MapiPRStartDate\", \"MapiIsAllDayEvent\", \"TimeZoneDefinitionRecurring\", \"AppointmentRecurring\", \"AttendeeCriticalChangeTime\", \"Location\", \"SendRichInfo\", 
\"PartnerNetworkUserId\", \"PartnerNetworkId\", \"SentRepresentingDisplayName\", \"SentRepresentingEmailAddress\", \"SentRepresentingType\", \"SentRepresentingEntryId\", \"SentRepresentingSmtpAddress\", \"SipUri\", \"SentRepresentingSID\", \"When\", \"BirthdayContactAttributionDisplayName\", \"BirthdayLocal\", \"ReceivedByName\", \"ReceivedByEmailAddress\", \"ReceivedByAddrType\", \"ReceivedByEntryId\", \"ReceivedBySmtpAddress\", \"AllAttachmentsHidden\", \"SenderDisplayName\", \"SenderEmailAddress\", \"SenderAddressType\", \"SenderEntryId\", \"SenderSmtpAddress\", \"SenderSID\", \"SentTime\", \"HtmlBody\", \"RtfBody\", \"TextBody\", \"DisplayName\", \"CreationTime\", \"MapiSubject\", \"NormalizedSubjectInternal\", \"SubjectPrefixInternal\", \"ItemClass\", \"ReplyForwardStatus\", \"ReceivedTime\", \"RecipientCollection\"]}", "event": { "action": "Update", - "kind": "event", - "code": "2", "category": [ "email", "file" ], + "code": "2", + "kind": "event", "type": [ - "info", - "change" + "change", + "info" ] }, "@timestamp": "2023-08-22T13:49:36Z", - "service": { - "name": "Exchange" - }, - "user": { - "name": "john.doe@example.org", - "id": "S-1-5-21-1111111111-2222222222-3333333333-4444444", - "email": "john.doe@example.org" - }, - "organization": { - "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" - }, "action": { "id": 2, "name": "Update", - "target": "user", - "outcome": "success" - }, - "source": { - "ip": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", - "address": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6" + "outcome": "success", + "target": "user" }, "office365": { - "record_type": 2, - "result_status": "Succeeded", - "user_type": { - "code": 0, - "name": "Regular" - }, "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507", "modified_properties": [ - "MapiEndTime", - "MapiPREndDate", - "TimeZone", - "TimeZoneBlob", - "TimeZoneDefinitionStart", - "TimeZoneDefinitionEnd", - "MapiStartTime", - "MapiPRStartDate", - "MapiIsAllDayEvent", - 
"TimeZoneDefinitionRecurring", + "AllAttachmentsHidden", "AppointmentRecurring", "AttendeeCriticalChangeTime", - "Location", - "SendRichInfo", - "PartnerNetworkUserId", - "PartnerNetworkId", - "SentRepresentingDisplayName", - "SentRepresentingEmailAddress", - "SentRepresentingType", - "SentRepresentingEntryId", - "SentRepresentingSmtpAddress", - "SipUri", - "SentRepresentingSID", - "When", "BirthdayContactAttributionDisplayName", "BirthdayLocal", - "ReceivedByName", - "ReceivedByEmailAddress", + "CreationTime", + "DisplayName", + "HtmlBody", + "ItemClass", + "Location", + "MapiEndTime", + "MapiIsAllDayEvent", + "MapiPREndDate", + "MapiPRStartDate", + "MapiStartTime", + "MapiSubject", + "NormalizedSubjectInternal", + "PartnerNetworkId", + "PartnerNetworkUserId", "ReceivedByAddrType", + "ReceivedByEmailAddress", "ReceivedByEntryId", + "ReceivedByName", "ReceivedBySmtpAddress", - "AllAttachmentsHidden", + "ReceivedTime", + "RecipientCollection", + "ReplyForwardStatus", + "RtfBody", + "SendRichInfo", + "SenderAddressType", "SenderDisplayName", "SenderEmailAddress", - "SenderAddressType", "SenderEntryId", - "SenderSmtpAddress", "SenderSID", + "SenderSmtpAddress", + "SentRepresentingDisplayName", + "SentRepresentingEmailAddress", + "SentRepresentingEntryId", + "SentRepresentingSID", + "SentRepresentingSmtpAddress", + "SentRepresentingType", "SentTime", - "HtmlBody", - "RtfBody", - "TextBody", - "DisplayName", - "CreationTime", - "MapiSubject", - "NormalizedSubjectInternal", + "SipUri", "SubjectPrefixInternal", - "ItemClass", - "ReplyForwardStatus", - "ReceivedTime", - "RecipientCollection" + "TextBody", + "TimeZone", + "TimeZoneBlob", + "TimeZoneDefinitionEnd", + "TimeZoneDefinitionRecurring", + "TimeZoneDefinitionStart", + "When" ] + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, "related": { "ip": [ 
"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6" @@ -775,6 +763,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "ip": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6" + }, + "user": { + "email": "john.doe@example.org", + "id": "S-1-5-21-1111111111-2222222222-3333333333-4444444", + "name": "john.doe@example.org" } } 
@@ -789,88 +789,88 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"CreationTime\": \"2020-09-29T07:32:51\", \"Id\": \"4e597c8c-e185-4ea5-3413-08d86449df74\", \"Operation\": \"FilePreviewed\", \"OrganizationId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"RecordType\": 6, \"UserKey\": \"i:0h.f|membership|10032000e70d7559@live.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx\", \"UserId\": \"jane.doe@company.onmicrosoft.com\", \"ApplicationId\": \"4345a7b9-9a63-4910-a426-35363201d503\", \"CorrelationId\": \"41af7e9f-30a8-9000-8f78-756aca9a7474\", \"DoNotDistributeEvent\": \"True\", \"EventSource\": \"SharePoint\", \"ItemType\": \"File\", \"ListId\": \"2db6ee74-6bd7-4d9b-a63f-26ae6eef9fb3\", \"ListItemUniqueId\": \"0e3f3538-8a03-4728-b431-225bc10687b6\", \"Site\": \"2d3c44c1-d225-499d-a47f-bda2751a00b9\", \"UserAgent\": \"OneDriveMpc-Transform_Thumbnail/1.0\", \"WebId\": \"c4b81f7e-4f91-4b3a-97a7-660709edef15\", \"HighPriorityMediaProcessing\": \"False\", \"SourceFileExtension\": \"xlsx\", \"SiteUrl\": \"https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/\", \"SourceFileName\": \"MyDocument.docx\", \"SourceRelativeUrl\": \"Documents\"}",
 "event": {
 "action": "FilePreviewed",
- "kind": "event",
- "code": "6",
 "category": [
 "file"
 ],
+ "code": "6",
+ "kind": "event",
 "type": [
 "info"
 ]
 },
 "@timestamp": "2020-09-29T07:32:51Z",
- "service": {
- "name": "OneDrive"
- },
- "user": {
- "name": "jane.doe@company.onmicrosoft.com",
- "id": "i:0h.f|membership|10032000e70d7559@live.com",
- "email": "jane.doe@company.onmicrosoft.com"
- },
- "organization": {
- "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2"
- },
 "action": {
 "id": 6,
 "name": "FilePreviewed",
- "target": "user",
 "outcome": "success",
 "properties": [
 {
+ "SiteUrl":
"https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/",
 "SourceFileName": "MyDocument.docx",
 "SourceRelativeUrl": "Documents",
- "SiteUrl": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/",
 "UserAgent": "OneDriveMpc-Transform_Thumbnail/1.0"
 }
- ]
+ ],
+ "target": "user"
 },
- "source": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "file": {
+ "directory": "Documents",
+ "extension": "xlsx",
+ "name": "MyDocument.docx"
 },
 "office365": {
+ "audit": {
+ "object_id": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx"
+ },
 "record_type": 6,
 "user_type": {
 "code": 0,
 "name": "Regular"
- },
- "audit": {
- "object_id": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx"
 }
 },
- "file": {
- "name": "MyDocument.docx",
- "directory": "Documents",
- "extension": "xlsx"
+ "organization": {
+ "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "jane.doe@company.onmicrosoft.com"
+ ]
+ },
+ "service": {
+ "name": "OneDrive"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "url": {
+ "domain": "company-my.sharepoint.com",
+ "full": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
+ "original": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
+ "path": "/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
+ "port": 443,
+ "registered_domain": "sharepoint.com",
+ "scheme": "https",
+ "subdomain": "company-my",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "email": "jane.doe@company.onmicrosoft.com",
+ "id": "i:0h.f|membership|10032000e70d7559@live.com",
+ "name": "jane.doe@company.onmicrosoft.com"
 },
 "user_agent": {
- "original": "OneDriveMpc-Transform_Thumbnail/1.0",
 "device": {
 "name": "Other"
 },
 "name": "Other",
+ "original":
"OneDriveMpc-Transform_Thumbnail/1.0",
 "os": {
 "name": "Other"
 }
- },
- "url": {
- "full": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
- "original": "https://company-my.sharepoint.com/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
- "domain": "company-my.sharepoint.com",
- "top_level_domain": "com",
- "subdomain": "company-my",
- "registered_domain": "sharepoint.com",
- "path": "/personal/jane_doe_company_onmicrosoft_com/Documents/MyDocument.docx",
- "scheme": "https",
- "port": 443
- },
- "related": {
- "ip": [
- "1.2.3.4"
- ],
- "user": [
- "jane.doe@company.onmicrosoft.com"
- ]
 }
 }
@@ -885,51 +885,36 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"AppAccessContext\":{\"AADSessionId\":\"0e042318-7c78-4acb-ae00-5ee74465bca3\",\"CorrelationId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"UniqueTokenId\":\"0000000000000000000000\"},\"CreationTime\":\"2022-06-10T12:00:14\",\"Id\":\"7c13b5d5-aa8d-48d1-b3d1-5f4b657136ba\",\"Operation\":\"FileSyncDownloadedFull\",\"OrganizationId\":\"2d7585dc-97bc-4494-b98c-79f2a4946931\",\"RecordType\":6,\"UserKey\":\"i:0h.f|membership|0000000000000000@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"SharePoint\",\"ClientIP\":\"1.2.3.4\",\"ObjectId\":\"https://company.sharepoint.com/sites/shared/public/assets/website/logo.png\",\"UserId\":\"marketing@company.com\",\"CorrelationId\":\"4b25e3d9-1e4f-4c62-a544-da747449f144\",\"EventSource\":\"SharePoint\",\"ItemType\":\"File\",\"ListId\":\"ca07dda5-0cdc-4399-94a6-303a7aa8ac00\",\"ListItemUniqueId\":\"ab5a159c-c8fd-409c-a48f-524c29df0341\",\"Site\":\"1a53ae0f-8405-42ec-8c43-724101fd34a2\",\"UserAgent\":\"Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)\",\"WebId\":\"ba71b4fe-22e8-41cf-9eaf-48b1787bad16\",\"MachineDomainInfo\":\"f059d209-e819-402b-a391-4941ff3860c6\",\"MachineId\":\"884ecccb-1e44-4dd4-a2b5-b60517893ce0\",\"FileSyncBytesCommitted\":\"1344200\",\"HighPriorityMediaProcessing\":false,\"SourceFileExtension\":\"png\",\"SiteUrl\":\"https://company.sharepoint.com/sites/shared\",\"SourceFileName\":\"logo.png\",\"SourceRelativeUrl\":\"public/assets/website\"}",
 "event": {
 "action": "FileSyncDownloadedFull",
- "kind": "event",
- "code": "6",
 "category": [
 "file"
 ],
+ "code": "6",
+ "kind": "event",
 "type": [
 "info"
 ]
 },
 "@timestamp": "2022-06-10T12:00:14Z",
- "service": {
- "name": "SharePoint"
- },
- "user": {
- "name": "marketing@company.com",
- "id": "i:0h.f|membership|0000000000000000@live.com",
- "email": "marketing@company.com"
- },
- "organization": {
- "id":
"2d7585dc-97bc-4494-b98c-79f2a4946931"
- },
 "action": {
 "id": 6,
 "name": "FileSyncDownloadedFull",
- "target": "user",
 "outcome": "success",
 "properties": [
 {
+ "SiteUrl": "https://company.sharepoint.com/sites/shared",
 "SourceFileName": "logo.png",
 "SourceRelativeUrl": "public/assets/website",
- "SiteUrl": "https://company.sharepoint.com/sites/shared",
 "UserAgent": "Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)"
 }
- ]
+ ],
+ "target": "user"
 },
- "source": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "file": {
+ "directory": "public/assets/website",
+ "extension": "png",
+ "name": "logo.png"
 },
 "office365": {
- "record_type": 6,
- "user_type": {
- "code": 0,
- "name": "Regular"
- },
 "audit": {
 "object_id": "https://company.sharepoint.com/sites/shared/public/assets/website/logo.png"
 },
@@ -938,35 +923,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "correlation": {
 "id": "c299a0a0-14da-428a-b08d-481d562298cb"
 }
- }
- },
- "file": {
- "name": "logo.png",
- "directory": "public/assets/website",
- "extension": "png"
- },
- "user_agent": {
- "original": "Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)",
- "device": {
- "name": "Other"
 },
- "name": "Microsoft SkyDriveSync",
- "version": "22.099.0508",
- "os": {
- "name": "Windows",
- "version": "10"
+ "record_type": 6,
+ "user_type": {
+ "code": 0,
+ "name": "Regular"
 }
 },
- "url": {
- "full": "https://company.sharepoint.com/sites/shared/public/assets/website/logo.png",
- "original": "https://company.sharepoint.com/sites/shared/public/assets/website/logo.png",
- "domain": "company.sharepoint.com",
- "top_level_domain": "com",
- "subdomain": "company",
- "registered_domain": "sharepoint.com",
- "path": "/sites/shared/public/assets/website/logo.png",
- "scheme": "https",
- "port": 443
+ "organization": {
+ "id": "2d7585dc-97bc-4494-b98c-79f2a4946931"
 },
 "related": {
 "ip": [
@@ -975,6 +940,41 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "marketing@company.com"
 ]
+ },
+ "service": {
+ "name": "SharePoint"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "url": {
+ "domain": "company.sharepoint.com",
+ "full": "https://company.sharepoint.com/sites/shared/public/assets/website/logo.png",
+ "original": "https://company.sharepoint.com/sites/shared/public/assets/website/logo.png",
+ "path": "/sites/shared/public/assets/website/logo.png",
+ "port": 443,
+ "registered_domain": "sharepoint.com",
+ "scheme": "https",
+ "subdomain": "company",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "email": "marketing@company.com",
+ "id": "i:0h.f|membership|0000000000000000@live.com",
+ "name": "marketing@company.com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Microsoft SkyDriveSync",
+ "original": "Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)",
+ "os": {
+ "name": "Windows",
+ "version": "10"
+ },
+ "version": "22.099.0508"
 }
 }
@@ -989,47 +989,35 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Id\":\"40094389-7baf-a3ba-5acc-2773c002cfbe\",\"RecordType\":22,\"CreationTime\":\"2022-09-07T12:22:07\",\"Operation\":\"FileVisited\",\"OrganizationId\":\"12b674a1-3497-4997-b4ab-2a40bf0e5139\",\"UserType\":0,\"UserKey\":\"10032001cf3045ad\",\"Workload\":\"Yammer\",\"ResultStatus\":\"TRUE\",\"ObjectId\":\"Pix_C'est la rentre!.png\",\"ClientIP\":\"2503:1026:c0a:70::5\",\"UserId\":\"Frodon.Saquet@comte.com\",\"ActorYammerUserId\":1315924230144,\"ActorUserId\":\"Frodon.Saquet@comte.com\",\"YammerNetworkId\":6358000,\"Version\":1,\"FileId\":1439262310400,\"FileName\":\"Pix_C'est la rentre!.png\",\"VersionId\":1460243079168}",
 "event": {
 "action": "FileVisited",
- "kind": "event",
- "code": "22",
 "category": [
 "file"
- ]
+ ],
+ "code": "22",
+ "kind": "event"
 },
 "@timestamp": "2022-09-07T12:22:07Z",
- "service": {
- "name": "Yammer"
- },
- "user": {
- "name": "Frodon.Saquet@comte.com",
- "id": "10032001cf3045ad",
- "email": "Frodon.Saquet@comte.com"
- },
- "organization": {
- "id": "12b674a1-3497-4997-b4ab-2a40bf0e5139"
- },
 "action": {
 "id": 22,
 "name": "FileVisited",
- "target": "user",
- "outcome": "success"
+ "outcome": "success",
+ "target": "user"
 },
- "source": {
- "ip": "2503:1026:c0a:70::5",
- "address": "2503:1026:c0a:70::5"
+ "file": {
+ "name": "Pix_C'est la rentre!.png"
 },
 "office365": {
+ "audit": {
+ "object_id": "Pix_C'est la rentre!.png"
+ },
 "record_type": 22,
 "result_status": "TRUE",
 "user_type": {
 "code": 0,
 "name": "Regular"
- },
- "audit": {
- "object_id": "Pix_C'est la rentre!.png"
 }
 },
- "file": {
- "name": "Pix_C'est la rentre!.png"
+ "organization": {
+ "id": "12b674a1-3497-4997-b4ab-2a40bf0e5139"
 },
 "related": {
 "ip": [
@@ -1038,6 +1026,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Frodon.Saquet@comte.com"
 ]
+ },
+ "service": {
+ "name": "Yammer"
+ },
+ "source": {
+ "address": "2503:1026:c0a:70::5",
+ "ip": "2503:1026:c0a:70::5"
+ },
+ "user": {
+ "email": "Frodon.Saquet@comte.com",
+ "id": "10032001cf3045ad",
+ "name": "Frodon.Saquet@comte.com"
 }
 }
@@ -1052,69 +1052,69 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"CreationTime\":\"2023-05-24T15:10:53\",\"Id\":\"9cf2a1f7-90bc-494b-2784-08db5c691133\",\"Operation\":\"New-InboxRule\",\"OrganizationId\":\"49c2f50d-d36c-4b88-8511-55ce3ea9e53f\",\"RecordType\":1,\"ResultStatus\":\"True\",\"UserKey\":\"100320028D9C5197\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"240.157.135.119:63070\",\"ObjectId\":\"EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\\\RULE_NAME\",\"UserId\":\"RobertP@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientAppId\":\"\",\"ExternalAccess\":false,\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.6411.029)\",\"Parameters\":[{\"Name\":\"ForwardTo\",\"Value\":\"bob@example.org\"},{\"Name\":\"Force\",\"Value\":\"False\"},{\"Name\":\"AlwaysDeleteOutlookRulesBlob\",\"Value\":\"False\"},{\"Name\":\"RedirectTo\",\"Value\":\"joe@example.org\"},{\"Name\":\"From\",\"Value\":\"alice@example.org\"},{\"Name\":\"Name\",\"Value\":\"RULE_NAME\"},{\"Name\":\"DeleteMessage\",\"Value\":\"True\"},{\"Name\":\"FromAddressContainsWords\",\"Value\":\"@example.org\"},{\"Name\":\"MarkAsRead\",\"Value\":\"True\"},{\"Name\":\"StopProcessingRules\",\"Value\":\"True\"},{\"Name\":\"SubjectOrBodyContainsWords\",\"Value\":\"keyword\"},{\"Name\":\"MoveToFolder\",\"Value\":\"Historique des conversations\"}],\"SessionId\":\"984c0958-0631-4b90-b116-15094fc36847\"}\r\n\r",
 "event": {
 "action": "New-InboxRule",
- "kind": "event",
- "code": "1"
+ "code": "1",
+ "kind": "event"
 },
 "@timestamp": "2023-05-24T15:10:53Z",
- "service": {
- "name": "Exchange"
- },
- "user": {
- "name": "RobertP@example.onmicrosoft.com",
- "id": "100320028D9C5197",
- "email": "RobertP@example.onmicrosoft.com"
- },
- "organization": {
- "id":
"49c2f50d-d36c-4b88-8511-55ce3ea9e53f"
- },
 "action": {
 "id": 1,
 "name": "New-InboxRule",
- "target": "user",
- "outcome": "success"
- },
- "source": {
- "ip": "240.157.135.119",
- "port": 63070,
- "address": "240.157.135.119"
+ "outcome": "success",
+ "target": "user"
 },
 "office365": {
- "record_type": 1,
- "result_status": "True",
- "user_type": {
- "code": 2,
- "name": "Admin"
- },
 "audit": {
 "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME"
 },
+ "context": {
+ "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847"
+ },
 "exchange_admin": {
 "parameters": [
- "ForwardTo:bob@example.org",
- "Force:False",
 "AlwaysDeleteOutlookRulesBlob:False",
- "RedirectTo:joe@example.org",
- "From:alice@example.org",
- "Name:RULE_NAME",
 "DeleteMessage:True",
+ "Force:False",
+ "ForwardTo:bob@example.org",
+ "From:alice@example.org",
 "FromAddressContainsWords:@example.org",
 "MarkAsRead:True",
+ "MoveToFolder:Historique des conversations",
+ "Name:RULE_NAME",
+ "RedirectTo:joe@example.org",
 "StopProcessingRules:True",
- "SubjectOrBodyContainsWords:keyword",
- "MoveToFolder:Historique des conversations"
+ "SubjectOrBodyContainsWords:keyword"
 ]
 },
- "context": {
- "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847"
+ "record_type": 1,
+ "result_status": "True",
+ "user_type": {
+ "code": 2,
+ "name": "Admin"
 }
 },
- "related": {
+ "organization": {
+ "id": "49c2f50d-d36c-4b88-8511-55ce3ea9e53f"
+ },
+ "related": {
 "ip": [
 "240.157.135.119"
 ],
 "user": [
 "RobertP@example.onmicrosoft.com"
 ]
+ },
+ "service": {
+ "name": "Exchange"
+ },
+ "source": {
+ "address": "240.157.135.119",
+ "ip": "240.157.135.119",
+ "port": 63070
+ },
+ "user": {
+ "email": "RobertP@example.onmicrosoft.com",
+ "id": "100320028D9C5197",
+ "name": "RobertP@example.onmicrosoft.com"
 }
 }
@@ -1129,42 +1129,28 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"AppAccessContext\": {\"AADSessionId\": \"fbe7d318-3d7f-4645-9e03-caa46e2a8f01\", \"CorrelationId\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"UniqueTokenId\": \"2222222222222222222222\"}, \"CreationTime\": \"2023-08-22T12:37:20\", \"Id\": \"037fd006-a72b-49ae-4bb0-08dba30c8729\", \"Operation\": \"ManagedSyncClientAllowed\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 4, \"UserKey\": \"i:0h.f|membership|1111111111111111@live.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example.org\", \"AuthenticationType\": \"FormsCookieAuth\", \"BrowserName\": \"Edge\", \"BrowserVersion\": \"114.0.1823.79\", \"CorrelationId\": \"ec84154f-db9d-47cd-b1be-56d75cb8840e\", \"EventSource\": \"SharePoint\", \"IsManagedDevice\": false, \"ItemType\": \"DocumentLibrary\", \"Platform\": \"WinDesktop\", \"Site\": \"1435321e-2bbb-417d-b21c-533e3ec15f5f\", \"UserAgent\": \"Microsoft SkyDriveSync 23.101.0514.0004 ship; Windows NT 10.0 (19045)\", \"WebId\": \"50ad5578-0fa1-4285-9cde-1e4f067fb892\", \"DeviceDisplayName\": \"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"MachineDomainInfo\": \"8208550a-4001-439d-a9f6-e95d76767507\", \"MachineId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}",
 "event": {
 "action": "ManagedSyncClientAllowed",
- "kind": "event",
- "code": "4",
 "category": [
 "file"
 ],
+ "code": "4",
+ "kind": "event",
 "type": [
 "access"
 ]
 },
 "@timestamp": "2023-08-22T12:37:20Z",
- "service": {
- "name": "SharePoint"
- },
- "user": {
- "name": "john.doe@example.org",
- "id": "i:0h.f|membership|1111111111111111@live.com",
- "email": "john.doe@example.org"
- },
- "organization": {
- "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1"
- },
 "action": {
 "id": 4,
 "name": "ManagedSyncClientAllowed",
- "target": "user",
- "outcome": "success"
- },
- "source": {
- "ip": "1.2.3.4",
-
"address": "1.2.3.4"
+ "outcome": "success",
+ "target": "user"
 },
 "office365": {
- "record_type": 4,
- "user_type": {
- "code": 0,
- "name": "Regular"
+ "audit": {
+ "event_source": "SharePoint",
+ "item_type": "DocumentLibrary",
+ "platform": "WinDesktop",
+ "site": "1435321e-2bbb-417d-b21c-533e3ec15f5f"
 },
 "context": {
 "aad_session_id": "fbe7d318-3d7f-4645-9e03-caa46e2a8f01",
@@ -1172,24 +1158,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "5f24aa82-f874-44d1-b6df-857cd9e1decf"
 }
 },
- "audit": {
- "site": "1435321e-2bbb-417d-b21c-533e3ec15f5f",
- "event_source": "SharePoint",
- "item_type": "DocumentLibrary",
- "platform": "WinDesktop"
+ "record_type": 4,
+ "user_type": {
+ "code": 0,
+ "name": "Regular"
 }
 },
- "user_agent": {
- "original": "Microsoft SkyDriveSync 23.101.0514.0004 ship; Windows NT 10.0 (19045)",
- "device": {
- "name": "Other"
- },
- "name": "Microsoft SkyDriveSync",
- "version": "23.101.0514",
- "os": {
- "name": "Windows",
- "version": "10"
- }
+ "organization": {
+ "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1"
 },
 "related": {
 "ip": [
@@ -1198,6 +1174,30 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "john.doe@example.org"
 ]
+ },
+ "service": {
+ "name": "SharePoint"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "email": "john.doe@example.org",
+ "id": "i:0h.f|membership|1111111111111111@live.com",
+ "name": "john.doe@example.org"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Microsoft SkyDriveSync",
+ "original": "Microsoft SkyDriveSync 23.101.0514.0004 ship; Windows NT 10.0 (19045)",
+ "os": {
+ "name": "Windows",
+ "version": "10"
+ },
+ "version": "23.101.0514"
 }
 }
@@ -1212,58 +1212,58 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Applications\": [{\"Name\": \"Microsoft SharePoint Online\"}], \"AlertCategory\": \"ANOMALY_DETECTION\", \"AlertDisplayName\": \"Impossible travel activity\", \"AlertDescription\": \"The user JOHN DOE (john.doe@example.org) was involved in an impossible travel\\n incident. The user connected from two countries within 10 minutes, from these IP addresses: Belgium\\n (3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6) and France (1.2.3.4). If any of these IP addresses are used by the\\n organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as\\n VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.\", \"AlertSeverity\": \"Medium\", \"AssignedTo\": null, \"LastUpdatedTime\": \"2023-04-19T12:24:16\", \"ActivityStartTime\": \"2023-04-19T12:07:08\", \"ItemCount\": 0, \"AlertUri\": \"https://example.portal.cloudappsecurity.com/#/alerts/111111111111111111111111\", \"ClientIPs\": [\"3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6\", \"1.2.3.4\"], \"ObjectId\": \"643fdd70e8ff3e15bba6dfd8\", \"UserId\": \"john.doe@example.org\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 98, \"CreationTime\": \"2023-04-19T12:24:16\", \"Operation\": \"MCAS_ALERT_ANUBIS_DETECTION_VELOCITY\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserType\": 0, \"UserKey\": \"john.doe@example.org\", \"Workload\": \"MCAS\", \"ResultStatus\": \"New\", \"Version\": 1}",
 "event": {
 "action": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
- "kind": "alert",
- "code": "98",
 "category": [
 "intrusion_detection"
 ],
+ "code": "98",
+ "kind": "alert",
 "type": [
 "info"
 ]
 },
 "@timestamp": "2023-04-19T12:24:16Z",
- "service": {
- "name": "MCAS"
- },
- "user": {
- "name": "john.doe@example.org",
- "id": "john.doe@example.org",
- "email": "john.doe@example.org"
- },
- "organization": {
- "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770"
- },
 "action": {
 "id": 98,
 "name": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
- "target": "user",
- "outcome": "success"
+ "outcome": "success",
+ "target": "user"
 },
 "office365": {
+ "alert": {
+ "category": "ANOMALY_DETECTION",
+ "client_ips": [
+ "1.2.3.4",
+ "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6"
+ ],
+ "description": "The user JOHN DOE (john.doe@example.org) was involved in an impossible travel\n incident. The user connected from two countries within 10 minutes, from these IP addresses: Belgium\n (3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6) and France (1.2.3.4). If any of these IP addresses are used by the\n organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as\n VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.",
+ "display_name": "Impossible travel activity",
+ "severity": "Medium"
+ },
+ "audit": {
+ "object_id": "643fdd70e8ff3e15bba6dfd8"
+ },
 "record_type": 98,
 "result_status": "New",
 "user_type": {
 "code": 0,
 "name": "Regular"
- },
- "audit": {
- "object_id": "643fdd70e8ff3e15bba6dfd8"
- },
- "alert": {
- "category": "ANOMALY_DETECTION",
- "display_name": "Impossible travel activity",
- "description": "The user JOHN DOE (john.doe@example.org) was involved in an impossible travel\n incident. The user connected from two countries within 10 minutes, from these IP addresses: Belgium\n (3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6) and France (1.2.3.4).
If any of these IP addresses are used by the\n organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as\n VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.",
- "severity": "Medium",
- "client_ips": [
- "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6",
- "1.2.3.4"
- ]
 }
 },
+ "organization": {
+ "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770"
+ },
 "related": {
 "user": [
 "john.doe@example.org"
 ]
+ },
+ "service": {
+ "name": "MCAS"
+ },
+ "user": {
+ "email": "john.doe@example.org",
+ "id": "john.doe@example.org",
+ "name": "john.doe@example.org"
 }
 }
@@ -1278,56 +1278,38 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"CreationTime\":\"2022-07-07T22:38:49\",\"Id\":\"266f5962-ffad-4fce-a101-3197581af3d4\",\"Operation\":\"AtpDetection\",\"OrganizationId\":\"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\",\"RecordType\":47,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"UserId\":\"people@example.org\",\"DetectionDate\":\"2022-07-07T22:38:11\",\"DetectionMethod\":\"AntiMalware\",\"EventDeepLink\":\"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&query-Id=2ab4791e-fdd4-42f9-ad3c-c54ef7a4d548\",\"FileData\":{\"DocumentId\":\"03254108-f682-417d-f3e6-08da605bf091\",\"FileName\":\"malware\",\"FilePath\":\"https://example.sharepoint.com/personal/people_example_org/Documents/malware\",\"FileSize\":\"12345\",\"FileVerdict\":1,\"MalwareFamily\":\"iPhoneOS/Vortex.C\",\"SHA256\":\"SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=\"},\"LastModifiedBy\":\"people@example.org\",\"LastModifiedDate\":\"2022-01-01T13:00:53\",\"SourceWorkload\":1}\n",
 "event": {
 "action": "AtpDetection",
- "kind": "event",
 "code": "47",
+ "kind": "event",
 "url": "https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&query-Id=2ab4791e-fdd4-42f9-ad3c-c54ef7a4d548"
 },
 "@timestamp": "2022-07-07T22:38:49Z",
- "service": {
- "name": "ThreatIntelligence"
- },
- "user": {
- "name": "people@example.org",
- "id": "ThreatIntel",
- "email": "people@example.org"
- },
- "organization": {
- "id": "7f7e5b97-b780-473c-9c76-9182a9d7f2b4"
- },
 "action": {
 "id": 47,
 "name": "AtpDetection",
- "target": "user",
- "outcome": "success"
+ "outcome": "success",
+ "target": "user"
 },
- "office365": {
- "record_type": 47,
- "user_type": {
- "code": 4,
- "name": "System"
+ "file": {
+ "hash": {
+ "sha256": "SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8="
 },
+ "name": "malware"
+ },
+ "office365": {
 "defender":
{
 "detection": {
 "method": "AntiMalware"
 },
 "malware_family": "iPhoneOS/Vortex.C"
+ },
+ "record_type": 47,
+ "user_type": {
+ "code": 4,
+ "name": "System"
 }
 },
- "file": {
- "name": "malware",
- "hash": {
- "sha256": "SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8="
- }
- },
- "url": {
- "original": "https://example.sharepoint.com/personal/people_example_org/Documents/malware",
- "domain": "example.sharepoint.com",
- "top_level_domain": "com",
- "subdomain": "example",
- "registered_domain": "sharepoint.com",
- "path": "/personal/people_example_org/Documents/malware",
- "scheme": "https",
- "port": 443
+ "organization": {
+ "id": "7f7e5b97-b780-473c-9c76-9182a9d7f2b4"
 },
 "related": {
 "hash": [
@@ -1336,6 +1318,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "people@example.org"
 ]
+ },
+ "service": {
+ "name": "ThreatIntelligence"
+ },
+ "url": {
+ "domain": "example.sharepoint.com",
+ "original": "https://example.sharepoint.com/personal/people_example_org/Documents/malware",
+ "path": "/personal/people_example_org/Documents/malware",
+ "port": 443,
+ "registered_domain": "sharepoint.com",
+ "scheme": "https",
+ "subdomain": "example",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "email": "people@example.org",
+ "id": "ThreatIntel",
+ "name": "people@example.org"
 }
 }
@@ -1350,64 +1350,54 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"CreationTime\":\"2022-07-08T09:10:19\",\"Id\":\"50906475-74dd-4447-ae4d-595d225d0055\",\"Operation\":\"TIMailData\",\"OrganizationId\":\"8a457951-a594-4607-a5dc-dfc72338eb13\",\"RecordType\":28,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"ObjectId\":\"4ca2df96-4488-4f3b-a265-b4edaa3c4d8f\",\"UserId\":\"ThreatIntel\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AttachmentData\":[{\"FileName\":\"malicious.pdf.exe\",\"FileType\":\"exe;zip\",\"FileVerdict\":1,\"MalwareFamily\":\"Trojan_Gen_FileWithSpoofedExtension_A\",\"SHA256\":\"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\"}],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Fail\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"DeliveryAction\":\"Blocked\",\"DetectionMethod\":\"File detonation\",\"DetectionType\":\"Inline\",\"Directionality\":\"Inbound\",\"EventDeepLink\":\"https://protection.office.com/?hash=/threatexplorer?messageParams=a4dbf74a-89e0-40de-b14d-df573f48aa45,a4dbf74a-89e0-40de-b14d-df573f48aa45-0000000000000000000-1,2022-07-08T00:00:00,2022-07-08T23:59:59&view=Malware\",\"InternetMessageId\":\"<4cc4a74e-a195-4222-abd7-a8adf2cd347d@sender.com>\",\"LatestDeliveryLocation\":\"Quarantine\",\"MessageTime\":\"2022-07-08T09:07:47\",\"NetworkMessageId\":\"7250ff78-fd13-45a2-bb5d-23a5d59c2699\",\"OriginalDeliveryLocation\":\"Quarantine\",\"P1Sender\":\"prvs=0000000000=human@sender.com\",\"P2Sender\":\"human@sender.com\",\"Policy\":\"SafeAttachements\",\"PolicyAction\":\"Quarantine\",\"Recipients\":[\"human@example.com\"],\"SenderIp\":\"1.2.3.4\",\"Subject\":\"Refund to you\",\"SystemOverrides\":[{\"Details\":\"Antimalware policy block by file 
type\",\"FinalOverride\":\"No\",\"Result\":\"Block\",\"Source\":\"Tenant\"}],\"ThreatsAndDetectionTech\":[\"Malware: [File detonation]\",\"Spam: [General filter]\"],\"Verdict\":\"Malware\"}\n",
 "event": {
 "action": "Blocked",
- "kind": "event",
 "code": "28",
+ "kind": "event",
 "url": "https://protection.office.com/?hash=/threatexplorer?messageParams=a4dbf74a-89e0-40de-b14d-df573f48aa45,a4dbf74a-89e0-40de-b14d-df573f48aa45-0000000000000000000-1,2022-07-08T00:00:00,2022-07-08T23:59:59&view=Malware"
 },
 "@timestamp": "2022-07-08T09:10:19Z",
- "service": {
- "name": "ThreatIntelligence"
- },
- "user": {
- "name": "ThreatIntel",
- "id": "ThreatIntel"
- },
- "organization": {
- "id": "8a457951-a594-4607-a5dc-dfc72338eb13"
- },
 "action": {
 "id": 28,
 "name": "Blocked",
- "target": "user",
- "outcome": "success"
+ "outcome": "success",
+ "target": "user"
 },
- "office365": {
- "record_type": 28,
- "user_type": {
- "code": 4,
- "name": "System"
+ "email": {
+ "attachments": [
+ {
+ "file": {
+ "hash": {
+ "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"
+ },
+ "mime_type": "exe;zip",
+ "name": "malicious.pdf.exe"
+ }
+ }
+ ],
+ "delivery_timestamp": "2022-07-08T09:07:47",
+ "from": {
+ "address": [
+ "human@sender.com"
+ ]
 },
+ "local_id": "7250ff78-fd13-45a2-bb5d-23a5d59c2699",
+ "message_id": "4cc4a74e-a195-4222-abd7-a8adf2cd347d@sender.com",
+ "reply_to": {
+ "address": [
+ "prvs=0000000000=human@sender.com"
+ ]
+ },
+ "subject": "Refund to you",
+ "to": {
+ "address": [
+ "human@example.com"
+ ]
+ }
+ },
+ "office365": {
 "audit": {
 "object_id": "4ca2df96-4488-4f3b-a265-b4edaa3c4d8f"
 },
 "defender": {
- "email": {
- "verdict": {
- "reason": "Malware"
- },
- "delivery": {
- "action": "Blocked",
- "original_location": "Quarantine",
- "latest_location": "Quarantine"
- },
- "attachments": [
- {
- "name": "Trojan_Gen_FileWithSpoofedExtension_A",
- "verdict": {
- "code": "1",
- "name": "bad"
- }
- }
- ]
- },
- "detection": {
- "type": "Inline",
-
"method": "File detonation",
- "technology": [
- "Malware: [File detonation]",
- "Spam: [General filter]"
- ]
- },
 "additional_actions": [
 "OriginalDelivery: [N/A]"
 ],
@@ -1429,51 +1419,50 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "Value": "pass"
 }
 ],
- "system_overrides": [
- {
- "Details": "Antimalware policy block by file type",
- "FinalOverride": "No",
- "Result": "Block",
- "Source": "Tenant"
- }
- ]
- }
- },
- "email": {
- "local_id": "7250ff78-fd13-45a2-bb5d-23a5d59c2699",
- "subject": "Refund to you",
- "delivery_timestamp": "2022-07-08T09:07:47",
- "message_id": "4cc4a74e-a195-4222-abd7-a8adf2cd347d@sender.com",
- "reply_to": {
- "address": [
- "prvs=0000000000=human@sender.com"
- ]
- },
- "from": {
- "address": [
- "human@sender.com"
- ]
- },
- "to": {
- "address": [
- "human@example.com"
- ]
- },
- "attachments": [
- {
- "file": {
- "name": "malicious.pdf.exe",
- "mime_type": "exe;zip",
- "hash": {
- "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"
+ "detection": {
+ "method": "File detonation",
+ "technology": [
+ "Malware: [File detonation]",
+ "Spam: [General filter]"
+ ],
+ "type": "Inline"
+ },
+ "email": {
+ "attachments": [
+ {
+ "name": "Trojan_Gen_FileWithSpoofedExtension_A",
+ "verdict": {
+ "code": "1",
+ "name": "bad"
+ }
 }
+ ],
+ "delivery": {
+ "action": "Blocked",
+ "latest_location": "Quarantine",
+ "original_location": "Quarantine"
+ },
+ "verdict": {
+ "reason": "Malware"
 }
- }
- ]
+ },
+ "system_overrides": [
+ {
+ "Details": "Antimalware policy block by file type",
+ "FinalOverride": "No",
+ "Result": "Block",
+ "Source": "Tenant"
+ }
+ ]
+ },
+ "record_type": 28,
+ "user_type": {
+ "code": 4,
+ "name": "System"
+ }
 },
- "source": {
- "ip": "1.2.3.4",
- "address": "1.2.3.4"
+ "organization": {
+ "id": "8a457951-a594-4607-a5dc-dfc72338eb13"
 },
 "related": {
 "ip": [
@@ -1482,6 +1471,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "ThreatIntel" ] + }, + "service": { + "name": "ThreatIntelligence" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "ThreatIntel", + "name": "ThreatIntel" } } @@ -1496,27 +1496,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2022-07-07T10:10:52\",\"Id\":\"47bf7844-15bf-4cf2-91a3-15b32ceb89b5\",\"Operation\":\"TIUrlClickData\",\"OrganizationId\":\"0eaa2260-b241-410b-bcae-e38c8b68787f\",\"RecordType\":41,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"UserId\":\"human@example.org\",\"AppName\":\"Mail\",\"AppVersion\":\"0.0.0000\",\"EventDeepLink\":\"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=Phish&query-Recipients=people@xample.org&query-NetworkMessageId=53b5da37-1893-4e78-a89f-a4d26b53184c\",\"SourceId\":\"8a8634d0-d803-4bc9-b221-2863bff6a001\",\"TimeOfClick\":\"2022-07-07T09:33:33\",\"Url\":\"https://malicious.domain.com\",\"UserIp\":\"1.2.3.4\"}\n", "event": { "action": "TIUrlClickData", - "kind": "event", "code": "41", + "kind": "event", "url": "https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=Phish&query-Recipients=people@xample.org&query-NetworkMessageId=53b5da37-1893-4e78-a89f-a4d26b53184c" }, "@timestamp": "2022-07-07T10:10:52Z", - "service": { - "name": "ThreatIntelligence" - }, - "user": { - "name": "human@example.org", - "id": "ThreatIntel", - "email": "human@example.org" - }, - "organization": { - "id": "0eaa2260-b241-410b-bcae-e38c8b68787f" - }, "action": { "id": 41, "name": "TIUrlClickData", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { "record_type": 41, 
@@ -1525,10 +1514,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "System" } }, + "organization": { + "id": "0eaa2260-b241-410b-bcae-e38c8b68787f" + }, "related": { "user": [ "human@example.org" ] + }, + "service": { + "name": "ThreatIntelligence" + }, + "user": { + "email": "human@example.org", + "id": "ThreatIntel", + "name": "human@example.org" } } 
@@ -1543,57 +1543,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-08-31T07:24:24\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Operation\": \"AlertTriggered\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"ts\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"te\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"tid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"tdc\\\":\\\"1\\\",\\\"af\\\":\\\"0\\\",\\\"tht\\\":\\\"Phish,\\n\\nMalicious\\\",\\\"als\\\":\\\"Protection\\\",\\\"op\\\":\\\"Protection\\\",\\\"wsrt\\\":\\\"0001-01-01T00:00:00\\\",\\\"mdt\\\":\\\"u\\\",\\\"rid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"cid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"ad\\\":\\\"This\\nalert fires when message containing phish was delivered due to an ETR override. 
\\n-V1.0.0.5\\\",\\\"lon\\\":\\\"Protection\\\",\\\"an\\\":\\\"Phish delivered due to an ETR override\\\",\\\"sev\\\":\\\"Informational\\\"}\", \"Name\": \"Phish delivered due to an ETR override\", \"PolicyId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Severity\": \"Informational\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", "event": { "action": "AlertTriggered", - "kind": "alert", - "code": "40", "category": [ "intrusion_detection" ], + "code": "40", + "kind": "alert", "type": [ "info" ] }, "@timestamp": "2023-08-31T07:24:24Z", - "service": { - "name": "SecurityComplianceCenter" - }, - "user": { - "name": "SecurityComplianceAlerts", - "id": "SecurityComplianceAlerts" - }, - "organization": { - "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" - }, "action": { "id": 40, "name": "AlertTriggered", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { - "record_type": 40, - "result_status": "Succeeded", - "user_type": { - "code": 4, - "name": "System" - }, - "audit": { - "object_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" - }, "alert": { "category": "ThreatManagement", "display_name": "Phish delivered due to an ETR override", "severity": "Informational", "source": "Office 365 Security & Compliance", "status": "Active" + }, + "audit": { + "object_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" } }, - "rule": { + "organization": { "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" }, "related": { "user": [ "SecurityComplianceAlerts" ] + }, + "rule": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" } } 
@@ -1608,53 +1608,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2022-04-05T19:51:35\",\"Id\":\"1324e3d2-f29c-5c15-9f44-1ca64e42250f\",\"Operation\":\"MessageCreatedHasLink\",\"OrganizationId\":\"34314e6e-4023-4e4b-a15e-143f63244e2b\",\"RecordType\":25,\"UserKey\":\"11dbae04-5d5d-4bc7-9766-16793ed91233\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\",\"ClientIP\":\"::ffff:1.2.3.4\",\"UserId\":\"email@example.org\",\"ChatThreadId\":\"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\",\"CommunicationType\":\"OneOnOne\",\"ExtraProperties\":[{\"Key\":\"TimeZone\",\"Value\":\"Europe/Paris\"},{\"Key\":\"OsName\",\"Value\":\"windows\"},{\"Key\":\"OsVersion\",\"Value\":\"10\"},{\"Key\":\"Country\",\"Value\":\"fr\"},{\"Key\":\"ClientName\",\"Value\":\"skypeteams\"},{\"Key\":\"ClientVersion\",\"Value\":\"27/1.0.0.2022031814\"},{\"Key\":\"ClientUtcOffsetSeconds\",\"Value\":\"7200\"}],\"MessageId\":\"1649188295480\",\"MessageVersion\":\"1649188295480\",\"ItemName\":\"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\",\"MessageURLs\":[\"https://www.amazon.fr/s?i=merchant-items&me=A1TLEYKQIC7812&marketplaceID=A13V1IB3VIYZZH&qid=1649187214&ref=sr_pg_1\"],\"Members\": [{\"UPN\": \"admin@example.org\", \"Role\": 1}, {\"UPN\": \"user1@example.org\", \"Role\": 0}]}", "event": { "action": "MessageCreatedHasLink", - "kind": "event", - "code": "25", "category": [ "network" ], + "code": "25", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2022-04-05T19:51:35Z", - "service": { - "name": "MicrosoftTeams" - }, - "user": { - "name": "email@example.org", - "id": "11dbae04-5d5d-4bc7-9766-16793ed91233", - "email": "email@example.org" - }, - "organization": { - "id": "34314e6e-4023-4e4b-a15e-143f63244e2b" - }, "action": { "id": 25, "name": "MessageCreatedHasLink", - "target": "network-traffic", - "outcome": "success" - }, - 
"source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "outcome": "success", + "target": "network-traffic" }, "office365": { "record_type": 25, - "user_type": { - "code": 0, - "name": "Regular" - }, "teams": { "communication": { "type": "OneOnOne" }, "message": { "id": "1649188295480", - "version": "1649188295480", "urls": [ "https://www.amazon.fr/s?i=merchant-items&me=A1TLEYKQIC7812&marketplaceID=A13V1IB3VIYZZH&qid=1649187214&ref=sr_pg_1" - ] + ], + "version": "1649188295480" }, "team": { "members": [ @@ -1668,8 +1649,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ] } + }, + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "34314e6e-4023-4e4b-a15e-143f63244e2b" + }, "related": { "ip": [ "1.2.3.4" @@ -1677,6 +1665,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "email@example.org" ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "email@example.org", + "id": "11dbae04-5d5d-4bc7-9766-16793ed91233", + "name": "email@example.org" } } 
@@ -1691,56 +1691,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-08-30T20:49:04\", \"Id\": \"f872f447-2417-492a-d462-08dba99a7777\", \"Operation\": \"AtpDetection\", \"OrganizationId\": \"4720ed5e-c545-46eb-99a5-958dd3337777\", \"RecordType\": 47, \"UserKey\": \"ThreatIntel\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"ThreatIntelligence\", \"UserId\": \"user@user.com\", \"DetectionDate\": \"2023-08-30T20:48:08\", \"DetectionMethod\": \"AntiMalware\", \"EventDeepLink\": \"https://security.mamamia.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2023-07-30T23:59:59.002Z&endtime=2023-09-01T23:59:59.002Z&query-Id=f872f447-2417-492a-d462-08dba99a7777\", \"FileData\": {\"DocumentId\": \"f773238b-ef02-41f4-94db-bbd7d5167777\", \"FileName\": \"file.exe\", \"FilePath\": \"https://user-my.sharepoint.com/personal/user_user_com/Documents/blabla .exe\", \"FileSize\": \"9670017\", \"FileVerdict\": 1, \"MalwareFamily\": \"Malicious Payload\", \"SHA256\": \"G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=\"}}", "event": { "action": "AtpDetection", - "kind": "event", "code": "47", + "kind": "event", "url": "https://security.mamamia.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2023-07-30T23:59:59.002Z&endtime=2023-09-01T23:59:59.002Z&query-Id=f872f447-2417-492a-d462-08dba99a7777" }, "@timestamp": "2023-08-30T20:49:04Z", - "service": { - "name": "ThreatIntelligence" - }, - "user": { - "name": "user@user.com", - "id": "ThreatIntel", - "email": "user@user.com" - }, - "organization": { - "id": "4720ed5e-c545-46eb-99a5-958dd3337777" - }, "action": { "id": 47, "name": "AtpDetection", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, - "office365": { - "record_type": 47, - "user_type": { - "code": 4, - "name": "System" + "file": { + "hash": { + "sha256": "G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=" }, + 
"name": "file.exe" + }, + "office365": { "defender": { "detection": { "method": "AntiMalware" }, "malware_family": "Malicious Payload" + }, + "record_type": 47, + "user_type": { + "code": 4, + "name": "System" } }, - "file": { - "name": "file.exe", - "hash": { - "sha256": "G2RPEZx++scsgqDs6wo6GyZpJuWbzRj0iPDSaGE7777=" - } - }, - "url": { - "original": "https://user-my.sharepoint.com/personal/user_user_com/Documents/blabla .exe", - "domain": "user-my.sharepoint.com", - "top_level_domain": "com", - "subdomain": "user-my", - "registered_domain": "sharepoint.com", - "path": "/personal/user_user_com/Documents/blabla .exe", - "scheme": "https", - "port": 443 + "organization": { + "id": "4720ed5e-c545-46eb-99a5-958dd3337777" }, "related": { "hash": [ @@ -1749,6 +1731,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user@user.com" ] + }, + "service": { + "name": "ThreatIntelligence" + }, + "url": { + "domain": "user-my.sharepoint.com", + "original": "https://user-my.sharepoint.com/personal/user_user_com/Documents/blabla .exe", + "path": "/personal/user_user_com/Documents/blabla .exe", + "port": 443, + "registered_domain": "sharepoint.com", + "scheme": "https", + "subdomain": "user-my", + "top_level_domain": "com" + }, + "user": { + "email": "user@user.com", + "id": "ThreatIntel", + "name": "user@user.com" } } 
@@ -1763,48 +1763,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2019-11-18T13:40:24\", \"Id\": \"038ae875-ffd8-45e4-9dcf-6e385cfad349\", \"Operation\": \"Update group.\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 8, \"ResultStatus\": \"Success\", \"UserKey\": \"10030000A96EA230@acme.onmicrosoft.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"\", \"ObjectId\": \"Not Available\", \"UserId\": \"Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}]}", "event": { "action": "Update group.", - "kind": "event", - "code": "8", "category": [ "iam" ], + "code": "8", + "kind": "event", "type": [ "change" ] }, "@timestamp": "2019-11-18T13:40:24Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com", - "id": "10030000A96EA230@acme.onmicrosoft.com", - "email": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" - }, - "organization": { - "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" - }, "action": { "id": 8, "name": "Update group.", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { + "audit": { + "object_id": "Not Available" + }, "record_type": 8, "result_status": "Success", "user_type": { "code": 0, "name": "Regular" - }, - "audit": { - "object_id": "Not Available" } }, + "organization": { + "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" + }, "related": { "user": [ "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "email": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com", + "id": "10030000A96EA230@acme.onmicrosoft.com", + "name": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" } } 
@@ -1819,48 +1819,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2019-12-09T14:18:19\", \"Id\": \"359154c4-72c5-4ba0-bbf9-7eb1dff88af7\", \"Operation\": \"Update user.\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 8, \"ResultStatus\": \"Success\", \"UserKey\": \"10030000A96EA230@acme.onmicrosoft.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"\", \"ObjectId\": \"bob.smith@acme.org\", \"UserId\": \"Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"resultType\", \"Value\": \"Success\"}, {\"Name\": \"auditEventCategory\", \"Value\": \"UserManagement\"}, {\"Name\": \"nCloud\", \"Value\": \"\"}]}", "event": { "action": "Update user.", - "kind": "event", - "code": "8", "category": [ "iam" ], + "code": "8", + "kind": "event", "type": [ "change" ] }, "@timestamp": "2019-12-09T14:18:19Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com", - "id": "10030000A96EA230@acme.onmicrosoft.com", - "email": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" - }, - "organization": { - "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" - }, "action": { "id": 8, "name": "Update user.", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { + "audit": { + "object_id": "bob.smith@acme.org" + }, "record_type": 8, "result_status": "Success", "user_type": { "code": 0, "name": "Regular" - }, - "audit": { - "object_id": "bob.smith@acme.org" } }, + "organization": { + "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" + }, "related": { "user": [ "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "email": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com", + "id": 
"10030000A96EA230@acme.onmicrosoft.com", + "name": "Sync_V-WATT_83d3b7098669@acme.onmicrosoft.com" } } 
@@ -1875,40 +1875,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2021-03-05T14:43:17\",\"Id\":\"21a107c2-2071-4ce3-8330-cf82f3caa79f\",\"Operation\":\"Update user.\",\"OrganizationId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"UserKey\":\"10030000A96EA230@domain.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"\",\"ObjectId\":\"aaaa.bbbb@example.org\",\"UserId\":\"user@domain.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"}],\"ModifiedProperties\":[{\"Name\":\"LastDirSyncTime\",\"NewValue\":\"[\\r\\n \\\"2021-03-05T14:43:17Z\\\"\\r\\n]\",\"OldValue\":\"[\\r\\n \\\"2021-03-03T12:30:50Z\\\"\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"LastDirSyncTime\",\"OldValue\":\"\"},{\"Name\":\"Action Client 
Name\",\"NewValue\":\"DirectorySync\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"Actor\":[{\"ID\":\"user@domain.onmicrosoft.com\",\"Type\":5},{\"ID\":\"10030000A96EA230\",\"Type\":3},{\"ID\":\"User_c96cf894-cca6-438b-b6f2-c2744c1680f5\",\"Type\":2},{\"ID\":\"c96cf894-cca6-438b-b6f2-c2744c1680f5\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\",\"ActorIpAddress\":\"\",\"InterSystemsId\":\"92d46438-1e67-43e3-91ca-039ff39d7217\",\"IntraSystemId\":\"bd8cc421-efe8-4a44-b61d-44670fc6f56e\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\",\"Type\":2},{\"ID\":\"de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"aaaa.bbbb@example.org\",\"Type\":5},{\"ID\":\"1003200119762B26\",\"Type\":3}],\"TargetContextId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\"}", "event": { "action": "Update user.", - "kind": "event", - "code": "8", "category": [ "iam" ], + "code": "8", + "kind": "event", "type": [ "change" ] }, "@timestamp": "2021-03-05T14:43:17Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": "user@domain.onmicrosoft.com", - "id": "10030000A96EA230@domain.onmicrosoft.com", - "email": "user@domain.onmicrosoft.com" - }, - "organization": { - "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" - }, "action": { "id": 8, "name": "Update user.", - "target": "user", - "outcome": "success" + "outcome": "success", + "target": "user" }, "office365": { - "record_type": 8, - "result_status": "Success", - "user_type": { - "code": 0, - "name": "Regular" - }, "audit": { "object_id": "aaaa.bbbb@example.org" }, 
@@ -1916,12 +1899,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. "correlation": { "id": "92d46438-1e67-43e3-91ca-039ff39d7217" } + }, + "record_type": 8, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" + }, "related": { "user": [ "user@domain.onmicrosoft.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "email": "user@domain.onmicrosoft.com", + "id": "10030000A96EA230@domain.onmicrosoft.com", + "name": "user@domain.onmicrosoft.com" } } 
@@ -1936,72 +1936,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2019-11-18T10:15:52\", \"Id\": \"405f795f-8bff-45d2-98c9-ef675d7d2db6\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 15, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"10037FFEA0A22006@company.onmicrosoft.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"1.2.3.4:8085\", \"ObjectId\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"UserId\": \"REDACTED@company.onmicrosoft.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}, {\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"KeepMeSignedIn\", \"Value\": \"True\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"3d0e7ff9-261e-440f-a2f8-9e1ec4072f3e\", \"Type\": 0}, {\"ID\": \"REDACTED@company.onmicrosoft.com\", \"Type\": 5}, {\"ID\": \"10037FFEA0A22006\", \"Type\": 3}], \"ActorContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"ActorIpAddress\": \"1.2.3.4\", \"InterSystemsId\": \"794c9504-66fe-441c-831a-5fc2badfcdc8\", \"IntraSystemId\": \"99f54f6a-ddfe-4916-b89b-edd9fcac4500\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"5f09333a-842c-47da-a157-57da27fcbca5\", \"Type\": 0}], \"TargetContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"ApplicationId\": \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\"}", "event": { "action": "UserLoggedIn", - "kind": "event", - "code": "15", "category": [ "authentication" ], + "code": "15", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2019-11-18T10:15:52Z", - "service": { - "name": 
"AzureActiveDirectory" - }, - "user": { - "name": "REDACTED@company.onmicrosoft.com", - "id": "10037FFEA0A22006@company.onmicrosoft.com", - "email": "REDACTED@company.onmicrosoft.com" - }, - "organization": { - "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" - }, "action": { "id": 15, "name": "UserLoggedIn", - "target": "network-traffic", - "outcome": "success" - }, - "source": { - "ip": "1.2.3.4", - "port": 8085, - "address": "1.2.3.4" + "outcome": "success", + "target": "network-traffic" }, "office365": { - "record_type": 15, - "result_status": "Succeeded", - "user_type": { - "code": 0, - "name": "Regular" - }, "audit": { "object_id": "5f09333a-842c-47da-a157-57da27fcbca5" }, "auth": { - "user_authentication_method": 1, + "keep_me_signed_in": true, "request_type": "OAuth2:Authorize", "result_status_detail": "Redirect", - "keep_me_signed_in": true + "user_authentication_method": 1 }, "context": { "correlation": { "id": "794c9504-66fe-441c-831a-5fc2badfcdc8" } - } - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763", - "device": { - "name": "Other" }, - "name": "Edge", - "version": "18.17763", - "os": { - "name": "Windows", - "version": "10" + "record_type": 15, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" + }, "related": { "ip": [ "1.2.3.4" 
@@ -2009,6 +1984,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "REDACTED@company.onmicrosoft.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 8085 + }, + "user": { + "email": "REDACTED@company.onmicrosoft.com", + "id": "10037FFEA0A22006@company.onmicrosoft.com", + "name": "REDACTED@company.onmicrosoft.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "18.17763" } } 
@@ -2023,83 +2023,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\": \"2023-05-02T18:02:13\", \"Id\": \"5f24aa82-f874-44d1-b6df-857cd9e1decf\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"e1a908bd-8353-44e1-b957-5b8f1d90bde1\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"1111111111111111\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"john.doe@example.org\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Authorize\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Type\": 0}, {\"ID\": \"john.doe@example.org\", \"Type\": 5}], \"ActorContextId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"ActorIpAddress\": \"1.2.3.4\", \"InterSystemsId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"IntraSystemId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"00000003-0000-0ff1-ce00-000000000000\", \"Type\": 0}], \"TargetContextId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"ApplicationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"DeviceProperties\": [{\"Name\": \"Id\", \"Value\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}, {\"Name\": \"DisplayName\", \"Value\": \"displayname\"}, {\"Name\": \"OS\", \"Value\": \"Windows 10\"}, {\"Name\": \"BrowserType\", \"Value\": \"Firefox\"}, {\"Name\": \"IsCompliant\", \"Value\": \"True\"}, {\"Name\": \"IsCompliantAndManaged\", \"Value\": \"True\"}, {\"Name\": \"TrustType\", \"Value\": \"2\"}, {\"Name\": \"SessionId\", \"Value\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\"}], \"ErrorNumber\": 
\"0\"}", "event": { "action": "UserLoggedIn", - "kind": "event", - "code": "15", "category": [ "authentication" ], + "code": "15", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2023-05-02T18:02:13Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": "john.doe@example.org", - "id": "1111111111111111", - "email": "john.doe@example.org" - }, - "organization": { - "id": "e1a908bd-8353-44e1-b957-5b8f1d90bde1" - }, "action": { "id": 15, "name": "UserLoggedIn", - "target": "network-traffic", - "outcome": "success" + "outcome": "success", + "target": "network-traffic" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "host": { + "name": "displayname", + "os": { + "full": "Windows 10" + } }, "office365": { - "record_type": 15, - "result_status": "Success", - "user_type": { - "code": 0, - "name": "Regular" - }, "audit": { "object_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" }, - "error_number": 0, - "device": { - "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", - "is_compliant": true, - "is_compliant_and_managed": true, - "trust_type": 2 - }, "auth": { "request_type": "OAuth2:Authorize", "result_status_detail": "Redirect" }, "context": { + "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", "correlation": { "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" - }, - "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" - } - }, - "host": { - "os": { - "full": "Windows 10" + } }, - "name": "displayname" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "device": { - "name": "Other" + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", + "is_compliant": true, + "is_compliant_and_managed": true, + "trust_type": 2 }, - "name": "Firefox", - "version": "102.0", - "os": { - "name": "Windows", - "version": "10" + "error_number": 0, + "record_type": 15, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": 
"e1a908bd-8353-44e1-b957-5b8f1d90bde1" + }, "related": { "ip": [ "1.2.3.4" @@ -2107,6 +2083,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example.org", + "id": "1111111111111111", + "name": "john.doe@example.org" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "102.0" } } 
@@ -2121,81 +2121,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"CreationTime\":\"2022-10-14T13:48:03\",\"Id\":\"4af0b443-42dd-4dc6-9bd1-751a55441000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"785d81fb-82aa-4ff3-9cbc-e3280761f36a\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"20.250.8.183\",\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"UserId\":\"user@mycompany.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"SAS:EndAuth\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"785d81fb-82aa-4ff3-9cbc-e3280761f36a\",\"Type\":0},{\"ID\":\"user@mycompany.com\",\"Type\":5}],\"ActorContextId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"ActorIpAddress\":\"20.250.8.183\",\"InterSystemsId\":\"d48e6ea0-40c1-5000-5eba-0ee33d13b1ca\",\"IntraSystemId\":\"4af0b443-42dd-4dc6-9bd1-751a55441000\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows 10\"},{\"Name\":\"BrowserType\",\"Value\":\"Firefox\"},{\"Name\":\"IsCompliantAndManaged\",\"Value\":\"False\"},{\"Name\":\"SessionId\",\"Value\":\"b3a9b2b4-57c9-406b-9a2d-106b7f612248\"}],\"ErrorNumber\":\"500121\",\"LogonError\":\"AuthenticationFailedSasError\"}", "event": { "action": "UserLoginFailed", - "kind": "event", - "code": "15", "category": [ "iam" ], + "code": "15", + "kind": "event", "type": [ "info" ] }, "@timestamp": 
"2022-10-14T13:48:03Z", - "service": { - "name": "AzureActiveDirectory" - }, - "user": { - "name": "user@mycompany.com", - "id": "785d81fb-82aa-4ff3-9cbc-e3280761f36a", - "email": "user@mycompany.com" - }, - "organization": { - "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2" - }, "action": { "id": 15, "name": "UserLoginFailed", - "target": "network-traffic", - "outcome": "success" + "outcome": "success", + "target": "network-traffic" }, - "source": { - "ip": "20.250.8.183", - "address": "20.250.8.183" + "host": { + "os": { + "full": "Windows 10" + } }, "office365": { - "record_type": 15, - "result_status": "Success", - "user_type": { - "code": 0, - "name": "Regular" - }, "audit": { "object_id": "00000003-0000-0ff1-ce00-000000000000" }, - "logon_error": "AuthenticationFailedSasError", - "error_number": 500121, - "device": { - "is_compliant_and_managed": false - }, "auth": { - "user_authentication_method": 1, "request_type": "SAS:EndAuth", - "result_status_detail": "Success" + "result_status_detail": "Success", + "user_authentication_method": 1 }, "context": { + "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248", "correlation": { "id": "d48e6ea0-40c1-5000-5eba-0ee33d13b1ca" - }, - "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248" - } - }, - "host": { - "os": { - "full": "Windows 10" - } - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0", + } + }, "device": { - "name": "Other" + "is_compliant_and_managed": false }, - "name": "Firefox", - "version": "105.0", - "os": { - "name": "Windows", - "version": "10" + "error_number": 500121, + "logon_error": "AuthenticationFailedSasError", + "record_type": 15, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" } }, + "organization": { + "id": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2" + }, "related": { "ip": [ "20.250.8.183" 
@@ -2203,6 +2179,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "user@mycompany.com" ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "source": { + "address": "20.250.8.183", + "ip": "20.250.8.183" + }, + "user": { + "email": "user@mycompany.com", + "id": "785d81fb-82aa-4ff3-9cbc-e3280761f36a", + "name": "user@mycompany.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "105.0" } } diff --git a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md index 90138eb3d7..11d6769ad8 100644 --- a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md +++ b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md 
@@ -36,30 +36,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"id\": \"00a8bc91-bd77-45d5-bf45-213c6b7fee19\", \"portal-id\": \"XXXXXX\", \"classification\": \"impersonating-domain-alert\", \"risk-assessment\": { \"risk-level\": \"low\" }, \"risk-factors\": [ \"Has assets in content\", \"Hosting content\", \"Has a DNS record\", \"Newly registered when raised\" ], \"title\": \"Impersonating Domain example.info\", \"description\": \"A domain that is possibly impersonating your assets was detected.\\n\\nRisk Level: Low\\nImpersonating Domain: example.info\\nLast Registered: \\n\\nRisk Factors:\\n* Has assets in content\\n* Hosting content\\n* Has a DNS record\\n* Newly registered when raised\\n\\nMatched Assets:\\n* example\\n* example.biz\\n* example.eu\\n* example.fr\\n\\n\\nWHOIS records provide the following information:\\nRegistrar: Epik, Inc.\\nRegistrar abuse contact email: donuts@epik.com\\nRegistrar abuse contact phone: 425-765-0077\\nCreated: 19 Feb 2021 16:35\\nLast updated: 21 Feb 2022 09:35\\nRegistrar registration expiration date: 19 Feb 2023 16:35\\n\\nDNS Record\\nA - 185.255.121.5\\nNS - ns3.epik.com.\\nNS - ns4.epik.com.\\nSOA - ns3.epik.com. support.epik.com. 
2022022101 10800 3600 604800 3600\\nTXT - \\\"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\\\"\\nTXT - \\\"dan-ownership-verification=54z0h1kj\\\"\\nTXT - \\\"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\\\"\\n\\nAlert Raised: 05 Dec 2019 21:03\\nAlert Updated: 03 Mar 2022 13:03\\n\\nSearchlight Portal ID: XXXXX\\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\\n\", \"assets\": [ { \"id\": \"76ab3f96-c12c-428d-b213-446f17b7ab9b\" }, { \"id\": \"5fa68b35-a58f-40de-b2af-74be78b45b2d\" }, { \"id\": \"1647634f-d3e4-4150-991a-a99d5682644b\" }, { \"id\": \"1bf42c15-4d9d-40cc-b63a-e6e9a08151dc\" } ], \"raised\": \"2019-12-05T21:03:10.433Z\", \"updated\": \"2022-03-03T13:03:51.044370Z\" }", "event": { - "kind": "alert", + "action": "impersonating-domain-alert", "category": [ "threat" ], - "type": [ - "indicator" - ], - "action": "impersonating-domain-alert", + "end": "2022-03-03T13:03:51.044370Z", + "kind": "alert", "reason": "Impersonating Domain example.info", "start": "2019-12-05T21:03:10.433000Z", - "end": "2022-03-03T13:03:51.044370Z" + "type": [ + "indicator" + ] }, "digital_shadows_searchlight": { + "description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 
2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n", "event": { "id": "00a8bc91-bd77-45d5-bf45-213c6b7fee19" }, + "portal_id": "XXXXXX", "risk_factors": [ + "Has a DNS record", "Has assets in content", "Hosting content", - "Has a DNS record", "Newly registered when raised" ], - "portal_id": "XXXXXX", - "description": "A domain that is possibly impersonating your assets was detected.\n\nRisk Level: Low\nImpersonating Domain: example.info\nLast Registered: \n\nRisk Factors:\n* Has assets in content\n* Hosting content\n* Has a DNS record\n* Newly registered when raised\n\nMatched Assets:\n* example\n* example.biz\n* example.eu\n* example.fr\n\n\nWHOIS records provide the following information:\nRegistrar: Epik, Inc.\nRegistrar abuse contact email: donuts@epik.com\nRegistrar abuse contact phone: 425-765-0077\nCreated: 19 Feb 2021 16:35\nLast updated: 21 Feb 2022 09:35\nRegistrar registration expiration date: 19 Feb 2023 16:35\n\nDNS Record\nA - 185.255.121.5\nNS - ns3.epik.com.\nNS - ns4.epik.com.\nSOA - ns3.epik.com. support.epik.com. 2022022101 10800 3600 604800 3600\nTXT - \"841f65603f47f3a7c35da7caf0f2ceaee92a1ed6\"\nTXT - \"dan-ownership-verification=54z0h1kj\"\nTXT - \"godaddyverification=Q8293uVVCXS1ttOuxPoOKg==\"\n\nAlert Raised: 05 Dec 2019 21:03\nAlert Updated: 03 Mar 2022 13:03\n\nSearchlight Portal ID: XXXXX\nSearchlight Portal Link: https://portal-digitalshadows.com/triage/alerts/XXXXX\n", "risk_level": "low" } } 
@@ -74,25 +74,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"id\":8484455,\"classification\":\"exposed-port-incident\",\"risk-level\":\"low\",\"title\":\"Exposed open port\",\"description\":\"The following ports have been detected on IP 11.22.33.44\\nPort 123\\n\",\"impact-description\":\"Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\\n\",\"mitigation\":\"Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\\t\\n\",\"assets\":[{\"id\":\"7332ea8f-cfbf-4bcf-8a1b-3b0991258dac\"}],\"raised\":\"2022-03-15T19:16:06.981Z\",\"updated\":\"2022-03-15T19:16:06.981Z\"}", "event": { - "kind": "alert", + "action": "exposed-port-incident", "category": [ "threat" ], - "type": [ - "indicator" - ], - "action": "exposed-port-incident", + "end": "2022-03-15T19:16:06.981000Z", + "kind": "alert", "reason": "Exposed open port", "start": "2022-03-15T19:16:06.981000Z", - "end": "2022-03-15T19:16:06.981000Z" + "type": [ + "indicator" + ] }, "digital_shadows_searchlight": { + "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n", "event": { "id": "8484455" }, "impact_description": "Port 123: Port 123 (Network Time Protocol) can be abused to cause a denial-of-service attack and should not be exposed to the public Internet.\n", "mitigation": "Port 123: This port should ideally not be reachable from the public Internet and so should be firewalled off. 
In cases where this is not feasible, a technical compensating control could be the introduction of IP allowlisting of known IPs to prevent unauthorized access.\t\n", - "description": "The following ports have been detected on IP 11.22.33.44\nPort 123\n", "risk_level": "low" } } diff --git a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md index e7f57de720..bd160742ab 100644 --- a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md +++ b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md 
@@ -35,41 +35,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/index.html\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"100000\",\n \"driveUid\": \"\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"false\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/index.html\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - "type": [ - "connection", - "access" - ], "action": "brain", - "module": "ogo.shield.waf", - "dataset": 
"ogo-shield", "category": [ "network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/index.html" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -77,25 +65,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "false", + "appliedAction": "brain", "auditMode": "false", - "geoblocked": "false", + "blocked": "false", "credibility": "100000", - "appliedAction": "brain", - "whitelistedIp": "false", + "geoblocked": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/index.html" } } 
@@ -109,45 +109,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"-1\",\n \"driveUid\": \"4F1AB8245012413EBC182B80AAC1FFF3\",\n \"driveLabel\":\"Linux files\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"true\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - 
"type": [ - "connection", - "access" - ], "action": "brain", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ "network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd" - }, - "rule": { - "uuid": "4F1AB8245012413EBC182B80AAC1FFF3", - "name": "Linux files" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -155,29 +139,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "true", + "appliedAction": "brain", "auditMode": "false", + "blocked": "true", + "credibility": "-1", "drive": { - "uid": "4F1AB8245012413EBC182B80AAC1FFF3", - "label": "Linux files" + "label": "Linux files", + "uid": "4F1AB8245012413EBC182B80AAC1FFF3" }, "geoblocked": "false", - "credibility": "-1", - "appliedAction": "brain", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "rule": { + "name": "Linux files", + "uuid": "4F1AB8245012413EBC182B80AAC1FFF3" + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd" } } 
@@ -191,45 +191,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"19000\",\n \"driveUid\": \"4F1AB8245012413EBC182B80AAC1FFF3\",\n \"driveLabel\":\"Linux files\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"false\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - 
"type": [ - "connection", - "access" - ], "action": "brain", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ "network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd" - }, - "rule": { - "uuid": "4F1AB8245012413EBC182B80AAC1FFF3", - "name": "Linux files" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -237,29 +221,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "false", + "appliedAction": "brain", "auditMode": "false", + "blocked": "false", + "credibility": "19000", "drive": { - "uid": "4F1AB8245012413EBC182B80AAC1FFF3", - "label": "Linux files" + "label": "Linux files", + "uid": "4F1AB8245012413EBC182B80AAC1FFF3" }, "geoblocked": "false", - "credibility": "19000", - "appliedAction": "brain", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "rule": { + "name": "Linux files", + "uuid": "4F1AB8245012413EBC182B80AAC1FFF3" + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd" } } 
@@ -273,41 +273,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/\",\n \"ogo\": {\n \"appliedAction\": \"denied\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"true\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - "type": [ - "connection", - "access" - ], "action": "denied", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ "network" ], - "duration": 0 - }, - "url": { 
- "full": "https://example.com/" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -315,24 +303,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "true", + "appliedAction": "denied", "auditMode": "false", + "blocked": "true", "geoblocked": "false", - "appliedAction": "denied", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/" } } 
@@ -346,41 +346,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/index.html\",\n \"ogo\": {\n \"appliedAction\": \"bypass\",\n \"driveUid\": \"\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"false\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/index.html\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - "type": [ - "connection", - "access" - ], "action": "bypass", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ 
"network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/index.html" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -388,24 +376,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "false", + "appliedAction": "bypass", "auditMode": "false", + "blocked": "false", "geoblocked": "false", - "appliedAction": "bypass", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/index.html" } } 
@@ -419,41 +419,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/index.html\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"driveUid\": \"\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"true\",\n \"blocked\": \"true\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/index.html\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - "type": [ - "connection", - "access" - ], "action": "brain", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ 
"network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/index.html" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -461,24 +449,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "true", + "appliedAction": "brain", "auditMode": "false", + "blocked": "true", "geoblocked": "true", - "appliedAction": "brain", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/index.html" } } 
@@ -492,45 +492,29 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/index.html\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"99782\",\n \"driveUid\": \"41150EF72BD544529AA67E9B1C0310DC\",\n \"driveLabel\":\"Smart Rate Limiting\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"false\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/index.html\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { - "kind": "event", - "type": [ - "connection", - 
"access" - ], "action": "brain", - "module": "ogo.shield.waf", - "dataset": "ogo-shield", "category": [ "network" ], - "duration": 0 - }, - "url": { - "full": "https://example.com/index.html" - }, - "rule": { - "uuid": "41150EF72BD544529AA67E9B1C0310DC", - "name": "Smart Rate Limiting" - }, - "source": { - "ip": "20.20.20.20", - "address": "20.20.20.20" + "dataset": "ogo-shield", + "duration": 0, + "kind": "event", + "module": "ogo.shield.waf", + "type": [ + "access", + "connection" + ] }, "@timestamp": "2023-05-24T14:00:10.291000Z", - "observer": { - "type": "firewall", - "vendor": "OGO Security", - "product": "Web Application Firewall" - }, "client": { "address": "20.20.20.20", "geo": { + "city_name": "Paris", + "country_iso_code": "FR", "location": { "lat": 48.844, "lon": 2.408 - }, - "city_name": "Paris", - "country_iso_code": "FR" + } } }, "http": { 
@@ -538,29 +522,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. "status_code": 200 } }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "OGO Security" + }, "ogo": { - "site": "example.com", - "blocked": "false", + "appliedAction": "brain", "auditMode": "false", + "blocked": "false", + "credibility": "99782", "drive": { - "uid": "41150EF72BD544529AA67E9B1C0310DC", - "label": "Smart Rate Limiting" + "label": "Smart Rate Limiting", + "uid": "41150EF72BD544529AA67E9B1C0310DC" }, "geoblocked": "false", - "credibility": "99782", - "appliedAction": "brain", - "whitelistedIp": "false", "request": { "headers": "{\"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\", \"accept-encoding\": \"gzip, deflate, br\", \"connection\": \"keep-alive\", \"host\": \"example.com\", \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\", \"x-forwarded-for\": [\"20.20.20.20\"], \"x-forwarded-host\": \"example.com\", \"x-forwarded-port\": \"80\", \"x-forwarded-proto\": \"http\", \"x-forwarded-server\": \"677de812e565\", \"x-ogo-shield\": \"0487b7d5\", \"x-real-ip\": \"20.20.20.20\"}" }, "response": { "headers": "{\"content-encoding\": \"gzip\", \"content-type\": \"text/html; charset=UTF-8\", \"date\": \"Wed, 24 May 2023 13:58:44 GMT\", \"server\": \"nginx/1.6.2 (Ubuntu)\"}" - } + }, + "site": "example.com", + "whitelistedIp": "false" }, "related": { "ip": [ "20.20.20.20" ] + }, + "rule": { + "name": "Smart Rate Limiting", + "uuid": "41150EF72BD544529AA67E9B1C0310DC" + }, + "source": { + "address": "20.20.20.20", + "ip": "20.20.20.20" + }, + "url": { + "full": "https://example.com/index.html" } } 
diff --git a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md index 584028e00f..fc52d556e8 100644 --- a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md +++ b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md @@ -52,32 +52,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, + "cloudflare": { + "OverridePort": 0, + "SessionID": "1725de7a2d0000215517735400000001" + }, "destination": { + "address": "104.244.42.193", "domain": "www.twitter.com", "ip": "104.244.42.193", - "address": "104.244.42.193", "port": 443 }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, "network": { "transport": "tcp" }, - "source": { - "ip": "15.188.186.81", - "port": 34080, - "address": "15.188.186.81" - }, - "tls": { - "client": { - "server_name": "www.twitter.com" - } - }, - "cloudflare": { - "OverridePort": 0, - "SessionID": "1725de7a2d0000215517735400000001" + "observer": { + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "hosts": [ @@ -87,6 +77,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "104.244.42.193", "15.188.186.81" ] + }, + "source": { + "address": "15.188.186.81", + "ip": "15.188.186.81", + "port": 34080 + }, + "tls": { + "client": { + "server_name": "www.twitter.com" + } } } @@ -116,10 +116,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, + "cloudflare": { + "OverridePort": 0, + "SessionID": "187ee08b7d00003d0d8e47f400000001" + }, "destination": { + "address": "104.18.5.35", "domain": "commandandcontrolandbotnet.testcategory.com", "ip": "104.18.5.35", - "address": "104.18.5.35", "port": 443 }, "device": { 
@@ -129,30 +133,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hostname": "DESKTOP-ABCDEF", "name": "DESKTOP-ABCDEF" }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, "network": { "transport": "tcp" }, - "user": { - "email": "john.doe@test.com", - "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3" - }, - "source": { - "ip": "15.188.186.81", - "port": 54945, - "address": "15.188.186.81" - }, - "tls": { - "client": { - "server_name": "commandandcontrolandbotnet.testcategory.com" - } - }, - "cloudflare": { - "OverridePort": 0, - "SessionID": "187ee08b7d00003d0d8e47f400000001" + "observer": { + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "hosts": [ @@ -163,6 +149,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "104.18.5.35", "15.188.186.81" ] + }, + "source": { + "address": "15.188.186.81", + "ip": "15.188.186.81", + "port": 54945 + }, + "tls": { + "client": { + "server_name": "commandandcontrolandbotnet.testcategory.com" + } + }, + "user": { + "email": "john.doe@test.com", + "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3" } } @@ -192,32 +192,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "1d1e650b3385b95db72bba7cfb1287e9" } }, + "cloudflare": { + "OverridePort": 0, + "SessionID": "1725de7a2d0000215517735400000001" + }, "destination": { - "ip": "104.244.42.193", "address": "104.244.42.193", + "ip": "104.244.42.193", "port": 443 }, - "observer": { - "type": "proxy", - "vendor": "Cloudflare" - }, "network": { "transport": "tcp" }, - "source": { - "ip": "15.188.186.81", - "port": 34080, - "address": "15.188.186.81" - }, - "cloudflare": { - "OverridePort": 0, - "SessionID": "1725de7a2d0000215517735400000001" + "observer": { + "type": "proxy", + "vendor": "Cloudflare" }, "related": { "ip": [ "104.244.42.193", "15.188.186.81" ] + }, + "source": { + "address": "15.188.186.81", + "ip": "15.188.186.81", + "port": 34080 } } 
diff --git a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md index 7506a79f9f..1f8e4ca479 100644 --- a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md +++ b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md @@ -39,21 +39,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"Apex Execution\",\"USER\":\"john.doe@example.com\",\"CLASS_NAME\":\"AccountTrigger\",\"METHOD_NAME\":\"beforeInsert\",\"EXECUTION_TIME\":100,\"ERROR_MESSAGE\":\"\",\"DEBUG_LOG_ID\":\"XYZ987ABC\",\"NAMESPACE\":\"my_namespace\",\"SANDBOX\":true}", "event": { - "kind": "event", - "dataset": "Apex Execution", "category": [ "network" ], + "dataset": "Apex Execution", + "kind": "event", "type": [ "info" ] }, "salesforce": { - "method": { - "name": "beforeInsert" - }, "class": { "name": "AccountTrigger" + }, + "method": { + "name": "beforeInsert" } }, "user": { @@ -71,16 +71,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"API\",\"USER\":\"john.doe@example.com\",\"API_METHOD\":\"update\",\"OBJECT_TYPE\":\"Account\",\"OBJECT_ID\":\"001\",\"TIMESTAMP\":\"2023-07-03T11:30:00Z\",\"RESPONSE_CODE\":200,\"ERROR_MESSAGE\":\"\",\"API_VERSION\":\"49.0\",\"API_ENDPOINT\":\"/services/data/v49.0/sobjects/Account/001\"}", "event": { - "kind": "event", - "dataset": "API", "category": [ "network" ], + "dataset": "API", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-07-03T11:30:00Z", + "http": { + "request": { + "method": "update" + } + }, "salesforce": { "api": { "version": "49.0" 
@@ -89,11 +94,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Account" } }, - "http": { - "request": { - "method": "update" - } - }, "url": { "path": "/services/data/v49.0/sobjects/Account/001" }, @@ -112,16 +112,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"ApiTotalUsage\",\"TIMESTAMP\":\"20230718225959.250\",\"REQUEST_ID\":\"4rBNTaVtlWrsM8G-mMBYk-\",\"ORGANIZATION_ID\":\"00D68000004DKqo\",\"USER_ID\":\"00568000004ogT4\",\"API_FAMILY\":\"REST\",\"API_VERSION\":\"58.0\",\"API_RESOURCE\":\"/v58.0/query\",\"CLIENT_NAME\":\"\",\"HTTP_METHOD\":\"GET\",\"CLIENT_IP\":\"141.95.144.78\",\"COUNTS_AGAINST_API_LIMIT\":\"1\",\"CONNECTED_APP_ID\":\"0H468000000kPN4\",\"ENTITY_NAME\":\"EventLogFile\",\"STATUS_CODE\":\"200\",\"TIMESTAMP_DERIVED\":\"2023-07-18T22:59:59.250Z\"}", "event": { - "kind": "event", - "dataset": "ApiTotalUsage", "category": [ "network" ], + "dataset": "ApiTotalUsage", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2034-02-09T04:23:42.595925Z", + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "organization": { + "id": "00D68000004DKqo" + }, + "related": { + "ip": [ + "141.95.144.78" + ] + }, "salesforce": { "api": { "version": "58.0" @@ -134,28 +150,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "resource": "/v58.0/query" } }, - "http": { - "response": { - "status_code": 200 - }, - "request": { - "method": "GET" - } - }, - "organization": { - "id": "00D68000004DKqo" - }, "source": { - "ip": "141.95.144.78", - "address": "141.95.144.78" + "address": "141.95.144.78", + "ip": "141.95.144.78" }, "user": { "id": "00568000004ogT4" - }, - "related": { - "ip": [ - "141.95.144.78" - ] } } 
@@ -169,12 +169,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"Audit Trail\",\"USER\":\"john.doe@example.com\",\"ACTION\":\"Field Update\",\"OBJECT_TYPE\":\"Opportunity\",\"OBJECT_ID\":\"002\",\"FIELD_NAME\":\"Stage\",\"OLD_VALUE\":\"Prospecting\",\"NEW_VALUE\":\"Closed Won\",\"TIMESTAMP\":\"2023-07-03T14:00:00Z\",\"RECORD_NAME\":\"Acme Opportunity\",\"RECORD_OWNER\":\"jane.smith@example.com\",\"RECORD_CREATED_DATE\":\"2023-07-01\",\"RECORD_LAST_MODIFIED_DATE\":\"2023-07-03\"}", "event": { - "kind": "event", - "dataset": "Audit Trail", "action": "Field Update", "category": [ "network" ], + "dataset": "Audit Trail", + "kind": "event", "type": [ "info" ] 
@@ -200,21 +200,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"API_TYPE\": \"myAPI\", \"API_VERSION\": \"1.0\", \"CLIENT_ID\": \"myClient123\", \"COMPONENT_NAME\": \"myComponent\", \"CONNECTION_TYPE\": \"wifi\", \"CONTROLLER_TYPE\": \"myController\", \"ENTITY_NAME\": \"myEntity\", \"LOGIN_KEY\": \"myLoginKey\", \"LOGIN_STATUS\": \"success\", \"LOGIN_SUB_TYPE\": \"myLoginSubType\", \"LOGIN_TYPE\": \"myLoginType\", \"METHOD_NAME\": \"myMethod\", \"OPERATION_TYPE\": \"myOperation\", \"LOGIN_STATUS\": \"success\", \"ORGANIZATION_ID\": \"myOrg123\", \"QUIDDITY\": \"myQuiddity\", \"REFERER_URI\": \"https://example.com\", \"REQUEST_ID\": \"myRequest123\", \"REQUEST_STATUS\": \"completed\", \"SESSION_KEY\": \"mySessionKey\", \"USER_INITIATED_LOGOUT\": true, \"USER_TYPE\": \"admin\", \"APP_NAME\": \"myAPP\", \"BROWSER_NAME\": \"Chrome\", \"BROWSER_TYPE\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\", \"BROWSER_VERSION\": \"93.0.4577.82\", \"CIPHER_SUITE\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"CLIENT_GEO\": \"United States/California\", \"CLIENT_IP\": \"1.2.3.4\", \"DEVICE_ID\": \"customDeviceId\", \"DEVICE_MODEL\": \"myDeviceModel\", \"DEVICE_PLATFORM\": \"iOS\", \"DURATION\": 123, \"EVENT_TYPE\": \"LightningPageView\", \"HTTP_METHOD\": \"GET\", \"MEDIA_TYPE\": \"someMediaType\", \"MESSAGE\": \"custom message\", \"OS_NAME\": \"Windows\", \"OS_VERSION\": \"10.0\", \"PAGE_START_TIME\": 1471564788642, \"PAGE_URL\": \"/sObject/0064100000JXITSAA5/view\", \"QUERY\": \"?queryParam1=val1&queryParam2=val2\", \"REQUEST_SIZE\": 123321, \"RESPONSE_SIZE\": 321321, \"TIMESTAMP_DERIVED\": \"2015-07-27T11:32:59.555Z\", \"TLS_PROTOCOL\": \"tlsProtocol\", \"UI_EVENT_ID\": \"ltng:error\", \"UI_EVENT_TYPE\": \"eventType\", \"USER_ID\": \"00530000009M943\", \"USER_NAME\": \"test_user\" }", "event": { - "kind": "event", - "dataset": "LightningPageView", - 
"reason": "custom message", - "start": "2016-08-18T23:59:48.642000Z", - "code": "ltng:error", "action": "eventType", "category": [ "network" ], + "code": "ltng:error", + "dataset": "LightningPageView", + "duration": 123, + "kind": "event", + "reason": "custom message", + "start": "2016-08-18T23:59:48.642000Z", "type": [ "info" - ], - "duration": 123 + ] }, "@timestamp": "2015-07-27T11:32:59.555000Z", + "host": { + "id": "customDeviceId", + "os": { + "name": "Windows", + "version": "10.0" + } + }, + "http": { + "request": { + "bytes": 123321, + "method": "GET" + }, + "response": { + "bytes": 321321, + "mime_type": "someMediaType" + } + }, + "network": { + "application": "myAPP" + }, + "organization": { + "id": "myOrg123" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "salesforce": { "api": { "type": "myAPI", @@ -223,17 +251,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "client": { "id": "myClient123" }, - "device": { - "model": "myDeviceModel", - "platform": "iOS" - }, - "entity": { - "name": "myEntity" - }, - "user": { - "type": "admin", - "initiated_logout": true - }, "component": { "name": "myComponent" }, @@ -243,6 +260,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "controller": { "type": "myController" }, + "device": { + "model": "myDeviceModel", + "platform": "iOS" + }, + "entity": { + "name": "myEntity" + }, "login": { "key": "myLoginKey", "status": "success", @@ -254,11 +278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operation": { "type": "myOperation" }, - "session": { - "key": { - "id": "mySessionKey" - } - }, "quiddity": { "name": "myQuiddity" }, 
@@ -268,66 +287,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. "request": { "id": "myRequest123", "status": "completed" - } - }, - "network": { - "application": "myAPP" - }, - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "version": "tlsProtocol" - }, - "host": { - "id": "customDeviceId", - "os": { - "name": "Windows", - "version": "10.0" - } - }, - "http": { - "request": { - "bytes": 123321, - "method": "GET" }, - "response": { - "mime_type": "someMediaType", - "bytes": 321321 + "session": { + "key": { + "id": "mySessionKey" + } + }, + "user": { + "initiated_logout": true, + "type": "admin" } }, - "organization": { - "id": "myOrg123" - }, "source": { + "address": "1.2.3.4", "geo": { "country_name": "United States", "region_name": "California" }, - "ip": "1.2.3.4", - "address": "1.2.3.4" + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "version": "tlsProtocol" }, "url": { "path": "/sObject/0064100000JXITSAA5/view", "query": "queryParam1=val1&queryParam2=val2" }, + "user": { + "id": "00530000009M943" + }, "user_agent": { - "name": "Chrome", - "version": "93.0.4577", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", "device": { "name": "Other" }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "user": { - "id": "00530000009M943" - }, - "related": { - "ip": [ - "1.2.3.4" - ] + }, + "version": "93.0.4577" } } 
@@ -341,21 +341,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{ \"API_TYPE\": \"myAPI\", \"API_VERSION\": \"1.0\", \"CLIENT_ID\": \"myClient123\", \"COMPONENT_NAME\": \"myComponent\", \"CONNECTION_TYPE\": \"wifi\", \"CONTROLLER_TYPE\": \"myController\", \"ENTITY_NAME\": \"myEntity\", \"LOGIN_KEY\": \"myLoginKey\", \"LOGIN_STATUS\": \"success\", \"LOGIN_SUB_TYPE\": \"myLoginSubType\", \"LOGIN_TYPE\": \"myLoginType\", \"METHOD_NAME\": \"myMethod\", \"OPERATION_TYPE\": \"myOperation\", \"LOGIN_STATUS\": \"success\", \"ORGANIZATION_ID\": \"myOrg123\", \"QUIDDITY\": \"myQuiddity\", \"REFERER_URI\": \"https://example.com\", \"REQUEST_ID\": \"myRequest123\", \"REQUEST_STATUS\": \"completed\", \"SESSION_KEY\": \"mySessionKey\", \"USER_INITIATED_LOGOUT\": true, \"USER_TYPE\": \"admin\", \"APP_NAME\": \"myAPP\", \"BROWSER_NAME\": \"Chrome\", \"USER_AGENT\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\", \"BROWSER_VERSION\": \"93.0.4577.82\", \"CIPHER_SUITE\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"SOURCE_IP\": \"1.2.3.4\", \"DEVICE_ID\": \"customDeviceId\", \"DEVICE_MODEL\": \"myDeviceModel\", \"DEVICE_PLATFORM\": \"iOS\", \"EXEC_TIME\": 123, \"EVENT_TYPE\": \"LightningPageView\", \"METHOD\": \"GET\", \"MEDIA_TYPE\": \"someMediaType\", \"MESSAGE\": \"custom message\", \"OS_NAME\": \"Windows\", \"OS_VERSION\": \"10.0\", \"PAGE_START_TIME\": 1471564788642, \"URI\": \"/sObject/0064100000JXITSAA5/view\", \"REQUEST_SIZE\": 123321, \"RESPONSE_SIZE\": 321321, \"TIMESTAMP_DERIVED\": \"2015-07-27T11:32:59.555Z\", \"TLS_PROTOCOL\": \"tlsProtocol\", \"UI_EVENT_ID\": \"ltng:error\", \"UI_EVENT_TYPE\": \"eventType\", \"USER_ID\": \"00530000009M943\", \"USER_NAME\": \"test_user\" }", "event": { - "kind": "event", - "dataset": "LightningPageView", - "reason": "custom message", - "start": "2016-08-18T23:59:48.642000Z", - "code": "ltng:error", "action": "eventType", 
"category": [ "network" ], + "code": "ltng:error", + "dataset": "LightningPageView", + "duration": 123, + "kind": "event", + "reason": "custom message", + "start": "2016-08-18T23:59:48.642000Z", "type": [ "info" - ], - "duration": 123 + ] }, "@timestamp": "2015-07-27T11:32:59.555000Z", + "host": { + "id": "customDeviceId", + "os": { + "name": "Windows", + "version": "10.0" + } + }, + "http": { + "request": { + "bytes": 123321, + "method": "GET" + }, + "response": { + "bytes": 321321, + "mime_type": "someMediaType" + } + }, + "network": { + "application": "myAPP" + }, + "organization": { + "id": "myOrg123" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "salesforce": { "api": { "type": "myAPI", @@ -364,17 +392,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "client": { "id": "myClient123" }, - "device": { - "model": "myDeviceModel", - "platform": "iOS" - }, - "entity": { - "name": "myEntity" - }, - "user": { - "type": "admin", - "initiated_logout": true - }, "component": { "name": "myComponent" }, @@ -384,6 +401,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "controller": { "type": "myController" }, + "device": { + "model": "myDeviceModel", + "platform": "iOS" + }, + "entity": { + "name": "myEntity" + }, "login": { "key": "myLoginKey", "status": "success", @@ -395,11 +419,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operation": { "type": "myOperation" }, - "session": { - "key": { - "id": "mySessionKey" - } - }, "quiddity": { "name": "myQuiddity" }, 
@@ -409,61 +428,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "request": { "id": "myRequest123", "status": "completed" + }, + "session": { + "key": { + "id": "mySessionKey" + } + }, + "user": { + "initiated_logout": true, + "type": "admin" } }, - "network": { - "application": "myAPP" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "tls": { "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "version": "tlsProtocol" }, - "host": { - "id": "customDeviceId", - "os": { - "name": "Windows", - "version": "10.0" - } - }, - "http": { - "request": { - "bytes": 123321, - "method": "GET" - }, - "response": { - "mime_type": "someMediaType", - "bytes": 321321 - } - }, - "organization": { - "id": "myOrg123" - }, "url": { "path": "/sObject/0064100000JXITSAA5/view" }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "user": { + "id": "00530000009M943" }, "user_agent": { - "name": "Chrome", - "version": "93.0.4577", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", "device": { "name": "Other" }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "user": { - "id": "00530000009M943" - }, - "related": { - "ip": [ - "1.2.3.4" - ] + }, + "version": "93.0.4577" } } 
@@ -477,32 +477,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"Login\",\"USER\":\"john.doe@example.com\",\"LOGIN_STATUS\":\"Success\",\"IP_ADDRESS\":\"192.168.0.1\",\"LOGIN_TIME\":\"2023-07-03T10:15:00Z\",\"DEVICE_TYPE\":\"Desktop\",\"BROWSER\":\"Chrome\",\"PLATFORM\":\"Windows 10\",\"LOGIN_GEO_LOCATION\":\"San Francisco, CA\",\"SESSION_ID\":\"ABC123XYZ\",\"LOGIN_URL\":\"https://login.salesforce.com\"}", "event": { - "kind": "event", - "dataset": "Login", "category": [ "authentication" ], + "dataset": "Login", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2023-07-03T10:15:00Z", + "related": { + "ip": [ + "192.168.0.1" + ] + }, "salesforce": { "login": { "status": "Success" } }, "source": { - "ip": "192.168.0.1", - "address": "192.168.0.1" + "address": "192.168.0.1", + "ip": "192.168.0.1" }, "user": { "email": "john.doe@example.com" - }, - "related": { - "ip": [ - "192.168.0.1" - ] } } 
@@ -516,26 +516,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"EVENT_TYPE\":\"Report/Dashboard\",\"USER\":\"john.doe@example.com\",\"ACTION\":\"Run\",\"REPORT_NAME\":\"Sales Performance\",\"TIMESTAMP\":\"2023-07-03T12:45:00Z\",\"DASHBOARD_ID\":\"ABCDEF123\",\"FILTERS\":{\"REGION\":\"West\",\"TIMEFRAME\":\"Last Month\"},\"REPORT_URL\":\"https://example.salesforce.com/001/o\"}", "event": { - "kind": "event", - "dataset": "Report/Dashboard", "action": "Run", "category": [ "network" ], + "dataset": "Report/Dashboard", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-07-03T12:45:00Z", "url": { - "original": "https://example.salesforce.com/001/o", "domain": "example.salesforce.com", - "top_level_domain": "com", - "subdomain": "example", - "registered_domain": "salesforce.com", + "original": "https://example.salesforce.com/001/o", "path": "/001/o", + "port": 443, + "registered_domain": "salesforce.com", "scheme": "https", - "port": 443 + "subdomain": "example", + "top_level_domain": "com" }, "user": { "email": "john.doe@example.com" diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md index 203562851f..46257bdfc0 100644 --- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md +++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md 
@@ -36,108 +36,108 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"1111111111\",\"arn\":\"arn:aws:iam::1111111111:root\",\"accountId\":\"1111111111\",\"accessKeyId\":\"ASIA1111111111111\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2022-08-31T07:20:10Z\",\"mfaAuthenticated\":\"true\"}}},\"eventTime\":\"2022-08-31T09:48:47Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"ModifyInstanceAttribute\",\"awsRegion\":\"eu-west-3\",\"sourceIPAddress\":\"aws.internal\",\"userAgent\":\"aws.internal\",\"requestParameters\":{\"instanceId\":\"i-00000000000000000\",\"userData\":\"\"},\"responseElements\":{\"requestId\":\"5fcae0f1-790c-4a86-85aa-0b3fd120e341\",\"_return\":true},\"requestID\":\"5fcae0f1-790c-4a86-85aa-0b3fd120e341\",\"eventID\":\"8311ce18-5d58-40f1-a4b3-a757df7cbe47\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"1111111111\",\"eventCategory\":\"Management\",\"sessionCredentialFromConsole\":\"true\"}", "event": { - "kind": "event", + "action": "ModifyInstanceAttribute", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "ec2.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "ModifyInstanceAttribute", - "provider": "ec2.amazonaws.com" + ] }, "@timestamp": "2022-08-31T09:48:47Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3", - "account": { - "id": "1111111111" - }, - "instance": { - "id": "i-00000000000000000" - } - }, "action": { - "type": "AwsApiCall", "name": "ModifyInstanceAttribute", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", + "requestParameters": { + "userData": "" + }, "userIdentity": { - "type": "Root", - "principalId": "1111111111", - 
"arn": "arn:aws:iam::1111111111:root", - "accountId": "1111111111", "accessKeyId": "ASIA1111111111111", + "accountId": "1111111111", + "arn": "arn:aws:iam::1111111111:root", + "principalId": "1111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": "2022-08-31T07:20:10Z", "mfaAuthenticated": "true" - } - } - }, - "requestParameters": { - "userData": "" + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } - } - }, - "user_agent": { - "original": "aws.internal", - "device": { - "name": "Other" }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "user": { - "id": "1111111111" - }, - "source": { - "domain": "aws.internal", - "address": "aws.internal", - "subdomain": "aws" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.08", + "flattened": { + "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}", + "response_elements": "{\"_return\": true, \"requestId\": \"5fcae0f1-790c-4a86-85aa-0b3fd120e341\"}" + }, "recipient_account_id": "1111111111", + "request_parameters": { + "userData": "" + }, "user_identity": { - "type": "Root", - "principalId": "1111111111", - "arn": "arn:aws:iam::1111111111:root", - "accountId": "1111111111", "accessKeyId": "ASIA1111111111111", + "accountId": "1111111111", + "arn": "arn:aws:iam::1111111111:root", + "principalId": "1111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": "2022-08-31T07:20:10Z", "mfaAuthenticated": "true" - } - } - }, - "request_parameters": { - "userData": "" - }, - "flattened": { - "response_elements": "{\"_return\": true, \"requestId\": \"5fcae0f1-790c-4a86-85aa-0b3fd120e341\"}", - "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}" + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } } }, + "cloud": { + "account": { + "id": 
"1111111111" + }, + "instance": { + "id": "i-00000000000000000" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, "related": { "hosts": [ "aws.internal" ] + }, + "source": { + "address": "aws.internal", + "domain": "aws.internal", + "subdomain": "aws" + }, + "user": { + "id": "1111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "aws.internal", + "os": { + "name": "Other" + } } } 
@@ -151,33 +151,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"awsRegion\":\"eu-west-3\",\"eventID\":\"6ffb6978-7b42-47d1-9aa1-1838ec08b514\",\"eventName\":\"LookupEvents\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventTime\":\"2020-08-12T12:26:51Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.05\",\"readOnly\":true,\"recipientAccountId\":\"1111111111\",\"requestID\":\"5b8387cf-59e8-4e6e-ba6d-5fe417820c13\",\"requestParameters\":{\"eventCategory\":\"insight\",\"maxResults\":50},\"responseElements\":null,\"sourceIPAddress\":\"1.2.3.4\",\"userAgent\":\"console.amazonaws.com\",\"userIdentity\":{\"accessKeyId\":\"ASIA1111111111111\",\"accountId\":\"1111111111\",\"arn\":\"arn:aws:iam::1111111111:root\",\"principalId\":\"1111111111\",\"sessionContext\":{\"attributes\":{\"creationDate\":\"2020-08-12T07:04:40Z\",\"mfaAuthenticated\":\"false\"},\"sessionIssuer\":{},\"webIdFederationData\":{}},\"type\":\"Root\"}}", "event": { - "kind": "event", + "action": "LookupEvents", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "cloudtrail.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "LookupEvents", - "provider": "cloudtrail.amazonaws.com" + ] }, "@timestamp": "2020-08-12T12:26:51Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3", - "account": { - "id": "1111111111" - } - }, "action": { - "type": "AwsApiCall", "name": "LookupEvents", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", "userIdentity": { 
@@ -195,28 +183,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "type": "Root" } - } - }, - "user_agent": { - "original": "console.amazonaws.com", - "device": { - "name": "Other" }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "user": { - "id": "1111111111" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.05", + "flattened": { + "request_parameters": "{\"eventCategory\": \"insight\", \"maxResults\": 50}" + }, "recipient_account_id": "1111111111", "user_identity": { "accessKeyId": "ASIA1111111111111", @@ -232,16 +208,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. "webIdFederationData": {} }, "type": "Root" - }, - "flattened": { - "request_parameters": "{\"eventCategory\": \"insight\", \"maxResults\": 50}" } } }, + "cloud": { + "account": { + "id": "1111111111" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "1111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "console.amazonaws.com", + "os": { + "name": "Other" + } } } 
@@ -255,195 +255,195 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\": \"1.05\", \"userIdentity\": {\"type\": \"Root\", \"principalId\": \"1111111111\", \"arn\": \"arn:aws:iam::1111111111:root\", \"accountId\": \"1111111111\", \"accessKeyId\": \"AKIA1111111111\"}, \"eventTime\": \"2020-09-22T15:05:22Z\", \"eventSource\": \"ec2.amazonaws.com\", \"eventName\": \"CreateInstanceExportTask\", \"awsRegion\": \"eu-west-3\", \"sourceIPAddress\": \"1.2.3.4\", \"userAgent\": \"aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30\", \"errorCode\": \"Client.AuthFailure\", \"errorMessage\": \"vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.\", \"requestParameters\": {\"instanceId\": \"i-00000000000000\", \"targetEnvironment\": \"vmware\", \"exportToS3\": {\"diskImageFormat\": \"VMDK\", \"containerFormat\": \"ova\", \"s3Bucket\": \"qbo-export-instance-bucket\", \"s3Prefix\": \"vms\"}}, \"responseElements\": null, \"requestID\": \"5d1c2af1-f216-4771-9922-5a032e2826f5\", \"eventID\": \"249e3b13-41d4-4007-8f04-ef4b4f4341ed\", \"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111\"}", "event": { - "kind": "event", + "action": "CreateInstanceExportTask", "category": [ "network" ], - "type": [ - "access" - ], - "dataset": "cloudtrail", - "action": "CreateInstanceExportTask", "code": "Client.AuthFailure", + "dataset": "cloudtrail", + "kind": "event", + "provider": "ec2.amazonaws.com", "reason": "vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.", - "provider": "ec2.amazonaws.com" + "type": [ + "access" + ] }, "@timestamp": "2020-09-22T15:05:22Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3", - "account": { - "id": "1111111111" - }, - "instance": { - "id": "i-00000000000000" - } - }, "action": { - "type": "AwsApiCall", "name": "CreateInstanceExportTask", "outcome": 
"success", - "target": "network-traffic", "properties": { "errorCode": "Client.AuthFailure", "errorMessage": "vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.", "recipientAccountId": "1111111111", "userIdentity": { - "type": "Root", - "principalId": "1111111111", - "arn": "arn:aws:iam::1111111111:root", + "accessKeyId": "AKIA1111111111", "accountId": "1111111111", - "accessKeyId": "AKIA1111111111" + "arn": "arn:aws:iam::1111111111:root", + "principalId": "1111111111", + "type": "Root" } - } - }, - "user_agent": { - "original": "aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30", - "device": { - "name": "Spider" }, - "name": "aws-cli", - "version": "1.18.87", - "os": { - "name": "Linux", - "version": "4.19.0" - } - }, - "user": { - "id": "1111111111" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.05", + "flattened": { + "request_parameters": "{\"exportToS3\": {\"containerFormat\": \"ova\", \"diskImageFormat\": \"VMDK\", \"s3Bucket\": \"qbo-export-instance-bucket\", \"s3Prefix\": \"vms\"}, \"instanceId\": \"i-00000000000000\", \"targetEnvironment\": \"vmware\"}" + }, "recipient_account_id": "1111111111", "user_identity": { - "type": "Root", - "principalId": "1111111111", - "arn": "arn:aws:iam::1111111111:root", + "accessKeyId": "AKIA1111111111", "accountId": "1111111111", - "accessKeyId": "AKIA1111111111" - }, - "flattened": { - "request_parameters": "{\"exportToS3\": {\"containerFormat\": \"ova\", \"diskImageFormat\": \"VMDK\", \"s3Bucket\": \"qbo-export-instance-bucket\", \"s3Prefix\": \"vms\"}, \"instanceId\": \"i-00000000000000\", \"targetEnvironment\": \"vmware\"}" + "arn": "arn:aws:iam::1111111111:root", + "principalId": "1111111111", + "type": "Root" } } }, - "related": { - "ip": [ - "1.2.3.4" - ] - } - } - - ``` - - -=== "event_ec2.json" + "cloud": { + "account": { + "id": "1111111111" + }, + 
"instance": { + "id": "i-00000000000000" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "1111111111" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "aws-cli", + "original": "aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30", + "os": { + "name": "Linux", + "version": "4.19.0" + }, + "version": "1.18.87" + } + } + + ``` + + +=== "event_ec2.json" ```json { "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"111111111111\",\"arn\":\"arn:aws:iam::111111111111:root\",\"accountId\":\"111111111111\",\"accessKeyId\":\"ASI00000000000000000\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2022-09-01T06:46:50Z\",\"mfaAuthenticated\":\"true\"}}},\"eventTime\":\"2022-09-01T13:09:23Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"ModifyInstanceAttribute\",\"awsRegion\":\"eu-west-3\",\"sourceIPAddress\":\"AWS Internal\",\"userAgent\":\"AWS Internal\",\"requestParameters\":{\"instanceId\":\"i-00000000000000000\",\"userData\":\"\"},\"responseElements\":{\"requestId\":\"190dc310-2b3e-41bc-ad3f-970f95f24c1b\",\"_return\":true},\"requestID\":\"190dc310-2b3e-41bc-ad3f-970f95f24c1b\",\"eventID\":\"f832abd6-9496-4f3e-9112-796f64b786e3\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"111111111111\",\"eventCategory\":\"Management\",\"sessionCredentialFromConsole\":\"true\"}\n", "event": { - "kind": "event", + "action": "ModifyInstanceAttribute", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "ec2.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "ModifyInstanceAttribute", - "provider": "ec2.amazonaws.com" + ] }, "@timestamp": "2022-09-01T13:09:23Z", - 
"cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3", - "account": { - "id": "111111111111" - }, - "instance": { - "id": "i-00000000000000000" - } - }, "action": { - "type": "AwsApiCall", "name": "ModifyInstanceAttribute", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "111111111111", + "requestParameters": { + "userData": "" + }, "userIdentity": { - "type": "Root", - "principalId": "111111111111", - "arn": "arn:aws:iam::111111111111:root", - "accountId": "111111111111", "accessKeyId": "ASI00000000000000000", + "accountId": "111111111111", + "arn": "arn:aws:iam::111111111111:root", + "principalId": "111111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": "2022-09-01T06:46:50Z", "mfaAuthenticated": "true" - } - } - }, - "requestParameters": { - "userData": "" + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } - } - }, - "user_agent": { - "original": "AWS Internal", - "device": { - "name": "Other" }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "user": { - "id": "111111111111" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.08", + "flattened": { + "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}", + "response_elements": "{\"_return\": true, \"requestId\": \"190dc310-2b3e-41bc-ad3f-970f95f24c1b\"}" + }, "recipient_account_id": "111111111111", + "request_parameters": { + "userData": "" + }, "user_identity": { - "type": "Root", - "principalId": "111111111111", - "arn": "arn:aws:iam::111111111111:root", - "accountId": "111111111111", "accessKeyId": "ASI00000000000000000", + "accountId": "111111111111", + "arn": "arn:aws:iam::111111111111:root", + "principalId": "111111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": 
"2022-09-01T06:46:50Z", "mfaAuthenticated": "true" - } - } - }, - "request_parameters": { - "userData": "" - }, - "flattened": { - "response_elements": "{\"_return\": true, \"requestId\": \"190dc310-2b3e-41bc-ad3f-970f95f24c1b\"}", - "request_parameters": "{\"instanceId\": \"i-00000000000000000\", \"userData\": \"\"}" + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "i-00000000000000000" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, + "user": { + "id": "111111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "AWS Internal", + "os": { + "name": "Other" + } } } 
@@ -457,33 +457,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"awsRegion\":\"us-east-1\",\"eventID\":\"76a4c7d1-1f00-4ceb-b7ad-3d355a3515cd\",\"eventName\":\"CreateUser\",\"eventSource\":\"iam.amazonaws.com\",\"eventTime\":\"2020-08-12T12:16:24Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.05\",\"recipientAccountId\":\"1111111111\",\"requestID\":\"4ba495c6-03b8-4eb9-a812-95f89835f68c\",\"requestParameters\":{\"userName\":\"user\"},\"responseElements\":{\"user\":{\"arn\":\"arn:aws:iam::1111111111:user/user\",\"createDate\":\"Aug 12, 2020 12:16:24 PM\",\"path\":\"/\",\"userId\":\"AIDA11111111111111\",\"userName\":\"user\"}},\"sourceIPAddress\":\"1.2.3.4\",\"userAgent\":\"aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30\",\"userIdentity\":{\"accessKeyId\":\"AKIA11111111111111\",\"accountId\":\"1111111111\",\"arn\":\"arn:aws:iam::1111111111:root\",\"principalId\":\"1111111111\",\"type\":\"Root\"}}", "event": { - "kind": "event", + "action": "CreateUser", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "iam.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "CreateUser", - "provider": "iam.amazonaws.com" + ] }, "@timestamp": "2020-08-12T12:16:24Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "us-east-1", - "account": { - "id": "1111111111" - } - }, "action": { - "type": "AwsApiCall", "name": "CreateUser", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", "userIdentity": { 
@@ -493,54 +481,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "principalId": "1111111111", "type": "Root" } - } - }, - "user_agent": { - "original": "aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30", - "device": { - "name": "Spider" }, - "name": "aws-cli", - "version": "1.18.87", - "os": { - "name": "Linux", - "version": "4.19.0" - } - }, - "user": { - "id": "1111111111", - "name": "AIDA11111111111111" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.05", - "recipient_account_id": "1111111111", - "user_identity": { - "accessKeyId": "AKIA11111111111111", - "accountId": "1111111111", - "arn": "arn:aws:iam::1111111111:root", - "principalId": "1111111111", - "type": "Root" + "flattened": { + "request_parameters": "{\"userName\": \"user\"}", + "response_elements": "{\"user\": {\"arn\": \"arn:aws:iam::1111111111:user/user\", \"createDate\": \"Aug 12, 2020 12:16:24 PM\", \"path\": \"/\", \"userId\": \"AIDA11111111111111\", \"userName\": \"user\"}}" }, + "recipient_account_id": "1111111111", "request_parameters": { "userName": "user" }, "response_elements": { "user": { - "userName": "user", - "arn": "arn:aws:iam::1111111111:user/user" + "arn": "arn:aws:iam::1111111111:user/user", + "userName": "user" } }, - "flattened": { - "response_elements": "{\"user\": {\"arn\": \"arn:aws:iam::1111111111:user/user\", \"createDate\": \"Aug 12, 2020 12:16:24 PM\", \"path\": \"/\", \"userId\": \"AIDA11111111111111\", \"userName\": \"user\"}}", - "request_parameters": "{\"userName\": \"user\"}" + "user_identity": { + "accessKeyId": "AKIA11111111111111", + "accountId": "1111111111", + "arn": "arn:aws:iam::1111111111:root", + "principalId": "1111111111", + "type": "Root" } } }, + "cloud": { + "account": { + "id": "1111111111" + }, + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "cloudtrail" + } + }, 
"related": { "ip": [ "1.2.3.4" @@ -548,6 +528,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "AIDA11111111111111" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "1111111111", + "name": "AIDA11111111111111" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "aws-cli", + "original": "aws-cli/1.18.87 Python/3.7.3 Linux/4.19.0-6-amd64 botocore/1.17.30", + "os": { + "name": "Linux", + "version": "4.19.0" + }, + "version": "1.18.87" } } 
@@ -561,35 +561,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"awsRegion\":\"eu-west-3\",\"eventID\":\"6a957c22-7dd9-4d2e-a9ba-7c869d726293\",\"eventName\":\"Decrypt\",\"eventSource\":\"kms.amazonaws.com\",\"eventTime\":\"2020-08-12T12:48:09Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.05\",\"readOnly\":true,\"recipientAccountId\":\"1111111111\",\"requestID\":\"3d03af66-1431-4911-b809-ab08b9bd604a\",\"requestParameters\":{\"encryptionAlgorithm\":\"SYMMETRIC_DEFAULT\",\"encryptionContext\":{\"aws:lambda:FunctionArn\":\"arn:aws:lambda:eu-west-3:1111111111:function:ctstreamer-dev-s3\"}},\"resources\":[{\"ARN\":\"arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c\",\"accountId\":\"1111111111\",\"type\":\"AWS::KMS::Key\"}],\"responseElements\":null,\"sourceIPAddress\":\"1.2.3.4\",\"userAgent\":\"aws-internal/3 aws-sdk-java/1.11.802 Linux/4.14.181-108.257.amzn1.x86_64 OpenJDK_64-Bit_Server_VM/11.0.7+10-LTS java/11.0.7 vendor/Amazon.com_Inc.\",\"userIdentity\":{\"accessKeyId\":\"ASIA11111111111111\",\"accountId\":\"1111111111\",\"arn\":\"arn:aws:sts::1111111111:assumed-role/user/ctstreamer-dev-s3\",\"principalId\":\"AROA11111111111111:ctstreamer-dev-s3\",\"sessionContext\":{\"attributes\":{\"creationDate\":\"2020-08-12T12:03:12Z\",\"mfaAuthenticated\":\"false\"},\"sessionIssuer\":{\"accountId\":\"1111111111\",\"arn\":\"arn:aws:iam::1111111111:role/user\",\"principalId\":\"AROA11111111111111\",\"type\":\"Role\",\"userName\":\"user\"},\"webIdFederationData\":{}},\"type\":\"AssumedRole\"}}", "event": { - "kind": "event", + "action": "Decrypt", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "kms.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "Decrypt", - "provider": "kms.amazonaws.com" + ] }, "@timestamp": "2020-08-12T12:48:09Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": 
"eu-west-3", - "account": { - "id": "1111111111" - } - }, "action": { - "type": "AwsApiCall", "name": "Decrypt", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", + "resources": [ + { + "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c", + "accountId": "1111111111", + "type": "AWS::KMS::Key" + } + ], "userIdentity": { "accessKeyId": "ASIA11111111111111", "accountId": "1111111111", @@ -610,39 +605,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "webIdFederationData": {} }, "type": "AssumedRole" + } + }, + "target": "network-traffic", + "type": "AwsApiCall" + }, + "aws": { + "cloudtrail": { + "event_version": "1.05", + "flattened": { + "request_parameters": "{\"encryptionAlgorithm\": \"SYMMETRIC_DEFAULT\", \"encryptionContext\": {\"aws:lambda:FunctionArn\": \"arn:aws:lambda:eu-west-3:1111111111:function:ctstreamer-dev-s3\"}}" }, + "recipient_account_id": "1111111111", "resources": [ { "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c", "accountId": "1111111111", "type": "AWS::KMS::Key" } - ] - } - }, - "user_agent": { - "original": "aws-internal/3 aws-sdk-java/1.11.802 Linux/4.14.181-108.257.amzn1.x86_64 OpenJDK_64-Bit_Server_VM/11.0.7+10-LTS java/11.0.7 vendor/Amazon.com_Inc.", - "device": { - "name": "Other" - }, - "name": "aws-sdk-java", - "version": "1.11.802", - "os": { - "name": "Linux", - "version": "4.14.181" - } - }, - "user": { - "id": "1111111111" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" - }, - "aws": { - "cloudtrail": { - "event_version": "1.05", - "recipient_account_id": "1111111111", + ], "user_identity": { "accessKeyId": "ASIA11111111111111", "accountId": "1111111111", 
@@ -663,23 +644,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "webIdFederationData": {} }, "type": "AssumedRole" - }, - "resources": [ - { - "ARN": "arn:aws:kms:eu-west-3:1111111111:key/14eb3a8a-ffec-4b0e-a6da-e901d5e6ee9c", - "accountId": "1111111111", - "type": "AWS::KMS::Key" - } - ], - "flattened": { - "request_parameters": "{\"encryptionAlgorithm\": \"SYMMETRIC_DEFAULT\", \"encryptionContext\": {\"aws:lambda:FunctionArn\": \"arn:aws:lambda:eu-west-3:1111111111:function:ctstreamer-dev-s3\"}}" } } }, + "cloud": { + "account": { + "id": "1111111111" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "1111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-sdk-java", + "original": "aws-internal/3 aws-sdk-java/1.11.802 Linux/4.14.181-108.257.amzn1.x86_64 OpenJDK_64-Bit_Server_VM/11.0.7+10-LTS java/11.0.7 vendor/Amazon.com_Inc.", + "os": { + "name": "Linux", + "version": "4.14.181" + }, + "version": "1.11.802" } } 
@@ -693,98 +693,98 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"Root\",\"principalId\":\"111111111111\",\"arn\":\"arn:aws:iam::111111111111:root\",\"accountId\":\"111111111111\",\"accessKeyId\":\"ASI00000000000000000\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2022-09-01T06:46:50Z\",\"mfaAuthenticated\":\"true\"}}},\"eventTime\":\"2022-09-01T14:13:11Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"ModifyDBInstance\",\"awsRegion\":\"eu-west-3\",\"sourceIPAddress\":\"AWS Internal\",\"userAgent\":\"AWS Internal\",\"requestParameters\":{\"dBInstanceIdentifier\":\"database-1\",\"applyImmediately\":true,\"masterUserPassword\":\"****\",\"allowMajorVersionUpgrade\":false,\"maxAllocatedStorage\":1000},\"responseElements\":{\"dBInstanceIdentifier\":\"database-1\",\"dBInstanceClass\":\"db.m6g.large\",\"engine\":\"postgres\",\"dBInstanceStatus\":\"available\",\"masterUsername\":\"postgres\",\"endpoint\":{\"address\":\"x.rds.amazonaws.com\",\"port\":5432,\"hostedZoneId\":\"ZMESEXB7ZGGQ3\"},\"allocatedStorage\":100,\"instanceCreateTime\":\"Sep 1, 2022 12:47:35 PM\",\"preferredBackupWindow\":\"10:10-10:40\",\"backupRetentionPeriod\":7,\"dBSecurityGroups\":[],\"vpcSecurityGroups\":[{\"vpcSecurityGroupId\":\"sg-00000000000000000\",\"status\":\"active\"}],\"dBParameterGroups\":[{\"dBParameterGroupName\":\"default.postgres13\",\"parameterApplyStatus\":\"in-sync\"}],\"availabilityZone\":\"eu-west-3b\",\"dBSubnetGroup\":{\"dBSubnetGroupName\":\"default-vpc-00000000000000000\",\"dBSubnetGroupDescription\":\"Created from the RDS Management 
Console\",\"vpcId\":\"vpc-00000000000000000\",\"subnetGroupStatus\":\"Complete\",\"subnets\":[{\"subnetIdentifier\":\"subnet-00000000000000000\",\"subnetAvailabilityZone\":{\"name\":\"eu-west-3a\"},\"subnetOutpost\":{},\"subnetStatus\":\"Active\"}]},\"preferredMaintenanceWindow\":\"thu:04:33-thu:05:03\",\"pendingModifiedValues\":{\"masterUserPassword\":\"****\"},\"latestRestorableTime\":\"Sep 1, 2022 2:07:11 PM\",\"multiAZ\":true,\"engineVersion\":\"13.7\",\"autoMinorVersionUpgrade\":true,\"readReplicaDBInstanceIdentifiers\":[],\"licenseModel\":\"postgresql-license\",\"iops\":3000,\"storageThroughput\":0,\"optionGroupMemberships\":[{\"optionGroupName\":\"default:postgres-13\",\"status\":\"in-sync\"}],\"secondaryAvailabilityZone\":\"eu-west-3c\",\"publiclyAccessible\":false,\"storageType\":\"io1\",\"dbInstancePort\":0,\"storageEncrypted\":true,\"kmsKeyId\":\"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\",\"dbiResourceId\":\"db-00000000000000000000000000\",\"cACertificateIdentifier\":\"rds-ca-2019\",\"domainMemberships\":[],\"copyTagsToSnapshot\":true,\"monitoringInterval\":60,\"enhancedMonitoringResourceArn\":\"arn:aws:logs:eu-west-3:111111111111:group:schema:stream:db-00000000000000000000000000\",\"monitoringRoleArn\":\"arn:aws:iam::111111111111:role/role\",\"dBInstanceArn\":\"arn:aws:rds:eu-west-3:111111111111:db:database-1\",\"iAMDatabaseAuthenticationEnabled\":false,\"performanceInsightsEnabled\":true,\"performanceInsightsKMSKeyId\":\"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\",\"performanceInsightsRetentionPeriod\":7,\"deletionProtection\":true,\"associatedRoles\":[],\"httpEndpointEnabled\":false,\"maxAllocatedStorage\":1000,\"tagList\":[],\"customerOwnedIpEnabled\":false,\"networkType\":\"IPV4\",\"backupTarget\":\"region\"},\"requestID\":\"fc070739-07b9-4533-9652-eec872b5ad3d\",\"eventID\":\"eee4217d-4a93-4ad3-89ff-108b25c4c9ab\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":
true,\"recipientAccountId\":\"111111111111\",\"eventCategory\":\"Management\",\"sessionCredentialFromConsole\":\"true\"}\n", "event": { - "kind": "event", + "action": "ModifyDBInstance", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "rds.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "ModifyDBInstance", - "provider": "rds.amazonaws.com" + ] }, "@timestamp": "2022-09-01T14:13:11Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3", - "account": { - "id": "111111111111" - } - }, "action": { - "type": "AwsApiCall", "name": "ModifyDBInstance", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "111111111111", + "responseElements": { + "publiclyAccessible": false + }, "userIdentity": { - "type": "Root", - "principalId": "111111111111", - "arn": "arn:aws:iam::111111111111:root", - "accountId": "111111111111", "accessKeyId": "ASI00000000000000000", + "accountId": "111111111111", + "arn": "arn:aws:iam::111111111111:root", + "principalId": "111111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": "2022-09-01T06:46:50Z", "mfaAuthenticated": "true" - } - } - }, - "responseElements": { - "publiclyAccessible": false + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } - } - }, - "user_agent": { - "original": "AWS Internal", - "device": { - "name": "Other" }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "user": { - "id": "111111111111" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.08", + "flattened": { + "request_parameters": "{\"allowMajorVersionUpgrade\": false, \"applyImmediately\": true, \"dBInstanceIdentifier\": \"database-1\", \"masterUserPassword\": \"****\", \"maxAllocatedStorage\": 1000}", + "response_elements": "{\"allocatedStorage\": 100, 
\"associatedRoles\": [], \"autoMinorVersionUpgrade\": true, \"availabilityZone\": \"eu-west-3b\", \"backupRetentionPeriod\": 7, \"backupTarget\": \"region\", \"cACertificateIdentifier\": \"rds-ca-2019\", \"copyTagsToSnapshot\": true, \"customerOwnedIpEnabled\": false, \"dBInstanceArn\": \"arn:aws:rds:eu-west-3:111111111111:db:database-1\", \"dBInstanceClass\": \"db.m6g.large\", \"dBInstanceIdentifier\": \"database-1\", \"dBInstanceStatus\": \"available\", \"dBParameterGroups\": [{\"dBParameterGroupName\": \"default.postgres13\", \"parameterApplyStatus\": \"in-sync\"}], \"dBSecurityGroups\": [], \"dBSubnetGroup\": {\"dBSubnetGroupDescription\": \"Created from the RDS Management Console\", \"dBSubnetGroupName\": \"default-vpc-00000000000000000\", \"subnetGroupStatus\": \"Complete\", \"subnets\": [{\"subnetAvailabilityZone\": {\"name\": \"eu-west-3a\"}, \"subnetIdentifier\": \"subnet-00000000000000000\", \"subnetOutpost\": {}, \"subnetStatus\": \"Active\"}], \"vpcId\": \"vpc-00000000000000000\"}, \"dbInstancePort\": 0, \"dbiResourceId\": \"db-00000000000000000000000000\", \"deletionProtection\": true, \"domainMemberships\": [], \"endpoint\": {\"address\": \"x.rds.amazonaws.com\", \"hostedZoneId\": \"ZMESEXB7ZGGQ3\", \"port\": 5432}, \"engine\": \"postgres\", \"engineVersion\": \"13.7\", \"enhancedMonitoringResourceArn\": \"arn:aws:logs:eu-west-3:111111111111:group:schema:stream:db-00000000000000000000000000\", \"httpEndpointEnabled\": false, \"iAMDatabaseAuthenticationEnabled\": false, \"instanceCreateTime\": \"Sep 1, 2022 12:47:35 PM\", \"iops\": 3000, \"kmsKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"latestRestorableTime\": \"Sep 1, 2022 2:07:11 PM\", \"licenseModel\": \"postgresql-license\", \"masterUsername\": \"postgres\", \"maxAllocatedStorage\": 1000, \"monitoringInterval\": 60, \"monitoringRoleArn\": \"arn:aws:iam::111111111111:role/role\", \"multiAZ\": true, \"networkType\": \"IPV4\", \"optionGroupMemberships\": 
[{\"optionGroupName\": \"default:postgres-13\", \"status\": \"in-sync\"}], \"pendingModifiedValues\": {\"masterUserPassword\": \"****\"}, \"performanceInsightsEnabled\": true, \"performanceInsightsKMSKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"performanceInsightsRetentionPeriod\": 7, \"preferredBackupWindow\": \"10:10-10:40\", \"preferredMaintenanceWindow\": \"thu:04:33-thu:05:03\", \"publiclyAccessible\": false, \"readReplicaDBInstanceIdentifiers\": [], \"secondaryAvailabilityZone\": \"eu-west-3c\", \"storageEncrypted\": true, \"storageThroughput\": 0, \"storageType\": \"io1\", \"tagList\": [], \"vpcSecurityGroups\": [{\"status\": \"active\", \"vpcSecurityGroupId\": \"sg-00000000000000000\"}]}" + }, "recipient_account_id": "111111111111", + "response_elements": { + "pendingModifiedValues": { + "masterUserPassword": "****" + }, + "publiclyAccessible": false + }, "user_identity": { - "type": "Root", - "principalId": "111111111111", - "arn": "arn:aws:iam::111111111111:root", - "accountId": "111111111111", "accessKeyId": "ASI00000000000000000", + "accountId": "111111111111", + "arn": "arn:aws:iam::111111111111:root", + "principalId": "111111111111", "sessionContext": { - "sessionIssuer": {}, - "webIdFederationData": {}, "attributes": { "creationDate": "2022-09-01T06:46:50Z", "mfaAuthenticated": "true" - } - } - }, - "response_elements": { - "publiclyAccessible": false, - "pendingModifiedValues": { - "masterUserPassword": "****" - } - }, - "flattened": { - "response_elements": "{\"allocatedStorage\": 100, \"associatedRoles\": [], \"autoMinorVersionUpgrade\": true, \"availabilityZone\": \"eu-west-3b\", \"backupRetentionPeriod\": 7, \"backupTarget\": \"region\", \"cACertificateIdentifier\": \"rds-ca-2019\", \"copyTagsToSnapshot\": true, \"customerOwnedIpEnabled\": false, \"dBInstanceArn\": \"arn:aws:rds:eu-west-3:111111111111:db:database-1\", \"dBInstanceClass\": \"db.m6g.large\", \"dBInstanceIdentifier\": \"database-1\", 
\"dBInstanceStatus\": \"available\", \"dBParameterGroups\": [{\"dBParameterGroupName\": \"default.postgres13\", \"parameterApplyStatus\": \"in-sync\"}], \"dBSecurityGroups\": [], \"dBSubnetGroup\": {\"dBSubnetGroupDescription\": \"Created from the RDS Management Console\", \"dBSubnetGroupName\": \"default-vpc-00000000000000000\", \"subnetGroupStatus\": \"Complete\", \"subnets\": [{\"subnetAvailabilityZone\": {\"name\": \"eu-west-3a\"}, \"subnetIdentifier\": \"subnet-00000000000000000\", \"subnetOutpost\": {}, \"subnetStatus\": \"Active\"}], \"vpcId\": \"vpc-00000000000000000\"}, \"dbInstancePort\": 0, \"dbiResourceId\": \"db-00000000000000000000000000\", \"deletionProtection\": true, \"domainMemberships\": [], \"endpoint\": {\"address\": \"x.rds.amazonaws.com\", \"hostedZoneId\": \"ZMESEXB7ZGGQ3\", \"port\": 5432}, \"engine\": \"postgres\", \"engineVersion\": \"13.7\", \"enhancedMonitoringResourceArn\": \"arn:aws:logs:eu-west-3:111111111111:group:schema:stream:db-00000000000000000000000000\", \"httpEndpointEnabled\": false, \"iAMDatabaseAuthenticationEnabled\": false, \"instanceCreateTime\": \"Sep 1, 2022 12:47:35 PM\", \"iops\": 3000, \"kmsKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"latestRestorableTime\": \"Sep 1, 2022 2:07:11 PM\", \"licenseModel\": \"postgresql-license\", \"masterUsername\": \"postgres\", \"maxAllocatedStorage\": 1000, \"monitoringInterval\": 60, \"monitoringRoleArn\": \"arn:aws:iam::111111111111:role/role\", \"multiAZ\": true, \"networkType\": \"IPV4\", \"optionGroupMemberships\": [{\"optionGroupName\": \"default:postgres-13\", \"status\": \"in-sync\"}], \"pendingModifiedValues\": {\"masterUserPassword\": \"****\"}, \"performanceInsightsEnabled\": true, \"performanceInsightsKMSKeyId\": \"arn:aws:kms:eu-west-3:111111111111:key/a7dce59f-5b3c-4178-90e1-91103a32b26d\", \"performanceInsightsRetentionPeriod\": 7, \"preferredBackupWindow\": \"10:10-10:40\", \"preferredMaintenanceWindow\": 
\"thu:04:33-thu:05:03\", \"publiclyAccessible\": false, \"readReplicaDBInstanceIdentifiers\": [], \"secondaryAvailabilityZone\": \"eu-west-3c\", \"storageEncrypted\": true, \"storageThroughput\": 0, \"storageType\": \"io1\", \"tagList\": [], \"vpcSecurityGroups\": [{\"status\": \"active\", \"vpcSecurityGroupId\": \"sg-00000000000000000\"}]}", - "request_parameters": "{\"allowMajorVersionUpgrade\": false, \"applyImmediately\": true, \"dBInstanceIdentifier\": \"database-1\", \"masterUserPassword\": \"****\", \"maxAllocatedStorage\": 1000}" + }, + "sessionIssuer": {}, + "webIdFederationData": {} + }, + "type": "Root" } } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, + "user": { + "id": "111111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "AWS Internal", + "os": { + "name": "Other" + } } } 
@@ -798,69 +798,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"awsRegion\":\"eu-west-3\",\"eventID\":\"bcf6f457-76bc-4e8c-8a7b-8a2451481675\",\"eventName\":\"AssumeRole\",\"eventSource\":\"sts.amazonaws.com\",\"eventTime\":\"2020-08-12T12:03:12Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.05\",\"recipientAccountId\":\"1111111111\",\"requestID\":\"34c3d58a-83f5-42cc-9e4d-1beeb85f809c\",\"requestParameters\":{\"roleArn\":\"arn:aws:iam::1111111111:role/user\",\"roleSessionName\":\"session-name\"},\"resources\":[{\"ARN\":\"arn:aws:iam::1111111111:role/user\",\"accountId\":\"1111111111\",\"type\":\"AWS::IAM::Role\"}],\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIA11111111111111\",\"expiration\":\"Aug 13, 2020, 12:03:12 AM\",\"sessionToken\":\"11111111111111111111111111111111111111111\"}},\"sharedEventID\":\"e0b224e9-a818-452c-87e3-a1d4078bb102\",\"sourceIPAddress\":\"lambda.amazonaws.com\",\"userAgent\":\"lambda.amazonaws.com\",\"userIdentity\":{\"invokedBy\":\"lambda.amazonaws.com\",\"type\":\"AWSService\"}}", "event": { - "kind": "event", + "action": "AssumeRole", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "sts.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "AssumeRole", - "provider": "sts.amazonaws.com" + ] }, "@timestamp": "2020-08-12T12:03:12Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3" - }, "action": { - "type": "AwsApiCall", "name": "AssumeRole", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", - "userIdentity": { - "invokedBy": "lambda.amazonaws.com", - "type": "AWSService" - }, "resources": [ { "ARN": "arn:aws:iam::1111111111:role/user", "accountId": "1111111111", "type": "AWS::IAM::Role" } - ] - } - }, - "user_agent": { - "original": "lambda.amazonaws.com", - "device": { - "name": "Other" + ], + 
"userIdentity": { + "invokedBy": "lambda.amazonaws.com", + "type": "AWSService" + } }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "source": { - "domain": "lambda.amazonaws.com", - "address": "lambda.amazonaws.com", - "top_level_domain": "com", - "subdomain": "lambda", - "registered_domain": "amazonaws.com" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.05", - "recipient_account_id": "1111111111", - "user_identity": { - "type": "AWSService" + "flattened": { + "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}", + "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"11111111111111111111111111111111111111111\"}}" }, + "recipient_account_id": "1111111111", "resources": [ { "ARN": "arn:aws:iam::1111111111:role/user", @@ -868,16 +845,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "AWS::IAM::Role" } ], - "flattened": { - "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"11111111111111111111111111111111111111111\"}}", - "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}" + "user_identity": { + "type": "AWSService" } } }, + "cloud": { + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, "related": { "hosts": [ "lambda.amazonaws.com" ] + }, + "source": { + "address": "lambda.amazonaws.com", + "domain": "lambda.amazonaws.com", + "registered_domain": "amazonaws.com", + "subdomain": "lambda", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "lambda.amazonaws.com", + "os": { + "name": "Other" + } } } 
@@ -891,33 +891,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"additionalEventData\":{\"LoginTo\":\"https://console.aws.amazon.com/billing/home?region=eu-west-3&state=hashArgs%23%2F&isauthcode=true\",\"MFAUsed\":\"No\",\"MobileVersion\":\"No\"},\"awsRegion\":\"us-east-1\",\"eventID\":\"9d4ca355-a7d3-4422-96ae-dbe2c3431609\",\"eventName\":\"ConsoleLogin\",\"eventSource\":\"signin.amazonaws.com\",\"eventTime\":\"2020-08-19T15:33:43Z\",\"eventType\":\"AwsConsoleSignIn\",\"eventVersion\":\"1.05\",\"recipientAccountId\":\"1111111111\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"sourceIPAddress\":\"1.2.3.4\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\",\"userIdentity\":{\"accessKeyId\":\"\",\"accountId\":\"1111111111\",\"arn\":\"arn:aws:iam::1111111111:root\",\"principalId\":\"1111111111\",\"type\":\"Root\"}}", "event": { - "kind": "event", + "action": "ConsoleLogin", "category": [ "authentication" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "signin.amazonaws.com", "type": [ "allowed" - ], - "dataset": "cloudtrail", - "action": "ConsoleLogin", - "provider": "signin.amazonaws.com" + ] }, "@timestamp": "2020-08-19T15:33:43Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "us-east-1", - "account": { - "id": "1111111111" - } - }, "action": { - "type": "AwsConsoleSignIn", "name": "ConsoleLogin", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", "userIdentity": { 
@@ -927,29 +915,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "principalId": "1111111111", "type": "Root" } - } - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", - "device": { - "name": "Other" }, - "name": "Firefox", - "version": "68.0", - "os": { - "name": "Linux" - } - }, - "user": { - "id": "1111111111" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "target": "network-traffic", + "type": "AwsConsoleSignIn" }, "aws": { "cloudtrail": { "event_version": "1.05", + "flattened": { + "response_elements": "{\"ConsoleLogin\": \"Success\"}" + }, "recipient_account_id": "1111111111", "user_identity": { "accessKeyId": "", @@ -957,16 +932,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", "type": "Root" - }, - "flattened": { - "response_elements": "{\"ConsoleLogin\": \"Success\"}" } } }, + "cloud": { + "account": { + "id": "1111111111" + }, + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "cloudtrail" + } + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "id": "1111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", + "os": { + "name": "Linux" + }, + "version": "68.0" } } 
@@ -980,69 +980,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"awsRegion\":\"eu-west-3\",\"eventID\":\"bcf6f457-76bc-4e8c-8a7b-8a2451481675\",\"eventName\":\"AssumeRole\",\"eventSource\":\"sts.amazonaws.com\",\"eventTime\":\"2020-08-12T12:03:12Z\",\"eventType\":\"AwsApiCall\",\"eventVersion\":\"1.05\",\"recipientAccountId\":\"1111111111\",\"requestID\":\"34c3d58a-83f5-42cc-9e4d-1beeb85f809c\",\"requestParameters\":{\"roleArn\":\"arn:aws:iam::1111111111:role/user\",\"roleSessionName\":\"session-name\"},\"resources\":[{\"ARN\":\"arn:aws:iam::1111111111:role/user\",\"accountId\":\"1111111111\",\"type\":\"AWS::IAM::Role\"}],\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIA11111111111111\",\"expiration\":\"Aug 13, 2020, 12:03:12 AM\",\"sessionToken\":\"1111111111111111111111111111111111111111111111111111111111111111111111111\"}},\"sharedEventID\":\"e0b224e9-a818-452c-87e3-a1d4078bb102\",\"sourceIPAddress\":\"lambda.amazonaws.com\",\"userAgent\":\"lambda.amazonaws.com\",\"userIdentity\":{\"invokedBy\":\"lambda.amazonaws.com\",\"type\":\"AWSService\"}}", "event": { - "kind": "event", + "action": "AssumeRole", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "sts.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "AssumeRole", - "provider": "sts.amazonaws.com" + ] }, "@timestamp": "2020-08-12T12:03:12Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3" - }, "action": { - "type": "AwsApiCall", "name": "AssumeRole", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", - "userIdentity": { - "invokedBy": "lambda.amazonaws.com", - "type": "AWSService" - }, "resources": [ { "ARN": "arn:aws:iam::1111111111:role/user", "accountId": "1111111111", "type": "AWS::IAM::Role" } - ] - } - }, - "user_agent": { - "original": "lambda.amazonaws.com", - "device": 
{ - "name": "Other" + ], + "userIdentity": { + "invokedBy": "lambda.amazonaws.com", + "type": "AWSService" + } }, - "name": "Other", - "os": { - "name": "Other" - } - }, - "source": { - "domain": "lambda.amazonaws.com", - "address": "lambda.amazonaws.com", - "top_level_domain": "com", - "subdomain": "lambda", - "registered_domain": "amazonaws.com" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { "event_version": "1.05", - "recipient_account_id": "1111111111", - "user_identity": { - "type": "AWSService" + "flattened": { + "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}", + "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"1111111111111111111111111111111111111111111111111111111111111111111111111\"}}" }, + "recipient_account_id": "1111111111", "resources": [ { "ARN": "arn:aws:iam::1111111111:role/user", 
@@ -1050,16 +1027,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "AWS::IAM::Role" } ], - "flattened": { - "response_elements": "{\"credentials\": {\"accessKeyId\": \"ASIA11111111111111\", \"expiration\": \"Aug 13, 2020, 12:03:12 AM\", \"sessionToken\": \"1111111111111111111111111111111111111111111111111111111111111111111111111\"}}", - "request_parameters": "{\"roleArn\": \"arn:aws:iam::1111111111:role/user\", \"roleSessionName\": \"session-name\"}" + "user_identity": { + "type": "AWSService" } } }, + "cloud": { + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" + } + }, "related": { "hosts": [ "lambda.amazonaws.com" ] + }, + "source": { + "address": "lambda.amazonaws.com", + "domain": "lambda.amazonaws.com", + "registered_domain": "amazonaws.com", + "subdomain": "lambda", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "lambda.amazonaws.com", + "os": { + "name": "Other" + } } } 
@@ -1073,43 +1073,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\":\"1.08\",\"eventTime\":\"2022-09-05T07:45:00Z\",\"awsRegion\":\"eu-west-3\",\"eventID\":\"7a9130fc-ca15-49d9-b4aa-685f7a0c182a\",\"eventType\":\"AwsCloudTrailInsight\",\"recipientAccountId\":\"1111111111\",\"sharedEventID\":\"0a771801-c0cc-406d-a080-219de884f089\",\"insightDetails\":{\"state\":\"End\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"GetBucketPolicy\",\"insightType\":\"ApiErrorRateInsight\",\"errorCode\":\"NoSuchBucketPolicy\",\"insightContext\":{\"statistics\":{\"baseline\":{\"average\":0.0021817492},\"insight\":{\"average\":1.3333333333},\"insightDuration\":3,\"baselineDuration\":10542},\"attributions\":[{\"attribute\":\"userIdentityArn\",\"insight\":[{\"value\":\"arn:aws:iam::1111111111:root\",\"average\":1.3333333333}],\"baseline\":[{\"value\":\"arn:aws:iam::1111111111:root\",\"average\":0.0020868905},{\"value\":\"arn:aws:sts::1111111111:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe\",\"average\":9.48587e-05}]},{\"attribute\":\"userAgent\",\"insight\":[{\"value\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"average\":0.6666666667},{\"value\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"average\":0.6666666667}],\"baseline\":[{\"value\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"average\":0.0010434453},{\"value\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 
java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"average\":0.0009485866},{\"value\":\"AWS Internal\",\"average\":0.0001897173}]}]}},\"eventCategory\":\"Insight\"}\n", "event": { - "kind": "event", + "action": "GetBucketPolicy", "category": [ "network" ], + "code": "NoSuchBucketPolicy", + "dataset": "cloudtrail", + "kind": "event", + "provider": "s3.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "GetBucketPolicy", - "code": "NoSuchBucketPolicy", - "provider": "s3.amazonaws.com" + ] }, "@timestamp": "2022-09-05T07:45:00Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-3" - }, "action": { - "type": "AwsCloudTrailInsight", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111" - } + }, + "target": "network-traffic", + "type": "AwsCloudTrailInsight" }, "aws": { "cloudtrail": { "event_version": "1.08", - "recipient_account_id": "1111111111", "insight_details": { + "context": "{\"attributions\": [{\"attribute\": \"userIdentityArn\", \"baseline\": [{\"average\": 0.0020868905, \"value\": \"arn:aws:iam::1111111111:root\"}, {\"average\": 9.48587e-05, \"value\": \"arn:aws:sts::1111111111:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe\"}], \"insight\": [{\"average\": 1.3333333333, \"value\": \"arn:aws:iam::1111111111:root\"}]}, {\"attribute\": \"userAgent\", \"baseline\": [{\"average\": 0.0010434453, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0009485866, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0001897173, \"value\": \"AWS Internal\"}], \"insight\": 
[{\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}]}], \"statistics\": {\"baseline\": {\"average\": 0.0021817492}, \"baselineDuration\": 10542, \"insight\": {\"average\": 1.3333333333}, \"insightDuration\": 3}}", "state": "End", - "type": "ApiErrorRateInsight", - "context": "{\"attributions\": [{\"attribute\": \"userIdentityArn\", \"baseline\": [{\"average\": 0.0020868905, \"value\": \"arn:aws:iam::1111111111:root\"}, {\"average\": 9.48587e-05, \"value\": \"arn:aws:sts::1111111111:assumed-role/AWSServiceRoleForConfig/AWSConfig-Describe\"}], \"insight\": [{\"average\": 1.3333333333, \"value\": \"arn:aws:iam::1111111111:root\"}]}, {\"attribute\": \"userAgent\", \"baseline\": [{\"average\": 0.0010434453, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0009485866, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.0001897173, \"value\": \"AWS Internal\"}], \"insight\": [{\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.204-124.362.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}, {\"average\": 0.6666666667, \"value\": \"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 
Linux/5.4.207-126.363.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]\"}]}], \"statistics\": {\"baseline\": {\"average\": 0.0021817492}, \"baselineDuration\": 10542, \"insight\": {\"average\": 1.3333333333}, \"insightDuration\": 3}}" - } + "type": "ApiErrorRateInsight" + }, + "recipient_account_id": "1111111111" + } + }, + "cloud": { + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "cloudtrail" } } } 
@@ -1124,121 +1124,121 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AR0000000000000000:1111111111111111111111111\",\"arn\":\"arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111\",\"accountId\":\"1111111111\",\"accessKeyId\":\"AS000000000000000000\",\"sessionContext\":{\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AR0000000000000000\",\"arn\":\"arn:aws:iam::1111111111:role/service-role/username\",\"accountId\":\"1111111111\",\"userName\":\"username\"},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2022-09-09T07:45:14Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2022-09-09T09:17:32Z\",\"eventSource\":\"elasticfilesystem.amazonaws.com\",\"eventName\":\"NewClientConnection\",\"awsRegion\":\"eu-central-1\",\"sourceIPAddress\":\"AWS Internal\",\"userAgent\":\"elasticfilesystem\",\"requestParameters\":null,\"responseElements\":null,\"eventID\":\"6ff7e265-b0b9-42c0-b4b5-ad140a7f1baa\",\"readOnly\":true,\"resources\":[{\"accountId\":\"1111111111\",\"type\":\"AWS::EFS::FileSystem\",\"ARN\":\"arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000\"},{\"accountId\":\"1111111111\",\"type\":\"AWS::EFS::AccessPoint\",\"ARN\":\"arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000\"}],\"eventType\":\"AwsServiceEvent\",\"managementEvent\":true,\"recipientAccountId\":\"1111111111\",\"serviceEventDetails\":{\"permissions\":{\"ClientRootAccess\":false,\"ClientMount\":true,\"ClientWrite\":true},\"sourceIpAddress\":\"1.2.3.4\"},\"eventCategory\":\"Management\"}\n", "event": { - "kind": "event", + "action": "NewClientConnection", "category": [ "network" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "elasticfilesystem.amazonaws.com", "type": [ "access" - ], - "dataset": "cloudtrail", - "action": "NewClientConnection", - "provider": 
"elasticfilesystem.amazonaws.com" + ] }, "@timestamp": "2022-09-09T09:17:32Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-central-1", - "account": { - "id": "1111111111" - } - }, "action": { - "type": "AwsServiceEvent", "name": "NewClientConnection", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "1111111111", + "resources": [ + { + "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000", + "accountId": "1111111111", + "type": "AWS::EFS::FileSystem" + }, + { + "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000", + "accountId": "1111111111", + "type": "AWS::EFS::AccessPoint" + } + ], "userIdentity": { - "type": "AssumedRole", - "principalId": "AR0000000000000000:1111111111111111111111111", - "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111", - "accountId": "1111111111", "accessKeyId": "AS000000000000000000", + "accountId": "1111111111", + "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111", + "principalId": "AR0000000000000000:1111111111111111111111111", "sessionContext": { + "attributes": { + "creationDate": "2022-09-09T07:45:14Z", + "mfaAuthenticated": "false" + }, "sessionIssuer": { - "type": "Role", - "principalId": "AR0000000000000000", - "arn": "arn:aws:iam::1111111111:role/service-role/username", "accountId": "1111111111", + "arn": "arn:aws:iam::1111111111:role/service-role/username", + "principalId": "AR0000000000000000", + "type": "Role", "userName": "username" }, - "webIdFederationData": {}, - "attributes": { - "creationDate": "2022-09-09T07:45:14Z", - "mfaAuthenticated": "false" - } - } - }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + "target": "network-traffic", + "type": "AwsServiceEvent" + }, + "aws": { + "cloudtrail": { + "event_version": "1.08", + "recipient_account_id": "1111111111", "resources": [ { + "ARN": 
"arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000", "accountId": "1111111111", - "type": "AWS::EFS::FileSystem", - "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000" + "type": "AWS::EFS::FileSystem" }, { + "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000", "accountId": "1111111111", - "type": "AWS::EFS::AccessPoint", - "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000" + "type": "AWS::EFS::AccessPoint" } - ] + ], + "user_identity": { + "accessKeyId": "AS000000000000000000", + "accountId": "1111111111", + "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111", + "principalId": "AR0000000000000000:1111111111111111111111111", + "sessionContext": { + "attributes": { + "creationDate": "2022-09-09T07:45:14Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "1111111111", + "arn": "arn:aws:iam::1111111111:role/service-role/username", + "principalId": "AR0000000000000000", + "type": "Role", + "userName": "username" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + } + }, + "cloud": { + "account": { + "id": "1111111111" + }, + "provider": "aws", + "region": "eu-central-1", + "service": { + "name": "cloudtrail" } }, + "user": { + "id": "1111111111" + }, "user_agent": { - "original": "elasticfilesystem", "device": { "name": "Other" }, "name": "Other", + "original": "elasticfilesystem", "os": { "name": "Other" } - }, - "user": { - "id": "1111111111" - }, - "aws": { - "cloudtrail": { - "event_version": "1.08", - "recipient_account_id": "1111111111", - "user_identity": { - "type": "AssumedRole", - "principalId": "AR0000000000000000:1111111111111111111111111", - "arn": "arn:aws:sts::1111111111:assumed-role/role/1111111111111111111111111", - "accountId": "1111111111", - "accessKeyId": "AS000000000000000000", - "sessionContext": { - "sessionIssuer": { - "type": "Role", - 
"principalId": "AR0000000000000000", - "arn": "arn:aws:iam::1111111111:role/service-role/username", - "accountId": "1111111111", - "userName": "username" - }, - "webIdFederationData": {}, - "attributes": { - "creationDate": "2022-09-09T07:45:14Z", - "mfaAuthenticated": "false" - } - } - }, - "resources": [ - { - "accountId": "1111111111", - "type": "AWS::EFS::FileSystem", - "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:file-system/fs-00000000" - }, - { - "accountId": "1111111111", - "type": "AWS::EFS::AccessPoint", - "ARN": "arn:aws:elasticfilesystem:eu-central-1:1111111111:access-point/fsap-00000000000000000" - } - ] - } } } 
@@ -1252,85 +1252,85 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"A00000000000000000000:user@example.org\",\"arn\":\"arn:aws:sts::111111111:assumed-role/role/user@example.org\",\"accountId\":\"111111111\"},\"eventTime\":\"2022-09-08T15:01:59Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"1.2.3.4\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"LoginTo\":\"https://console.aws.amazon.com/console/home\",\"MobileVersion\":\"No\",\"MFAUsed\":\"No\",\"SamlProviderArn\":\"arn:aws:iam::111111111:saml-provider/provider-name\"},\"eventID\":\"e7dd6d97-2d3a-45dc-bb19-a3ea347091e3\",\"readOnly\":false,\"eventType\":\"AwsConsoleSignIn\",\"managementEvent\":true,\"recipientAccountId\":\"111111111\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"signin.aws.amazon.com\"}}\n", "event": { - "kind": "event", + "action": "ConsoleLogin", "category": [ "authentication" ], + "dataset": "cloudtrail", + "kind": "event", + "provider": "signin.amazonaws.com", "type": [ "allowed" - ], - "dataset": "cloudtrail", - "action": "ConsoleLogin", - "provider": "signin.amazonaws.com" + ] }, "@timestamp": "2022-09-08T15:01:59Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "us-east-1", - "account": { - "id": "111111111" - } - }, "action": { - "type": "AwsConsoleSignIn", "name": "ConsoleLogin", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "111111111", "userIdentity": { - "type": "AssumedRole", - "principalId": 
"A00000000000000000000:user@example.org", + "accountId": "111111111", "arn": "arn:aws:sts::111111111:assumed-role/role/user@example.org", - "accountId": "111111111" + "principalId": "A00000000000000000000:user@example.org", + "type": "AssumedRole" } - } - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36", - "device": { - "name": "Other" }, - "name": "Chrome", - "version": "105.0.0", - "os": { - "name": "Windows", - "version": "10" - } - }, - "user": { - "id": "111111111" - }, - "tls": { - "cipher": "ECDHE-RSA-AES128-GCM-SHA256", - "version": "TLSv1.2" - }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "target": "network-traffic", + "type": "AwsConsoleSignIn" }, "aws": { "cloudtrail": { "event_version": "1.08", + "flattened": { + "response_elements": "{\"ConsoleLogin\": \"Success\"}" + }, "recipient_account_id": "111111111", "user_identity": { - "type": "AssumedRole", - "principalId": "A00000000000000000000:user@example.org", + "accountId": "111111111", "arn": "arn:aws:sts::111111111:assumed-role/role/user@example.org", - "accountId": "111111111" - }, - "flattened": { - "response_elements": "{\"ConsoleLogin\": \"Success\"}" + "principalId": "A00000000000000000000:user@example.org", + "type": "AssumedRole" } } }, + "cloud": { + "account": { + "id": "111111111" + }, + "provider": "aws", + "region": "us-east-1", + "service": { + "name": "cloudtrail" + } + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "version": "TLSv1.2" + }, + "user": { + "id": "111111111" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "105.0.0" } } 
diff --git a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md index ec49365ea0..a68c0fd41d 100644 --- a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md +++ b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md @@ -35,23 +35,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "auth: ST1-CMDR: Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4", "event": { - "dataset": "auth", - "reason": "Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4", - "kind": "event", "category": [ "authentication" ], + "dataset": "auth", + "kind": "event", + "reason": "Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4", "type": [ "info" ] }, - "user": { - "name": "john.doe" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" @@ -59,6 +52,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" } } @@ -72,23 +72,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "auth: ST1-CMDR: User 'john.doe' logged in from 1.2.3.4 to SSH session", "event": { - "dataset": "auth", - "reason": "User 'john.doe' logged in from 1.2.3.4 to SSH session", - "kind": "event", "category": [ "authentication" ], + "dataset": "auth", + "kind": "event", + "reason": "User 'john.doe' logged in from 1.2.3.4 to SSH session", "type": [ "start" ] }, - "user": { - "name": "john.doe" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" 
@@ -96,6 +89,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" } } @@ -109,24 +109,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "dhcp-snoop: ST1-CMDR: backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8", "event": { - "dataset": "dhcp-snoop", - "reason": "backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8", - "kind": "event", "category": [ "network" ], + "dataset": "dhcp-snoop", + "kind": "event", + "reason": "backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8", "type": [ "connection" ] }, - "source": { - "ip": "3.4.5.6", - "address": "3.4.5.6" - }, "related": { "ip": [ "3.4.5.6" ] + }, + "source": { + "address": "3.4.5.6", + "ip": "3.4.5.6" } } @@ -140,12 +140,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "dhcp-snoop: ST1-CMDR: backplane: Ceasing bad release logs for 5m", "event": { - "dataset": "dhcp-snoop", - "reason": "backplane: Ceasing bad release logs for 5m", - "kind": "event", "category": [ "network" ], + "dataset": "dhcp-snoop", + "kind": "event", + "reason": "backplane: Ceasing bad release logs for 5m", "type": [ "connection" ] @@ -162,24 +162,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "mgr: ST1-CMDR: SME SSH from 1.2.3.4 - MANAGER Mode", "event": { - "dataset": "mgr", - "reason": "SME SSH from 1.2.3.4 - MANAGER Mode", - "kind": "event", "category": [ "session" ], + "dataset": "mgr", + "kind": "event", + "reason": "SME SSH from 1.2.3.4 - MANAGER Mode", "type": [ "start" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -193,12 +193,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "crypto: ST1-CMDR: Certificate used by http-ssl application is expired.", "event": { - "dataset": "crypto", - "reason": "Certificate used by http-ssl application is expired.", - "kind": "event", "category": [ "network" ], + "dataset": "crypto", + "kind": "event", + "reason": "Certificate used by http-ssl application is expired.", "type": [ "connection" ] @@ -215,12 +215,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "dhcp-server: ST1-CMDR: No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)", "event": { - "dataset": "dhcp-server", - "reason": "No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)", - "kind": "event", "category": [ "network" ], + "dataset": "dhcp-server", + "kind": "event", + "reason": "No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)", "type": [ "connection" ] @@ -237,12 +237,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "dhcp-server: ST1-CMDR: High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0", "event": { - "dataset": "dhcp-server", - "reason": "High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0", - "kind": "event", "category": [ "network" ], + "dataset": "dhcp-server", + "kind": "event", + "reason": "High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0", "type": [ "connection" ] @@ -259,12 +259,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FFI: ST1-CMDR: port 1/11-High collision or drop rate. See help.", "event": { - "dataset": "FFI", - "reason": "port 1/11-High collision or drop rate. See help.", - "kind": "event", "category": [ "network" ], + "dataset": "FFI", + "kind": "event", + "reason": "port 1/11-High collision or drop rate. See help.", "type": [ "connection" ] 
@@ -281,12 +281,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ports: ST1-CMDR: port 2/16 in Trk7 is now on-line", "event": { - "dataset": "ports", - "reason": "port 2/16 in Trk7 is now on-line", - "kind": "event", "category": [ "network" ], + "dataset": "ports", + "kind": "event", + "reason": "port 2/16 in Trk7 is now on-line", "type": [ "connection" ] @@ -303,12 +303,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ports: ST1-CMDR: port 2/16 is Blocked by LACP", "event": { - "dataset": "ports", - "reason": "port 2/16 is Blocked by LACP", - "kind": "event", "category": [ "network" ], + "dataset": "ports", + "kind": "event", + "reason": "port 2/16 is Blocked by LACP", "type": [ "connection" ] @@ -325,12 +325,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ports: ST1-CMDR: port 1/8 is now on-line", "event": { - "dataset": "ports", - "reason": "port 1/8 is now on-line", - "kind": "event", "category": [ "network" ], + "dataset": "ports", + "kind": "event", + "reason": "port 1/8 is now on-line", "type": [ "connection" ] @@ -347,12 +347,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ports: ST1-CMDR: port 1/8 is now off-line", "event": { - "dataset": "ports", - "reason": "port 1/8 is now off-line", - "kind": "event", "category": [ "network" ], + "dataset": "ports", + "kind": "event", + "reason": "port 1/8 is now off-line", "type": [ "connection" ] 
@@ -369,24 +369,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "snmp: ST1-CMDR: Security access violation from 1.2.3.4 for the community name or user name : internal", "event": { - "dataset": "snmp", - "reason": "Security access violation from 1.2.3.4 for the community name or user name : internal", - "kind": "alert", "category": [ "session" ], + "dataset": "snmp", + "kind": "alert", + "reason": "Security access violation from 1.2.3.4 for the community name or user name : internal", "type": [ "info" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -400,24 +400,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "snmp: ST1-CMDR: Security access violation from 1.2.3.4 for the community name or user name : internal (1 times in 60 seconds)", "event": { - "dataset": "snmp", - "reason": "Security access violation from 1.2.3.4 for the community name or user name : internal (1 times in 60 seconds)", - "kind": "alert", "category": [ "session" ], + "dataset": "snmp", + "kind": "alert", + "reason": "Security access violation from 1.2.3.4 for the community name or user name : internal (1 times in 60 seconds)", "type": [ "info" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -431,24 +431,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "SNTP: ST1-CMDR: Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.", "event": { - "dataset": "SNTP", - "reason": "Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.", - "kind": "event", "category": [ "network" ], + "dataset": "SNTP", + "kind": "event", + "reason": "Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.", "type": [ "connection" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } @@ -462,24 +462,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ssl: ST1-CMDR: User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)", "event": { - "dataset": "ssl", - "reason": "User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)", - "kind": "event", "category": [ "session" ], + "dataset": "ssl", + "kind": "event", + "reason": "User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)", "type": [ "info" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } 
@@ -493,24 +493,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "ssl: ST1-CMDR: SSL/TLS session closed for WEB-UI from 1.2.3.4.", "event": { - "dataset": "ssl", - "reason": "SSL/TLS session closed for WEB-UI from 1.2.3.4.", - "kind": "event", "category": [ "session" ], + "dataset": "ssl", + "kind": "event", + "reason": "SSL/TLS session closed for WEB-UI from 1.2.3.4.", "type": [ "end" ] }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" } } diff --git a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md index 3398445e3e..59ef152a25 100644 --- a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md +++ b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md 
@@ -35,47 +35,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"ADMIN\", \"modificationDiff\": \"\", \"serviceName\": \"MY-SERVICE\", \"serviceType\": \"https\", \"severity\": \"WARNING\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"172.17.0.30\", \"osInfo\": \"Windows(10)\", \"profiles\": [\"ADMINISTRATOR\"], \"protocol\": \"WEB\", \"realmName\": \"my-realm.local\", \"roles\": [\"PROVEIT-ADMINISTRATOR-PROFILE\"], \"sessionId\": \"6c036039-2ea0-4a12-bf54-98c827db986b\", \"softwareInfo\": \"Firefox (107.0)\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-08T21:37:18.323112+01:00\", \"type\": \"ADMIN_SERVICES_SERVICE_MODIFY\"}\n\n", "event": { - "kind": "event", "action": "admin_services_service_modify", + "kind": "event", "severity": 30 }, "@timestamp": "2022-12-08T20:37:18.323112Z", + "network": { + "protocol": "web" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "172.17.0.30" + ], + "user": [ + "my.user" + ] }, "rubycat": { "proveit": { "source": { - "type": "HB", + "profiles": [ + "ADMINISTRATOR" + ], "roles": [ "PROVEIT-ADMINISTRATOR-PROFILE" ], - "profiles": [ - "ADMINISTRATOR" - ] + "type": "HB" } } }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "172.17.0.30", "ip": "172.17.0.30", - "address": "172.17.0.30" - }, - "network": { - "protocol": "web" - }, - "related": { - "user": [ - "my.user" - ], - "ip": [ - "172.17.0.30" - ] + "user": { + "domain": "my-realm.local", + "name": "my.user" + } } } 
@@ -89,21 +89,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"SYSTEM\", \"severity\": \"INFO\", \"source\": {\"componentId\": \"coremanager\", \"type\": \"SYSTEM\"}, \"timestamp\": \"2022-12-13T06:25:56.859488+01:00\", \"type\": \"SYSTEM_SIMM_UNLOCKED\"}\n\n", "event": { - "kind": "event", "action": "system_simm_unlocked", + "kind": "event", "severity": 10 }, "@timestamp": "2022-12-13T05:25:56.859488Z", "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" }, "rubycat": { "proveit": { "source": { - "type": "SYSTEM", - "componentId": "coremanager" + "componentId": "coremanager", + "type": "SYSTEM" } } } @@ -119,21 +119,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"auditRecordsNumber\": 202, \"category\": \"SYSTEM\", \"severity\": \"INFO\", \"source\": {\"componentId\": \"coremanager\", \"type\": \"SYSTEM\"}, \"storageCurrentSpace\": 3336175616, \"storageFreeSpace\": 66275975168, \"storageId\": 1, \"storageName\": \"d\\\\u00e9faut\", \"storageTotalSpace\": 73386811392, \"timestamp\": \"2022-12-12T21:27:04.063158+01:00\", \"type\": \"SYSTEM_STORAGE_STATS\"}", "event": { - "kind": "event", "action": "system_storage_stats", + "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T20:27:04.063158Z", "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" }, "rubycat": { "proveit": { "source": { - "type": "SYSTEM", - "componentId": "coremanager" + "componentId": "coremanager", + "type": "SYSTEM" } } } 
@@ -149,52 +149,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"authServerName\": \"AD\", \"authServerType\": \"LDAP\", \"category\": \"USER\", \"reason\": \"BAD_CREDENTIALS\", \"severity\": \"WARNING\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.8\", \"osInfo\": \"Windows(10)\", \"profiles\": [\"USER\"], \"protocol\": \"web\", \"realmName\": \"my-realm.local\", \"roles\": [], \"sessionId\": \"\", \"softwareInfo\": \"Firefox (107.0)\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-09T10:38:55.552544+01:00\", \"type\": \"USER_CONNECTION_FAILURE\"}\n\n", "event": { - "kind": "event", "action": "user_connection_failure", - "reason": "BAD_CREDENTIALS", - "severity": 30, "category": [ "authentication" ], + "kind": "event", + "reason": "BAD_CREDENTIALS", + "severity": 30, "type": [ "start" ] }, "@timestamp": "2022-12-09T09:38:55.552544Z", + "network": { + "protocol": "web" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.8" + ], + "user": [ + "my.user" + ] }, "rubycat": { "proveit": { "source": { - "type": "HB", - "roles": [], "profiles": [ "USER" - ] + ], + "roles": [], + "type": "HB" } } }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.8", "ip": "10.1.2.8", - "address": "10.1.2.8" - }, - "network": { - "protocol": "web" - }, - "related": { - "user": [ - "my.user" - ], - "ip": [ - "10.1.2.8" - ] + "user": { + "domain": "my-realm.local", + "name": "my.user" + } } } 
@@ -208,53 +208,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"20ed63ad-cd6d-4bfa-9251-09cdb3a2133e\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T09:06:39.737567+01:00\", \"type\": \"USER_CONNECTION_SUCCESS\"}\n\n", "event": { - "kind": "event", "action": "user_connection_success", - "severity": 10, "category": [ "authentication" ], + "kind": "event", + "severity": 10, "type": [ "start" ] }, "@timestamp": "2022-12-12T08:06:39.737567Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.5" + ], + "user": [ + "my.user" + ] }, "rubycat": { "proveit": { "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - RESTREINT" ], - "profiles": [ - "USER" - ] + "type": "HB" } } }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.5", "ip": "10.1.2.5", - "address": "10.1.2.5" - }, - "network": { - "protocol": "rdp" - }, - "related": { - "user": [ - "my.user" - ], - "ip": [ - "10.1.2.5" - ] + "user": { + "domain": "my-realm.local", + "name": "my.user" + } } } 
@@ -268,53 +268,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"7b4b9364-fa4a-4507-8976-f75056a3a546\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T17:23:52.226809+01:00\", \"type\": \"USER_DISCONNECTION\"}\n\n", "event": { - "kind": "event", "action": "user_disconnection", - "severity": 10, "category": [ "authentication" ], + "kind": "event", + "severity": 10, "type": [ "end" ] }, "@timestamp": "2022-12-12T16:23:52.226809Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.5" + ], + "user": [ + "my.user" + ] }, "rubycat": { "proveit": { "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - RESTREINT" ], - "profiles": [ - "USER" - ] + "type": "HB" } } }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.5", "ip": "10.1.2.5", - "address": "10.1.2.5" - }, - "network": { - "protocol": "rdp" - }, - "related": { - "user": [ - "my.user" - ], - "ip": [ - "10.1.2.5" - ] + "user": { + "domain": "my-realm.local", + "name": "my.user" + } } } 
@@ -328,53 +328,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.7\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - ALL\"], \"sessionId\": \"e4cc4c66-e7cd-4c13-b626-200016b048c5\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.other.user\"}, \"timestamp\": \"2022-12-12T11:34:36.291768+01:00\", \"type\": \"USER_DISCONNECTION_ON_INACTIVITY\"}\n", "event": { - "kind": "event", "action": "user_disconnection_on_inactivity", - "severity": 10, "category": [ "authentication" ], + "kind": "event", + "severity": 10, "type": [ "end" ] }, "@timestamp": "2022-12-12T10:34:36.291768Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.7" + ], + "user": [ + "my.other.user" + ] }, "rubycat": { "proveit": { "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - ALL" ], - "profiles": [ - "USER" - ] + "type": "HB" } } }, "source": { - "user": { - "name": "my.other.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.7", "ip": "10.1.2.7", - "address": "10.1.2.7" - }, - "network": { - "protocol": "rdp" - }, - "related": { - "user": [ - "my.other.user" - ], - "ip": [ - "10.1.2.7" - ] + "user": { + "domain": "my-realm.local", + "name": "my.other.user" + } } } 
@@ -388,59 +388,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"adminisitrateur\"}, \"reason\": \"AUTH_ERROR\", \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"10.1.0.26\", \"name\": \"AD2\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"WARNING\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"20ed63ad-cd6d-4bfa-9251-09cdb3a2133e\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T09:09:20.974448+01:00\", \"type\": \"USER_SERVICE_CONNECTION_FAILURE\"}\n", "event": { - "kind": "event", "action": "user_service_connection_failure", + "kind": "event", "reason": "AUTH_ERROR", "severity": 30 }, "@timestamp": "2022-12-12T08:09:20.974448Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.5" + ], + "user": [ + "adminisitrateur", + "my.user" + ] }, "rubycat": { "proveit": { + "context": { + "auth_mode": "PASSWORD" + }, "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - RESTREINT" ], - "profiles": [ - "USER" - ] - }, - "context": { - "auth_mode": "PASSWORD" + "type": "HB" } } }, + "service": { + "address": "10.1.0.26", + "name": "AD2" + }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.5", "ip": "10.1.2.5", - "address": "10.1.2.5" - }, - "network": { - "protocol": "rdp" - }, - "service": { - "name": "AD2", - "address": "10.1.0.26" + "user": { + "domain": "my-realm.local", + "name": "my.user" + } }, "user": { "name": "adminisitrateur" - }, - 
"related": { - "user": [ - "adminisitrateur", - "my.user" - ], - "ip": [ - "10.1.2.5" - ] } } 
@@ -454,60 +454,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"beginDate\": \"2022-12-11T18:27:27.581333+01:00\", \"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"administrateur\"}, \"duration\": 10, \"endDate\": \"2022-12-11T18:27:37.690038+01:00\", \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"serveur17\", \"name\": \"serveur17\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"172.17.0.10\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - ALL\"], \"sessionId\": \"82a60aef-dbde-4a3b-8b21-df00712038e6\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.other.user\"}, \"status\": \"NETWORK_ERROR\", \"timestamp\": \"2022-12-11T18:27:37.725334+01:00\", \"type\": \"USER_SERVICE_CONNECTION_SUMMARY\"}\n\n", "event": { - "kind": "event", "action": "user_service_connection_summary", - "start": "2022-12-11T17:27:27.581333Z", "end": "2022-12-11T17:27:37.690038Z", - "severity": 10 + "kind": "event", + "severity": 10, + "start": "2022-12-11T17:27:27.581333Z" }, "@timestamp": "2022-12-11T17:27:37.725334Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "172.17.0.10" + ], + "user": [ + "administrateur", + "my.other.user" + ] }, "rubycat": { "proveit": { + "context": { + "auth_mode": "PASSWORD" + }, "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - ALL" ], - "profiles": [ - "USER" - ] - }, - "context": { - "auth_mode": "PASSWORD" + "type": "HB" } } }, + "service": { + "address": "serveur17", + "name": "serveur17" + }, "source": { - "user": { - "name": "my.other.user", - "domain": "my-realm.local" - }, + "address": 
"172.17.0.10", "ip": "172.17.0.10", - "address": "172.17.0.10" - }, - "network": { - "protocol": "rdp" - }, - "service": { - "name": "serveur17", - "address": "serveur17" + "user": { + "domain": "my-realm.local", + "name": "my.other.user" + } }, "user": { "name": "administrateur" - }, - "related": { - "user": [ - "administrateur", - "my.other.user" - ], - "ip": [ - "172.17.0.10" - ] } } 
@@ -521,58 +521,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"administrateur\"}, \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"10.1.0.26\", \"name\": \"AD2\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"7b4b9364-fa4a-4507-8976-f75056a3a546\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T16:58:58.072633+01:00\", \"type\": \"USER_SERVICE_DISCONNECTION\"}", "event": { - "kind": "event", "action": "user_service_disconnection", + "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T15:58:58.072633Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.5" + ], + "user": [ + "administrateur", + "my.user" + ] }, "rubycat": { "proveit": { + "context": { + "auth_mode": "PASSWORD" + }, "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - RESTREINT" ], - "profiles": [ - "USER" - ] - }, - "context": { - "auth_mode": "PASSWORD" + "type": "HB" } } }, + "service": { + "address": "10.1.0.26", + "name": "AD2" + }, "source": { - "user": { - "name": "my.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.5", "ip": "10.1.2.5", - "address": "10.1.2.5" - }, - "network": { - "protocol": "rdp" - }, - "service": { - "name": "AD2", - "address": "10.1.0.26" + "user": { + "domain": "my-realm.local", + "name": "my.user" + } }, "user": { "name": "administrateur" - }, - "related": { - "user": [ - "administrateur", - "my.user" - ], - "ip": [ 
- "10.1.2.5" - ] } } 
@@ -586,57 +586,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"my.other.user\"}, \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"serveur1.my-realm.local\", \"name\": \"titan\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.7\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - ALL\"], \"sessionId\": \"e4cc4c66-e7cd-4c13-b626-200016b048c5\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.other.user\"}, \"timestamp\": \"2022-12-12T11:34:35.608171+01:00\", \"type\": \"USER_SERVICE_DISCONNECTION_ON_INACTIVITY\"}\n", "event": { - "kind": "event", "action": "user_service_disconnection_on_inactivity", + "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T10:34:35.608171Z", + "network": { + "protocol": "rdp" + }, "observer": { - "vendor": "RubyCat", "product": "prove-it", - "type": "bastion" + "type": "bastion", + "vendor": "RubyCat" + }, + "related": { + "ip": [ + "10.1.2.7" + ], + "user": [ + "my.other.user" + ] }, "rubycat": { "proveit": { + "context": { + "auth_mode": "PASSWORD" + }, "source": { - "type": "HB", + "profiles": [ + "USER" + ], "roles": [ "DSI - ALL" ], - "profiles": [ - "USER" - ] - }, - "context": { - "auth_mode": "PASSWORD" + "type": "HB" } } }, + "service": { + "address": "serveur1.my-realm.local", + "name": "titan" + }, "source": { - "user": { - "name": "my.other.user", - "domain": "my-realm.local" - }, + "address": "10.1.2.7", "ip": "10.1.2.7", - "address": "10.1.2.7" - }, - "network": { - "protocol": "rdp" - }, - "service": { - "name": "titan", - "address": "serveur1.my-realm.local" + "user": { + "domain": "my-realm.local", + "name": "my.other.user" + } }, "user": { "name": "my.other.user" - }, - 
"related": { - "user": [ - "my.other.user" - ], - "ip": [ - "10.1.2.7" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index ab0138240f..ad9adcb94a 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md 
@@ -36,48 +36,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000148|sys_name=SystemName\tdevTimeFormat=MMM dd yyyy HH:mm:ss Z\tdevTime=Sep 23 2022 09:51:24 +0200\tpolicy=Any From Firebox-00\tdisp=Allow\tin_if=Firebox\tout_if=LAN\tsrc=10.10.1.1\tsrcPort=46416\tdst=10.10.1.2\tdstPort=443\tip_len=52\tip_TTL=64\tproto=tcp\ttcp_offset=8\ttcp_flag=S\ttcp_seq=4071455733\ttcp_window=4210", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "30000148", - "action": "Allow" + "kind": "event", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "10.10.1.2", + "ip": "10.10.1.2", + "port": 443 + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "ingress": { + "egress": { "interface": { - "name": "Firebox" + "name": "LAN" } }, - "egress": { + "ingress": { "interface": { - "name": "LAN" + "name": "Firebox" } - } + }, + "product": "XTM", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "10.10.1.1", + "10.10.1.2" + ] }, "rule": { "ruleset": "Any From Firebox-00" }, "source": { - "port": 46416, + "address": "10.10.1.1", "ip": "10.10.1.1", - "address": "10.10.1.1" - }, - "destination": { - "port": 443, - "ip": "10.10.1.2", - "address": "10.10.1.2" - }, - "network": { - "transport": "tcp" + "port": 46416 }, "watchguard": { "firebox": { @@ -87,19 +93,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ttl": 64 }, "tcp": { - "offset": 8, "flag": "S", + "offset": 8, "sequence": "4071455733", "window": "4210" } } } - }, - "related": { - "ip": [ - "10.10.1.1", - "10.10.1.2" - ] } } 
@@ -113,55 +113,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000151|serial=000000000000\tpolicy=DNS-srv-00\tdisp=Allow\tin_if=Lab\tout_if=WAN2\tgeo_dst=USA\tsrc=192.168.91.11\tsrcPort=52075\tsrcPostNAT=192.168.0.20\tsrcPostNATPORT=58586\tdst=8.8.4.4\tdstPort=53\tsrc_user=admin@test.org\tduration=38\tsent_bytes=69\trcvd_bytes=185", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "30000151", - "action": "Allow" + "kind": "event", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "8.8.4.4", + "bytes": 185, + "geo": { + "country_iso_code": "USA" + }, + "ip": "8.8.4.4", + "port": 53 }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "Lab" + "name": "WAN2" } }, - "egress": { + "ingress": { "interface": { - "name": "WAN2" + "name": "Lab" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "192.168.0.20", + "192.168.91.11", + "8.8.4.4" + ] }, "rule": { "ruleset": "DNS-srv-00" }, "source": { - "port": 52075, - "nat": { - "port": 58586, - "ip": "192.168.0.20" - }, + "address": "192.168.91.11", "bytes": 69, "ip": "192.168.91.11", - "address": "192.168.91.11" - }, - "destination": { - "port": 53, - "geo": { - "country_iso_code": "USA" + "nat": { + "ip": "192.168.0.20", + "port": 58586 }, - "bytes": 185, - "ip": "8.8.4.4", - "address": "8.8.4.4" + "port": 52075 }, "user": { "email": "admin@test.org" @@ -172,13 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "duration": 38 } } - }, - "related": { - "ip": [ - "192.168.0.20", - "192.168.91.11", - "8.8.4.4" - ] } } 
@@ -192,49 +192,55 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000148|serial=000000000000\tpolicy=Any From Firebox-00\tdisp=Allow\tin_if=Firebox\tout_if=Lab\tsrc=192.168.91.253\tsrcPort=35979\tdst=192.168.91.37\tdstPort=24594\tip_len=58\tip_TTL=64\tproto=udp", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "30000148", - "action": "Allow" + "kind": "event", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "192.168.91.37", + "ip": "192.168.91.37", + "port": 24594 + }, + "network": { + "transport": "udp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "Firebox" + "name": "Lab" } }, - "egress": { + "ingress": { "interface": { - "name": "Lab" + "name": "Firebox" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "192.168.91.253", + "192.168.91.37" + ] }, "rule": { "ruleset": "Any From Firebox-00" }, "source": { - "port": 35979, + "address": "192.168.91.253", "ip": "192.168.91.253", - "address": "192.168.91.253" - }, - "destination": { - "port": 24594, - "ip": "192.168.91.37", - "address": "192.168.91.37" - }, - "network": { - "transport": "udp" + "port": 35979 }, "watchguard": { "firebox": { @@ -245,12 +251,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } } - }, - "related": { - "ip": [ - "192.168.91.253", - "192.168.91.37" - ] } } 
@@ -264,51 +264,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000151|serial=000000000000\tpolicy=DNS-Wifi-Home-00\tdisp=Allow\tin_if=Wifi_Home\tout_if=Firebox\tgeo_dst=USA\tsrc=10.10.10.11\tsrcPort=38547\tdst=8.8.4.4\tdstPort=53\tdstPostNAT=10.10.10.1\tduration=40\tsent_bytes=60\trcvd_bytes=116", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "30000151", - "action": "Allow" + "kind": "event", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "8.8.4.4", + "bytes": 116, + "geo": { + "country_iso_code": "USA" + }, + "ip": "8.8.4.4", + "port": 53 }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "Wifi_Home" + "name": "Firebox" } }, - "egress": { + "ingress": { "interface": { - "name": "Firebox" + "name": "Wifi_Home" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "10.10.10.11", + "8.8.4.4" + ] }, "rule": { "ruleset": "DNS-Wifi-Home-00" }, "source": { - "port": 38547, + "address": "10.10.10.11", "bytes": 60, "ip": "10.10.10.11", - "address": "10.10.10.11" - }, - "destination": { - "port": 53, - "geo": { - "country_iso_code": "USA" - }, - "bytes": 116, - "ip": "8.8.4.4", - "address": "8.8.4.4" + "port": 38547 }, "watchguard": { "firebox": { @@ -316,12 +322,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "duration": 40 } } - }, - "related": { - "ip": [ - "10.10.10.11", - "8.8.4.4" - ] } } 
@@ -335,53 +335,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000148|serial=000000000000\tpolicy=Internal Policy\tdisp=Deny\tin_if=WAN1\tout_if=Firebox\tgeo_src=UKR\tsrc=1.2.3.4\tsrcPort=65006\tdst=192.168.1.2\tdstPort=443\tip_len=87\tip_TTL=115\tproto=tcp\ttcp_offset=5\ttcp_flag=A\ttcp_seq=1843525890\ttcp_window=51200\tmsg=tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead).", "event": { - "kind": "event", + "action": "Deny", "category": [ "network" ], + "code": "30000148", + "kind": "event", + "reason": "tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead).", "type": [ "connection", "denied" - ], - "code": "30000148", - "action": "Deny", - "reason": "tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead)." + ] + }, + "destination": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 443 + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "WAN1" + "name": "Firebox" } }, - "egress": { + "ingress": { "interface": { - "name": "Firebox" + "name": "WAN1" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "1.2.3.4", + "192.168.1.2" + ] }, "rule": { "ruleset": "Internal Policy" }, "source": { - "port": 65006, + "address": "1.2.3.4", "geo": { "country_iso_code": "UKR" }, "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "port": 443, - "ip": "192.168.1.2", - "address": "192.168.1.2" - }, - "network": { - "transport": "tcp" + "port": 65006 }, "watchguard": { "firebox": { 
@@ -391,19 +397,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ttl": 115 }, "tcp": { - "offset": 5, "flag": "A", + "offset": 5, "sequence": "1843525890", "window": "51200" } } } - }, - "related": { - "ip": [ - "1.2.3.4", - "192.168.1.2" - ] } } @@ -417,28 +417,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|16000065|serial=000000000000\tmsg=DHCPACK on 10.0.2.52 to 00:01:21:30:0f:a0 (Lab001) via vlan2", "event": { - "kind": "event", "category": [ "network" ], + "code": "16000065", + "kind": "event", + "reason": "DHCPACK on 10.0.2.52 to 00:01:21:30:0f:a0 (Lab001) via vlan2", "type": [ "info" - ], - "code": "16000065", - "reason": "DHCPACK on 10.0.2.52 to 00:01:21:30:0f:a0 (Lab001) via vlan2" + ] }, "observer": { - "type": "firewall", "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000" + "version": "12.8.2.B666661" + }, + "related": { + "hosts": [ + "Lab001" + ], + "ip": [ + "10.0.2.52" + ] }, "source": { - "mac": "00:01:21:30:0f:a0", + "address": "Lab001", "domain": "Lab001", "ip": "10.0.2.52", - "address": "Lab001" + "mac": "00:01:21:30:0f:a0" }, "watchguard": { "firebox": { @@ -446,14 +454,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operation": "ack" } } - }, - "related": { - "hosts": [ - "Lab001" - ], - "ip": [ - "10.0.2.52" - ] } } 
@@ -467,28 +467,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|16000066|serial=000000000000\tmsg=DHCPREQUEST for 10.0.2.52 from 00:01:21:30:0f:a0 (Lab001) via vlan2", "event": { - "kind": "event", "category": [ "network" ], + "code": "16000066", + "kind": "event", + "reason": "DHCPREQUEST for 10.0.2.52 from 00:01:21:30:0f:a0 (Lab001) via vlan2", "type": [ "info" - ], - "code": "16000066", - "reason": "DHCPREQUEST for 10.0.2.52 from 00:01:21:30:0f:a0 (Lab001) via vlan2" + ] }, "observer": { - "type": "firewall", "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000" + "version": "12.8.2.B666661" + }, + "related": { + "hosts": [ + "Lab001" + ], + "ip": [ + "10.0.2.52" + ] }, "source": { - "mac": "00:01:21:30:0f:a0", + "address": "Lab001", "domain": "Lab001", "ip": "10.0.2.52", - "address": "Lab001" + "mac": "00:01:21:30:0f:a0" }, "watchguard": { "firebox": { @@ -496,14 +504,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operation": "request" } } - }, - "related": { - "hosts": [ - "Lab001" - ], - "ip": [ - "10.0.2.52" - ] } } 
@@ -517,95 +517,95 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|1AFF0024|serial=000000000000\tpolicy=HTTPS-LAN-00\tdisp=Allow\tin_if=LAN\tout_if=WAN2\tgeo_dst=USA\tsrc=10.10.1.22\tsrcPort=52804\tdst=5.6.7.8\tdstPort=443\tproto=tcp\tproxy_act=HTTP-Client-LAN\top=GET\tdstname=www.forbidden.com\targ=/favicon.ico\tsent_bytes=604\trcvd_bytes=0\telapsed_time=0.001407 sec(s)\tapp_id=173\tapp_cat_id=5\tapp_name=Forbidden.com\tapp_cat_name=Media streaming services\tsig_vers=18.230\treputation=-1\tmsg=HTTP request", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "1AFF0024", - "action": "Allow", - "reason": "HTTP request" + "kind": "event", + "reason": "HTTP request", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "www.forbidden.com", + "bytes": 0, + "domain": "www.forbidden.com", + "geo": { + "country_iso_code": "USA" + }, + "ip": "5.6.7.8", + "port": 443, + "registered_domain": "forbidden.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "http": { + "request": { + "method": "GET" + } + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "LAN" + "name": "WAN2" } }, - "egress": { + "ingress": { "interface": { - "name": "WAN2" + "name": "LAN" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "hosts": [ + "www.forbidden.com" + ], + "ip": [ + "10.10.1.22", + "5.6.7.8" + ] }, "rule": { "category": "HTTP-Client-LAN", "ruleset": "HTTPS-LAN-00" }, "source": { - "port": 52804, + "address": "10.10.1.22", "bytes": 604, "ip": "10.10.1.22", - "address": "10.10.1.22" - }, - 
"destination": { - "domain": "www.forbidden.com", - "port": 443, - "geo": { - "country_iso_code": "USA" - }, - "bytes": 0, - "ip": "5.6.7.8", - "address": "www.forbidden.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "forbidden.com" - }, - "network": { - "transport": "tcp" - }, - "http": { - "request": { - "method": "GET" - } + "port": 52804 }, "url": { - "path": "/favicon.ico", "domain": "www.forbidden.com", - "top_level_domain": "com", + "path": "/favicon.ico", + "registered_domain": "forbidden.com", "subdomain": "www", - "registered_domain": "forbidden.com" + "top_level_domain": "com" }, "watchguard": { "firebox": { "application": { - "id": 173, - "name": "Forbidden.com", "category": { "id": 5, "name": "Media streaming services" }, - "reputation": -1, - "duration": 0.001407 + "duration": 0.001407, + "id": 173, + "name": "Forbidden.com", + "reputation": -1 } } - }, - "related": { - "hosts": [ - "www.forbidden.com" - ], - "ip": [ - "10.10.1.22", - "5.6.7.8" - ] } } 
@@ -619,54 +619,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "1.0|WatchGuard|XTM|12.8.2.B666661|2CFF0009|serial=000000000000\tpolicy=HTTPS-LAN-00\tdisp=Allow\tin_if=LAN\tout_if=WAN2\tgeo_dst=USA\tsrc=10.10.1.22\tsrcPort=52803\tdst=5.6.7.8\tdstPort=443\tproto=tcp\tproxy_act=HTTPS-Client-LAN\ttls_profile=TLS-Client-HTTPS\tinspect_action=HTTP-Client-LAN\tserver_ssl=TLS_AES_128_GCM_SHA256\tclient_ssl=TLS_AES_128_GCM_SHA256\ttls_version=TLS_V13\tmsg=ProxyInspect: HTTPS content inspection", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "2CFF0009", - "action": "Allow", - "reason": "ProxyInspect: HTTPS content inspection" + "kind": "event", + "reason": "ProxyInspect: HTTPS content inspection", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "USA" + }, + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "LAN" + "name": "WAN2" } }, - "egress": { + "ingress": { "interface": { - "name": "WAN2" + "name": "LAN" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "10.10.1.22", + "5.6.7.8" + ] }, "rule": { "category": "HTTPS-Client-LAN", "ruleset": "HTTPS-LAN-00" }, "source": { - "port": 52803, + "address": "10.10.1.22", "ip": "10.10.1.22", - "address": "10.10.1.22" - }, - "destination": { - "port": 443, - "geo": { - "country_iso_code": "USA" - }, - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "network": { - "transport": "tcp" + "port": 52803 }, "tls": { "cipher": "TLS_AES_128_GCM_SHA256", 
@@ -678,12 +684,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "profile": "TLS-Client-HTTPS" } } - }, - "related": { - "ip": [ - "10.10.1.22", - "5.6.7.8" - ] } } 
@@ -697,70 +697,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|1AFF0021|serial=000000000000\tpolicy=HTTPS-LAN-00\tdisp=Deny\tin_if=LAN\tout_if=WAN2\tgeo_dst=USA\tsrc=10.10.1.22\tsrcPort=52803\tdst=5.6.7.8\tdstPort=443\tproto=tcp\tproxy_act=HTTP-Client-LAN\tcats=Sex\top=GET\tdstname=www.forbidden.com\targ=/\taction=www.forbidden.com\tmsg=ProxyDeny: HTTP Request categories", "event": { - "kind": "event", + "action": "Deny", "category": [ "network" ], + "code": "1AFF0021", + "kind": "event", + "reason": "ProxyDeny: HTTP Request categories", "type": [ "connection", "denied" - ], - "code": "1AFF0021", - "action": "Deny", - "reason": "ProxyDeny: HTTP Request categories" - }, - "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { - "interface": { - "name": "LAN" - } - }, - "egress": { - "interface": { - "name": "WAN2" - } - } - }, - "rule": { - "category": "HTTP-Client-LAN", - "ruleset": "HTTPS-LAN-00" - }, - "source": { - "port": 52803, - "ip": "10.10.1.22", - "address": "10.10.1.22" + ] }, "destination": { + "address": "www.forbidden.com", "domain": "www.forbidden.com", - "port": 443, "geo": { "country_iso_code": "USA" }, "ip": "5.6.7.8", - "address": "www.forbidden.com", - "top_level_domain": "com", + "port": 443, + "registered_domain": "forbidden.com", "subdomain": "www", - "registered_domain": "forbidden.com" - }, - "network": { - "transport": "tcp" + "top_level_domain": "com" }, "http": { "request": { "method": "GET" } }, - "url": { - "path": "/", - "domain": "www.forbidden.com", - "top_level_domain": "com", - "subdomain": "www", - "registered_domain": "forbidden.com" + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN2" + } + }, + "ingress": { + "interface": { + "name": "LAN" + } + }, + "product": "XTM", + 
"serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" }, "related": { "hosts": [
@@ -770,6 +754,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.10.1.22", "5.6.7.8" ] + }, + "rule": { + "category": "HTTP-Client-LAN", + "ruleset": "HTTPS-LAN-00" + }, + "source": { + "address": "10.10.1.22", + "ip": "10.10.1.22", + "port": 52803 + }, + "url": { + "domain": "www.forbidden.com", + "path": "/", + "registered_domain": "forbidden.com", + "subdomain": "www", + "top_level_domain": "com" } }
@@ -783,87 +783,87 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000149|serial=000000000000\tpolicy=HTTPS-Wifi-Home-00\tdisp=Allow\tin_if=Wifi_Home\tout_if=WAN2\tgeo_dst=GBR\tsrc=10.10.10.7\tsrcPort=61561\tsrcPostNAT=192.168.0.20\tdst=104.98.231.118\tdstPort=443\tip_len=364\tip_TTL=64\tproto=tcp\ttcp_offset=5\ttcp_flag=A\ttcp_seq=2533718466\ttcp_window=258\tapp=Sony PlayStation\tapp_cat=Online games\tapp_behavior=Access\tmsg=Application identified", "event": { - "kind": "event", + "action": "Allow", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "code": "30000149", - "action": "Allow", - "reason": "Application identified" + "kind": "event", + "reason": "Application identified", + "type": [ + "allowed", + "connection" + ] + }, + "destination": { + "address": "104.98.231.118", + "geo": { + "country_iso_code": "GBR" + }, + "ip": "104.98.231.118", + "port": 443 + }, + "network": { + "application": "Sony PlayStation", + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "Wifi_Home" + "name": "WAN2" } }, - "egress": { + "ingress": { "interface": { - "name": "WAN2" + "name": "Wifi_Home" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "10.10.10.7", + "104.98.231.118", + "192.168.0.20" + ] }, "rule": { "ruleset": "HTTPS-Wifi-Home-00" }, "source": { - "port": 61561, + "address": "10.10.10.7", "ip": "10.10.10.7", "nat": { "ip": "192.168.0.20" }, - "address": "10.10.10.7" - }, - "destination": { - "port": 443, - "geo": { - "country_iso_code": "GBR" - }, - "ip": "104.98.231.118", - "address": "104.98.231.118" - }, - "network": { - "transport": "tcp", - "application": "Sony 
PlayStation" + "port": 61561 }, "watchguard": { "firebox": { + "application": { + "behavior": "Access", + "category": { + "name": "Online games" + }, + "name": "Sony PlayStation" + }, "network": { "ip": { "len": 364, "ttl": 64 }, "tcp": { - "offset": 5, "flag": "A", + "offset": 5, "sequence": "2533718466", "window": "258" } - }, - "application": { - "name": "Sony PlayStation", - "category": { - "name": "Online games" - }, - "behavior": "Access" } } - }, - "related": { - "ip": [ - "10.10.10.7", - "104.98.231.118", - "192.168.0.20" - ] } } 
@@ -877,53 +877,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000173|serial=000000000000\tpolicy=WatchGuard SSLVPN-00\tdisp=Deny\tin_if=WAN1\tout_if=Firebox\tgeo_src=UKR\tgeo=geo_src\tsrc=1.2.3.4\tsrcPort=65006\tdst=192.168.1.2\tdstPort=443\tip_len=52\tip_TTL=115\tproto=tcp\ttcp_offset=8\ttcp_flag=S\ttcp_seq=1826748674\ttcp_window=51200\tmsg=blocked sites (geolocation source)", "event": { - "kind": "event", + "action": "Deny", "category": [ "network" ], + "code": "30000173", + "kind": "event", + "reason": "blocked sites (geolocation source)", "type": [ "connection", "denied" - ], - "code": "30000173", - "action": "Deny", - "reason": "blocked sites (geolocation source)" + ] + }, + "destination": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 443 + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "WAN1" + "name": "Firebox" } }, - "egress": { + "ingress": { "interface": { - "name": "Firebox" + "name": "WAN1" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "1.2.3.4", + "192.168.1.2" + ] }, "rule": { "ruleset": "WatchGuard SSLVPN-00" }, "source": { - "port": 65006, + "address": "1.2.3.4", "geo": { "country_iso_code": "UKR" }, "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "port": 443, - "ip": "192.168.1.2", - "address": "192.168.1.2" - }, - "network": { - "transport": "tcp" + "port": 65006 }, "watchguard": { "firebox": { 
@@ -933,19 +939,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ttl": 115 }, "tcp": { - "offset": 8, "flag": "S", + "offset": 8, "sequence": "1826748674", "window": "51200" } } } - }, - "related": { - "ip": [ - "1.2.3.4", - "192.168.1.2" - ] } } @@ -959,52 +959,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|30000148|serial=000000000000\tpolicy=Unhandled External Packet-00\tdisp=Deny\tin_if=WAN1\tout_if=Firebox\tgeo_src=CHN\tsrc=1.2.3.4\tsrcPort=35186\tdst=192.168.1.2\tdstPort=6379\tip_len=60\tip_TTL=49\tproto=tcp\ttcp_offset=10\ttcp_flag=S\ttcp_seq=2630166840\ttcp_window=4210", "event": { - "kind": "event", + "action": "Deny", "category": [ "network" ], + "code": "30000148", + "kind": "event", "type": [ "connection", "denied" - ], - "code": "30000148", - "action": "Deny" + ] + }, + "destination": { + "address": "192.168.1.2", + "ip": "192.168.1.2", + "port": 6379 + }, + "network": { + "transport": "tcp" }, "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { + "egress": { "interface": { - "name": "WAN1" + "name": "Firebox" } }, - "egress": { + "ingress": { "interface": { - "name": "Firebox" + "name": "WAN1" } - } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, + "related": { + "ip": [ + "1.2.3.4", + "192.168.1.2" + ] }, "rule": { "ruleset": "Unhandled External Packet-00" }, "source": { - "port": 35186, + "address": "1.2.3.4", "geo": { "country_iso_code": "CHN" }, "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "destination": { - "port": 6379, - "ip": "192.168.1.2", - "address": "192.168.1.2" - }, - "network": { - "transport": "tcp" + "port": 35186 }, "watchguard": { "firebox": { 
@@ -1014,19 +1020,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ttl": 49 }, "tcp": { - "offset": 10, "flag": "S", + "offset": 10, "sequence": "2630166840", "window": "4210" } } } - }, - "related": { - "ip": [ - "1.2.3.4", - "192.168.1.2" - ] } } 
@@ -1040,65 +1040,65 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "LEEF:1.0|WatchGuard|XTM|12.8.2.B666661|1AFF0018|serial=000000000000\tpolicy=HTTP-Wifi-WGCloud-00\tdisp=Allow\tin_if=Mgmt\tout_if=WAN2\tgeo_dst=USA\tsrc=10.0.2.54\tsrcPort=49946\tdst=5.6.7.8\tdstPort=80\tproto=tcp\tproxy_act=HTTP-Wifi-WGCloud\trule_name=All text types\tcontent_type=text/html\tmsg=ProxyAvScan: HTTP Content Type match", "event": { - "kind": "event", + "action": "Allow", "category": [ "malware" ], + "code": "1AFF0018", + "kind": "event", + "reason": "ProxyAvScan: HTTP Content Type match", "type": [ "info" - ], - "code": "1AFF0018", - "action": "Allow", - "reason": "ProxyAvScan: HTTP Content Type match" - }, - "observer": { - "type": "firewall", - "product": "XTM", - "vendor": "WatchGuard", - "version": "12.8.2.B666661", - "serial_number": "000000000000", - "ingress": { - "interface": { - "name": "Mgmt" - } - }, - "egress": { - "interface": { - "name": "WAN2" - } - } - }, - "rule": { - "category": "HTTP-Wifi-WGCloud", - "ruleset": "HTTP-Wifi-WGCloud-00", - "name": "All text types" - }, - "source": { - "port": 49946, - "ip": "10.0.2.54", - "address": "10.0.2.54" + ] }, "destination": { - "port": 80, + "address": "5.6.7.8", "geo": { "country_iso_code": "USA" }, "ip": "5.6.7.8", - "address": "5.6.7.8" - }, - "network": { - "transport": "tcp" + "port": 80 }, "http": { "response": { "mime_type": "text/html" } }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN2" + } + }, + "ingress": { + "interface": { + "name": "Mgmt" + } + }, + "product": "XTM", + "serial_number": "000000000000", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.8.2.B666661" + }, "related": { "ip": [ "10.0.2.54", "5.6.7.8" ] + }, + "rule": { + "category": "HTTP-Wifi-WGCloud", + "name": "All text types", + "ruleset": "HTTP-Wifi-WGCloud-00" + }, + "source": { + "address": "10.0.2.54", + "ip": "10.0.2.54", + 
"port": 49946 } }
diff --git a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md
index 91bf60b2d1..48cb1132a0 100644
--- a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md
+++ b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md
@@ -36,77 +36,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia ccode=IL tag=www.elvis.com cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 siteTag=my-site-tag start=123456789 request=site123.abcd.info/main.css ref=www.incapsula.com/lama requestmethod=GET cn1=200 app=HTTP deviceExternalID=33411452762204224 in=54 xff=44.44.44.44 cpt=443 src=12.12.12.12 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=223456789 additionalReqHeaders=[{\"Accept\":\"*/*\"},{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"10.10.10.10\"}] additionalResHeaders=[{\"Content-Type\":\"text/html; charset\\=UTF-8\"}]", "event": { - "start": "2009-02-13T23:31:30Z", - "end": "2040-10-23T01:18:10Z", - "duration": 100000000.0, - "kind": "event", "category": [ "network" ], - "type": [ - "connection", - "access" - ], "dataset": "imperva-waf", - "module": "imperva.waf" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", - "device": { - "name": "Other" - }, - "name": "Firefox", - "version": "40.0", - "os": { - "name": "Windows", - "version": "7" - } + "duration": 100000000.0, + "end": "2040-10-23T01:18:10Z", + "kind": "event", + "module": "imperva.waf", + "start": "2009-02-13T23:31:30Z", + "type": [ + "access", + "connection" + ] }, + "@timestamp": "2009-02-13T23:31:30Z", "client": { "geo": { - "country_iso_code": "IL", "city_name": "Rehovot", + "country_iso_code": "IL", "location": { "lat": 31.8969, "lon": 34.8186 } } }, - "url": { - "full": "site123.abcd.info/main.css", - "original": "site123.abcd.info/main.css", - "path": "site123.abcd.info/main.css" - }, "http": { "request": { - "referrer": "www.incapsula.com/lama", - "method": 
"GET", "bytes": 54, - "id": "33411452762204224" + "id": "33411452762204224", + "method": "GET", + "referrer": "www.incapsula.com/lama" }, "response": { "status_code": 200 } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 443, - "ip": "12.12.12.12", - "address": "12.12.12.12" - }, - "@timestamp": "2009-02-13T23:31:30Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, - "tls": { - "version": "1.2", - "version_protocol": "tls", - "cipher": "ECDHE-RSA-AES128-GCM-SHA256" - }, "imperva": { "pop": "mia", "request": { @@ -131,10 +96,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "12.12.12.12" ] + }, + "source": { + "address": "12.12.12.12", + "ip": "12.12.12.12", + "port": 443 + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "full": "site123.abcd.info/main.css", + "original": "site123.abcd.info/main.css", + "path": "site123.abcd.info/main.css" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "40.0" } } 
@@ -149,88 +149,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Blocked country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_BAD_PARSE_ERROR deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_BAD_PARSE_ERROR", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "reason": "The HTTP request was malformated", + "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", "error" - ], - "dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "The HTTP request was malformated" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": "Strasbourg", + "country_iso_code": "FR", 
"location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -245,88 +245,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Blocked country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_DOMAIN_BLACKLISTED deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_DOMAIN_BLACKLISTED", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "reason": "The destination was blacklisted", + "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", "denied" - ], - "dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "The destination was blacklisted" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": "Strasbourg", + "country_iso_code": "FR", 
"location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -341,88 +341,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Blocked country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_BLOCKED_VISITOR deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "block", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "reason": "The connection was blocked", + "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", "denied" - ], - "dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "The connection was blocked" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": "Strasbourg", + "country_iso_code": "FR", "location": { "lat": 48.34, 
"lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -437,87 +437,87 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Accepted country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_CACHED_WEBSITE deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_CACHED_WEBSITE", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "dataset": "imperva-waf", - "module": "imperva.waf" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "start": "2022-04-12T14:09:58.763000Z", + "type": [ + "allowed", + "connection" + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": "Strasbourg", + "country_iso_code": "FR", "location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": 
"www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -532,82 +532,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support ccode=IL tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsig dproc=Browser cs6=Firefox cs6Label=clapp ccode=IL cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 siteTag=my-site-tag start=123456789 request=site123.abcd.info/ requestMethod=GET qstr=p\\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGED_CAPTCHA deviceExternalId=33411452762204224 cpt=443 src=12.12.12.12 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=223456789 additionalReqHeaders=[{\"Accept\":\"*/*\"},{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"10.10.10.10\"}] additionalResHeaders=[{\"Content-Type\":\"text/html; charset\\=UTF-8\"}] filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name cs11=,,[{\"api_specification_violation_type\":\"INVALID_PARAM_NAME\",\"parameter_name\":\"somename\"}] cs11Label=Rule Additional Info", "event": { "action": "REQ_CHALLENGED_CAPTCHA", - "start": "2009-02-13T23:31:30Z", - "end": "2040-10-23T01:18:10Z", - "duration": 100000000.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 100000000.0, + "end": "2040-10-23T01:18:10Z", + "kind": "event", + "module": "imperva.waf", + "reason": "A challenge was submitted to the client", + "start": "2009-02-13T23:31:30Z", "type": [ "connection", "denied" - ], - 
"dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "A challenge was submitted to the client" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "40.0", - "os": { - "name": "Windows", - "version": "7" - } + ] }, + "@timestamp": "2009-02-13T23:31:30Z", "client": { "geo": { - "country_iso_code": "IL", "city_name": "Rehovot", + "country_iso_code": "IL", "location": { "lat": 31.8969, "lon": 34.8186 } } }, - "url": { - "full": "site123.abcd.info/", - "original": "site123.abcd.info/", - "query": "p\\=%2fetc%2fpasswd", - "path": "site123.abcd.info/" - }, "http": { "request": { - "method": "GET", "bytes": 54, - "id": "33411452762204224" + "id": "33411452762204224", + "method": "GET" }, "response": { "status_code": 200 } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 443, - "ip": "12.12.12.12", - "address": "12.12.12.12" - }, - "rule": { - "name": "Block Malicious User,High Risk Resources," - }, - "@timestamp": "2009-02-13T23:31:30Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, - "tls": { - "version": "1.2", - "version_protocol": "tls", - "cipher": "ECDHE-RSA-AES128-GCM-SHA256" - }, "imperva": { + "attack": { + "id": "2,1,", + "type": "30037,1001," + }, + "client": { + "captcha_support": "NOT_SUPPORTED", + "cookie_support": true, + "js_support": true + }, "pop": "mia", "request": { "headers": [ 
@@ -630,36 +600,66 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ] }, - "session": { - "id": 3412341160002518171 - }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NOT_SUPPORTED" - }, - "visitor": { - "id": "c2e72124-0e8a-4dd8-b13b-3da246af3ab2" - }, - "user_agent": { - "type": "Browser" - }, - "attack": { - "type": "30037,1001,", - "id": "2,1," - }, "rule": { "additional_info": ",,[{\"api_specification_violation_type\":\"INVALID_PARAM_NAME\",\"parameter_name\":\"somename\"}]", "names": [ "Block Malicious User", "High Risk Resources" ] + }, + "session": { + "id": 3412341160002518171 + }, + "user_agent": { + "type": "Browser" + }, + "visitor": { + "id": "c2e72124-0e8a-4dd8-b13b-3da246af3ab2" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "12.12.12.12" ] + }, + "rule": { + "name": "Block Malicious User,High Risk Resources," + }, + "source": { + "address": "12.12.12.12", + "ip": "12.12.12.12", + "port": 443 + }, + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "full": "site123.abcd.info/", + "original": "site123.abcd.info/", + "path": "site123.abcd.info/", + "query": "p\\=%2fetc%2fpasswd" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "40.0" } } 
@@ -674,88 +674,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Accepted country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_IPV6_NOT_SUPPORTED deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_IPV6_NOT_SUPPORTED", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "reason": "The destination doesn't support IPv6 addresses", + "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", "error" - ], - "dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "The destination doesn't support IPv6 addresses" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": 
"Strasbourg", + "country_iso_code": "FR", "location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -770,87 +770,87 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Accepted country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_PASSED deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_PASSED", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], - "type": [ - "connection", - "allowed" - ], "dataset": "imperva-waf", - "module": "imperva.waf" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "start": "2022-04-12T14:09:58.763000Z", + "type": [ + "allowed", + "connection" + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", "city_name": "Strasbourg", + "country_iso_code": "FR", "location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": 
"www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } 
@@ -865,88 +865,88 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Incapsula|SIEMintegration|1|1|Blocked country|-1| fileId=393000630126853202 sourceServiceName=www.test.com siteid=38097258 suid=1928034 requestClientApplication=Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0 deviceFacility=cdg cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=a99e6166-5092-4cce-8fb6-afae61ef7493 cs4Label=VID cs5=438c978a6198632a5439b8bce551a3bc5e29598526d64adcd1c8a12e289a7edd09b13fde8d8fb77e7dfff3e3d29526a3b01fcc9ec47ce2cedf1ab6630a8eab5ffc328c910a566d653fc81ae43248023b662d6a84849da3688453b98caa60947a cs5Label=clappsig dproc=Browser cs6=Webkit Browser cs6Label=clapp ccode=FR cicode=Strasbourg cs7=48.34 cs7Label=latitude cs8=7.4508 cs8Label=longitude Customer=mycustomer@example.org start=1649772598763 request=www.test.com/ requestMethod=GET app=HTTP act=REQ_UNRESOLVED_SITE_INVALID_CNAME deviceExternalId=195557299895996363 cpt=45208 src=1.2.3.4 end=1649772598765", "event": { "action": "REQ_UNRESOLVED_SITE_INVALID_CNAME", - "start": "2022-04-12T14:09:58.763000Z", - "end": "2022-04-12T14:09:58.765000Z", - "duration": 2.0, - "kind": "event", "category": [ "network" ], + "dataset": "imperva-waf", + "duration": 2.0, + "end": "2022-04-12T14:09:58.765000Z", + "kind": "event", + "module": "imperva.waf", + "reason": "The proxy failed to resolve the destination", + "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", "error" - ], - "dataset": "imperva-waf", - "module": "imperva.waf", - "reason": "The proxy failed to resolve the destination" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", - "name": "Firefox", - "device": { - "name": "Other" - }, - "version": "99.0", - "os": { - "name": "Linux" - } + ] }, + "@timestamp": "2022-04-12T14:09:58.763000Z", "client": { "geo": { - "country_iso_code": "FR", 
"city_name": "Strasbourg", + "country_iso_code": "FR", "location": { "lat": 48.34, "lon": 7.4508 } } }, - "url": { - "full": "www.test.com/", - "original": "www.test.com/", - "path": "www.test.com/" - }, "http": { "request": { - "method": "GET", - "id": "195557299895996363" + "id": "195557299895996363", + "method": "GET" } }, - "network": { - "protocol": "http" - }, - "source": { - "port": 45208, - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "@timestamp": "2022-04-12T14:09:58.763000Z", - "observer": { - "vendor": "Imperva", - "type": "firewall", - "product": "Web Application Firewall" - }, "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": true, + "js_support": true + }, "pop": "cdg", "session": { "id": 393000630126853202 }, - "client": { - "js_support": true, - "cookie_support": true, - "captcha_support": "NA" + "user_agent": { + "type": "Browser" }, "visitor": { "id": "a99e6166-5092-4cce-8fb6-afae61ef7493" - }, - "user_agent": { - "type": "Browser" } }, + "network": { + "protocol": "http" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, "related": { "ip": [ "1.2.3.4" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45208 + }, + "url": { + "full": "www.test.com/", + "original": "www.test.com/", + "path": "www.test.com/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0", + "os": { + "name": "Linux" + }, + "version": "99.0" } } diff --git a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md index 6749fc681a..d4c27bfcf3 100644 --- a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md 
+++ b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md 
@@ -37,50 +37,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:1|Panda Security|paps|02.45.00.0000|registryc|registryc|1|Client=1212122 Date=2018-09-27 02:26:52.200188 MachineName=DESKTOP-PC MachineIP=192.168.0.11 User=NT AUTHORITY\\SYSTEM MUID=713FC2B45B429J291EB53467357AC1B7 Op=CreateExeKey Hash=C86854DF4F3AEC59D523DBAD1F5031FD DriveType=Fixed Path=SYSTEMX86|\\CompatTelRunner.exe ValidSig=true Company=Microsoft Corporation Broken=true ImageType=EXE 32 ExeType=Unknown Prevalence=Medium PrevLastDay=Low Cat=Goodware MWName= TargetPath=3|PROGRAM_FILESX86|\\Windows Defender\\MsMpeng.exe RegKey=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\WicaAvPathsExpiredTemp?0", "event": { - "kind": "event", "category": [ "host" ], + "kind": "event", "type": [ "info" ] }, - "siemfeeder": { - "RegKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\WicaAvPathsExpiredTemp?0", - "TargetPath": "3|PROGRAM_FILESX86|\\Windows Defender\\MsMpeng.exe", - "Cat": "Goodware", - "PrevLastDay": "Low", - "Prevalence": "Medium", - "ExeType": "Unknown", - "ImageType": "EXE 32", - "Broken": "true", - "Company": "Microsoft Corporation", - "ValidSig": "true", - "Path": "SYSTEMX86|\\CompatTelRunner.exe", - "DriveType": "Fixed", - "Hash": "C86854DF4F3AEC59D523DBAD1F5031FD", - "Op": "CreateExeKey", - "MUID": "713FC2B45B429J291EB53467357AC1B7", - "User": "NT AUTHORITY\\SYSTEM", - "MachineIP": "192.168.0.11", - "MachineName": "DESKTOP-PC", - "Date": "2018-09-27 02:26:52.200188", - "Client": "1212122" - }, "host": { - "name": "DESKTOP-PC", - "id": "713FC2B45B429J291EB53467357AC1B7" - }, - "user": { - "name": "NT AUTHORITY\\SYSTEM" + "id": "713FC2B45B429J291EB53467357AC1B7", + "name": "DESKTOP-PC" }, "registry": { "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\WicaAvPathsExpiredTemp?0" }, - "source": { - "ip": "192.168.0.11", - 
"address": "192.168.0.11" - }, "related": { "ip": [ "192.168.0.11" @@ -88,6 +59,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "NT AUTHORITY\\SYSTEM" ] + }, + "siemfeeder": { + "Broken": "true", + "Cat": "Goodware", + "Client": "1212122", + "Company": "Microsoft Corporation", + "Date": "2018-09-27 02:26:52.200188", + "DriveType": "Fixed", + "ExeType": "Unknown", + "Hash": "C86854DF4F3AEC59D523DBAD1F5031FD", + "ImageType": "EXE 32", + "MUID": "713FC2B45B429J291EB53467357AC1B7", + "MachineIP": "192.168.0.11", + "MachineName": "DESKTOP-PC", + "Op": "CreateExeKey", + "Path": "SYSTEMX86|\\CompatTelRunner.exe", + "PrevLastDay": "Low", + "Prevalence": "Medium", + "RegKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\WicaAvPathsExpiredTemp?0", + "TargetPath": "3|PROGRAM_FILESX86|\\Windows Defender\\MsMpeng.exe", + "User": "NT AUTHORITY\\SYSTEM", + "ValidSig": "true" + }, + "source": { + "address": "192.168.0.11", + "ip": "192.168.0.11" + }, + "user": { + "name": "NT AUTHORITY\\SYSTEM" } } diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index c9077d651b..1656c6608e 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
@@ -37,39 +37,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-audit\",\"event\": {\"time\": \"Mon Aug 28 08:04:30 2023\",\"recordid\": \"0\",\"action\": \"UPDATE\",\"category\": \"Unknown\",\"subcategory\": \"Unknown\",\"resource\": \"com.zscaler.zapi.domain.nss.ZmanageNssFeed\",\"interface\": \"UI\",\"adminid\": \"None\",\"clientip\": \"1.2.3.4\",\"result\": \"SUCCESS\",\"errorcode\": \"None\",\"auditlogtype\": \"ZIA\",\"preaction\": \"Unknown\",\"postaction\": \"Unknown\"}}", "event": { - "kind": "event", "action": "update", - "dataset": "audit", "category": [ "configuration" ], + "dataset": "audit", + "kind": "event", "type": [ "change" ] }, "@timestamp": "2023-08-28T08:04:30Z", + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "zscaler": { "zia": { - "source_type": "zscalernss-audit", - "event": { - "outcome": "SUCCESS" - }, - "category": "Unknown", - "sub_category": "Unknown", "audit": { "log_type": "ZIA" }, - "resource": "com.zscaler.zapi.domain.nss.ZmanageNssFeed" + "category": "Unknown", + "event": { + "outcome": "SUCCESS" + }, + "resource": "com.zscaler.zapi.domain.nss.ZmanageNssFeed", + "source_type": "zscalernss-audit", + "sub_category": "Unknown" } - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } 
@@ -83,39 +83,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-audit\",\"event\": {\"time\": \"Mon Aug 28 08:04:30 2023\",\"recordid\": \"0\",\"action\": \"SIGN_IN\",\"category\": \"Unknown\",\"subcategory\": \"Unknown\",\"resource\": \"com.zscaler.zapi.domain.AuthCredentials\",\"interface\": \"UI\",\"adminid\": \"None\",\"clientip\": \"1.2.3.4\",\"result\": \"SUCCESS\",\"errorcode\": \"None\",\"auditlogtype\": \"ZIA\",\"preaction\": \"Unknown\",\"postaction\": \"Unknown\"}}", "event": { - "kind": "event", "action": "sign_in", - "dataset": "audit", "category": [ "authentication" ], + "dataset": "audit", + "kind": "event", "type": [ "start" ] }, "@timestamp": "2023-08-28T08:04:30Z", + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "zscaler": { "zia": { - "source_type": "zscalernss-audit", - "event": { - "outcome": "SUCCESS" - }, - "category": "Unknown", - "sub_category": "Unknown", "audit": { "log_type": "ZIA" }, - "resource": "com.zscaler.zapi.domain.AuthCredentials" + "category": "Unknown", + "event": { + "outcome": "SUCCESS" + }, + "resource": "com.zscaler.zapi.domain.AuthCredentials", + "source_type": "zscalernss-audit", + "sub_category": "Unknown" } - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } 
@@ -129,28 +129,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-casb\",\"event\": {\"login\": \"john.doe@example.org\",\"tenant\": \"example\",\"object_type\": \"0\",\"applicationname\": \"ONEDRIVE\",\"object_name_1\": \"sanity2022-09-04 00-06.pdf\",\"object_name_2\": \"Maverick\"}}", "event": { - "kind": "event", - "dataset": "casb", "category": [ "process" ], + "dataset": "casb", + "kind": "event", "type": [ "info" ] }, - "zscaler": { - "zia": { - "source_type": "zscalernss-casb" - } + "file": { + "name": "sanity2022-09-04 00-06.pdf" }, "network": { "application": "ONEDRIVE" }, - "file": { - "name": "sanity2022-09-04 00-06.pdf" - }, "user": { "email": "john.doe@example.org" + }, + "zscaler": { + "zia": { + "source_type": "zscalernss-casb" + } } } 
@@ -164,45 +164,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-dns\",\"event\": {\"datetime\": \"Mon Aug 28 08:05:55 2023\",\"user\": \"john.doe@example.orf\",\"department\": \"Financial%20Dept\",\"location\": \"Road%20Warrior\",\"reqaction\": \"Allow\",\"resaction\": \"Allow\",\"reqrulelabel\": \"DNS_1\",\"resrulelabel\": \"Zscaler Bypass Traffic\",\"dns_reqtype\": \"AAAA\",\"dns_req\": \"test.example.org\",\"dns_resp\": \"NotFound\",\"srv_dport\": \"53\",\"durationms\": \"0\",\"clt_sip\": \"1.2.3.4\",\"srv_dip\": \"5.6.7.8\",\"category\": \"Corporate Marketing\",\"respipcategory\": \"Other\",\"deviceowner\": \"johndoe\",\"devicehostname\": \"hostname\"}}", "event": { - "kind": "event", - "dataset": "dns", "category": [ "network" ], + "dataset": "dns", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-08-28T08:05:55Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-dns", - "category": "Corporate Marketing", - "department": "Financial%20Dept", - "device": { - "owner": "johndoe" - } - } - }, - "user": { - "email": "john.doe@example.orf" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, "destination": { - "port": 53, + "address": "5.6.7.8", "ip": "5.6.7.8", - "address": "5.6.7.8" + "port": 53 }, "dns": { "question": { "name": "test.example.org", - "type": "AAAA", - "top_level_domain": "org", + "registered_domain": "example.org", "subdomain": "test", - "registered_domain": "example.org" + "top_level_domain": "org", + "type": "AAAA" }, "response_code": "NotFound" }, 
@@ -210,13 +193,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "hostname" }, "related": { + "hosts": [ + "test.example.org" + ], "ip": [ "1.2.3.4", "5.6.7.8" - ], - "hosts": [ - "test.example.org" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example.orf" + }, + "zscaler": { + "zia": { + "category": "Corporate Marketing", + "department": "Financial%20Dept", + "device": { + "owner": "johndoe" + }, + "source_type": "zscalernss-dns" + } } } 
@@ -230,62 +230,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-fw\",\"event\": {\"datetime\": \"Mon Aug 28 15:43:59 2023\",\"user\": \"john.doe@example.org\",\"department\": \"Financial%20Dept\",\"locationname\": \"Road%20Warrior\",\"cdport\": \"443\",\"csport\": \"52352\",\"sdport\": \"443\",\"ssport\": \"43007\",\"csip\": \"1.2.3.4\",\"cdip\": \"1.2.3.4\",\"ssip\": \"5.6.7.8\",\"sdip\": \"5.6.7.8\",\"tsip\": \"0.0.0.0\",\"tunsport\": \"0\",\"tuntype\": \"ZscalerClientConnector\",\"action\": \"Allow\",\"dnat\": \"No\",\"stateful\": \"Yes\",\"aggregate\": \"Yes\",\"nwsvc\": \"HTTPS\",\"nwapp\": \"mozilla\",\"proto\": \"TCP\",\"ipcat\": \"Internet Services\",\"destcountry\": \"United States\",\"avgduration\": \"170000\",\"rulelabel\": \"Recommended%20Firewall%20Rule\",\"inbytes\": \"3367\",\"outbytes\": \"5894\",\"duration\": \"340\",\"durationms\": \"340000\",\"numsessions\": \"2\",\"ipsrulelabel\": \"None\",\"threatcat\": \"Threat category 2\",\"threatname\": \"Threat name 1\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \"}}", "event": { - "kind": "event", - "duration": 340, "action": "allow", - "dataset": "firewall", "category": [ "network" ], + "dataset": "firewall", + "duration": 340, + "kind": "event", "type": [ "connection" ] }, "@timestamp": "2023-08-28T15:43:59Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-fw", - "department": "Financial%20Dept", - "threat": { - "name": "Threat name 1", - "category": "Threat category 2" - }, - "device": { - "owner": "johndoe" - }, - "tuntype": "ZscalerClientConnector", - "avgduration": "170000" - } - }, - "user": { - "email": "john.doe@example.org" - }, - "network": { - "protocol": "TCP" - }, - "source": { - "ip": "1.2.3.4", - "port": 52352, - "bytes": 3367, - "address": "1.2.3.4" - }, "destination": { - "port": 443, - "ip": "5.6.7.8", + "address": "5.6.7.8", "bytes": 5894, "geo": { "country_name": "United States" }, - 
"address": "5.6.7.8" + "ip": "5.6.7.8", + "port": 443 }, "host": { "name": " " }, + "network": { + "protocol": "TCP" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "bytes": 3367, + "ip": "1.2.3.4", + "port": 52352 + }, + "user": { + "email": "john.doe@example.org" + }, + "zscaler": { + "zia": { + "avgduration": "170000", + "department": "Financial%20Dept", + "device": { + "owner": "johndoe" + }, + "source_type": "zscalernss-fw", + "threat": { + "category": "Threat category 2", + "name": "Threat name 1" + }, + "tuntype": "ZscalerClientConnector" + } } } 
@@ -299,93 +299,93 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": \"john.doe@example.org\",\"url\": \"a.et.nytimes.com\",\"vendor\": \"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"None\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"None\",\"fileclass\": \"None\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"None\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", "event": { - "kind": "event", "action": "allowed", - "dataset": "web", "category": [ "network" ], + "dataset": "web", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2023-08-28T15:43:14Z", - "zscaler": { - "zia": { - "event_id": "1111111111111111111", - "source_type": "zscalernss-web", - "vendor": "Zscaler", - "product": "NSS", - "appname": "General Browsing", - "department": "Financial%20Dept", - "threat": { - "name": "Threat Name 1", - "class": "threat class # 1", - "category": "Threat category 1" - }, - "device": { - "owner": "johndoe" - }, - "keyprotectiontype": "N/A" - } + "destination": { + "address": 
"5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "type": "filetype 1" + }, + "host": { + "name": "a.et.nytimes.com" }, "http": { "request": { - "method": "NA", - "bytes": 608 + "bytes": 608, + "method": "NA" }, "response": { "bytes": 0, "mime_type": "Other" } }, + "network": { + "protocol": "SSL" + }, + "related": { + "hosts": [ + "a.et.nytimes.com" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, "server": { "ip": "5.6.7.8" }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "a.et.nytimes.com", + "registered_domain": "nytimes.com", + "subdomain": "a.et", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.org" }, "user_agent": { - "original": "Unknown", "device": { "name": "Other" }, "name": "Other", + "original": "Unknown", "os": { "name": "Other" } }, - "file": { - "type": "filetype 1" - }, - "url": { - "domain": "a.et.nytimes.com", - "top_level_domain": "com", - "subdomain": "a.et", - "registered_domain": "nytimes.com" - }, - "user": { - "email": "john.doe@example.org" - }, - "network": { - "protocol": "SSL" - }, - "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" - }, - "host": { - "name": "a.et.nytimes.com" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "hosts": [ - "a.et.nytimes.com" - ] + "zscaler": { + "zia": { + "appname": "General Browsing", + "department": "Financial%20Dept", + "device": { + "owner": "johndoe" + }, + "event_id": "1111111111111111111", + "keyprotectiontype": "N/A", + "product": "NSS", + "source_type": "zscalernss-web", + "threat": { + "category": "Threat category 1", + "class": "threat class # 1", + "name": "Threat Name 1" + }, + "vendor": "Zscaler" + } } } 
@@ -399,23 +399,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"sourcetype\": \"zscalernss-casb\",\n \"event\": {\n \"datetime\": \"Wed Aug 17 15:35:15 2022\",\n \"recordid\": \"7132869149011804161\",\n \"company\": \"Example\",\n \"tenant\": \"example-tenant\",\n \"login\": \"john.doe@example.onmicrosoft.com\",\n \"dept\": \"Financial%20Dept\",\n \"applicationname\": \"SHAREPOINT\",\n \"filename\": \"sanity2022-08-16 14-03.pdf\",\n \"filesource\": \"/sites/tanya/Shared%20Documents/Activity\",\n \"filemd5\": \"01565bf41f1cb993d69334f409835293\",\n \"threatname\": \"malpdf\",\n \"policy\": \"Quarantine Malware\",\n \"dlpdictnames\": null,\n \"dlpdictcount\": null,\n \"dlpenginenames\": null,\n \"fullurl\": \"https://example.org/sites/\",\n \"lastmodtime\": \"Tue Aug 16 14:03:13 2022\",\n \"filescantimems\": \"537\",\n \"filedownloadtimems\": \"435\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "casb", "category": [ "process" ], + "dataset": "casb", + "kind": "event", "type": [ "info" ] }, "@timestamp": "2022-08-17T15:35:15Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-casb", - "threat": { - "name": "malpdf" - } - } + "file": { + "directory": "/sites/tanya/Shared%20Documents/Activity", + "hash": { + "md5": "01565bf41f1cb993d69334f409835293" + }, + "name": "sanity2022-08-16 14-03.pdf" }, "network": { "application": "SHAREPOINT" 
@@ -423,29 +422,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. "organization": { "name": "Example" }, - "file": { - "name": "sanity2022-08-16 14-03.pdf", - "directory": "/sites/tanya/Shared%20Documents/Activity", - "hash": { - "md5": "01565bf41f1cb993d69334f409835293" - } + "related": { + "hash": [ + "01565bf41f1cb993d69334f409835293" + ] }, "url": { - "original": "https://example.org/sites/", "domain": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org", + "original": "https://example.org/sites/", "path": "/sites/", + "port": 443, + "registered_domain": "example.org", "scheme": "https", - "port": 443 + "top_level_domain": "org" }, "user": { "email": "john.doe@example.onmicrosoft.com" }, - "related": { - "hash": [ - "01565bf41f1cb993d69334f409835293" - ] + "zscaler": { + "zia": { + "source_type": "zscalernss-casb", + "threat": { + "name": "malpdf" + } + } } } 
@@ -459,50 +459,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"GRE\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"event\": \"PHASE1_ERROR\",\n \"eventreason\": \"TIMEOUT\",\n \"recordid\": \"7112472280601133057\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "tunnel", "category": [ "network" ], + "dataset": "tunnel", + "kind": "event", "type": [ "connection" ] }, "@timestamp": "2022-06-23T16:24:59Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-tunnel", - "tunnel": { - "status": "PHASE1_ERROR" - }, - "event": { - "outcome": "failure" - } - } - }, - "network": { - "type": "GRE" - }, - "user": { - "email": "john.doe@example.org" - }, - "source": { - "ip": "1.2.3.4", - "port": 4535, - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "address": "5.6.7.8", + "ip": "5.6.7.8" }, "error": { "code": "TIMEOUT" }, + "network": { + "type": "GRE" + }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 4535 + }, + "user": { + "email": "john.doe@example.org" + }, + "zscaler": { + "zia": { + "event": { + "outcome": "failure" + }, + "source_type": "zscalernss-tunnel", + "tunnel": { + "status": "PHASE1_ERROR" + } + } } } 
@@ -516,48 +516,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"ipsec\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"sourceportstart\": \"10432\",\n \"destinationportstart\": \"23456\",\n \"srcipstart\": \"1.1.5.0\",\n \"srcipend\": \"1.2.123.254\",\n \"destinationipstart\": \"5.2.1.1\",\n \"destinationipend\": \"5.200.123.254\",\n \"lifetime\": \"3600\",\n \"ikeversion\": \"1\",\n \"lifebytes\": \"1560\",\n \"spi\": \"1111111111111111\",\n \"algo\": \"BLOWFISH_CBC\",\n \"authentication\": \"HMAC_SHA256\",\n \"authtype\": \"RSAENC\",\n \"protocol\": \"TCP\",\n \"tunnelprotocol\": \"ESP\",\n \"policydirection\": null,\n \"recordid\": \"7112472280601133057\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "tunnel", "category": [ "network" ], + "dataset": "tunnel", + "kind": "event", "type": [ "connection" ] }, "@timestamp": "2022-06-23T16:24:59Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-tunnel", - "tunnel": { - "ikeversion": "1" - }, - "event": { - "outcome": "success" - } - } + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" }, "network": { - "type": "ipsec", - "protocol": "TCP" - }, - "user": { - "email": "john.doe@example.org" - }, - "source": { - "ip": "1.2.3.4", - "port": 4535, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" + "protocol": "TCP", + "type": "ipsec" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 4535 + }, + "user": { + "email": "john.doe@example.org" + }, + "zscaler": { + "zia": { + "event": { + "outcome": "success" + }, + "source_type": "zscalernss-tunnel", + "tunnel": { + 
"ikeversion": "1" + } + } } } @@ -571,47 +571,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"ipsec\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"destinationport\": \"4564\",\n \"lifetime\": \"3600\",\n \"ikeversion\": \"1\",\n \"spi_in\": \"1111111\",\n \"spi_out\": \"22222222\",\n \"algo\": \"BLOWFISH_CBC\",\n \"authentication\": \"HMAC_SHA256\",\n \"authtype\": \"RSAENC\",\n \"recordid\": \"7112472280601133057\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "tunnel", "category": [ "network" ], + "dataset": "tunnel", + "kind": "event", "type": [ "connection" ] }, "@timestamp": "2022-06-23T16:24:59Z", - "zscaler": { - "zia": { - "source_type": "zscalernss-tunnel", - "tunnel": { - "ikeversion": "1" - }, - "event": { - "outcome": "success" - } - } + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" }, "network": { "type": "ipsec" }, - "user": { - "email": "john.doe@example.org" - }, - "source": { - "ip": "1.2.3.4", - "port": 4535, - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "address": "5.6.7.8" - }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 4535 + }, + "user": { + "email": "john.doe@example.org" + }, + "zscaler": { + "zia": { + "event": { + "outcome": "success" + }, + "source_type": "zscalernss-tunnel", + "tunnel": { + "ikeversion": "1" + } + } } } diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md index 2f62a543a1..457a1d30d5 100644 
--- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md +++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md @@ -39,25 +39,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Deleted inline policy", - "kind": "event", "category": [ "configuration" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Deleted inline policy", "type": [ "change" ] }, "@timestamp": "2022-05-02T00:29:01Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, "netskope": { "events": { "action": { @@ -72,10 +64,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -89,25 +89,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Edit admin record", - "kind": "event", "category": [ "configuration" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Edit admin record", "type": [ "change" ] }, "@timestamp": "2022-05-02T11:09:47Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, "netskope": { "events": { "action": { @@ -122,10 +114,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -139,24 +139,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Login Failed", - "kind": "event", "category": [ "authentication" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Login Failed", "type": [ "info" ] }, "@timestamp": "2022-05-02T12:20:31Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "student13", - "name": "student13" - }, "netskope": { "events": { "action": { @@ -172,10 +165,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "student13" ] + }, + "user": { + "email": "student13", + "name": "student13" } } 
@@ -189,25 +189,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Login Successful", - "kind": "event", "category": [ "authentication" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Login Successful", "type": [ "start" ] }, "@timestamp": "2022-12-22T16:38:07Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, "netskope": { "events": { "action": { @@ -223,10 +215,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -240,25 +240,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Logout Successful", - "kind": "event", "category": [ "authentication" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Logout Successful", "type": [ "end" ] }, "@timestamp": "2022-12-07T10:46:07Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, "netskope": { "events": { "action": { @@ -273,10 +265,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -290,25 +290,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "dataset": "admin_audit_logs", - "reason": "Password Change Successful", - "kind": "event", "category": [ "iam" ], + "dataset": "admin_audit_logs", + "kind": "event", + "reason": "Password Change Successful", "type": [ "change" ] }, "@timestamp": "2022-05-02T11:09:47Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, "netskope": { "events": { "action": { @@ -324,10 +316,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "user": [ "john.doe" ] + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -341,80 +341,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n 
\"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n \"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { + "category": [ + "network" + ], "dataset": "connection", - "reason": "SSL Do Not Decrypt Bypass Policy Matched", "duration": 3, + "end": "2022-12-21T16:12:19Z", "kind": "event", + "reason": "SSL Do Not Decrypt Bypass Policy Matched", "start": "2022-12-21T16:12:16Z", - "end": "2022-12-21T16:12:19Z", - "category": [ - "network" - ], "type": [ "info" ] }, "@timestamp": "2022-12-21T16:12:20Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, - "network": { - "bytes": 0 - }, - "source": { - "ip": "4.5.6.7", - "bytes": 0, - "geo": { - "timezone": "Europe/Paris", - "city_name": "Rennes", - "region_name": "Brittany", - "postal_code": "35000", - "country_iso_code": "FR", - "location": { - "lat": 48.11, - "lon": -1.6744 - } - }, - "address": "4.5.6.7" - }, "destination": { - "ip": "5.6.7.8", + "address": "5.6.7.8", "bytes": 0, "geo": { - "timezone": "Europe/Paris", "city_name": "Paris", - "region_name": "Ile-de-France", - "postal_code": "N/A", "country_iso_code": "FR", "location": { "lat": 48.85836410522461, "lon": 2.294532060623169 - } + }, + "postal_code": "N/A", + "region_name": "Ile-de-France", + "timezone": "Europe/Paris" }, - "address": "5.6.7.8" - }, - "rule": { - "name": "bypass_ssl for regulation purpose" - }, - "url": { - 
"original": "test.example.org", - "path": "test.example.org" + "ip": "5.6.7.8" }, "netskope": { "events": { + "access_method": "Client", "application": { - "name": "Swile", - "category": "HR" + "category": "HR", + "name": "Swile" }, - "access_method": "Client", "ccl": "poor" } }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, "related": { "ip": [ "4.5.6.7", @@ -423,6 +395,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "rule": { + "name": "bypass_ssl for regulation purpose" + }, + "source": { + "address": "4.5.6.7", + "bytes": 0, + "geo": { + "city_name": "Rennes", + "country_iso_code": "FR", + "location": { + "lat": 48.11, + "lon": -1.6744 + }, + "postal_code": "35000", + "region_name": "Brittany", + "timezone": "Europe/Paris" + }, + "ip": "4.5.6.7" + }, + "url": { + "original": "test.example.org", + "path": "test.example.org" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -437,27 +437,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"_id\":\"11fc1dee8256ff3645f6d25f06244e0ebf0d904515849b0c49f7901e2a2ad495\",\"access_method\":\"Client\",\"acting_user\":\"john.doe@example.org\",\"activity\":\"Upload\",\"app\":\"NextCloud\",\"app_session_id\":1111111111111111111,\"assignee\":\"None\",\"connection_id\":0,\"destination_app\":\"aws\",\"destination_instance_id\":\"securityforensic\",\"dlp_incident_id\":2222222222222222222,\"dlp_match_info\":[{\"dlp_action\":\"useralert\",\"dlp_forensic_id\":2222222222222222222,\"dlp_policy\":\"[DLP] Block sensitive files on Cloud Storage\",\"dlp_profile_name\":\"DLP-PII\",\"dlp_rules\":[{\"dlp_data_identifiers\":{\"industries/healthcare/medical_conditions/eng\":5,\"persons/proper_names/us/last\":5},\"dlp_incident_rule_count\":5,\"dlp_rule_name\":\"Name-Medical Condition\",\"dlp_rule_score\":10,\"dlp_rule_severity\":\"Low\",\"is_unique_count\":false,\"weighted\":false}]}],\"dlp_parent_id\":2222222222222222222,\"dst_location\":\"Paris\",\"file_lang\":\"ENGLISH\",\"file_size\":19154,\"file_type\":\"eicar.txt\",\"from_user\":\"john.doe@example.org\",\"instance_id\":\"example.org\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"object\":\"Ruby\",\"object_type\":\"Notebook\",\"referer\":\"https://intranet.example.org/\",\"severity\":\"Low\",\"site\":\"nextcloud\",\"src_location\":\"Rennes\",\"status\":\"new\",\"timestamp\":1675152713,\"title\":\"NextCloud\",\"true_obj_category\":\"Text\",\"true_obj_type\":\"Plain Text 
file\",\"url\":\"storage.example.org/files/eicar.txt\",\"user\":\"john.doe@example.org\",\"user_id\":\"example-netskope-repo-secu\",\"zip_file_id\":\"inci_2222222222222222222.zip\",\"exposure\":\"\",\"owner\":\"\",\"latest_incident_id\":0,\"file_path\":\"\",\"instance\":\"\",\"inline_dlp_match_info\":[],\"original_file_snapshot_id\":\"\",\"bcc\":\"\",\"to_user\":\"\",\"dlp_file\":\"\",\"classification\":\"\",\"cc\":\"\",\"owner_pdl\":\"\",\"channel\":\"\"}\n", "event": { "action": "Upload", - "kind": "alert", "category": [ "file" ], + "dataset": "dlp_incident", + "kind": "alert", "type": [ "info" - ], - "dataset": "dlp_incident" + ] }, "@timestamp": "2023-01-31T08:11:53Z", - "observer": { - "vendor": "Netskope" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, - "source": { - "geo": { - "city_name": "Rennes" + "cloud": { + "instance": { + "id": "example.org" } }, "destination": { @@ -465,39 +457,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. "city_name": "Paris" } }, - "url": { - "original": "storage.example.org/files/eicar.txt", - "path": "storage.example.org/files/eicar.txt" - }, - "http": { - "request": { - "referrer": "https://intranet.example.org/" - } - }, - "cloud": { - "instance": { - "id": "example.org" - } - }, "file": { "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, "mime_type": "eicar.txt" }, + "http": { + "request": { + "referrer": "https://intranet.example.org/" + } + }, "netskope": { - "events": { - "application": { - "name": "NextCloud" - }, - "access_method": "Client" - }, "dlp": { "incident": { "id": "2222222222222222222" } + }, + "events": { + "access_method": "Client", + "application": { + "name": "NextCloud" + } } }, + "observer": { + "vendor": "Netskope" + }, "related": { "hash": [ "68b329da9893e34099c7d8ad5cb9c940" 
@@ -505,6 +491,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "geo": { + "city_name": "Rennes" + } + }, + "url": { + "original": "storage.example.org/files/eicar.txt", + "path": "storage.example.org/files/eicar.txt" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" } } 
@@ -518,79 +518,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": 
\"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n \"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n 
\"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": \"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "dataset": "nspolicy", "action": "Download", - "duration": 0, - "kind": "alert", "category": [ "malware" ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", "type": [ "info" ] }, "@timestamp": "2022-12-21T14:12:08Z", - "observer": { - "vendor": "Netskope" - }, - "user_agent": { - "name": "Safari" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, - "network": { - "bytes": 0 - }, - "host": { - "name": "MacBook Pro", - "os": { - "name": "Monterey", - "type": "macos", - "platform": "darwin" - } - }, - "source": { - "ip": "4.3.2.1", - "bytes": 0, - "geo": { - "timezone": "Europe/Paris", - "city_name": "Rennes", - "region_name": "Brittany", - "postal_code": "35000", - "country_iso_code": "FR", - "location": { - "lat": 48.11, - "lon": -1.6744 - } - }, - "address": "4.3.2.1" - }, "destination": { - "ip": "5.6.7.8", + "address": "5.6.7.8", "bytes": 0, "geo": { "city_name": "Redmond", - "region_name": "Washington", - "postal_code": "98073", "country_iso_code": "US", "location": { "lat": 47.6711, "lon": -122.1253 - } + }, + "postal_code": "98073", + "region_name": "Washington" }, - "address": "5.6.7.8" - }, - "url": { - "original": "secure.eicar.org/eicarcom2.zip", - "path": "secure.eicar.org/eicarcom2.zip" - }, - "http": { - "request": { - "referrer": "https://www.eicar.org/" - } + "ip": "5.6.7.8" }, "file": { "hash": { 
@@ -598,19 +551,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "name": "eicarcom2.zip" }, + "host": { + "name": "MacBook Pro", + "os": { + "name": "Monterey", + "platform": "darwin", + "type": "macos" + } + }, + "http": { + "request": { + "referrer": "https://www.eicar.org/" + } + }, "netskope": { "alerts": { "type": "Malware" }, "events": { + "access_method": "Client", "application": { - "name": "eicar", - "category": "n/a" + "category": "n/a", + "name": "eicar" }, - "access_method": "Client", "ccl": "unknown" } }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, "related": { "hash": [ "68b329da9893e34099c7d8ad5cb9c940" @@ -622,6 +594,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "source": { + "address": "4.3.2.1", + "bytes": 0, + "geo": { + "city_name": "Rennes", + "country_iso_code": "FR", + "location": { + "lat": 48.11, + "lon": -1.6744 + }, + "postal_code": "35000", + "region_name": "Brittany", + "timezone": "Europe/Paris" + }, + "ip": "4.3.2.1" + }, + "url": { + "original": "secure.eicar.org/eicarcom2.zip", + "path": "secure.eicar.org/eicarcom2.zip" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" + }, + "user_agent": { + "name": "Safari" } } 
@@ -635,90 +635,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"activity\": \"Download\",\n \"alert\": \"no\",\n \"app\": \"Microsoft Office 365 Sharepoint Online\",\n \"app_session_id\": 2222222222222222222,\n \"appcategory\": \"Collaboration\",\n \"appsuite\": \"Office365\",\n \"browser\": \"Firefox\",\n \"browser_session_id\": 1111111111111111111,\n \"browser_version\": \"108.0\",\n \"category\": \"Collaboration\",\n \"cci\": 91,\n \"ccl\": \"excellent\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_size\": 204299,\n \"file_type\": \"image/gif\",\n \"from_user\": \"john.doe@example.org\",\n \"hostname\": \"TEST-1111111\",\n \"instance_id\": \"Example\",\n \"managed_app\": \"no\",\n \"managementID\": \"\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"netskope_pop\": \"FR-PAR1\",\n \"nsdeviceuid\": \"b05badf9-60ff-4b1e-a172-61a60b2f1fc4\",\n \"object\": \"giphy2.gif\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"web.yammer.com\",\n \"page_site\": \"Yammer\",\n \"policy_id\": \"FCA65744E4DA5594AC16F5AD1D05216C 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://web.yammer.com/\",\n \"request_id\": 2471498450631098400,\n \"sanctioned_instance\": \"\",\n \"severity\": \"unknown\",\n \"site\": \"Microsoft Office 365 Sharepoint Sites\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n 
\"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 16:52:08 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"1.2.3.4\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671637920,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"example.sharepoint.com/sites/mysite/_layouts/0/download.aspx\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"object_id\": \"\",\n \"channel_id\": \"\",\n \"sAMAccountName\": \"\",\n \"dsthost\": \"\",\n \"app_activity\": \"\",\n \"parent_id\": \"\",\n \"fromlogs\": \"\",\n \"owner\": \"\",\n \"dlp_rule_severity\": \"\",\n \"client_bytes\": 0,\n \"userPrincipalName\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_unique_count\": 0,\n \"user_id\": \"\",\n \"dlp_incident_id\": 0,\n \"dlp_file\": \"\",\n \"file_path\": \"\",\n \"dlp_parent_id\": 0,\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"from_user_category\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"shared_with\": \"\",\n \"suppression_start_time\": 0,\n \"title\": \"\",\n \"web_universal_connector\": \"\",\n \"universal_connector\": \"\",\n \"resp_cnt\": 0,\n \"loginurl\": \"\",\n \"req_cnt\": 0,\n \"conn_duration\": 0,\n \"server_bytes\": 0,\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"true_obj_type\": \"\",\n \"suppression_end_time\": 0,\n \"custom_connector\": \"\",\n \"netskope_activity\": \"\",\n \"internal_collaborator_count\": 0,\n \"notify_template\": \"\",\n \"total_collaborator_count\": 0,\n \"suppression_key\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"scan_type\": \"\",\n \"data_center\": \"\",\n \"dlp_rule_count\": 0,\n \"org\": \"\",\n \"action\": \"\",\n 
\"logintype\": \"\",\n \"exposure\": \"\",\n \"modified\": 0,\n \"log_file_name\": \"\",\n \"mime_type\": \"\",\n \"dstport\": 0,\n \"numbytes\": 0,\n \"to_user\": \"\",\n \"workspace\": \"\",\n \"instance\": \"\",\n \"CononicalName\": \"\",\n \"file_lang\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"alert_type\": \"\",\n \"sessionid\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_profile\": \"\",\n \"user_category\": \"\",\n \"data_type\": \"\",\n \"policy\": \"\"\n}\n", "event": { - "dataset": "nspolicy", "action": "Download", - "duration": 0, - "kind": "event", "category": [ "network" ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", "type": [ "info" ] }, "@timestamp": "2022-12-21T15:52:00Z", - "observer": { - "vendor": "Netskope" - }, - "user_agent": { - "name": "Firefox", - "version": "108.0" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, - "network": { - "bytes": 0 - }, - "host": { - "name": "TEST-1111111", - "os": { - "name": "Windows 11", - "version": "Windows 11", - "type": "windows", - "platform": "windows" + "cloud": { + "instance": { + "id": "Example" } }, - "source": { - "ip": "1.2.3.4", - "bytes": 0, - "geo": { - "timezone": "Europe/Paris", - "city_name": "Rennes", - "region_name": "Brittany", - "postal_code": "35000", - "country_iso_code": "FR", - "location": { - "lat": 48.11, - "lon": -1.6744 - } - }, - "address": "1.2.3.4" - }, "destination": { - "ip": "5.6.7.8", + "address": "5.6.7.8", "bytes": 0, "geo": { - "timezone": "America/Los_Angeles", "city_name": "Redmond", - "region_name": "Washington", - "postal_code": "98073", "country_iso_code": "US", "location": { "lat": 47.6711, "lon": -122.1253 - } + }, + "postal_code": "98073", + "region_name": "Washington", + "timezone": "America/Los_Angeles" }, - "address": "5.6.7.8" - }, - "rule": { - "id": "FCA65744E4DA5594AC16F5AD1D05216C 2022-12-21 14:31:09.981853" - }, - "url": { - "original": 
"example.sharepoint.com/sites/mysite/_layouts/0/download.aspx", - "path": "example.sharepoint.com/sites/mysite/_layouts/0/download.aspx" - }, - "http": { - "request": { - "referrer": "https://web.yammer.com/" - } - }, - "cloud": { - "instance": { - "id": "Example" - } + "ip": "5.6.7.8" }, "file": { "hash": { @@ -727,17 +675,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "mime_type": "image/gif", "name": "giphy2.gif" }, + "host": { + "name": "TEST-1111111", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows 11" + } + }, + "http": { + "request": { + "referrer": "https://web.yammer.com/" + } + }, "netskope": { "events": { + "access_method": "Client", "application": { + "category": "Collaboration", "name": "Microsoft Office 365 Sharepoint Online", - "suite": "Office365", - "category": "Collaboration" + "suite": "Office365" }, - "access_method": "Client", "ccl": "excellent" } }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, "related": { "hash": [ "68b329da9893e34099c7d8ad5cb9c940" @@ -749,6 +717,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "rule": { + "id": "FCA65744E4DA5594AC16F5AD1D05216C 2022-12-21 14:31:09.981853" + }, + "source": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Rennes", + "country_iso_code": "FR", + "location": { + "lat": 48.11, + "lon": -1.6744 + }, + "postal_code": "35000", + "region_name": "Brittany", + "timezone": "Europe/Paris" + }, + "ip": "1.2.3.4" + }, + "url": { + "original": "example.sharepoint.com/sites/mysite/_layouts/0/download.aspx", + "path": "example.sharepoint.com/sites/mysite/_layouts/0/download.aspx" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" + }, + "user_agent": { + "name": "Firefox", + "version": "108.0" } } 
@@ -762,100 +762,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n 
\"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n 
\"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": \"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "dataset": "nspolicy", "action": "Share", - "duration": 0, - "kind": "alert", "category": [ "network" ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", "type": [ "info" ] }, "@timestamp": "2022-12-21T14:52:01Z", - "observer": { - "vendor": "Netskope" - }, - "user_agent": { - "name": "Edge", - "version": "108.0.1462.54" - }, - "user": { - "email": "john.doe@example.org", - "name": "john.doe", - "domain": "example.org" - }, - "network": { - "bytes": 0 - }, - "host": { - "name": "TEST-1234", - "os": { - "name": "Windows 11", - "version": "Windows 11", - "type": "windows", - "platform": "windows" - } - }, - "source": { - "ip": "4.3.2.1", - "bytes": 0, - "geo": { - "timezone": "Europe/Paris", - "city_name": "Rennes", - "region_name": "Brittany", - "postal_code": "35000", - "country_iso_code": "FR", - "location": { - "lat": 48.11, - "lon": -1.6744 - } - }, - "address": "4.3.2.1" - }, "destination": { - "ip": "108.128.91.183", + "address": "108.128.91.183", "bytes": 0, "geo": { - "timezone": "Europe/Dublin", "city_name": "Dublin", - "region_name": "Leinster", - "postal_code": "D02", "country_iso_code": "IE", "location": { "lat": 53.3379, "lon": -6.2591 - } + }, + "postal_code": "D02", + "region_name": "Leinster", + "timezone": "Europe/Dublin" }, - "address": "108.128.91.183" + "ip": "108.128.91.183" }, - "rule": { - "id": "99999999999999999999999999999999 2022-12-21 14:31:09.981853", - "name": "DO NOT CHANGE Educate Upload to 
Non-Corporate Storage" + "file": { + "name": "Client.exe" }, - "url": { - "original": "wetransfer.com/api/v4/transfers/email", - "path": "wetransfer.com/api/v4/transfers/email" + "host": { + "name": "TEST-1234", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows 11" + } }, "http": { "request": { "referrer": "https://wetransfer.com/" } }, - "file": { - "name": "Client.exe" - }, "netskope": { "events": { + "access_method": "Client", "application": { - "name": "WeTransfer", - "category": "Cloud Storage" + "category": "Cloud Storage", + "name": "WeTransfer" }, - "access_method": "Client", "ccl": "low" } }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, "related": { "ip": [ "108.128.91.183", @@ -864,6 +831,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe" ] + }, + "rule": { + "id": "99999999999999999999999999999999 2022-12-21 14:31:09.981853", + "name": "DO NOT CHANGE Educate Upload to Non-Corporate Storage" + }, + "source": { + "address": "4.3.2.1", + "bytes": 0, + "geo": { + "city_name": "Rennes", + "country_iso_code": "FR", + "location": { + "lat": 48.11, + "lon": -1.6744 + }, + "postal_code": "35000", + "region_name": "Brittany", + "timezone": "Europe/Paris" + }, + "ip": "4.3.2.1" + }, + "url": { + "original": "wetransfer.com/api/v4/transfers/email", + "path": "wetransfer.com/api/v4/transfers/email" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "name": "john.doe" + }, + "user_agent": { + "name": "Edge", + "version": "108.0.1462.54" } } diff --git a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md index 810b6dea17..952a77e4bc 100644 --- a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md 
+++ b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md @@ -35,35 +35,35 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"data\":\"2022-08-25T17:06:21.935763-07:00 m0169160 sendmail[22003]: 27PNO8ta032355: to=/dev/null, ctladdr= (8/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, tls_verify=NONE, tls_version=NONE, cipher=NONE, pri=32434, dsn=2.0.0, stat=Sent\",\"tls\":{\"version\":\"NONE\",\"verify\":\"NONE\",\"cipher\":\"NONE\"},\"sm\":{\"delay\":\"00:00:00\",\"to\":[\"/dev/null\"],\"pri\":\"32434\",\"dsn\":\"2.0.0\",\"ctladdr\":\" (8/0)\",\"qid\":\"27PNO8ta032355\",\"xdelay\":\"00:00:00\",\"stat\":\"Sent\",\"mailer\":\"*file*\"},\"pps\":{\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\",\"agent\":\"m0169160.ppops.net\"},\"ts\":\"2022-08-25T17:06:21.935763-0700\",\"id\":\"41K7tSNsqcyiZCuOX1wmnQ\",\"metadata\":{\"origin\":{\"schemaVersion\":\"20200420\",\"data\":{\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\",\"agent\":\"m0169160.ppops.net\"}},\"customerId\":\"6ae809da-7151-354f-8d3c-40fe90ec6eca\"},\"type\":\"maillog\"}\n", "event": { - "kind": "event", + "category": [ + "email" + ], "dataset": "maillog", + "kind": "event", "type": [ "info" - ], - "category": [ - "email" ] }, "@timestamp": "2022-08-26T00:06:21.935763Z", - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" - }, - "error": { - "code": "2.0.0" - }, "email": { "local_id": "27PNO8ta032355", - "x_mailer": "*file*", "to": { "address": [ "/dev/null" ] - } + }, + "x_mailer": "*file*" + }, + "error": { + "code": "2.0.0" }, "network": { "transport": "tcp" }, + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" + }, "proofpoint": { "pod": { "cluster": { 
@@ -83,76 +83,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"connection\":{\"protocol\":\"smtp:smtp\",\"ip\":\"66.218.66.103\",\"host\":\"n35.grp.scd.yahoo.com\",\"sid\":\"3j6jew035h\",\"resolveStatus\":\"ok\",\"helo\":\"n35.grp.scd.yahoo.com\",\"country\":\"us\"},\"filter\":{\"delivered\":{\"rcpts\":[\"amartinez@thopedia.com\"]},\"qid\":\"27Q0O7ss000303\",\"modules\":{\"spam\":{\"version\":{\"definitions\":\"main-2208250092\",\"engine\":\"8.19.0-2204280000\"},\"langs\":[\"en\",\"pt\",\"es\"],\"scores\":{\"classifiers\":{\"malware\":0,\"lowpriority\":0,\"adult\":0,\"mlx\":0,\"bulk\":0,\"spam\":0,\"phish\":0,\"mlxlog\":372,\"impostor\":0,\"suspect\":0},\"overall\":0,\"engine\":0}}},\"routes\":[\"allow_relay\",\"firewallsafe\",\"internalnet\",\"outbound\"],\"durationSecs\":0.169678,\"suborgs\":{\"sender\":\"0\",\"rcpts\":[\"0\"]},\"verified\":{\"rcpts\":[\"amartinez@thopedia.com\"]},\"disposition\":\"continue\",\"actions\":[{\"module\":\"av\",\"rule\":\"clean\",\"action\":\"add-header\"},{\"module\":\"av\",\"isFinal\":true,\"action\":\"continue\",\"rule\":\"clean\"},{\"module\":\"spam\",\"action\":\"add-header\",\"rule\":\"notspam\"}],\"msgSizeBytes\":4857,\"routeDirection\":\"outbound\"},\"guid\":\"rkuzwIede_tYDQ-P7qUoNlwm6Hz3u1R5\",\"msg\":{\"header\":{\"return-path\":[\"\"],\"to\":[\"\\\"wmoms\\\" \"],\"message-id\":[\"<1C30CBDA666538428B33679A1FB67AFDBA380B@bumail.bradley.edu>\"],\"from\":[\"\\\"Schweigert, Wendy\\\" \"],\"reply-to\":[\"wmoms@yahoogroups.com\"],\"subject\":[\"[wmoms] ctts\"]},\"sizeBytes\":4275,\"normalizedHeader\":{\"subject\":[\"[wmoms] ctts\"],\"reply-to\":[\"wmoms@yahoogroups.com\"],\"to\":[\"\\\"wmoms\\\" \"],\"message-id\":[\"1C30CBDA666538428B33679A1FB67AFDBA380B@bumail.bradley.edu\"],\"from\":[\"\\\"Schweigert, Wendy\\\" 
\"],\"return-path\":[\"\"]},\"parsedAddresses\":{\"from\":[\"wendy@bumail.bradley.edu\"],\"to\":[\"wmoms@yahoogroups.com\"],\"reply-to\":[\"wmoms@yahoogroups.com\"],\"fromDisplayNames\":[\"Schweigert, Wendy\"]},\"lang\":\"en\"},\"ts\":\"2022-08-25T17:25:21.071953-0700\",\"metadata\":{\"origin\":{\"data\":{\"agent\":\"m0169160.ppops.net\",\"version\":\"8.19.0.1216\",\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\"}}},\"envelope\":{\"rcpts\":[\"amartinez@thopedia.com\"],\"from\":\"kpereira@cloudadminuidemo.com\"},\"type\":\"message\"}\n", "event": { - "kind": "event", - "dataset": "message", + "action": "continue", "category": [ "email", "network" ], - "action": "continue", + "dataset": "message", + "kind": "event", "type": [ "allowed" ] }, "@timestamp": "2022-08-26T00:25:21.071953Z", - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" - }, "email": { - "local_id": "rkuzwIede_tYDQ-P7qUoNlwm6Hz3u1R5", - "message_id": "1C30CBDA666538428B33679A1FB67AFDBA380B@bumail.bradley.edu", - "subject": "[wmoms] ctts", "from": { "address": [ "wendy@bumail.bradley.edu" ] }, - "to": { + "local_id": "rkuzwIede_tYDQ-P7qUoNlwm6Hz3u1R5", + "message_id": "1C30CBDA666538428B33679A1FB67AFDBA380B@bumail.bradley.edu", + "reply_to": { "address": [ "wmoms@yahoogroups.com" ] }, - "reply_to": { + "subject": "[wmoms] ctts", + "to": { "address": [ "wmoms@yahoogroups.com" ] } }, - "source": { - "ip": "66.218.66.103", - "domain": "n35.grp.scd.yahoo.com", - "geo": { - "country_iso_code": "us" - }, - "address": "n35.grp.scd.yahoo.com", - "top_level_domain": "com", - "subdomain": "n35.grp.scd", - "registered_domain": "yahoo.com" - }, "network": { - "transport": "tcp", - "protocol": "smtp" + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" }, "proofpoint": { "pod": { "cluster": { "id": "proofpointdemo_cloudadminuidemo_hosted" }, - "threat": { - "scores": { - "malware": 0, - "lowpriority": 0, - "adult": 
0, - "mlx": 0, - "bulk": 0, - "spam": 0, - "phish": 0, - "mlxlog": 372, - "impostor": 0, - "suspect": 0 - } - }, + "modules": [ + "spam" + ], "routes": [ "allow_relay", "firewallsafe", @@ -160,14 +138,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outbound" ], "smtp": { - "sender": "kpereira@cloudadminuidemo.com", "recipients": [ "amartinez@thopedia.com" - ] + ], + "sender": "kpereira@cloudadminuidemo.com" }, - "modules": [ - "spam" - ] + "threat": { + "scores": { + "adult": 0, + "bulk": 0, + "impostor": 0, + "lowpriority": 0, + "malware": 0, + "mlx": 0, + "mlxlog": 372, + "phish": 0, + "spam": 0, + "suspect": 0 + } + } } }, "related": { @@ -177,6 +166,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "66.218.66.103" ] + }, + "source": { + "address": "n35.grp.scd.yahoo.com", + "domain": "n35.grp.scd.yahoo.com", + "geo": { + "country_iso_code": "us" + }, + "ip": "66.218.66.103", + "registered_domain": "yahoo.com", + "subdomain": "n35.grp.scd", + "top_level_domain": "com" } } 
@@ -190,74 +190,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"metadata\":{\"origin\":{\"data\":{\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\",\"agent\":\"m0169161.ppops.net\",\"version\":\"8.19.0.1216\"}}},\"ts\":\"2022-09-11T18:28:19.902627-0700\",\"envelope\":{\"from\":\"rdmfe@yokm.net\",\"rcpts\":[\"ceo@exec.vogon.science\"]},\"connection\":{\"host\":\"208-86-203-0.proofpoint.com\",\"ip\":\"208.86.203.10\",\"sid\":\"3jgptm9dux\",\"tls\":{\"inbound\":{\"version\":\"TLSv1.2\",\"cipherBits\":256,\"cipher\":\"ECDHE-RSA-AES256-GCM-SHA384\"}},\"country\":\"us\",\"protocol\":\"smtp:smtp\",\"resolveStatus\":\"ok\",\"helo\":\"selabfork.ppslab.net\"},\"msg\":{\"lang\":\"ja\",\"normalizedHeader\":{\"to\":[\"\"],\"subject\":[\"\u3010\u60c5\u5831\u3011 Amazon.co.jp\uff1a\u304a\u5ba2\u69d8\u306e\u304a\u652f\u6255\u3044\u65b9\u6cd5\u304c\u627f\u8a8d\u3055\u308c\u307e\u305b\u3093 #878-9442229-8829554\"],\"message-id\":[\"20220912092800466772@yokm.net\"],\"x-mailer\":[\"Xwstoxzpk 1\"],\"from\":[\"\\\"Amazon\\\" \"]},\"parsedAddresses\":{\"fromDisplayNames\":[\"Amazon\"],\"from\":[\"rdmfe@yokm.net\"],\"to\":[\"sletre@vogon.science\"]},\"header\":{\"from\":[\"\\\"Amazon\\\" \"],\"message-id\":[\"<20220912092800466772@yokm.net>\"],\"x-mailer\":[\"Xwstoxzpk 
1\"],\"subject\":[\"=?utf-8?B?44CQ5oOF5aCx44CRIEFtYXpvbi5jby5qcO+8muOBiuWuog==?=\\r\\n\\t=?utf-8?B?5qeY44Gu44GK5pSv5omV44GE5pa55rOV44GM5om/6KqN44GV44KM44G+44Gb44KTICM4Nw==?=\\r\\n\\t=?utf-8?B?OC05NDQyMjI5LTg4Mjk1NTQ=?=\"],\"to\":[\"\"]},\"sizeBytes\":33366},\"filter\":{\"actions\":[{\"rule\":\"clean\",\"action\":\"add-header\",\"module\":\"av\"},{\"rule\":\"clean\",\"action\":\"continue\",\"module\":\"av\"},{\"action\":\"add-header\",\"module\":\"spam\",\"rule\":\"phish\"},{\"rule\":\"phish\",\"action\":\"copy\",\"module\":\"spam\"},{\"rule\":\"phish\",\"module\":\"spam\",\"action\":\"quarantine\"},{\"module\":\"spam\",\"action\":\"discard\",\"rule\":\"phish\",\"isFinal\":true}],\"modules\":{\"urldefense\":{\"counts\":{\"total\":5,\"unique\":2,\"rewritten\":5},\"version\":{\"engine\":\"15\"}},\"spam\":{\"langs\":[\"en\",\"jp\",\"pt\"],\"triggeredClassifier\":\"phish\",\"scores\":{\"overall\":100,\"engine\":100,\"classifiers\":{\"adult\":0,\"mlx\":100,\"impostor\":0,\"spam\":100,\"malware\":0,\"mlxlog\":-1000,\"phish\":100,\"suspect\":0,\"lowpriority\":0,\"bulk\":0}},\"version\":{\"definitions\":\"main-2209120003\",\"engine\":\"8.19.0-2204280000\"}},\"spf\":{\"domain\":\"yokm.net\",\"result\":\"none\"},\"dmarc\":{\"records\":[{\"error\":\"NXDOMAIN\",\"query\":\"_dmarc.yokm.net\"}],\"filterdResult\":\"none\",\"authResults\":[{\"method\":\"spf\",\"emailIdentities\":{\"smtp.mailfrom\":\"rdmfe@yokm.net\"},\"result\":\"none\"},{\"method\":\"dmarc\",\"result\":\"none\"}],\"srvid\":\"ppops.net\"}},\"suborgs\":{\"sender\":\"0\",\"rcpts\":[\"0\"]},\"isMsgInDigest\":true,\"routeDirection\":\"internal\",\"verified\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"msgSizeBytes\":33278,\"routes\":[\"allow_relay\",\"default_inbound\",\"firewallsafe\",\"internalnet\"],\"durationSecs\":0.356614,\"delivered\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"disposition\":\"discard\",\"qid\":\"3jgptm9dux-1\",\"quarantine\":{\"module\":\"spam\",\"folderId\":\"phish\",\"type\":\"quarantine\",\"fol
der\":\"Phish\",\"rule\":\"phish\"}},\"guid\":\"5PVdahx3PMGFONShVUQ19uni34-uVQRm\",\"type\":\"message\"}\n", "event": { - "kind": "event", - "dataset": "message", + "action": "discard", "category": [ "email", "network" ], - "action": "discard", + "dataset": "message", + "kind": "event", "type": [ "denied" ] }, "@timestamp": "2022-09-12T01:28:19.902627Z", - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" - }, "email": { - "local_id": "5PVdahx3PMGFONShVUQ19uni34-uVQRm", - "message_id": "20220912092800466772@yokm.net", - "subject": "\u3010\u60c5\u5831\u3011 Amazon.co.jp\uff1a\u304a\u5ba2\u69d8\u306e\u304a\u652f\u6255\u3044\u65b9\u6cd5\u304c\u627f\u8a8d\u3055\u308c\u307e\u305b\u3093 #878-9442229-8829554", "from": { "address": [ "rdmfe@yokm.net" ] }, + "local_id": "5PVdahx3PMGFONShVUQ19uni34-uVQRm", + "message_id": "20220912092800466772@yokm.net", + "subject": "\u3010\u60c5\u5831\u3011 Amazon.co.jp\uff1a\u304a\u5ba2\u69d8\u306e\u304a\u652f\u6255\u3044\u65b9\u6cd5\u304c\u627f\u8a8d\u3055\u308c\u307e\u305b\u3093 #878-9442229-8829554", "to": { "address": [ "sletre@vogon.science" ] } }, - "source": { - "ip": "208.86.203.10", - "domain": "208-86-203-0.proofpoint.com", - "geo": { - "country_iso_code": "us" - }, - "address": "208-86-203-0.proofpoint.com", - "top_level_domain": "com", - "subdomain": "208-86-203-0", - "registered_domain": "proofpoint.com" - }, - "tls": { - "cipher": "ECDHE-RSA-AES256-GCM-SHA384", - "version": "TLSv1.2" - }, "network": { - "transport": "tcp", - "protocol": "smtp" + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" }, "proofpoint": { "pod": { "cluster": { "id": "proofpointdemo_cloudadminuidemo_hosted" }, - "threat": { - "scores": { - "adult": 0, - "mlx": 100, - "impostor": 0, - "spam": 100, - "malware": 0, - "mlxlog": -1000, - "phish": 100, - "suspect": 0, - "lowpriority": 0, - "bulk": 0 - } + "modules": [ + "dmarc", + "spam", + "spf", + 
"urldefense" + ], + "quarantine": { + "folder": "Phish", + "module": "spam", + "rule": "phish", + "type": "quarantine" }, "routes": [ "allow_relay", @@ -265,24 +248,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "firewallsafe", "internalnet" ], - "quarantine": { - "module": "spam", - "type": "quarantine", - "folder": "Phish", - "rule": "phish" - }, "smtp": { - "sender": "rdmfe@yokm.net", "recipients": [ "ceo@exec.vogon.science" - ] + ], + "sender": "rdmfe@yokm.net" }, - "modules": [ - "urldefense", - "spam", - "spf", - "dmarc" - ] + "threat": { + "scores": { + "adult": 0, + "bulk": 0, + "impostor": 0, + "lowpriority": 0, + "malware": 0, + "mlx": 100, + "mlxlog": -1000, + "phish": 100, + "spam": 100, + "suspect": 0 + } + } } }, "related": { @@ -292,6 +277,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "208.86.203.10" ] + }, + "source": { + "address": "208-86-203-0.proofpoint.com", + "domain": "208-86-203-0.proofpoint.com", + "geo": { + "country_iso_code": "us" + }, + "ip": "208.86.203.10", + "registered_domain": "proofpoint.com", + "subdomain": "208-86-203-0", + "top_level_domain": "com" + }, + "tls": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "version": "TLSv1.2" } } 
@@ -305,57 +305,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"connection\":{\"resolveStatus\":\"[unknown]\",\"host\":\"127.0.0.1\",\"country\":\"**\",\"ip\":\"127.0.0.1\",\"helo\":\"outbound.proofpointdemo\",\"protocol\":\"smtp:smtp\",\"sid\":\"3jryreg677\"},\"ts\":\"2022-09-22T17:06:53.370514-0700\",\"metadata\":{\"origin\":{\"data\":{\"agent\":\"m0169160.ppops.net\",\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\",\"version\":\"8.19.0.1216\"}}},\"msg\":{\"header\":{\"message-id\":[\"<3jryreg677-1@m0169160.ppops.net>\"],\"subject\":[\"\"]},\"lang\":\"und\",\"parsedAddresses\":{},\"normalizedHeader\":{\"message-id\":[\"3jryreg677-1@m0169160.ppops.net\"],\"subject\":[\"\"]},\"sizeBytes\":203},\"envelope\":{\"from\":\"wmacdonald@cloudadminuidemo.com\",\"rcpts\":[\"pchilson@huntingance.com\"]},\"guid\":\"xjin0zM1KZbSWy8mUJvOxTV7WqFRrbd1\",\"filter\":{\"durationSecs\":0.096616,\"disposition\":\"continue\",\"suborgs\":{\"rcpts\":[\"0\"],\"sender\":\"0\"},\"routeDirection\":\"outbound\",\"msgSizeBytes\":728,\"modules\":{\"spam\":{\"langs\":[\"en\"],\"scores\":{\"overall\":40,\"engine\":40,\"classifiers\":{\"lowpriority\":4,\"mlxlog\":18,\"suspect\":0,\"adult\":8,\"spam\":40,\"malware\":0,\"phish\":1,\"bulk\":4,\"impostor\":0,\"mlx\":40}},\"version\":{\"definitions\":\"main-2209220155\",\"engine\":\"8.19.0-2209130001\"}}},\"verified\":{\"rcpts\":[\"pchilson@huntingance.com\"]},\"routes\":[\"allow_relay\",\"firewallsafe\",\"internalnet\",\"outbound\"],\"actions\":[{\"module\":\"av\",\"action\":\"add-header\",\"rule\":\"clean\"},{\"module\":\"av\",\"action\":\"continue\",\"rule\":\"clean\",\"isFinal\":true},{\"module\":\"spam\",\"action\":\"add-header\",\"rule\":\"notspam\"}],\"delivered\":{\"rcpts\":[\"pchilson@huntingance.com\"]},\"qid\":\"28MNsFLm006936\"},\"type\":\"message\"}\n", "event": { - "kind": "event", - "dataset": "message", + "action": "continue", "category": [ "email", "network" ], - "action": "continue", 
+ "dataset": "message", + "kind": "event", "type": [ "allowed" ] }, "@timestamp": "2022-09-23T00:06:53.370514Z", - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" - }, "email": { "local_id": "xjin0zM1KZbSWy8mUJvOxTV7WqFRrbd1", "message_id": "3jryreg677-1@m0169160.ppops.net" }, - "source": { - "ip": "127.0.0.1", - "domain": "127.0.0.1", - "geo": { - "country_iso_code": "**" - }, - "address": "127.0.0.1" - }, "network": { - "transport": "tcp", - "protocol": "smtp" + "protocol": "smtp", + "transport": "tcp" + }, + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" }, "proofpoint": { "pod": { "cluster": { "id": "proofpointdemo_cloudadminuidemo_hosted" }, - "threat": { - "scores": { - "lowpriority": 4, - "mlxlog": 18, - "suspect": 0, - "adult": 8, - "spam": 40, - "malware": 0, - "phish": 1, - "bulk": 4, - "impostor": 0, - "mlx": 40 - } - }, + "modules": [ + "spam" + ], "routes": [ "allow_relay", "firewallsafe", @@ -363,14 +344,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outbound" ], "smtp": { - "sender": "wmacdonald@cloudadminuidemo.com", "recipients": [ "pchilson@huntingance.com" - ] + ], + "sender": "wmacdonald@cloudadminuidemo.com" }, - "modules": [ - "spam" - ] + "threat": { + "scores": { + "adult": 8, + "bulk": 4, + "impostor": 0, + "lowpriority": 4, + "malware": 0, + "mlx": 40, + "mlxlog": 18, + "phish": 1, + "spam": 40, + "suspect": 0 + } + } } }, "related": { @@ -380,6 +372,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "127.0.0.1" ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "geo": { + "country_iso_code": "**" + }, + "ip": "127.0.0.1" } } 
@@ -393,33 +393,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"guid\":\"1234567890\",\"ts\":\"2023-04-12T06:00:05.289102-0700\",\"type\":\"msgPartsUrl\",\"part_uuid\":\"607330be-4eb6-4f6e-9f74-0cbcab2e1ad4\",\"url\":\"http://www.example.org/\",\"src\":[\"filter\"],\"disposition\":\"continue\"}\n", "event": { - "kind": "event", + "action": "continue", "category": [ "email" ], "dataset": "msgPartsUrl", + "kind": "event", "type": [ "info" - ], - "action": "continue" + ] }, "@timestamp": "2023-04-12T13:00:05.289102Z", - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" - }, "email": { "local_id": "1234567890" }, - "url": { - "original": "http://www.example.org/", - "domain": "www.example.org", - "top_level_domain": "org", - "subdomain": "www", - "registered_domain": "example.org", - "path": "/", - "scheme": "http", - "port": 80 + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" }, "proofpoint": { "pod": { @@ -427,6 +417,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "607330be-4eb6-4f6e-9f74-0cbcab2e1ad4" } } + }, + "url": { + "domain": "www.example.org", + "original": "http://www.example.org/", + "path": "/", + "port": 80, + "registered_domain": "example.org", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "org" } } 
@@ -440,68 +440,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"msgParts\":{\"structureId\":\"0\",\"isVirtual\":false,\"labeledName\":\"text.html\",\"isCorrupted\":false,\"md5\":\"f3226e81da52c0cb05d4a7599827b70c\",\"disposition\":\"inline\",\"detectedSizeBytes\":2118,\"detectedExt\":\"HTML\",\"detectedMime\":\"text/html\",\"labeledMime\":\"text/html\",\"textExtracted\":\"U0NBTEFSKDB4N2YxMDhhNzQ3ZDM4KQ==n\",\"isTimedOut\":false,\"isDeleted\":false,\"isArchive\":false,\"sizeDecodedBytes\":2118,\"detectedName\":\"text.html\",\"labeledCharset\":\"US-ASCII\",\"labeledExt\":\"html\",\"dataBase64\":\"U0NBTEFSKDB4N2YxMDVlMzNmNzA4KQ==n\",\"metadata\":{},\"detectedCharset\":\"US-ASCII\",\"isProtected\":false,\"urls\":[{\"url\":\"http://us.adserver.yahoo.com/l?M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046\",\"src\":[\"filter\"]},{\"url\":\"http://servedby.advertising.com/site=552006/size=300250/bnum=1074787264333730/bins=1/rich=0\",\"src\":[\"filter\"]},{\"url\":\"http://docs.yahoo.com/info/terms/\",\"src\":[\"filter\"]},{\"url\":\"http://groups.yahoo.com/group/wmoms/\",\"src\":[\"filter\"]},{\"src\":[\"filter\"],\"url\":\"http://rd.yahoo.com/SIG=12co2at1q/M=243273.4326031.5516772.1261774/D=egroupweb/S=1705042054:HM/EXP=1074873664/A=1750744/R=0/*http://servedby.advertising.com/click/site=552006/bnum=1074787264333730\"},{\"src\":[\"filter\"],\"url\":\"mailto:wmoms-unsubscribe@yahoogroups.com?subject=Unsubscribe\"}],\"sha256\":\"3b9778951a276e13059b1d2254cc93ab9744b6e71081c29918ba20ccaa80db9d\"}, \"type\": \"msgParts\", \"guid\": \"1234567890\", \"uuid\": \"eb99b626-c278-4af3-96f8-5a194e016a43\",\"disposition\":\"continue\"}", "event": { - "kind": "event", + "action": "continue", "category": [ "email" ], "dataset": "msgParts", + "kind": "event", "type": [ "info" - ], - "action": "continue" - }, - "observer": { - "vendor": "ProofPoint", - "product": "ProofPoint On Demand" + ] }, "email": { - 
"local_id": "1234567890", "attachments": [ { "file": { - "mime_type": "text/html", - "name": "text.html", "extension": "html", - "size": "2118", "hash": { "md5": "f3226e81da52c0cb05d4a7599827b70c", "sha256": "3b9778951a276e13059b1d2254cc93ab9744b6e71081c29918ba20ccaa80db9d" - } + }, + "mime_type": "text/html", + "name": "text.html", + "size": "2118" } } - ] + ], + "local_id": "1234567890" + }, + "file": { + "hash": { + "md5": "f3226e81da52c0cb05d4a7599827b70c", + "sha256": "3b9778951a276e13059b1d2254cc93ab9744b6e71081c29918ba20ccaa80db9d" + }, + "name": "text.html" + }, + "observer": { + "product": "ProofPoint On Demand", + "vendor": "ProofPoint" }, "proofpoint": { "pod": { + "msgpart": { + "id": "eb99b626-c278-4af3-96f8-5a194e016a43" + }, "urls": [ - "http://us.adserver.yahoo.com/l?M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", - "http://servedby.advertising.com/site=552006/size=300250/bnum=1074787264333730/bins=1/rich=0", "http://docs.yahoo.com/info/terms/", "http://groups.yahoo.com/group/wmoms/", "http://rd.yahoo.com/SIG=12co2at1q/M=243273.4326031.5516772.1261774/D=egroupweb/S=1705042054:HM/EXP=1074873664/A=1750744/R=0/*http://servedby.advertising.com/click/site=552006/bnum=1074787264333730", + "http://servedby.advertising.com/site=552006/size=300250/bnum=1074787264333730/bins=1/rich=0", + "http://us.adserver.yahoo.com/l?M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", "mailto:wmoms-unsubscribe@yahoogroups.com?subject=Unsubscribe" - ], - "msgpart": { - "id": "eb99b626-c278-4af3-96f8-5a194e016a43" - } - } - }, - "url": { - "original": "http://us.adserver.yahoo.com/l?M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", - "domain": "us.adserver.yahoo.com", - "top_level_domain": "com", - "subdomain": "us.adserver", - "registered_domain": "yahoo.com", - "path": "/l", - "query": "M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", - "scheme": "http", - 
"port": 80 - }, - "file": { - "name": "text.html", - "hash": { - "sha256": "3b9778951a276e13059b1d2254cc93ab9744b6e71081c29918ba20ccaa80db9d", - "md5": "f3226e81da52c0cb05d4a7599827b70c" + ] } }, "related": { @@ -509,6 +498,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "3b9778951a276e13059b1d2254cc93ab9744b6e71081c29918ba20ccaa80db9d", "f3226e81da52c0cb05d4a7599827b70c" ] + }, + "url": { + "domain": "us.adserver.yahoo.com", + "original": "http://us.adserver.yahoo.com/l?M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", + "path": "/l", + "port": 80, + "query": "M=243273.4326031.5516772.1261774/D=egroupmail/S=:HM/A=1750744/rand=299818046", + "registered_domain": "yahoo.com", + "scheme": "http", + "subdomain": "us.adserver", + "top_level_domain": "com" } } diff --git a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md b/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md index 77d4d43723..96f8632580 100644 --- a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md +++ b/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md 
@@ -28,21 +28,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "Nov 15 08:51:42 subdomain.pradeo.net mtd-pradeosecuritysystems[6030]: {\"USER\":\"test_user\",\"SECTION\":\"MTD\\/Apps\",\"ACTION\":\"app_checking\",\"DESCRIPTION\":\"\",\"ITEM\":{\"APPLICATION_ID\":\"55936212\",\"APP_PKG_NAME\":\"com.an_app\",\"APP_VERSION\":\"4.394.10003\",\"APP_SHA1_SIG\":\"a92675ab3dafb37399c47a75ceac8effc4cb401d\"},\"ACTION_VALUES\":{\"ALLOWED\":\"true\",\"ACTION\":\"automatic\",\"POLICY\":\"Green\",\"MATCH_THREATS\":[\"cat_phone_cache_send\",\"cat_phone_device_info_send\",\"cat_phone_hardware_send\",\"cat_user_contact_info_send\",\"match_encrypt_with_key_downloaded_from_network\",\"match_exec_command_downloaded_from_network\",\"match_hide_app_icon_from_launcher\",\"match_priority\",\"match_rootkit\",\"match_rootkit_warning\",\"match_sms\"]}}\n", - "user": { - "name": "test_user" - }, "action": { - "type": "automatic", - "name": "app_checking" + "name": "app_checking", + "type": "automatic" }, "package": { "checksum": "a92675ab3dafb37399c47a75ceac8effc4cb401d", - "version": "4.394.10003", - "name": "com.an_app" + "name": "com.an_app", + "version": "4.394.10003" }, "pradeo": { "allowed": "true", - "policy": "Green", "match_threats": [ "cat_phone_cache_send", "cat_phone_device_info_send", @@ -55,12 +51,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "match_rootkit", "match_rootkit_warning", "match_sms" - ] + ], + "policy": "Green" }, "related": { "user": [ "test_user" ] + }, + "user": { + "name": "test_user" } } diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index 715ae08c30..dbe4924f41 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md 
+++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md 
@@ -36,50 +36,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-10T13:00:05.454Z\", \"sender_ip\": \"192.168.1.1\", \"from\": \"test@sekoia.io\", \"from_header\": \"\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" \", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>\", \"urls\": [{\"url\": \"https://sekoia.io\"}], \"attachments\": [{\"id\": \"ca9ph2ostndl7735uht0\", \"filename\": \"image001.png\", \"extension\": \"png\", \"size\": 12894},{\"id\": \"ca9okt0kn1e8usdf633g\", \"filename\": \"archive.zip\", \"extension\": \"zip\", \"size\": 10558}], \"status\": \"LEGIT\", \"substatus\": \"\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 113475, \"current_events\": [], \"whitelisted\": false}", "event": { + "action": "nothing", "category": [ "email" ], "kind": "event", "type": [ "info" - ], - "action": "nothing" + ] }, "email": { - "local_id": "zekfnzejnf576rge8768", - "message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>", - "to": { - "address": "test@vadesecure.com" - }, - "from": { - "address": "test@sekoia.io" - }, - "subject": "Lorem ipsum dolor", "attachments": [ { "file": { + "extension": "png", "name": "image001.png", - "size": 12894, - "extension": "png" + "size": 12894 } }, { "file": { + "extension": "zip", "name": "archive.zip", - "size": 10558, - "extension": "zip" + "size": 10558 } } + ], + "from": { + "address": "test@sekoia.io" + }, + "local_id": "zekfnzejnf576rge8768", + "message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>", + "subject": "Lorem ipsum dolor", + "to": { + "address": "test@vadesecure.com" + } + }, + "related": { + "ip": [ + "192.168.1.1" ] }, "source": { - "ip": "192.168.1.1", - "address": "192.168.1.1" + "address": "192.168.1.1", + 
"ip": "192.168.1.1" }, "vadesecure": { - "from_header": "", - "to_header": "\"test@vadesecure.com\" ", - "status": "LEGIT", "attachments": [ { "filename": "image001.png", @@ -90,12 +92,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "ca9okt0kn1e8usdf633g" } ], + "from_header": "", + "status": "LEGIT", + "to_header": "\"test@vadesecure.com\" ", "whitelist": "false" - }, - "related": { - "ip": [ - "192.168.1.1" - ] } } 
@@ -109,63 +109,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"id\": \"ch34aoqub3glupige13g\", \"date\": \"2023-04-24T09:01:23.666Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO \", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" \", \"subject\": \"OneDrive- Document No.: 1928578 - VadeSecure\", \"message_id\": \"<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>\", \"urls\": [{\"url\": \"https://www.facebo\\u1ecdk.com/login.php\"}, {\"url\": \"https://www.facelbo?k.com/login.php\"}, {\"url\": \"https://www.vadesecure.com/\"}, {\"url\": \"https://sites.google.com/view/gine-office/home\"}], \"attachments\": [{\"id\": \"ch34aoqub3glupige170\", \"filename\": \"\", \"extension\": \"\", \"size\": 10558, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}, {\"id\": \"ch34aoqub3glupige17g\", \"filename\": \"\", \"extension\": \"\", \"size\": 12894, \"hashes\": {\"md5\": \"0eb4a83f99c2cd38d9d4decf809d1701\", \"sha1\": \"4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f\", \"sha256\": \"f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae\", \"sha512\": \"c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156\"}}], \"status\": \"PHISHING\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"MOVE\", \"folder\": \"JunkEmail\", \"size\": 186849, \"current_events\": [], \"whitelisted\": false, \"geo\": {\"country_name\": 
\"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": false}", "event": { + "action": "move", "category": [ "email" ], "kind": "event", "type": [ "change" - ], - "action": "move" + ] }, "email": { - "local_id": "ch34aoqub3glupige13g", - "message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>", - "to": { - "address": "test@vadesecure.com" - }, - "from": { - "address": "test@sekoia.io" - }, - "subject": "OneDrive- Document No.: 1928578 - VadeSecure", "attachments": [ { "file": { - "name": "", - "size": 10558, "extension": "", "hash": { "md5": "7bc2b146a309acbff2da55e6b4124a82", "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" - } + }, + "name": "", + "size": 10558 } }, { "file": { - "name": "", - "size": 12894, "extension": "", "hash": { "md5": "0eb4a83f99c2cd38d9d4decf809d1701", "sha1": "4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f", "sha256": "f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae", "sha512": "c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156" - } + }, + "name": "", + "size": 12894 } } + ], + "from": { + "address": "test@sekoia.io" + }, + "local_id": "ch34aoqub3glupige13g", + "message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>", + "subject": "OneDrive- Document No.: 1928578 - VadeSecure", + "to": { + "address": "test@vadesecure.com" + } + }, + "related": { + "ip": [ + "163.172.240.104" ] }, "source": { - "ip": "163.172.240.104", - "address": "163.172.240.104" + "address": "163.172.240.104", + "ip": "163.172.240.104" }, "vadesecure": { - "folder": "JunkEmail", - "from_header": "Test SEKOIA.IO ", - "to_header": 
"\"test@vadesecure.com\" ", - "status": "PHISHING", "attachments": [ { "filename": "", @@ -176,12 +177,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "ch34aoqub3glupige17g" } ], + "folder": "JunkEmail", + "from_header": "Test SEKOIA.IO ", + "status": "PHISHING", + "to_header": "\"test@vadesecure.com\" ", "whitelist": "false" - }, - "related": { - "ip": [ - "163.172.240.104" - ] } } 
@@ -195,61 +195,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"id\": \"cgrqlp83v5prkopmecf0\", \"date\": \"2023-04-13T07:10:29.191Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO \", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" \", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"\", \"urls\": [], \"attachments\": [{\"id\": \"cgrqlp83v5prkopmecfg\", \"filename\": \"commande.docm\", \"extension\": \"docm\", \"size\": 96009, \"hashes\": {\"md5\": \"c1ea14accbb4f5ac66beac2d3f8de531\", \"sha1\": \"bfd1de0e780a3d7f047f6de00f44eaa1868e05e2\", \"sha256\": \"6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424\", \"sha512\": \"77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 179355, \"current_events\": [], \"whitelisted\": true, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": true}", "event": { + "action": "nothing", "category": [ "email" ], "kind": "event", "type": [ "info" - ], - "action": "nothing" + ] }, "email": { - "local_id": "cgrqlp83v5prkopmecf0", - "message_id": "", - "to": { - "address": "test@vadesecure.com" - }, - "from": { - "address": "test@sekoia.io" - }, - "subject": "Lorem ipsum dolor", "attachments": [ { "file": { - "name": "commande.docm", - "size": 96009, "extension": "docm", "hash": { "md5": "c1ea14accbb4f5ac66beac2d3f8de531", "sha1": "bfd1de0e780a3d7f047f6de00f44eaa1868e05e2", "sha256": "6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424", "sha512": 
"77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d" - } + }, + "name": "commande.docm", + "size": 96009 } } + ], + "from": { + "address": "test@sekoia.io" + }, + "local_id": "cgrqlp83v5prkopmecf0", + "message_id": "", + "subject": "Lorem ipsum dolor", + "to": { + "address": "test@vadesecure.com" + } + }, + "related": { + "ip": [ + "163.172.240.104" ] }, "source": { - "ip": "163.172.240.104", - "address": "163.172.240.104" + "address": "163.172.240.104", + "ip": "163.172.240.104" }, "vadesecure": { - "from_header": "Test SEKOIA.IO ", - "to_header": "\"test@vadesecure.com\" ", - "status": "LEGIT", "attachments": [ { "filename": "commande.docm", "id": "cgrqlp83v5prkopmecfg" } ], + "from_header": "Test SEKOIA.IO ", + "status": "LEGIT", + "to_header": "\"test@vadesecure.com\" ", "whitelist": "true" - }, - "related": { - "ip": [ - "163.172.240.104" - ] } } @@ -268,10 +268,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email" ], "kind": "event", + "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence", "type": [ "info" - ], - "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence" + ] }, "vadesecure": { "campaign": { diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md index a3099ff5ff..2005edaad3 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md 
@@ -36,13 +36,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"uuid\": \"7a353625-99c9-435b-a4b6-b1137a5e6edb\",\n \"actor\": {\n \"id\": \"2pHxMaUZr2yoej9R2Lsf4\",\n \"type\": \"SystemPrincipal\",\n \"alternateId\": \"system@okta.com\",\n \"detailEntry\": null,\n \"displayName\": \"Okta System\"\n },\n \"client\": {\n \"id\": null,\n \"zone\": \"null\",\n \"device\": \"Computer\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Windows 10\",\n \"browser\": \"CHROME\",\n \"rawUserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Org2org\",\n \"detailEntry\": null,\n \"displayName\": \"SAML 2.0 IdP\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.auth_via_IDP\",\n \"published\": \"2022-11-15T08:04:22.213Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"Authenticate user via IDP\",\n \"legacyEventType\": 
\"core.user_auth.idp.saml.login_success\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": \"IDP Instance\",\n \"credentialType\": \"ASSERTION\",\n \"externalSessionId\": \"kjrgFtXuZnABQV9Vq1A2c\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": \"FEDERATION\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "system-log", "action": "user.authentication.auth_via_IDP", - "reason": "Authenticate user via IDP", "category": [ "authentication" ], + "dataset": "system-log", + "kind": "event", + "reason": "Authenticate user via IDP", "type": [ "start" ] 
@@ -51,77 +51,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "Okta" }, - "source": { - "ip": "1.2.3.4", - "domain": "example.org", - "as": { - "number": 3741, - "organization": { - "name": "Easttel" - } - }, - "geo": { - "city_name": "Paris", - "region_name": "Ile-de-France", - "country_name": "France", - "location": { - "lat": 48.856944, - "lon": 2.351389 - } - }, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" - }, - "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", - "email": "john.doe@example.org", - "full_name": "John Doe" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", - "name": "Chrome", - "device": { - "name": "Other" - }, - "version": "107.0.0", - "os": { - "name": "Windows", - "version": "10" - } - }, "okta": { "system": { - "severity": "INFO", "actor": { - "id": "2pHxMaUZr2yoej9R2Lsf4", - "type": "SystemPrincipal", "alternate_id": "system@okta.com", - "display_name": "Okta System" - }, - "transaction": { - "id": "jI80snAs0ZMym5tvc8Jbp", - "type": "WEB" + "display_name": "Okta System", + "id": "2pHxMaUZr2yoej9R2Lsf4", + "type": "SystemPrincipal" }, "authentication_context": { - "interface": "IDP Instance", "authentication": { "provider": "FEDERATION" }, "credential": { "type": "ASSERTION" }, - "external_session_id": "kjrgFtXuZnABQV9Vq1A2c" + "external_session_id": "kjrgFtXuZnABQV9Vq1A2c", + "interface": "IDP Instance" }, "outcome": { "result": "SUCCESS" }, + "severity": "INFO", "target": { "alternateId": "Org2org", "displayName": "SAML 2.0 IdP", "id": "kdYO9RZnIHNhV6vii333b", "type": "AppInstance" + }, + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" } } }, 
@@ -135,87 +95,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] - } - } - - ``` - - -=== "test_auth_via_mfa.json" - - ```json - - { - "message": "{\n \"uuid\": \"cb9a43c9-a765-49ba-b2d5-7b9a263d4061\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": null,\n \"zone\": \"null\",\n \"device\": \"Computer\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Windows 10\",\n \"browser\": \"CHROME\",\n \"rawUserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": \"75000\",\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AuthenticatorEnrollment\",\n \"alternateId\": \"unknown\",\n \"detailEntry\": {\n \"methodTypeUsed\": \"Password\",\n \"methodUsedVerifiedProperties\": \"[USER_PRESENCE]\"\n },\n \"displayName\": \"Password\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.auth_via_mfa\",\n \"published\": 
\"2022-11-02T12:00:00.000Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"Authentication of user via MFA\",\n \"legacyEventType\": \"core.user.factor.attempt_success\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"kjrgFtXuZnABQV9Vq1A2c\",\n \"authenticationStep\": 0,\n \"credentialProvider\": \"OKTA_CREDENTIAL_PROVIDER\",\n \"authenticationProvider\": \"FACTOR_PROVIDER\"\n }\n}\n", - "event": { - "kind": "event", - "dataset": "system-log", - "action": "user.authentication.auth_via_mfa", - "reason": "Authentication of user via MFA", - "category": [ - "authentication" - ], - "type": [ - "start" - ] - }, - "@timestamp": "2022-11-02T12:00:00Z", - "observer": { - "vendor": "Okta" }, "source": { - "ip": "1.2.3.4", - "domain": "example.org", + "address": "example.org", "as": { "number": 3741, "organization": { "name": "Easttel" } }, + "domain": "example.org", "geo": { "city_name": "Paris", - "region_name": "Ile-de-France", "country_name": "France", - "postal_code": "75000", "location": { "lat": 48.856944, "lon": 2.351389 - } + }, + "region_name": "Ile-de-France" }, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" }, "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", "email": "john.doe@example.org", - "full_name": "John Doe" + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", - "name": "Chrome", "device": { "name": 
"Other" }, - "version": "107.0.0", + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Windows", "version": "10" - } + }, + "version": "107.0.0" + } + } + + ``` + + +=== "test_auth_via_mfa.json" + + ```json + + { + "message": "{\n \"uuid\": \"cb9a43c9-a765-49ba-b2d5-7b9a263d4061\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": null,\n \"zone\": \"null\",\n \"device\": \"Computer\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Windows 10\",\n \"browser\": \"CHROME\",\n \"rawUserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": \"75000\",\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AuthenticatorEnrollment\",\n \"alternateId\": \"unknown\",\n \"detailEntry\": {\n \"methodTypeUsed\": \"Password\",\n \"methodUsedVerifiedProperties\": \"[USER_PRESENCE]\"\n },\n \"displayName\": \"Password\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n 
\"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.auth_via_mfa\",\n \"published\": \"2022-11-02T12:00:00.000Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"Authentication of user via MFA\",\n \"legacyEventType\": \"core.user.factor.attempt_success\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"kjrgFtXuZnABQV9Vq1A2c\",\n \"authenticationStep\": 0,\n \"credentialProvider\": \"OKTA_CREDENTIAL_PROVIDER\",\n \"authenticationProvider\": \"FACTOR_PROVIDER\"\n }\n}\n", + "event": { + "action": "user.authentication.auth_via_mfa", + "category": [ + "authentication" + ], + "dataset": "system-log", + "kind": "event", + "reason": "Authentication of user via MFA", + "type": [ + "start" + ] + }, + "@timestamp": "2022-11-02T12:00:00Z", + "observer": { + "vendor": "Okta" }, "okta": { "system": { - "severity": "INFO", "actor": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "type": "User", "alternate_id": "john.doe@example.org", - "display_name": "John Doe" - }, - "transaction": { - "id": "jI80snAs0ZMym5tvc8Jbp", - "type": "WEB" + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" }, "authentication_context": { "authentication": { @@ -228,6 +182,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "outcome": { "result": "SUCCESS" + }, + "severity": "INFO", + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" } } }, 
@@ -241,97 +200,96 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] - } - } - - ``` - - -=== "test_authentication_sso.json" - - ```json - - { - "message": "{\n \"uuid\": \"ea4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": 
\"user.authentication.sso\",\n \"published\": \"2022-11-15T08:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", - "event": { - "kind": "event", - "dataset": "system-log", - "action": "user.authentication.sso", - "reason": "User single sign on to app", - "category": [ - "authentication" - ], - "type": [ - "start" - ] - }, - "@timestamp": "2022-11-15T08:05:07.656000Z", - "observer": { - "vendor": "Okta" }, "source": { - "ip": "1.2.3.4", - "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg" - }, - "domain": "example.org", + "address": "example.org", "as": { "number": 3741, "organization": { "name": "Easttel" } }, + "domain": "example.org", "geo": { "city_name": "Paris", - "region_name": "Ile-de-France", "country_name": "France", "location": { "lat": 48.856944, "lon": 2.351389 - } + }, + "postal_code": "75000", + "region_name": "Ile-de-France" }, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" }, "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", "email": "john.doe@example.org", - "full_name": "John Doe" + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" }, "user_agent": { - "original": "axios/0.19.2", "device": { "name": "Other" }, - "name": "axios", - "version": "0.19.2", + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { - "name": "Other" - } + "name": "Windows", + "version": "10" + }, + "version": "107.0.0" + } + } + + ``` + + +=== "test_authentication_sso.json" + + ```json + + { + "message": "{\n \"uuid\": \"ea4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n 
\"severity\": \"INFO\",\n \"eventType\": \"user.authentication.sso\",\n \"published\": \"2022-11-15T08:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "dataset": "system-log", + "kind": "event", + "reason": "User single sign on to app", + "type": [ + "start" + ] + }, + "@timestamp": "2022-11-15T08:05:07.656000Z", + "observer": { + "vendor": "Okta" }, "okta": { "system": { - "severity": "INFO", "actor": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "type": "User", "alternate_id": "john.doe@example.org", - "display_name": "John Doe" - }, - "transaction": { - "id": "jI80snAs0ZMym5tvc8Jbp", - "type": "WEB" + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" }, "outcome": { "result": "SUCCESS" }, + "severity": "INFO", "target": { "alternateId": "Architecture Website", "displayName": "OpenID Connect Client", "id": "kdYO9RZnIHNhV6vii333b", "type": "AppInstance" + }, + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" } } }, 
@@ -345,111 +303,153 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "john.doe@example.org" ] - } - } - - ``` - - -=== "test_authentication_sso_failure.json" - - ```json - - { - "message": "{\n \"uuid\": \"fa4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": \"INVALID_CREDENTIALS\",\n \"result\": \"FAILURE\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.sso\",\n \"published\": \"2022-12-16T17:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n 
\"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", - "event": { - "kind": "event", - "dataset": "system-log", - "action": "user.authentication.sso", - "reason": "User single sign on to app", - "category": [ - "authentication" - ], - "type": [ - "start" - ] - }, - "@timestamp": "2022-12-16T17:05:07.656000Z", - "observer": { - "vendor": "Okta" }, "source": { - "ip": "1.2.3.4", - "user": { - "id": "fWiaLPtSTpjyy1BIwNFXg" - }, - "domain": "example.org", + "address": "example.org", "as": { "number": 3741, "organization": { "name": "Easttel" } }, + "domain": "example.org", "geo": { "city_name": "Paris", - "region_name": "Ile-de-France", "country_name": "France", "location": { "lat": 48.856944, "lon": 2.351389 - } + }, + "region_name": "Ile-de-France" }, - "address": "example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", "top_level_domain": "org", - "registered_domain": "example.org" + "user": { + "id": "eWiaLPtSTpjyy1BIwNFXg" + } }, "user": { - "id": "fWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", "email": "john.doe@example.org", - "full_name": "John Doe" + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" }, "user_agent": { - "original": "axios/0.19.2", "device": { "name": "Other" }, "name": "axios", - "version": "0.19.2", + "original": "axios/0.19.2", "os": { "name": "Other" - } + }, + "version": "0.19.2" + } + } + + ``` + + +=== "test_authentication_sso_failure.json" + + ```json + + { + "message": "{\n \"uuid\": 
\"fa4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"fWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": \"INVALID_CREDENTIALS\",\n \"result\": \"FAILURE\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.sso\",\n \"published\": \"2022-12-16T17:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n 
\"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "dataset": "system-log", + "kind": "event", + "reason": "User single sign on to app", + "type": [ + "start" + ] + }, + "@timestamp": "2022-12-16T17:05:07.656000Z", + "observer": { + "vendor": "Okta" }, "okta": { "system": { - "severity": "INFO", "actor": { - "id": "fWiaLPtSTpjyy1BIwNFXg", - "type": "User", "alternate_id": "john.doe@example.org", - "display_name": "John Doe" - }, - "transaction": { - "id": "jI80snAs0ZMym5tvc8Jbp", - "type": "WEB" + "display_name": "John Doe", + "id": "fWiaLPtSTpjyy1BIwNFXg", + "type": "User" }, "outcome": { "reason": "INVALID_CREDENTIALS", "result": "FAILURE" }, + "severity": "INFO", "target": { "alternateId": "Architecture Website", "displayName": "OpenID Connect Client", "id": "kdYO9RZnIHNhV6vii333b", "type": "AppInstance" + }, + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" + } + } + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + }, + "source": { + "address": "example.org", + "as": { + "number": 3741, + "organization": { + "name": "Easttel" } + }, + "domain": "example.org", + "geo": { + "city_name": "Paris", + "country_name": "France", + "location": { + "lat": 48.856944, + "lon": 2.351389 + }, + "region_name": "Ile-de-France" + }, + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org", + "user": { + "id": "fWiaLPtSTpjyy1BIwNFXg" } }, - "related": { - "hosts": [ - "example.org" - ], - "ip": [ - "1.2.3.4" - ], - "user": [ - "john.doe@example.org" - ] + "user": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": 
"fWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "axios", + "original": "axios/0.19.2", + "os": { + "name": "Other" + }, + "version": "0.19.2" } } @@ -463,13 +463,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"client\": {\n \"zone\": \"OFF_NETWORK\",\n \"device\": \"Unknown\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"UNKNOWN-DOWNLOAD\"\n },\n \"ipAddress\": \"12.97.85.90\"\n },\n \"actor\": {\n \"id\": \"00u1qw1mqitPHM8AJ0g7\",\n \"type\": \"User\",\n \"alternateId\": \"admin@example.com\",\n \"displayName\": \"John Doe\"\n },\n \"outcome\": {\n \"result\": \"SUCCESS\"\n },\n \"uuid\": \"f790999f-fe87-467a-9880-6982a583986c\",\n \"published\": \"2017-09-30T22:23:07.777Z\",\n \"eventType\": \"user.session.start\",\n \"displayMessage\": \"User login to Okta\",\n \"transaction\": {\n \"type\": \"WEB\",\n \"id\": \"V04Oy4ubUOc5UuG6s9DyNQAABtc\"\n },\n \"debugContext\": {\n \"debugData\": {\n \"requestUri\": \"/login/do-login\"\n }\n },\n \"legacyEventType\": \"core.user_auth.login_success\",\n \"authenticationContext\": {\n \"authenticationStep\": 0,\n \"externalSessionId\": \"1013FfF-DKQSvCI4RVXChzX-w\"\n }\n}\n", "event": { - "kind": "event", - "dataset": "system-log", "action": "user.session.start", - "reason": "User login to Okta", "category": [ "session" ], + "dataset": "system-log", + "kind": "event", + "reason": "User login to Okta", "type": [ "start" ] 
@@ -478,34 +478,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "Okta" }, - "source": { - "ip": "12.97.85.90", - "address": "12.97.85.90" - }, - "user": { - "id": "00u1qw1mqitPHM8AJ0g7", - "name": "admin@example.com", - "email": "admin@example.com", - "full_name": "John Doe" - }, "okta": { "system": { - "severity": "INFO", "actor": { - "id": "00u1qw1mqitPHM8AJ0g7", - "type": "User", "alternate_id": "admin@example.com", - "display_name": "John Doe" + "display_name": "John Doe", + "id": "00u1qw1mqitPHM8AJ0g7", + "type": "User" }, - "transaction": { - "id": "V04Oy4ubUOc5UuG6s9DyNQAABtc", - "type": "WEB" + "authentication_context": { + "external_session_id": "1013FfF-DKQSvCI4RVXChzX-w" }, "outcome": { "result": "SUCCESS" }, - "authentication_context": { - "external_session_id": "1013FfF-DKQSvCI4RVXChzX-w" + "severity": "INFO", + "transaction": { + "id": "V04Oy4ubUOc5UuG6s9DyNQAABtc", + "type": "WEB" } } }, @@ -516,6 +506,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "admin@example.com" ] + }, + "source": { + "address": "12.97.85.90", + "ip": "12.97.85.90" + }, + "user": { + "email": "admin@example.com", + "full_name": "John Doe", + "id": "00u1qw1mqitPHM8AJ0g7", + "name": "admin@example.com" } } 
@@ -529,13 +529,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"uuid\": \"d34ae6a4-b9d1-4885-b7ff-59e96829d5fc\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": null,\n \"zone\": \"null\",\n \"device\": \"Computer\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Windows 10\",\n \"browser\": \"CHROME\",\n \"rawUserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": \"75000\",\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"system.push.send_factor_verify_push\",\n \"published\": \"2022-11-01T11:04:00.364Z\",\n \"transaction\": {\n \"id\": \"Y3NH1qHvAmGouHz6XfAtaQAABNU\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"A push was sent to a user for verification\",\n \"legacyEventType\": null,\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n 
},\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"kjrgFtXuZnABQV9Vq1A2c\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", "event": { - "kind": "event", - "dataset": "system-log", "action": "system.push.send_factor_verify_push", - "reason": "A push was sent to a user for verification", "category": [ "authentication" ], + "dataset": "system-log", + "kind": "event", + "reason": "A push was sent to a user for verification", "type": [ "start" ] 
@@ -544,78 +544,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "Okta" }, + "okta": { + "system": { + "actor": { + "alternate_id": "john.doe@example.org", + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" + }, + "authentication_context": { + "external_session_id": "kjrgFtXuZnABQV9Vq1A2c" + }, + "outcome": { + "result": "SUCCESS" + }, + "severity": "INFO", + "transaction": { + "id": "Y3NH1qHvAmGouHz6XfAtaQAABNU", + "type": "WEB" + } + } + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + }, "source": { - "ip": "1.2.3.4", - "domain": "example.org", + "address": "example.org", "as": { "number": 3741, "organization": { "name": "Easttel" } }, + "domain": "example.org", "geo": { "city_name": "Paris", - "region_name": "Ile-de-France", "country_name": "France", - "postal_code": "75000", "location": { "lat": 48.856944, "lon": 2.351389 - } + }, + "postal_code": "75000", + "region_name": "Ile-de-France" }, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" }, "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", "email": "john.doe@example.org", - "full_name": "John Doe" + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", - "name": "Chrome", "device": { "name": "Other" }, - "version": "107.0.0", + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36", "os": { "name": "Windows", "version": "10" - } - }, - "okta": { - "system": { - "severity": "INFO", - "actor": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - 
"type": "User", - "alternate_id": "john.doe@example.org", - "display_name": "John Doe" - }, - "transaction": { - "id": "Y3NH1qHvAmGouHz6XfAtaQAABNU", - "type": "WEB" - }, - "outcome": { - "result": "SUCCESS" - }, - "authentication_context": { - "external_session_id": "kjrgFtXuZnABQV9Vq1A2c" - } - } - }, - "related": { - "hosts": [ - "example.org" - ], - "ip": [ - "1.2.3.4" - ], - "user": [ - "john.doe@example.org" - ] + }, + "version": "107.0.0" } } 
@@ -628,19 +628,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "\t\n{\"actor\":{\"id\":\"00u42g1huy7jGFsKX697\",\"type\":\"User\",\"alternateId\":\"john.doe@example.org\",\"displayName\":\"John Doe\",\"detailEntry\":null},\"client\":{\"userAgent\":{\"rawUserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0\",\"os\":\"Windows 10\",\"browser\":\"FIREFOX\"},\"zone\":\"null\",\"device\":\"Computer\",\"id\":\"okta.2b1959c8-bcc0-56eb-a589-cfcfb7422f26\",\"ipAddress\":\"1.2.3.4\",\"geographicalContext\":{\"city\":\"St-Malo\",\"state\":\"Brittany\",\"country\":\"France\",\"postalCode\":\"35400\",\"geolocation\":{\"lat\":48.6508,\"lon\":-2.0167}}},\"device\":null,\"authenticationContext\":{\"authenticationProvider\":null,\"credentialProvider\":null,\"credentialType\":null,\"issuer\":null,\"interface\":null,\"authenticationStep\":0,\"externalSessionId\":\"unknown\"},\"displayMessage\":\"User single sign on to app\",\"eventType\":\"user.authentication.sso\",\"outcome\":{\"result\":\"SUCCESS\",\"reason\":null},\"published\":\"2023-02-13T09:47:12.106Z\",\"securityContext\":{\"asNumber\":207215,\"asOrg\":\"habeum sas\",\"isp\":\"habeum sas\",\"domain\":\".\",\"isProxy\":false},\"severity\":\"INFO\",\"debugContext\":{\"debugData\":{\"initiationType\":\"NA\",\"redirectUri\":\"https://trial-7558749.okta.com/enduser/callback\",\"requestId\":\"Y-oHH0XgEgST5eLTP8DxiQAAA1c\",\"dtHash\":\"e79ed6baa52ce52628261203cb45d8e28bc6eff784eb2ea84df00c2a7fc6f915\",\"signOnMode\":\"OpenID 
Connect\",\"requestUri\":\"/oauth2/v1/token\",\"threatSuspected\":\"false\",\"url\":\"/oauth2/v1/token?\"}},\"legacyEventType\":\"app.auth.sso\",\"transaction\":{\"type\":\"WEB\",\"id\":\"Y-oHH0XgEgST5eLTP8DxiQAAA1c\",\"detail\":{}},\"uuid\":\"63c1bcb5-ab83-11ed-9b30-9968d65e9979\",\"version\":\"0\",\"request\":{\"ipChain\":[{\"ip\":\"1.2.3.4\",\"geographicalContext\":{\"city\":\"St-Malo\",\"state\":\"Brittany\",\"country\":\"France\",\"postalCode\":\"35400\",\"geolocation\":{\"lat\":48.6508,\"lon\":-2.0167}},\"version\":\"V4\",\"source\":null}]},\"target\":[{\"id\":\"0oa42g1hudoGAzC3z697\",\"type\":\"AppInstance\",\"alternateId\":\"Okta Dashboard\",\"displayName\":\"Okta Dashboard\",\"detailEntry\":{\"signOnModeType\":\"OPENID_CONNECT\"}},{\"id\":\"0ua42fzx6ndP18frF697\",\"type\":\"AppUser\",\"alternateId\":\"john.doe@example.org\",\"displayName\":\"John Doe\",\"detailEntry\":null}]}", - "@timestamp": "2023-02-13T09:47:12.106000Z", "event": { - "kind": "event", - "dataset": "system-log", "action": "user.authentication.sso", - "reason": "User single sign on to app", "category": [ "authentication" ], + "dataset": "system-log", + "kind": "event", + "reason": "User single sign on to app", "type": [ "start" ] }, + "@timestamp": "2023-02-13T09:47:12.106000Z", "observer": { "vendor": "Okta" }, @@ -652,6 +652,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "00u42g1huy7jGFsKX697", "type": "User" }, + "debug": { + "dtHash": "e79ed6baa52ce52628261203cb45d8e28bc6eff784eb2ea84df00c2a7fc6f915" + }, "outcome": { "result": "SUCCESS" }, @@ -665,9 +668,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "transaction": { "id": "Y-oHH0XgEgST5eLTP8DxiQAAA1c", "type": "WEB" - }, - "debug": { - "dtHash": "e79ed6baa52ce52628261203cb45d8e28bc6eff784eb2ea84df00c2a7fc6f915" } } }, 
@@ -736,13 +736,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"uuid\": \"b8d32533-0b5e-4081-b933-fb4433f25e95\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": null,\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"Okta-Integrations\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": \"75000\",\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.account.update_password\",\n \"published\": \"2022-11-15T08:00:41.468Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {\n \"requestApiTokenId\": \"REDACTED\"\n }\n },\n \"displayMessage\": \"User update password for Okta\",\n \"legacyEventType\": \"core.user.config.password_update.success\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n 
\"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"kjrgFtXuZnABQV9Vq1A2c\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", "event": { - "kind": "event", - "dataset": "system-log", "action": "user.account.update_password", - "reason": "User update password for Okta", "category": [ "iam" ], + "dataset": "system-log", + "kind": "event", + "reason": "User update password for Okta", "type": [ "change" ] 
@@ -751,76 +751,76 @@ Find below few samples of events and how they are normalized by Sekoia.io. "observer": { "vendor": "Okta" }, + "okta": { + "system": { + "actor": { + "alternate_id": "john.doe@example.org", + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" + }, + "authentication_context": { + "external_session_id": "kjrgFtXuZnABQV9Vq1A2c" + }, + "outcome": { + "result": "SUCCESS" + }, + "severity": "INFO", + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" + } + } + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + }, "source": { - "ip": "1.2.3.4", - "domain": "example.org", + "address": "example.org", "as": { "number": 3741, "organization": { "name": "Easttel" } }, + "domain": "example.org", "geo": { "city_name": "Paris", - "region_name": "Ile-de-France", "country_name": "France", - "postal_code": "75000", "location": { "lat": 48.856944, "lon": 2.351389 - } + }, + "postal_code": "75000", + "region_name": "Ile-de-France" }, - "address": "example.org", - "top_level_domain": "org", - "registered_domain": "example.org" + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" }, "user": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org", "email": "john.doe@example.org", - "full_name": "John Doe" + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" }, "user_agent": { - "original": "Okta-Integrations", "device": { "name": "Other" }, "name": "Other", + "original": "Okta-Integrations", "os": { "name": "Other" } - }, - "okta": { - "system": { - "severity": "INFO", - "actor": { - "id": "eWiaLPtSTpjyy1BIwNFXg", - "type": "User", - "alternate_id": "john.doe@example.org", - "display_name": "John Doe" - }, - "transaction": { - "id": "jI80snAs0ZMym5tvc8Jbp", - "type": "WEB" - }, - "outcome": { - "result": "SUCCESS" - }, - "authentication_context": { - "external_session_id": 
"kjrgFtXuZnABQV9Vq1A2c" - } - } - }, - "related": { - "hosts": [ - "example.org" - ], - "ip": [ - "1.2.3.4" - ], - "user": [ - "john.doe@example.org" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md index b9fb376fe5..32aed6a465 100644 --- a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md +++ b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md @@ -38,36 +38,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "AUD_It audit Pipin root OK 16 sep 2022 15:42:41.885007 No associated roles cmd: 1 arg: 0", "event": { - "kind": "event", + "action": "AUD_It", "category": [ "process" ], - "action": "AUD_It" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "Pipin" }, + "observer": { + "vendor": "IBM" + }, "process": { "args": "0", + "command_line": "1", "user": { "name": "root" - }, - "command_line": "1" - }, - "user": { - "name": "audit" + } }, "related": { "user": [ "audit" ] + }, + "user": { + "name": "audit" } } @@ -81,22 +81,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "AUD_Proc cron root root OK 25 sep 2022 23:10:00.924334 No associated roles pid: 0 cmd: 5", "event": { - "kind": "event", + "action": "AUD_Proc", "category": [ "process" ], - "action": "AUD_Proc" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "cron", "pid": 0, 
@@ -116,22 +116,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CRON_Finish cron root root OK 25 sep 2022 23:00:00.861158 No associated roles user = root pid = 3932756 time = Sun Sep 25 23:00:00 2022", "event": { - "kind": "event", + "action": "CRON_Finish", "category": [ "process" ], - "action": "CRON_Finish" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "cron", "pid": 3932756, @@ -151,28 +151,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CRON_Start cron root root OK 17 sep 2022 00:00:00.139458 No associated roles event = start cron job cmd = /usr/share/centrifydc/bin/logrotate.sh 2>&1 >> /var/log/centrify_logrotate.log time = Sat Sep 17 00:00:00 2022", "event": { - "kind": "event", + "action": "CRON_Start", "category": [ "process" ], - "action": "CRON_Start" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { + "command_line": "cron /usr/share/centrifydc/bin/logrotate.sh 2>&1 >> /var/log/centrify_logrotate.log", "name": "cron", "user": { "name": "root" - }, - "command_line": "cron /usr/share/centrifydc/bin/logrotate.sh 2>&1 >> /var/log/centrify_logrotate.log" + } } } 
@@ -186,18 +186,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FILE_Link dad root root OK 31 jul 2022 14:02:33.696402 No associated roles linkname /usr/bin/cdax/bsh filename /usr/bin/cdax/ksh93", "event": { - "kind": "event", + "action": "FILE_Link", "category": [ "process" ], - "action": "FILE_Link" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/usr/bin/cdax/ksh93", @@ -206,18 +203,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "dad" - }, "related": { "user": [ "dad" ] + }, + "user": { + "name": "dad" } } @@ -231,18 +231,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "filename /bin/cdax/ksh FILE_Link dad root root OK 31 jul 2022 15:02:33.597401 No associated roles", "event": { - "kind": "event", + "action": "FILE_Link", "category": [ "process" ], - "action": "FILE_Link" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/bin/cdax/ksh" @@ -250,18 +247,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "dad" - }, "related": { "user": [ "dad" ] + }, + "user": { + "name": "dad" } } 
@@ -275,34 +275,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": " FILE_Pipe Pipin root admin OK 10 Nov 2022 09:21:53.955363 No associated roles read: 7 write: 8", "event": { - "kind": "event", + "action": "FILE_Pipe", "category": [ "process" ], - "action": "FILE_Pipe" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "admin" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } @@ -316,18 +316,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FILE_Read tar Pipin root OK 10 Nov 2022 09:30:12.229710 No associated roles file descriptor = 1635083369 filename = t object read event detected /app1/coresec/active/BEKAL-CORE-01S.p12", "event": { - "kind": "event", + "action": "FILE_Read", "category": [ "process" ], - "action": "FILE_Read" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "t" @@ -335,6 +332,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "Pipin" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "tar", "user": { 
@@ -353,18 +353,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FILE_Rename BESClient root root OK 25 sep 2022 22:33:21.081155 No associated roles frompath: /var/opt/BESClient/besclient.config.tmp topath: /var/opt/BESClient/besclient.config", "event": { - "kind": "event", + "action": "FILE_Rename", "category": [ "process" ], - "action": "FILE_Rename" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": " /var/opt/BESClient/besclient.config", @@ -373,18 +370,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "BESClient" - }, "related": { "user": [ "BESClient" ] + }, + "user": { + "name": "BESClient" } } @@ -398,18 +398,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "SRC_Start srcmstr root root OK 21 sep 2022 00:00:08.467005 No associated roles syslog_ng", "event": { - "kind": "event", + "action": "SRC_Start", "category": [ "process" ], - "action": "SRC_Start" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "syslog_ng" @@ -417,6 +414,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "srcmstr", "user": { 
@@ -435,18 +435,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FILE_Unlink Pipin root root OK 25 sep 2022 23:14:20.756159 No associated roles filename /var/adm/nim/glock", "event": { - "kind": "event", + "action": "FILE_Unlink", "category": [ "process" ], - "action": "FILE_Unlink" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/var/adm/nim/glock" @@ -454,18 +451,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } @@ -479,18 +479,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FS_Chroot sshd root root OK 23 sep 2022 17:14:21.748158 No associated roles change root directory to: /var/empty", "event": { - "kind": "event", + "action": "FS_Chroot", "category": [ "process" ], - "action": "FS_Chroot" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/var/empty" @@ -498,6 +495,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "sshd", "user": { 
@@ -516,18 +516,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FS_Mkdir Pipin root root OK 25 sep 2022 23:04:23.825394 No associated roles mode: 755 dir: /var/adm/nim/6292044", "event": { - "kind": "event", + "action": "FS_Mkdir", "category": [ "process" ], - "action": "FS_Mkdir" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "directory": "/var/adm/nim/6292044" @@ -535,18 +532,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } @@ -560,18 +560,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "FS_Rmdir rm root root OK 25 sep 2022 23:14:20.859389 No associated roles remove of directory: /var/adm/nim/6292046", "event": { - "kind": "event", + "action": "FS_Rmdir", "category": [ "process" ], - "action": "FS_Rmdir" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "directory": "/var/adm/nim/6292046" @@ -579,6 +576,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "rm", "user": { 
@@ -597,22 +597,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_Adjtime xntpd root root OK 25 sep 2022 21:57:37.226128 No associated roles old time: 01 jan 1970 01:00:00.1664135, delta: 226172812:0", "event": { - "kind": "event", + "action": "PROC_Adjtime", "category": [ "process" ], - "action": "PROC_Adjtime" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "xntpd", "user": { @@ -631,32 +631,32 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_Execute sh root Pipin FAIL 22 Nov 2022 10:20:32.056053 No associated roles euid: 503 egid: 403 epriv: 0:0 name sh -c /app/DB2/11.1/instance/db2iset -i Pipin DB2AUTOSTART 2>&1 ", "event": { - "kind": "event", + "action": "PROC_Execute", "category": [ "process" ], - "action": "PROC_Execute" + "kind": "event" }, "action": { - "target": "process", - "status": "FAIL" - }, - "observer": { - "vendor": "IBM" + "status": "FAIL", + "target": "process" }, "file": { "name": "-c" }, "group": { - "name": "root", - "id": "403" + "id": "403", + "name": "root" + }, + "observer": { + "vendor": "IBM" }, "process": { + "command_line": "sh -c /app/DB2/11.1/instance/db2iset -i Pipin DB2AUTOSTART 2>&1 ", "name": "sh", "user": { "name": "Pipin" - }, - "command_line": "sh -c /app/DB2/11.1/instance/db2iset -i Pipin DB2AUTOSTART 2>&1 " + } }, "user": { "id": "503" 
@@ -673,22 +673,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_Kill rsyslogd root root OK 25 sep 2022 23:14:20.816166 No associated roles pid: 3605020, sig: 22", "event": { - "kind": "event", + "action": "PROC_Kill", "category": [ "process" ], - "action": "PROC_Kill" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "rsyslogd", "pid": 3605020, @@ -708,21 +708,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_LoadError perl5.28.1 root root FAIL 25 sep 2022 23:12:21.397204 No associated roles flags: 80, libpath: , file: /usr/lib/nls/loc/C C C C C C", "event": { - "kind": "event", + "action": "PROC_LoadError", "category": [ "process" ], - "action": "PROC_LoadError" + "kind": "event" }, "action": { "target": "process" }, - "observer": { - "vendor": "IBM" - }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "perl5.28.1", "user": { @@ -741,22 +741,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_RealGID rm_mlcache_file root root OK 25 sep 2022 21:13:31.584159 No associated roles old rgid: 0, new gid: 0, which: egid", "event": { - "kind": "event", + "action": "PROC_RealGID", "category": [ "process" ], - "action": "PROC_RealGID" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "rm_mlcache_file", "user": { 
@@ -775,22 +775,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_SetGroups cron root root OK 25 sep 2022 23:00:00.835203 No associated roles group set: system,bin,sys,security,cron,audit,lp,ivmgr,apache", "event": { - "kind": "event", + "action": "PROC_SetGroups", "category": [ "process" ], - "action": "PROC_SetGroups" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "cron", "user": { @@ -809,22 +809,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_SetUserIDs db2fm root db2inst1 OK 22 Nov 2022 14:19:42.790048 No associated roles effect: 503, real: 503, saved: -1, login: -1#012", "event": { - "kind": "event", + "action": "PROC_SetUserIDs", "category": [ "process" ], - "action": "PROC_SetUserIDs" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "db2inst1" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "db2fm", "user": { @@ -843,22 +843,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_SetUserIDs db2fm root db2inst1 OK 22 Nov 2022 14:19:42.790048 No associated roles effect: 503, real: 503, saved: -1, login: -1012", "event": { - "kind": "event", + "action": "PROC_SetUserIDs", "category": [ "process" ], - "action": "PROC_SetUserIDs" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "db2inst1" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "db2fm", "user": { 
@@ -877,22 +877,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "PROC_Sysconfig exportfs root root OK 25 sep 2022 23:14:20.836155 No associated roles 3", "event": { - "kind": "event", + "action": "PROC_Sysconfig", "category": [ "process" ], - "action": "PROC_Sysconfig" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "exportfs", "user": { @@ -911,18 +911,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "S_PASSWD_READ cron root root OK 25 sep 2022 23:10:00.924334 No associated roles audit object read event detected /etc/security/passwd", "event": { - "kind": "event", + "action": "S_PASSWD_READ", "category": [ "process" ], - "action": "S_PASSWD_READ" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/etc/security/passwd" @@ -930,18 +927,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "cron" - }, "related": { "user": [ "cron" ] + }, + "user": { + "name": "cron" } } 
@@ -955,18 +955,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "S_USER_WRITE vi Pipin root OK 21 sep 2022 10:26:12.893117 No associated roles audit object write event detected /etc/security/user", "event": { - "kind": "event", + "action": "S_USER_WRITE", "category": [ "process" ], - "action": "S_USER_WRITE" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/etc/security/user" @@ -974,16 +971,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "vi" }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } @@ -997,35 +997,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "TCP_kaccept Pipin root root OK 25 sep 2022 23:09:25.544152 No associated roles fd14 Port 10.30.134.100 1022 kx5frsip01-a nimaux", "event": { - "kind": "event", + "action": "TCP_kaccept", "category": [ "process" ], - "action": "TCP_kaccept" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "source": { - "port": 1022, - "ip": "10.30.134.100", - "address": "10.30.134.100" - }, - "user": { - "name": "Pipin" - }, "related": { "ip": [ "10.30.134.100" @@ -1033,6 +1025,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": [ "Pipin" ] + }, + "source": { + "address": "10.30.134.100", + "ip": "10.30.134.100", + "port": 1022 + }, + "user": { + "name": "Pipin" } } 
@@ -1046,18 +1046,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "TCP_kbind Pipin root root OK 25 sep 2022 23:14:20.826159 No associated roles fd11 /dev/.SRC-unix/SRC0006292046YEya", "event": { - "kind": "event", + "action": "TCP_kbind", "category": [ "process" ], - "action": "TCP_kbind" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/dev/.SRC-unix/SRC0006292046YEya" @@ -1065,18 +1062,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } @@ -1090,34 +1090,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "TCP_klisten Pipin root root OK 31 jul 2022 10:21:24.798402 0 fd15 qlimit 1", "event": { - "kind": "event", + "action": "TCP_klisten", "category": [ "process" ], - "action": "TCP_klisten" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "user": { "name": "root" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } 
@@ -1131,18 +1131,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "flags: 80, libpath: , file: /usr/lib/security/DCE USER_Login sshd root root OK 29 jul 2022 09:58:03.091427 No associated roles", "event": { - "kind": "event", + "action": "USER_Login", "category": [ "process" ], - "action": "USER_Login" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "file": { "name": "/usr/lib/security/DCE" @@ -1150,6 +1147,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "sshd", "user": { @@ -1168,22 +1168,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "USER_Login db2ckpw root Pipin OK 22 Nov 2022 13:41:34.586022 No associated roles user: Pipin tty: #012", "event": { - "kind": "event", + "action": "USER_Login", "category": [ "process" ], - "action": "USER_Login" + "kind": "event" }, "action": { - "target": "process", - "status": "OK" - }, - "observer": { - "vendor": "IBM" + "status": "OK", + "target": "process" }, "group": { "name": "root" }, + "observer": { + "vendor": "IBM" + }, "process": { "name": "db2ckpw", "tty": { @@ -1195,13 +1195,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Pipin" } }, - "user": { - "name": "Pipin" - }, "related": { "user": [ "Pipin" ] + }, + "user": { + "name": "Pipin" } } diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index 16b4e36c91..0031c13208 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md 
+++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md @@ -40,21 +40,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4700|7.0.1-1234-R5678|1154|Application Control Detection Alert|9|cat=0 gcat=3 smac=00:11:22:33:44:55 src=10.0.10.20 spt= 12345 deviceInboundInterface=X1 cs3Label=WAN dmac=12:cc:44:00:66:11 dst=10.0.20.30 dpt=49773 deviceOutboundInterface=X6-V320 cs4Label=WORKSTATION proto=tcp/https in=1240 app=49000 appName=\"General HTTPS\" sid=7900 appcat=\"PROTOCOLS\" appid=1234 catid=77 msg=\"Application Control Detection Alert: PROTOCOLS SSL/TLS Protocol -- TLSv1.2 Version, SID: 7900, AppID: 1200, CatID: 77\" msg=\"Application Control Detection Alert: PROTOCOLS SSL/TLS Protocol -- TLSv1.2 Version\" sid=7800 appcat=\"PROTOCOLS SSL/TLS Protocol -- TLSv1.2 Version\" appid=1234 catid=55 cnt=7800123 fw_action=\"NA\"", "event": { - "code": "1154", - "severity": 9, "category": [ "network" ], + "code": "1154", "kind": "alert", "reason": "Application Control Detection Alert: PROTOCOLS SSL/TLS Protocol -- TLSv1.2 Version, SID: 7900, AppID: 1200, CatID: 77", + "severity": 9, "type": [ "protocol" ] }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "10.0.20.30", + "bytes": 1240, + "ip": "10.0.20.30", + "mac": "12:cc:44:00:66:11", + "port": 49773 + }, + "host": { + "network": { + "ingress": { + "bytes": 1240 + } + } + }, + "network": { + "protocol": "https", + "transport": "tcp" + }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-1234-R5678", "egress": { "interface": { "name": "X6-V320" 
@@ -64,7 +82,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X1" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-1234-R5678" + }, + "process": { + "entity_id": "1234", + "name": "General HTTPS" + }, + "related": { + "ip": [ + "10.0.10.20", + "10.0.20.30" + ] }, "sonicwall": { "fw": { @@ -78,47 +109,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Application Control Detection Alert" }, "gcat": 3, - "sid": 7900, "gcatname": "Security Services", - "priority": "ALERT" - } - }, - "destination": { - "bytes": 1240, - "port": 49773, - "ip": "10.0.20.30", - "mac": "12:cc:44:00:66:11", - "address": "10.0.20.30" - }, - "host": { - "network": { - "ingress": { - "bytes": 1240 - } + "priority": "ALERT", + "sid": 7900 } }, - "network": { - "transport": "tcp", - "protocol": "https" - }, - "process": { - "entity_id": "1234", - "name": "General HTTPS" - }, "source": { + "address": "10.0.10.20", "ip": "10.0.10.20", "mac": "00:11:22:33:44:55", - "port": 12345, - "address": "10.0.10.20" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "10.0.10.20", - "10.0.20.30" - ] + "port": 12345 } } 
@@ -132,20 +132,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4500|7.0.1-1234-R5678|537|Connection Closed|4|cat=1024 gcat=6 src=12.3.123.123 spt=40000 deviceInboundInterface=X0-V12 cs3Label=LAN dmac=33:33:33:33:33:33 dst=22.3.4.55 dpt=55 deviceOutboundInterface=X0-V13 cs4Label=LAN proto=udp/dns out=77 in=99 cn2Label=1 cn1Label=1 cn3Label=33333 cs1=\"Default Access Rule\" app=49169 appName=\"General DNS\" cnt=2162123123 fw_action=\"NA\" dpi=0", "event": { - "code": "537", - "severity": 4, "category": [ "network" ], + "code": "537", "kind": "event", + "severity": 4, "type": [ "protocol" ] }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "22.3.4.55", + "bytes": 99, + "ip": "22.3.4.55", + "mac": "33:33:33:33:33:33", + "packets": 1, + "port": 55 + }, + "host": { + "network": { + "egress": { + "bytes": 77 + }, + "ingress": { + "bytes": 99 + } + } + }, + "network": { + "protocol": "dns", + "transport": "udp" + }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-1234-R5678", "egress": { "interface": { "name": "X0-V13" @@ -155,7 +177,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X0-V12" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-1234-R5678" + }, + "process": { + "name": "General DNS" + }, + "related": { + "ip": [ + "12.3.123.123", + "22.3.4.55" + ] + }, + "rule": { + "name": "Default Access Rule" }, "sonicwall": { "fw": { 
@@ -172,49 +209,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "priority": "INFO" } }, - "destination": { - "bytes": 99, - "port": 55, - "ip": "22.3.4.55", - "mac": "33:33:33:33:33:33", - "packets": 1, - "address": "22.3.4.55" - }, - "host": { - "network": { - "ingress": { - "bytes": 99 - }, - "egress": { - "bytes": 77 - } - } - }, - "network": { - "transport": "udp", - "protocol": "dns" - }, - "process": { - "name": "General DNS" - }, - "rule": { - "name": "Default Access Rule" - }, "source": { + "address": "12.3.123.123", "bytes": 77, "ip": "12.3.123.123", "packets": 1, - "port": 40000, - "address": "12.3.123.123" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "12.3.123.123", - "22.3.4.55" - ] + "port": 40000 } } @@ -228,20 +228,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4500|7.0.1-1234-R5678|98|Connection Opened|4|cat=262111 gcat=6 src=10.0.10.20 spt=12345 deviceInboundInterface=X6-V333 cs1Label=123.123.123.123 snpt=12345 dst=123.45.67.123 dpt=123 deviceOutboundInterface=X1 cs2Label=123.45.67.123 dnpt=123 susr=\"ABC\\user\" proto=tcp/https out=12 cs5Label=\"Auto\" app=12345 appName=\"General HTTPS\" cnt=1234567890 fw_action=\"NA\" dpi=0", "event": { - "code": "98", - "severity": 4, "category": [ "network" ], + "code": "98", "kind": "event", + "severity": 4, "type": [ "protocol" ] }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "123.45.67.123", + "ip": "123.45.67.123", + "nat": { + "ip": "123.45.67.123", + "port": 123 + }, + "port": 123 + }, + "host": { + "network": { + "egress": { + "bytes": 12 + } + } + }, + "network": { + "protocol": "https", + "transport": "tcp" + }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-1234-R5678", "egress": { "interface": { "name": "X1" 
@@ -251,7 +271,23 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X6-V333" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-1234-R5678" + }, + "process": { + "name": "General HTTPS" + }, + "related": { + "ip": [ + "10.0.10.20", + "123.123.123.123", + "123.45.67.123" + ], + "user": [ + "user" + ] }, "sonicwall": { "fw": { @@ -267,55 +303,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. "priority": "INFO" } }, - "destination": { - "port": 123, - "ip": "123.45.67.123", - "nat": { - "ip": "123.45.67.123", - "port": 123 - }, - "address": "123.45.67.123" - }, - "host": { - "network": { - "egress": { - "bytes": 12 - } - } - }, - "network": { - "transport": "tcp", - "protocol": "https" - }, - "process": { - "name": "General HTTPS" - }, "source": { + "address": "10.0.10.20", "bytes": 12, "ip": "10.0.10.20", "nat": { "ip": "123.123.123.123", "port": 12345 }, - "port": 12345, - "address": "10.0.10.20" + "port": 12345 }, "user": { - "name": "user", - "domain": "ABC" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "10.0.10.20", - "123.123.123.123", - "123.45.67.123" - ], - "user": [ - "user" - ] + "domain": "ABC", + "name": "user" } } 
@@ -329,21 +329,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4700|7.0.1-5000-R3000|1460|Capture ATP File Transfer Result|5|cat=1 gcat=3 src=10.0.10.20 spt=444 deviceInboundInterface=X6-V333 dst=123.45.67.123 dpt=123 deviceOutboundInterface=X1 proto=tcp/12345 in=1500 msg=\"Gateway Anti-Virus Status: SMB file restart detected. File forwarding to Sandbox truncated for filename: hello.xlsx.\" cnt=123456 fw_action=\"NA\" fileid=\"0b9999999999999999ff99\" filetxstatus=230", "event": { - "code": "1460", - "severity": 5, "category": [ "network" ], + "code": "1460", "kind": "event", "reason": "Gateway Anti-Virus Status: SMB file restart detected. File forwarding to Sandbox truncated for filename: hello.xlsx.", + "severity": 5, "type": [ "protocol" ] }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "123.45.67.123", + "bytes": 1500, + "ip": "123.45.67.123", + "port": 123 + }, + "file": { + "name": "hello.xlsx" + }, + "host": { + "network": { + "ingress": { + "bytes": 1500 + } + } + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-5000-R3000", "egress": { "interface": { "name": "X1" @@ -353,7 +372,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X6-V333" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-5000-R3000" + }, + "related": { + "ip": [ + "10.0.10.20", + "123.45.67.123" + ] }, "sonicwall": { "fw": { 
@@ -369,38 +397,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "priority": "INFO" } }, - "destination": { - "bytes": 1500, - "port": 123, - "ip": "123.45.67.123", - "address": "123.45.67.123" - }, - "file": { - "name": "hello.xlsx" - }, - "host": { - "network": { - "ingress": { - "bytes": 1500 - } - } - }, - "network": { - "transport": "tcp" - }, "source": { + "address": "10.0.10.20", "ip": "10.0.10.20", - "port": 444, - "address": "10.0.10.20" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "10.0.10.20", - "123.45.67.123" - ] + "port": 444 } } @@ -414,21 +414,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4500|7.0.1-1234-R5678|1574|Filename Logging|5|cat=0 gcat=3 smac=00:11:22:33:44:55 src=10.0.30.40 spt=12345 deviceInboundInterface=X3-V333 cs3Label=WORKSTATION dmac=66:77:88:99:00:11 dst=22.3.4.55 dpt=444 deviceOutboundInterface=X3-V33 cs4Label=LAN susr=\"USER\" proto=tcp/445 out=32701234 in=31445678 cs5Label=\"Auto\" cs1=\"555 (WORKSTATION->WORK)\" app=9876 msg=\"Filename: FILENAME\" cnt=123456789 fw_action=\"NA\" dpi=1", "event": { - "code": "1574", - "severity": 5, "category": [ "network" ], + "code": "1574", "kind": "event", "reason": "Filename: FILENAME", + "severity": 5, "type": [ "protocol" ] }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "22.3.4.55", + "bytes": 31445678, + "ip": "22.3.4.55", + "mac": "66:77:88:99:00:11", + "port": 444 + }, + "file": { + "name": "FILENAME" + }, + "host": { + "network": { + "egress": { + "bytes": 32701234 + }, + "ingress": { + "bytes": 31445678 + } + } + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-1234-R5678", "egress": { "interface": { "name": "X3-V33" 
@@ -438,7 +461,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X3-V333" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-1234-R5678" + }, + "related": { + "ip": [ + "10.0.30.40", + "22.3.4.55" + ], + "user": [ + "USER" + ] + }, + "rule": { + "name": "555 (WORKSTATION->WORK)" }, "sonicwall": { "fw": { @@ -456,53 +494,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "priority": "INFO" } }, - "destination": { - "bytes": 31445678, - "port": 444, - "ip": "22.3.4.55", - "mac": "66:77:88:99:00:11", - "address": "22.3.4.55" - }, - "file": { - "name": "FILENAME" - }, - "host": { - "network": { - "ingress": { - "bytes": 31445678 - }, - "egress": { - "bytes": 32701234 - } - } - }, - "network": { - "transport": "tcp" - }, - "rule": { - "name": "555 (WORKSTATION->WORK)" - }, "source": { + "address": "10.0.30.40", "bytes": 32701234, "ip": "10.0.30.40", "mac": "00:11:22:33:44:55", - "port": 12345, - "address": "10.0.30.40" + "port": 12345 }, "user": { "name": "USER" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "10.0.30.40", - "22.3.4.55" - ], - "user": [ - "USER" - ] } } 
@@ -516,21 +516,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|SonicWall|NSa 4500|7.0.1-1234-R5678|97|Syslog Website Accessed|4|cat=1024 gcat=2 smac=00:11:22:33:44:55 src=12.3.123.123 spt=60000 deviceInboundInterface=X0-V123 cs3Label=WORKSTATION cs1Label=123.123.123.123 snpt=12345 dmac=33:33:33:33:33:33 dst=123.3.4.55 dpt=444 deviceOutboundInterface=X1 cs4Label=WAN cs2Label=123.45.67.123 dnpt=444 susr=\"USER\" proto=tcp/https out=1234 in=4567 cs5Label=\"Auto\" cs1=\"WORKSTATIONS -> WEB\" app=2233 request=microsoft.com/ reason=22 Category-\"Computers\" cs6=\"Policy: Default Policy\" cnt=123456789 fw_action=\"drop\" dpi=1", "event": { - "code": "97", - "severity": 4, + "action": "dropped", "category": [ "network" ], + "code": "97", "kind": "event", + "severity": 4, "type": [ "denied" - ], - "action": "dropped" + ] + }, + "cef": { + "event_type": "base event" + }, + "destination": { + "address": "123.3.4.55", + "bytes": 4567, + "ip": "123.3.4.55", + "mac": "33:33:33:33:33:33", + "nat": { + "ip": "123.45.67.123", + "port": 444 + }, + "port": 444 + }, + "host": { + "network": { + "egress": { + "bytes": 1234 + }, + "ingress": { + "bytes": 4567 + } + } + }, + "network": { + "protocol": "https", + "transport": "tcp" }, "observer": { - "vendor": "SonicWall", - "type": "firewall", - "version": "7.0.1-1234-R5678", "egress": { "interface": { "name": "X1" @@ -540,7 +565,24 @@ Find below few samples of events and how they are normalized by Sekoia.io. "interface": { "name": "X0-V123" } - } + }, + "type": "firewall", + "vendor": "SonicWall", + "version": "7.0.1-1234-R5678" + }, + "related": { + "ip": [ + "12.3.123.123", + "123.123.123.123", + "123.3.4.55", + "123.45.67.123" + ], + "user": [ + "USER" + ] + }, + "rule": { + "name": "WORKSTATIONS -> WEB\" app=2233 request=microsoft.com/ reason=22 Category-\"Computers" }, "sonicwall": { "fw": { 
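Review bot: The regenerated "Syslog Website Accessed" sample still shows `rule.name` as `WORKSTATIONS -> WEB" app=2233 request=microsoft.com/ reason=22 Category-"Computers`, i.e. the CEF extension parser swallows the following `app=`, `request=`, `reason=` and `Category-` pairs into the `cs1` value once it meets the unbalanced quote in `Category-"Computers"`, and the new side carries no `url`/request field at all for an event whose `event.action` is `dropped` and `event.type` is `denied`. For a blocked-URL event the requested host is the indicator an analyst needs, so this output would hide it and also pollute `rule.name` for any correlation keyed on rule names. Whether the raw line is a verbatim SonicWall emission or a hand-written fixture is not visible here; either the fixture should be corrected (and the doc regenerated) or the parser should stop a quoted value at the next `key=` token rather than at the next `"`. Until then the page should carry a caveat next to this sample such as `Note: the rule name in this sample is truncated incorrectly because the source line contains an unescaped quote; the request URL is not extracted.`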
@@ -560,35 +602,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "priority": "INFO" } }, - "destination": { - "bytes": 4567, - "port": 444, - "ip": "123.3.4.55", - "mac": "33:33:33:33:33:33", - "nat": { - "ip": "123.45.67.123", - "port": 444 - }, - "address": "123.3.4.55" - }, - "host": { - "network": { - "ingress": { - "bytes": 4567 - }, - "egress": { - "bytes": 1234 - } - } - }, - "network": { - "transport": "tcp", - "protocol": "https" - }, - "rule": { - "name": "WORKSTATIONS -> WEB\" app=2233 request=microsoft.com/ reason=22 Category-\"Computers" - }, "source": { + "address": "12.3.123.123", "bytes": 1234, "ip": "12.3.123.123", "mac": "00:11:22:33:44:55", @@ -596,25 +611,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "123.123.123.123", "port": 12345 }, - "port": 60000, - "address": "12.3.123.123" + "port": 60000 }, "user": { "name": "USER" - }, - "cef": { - "event_type": "base event" - }, - "related": { - "ip": [ - "12.3.123.123", - "123.123.123.123", - "123.3.4.55", - "123.45.67.123" - ], - "user": [ - "USER" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md index 2e61271ad0..772d7dcc41 100644 --- a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md +++ b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md 
@@ -35,46 +35,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"malware_counters\":{\"total_alerts\":1,\"total_executed\":1,\"total_data_access\":1,\"total_external_communications\":1,\"total_affected_devices\":1},\"pups_counters\":{\"total_alerts\":1,\"total_executed\":1,\"total_data_access\":1,\"total_external_communications\":1,\"total_affected_devices\":1},\"exploit_counters\":{\"total_alerts\":1,\"total_executed\":1,\"total_data_access\":1,\"total_external_communications\":1,\"total_affected_devices\":1},\"program_blocked_counters\":{\"total_programs_blocked\":1},\"threats_by_av_counters\":{\"total_phishing_detected_by_av\":1,\"total_tracking_cookies_detected_by_av\":1,\"total_devices_blocked_by_av\":1,\"total_malware_urls_blocked_by_av\":1,\"total_intrusion_attempted_blocked_by_av\":1,\"total_dangerous_actions_blocked_by_av\":1}}", "event": { - "kind": "metric", "category": [ "host" ], + "kind": "metric", "type": [ "info" ] }, "aether": { - "malware_counters": { + "exploit_counters": { + "total_affected_devices": 1, "total_alerts": 1, - "total_executed": 1, "total_data_access": 1, - "total_external_communications": 1, - "total_affected_devices": 1 - }, - "pups_counters": { - "total_alerts": 1, "total_executed": 1, - "total_data_access": 1, - "total_external_communications": 1, - "total_affected_devices": 1 + "total_external_communications": 1 }, - "exploit_counters": { + "malware_counters": { + "total_affected_devices": 1, "total_alerts": 1, - "total_executed": 1, "total_data_access": 1, - "total_external_communications": 1, - "total_affected_devices": 1 + "total_executed": 1, + "total_external_communications": 1 }, "program_blocked_counters": { "total_programs_blocked": 1 }, + "pups_counters": { + "total_affected_devices": 1, + "total_alerts": 1, + "total_data_access": 1, + "total_executed": 1, + "total_external_communications": 1 + }, "threats_by_av_counters": { - "total_phishing_detected_by_av": 1, - 
"total_tracking_cookies_detected_by_av": 1, + "total_dangerous_actions_blocked_by_av": 1, "total_devices_blocked_by_av": 1, - "total_malware_urls_blocked_by_av": 1, "total_intrusion_attempted_blocked_by_av": 1, - "total_dangerous_actions_blocked_by_av": 1 + "total_malware_urls_blocked_by_av": 1, + "total_phishing_detected_by_av": 1, + "total_tracking_cookies_detected_by_av": 1 } } } 
@@ -89,49 +89,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"malware_category\":8,\"path\":\"http://somewhere.net/click?i=lw3Bilut*ZE_0\",\"number_of_occurrences\":1,\"action\":2,\"id\":\"ae485846-fb1b-561b-98da-a8426caf65fa\",\"site_name\":\"GROUPE CORP\",\"host_name\":\"PC01234\",\"device_type\":1,\"security_event_date\":\"2022-04-07T16:54:09Z\",\"ip_address\":\"11.22.33.44\",\"custom_group_folder_id\":\"c0594d69-c988-4b59-a43f-c6a9ba130483\",\"custom_group_folder_info\":[{\"name\":\"Root\",\"is_translatable\":true,\"type\":1},{\"name\":\"PC\",\"is_translatable\":null,\"type\":2},{\"name\":\"Lorem Ipsum Foo Bar\",\"is_translatable\":null,\"type\":2}]}", "event": { - "kind": "event", "category": [ "host" ], + "kind": "event", "type": [ "info" ] }, + "action": { + "id": 2, + "name": "Blocked" + }, "aether": { - "malware_category": 8, - "path": "http://somewhere.net/click?i=lw3Bilut*ZE_0", - "number_of_occurrences": 1, "action": 2, - "id": "ae485846-fb1b-561b-98da-a8426caf65fa", - "site_name": "GROUPE CORP", - "host_name": "PC01234", - "device_type": 1, - "security_event_date": "2022-04-07T16:54:09Z", - "ip_address": "11.22.33.44", "custom_group_folder_id": "c0594d69-c988-4b59-a43f-c6a9ba130483", "custom_group_folder_info": [ - "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}", + "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}", "{\"is_translatable\": null, \"name\": \"PC\", \"type\": 2}", - "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}" + "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}" ], - "malware_category_translated": "Malware URL" - }, - "action": { - "id": 2, - "name": "Blocked" + "device_type": 1, + "host_name": "PC01234", + "id": "ae485846-fb1b-561b-98da-a8426caf65fa", + "ip_address": "11.22.33.44", + "malware_category": 8, + "malware_category_translated": "Malware URL", + "number_of_occurrences": 1, + "path": 
"http://somewhere.net/click?i=lw3Bilut*ZE_0", + "security_event_date": "2022-04-07T16:54:09Z", + "site_name": "GROUPE CORP" }, "host": { "name": "PC01234", "type": "Workstation" }, - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, "related": { "ip": [ "11.22.33.44" ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" } } 
@@ -145,49 +145,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"malware_category\":8,\"path\":\"https://somewhere.net\",\"number_of_occurrences\":2,\"action\":2,\"id\":\"d8309d70-489d-5c62-97e3-2994e9dd8f17\",\"site_name\":\"GROUPE CORP\",\"host_name\":\"PC01234\",\"device_type\":1,\"security_event_date\":\"2022-04-07T16:40:43Z\",\"ip_address\":\"11.22.33.44\",\"custom_group_folder_id\":\"c0594d69-c988-4b59-a43f-c6a9ba130483\",\"custom_group_folder_info\":[{\"name\":\"Root\",\"is_translatable\":true,\"type\":1},{\"name\":\"PC\",\"is_translatable\":null,\"type\":2},{\"name\":\"Lorem Ipsum Foo Bar\",\"is_translatable\":null,\"type\":2}]}", "event": { - "kind": "event", "category": [ "host" ], + "kind": "event", "type": [ "info" ] }, + "action": { + "id": 2, + "name": "Blocked" + }, "aether": { - "malware_category": 8, - "path": "https://somewhere.net", - "number_of_occurrences": 2, "action": 2, - "id": "d8309d70-489d-5c62-97e3-2994e9dd8f17", - "site_name": "GROUPE CORP", - "host_name": "PC01234", - "device_type": 1, - "security_event_date": "2022-04-07T16:40:43Z", - "ip_address": "11.22.33.44", "custom_group_folder_id": "c0594d69-c988-4b59-a43f-c6a9ba130483", "custom_group_folder_info": [ - "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}", + "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}", "{\"is_translatable\": null, \"name\": \"PC\", \"type\": 2}", - "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}" + "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}" ], - "malware_category_translated": "Malware URL" - }, - "action": { - "id": 2, - "name": "Blocked" + "device_type": 1, + "host_name": "PC01234", + "id": "d8309d70-489d-5c62-97e3-2994e9dd8f17", + "ip_address": "11.22.33.44", + "malware_category": 8, + "malware_category_translated": "Malware URL", + "number_of_occurrences": 2, + "path": "https://somewhere.net", + "security_event_date": 
"2022-04-07T16:40:43Z", + "site_name": "GROUPE CORP" }, "host": { "name": "PC01234", "type": "Workstation" }, - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, "related": { "ip": [ "11.22.33.44" ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" } } 
@@ -201,51 +201,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"security_event_type\":13, \"malware_category\":8,\"path\":\"https://somewhere.com\",\"number_of_occurrences\":8,\"action\":2,\"id\":\"6527fc9f-90ba-54b6-9116-b032ade14c05\",\"site_name\":\"CORP\",\"host_name\":\"M0897\",\"device_type\":2,\"security_event_date\":\"2022-04-08T10:12:21Z\",\"ip_address\":\"11.22.33.44\",\"custom_group_folder_id\":\"c0594d69-c988-4b59-a43f-c6a9ba130483\",\"custom_group_folder_info\":[{\"name\":\"Root\",\"is_translatable\":true,\"type\":1},{\"name\":\"PC\",\"is_translatable\":null,\"type\":2},{\"name\":\"PC - Lock + Update + Patching (lundi au dimanche) + Fw\",\"is_translatable\":null,\"type\":2}]}\n", "event": { - "kind": "event", "category": [ "host" ], + "kind": "event", + "reason": "Malware URLs detected", "type": [ "info" - ], - "reason": "Malware URLs detected" + ] + }, + "action": { + "id": 2, + "name": "Blocked" }, "aether": { - "security_event_type": 13, - "malware_category": 8, - "path": "https://somewhere.com", - "number_of_occurrences": 8, "action": 2, - "id": "6527fc9f-90ba-54b6-9116-b032ade14c05", - "site_name": "CORP", - "host_name": "M0897", - "device_type": 2, - "security_event_date": "2022-04-08T10:12:21Z", - "ip_address": "11.22.33.44", "custom_group_folder_id": "c0594d69-c988-4b59-a43f-c6a9ba130483", "custom_group_folder_info": [ - "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}", + "{\"is_translatable\": null, \"name\": \"PC - Lock + Update + Patching (lundi au dimanche) + Fw\", \"type\": 2}", "{\"is_translatable\": null, \"name\": \"PC\", \"type\": 2}", - "{\"is_translatable\": null, \"name\": \"PC - Lock + Update + Patching (lundi au dimanche) + Fw\", \"type\": 2}" + "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}" ], - "malware_category_translated": "Malware URL" - }, - "action": { - "id": 2, - "name": "Blocked" + "device_type": 2, + "host_name": "M0897", + "id": 
"6527fc9f-90ba-54b6-9116-b032ade14c05", + "ip_address": "11.22.33.44", + "malware_category": 8, + "malware_category_translated": "Malware URL", + "number_of_occurrences": 8, + "path": "https://somewhere.com", + "security_event_date": "2022-04-08T10:12:21Z", + "security_event_type": 13, + "site_name": "CORP" }, "host": { "name": "M0897", "type": "Laptop" }, - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, "related": { "ip": [ "11.22.33.44" ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" } } 
@@ -262,34 +262,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "reason": "Intrusion Attempts detected" }, "aether": { - "security_event_type": 15, - "network_activity_type": 14, - "id": "aebfd1b7-a6ec-5a18-8c55-7be2b4c8562e", - "site_name": "CORP", - "host_name": "PC123", - "device_type": 2, - "security_event_date": "2022-04-08T10:15:31.737Z", - "ip_address": "11.22.33.44", "custom_group_folder_id": "c0594d69-c988-4b59-a43f-c6a9ba130483", "custom_group_folder_info": [ - "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}", + "{\"is_translatable\": null, \"name\": \"PC - Lock + Update + Patching (lundi au dimanche) + Fw\", \"type\": 2}", "{\"is_translatable\": null, \"name\": \"PC\", \"type\": 2}", - "{\"is_translatable\": null, \"name\": \"PC - Lock + Update + Patching (lundi au dimanche) + Fw\", \"type\": 2}" + "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}" ], - "network_activity_type_translated": "SmartArp" + "device_type": 2, + "host_name": "PC123", + "id": "aebfd1b7-a6ec-5a18-8c55-7be2b4c8562e", + "ip_address": "11.22.33.44", + "network_activity_type": 14, + "network_activity_type_translated": "SmartArp", + "security_event_date": "2022-04-08T10:15:31.737Z", + "security_event_type": 15, + "site_name": "CORP" }, "host": { "name": "PC123", "type": "Laptop" }, - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, "related": { "ip": [ "11.22.33.44" ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" } } 
@@ -303,51 +303,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"security_event_type\":1, \"malware_category\":8,\"path\":\"https://somewhere.net\",\"number_of_occurrences\":2,\"action\":2,\"id\":\"b597cc26-eb5d-5fc4-be0d-b86c08d2d91d\",\"site_name\":\"GROUPE CORP\",\"host_name\":\"PC01234\",\"device_type\":1,\"security_event_date\":\"2022-04-07T16:42:25Z\",\"ip_address\":\"11.22.33.44\",\"custom_group_folder_id\":\"c0594d69-c988-4b59-a43f-c6a9ba130483\",\"custom_group_folder_info\":[{\"name\":\"Root\",\"is_translatable\":true,\"type\":1},{\"name\":\"PC\",\"is_translatable\":null,\"type\":2},{\"name\":\"Lorem Ipsum Foo Bar\",\"is_translatable\":null,\"type\":2}]}", "event": { - "kind": "event", "category": [ "host" ], + "kind": "event", + "reason": "Malware detected", "type": [ "info" - ], - "reason": "Malware detected" + ] + }, + "action": { + "id": 2, + "name": "Blocked" }, "aether": { - "security_event_type": 1, - "malware_category": 8, - "path": "https://somewhere.net", - "number_of_occurrences": 2, "action": 2, - "id": "b597cc26-eb5d-5fc4-be0d-b86c08d2d91d", - "site_name": "GROUPE CORP", - "host_name": "PC01234", - "device_type": 1, - "security_event_date": "2022-04-07T16:42:25Z", - "ip_address": "11.22.33.44", "custom_group_folder_id": "c0594d69-c988-4b59-a43f-c6a9ba130483", "custom_group_folder_info": [ - "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}", + "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}", "{\"is_translatable\": null, \"name\": \"PC\", \"type\": 2}", - "{\"is_translatable\": null, \"name\": \"Lorem Ipsum Foo Bar\", \"type\": 2}" + "{\"is_translatable\": true, \"name\": \"Root\", \"type\": 1}" ], - "malware_category_translated": "Malware URL" - }, - "action": { - "id": 2, - "name": "Blocked" + "device_type": 1, + "host_name": "PC01234", + "id": "b597cc26-eb5d-5fc4-be0d-b86c08d2d91d", + "ip_address": "11.22.33.44", + "malware_category": 8, + 
"malware_category_translated": "Malware URL", + "number_of_occurrences": 2, + "path": "https://somewhere.net", + "security_event_date": "2022-04-07T16:42:25Z", + "security_event_type": 1, + "site_name": "GROUPE CORP" }, "host": { "name": "PC01234", "type": "Workstation" }, - "source": { - "ip": "11.22.33.44", - "address": "11.22.33.44" - }, "related": { "ip": [ "11.22.33.44" ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" } } 
@@ -361,102 +361,92 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"accessed_data\":true,\"action\":1,\"date\":\"2020-11-20T20:27:18.725Z\",\"device_id\":\"8b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"site_id\":\"8b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"event_id\":69608597,\"security_event_type\":18,\"event_type\":-86726288.19318274,\"dwell_time\":51373899,\"is_excluded\":true,\"hash\":\"009a9b4ff00946f9a5a5659dfe9086da\",\"host_name\":\"WIN_SERVER_XY\",\"item_name\":\"NameMalware\",\"made_external_connections\":true,\"path\":\"ThreatPath\",\"protection_mode\":5799409.122032538,\"reclassified_to_type\":-88047622.99579449,\"like_lihood_of_being_malicious\":-18274273.348011777,\"discard_motive\":-77046516.51787202,\"lock_plus_rule_id\":-22540451.640785083,\"user_name\":\"Username\",\"was_run\":true,\"source_ip\":\"SourceIPName\",\"source_machine_name\":\"SourceDeviceName\",\"source_user\":\"SourceUsername\",\"detection_technology\":\"DetectionTechnologyName\",\"exploit_technique\":\"ExploitTechnique\",\"risk\":true,\"description\":\"DeviceDescriptionName\",\"domain\":\"DeviceDomain\",\"detected_by\":68864810.84915292,\"device_type\":-73108038.14936246,\"platform_id\":-70290399.75311546,\"excluded\":true,\"file_info_discard\":\"FileIndentifierHash\",\"id\":\"8b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"ip_address\":\"192.168.0.123\",\"malware_name\":\"MalwareName\",\"malware_category\":-85107213.72887051,\"malware_type\":-62357590.74048821,\"number_of_occurrences\":20674256,\"security_event_date\":\"2021-07-20T20:27:18.725Z\",\"site_name\":\"SiteName\",\"network_activity_type\":-85774927.58794248,\"direction\":50845497.54724711,\"protocol\":-86318449.566446,\"local_endpoint\":{},\"remote_endpoint\":{},\"firewall_rule_definition\":{},\"rule_id\":\"8b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"rule_name\":\"RuleName\",\"rule_configuration_id\":\"9b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"rule_obsolete\":false,\"alias\":\"AliasName\",\"instance_id\":\"9b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"type\":-51429435.96722382,\"rule_risk\":-54492359.89028178,\"rule_mitre\":\"tactic: TA0006, technique: T1003\",\"status\":31156035.444223955,\"endpoint_event_date\":\"2021-07-20T20:27:18.725Z\",\"filed_date\":\"2021-07-20T20:27:18.725Z\",\"since_until_filed\":\"8.07:06:05\",\"count\":-10808344,\"custom_group_folder_id\":\"1b7205bc-60e0-45a0-9956-b17b6a8673f6\",\"custom_group_folder_info\":\"urn:uuid:f4f661be-c970-38a6-b384-3b5697ffef28\"}",
 "event": {
- "kind": "event",
 "category": [
 "host"
 ],
+ "kind": "event",
+ "reason": "Indicators of Attack",
 "type": [
 "info"
- ],
- "reason": "Indicators of Attack"
+ ]
+ },
+ "action": {
+ "id": 1,
+ "name": "Informed"
 },
 "aether": {
 "accessed_data": true,
 "action": 1,
+ "alias": "AliasName",
+ "count": -10808344,
+ "custom_group_folder_id": "1b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "custom_group_folder_info": "urn:uuid:f4f661be-c970-38a6-b384-3b5697ffef28",
 "date": "2020-11-20T20:27:18.725Z",
+ "description": "DeviceDescriptionName",
+ "detected_by": 68864810.84915292,
+ "detection_technology": "DetectionTechnologyName",
 "device_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
- "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "device_type": -73108038.14936246,
+ "direction": 50845497.54724711,
+ "discard_motive": -77046516.51787202,
+ "domain": "DeviceDomain",
+ "dwell_time": 51373899,
+ "endpoint_event_date": "2021-07-20T20:27:18.725Z",
 "event_id": 69608597,
- "security_event_type": 18,
 "event_type": -86726288.19318274,
- "dwell_time": 51373899,
- "is_excluded": true,
+ "excluded": true,
+ "exploit_technique": "ExploitTechnique",
+ "file_info_discard": "FileIndentifierHash",
+ "filed_date": "2021-07-20T20:27:18.725Z",
 "hash": "009a9b4ff00946f9a5a5659dfe9086da",
 "host_name": "WIN_SERVER_XY",
+ "id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "instance_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "ip_address": "192.168.0.123",
+ "is_excluded": true,
 "item_name": "NameMalware",
- "made_external_connections": true,
- "path": "ThreatPath",
- "protection_mode": 5799409.122032538,
- "reclassified_to_type": -88047622.99579449,
 "like_lihood_of_being_malicious": -18274273.348011777,
- "discard_motive": -77046516.51787202,
+ "local_endpoint": [
+ {}
+ ],
 "lock_plus_rule_id": -22540451.640785083,
- "user_name": "Username",
- "was_run": true,
- "source_ip": "SourceIPName",
- "source_machine_name": "SourceDeviceName",
- "source_user": "SourceUsername",
- "detection_technology": "DetectionTechnologyName",
- "exploit_technique": "ExploitTechnique",
- "risk": true,
- "description": "DeviceDescriptionName",
- "domain": "DeviceDomain",
- "detected_by": 68864810.84915292,
- "device_type": -73108038.14936246,
- "platform_id": -70290399.75311546,
- "excluded": true,
- "file_info_discard": "FileIndentifierHash",
- "id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
- "ip_address": "192.168.0.123",
- "malware_name": "MalwareName",
+ "made_external_connections": true,
 "malware_category": -85107213.72887051,
+ "malware_name": "MalwareName",
 "malware_type": -62357590.74048821,
- "number_of_occurrences": 20674256,
- "security_event_date": "2021-07-20T20:27:18.725Z",
- "site_name": "SiteName",
 "network_activity_type": -85774927.58794248,
- "direction": 50845497.54724711,
+ "number_of_occurrences": 20674256,
+ "path": "ThreatPath",
+ "platform_id": -70290399.75311546,
+ "protection_mode": 5799409.122032538,
 "protocol": -86318449.566446,
- "local_endpoint": [
- {}
- ],
+ "reclassified_to_type": -88047622.99579449,
 "remote_endpoint": [
 {}
 ],
+ "risk": true,
+ "rule_configuration_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
 "rule_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "rule_mitre": "tactic: TA0006, technique: T1003",
 "rule_name": "RuleName",
- "rule_configuration_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
 "rule_obsolete": false,
- "alias": "AliasName",
- "instance_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
- "type": -51429435.96722382,
 "rule_risk": -54492359.89028178,
- "rule_mitre": "tactic: TA0006, technique: T1003",
- "status": 31156035.444223955,
- "endpoint_event_date": "2021-07-20T20:27:18.725Z",
- "filed_date": "2021-07-20T20:27:18.725Z",
+ "security_event_date": "2021-07-20T20:27:18.725Z",
+ "security_event_type": 18,
 "since_until_filed": "8.07:06:05",
- "count": -10808344,
- "custom_group_folder_id": "1b7205bc-60e0-45a0-9956-b17b6a8673f6",
- "custom_group_folder_info": "urn:uuid:f4f661be-c970-38a6-b384-3b5697ffef28"
- },
- "action": {
- "id": 1,
- "name": "Informed"
+ "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
+ "site_name": "SiteName",
+ "source_ip": "SourceIPName",
+ "source_machine_name": "SourceDeviceName",
+ "source_user": "SourceUsername",
+ "status": 31156035.444223955,
+ "type": -51429435.96722382,
+ "user_name": "Username",
+ "was_run": true
 },
 "host": {
 "name": "WIN_SERVER_XY"
 },
- "rule": {
- "id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6"
- },
- "user": {
- "name": "Username"
- },
- "source": {
- "ip": "192.168.0.123",
- "address": "192.168.0.123"
- },
 "related": {
 "ip": [
 "192.168.0.123"
@@ -464,6 +454,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "user": [
 "Username"
 ]
+ },
+ "rule": {
+ "id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6"
+ },
+ "source": {
+ "address": "192.168.0.123",
+ "ip": "192.168.0.123"
+ },
+ "user": {
+ "name": "Username"
 }
 }
 
@@ -477,35 +477,35 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"security_event_type\":4, \"event_id\":1796693,\"event_type\":1,\"date\":\"2022-04-07T11:02:36.06\",\"host_name\":\"PC123\",\"path\":\"COMMON_APPDATA|\\\\softxyz-scc-0x60dd82a3\\\\softxyz-scc.exe\",\"action\":13,\"hash\":\"5692CD3902FE3A9619F4B31A36643BAB\",\"risk\":false,\"protection_mode\":0,\"detection_technology\":null,\"site_id\":null,\"exploit_technique\":\"Exploit/RunPE\"}\n",
 "event": {
- "kind": "event",
 "category": [
 "host"
 ],
+ "kind": "event",
+ "reason": "Exploits",
 "type": [
 "info"
- ],
- "reason": "Exploits"
+ ]
+ },
+ "action": {
+ "id": 13,
+ "name": "After Process Blocked"
 },
 "aether": {
- "security_event_type": 4,
+ "action": 13,
+ "date": "2022-04-07T11:02:36.06",
+ "detection_technology": "null",
 "event_id": 1796693,
 "event_type": 1,
- "date": "2022-04-07T11:02:36.06",
+ "event_type_translated": "Exploit",
+ "exploit_technique": "Exploit/RunPE",
+ "hash": "5692CD3902FE3A9619F4B31A36643BAB",
 "host_name": "PC123",
 "path": "COMMON_APPDATA|\\softxyz-scc-0x60dd82a3\\softxyz-scc.exe",
- "action": 13,
- "hash": "5692CD3902FE3A9619F4B31A36643BAB",
- "risk": false,
 "protection_mode": 0,
- "detection_technology": "null",
- "site_id": "null",
- "exploit_technique": "Exploit/RunPE",
- "event_type_translated": "Exploit",
- "protection_mode_translated": "Undefined"
- },
- "action": {
- "id": 13,
- "name": "After Process Blocked"
+ "protection_mode_translated": "Undefined",
+ "risk": false,
+ "security_event_type": 4,
+ "site_id": "null"
 },
 "host": {
 "name": "PC123"
diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md
index 472ea7d29d..bda73652dc 100644
--- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md
+++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md 
@@ -37,96 +37,96 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": " 0|Forcepoint|Security|8.5.4|9|Transaction blocked|7| act=blocked app=http dvc=9.8.7.6 dst=5.6.7.8 dhost=ctldl.windowsupdate.com dpt=80 src=1.2.3.4 spt=62062 suser=- loginID=- destinationTranslatedPort=0 rt=1653557213000 in=0 out=0 requestMethod=GET requestClientApplication=Microsoft-CryptoAPI/10.0 reason=- cs1Label=Policy cs1=SupAd**_O365_ cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1025 cn2Label=ScanDuration cn2=5 request=http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab logRecordSource=OnPrem",
 "event": {
 "action": "Transaction blocked",
- "severity": 7,
- "code": "1025",
 "category": [
 "network"
 ],
+ "code": "1025",
 "kind": "event",
+ "reason": "Category blocked",
+ "severity": 7,
 "type": [
 "denied"
- ],
- "reason": "Category blocked"
+ ]
 },
 "@timestamp": "2022-05-26T09:26:53Z",
- "observer": {
- "vendor": "Forcepoint",
- "product": "Secure Web Gateway",
- "version": "8.5.4"
+ "destination": {
+ "address": "ctldl.windowsupdate.com",
+ "domain": "ctldl.windowsupdate.com",
+ "ip": "5.6.7.8",
+ "port": 80,
+ "registered_domain": "windowsupdate.com",
+ "subdomain": "ctldl",
+ "top_level_domain": "com"
+ },
+ "forcepoint": {
+ "cef": {
+ "version": "0"
+ },
+ "webgateway": {
+ "category": "0",
+ "log": {
+ "source": "OnPrem"
+ },
+ "policies": [
+ "SupAd**_O365_"
+ ]
+ }
 },
 "host": {
 "ip": "9.8.7.6"
 },
+ "http": {
+ "request": {
+ "method": "GET"
+ }
+ },
 "network": {
 "protocol": "http"
 },
- "destination": {
- "ip": "5.6.7.8",
- "port": 80,
- "domain": "ctldl.windowsupdate.com",
- "address": "ctldl.windowsupdate.com",
- "top_level_domain": "com",
- "subdomain": "ctldl",
- "registered_domain": "windowsupdate.com"
+ "observer": {
+ "product": "Secure Web Gateway",
+ "vendor": "Forcepoint",
+ "version": "8.5.4"
 },
- "source": {
- "ip": "1.2.3.4",
- "port": 62062,
- "address": "1.2.3.4"
+ "related": {
+ "hosts": [
+ "ctldl.windowsupdate.com"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8",
+ "9.8.7.6"
+ ]
 },
 "rule": {
 "id": "9",
 "ruleset": "Information Technology"
 },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 62062
+ },
 "url": {
- "original": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
 "domain": "ctldl.windowsupdate.com",
- "top_level_domain": "com",
- "subdomain": "ctldl",
- "registered_domain": "windowsupdate.com",
+ "original": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
 "path": "/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab",
+ "port": 80,
+ "registered_domain": "windowsupdate.com",
 "scheme": "http",
- "port": 80
- },
- "http": {
- "request": {
- "method": "GET"
- }
+ "subdomain": "ctldl",
+ "top_level_domain": "com"
 },
 "user_agent": {
- "original": "Microsoft-CryptoAPI/10.0",
 "device": {
 "name": "Other"
 },
 "name": "Microsoft-CryptoAPI",
- "version": "10.0",
+ "original": "Microsoft-CryptoAPI/10.0",
 "os": {
 "name": "Other"
- }
- },
- "forcepoint": {
- "webgateway": {
- "policies": [
- "SupAd**_O365_"
- ],
- "category": "0",
- "log": {
- "source": "OnPrem"
- }
 },
- "cef": {
- "version": "0"
- }
- },
- "related": {
- "ip": [
- "1.2.3.4",
- "5.6.7.8",
- "9.8.7.6"
- ],
- "hosts": [
- "ctldl.windowsupdate.com"
- ]
+ "version": "10.0"
 }
 }
 
@@ -141,114 +141,114 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "0|Forcepoint|Security|8.5.4|222|Transaction permitted|1| act=permitted app=https dvc=9.8.7.6 dst=5.6.7.8 dhost=outlook.office365.com dpt=443 src=1.2.3.4 spt=50345 suser=LDAP://4.3.2.1 OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL/User 1 loginID=n_nini destinationTranslatedPort=47486 rt=1653555521000 in=1038458 out=3967 requestMethod=POST requestClientApplication=Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro) reason=- cs1Label=Policy cs1=SupAd**1,SupAd**2 cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=application/mapi-http cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=31 request=https://outlook.office365.com/ logRecordSource=OnPrem",
 "event": {
 "action": "Transaction permitted",
- "severity": 1,
- "code": "1026",
 "category": [
 "network"
 ],
+ "code": "1026",
 "kind": "event",
+ "reason": "Category permitted",
+ "severity": 1,
 "type": [
 "allowed"
- ],
- "reason": "Category permitted"
+ ]
 },
 "@timestamp": "2022-05-26T08:58:41Z",
- "observer": {
- "vendor": "Forcepoint",
- "product": "Secure Web Gateway",
- "version": "8.5.4"
- },
- "host": {
- "ip": "9.8.7.6"
- },
- "network": {
- "protocol": "https"
- },
 "destination": {
- "ip": "5.6.7.8",
- "port": 443,
+ "address": "outlook.office365.com",
 "domain": "outlook.office365.com",
+ "ip": "5.6.7.8",
 "nat": {
 "port": 47486
 },
- "address": "outlook.office365.com",
- "top_level_domain": "com",
+ "port": 443,
+ "registered_domain": "office365.com",
 "subdomain": "outlook",
- "registered_domain": "office365.com"
+ "top_level_domain": "com"
 },
- "source": {
- "ip": "1.2.3.4",
- "port": 50345,
- "address": "1.2.3.4"
- },
- "rule": {
- "id": "222",
- "ruleset": "Collaboration - Office"
+ "forcepoint": {
+ "cef": {
+ "version": "0"
+ },
+ "webgateway": {
+ "category": "0",
+ "log": {
+ "source": "OnPrem"
+ },
+ "policies": [
+ "SupAd**1",
+ "SupAd**2"
+ ]
+ }
 },
- "url": {
- "original": "https://outlook.office365.com/",
- "domain": "outlook.office365.com",
- "top_level_domain": "com",
- "subdomain": "outlook",
- "registered_domain": "office365.com",
- "path": "/",
- "scheme": "https",
- "port": 443
+ "host": {
+ "ip": "9.8.7.6"
 },
 "http": {
 "request": {
- "method": "POST",
 "bytes": 3967,
+ "method": "POST",
 "mime_type": "application/mapi-http"
 },
 "response": {
 "bytes": 1038458
 }
 },
+ "network": {
+ "protocol": "https"
+ },
+ "observer": {
+ "product": "Secure Web Gateway",
+ "vendor": "Forcepoint",
+ "version": "8.5.4"
+ },
+ "related": {
+ "hosts": [
+ "outlook.office365.com"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8",
+ "9.8.7.6"
+ ],
+ "user": [
+ "User 1"
+ ]
+ },
+ "rule": {
+ "id": "222",
+ "ruleset": "Collaboration - Office"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 50345
+ },
+ "url": {
+ "domain": "outlook.office365.com",
+ "original": "https://outlook.office365.com/",
+ "path": "/",
+ "port": 443,
+ "registered_domain": "office365.com",
+ "scheme": "https",
+ "subdomain": "outlook",
+ "top_level_domain": "com"
+ },
 "user": {
 "domain": "OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL",
- "name": "User 1",
- "id": "n_nini"
+ "id": "n_nini",
+ "name": "User 1"
 },
 "user_agent": {
- "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro)",
 "device": {
 "name": "Other"
 },
 "name": "Outlook",
- "version": "2016",
+ "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10386; Pro)",
 "os": {
 "name": "Windows",
 "version": "10"
- }
- },
- "forcepoint": {
- "webgateway": {
- "policies": [
- "SupAd**1",
- "SupAd**2"
- ],
- "category": "0",
- "log": {
- "source": "OnPrem"
- }
 },
- "cef": {
- "version": "0"
- }
- },
- "related": {
- "ip": [
- "1.2.3.4",
- "5.6.7.8",
- "9.8.7.6"
- ],
- "hosts": [
- "outlook.office365.com"
- ],
- "user": [
- "User 1"
- ]
+ "version": "2016"
 }
 }
 
diff --git a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md
index ea64630cad..1059fd8828 100644
--- a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md
+++ b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md
@@ -51,14 +51,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "1d1e650b3385b95db72bba7cfb1287e9"
 }
 },
+ "cloudflare": {
+ "BlockedFileReason": "avscan",
+ "DownloadedFileNames": [
+ "mimikatz_trunk.zip"
+ ],
+ "IsIsolated": false,
+ "RequestID": "184ee7e16800003d0d86472000000001",
+ "UntrustedCertificateAction": "none",
+ "file_list": [
+ {
+ "action": "none",
+ "content_type": "application/octet-stream",
+ "direction": "download",
+ "file_name": "mimikatz_trunk.zip",
+ "file_size": 0
+ }
+ ]
+ },
 "destination": {
+ "address": "objects.githubusercontent.com",
 "domain": "objects.githubusercontent.com",
 "ip": "185.199.109.133",
 "port": 443,
- "address": "objects.githubusercontent.com",
- "top_level_domain": "com",
+ "registered_domain": "githubusercontent.com",
 "subdomain": "objects",
- "registered_domain": "githubusercontent.com"
+ "top_level_domain": "com"
 },
 "device": {
 "id": "b72ac397-e5c3-913e-11ed-03face9f2b6b"
@@ -90,44 +108,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "type": "proxy",
 "vendor": "Cloudflare"
 },
- "source": {
- "ip": "15.188.186.81",
- "port": 49907,
- "address": "15.188.186.81"
- },
- "user": {
- "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3",
- "email": "john.doe@test.com"
- },
- "url": {
- "original": "https://objects.githubusercontent.com/github-production-release-asset-2e65be/18496166/28e3acb5-ca66-40d5-bc68-f76f5bfabecf?X-Amz-Algorithm=AWS4-HMAC-SHA256&response-content-disposition=attachment%3B%20filename%3Dmimikatz_trunk.zip",
- "domain": "objects.githubusercontent.com",
- "top_level_domain": "com",
- "subdomain": "objects",
- "registered_domain": "githubusercontent.com",
- "path": "/github-production-release-asset-2e65be/18496166/28e3acb5-ca66-40d5-bc68-f76f5bfabecf",
- "query": "X-Amz-Algorithm=AWS4-HMAC-SHA256&response-content-disposition=attachment%3B%20filename%3Dmimikatz_trunk.zip",
- "scheme": "https",
- "port": 443
- },
- "cloudflare": {
- "BlockedFileReason": "avscan",
- "DownloadedFileNames": [
- "mimikatz_trunk.zip"
- ],
- "file_list": [
- {
- "direction": "download",
- "file_name": "mimikatz_trunk.zip",
- "file_size": 0,
- "content_type": "application/octet-stream",
- "action": "none"
- }
- ],
- "IsIsolated": false,
- "RequestID": "184ee7e16800003d0d86472000000001",
- "UntrustedCertificateAction": "none"
- },
 "related": {
 "hash": [
 "7accd179e8a6b2fc907e7e8d087c52a7f48084852724b03d25bebcada1acbca5"
@@ -140,6 +120,26 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "15.188.186.81",
 "185.199.109.133"
 ]
+ },
+ "source": {
+ "address": "15.188.186.81",
+ "ip": "15.188.186.81",
+ "port": 49907
+ },
+ "url": {
+ "domain": "objects.githubusercontent.com",
+ "original": "https://objects.githubusercontent.com/github-production-release-asset-2e65be/18496166/28e3acb5-ca66-40d5-bc68-f76f5bfabecf?X-Amz-Algorithm=AWS4-HMAC-SHA256&response-content-disposition=attachment%3B%20filename%3Dmimikatz_trunk.zip",
+ "path": "/github-production-release-asset-2e65be/18496166/28e3acb5-ca66-40d5-bc68-f76f5bfabecf",
+ "port": 443,
+ "query": "X-Amz-Algorithm=AWS4-HMAC-SHA256&response-content-disposition=attachment%3B%20filename%3Dmimikatz_trunk.zip",
+ "registered_domain": "githubusercontent.com",
+ "scheme": "https",
+ "subdomain": "objects",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "email": "john.doe@test.com",
+ "id": "2c46cdd9-92e3-5e5f-b3cf-67965d7c33e3"
 }
 }
 
@@ -160,8 +160,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "dataset": "gateway_http",
 "kind": "event",
 "type": [
- "info",
- "allowed"
+ "allowed",
+ "info"
 ]
 },
 "@timestamp": "2023-02-24T16:32:58Z",
@@ -170,13 +170,22 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "1d1e650b3385b95db72bba7cfb1287e9"
 }
 },
+ "cloudflare": {
+ "BlockedFileReason": "unknown",
+ "DownloadedFileNames": [
+ ""
+ ],
+ "IsIsolated": false,
+ "RequestID": "1725de5f0b000021551771e400000001",
+ "UntrustedCertificateAction": "none"
+ },
 "destination": {
+ "address": "www.facebook.com",
 "domain": "www.facebook.com",
 "port": 0,
- "address": "www.facebook.com",
- "top_level_domain": "com",
+ "registered_domain": "facebook.com",
 "subdomain": "www",
- "registered_domain": "facebook.com"
+ "top_level_domain": "com"
 },
 "file": {
 "size": 0
@@ -194,30 +203,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "type": "proxy",
 "vendor": "Cloudflare"
 },
- "source": {
- "ip": "15.188.186.81",
- "port": 39998,
- "address": "15.188.186.81"
- },
- "url": {
- "original": "https://www.facebook.com/",
- "domain": "www.facebook.com",
- "top_level_domain": "com",
- "subdomain": "www",
- "registered_domain": "facebook.com",
- "path": "/",
- "scheme": "https",
- "port": 443
- },
- "cloudflare": {
- "BlockedFileReason": "unknown",
- "DownloadedFileNames": [
- ""
- ],
- "IsIsolated": false,
- "RequestID": "1725de5f0b000021551771e400000001",
- "UntrustedCertificateAction": "none"
- },
 "related": {
 "hosts": [
 "www.facebook.com"
@@ -225,6 +210,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": [
 "15.188.186.81"
 ]
+ },
+ "source": {
+ "address": "15.188.186.81",
+ "ip": "15.188.186.81",
+ "port": 39998
+ },
+ "url": {
+ "domain": "www.facebook.com",
+ "original": "https://www.facebook.com/",
+ "path": "/",
+ "port": 443,
+ "registered_domain": "facebook.com",
+ "scheme": "https",
+ "subdomain": "www",
+ "top_level_domain": "com"
 }
 }
 
diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md
index 924155d3e4..f5dcdbbd7c 100644
--- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md
+++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md
@@ -37,9 +37,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1000,\"TypeComputedMap\":\"LostBuffers\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E997D-0D6B-40A9-81F1-7C21E9B8AAD3}\",\"Timestamp\":\"2023-06-15T06:30:00.0000000+01:00\",\"TimestampRaw\":133232454000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LostBuffersCount\":35}}",
 "event": {
+ "code": "LostBuffers",
 "kind": "event",
- "severity": 0,
- "code": "LostBuffers"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T05:30:00Z",
 "stormshield": {
@@ -59,9 +59,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1001,\"TypeComputedMap\":\"RulesEngCriticalError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD054D09-4231-4A21-8BA1-440AEBAC0CC9}\",\"Timestamp\":\"2023-06-15T06:40:00.0000000+01:00\",\"TimestampRaw\":133232460000000000,\"GenerateIncident\":false,\"SpecificData\":{}}",
 "event": {
+ "code": "RulesEngCriticalError",
 "kind": "event",
- "severity": 0,
- "code": "RulesEngCriticalError"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T05:40:00Z",
 "stormshield": {
@@ -81,9 +81,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1002,\"TypeComputedMap\":\"RulesEngIdentifierCollectionError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD060B75-CD2D-4F29-9E23-8F45C47772BA}\",\"Timestamp\":\"2023-06-15T06:50:00.0000000+01:00\",\"TimestampRaw\":133232466000000000,\"GenerateIncident\":false,\"SpecificData\":{}}",
 "event": {
+ "code": "RulesEngIdentifierCollectionError",
 "kind": "event",
- "severity": 0,
- "code": "RulesEngIdentifierCollectionError"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T05:50:00Z",
 "stormshield": {
@@ -103,9 +103,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1003,\"TypeComputedMap\":\"RulesEngRulesPackageError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0969EB-BA6D-481A-B96D-730EC18FE560}\",\"Timestamp\":\"2023-06-15T07:00:00.0000000+01:00\",\"TimestampRaw\":133232472000000000,\"GenerateIncident\":false,\"SpecificData\":{\"RulesPackageKeyPath\":\"HKLM\\\\TestPath\\\\Here\"}}",
 "event": {
+ "code": "RulesEngRulesPackageError",
 "kind": "event",
- "severity": 0,
- "code": "RulesEngRulesPackageError"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T06:00:00Z",
 "stormshield": {
@@ -125,9 +125,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1004,\"TypeComputedMap\":\"RulesEngInvalidParameter\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD075EE1-778C-4E3E-81E5-A565E4A4FF68}\",\"Timestamp\":\"2023-06-15T07:10:00.0000000+01:00\",\"TimestampRaw\":133232478000000000,\"GenerateIncident\":false,\"SpecificData\":{}}",
 "event": {
+ "code": "RulesEngInvalidParameter",
 "kind": "event",
- "severity": 0,
- "code": "RulesEngInvalidParameter"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T06:10:00Z",
 "stormshield": {
@@ -147,31 +147,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1006,\"TypeComputedMap\":\"TemporaryWebAccessStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07FF6B-417C-4249-B1D6-259FEDD9CFF2}\",\"Timestamp\":\"2023-06-15T07:20:00.0000000+01:00\",\"TimestampRaw\":133232484000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Duration\":50000,\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
- "kind": "event",
- "severity": 0,
- "code": "TemporaryWebAccessStart",
 "category": [
 "network"
 ],
+ "code": "TemporaryWebAccessStart",
+ "kind": "event",
+ "severity": 0,
 "type": [
 "start"
 ]
 },
 "@timestamp": "2023-06-15T06:20:00Z",
- "user": {
- "name": "JOHNDOE",
- "domain": "TEST",
- "id": "S-1-5-21-2222222-33333333-44444444-555"
+ "related": {
+ "user": [
+ "JOHNDOE"
+ ]
 },
 "stormshield": {
 "ses": {
 "type": "1006"
 }
 },
- "related": {
- "user": [
- "JOHNDOE"
- ]
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-2222222-33333333-44444444-555",
+ "name": "JOHNDOE"
 }
 }
 
@@ -185,31 +185,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1007,\"TypeComputedMap\":\"TemporaryWebAccessStartFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04C4F9-0196-441F-A772-F54FC0793D41}\",\"Timestamp\":\"2023-06-15T07:30:00.0000000+01:00\",\"TimestampRaw\":133232490000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
- "kind": "event",
- "severity": 0,
- "code": "TemporaryWebAccessStartFailed",
 "category": [
 "network"
 ],
+ "code": "TemporaryWebAccessStartFailed",
+ "kind": "event",
+ "severity": 0,
 "type": [
 "end"
 ]
 },
 "@timestamp": "2023-06-15T06:30:00Z",
- "user": {
- "name": "JOHNDOE",
- "domain": "TEST",
- "id": "S-1-5-21-2222222-33333333-44444444-555"
+ "related": {
+ "user": [
+ "JOHNDOE"
+ ]
 },
 "stormshield": {
 "ses": {
 "type": "1007"
 }
 },
- "related": {
- "user": [
- "JOHNDOE"
- ]
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-2222222-33333333-44444444-555",
+ "name": "JOHNDOE"
 }
 }
 
@@ -223,24 +223,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1008,\"TypeComputedMap\":\"TemporaryWebAccessStop\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E045B-4A76-4297-9269-D7DDE4C631FD}\",\"Timestamp\":\"2023-06-15T07:40:00.0000000+01:00\",\"TimestampRaw\":133232496000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
- "kind": "event",
- "severity": 0,
- "code": "TemporaryWebAccessStop",
 "category": [
 "network"
 ],
+ "code": "TemporaryWebAccessStop",
+ "kind": "event",
+ "severity": 0,
 "type": [
 "end"
 ]
 },
 "@timestamp": "2023-06-15T06:40:00Z",
- "user": {
- "id": "S-1-5-21-2222222-33333333-44444444-555"
- },
 "stormshield": {
 "ses": {
 "type": "1008"
 }
+ },
+ "user": {
+ "id": "S-1-5-21-2222222-33333333-44444444-555"
 }
 }
 
@@ -254,24 +254,24 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1009,\"TypeComputedMap\":\"TemporaryWebAccessStopFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD02A68E-3F78-438B-B64B-79112040192E}\",\"Timestamp\":\"2023-06-15T07:50:00.0000000+01:00\",\"TimestampRaw\":133232502000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
- "kind": "event",
- "severity": 0,
- "code": "TemporaryWebAccessStopFailed",
 "category": [
 "network"
 ],
+ "code": "TemporaryWebAccessStopFailed",
+ "kind": "event",
+ "severity": 0,
 "type": [
 "end"
 ]
 },
 "@timestamp": "2023-06-15T06:50:00Z",
- "user": {
- "id": "S-1-5-21-2222222-33333333-44444444-555"
- },
 "stormshield": {
 "ses": {
 "type": "1009"
 }
+ },
+ "user": {
+ "id": "S-1-5-21-2222222-33333333-44444444-555"
 }
 }
 
@@ -285,9 +285,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1010,\"TypeComputedMap\":\"AgentInternalLogExceedMaxSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F16E5-852C-4686-9979-AA5A859D50F2}\",\"Timestamp\":\"2023-06-15T08:00:00.0000000+01:00\",\"TimestampRaw\":133232508000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FaultyLogType\":1010,\"FaultyLogTypeComputedMap\":null}}",
 "event": {
+ "code": "AgentInternalLogExceedMaxSize",
 "kind": "event",
- "severity": 0,
- "code": "AgentInternalLogExceedMaxSize"
+ "severity": 0
 },
 "@timestamp": "2023-06-15T07:00:00Z",
 "stormshield": {
@@ -307,31 +307,31 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"Version\":1,\"Type\":1011,\"TypeComputedMap\":\"TemporaryWebAccessMaxCountReached\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09731F-F853-4815-9DE3-C4B6991F689E}\",\"Timestamp\":\"2023-06-15T08:10:00.0000000+01:00\",\"TimestampRaw\":133232514000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
- "kind": "event",
- "severity": 0,
- "code": "TemporaryWebAccessMaxCountReached",
 "category": [
 "network"
 ],
+ "code": "TemporaryWebAccessMaxCountReached",
+ "kind": "event",
+ "severity": 0,
 "type": [
 "denied"
 ]
 },
 "@timestamp": "2023-06-15T07:10:00Z",
- "user": {
- "name": "JOHNDOE",
- "domain": "TEST",
- "id": "S-1-5-21-2222222-33333333-44444444-555"
+ "related": {
+ "user": [
+ "JOHNDOE"
+ ]
 },
 "stormshield": {
 "ses": {
 "type": "1011"
 }
 },
- "related": {
- "user": [
- "JOHNDOE"
- ]
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-21-2222222-33333333-44444444-555",
+ "name": "JOHNDOE"
 }
 }
 
@@ -345,64 +345,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":103,\"TypeComputedMap\":\"RegistryKeyCreate\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD042F09-DB50-4EDB-8370-DB9A3C37A5EF}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T05:23:57.0238678+02:00\",\"TimestampRaw\":133311362370238678,\"SpecificData\":{\"SourceProcess\":{\"PID\":1832,\"ProcessGuid\":\"{E38CB57F-32F0-4AB4-9581-8CDD6B0E95B1}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe-knetsvcs-p-swlidsvc\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-16384\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiresyst\u00e8me\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":0,\"HashMd5\":\"B7F884C1B74A263F746EE12A5F7C9F6A\",\"HashSha1\":\"1BC5066DDF693FC034D6514618854E26A84FD0D1\",\"HashSha256\":\"ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindowsPublisher\",\"SigningTime\":\"2022-06-18T08:21:06.9540000+02:00\",\"ValidityStart\":\"2022-01-27T21:31:19.0000000+02:00\",\"ValidityEnd\":\"2023-01-26T21:31:19.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T15:17:42.8190445+02:00\",\"ProcessStartTimeRaw\":133311358628190445},\"Action\":{\"PolicyGuid\":\"{621F7A4B-040E-42C2-9B4F-173BA48E067B}\",\"PolicyVersion\":2,\"RuleGuid\":\"{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}\",\"BaseRuleGuid\":\"{E63B82C5-EC6B-4FBA-B854-94D81A9
8EAA9}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Details\":{\"Options\":1,\"OptionsComputedBitMap\":[\"REG_OPTION_VOLATILE\"],\"DesiredAccess\":131103,\"DesiredAccessComputedBitMap\":[\"KEY_QUERY_VALUE\",\"KEY_SET_VALUE\",\"KEY_CREATE_SUB_KEY\",\"KEY_ENUMERATE_SUB_KEYS\",\"KEY_NOTIFY\",\"READ_CONTROL\"]},\"DetailsType\":0,\"DetailsTypeComputedMap\":\"REGISTRY_KEY_CREATE\",\"Path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\IdentityCRL\\\\ThrottleCache\\\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "RegistryKeyCreate", "category": [ "registry" ], + "code": "RegistryKeyCreate", + "kind": "event", + "severity": 4, "type": [ "creation" ] }, "@timestamp": "2023-06-15T03:23:57.023867Z", - "rule": { - "uuid": "E63B82C5-EC6B-4FBA-B854-94D81A98EAAA" - }, "process": { - "pid": 1832, - "start": "2023-06-13T13:17:42.819044Z", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", "command_line": "C:\\WINDOWS\\system32\\svchost.exe-knetsvcs-p-swlidsvc", + "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { - "sha1": "1BC5066DDF693FC034D6514618854E26A84FD0D1", "md5": "B7F884C1B74A263F746EE12A5F7C9F6A", + "sha1": "1BC5066DDF693FC034D6514618854E26A84FD0D1", "sha256": "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88" }, + "name": "svchost.exe", + "pid": 1832, + "start": "2023-06-13T13:17:42.819044Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}" + }, + "related": { + "hash": [ + 
"1BC5066DDF693FC034D6514618854E26A84FD0D1", + "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88", + "B7F884C1B74A263F746EE12A5F7C9F6A" + ] + }, + "rule": { + "uuid": "E63B82C5-EC6B-4FBA-B854-94D81A98EAAA" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "103", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "103" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}" - }, - "related": { - "hash": [ - "1BC5066DDF693FC034D6514618854E26A84FD0D1", - "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88", - "B7F884C1B74A263F746EE12A5F7C9F6A" - ] } } 
@@ -416,64 +416,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":104,\"TypeComputedMap\":\"RegistryKeyRead\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B285F-2E43-4390-823C-73CB7736D0AA}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T05:34:00.8441322+02:00\",\"TimestampRaw\":133311368408441322,\"SpecificData\":{\"SourceProcess\":{\"PID\":6704,\"ProcessGuid\":\"{0E6042A8-0DC3-47A6-9FB4-8936B396C1AC}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"790E65F13ECEB64FE297DF08EB1C953A\",\"HashSha1\":\"5F04BC4911EEBA35EC294B111C57D90808A4C4BD\",\"HashSha256\":\"B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-05-09T10:18:43.9710000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:42.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:42.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T15:32:52.0646809+02:00\",\"ProcessStartTimeRaw\":133311367720646809},\"Action\":{\"PolicyGuid\":\"{621F7A4B-040E-42C2-9B4F-173BA48E067B}\",\"PolicyVersion\":4,\"RuleGuid\":\"{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}\",\"BaseRuleGuid\":\"{E63B82C5-EC6B-4FBA-B854-94D81A98EAA9}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93
FBBCDD}\",\"Blocked\":false,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\WindowsNT\\\\CurrentVersion\\\\TimeZones\",\"InformationClass\":0,\"InformationClassComputedMap\":\"KeyBasicInformation\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "RegistryKeyRead", "category": [ "registry" ], + "code": "RegistryKeyRead", + "kind": "event", + "severity": 4, "type": [ "access" ] }, "@timestamp": "2023-06-15T03:34:00.844132Z", - "rule": { - "uuid": "E63B82C5-EC6B-4FBA-B854-94D81A98EAAA" - }, "process": { - "pid": 6704, - "start": "2023-06-13T13:32:52.064680Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "5F04BC4911EEBA35EC294B111C57D90808A4C4BD", "md5": "790E65F13ECEB64FE297DF08EB1C953A", + "sha1": "5F04BC4911EEBA35EC294B111C57D90808A4C4BD", "sha256": "B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237" }, + "name": "explorer.exe", + "pid": 6704, + "start": "2023-06-13T13:32:52.064680Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones" + }, + "related": { + "hash": [ + "5F04BC4911EEBA35EC294B111C57D90808A4C4BD", + "790E65F13ECEB64FE297DF08EB1C953A", + "B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237" + ] + }, + "rule": { + "uuid": "E63B82C5-EC6B-4FBA-B854-94D81A98EAAA" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "104", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "104" } - }, - 
"registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones" - }, - "related": { - "hash": [ - "5F04BC4911EEBA35EC294B111C57D90808A4C4BD", - "790E65F13ECEB64FE297DF08EB1C953A", - "B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237" - ] } } 
@@ -487,64 +487,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":109,\"TypeComputedMap\":\"RegistryKeyWrite\",\"Category\":1,\"CategoryComputedMap\":\"Registry\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0D1A3F-D034-4FE6-BE01-10DB9C0F6C4E}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:07:58.8191262+01:00\",\"TimestampRaw\":133225888788191262,\"SpecificData\":{\"SourceProcess\":{\"PID\":1196,\"ProcessGuid\":\"{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}\",\"ProcessImageName\":\"C:\\\\Windows\\\\regedit.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\WINDOWS\\\\regedit.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"999A30979F6195BF562068639FFC4426\",\"HashSha1\":\"D4F2663AABC03478975382B3C69F24B3C6BD2AA9\",\"HashSha256\":\"92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-18T02:58:33.2360000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:14.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:14.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-06T16:04:21.8793902+01:00\",\"ProcessStartTimeRaw\":133225886618793902},\"Action\":{\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersion\":3,\"RuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}\",\"BaseRuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}\",\"Iden
tifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Details\":{\"Options\":0,\"OptionsComputedBitMap\":[],\"DesiredAccess\":33554432,\"DesiredAccessComputedBitMap\":[\"MAXIMUM_ALLOWED\"],\"SubkeyName\":\"NewKey#1\"},\"DetailsType\":0,\"DetailsTypeComputedMap\":\"REGISTRY_KEY_CREATE_SUBKEY\",\"Path\":\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\TEST_ADE\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "RegistryKeyWrite", "category": [ "registry" ], + "code": "RegistryKeyWrite", + "kind": "event", + "severity": 4, "type": [ "change" ] }, "@timestamp": "2023-06-15T05:07:58.819126Z", - "rule": { - "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" - }, "process": { - "pid": 1196, - "start": "2023-03-06T15:04:21.879390Z", - "executable": "C:\\Windows\\regedit.exe", - "name": "regedit.exe", "command_line": "\"C:\\WINDOWS\\regedit.exe\"", + "executable": "C:\\Windows\\regedit.exe", "hash": { - "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "md5": "999A30979F6195BF562068639FFC4426", + "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "sha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170" }, + "name": "regedit.exe", + "pid": 1196, + "start": "2023-03-06T15:04:21.879390Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_CURRENT_USER", + "key": "SOFTWARE\\TEST_ADE", + "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE" + }, + "related": { + "hash": [ + "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", + "999A30979F6195BF562068639FFC4426", + "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" + ] + }, + "rule": { + "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "109", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { 
"killed": false - } + }, + "type": "109" } - }, - "registry": { - "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE", - "hive": "HKEY_CURRENT_USER", - "key": "SOFTWARE\\TEST_ADE" - }, - "related": { - "hash": [ - "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", - "999A30979F6195BF562068639FFC4426", - "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" - ] } } 
@@ -558,32 +558,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":11,\"TypeComputedMap\":\"ProcessExecution\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":2,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD066513-E7B5-4F79-AE62-0885C51EA629}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:08:53.7673622+01:00\",\"TimestampRaw\":133209473337673622,\"SpecificData\":{\"SourceProcess\":{\"PID\":5496,\"ProcessGuid\":\"{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"DEEEE5E9267B65A9A82BE24BE2693365\",\"HashSha1\":\"FC924E1BBEC021CB5685B05728618EB421AD3FBE\",\"HashSha256\":\"0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-06T12:01:50.2850000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:15.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:15.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T11:35:02.4495876+01:00\",\"ProcessStartTimeRaw\":133209309024495876},\"Action\":{\"PolicyGuid\":\"{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}\",\"PolicyVersion\":3,\"RuleGuid\":\"{4DE7AEC5-BACF-46F8-9B78-2203A14D1562}\",\"BaseRuleGuid\":\"{4DE7AEC5-BACF-46F8-9B78-2203A14D1561}\",\"IdentifierGuid
\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false},\"CreatedProcess\":{\"PID\":5280,\"ProcessGuid\":\"{2E91C661-4ACA-4CDB-84D1-CCD98308B120}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"Test\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"27F71B12CB585541885A31BE22F61C83\",\"HashSha1\":\"D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5\",\"HashSha256\":\"F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2022-07-21T02:36:42.3560000+01:00\",\"ValidityStart\":\"2021-09-02T19:23:41.0000000+01:00\",\"ValidityEnd\":\"2022-09-01T19:23:41.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T16:08:53.7602140+01:00\",\"ProcessStartTimeRaw\":133209473337602140},\"ParentProcess\":{\"PID\":5496,\"ProcessGuid\":\"{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"Test\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"DEEEE5E9267B65A9A82BE24BE2693365\",\"HashSha1\":\"FC924E1BBEC021CB5685B05728618EB421AD3FBE\",\"HashSha256\":\"0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-06T12:01:50.2850000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:15.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:15.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T11:35:02.4495876+01:00\",\"ProcessStartTimeRaw\":133209309024495876}}}", "event": { - "kind": "event", - "severity": 2, - "code": "ProcessExecution", "category": [ "process" ], + "code": "ProcessExecution", + "kind": "event", + "severity": 2, "type": [ "start" ] }, "@timestamp": "2023-06-15T05:08:53.767362Z", - "rule": { - "uuid": "4DE7AEC5-BACF-46F8-9B78-2203A14D1562" - }, "process": { - "parent": { - "pid": 5496, - "start": "2023-02-15T10:35:02.449587Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", + "command_line": "\"C:\\Windows\\system32\\notepad.exe\"", + "executable": "C:\\Windows\\System32\\notepad.exe", + "hash": { + "md5": "27F71B12CB585541885A31BE22F61C83", + "sha1": "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5", + "sha256": "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01" + }, + "name": "notepad.exe", + "parent": { "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": 
"FC924E1BBEC021CB5685B05728618EB421AD3FBE", "md5": "DEEEE5E9267B65A9A82BE24BE2693365", + "sha1": "FC924E1BBEC021CB5685B05728618EB421AD3FBE", "sha256": "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13" }, + "name": "explorer.exe", + "pid": 5496, + "start": "2023-02-15T10:35:02.449587Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" 
@@ -591,50 +596,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "pid": 5280, "start": "2023-02-15T15:08:53.760214Z", - "executable": "C:\\Windows\\System32\\notepad.exe", - "name": "notepad.exe", - "command_line": "\"C:\\Windows\\system32\\notepad.exe\"", - "hash": { - "sha1": "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5", - "md5": "27F71B12CB585541885A31BE22F61C83", - "sha256": "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01" - }, "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13", + "27F71B12CB585541885A31BE22F61C83", + "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5", + "DEEEE5E9267B65A9A82BE24BE2693365", + "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01", + "FC924E1BBEC021CB5685B05728618EB421AD3FBE" + ] + }, + "rule": { + "uuid": "4DE7AEC5-BACF-46F8-9B78-2203A14D1562" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { - "user": { - "domain": "Test" - }, "parent": { "user": { "domain": "Test" } + }, + "user": { + "domain": "Test" } }, - "type": "11", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "11" } - }, - "related": { - "hash": [ - "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13", - "27F71B12CB585541885A31BE22F61C83", - "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5", - "DEEEE5E9267B65A9A82BE24BE2693365", - "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01", - "FC924E1BBEC021CB5685B05728618EB421AD3FBE" - ] } } 
@@ -648,64 +648,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":112,\"TypeComputedMap\":\"RegistryKeyDelete\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DBC09-BED9-4335-B645-643B9CAB885C}\",\"Timestamp\":\"2023-06-15T02:50:00.0000000+01:00\",\"TimestampRaw\":133232322000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Details\":null,\"Path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Test\",\"SourceProcess\":{\"PID\":8,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"f0fbb584-bc08-41d1-93a2-a04f8fc65c32\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD8FAFB111\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":5,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUntrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - 
"severity": 0, - "code": "RegistryKeyDelete", "category": [ "registry" ], + "code": "RegistryKeyDelete", + "kind": "event", + "severity": 0, "type": [ "deletion" ] }, "@timestamp": "2023-06-15T01:50:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 8, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "name": "OUTLOOK.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD8FAFB111", + "sha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "OUTLOOK.EXE", + "pid": 8, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE\\Test", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Test" + }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD8FAFB111", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "112", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "112" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Test", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE\\Test" - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D9AFD8FAFB111", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6" - ] } } 
@@ -719,64 +719,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":113,\"TypeComputedMap\":\"RegistryValueCreate\",\"Category\":1,\"CategoryComputedMap\":\"Registry\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD003007-3EE1-478E-9D07-A3772739A5E6}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:13:20.2600711+01:00\",\"TimestampRaw\":133225892002600711,\"SpecificData\":{\"SourceProcess\":{\"PID\":1196,\"ProcessGuid\":\"{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}\",\"ProcessImageName\":\"C:\\\\Windows\\\\regedit.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\WINDOWS\\\\regedit.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"999A30979F6195BF562068639FFC4426\",\"HashSha1\":\"D4F2663AABC03478975382B3C69F24B3C6BD2AA9\",\"HashSha256\":\"92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-18T02:58:33.2360000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:14.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:14.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-06T16:04:21.8793902+01:00\",\"ProcessStartTimeRaw\":133225886618793902},\"Action\":{\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersion\":4,\"RuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}\",\"BaseRuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}\",\"I
dentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Path\":\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\TEST_ADE\",\"ValueName\":\"Valeur_String\",\"ValueDataType\":1,\"ValueDataTypeComputedMap\":\"REG_SZ\",\"ValueData\":\"\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "RegistryValueCreate", "category": [ "registry" ], + "code": "RegistryValueCreate", + "kind": "event", + "severity": 4, "type": [ "creation" ] }, "@timestamp": "2023-06-15T05:13:20.260071Z", - "rule": { - "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" - }, "process": { - "pid": 1196, - "start": "2023-03-06T15:04:21.879390Z", - "executable": "C:\\Windows\\regedit.exe", - "name": "regedit.exe", "command_line": "\"C:\\WINDOWS\\regedit.exe\"", + "executable": "C:\\Windows\\regedit.exe", "hash": { - "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "md5": "999A30979F6195BF562068639FFC4426", + "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "sha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170" }, + "name": "regedit.exe", + "pid": 1196, + "start": "2023-03-06T15:04:21.879390Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_CURRENT_USER", + "key": "SOFTWARE\\TEST_ADE", + "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE" + }, + "related": { + "hash": [ + "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", + "999A30979F6195BF562068639FFC4426", + "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" + ] + }, + "rule": { + "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "113", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "113" } - }, - "registry": { - "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE", - "hive": 
"HKEY_CURRENT_USER", - "key": "SOFTWARE\\TEST_ADE" - }, - "related": { - "hash": [ - "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", - "999A30979F6195BF562068639FFC4426", - "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" - ] } } 
@@ -790,64 +790,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":114,\"TypeComputedMap\":\"RegistryValueRead\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F267B-2FBB-4457-99C1-AC4663C7FC93}\",\"Timestamp\":\"2023-06-15T03:10:00.0000000+01:00\",\"TimestampRaw\":133232334000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ValueName\":\"Value2\",\"Path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\",\"SourceProcess\":{\"PID\":1,\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"UserSID\":null,\"SessionID\":2,\"ProcessGuid\":\"92c246ec-0acd-11ea-a38a-00155d099004\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"HashMd5\":\"4E196CEA0C9C46A7D656C67E52E8C7C7\",\"HashSha1\":\"726C9D759C5F02080FA003B50466A3BE0C959865\",\"HashSha256\":\"ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Microsoft Windows Production PCA 2011\",\"SigningTime\":\"2019-10-20T14:09:02.8886192+01:00\",\"ValidityEnd\":\"2020-05-02T22:24:36.0705280+01:00\",\"ValidityStart\":\"2019-05-02T22:24:36.7807872+01:00\",\"SubjectCN\":\"Microsoft Windows\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "RegistryValueRead", "category": [ "registry" ], + "code": "RegistryValueRead", + "kind": "event", + "severity": 0, "type": [ "access" ] }, "@timestamp": "2023-06-15T02:10:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 1, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "726C9D759C5F02080FA003B50466A3BE0C959865", "md5": "4E196CEA0C9C46A7D656C67E52E8C7C7", + "sha1": "726C9D759C5F02080FA003B50466A3BE0C959865", "sha256": "ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28" }, + "name": "explorer.exe", + "pid": 1, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE" + }, + "related": { + "hash": [ + "4E196CEA0C9C46A7D656C67E52E8C7C7", + "726C9D759C5F02080FA003B50466A3BE0C959865", + "ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "114", - 
"action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "114" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE" - }, - "related": { - "hash": [ - "4E196CEA0C9C46A7D656C67E52E8C7C7", - "726C9D759C5F02080FA003B50466A3BE0C959865", - "ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28" - ] } } 
@@ -861,57 +861,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":115,\"TypeComputedMap\":\"RegistryValueWrite\",\"Category\":1,\"CategoryComputedMap\":\"Registry\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09D00C-D632-4FB1-9606-AD80E2AB9AF5}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:13:26.1106189+01:00\",\"TimestampRaw\":133225892061106189,\"SpecificData\":{\"SourceProcess\":{\"PID\":1196,\"ProcessGuid\":\"{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}\",\"ProcessImageName\":\"C:\\\\Windows\\\\regedit.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\WINDOWS\\\\regedit.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"999A30979F6195BF562068639FFC4426\",\"HashSha1\":\"D4F2663AABC03478975382B3C69F24B3C6BD2AA9\",\"HashSha256\":\"92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-18T02:58:33.2360000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:14.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:14.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-06T16:04:21.8793902+01:00\",\"ProcessStartTimeRaw\":133225886618793902},\"Action\":{\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersion\":4,\"RuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}\",\"BaseRuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}\",\"Id
entifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Path\":\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\TEST_ADE\",\"ValueName\":\"Valeur_String\",\"ValueDataType\":1,\"ValueDataTypeComputedMap\":\"REG_SZ\",\"ValueData\":\"lala\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "RegistryValueWrite", "category": [ "registry" ], + "code": "RegistryValueWrite", + "kind": "event", + "severity": 4, "type": [ "change" ] }, "@timestamp": "2023-06-15T05:13:26.110618Z", - "rule": { - "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" - }, "process": { - "pid": 1196, - "start": "2023-03-06T15:04:21.879390Z", - "executable": "C:\\Windows\\regedit.exe", - "name": "regedit.exe", "command_line": "\"C:\\WINDOWS\\regedit.exe\"", + "executable": "C:\\Windows\\regedit.exe", "hash": { - "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "md5": "999A30979F6195BF562068639FFC4426", + "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", "sha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170" }, + "name": "regedit.exe", + "pid": 1196, + "start": "2023-03-06T15:04:21.879390Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, - "stormshield": { - "ses": { - "process": { - "user": { - "domain": "TEST" - } - }, - "type": "115", - "action": { - "blocked": false, - "user_decision": false - }, - "source_process": { - "killed": false - } - } - }, "registry": { - "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE", "hive": "HKEY_CURRENT_USER", - "key": "SOFTWARE\\TEST_ADE" + "key": "SOFTWARE\\TEST_ADE", + "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE" }, "related": { "hash": [ 
@@ -919,8 +899,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. "999A30979F6195BF562068639FFC4426", "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" ] - } - } + }, + "rule": { + "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "115" + } + } + } ``` 
@@ -932,64 +932,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":116,\"TypeComputedMap\":\"RegistryValueDelete\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0503D8-60D7-4B07-B649-6F70DE5A1125}\",\"Timestamp\":\"2023-06-15T03:30:00.0000000+01:00\",\"TimestampRaw\":133232346000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ValueName\":\"Value2\",\"Path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\",\"SourceProcess\":{\"PID\":6,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e83-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF44D9AFD9FAFB111\",\"HashSha1\":\"0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6\",\"HashSha256\":\"2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":8,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4765488+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadSignature\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "RegistryValueDelete", "category": [ "registry" ], + "code": "RegistryValueDelete", + "kind": "event", + "severity": 0, "type": [ "deletion" ] }, "@timestamp": "2023-06-15T02:30:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 6, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", - "name": "EsScript.exe", "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe\"", + "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", "hash": { - "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "md5": "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "sha256": "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "EsScript.exe", + "pid": 6, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE" + }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", + "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, 
"stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "116", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "116" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE" - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF44D9AFD9FAFB111", - "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", - "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" - ] } } 
@@ -1003,64 +1003,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":173,\"TypeComputedMap\":\"FileCreate\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0791A3-DF3A-49CB-922A-38C054779CBC}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:19:30.8012653+02:00\",\"TimestampRaw\":133311395708012653,\"SpecificData\":{\"SourceProcess\":{\"PID\":4816,\"ProcessGuid\":\"{1A83B343-5C5C-4B0E-977A-B20CF86B43A8}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":3,\"VolumeZoneComputedBitMap\":[\"Operating system\",\"Computer Boot\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"81886624735B4F8F019E731A8A2E6E69\",\"HashSha1\":\"A30E4111E183514DEF89D2BC31071231DEABC4DF\",\"HashSha256\":\"385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-04-15T11:56:31.9920000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T14:28:06.6858009+02:00\",\"ProcessStartTimeRaw\":133311328866858009},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":6,\"RuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F9}\",\"BaseRuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F8}\",\"IdentifierGuid\":\"{9BB78BCC-E85C-4CB5-A6CC-26E2
1029385C}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"UsbDeviceInfo\":{\"VendorId\":5118,\"ProductId\":25344,\"Class\":0,\"ClassComputedMap\":\"UseclassinformationintheInterfaceDescriptors\",\"SubClass\":0,\"Protocol\":0,\"SerialNumber\":\"072117691198E329\",\"VendorName\":\"\",\"ProductName\":\"USBDISK3.0\",\"Interfaces\":[{\"Class\":8,\"ClassComputedMap\":\"MassStorage\",\"Subclass\":6,\"Protocol\":80}]},\"UsbVolumeTrackingData\":{\"EnrollFileState\":0,\"EnrollFileStateComputedMap\":\"Noenrollfile\",\"FootprintFileState\":0,\"FootprintFileStateComputedMap\":\"Nofootprintfile\",\"VendorId\":0,\"ProductId\":0,\"SerialNumberHashSha256\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"EnrollGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"AccessFromNetwork\":{},\"Details\":{\"SourcePath\":\"F:\\\\NewTextDocument.txt\",\"Flags\":0,\"FlagsComputedBitMap\":[]},\"DetailsType\":2,\"DetailsTypeComputedMap\":\"FILE_RENAME_DESTINATION\",\"Path\":\"F:\\\\cxvbcxvbcxv.txt\",\"MatchingPath\":\"\",\"VolumeZone\":3,\"VolumeZoneComputedBitMap\":[\"Operating system\",\"Computer Boot\"],\"FileObjectType\":0,\"FileObjectTypeComputedMap\":\"FILE\",\"FileOwner\":\"\",\"FileOwnerNameLookup\":\"\",\"FileOwnerDomainLookup\":\"\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "FileCreate", "category": [ "file" ], + "code": "FileCreate", + "kind": "event", + "severity": 1, "type": [ "creation" ] }, "@timestamp": "2023-06-15T04:19:30.801265Z", - "rule": { - "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + "file": { + "directory": "F:", + "name": "cxvbcxvbcxv.txt", + "path": "F:\\cxvbcxvbcxv.txt" }, "process": { - "pid": 4816, - "start": "2023-06-13T12:28:06.685800Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF", "md5": 
"81886624735B4F8F019E731A8A2E6E69", + "sha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF", "sha256": "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1" }, + "name": "explorer.exe", + "pid": 4816, + "start": "2023-06-13T12:28:06.685800Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1", + "81886624735B4F8F019E731A8A2E6E69", + "A30E4111E183514DEF89D2BC31071231DEABC4DF" + ] + }, + "rule": { + "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "173", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "173" } - }, - "file": { - "path": "F:\\cxvbcxvbcxv.txt", - "name": "cxvbcxvbcxv.txt", - "directory": "F:" - }, - "related": { - "hash": [ - "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1", - "81886624735B4F8F019E731A8A2E6E69", - "A30E4111E183514DEF89D2BC31071231DEABC4DF" - ] } } 
@@ -1074,68 +1074,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":174,\"TypeComputedMap\":\"FileExecute\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F62D1-43CA-41DE-838D-B80498CB7369}\",\"Timestamp\":\"2023-06-15T03:50:00.0000000+01:00\",\"TimestampRaw\":133232358000000000,\"GenerateIncident\":false,\"SpecificData\":{\"AccessFromNetwork\":{\"ShareName\":\"\\\\\\\\Something\",\"AddressFamily\":2,\"AddressFamilyComputedMap\":\"IPv4\",\"Address\":\"127.0.0.1\",\"Port\":80},\"UsbDeviceInfo\":{\"VendorName\":\"SanDisk\",\"VendorId\":1921,\"ProductName\":\"Ultra\",\"ProductId\":21889,\"SerialNumber\":\"4C530001211017121370\",\"Class\":1,\"SubClass\":220,\"Interfaces\":[{\"Class\":254,\"SubClass\":254},{\"Class\":88,\"SubClass\":13},{\"Class\":224,\"SubClass\":16}]},\"UsbVolumeTrackingData\":{\"EnrollFileState\":5,\"EnrollGuid\":\"6b8a636d-a508-442e-835f-0538392c904e\",\"FootprintFileState\":0},\"FileOwner\":\"S-1-5-21-2222222-33333333-44444444-555\",\"FileObjectType\":1,\"FileObjectTypeComputedMap\":\"DIRECTORY\",\"MatchingPath\":\"c:\\\\tmp\\\\file2.txt\",\"VolumeZone\":1024,\"VolumeZoneComputedBitMap\":[\"Remote Webdav\"],\"Details\":null,\"FileOwnerNameLookup\":\"User1\",\"FileOwnerDomainLookup\":\"sshield1\",\"Path\":\"c:\\\\test\\\\toto.txt\",\"SourceProcess\":{\"PID\":9,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\Excel.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"9d367a6c-04e4-491b-baa8-25b674db96d9\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\Office16\\\\Excel.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD8FAFB221\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0FA16F33D12116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "FileExecute", "category": [ "file" ], + "code": "FileExecute", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T02:50:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "file": { + "directory": "c:\\test", + "name": "toto.txt", + "owner": "User1", + "path": "c:\\test\\toto.txt" }, "process": { - "pid": 9, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", - "name": "Excel.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD8FAFB221", + "sha1": 
"AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7" }, + "name": "Excel.EXE", + "pid": 9, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD8FAFB221", + "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" + ], + "user": [ + "User1" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "174", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "174" } - }, - "file": { - "owner": "User1", - "path": "c:\\test\\toto.txt", - "name": "toto.txt", - "directory": "c:\\test" - }, - "related": { - "user": [ - "User1" - ], - "hash": [ - "0470A1A62B3FAA0AF14D9AFD8FAFB221", - "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" - ] } } 
@@ -1149,64 +1149,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":175,\"TypeComputedMap\":\"FileRead\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0AA946-7DCE-4AB0-BA45-706B84C1F3FC}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:45:11.6239189+02:00\",\"TimestampRaw\":133312167116239189,\"SpecificData\":{\"SourceProcess\":{\"PID\":196,\"ProcessGuid\":\"{FE730151-438E-4EEC-A433-47C5D4E3B8F0}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\SearchIndexer.exe/Embedding\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-16384\",\"IntegrityLevelNameLookup\":\"SystemMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":0,\"HashMd5\":\"38E354B0E48633125C5AE4DF7A86AA27\",\"HashSha1\":\"E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD\",\"HashSha256\":\"FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-03-29T01:48:03.5290000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T11:12:07.0737445+02:00\",\"ProcessStartTimeRaw\":133312075270737445},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":9,\"RuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F9}\",\"BaseRuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F8}\",\"IdentifierGuid\":\"{9BB7
8BCC-E85C-4CB5-A6CC-26E21029385C}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"UsbDeviceInfo\":{\"VendorId\":1921,\"ProductId\":21889,\"Class\":0,\"ClassComputedMap\":\"UseclassinformationintheInterfaceDescriptors\",\"SubClass\":0,\"Protocol\":0,\"SerialNumber\":\"04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117\",\"VendorName\":\"USB\",\"ProductName\":\"SanDisk3.2Gen1\",\"Interfaces\":[{\"Class\":8,\"ClassComputedMap\":\"MassStorage\",\"Subclass\":6,\"Protocol\":80}]},\"UsbVolumeTrackingData\":{\"EnrollFileState\":5,\"EnrollFileStateComputedMap\":\"Enrollfileisvalidanditscontentmatches.\",\"FootprintFileState\":5,\"FootprintFileStateComputedMap\":\"Footprintfileisvalidanditscontentmatches\",\"VendorId\":1921,\"ProductId\":21889,\"SerialNumberHashSha256\":\"00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98\",\"EnrollGuid\":\"{2474130E-C1AA-4E37-A63E-88AA950FE3CA}\"},\"AccessFromNetwork\":{},\"Details\":{},\"DetailsType\":1,\"DetailsTypeComputedMap\":\"FILE_READ_DATA\",\"Path\":\"E:\\\\SystemVolumeInformation\\\\IndexerVolumeGuid\",\"MatchingPath\":\"\",\"VolumeZone\":32768,\"VolumeZoneComputedBitMap\":[\"Removableunknown\"],\"FileObjectType\":0,\"FileObjectTypeComputedMap\":\"FILE\",\"FileOwner\":\"\",\"FileOwnerNameLookup\":\"\",\"FileOwnerDomainLookup\":\"\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "FileRead", "category": [ "file" ], + "code": "FileRead", + "kind": "event", + "severity": 1, "type": [ "access" ] }, "@timestamp": "2023-06-15T01:45:11.623918Z", - "rule": { - "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + "file": { + "directory": "E:\\SystemVolumeInformation", + "name": "IndexerVolumeGuid", + "path": "E:\\SystemVolumeInformation\\IndexerVolumeGuid" }, "process": { - "pid": 196, - "start": "2023-06-14T09:12:07.073744Z", - "executable": "C:\\Windows\\System32\\SearchIndexer.exe", - "name": "SearchIndexer.exe", 
"command_line": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding", + "executable": "C:\\Windows\\System32\\SearchIndexer.exe", "hash": { - "sha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", "md5": "38E354B0E48633125C5AE4DF7A86AA27", + "sha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", "sha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" }, + "name": "SearchIndexer.exe", + "pid": 196, + "start": "2023-06-14T09:12:07.073744Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "38E354B0E48633125C5AE4DF7A86AA27", + "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", + "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" + ] + }, + "rule": { + "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "175", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "175" } - }, - "file": { - "path": "E:\\SystemVolumeInformation\\IndexerVolumeGuid", - "name": "IndexerVolumeGuid", - "directory": "E:\\SystemVolumeInformation" - }, - "related": { - "hash": [ - "38E354B0E48633125C5AE4DF7A86AA27", - "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", - "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" - ] } } 
@@ -1220,64 +1220,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":176,\"TypeComputedMap\":\"FileWrite\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C1ABD-CE40-4411-AFCB-FB4B8B330BF1}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:45:11.6219776+02:00\",\"TimestampRaw\":133312167116219776,\"SpecificData\":{\"SourceProcess\":{\"PID\":196,\"ProcessGuid\":\"{FE730151-438E-4EEC-A433-47C5D4E3B8F0}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\SearchIndexer.exe/Embedding\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-16384\",\"IntegrityLevelNameLookup\":\"SystemMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":0,\"HashMd5\":\"38E354B0E48633125C5AE4DF7A86AA27\",\"HashSha1\":\"E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD\",\"HashSha256\":\"FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-03-29T01:48:03.5290000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T11:12:07.0737445+02:00\",\"ProcessStartTimeRaw\":133312075270737445},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":9,\"RuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F9}\",\"BaseRuleGuid\":\"{7294769D-86DB-4448-89CB-80A6CF5CB8F8}\",\"IdentifierGuid\":\"{9BB
78BCC-E85C-4CB5-A6CC-26E21029385C}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"UsbDeviceInfo\":{\"VendorId\":1921,\"ProductId\":21889,\"Class\":0,\"ClassComputedMap\":\"UseclassinformationintheInterfaceDescriptors\",\"SubClass\":0,\"Protocol\":0,\"SerialNumber\":\"04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117\",\"VendorName\":\"USB\",\"ProductName\":\"SanDisk3.2Gen1\",\"Interfaces\":[{\"Class\":8,\"ClassComputedMap\":\"MassStorage\",\"Subclass\":6,\"Protocol\":80}]},\"UsbVolumeTrackingData\":{\"EnrollFileState\":5,\"EnrollFileStateComputedMap\":\"Enrollfileisvalidanditscontentmatches.\",\"FootprintFileState\":5,\"FootprintFileStateComputedMap\":\"Footprintfileisvalidanditscontentmatches\",\"VendorId\":1921,\"ProductId\":21889,\"SerialNumberHashSha256\":\"00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98\",\"EnrollGuid\":\"{2474130E-C1AA-4E37-A63E-88AA950FE3CA}\"},\"AccessFromNetwork\":{},\"Details\":{\"SecurityInformation\":5,\"SecurityInformationComputedBitMap\":[\"OWNER_SECURITY_INFORMATION\",\"DACL_SECURITY_INFORMATION\"]},\"DetailsType\":10,\"DetailsTypeComputedMap\":\"FILE_SET_SECURITY\",\"Path\":\"E:\\\\SystemVolumeInformation\",\"MatchingPath\":\"\",\"VolumeZone\":32768,\"VolumeZoneComputedBitMap\":[\"Removableunknown\"],\"FileObjectType\":0,\"FileObjectTypeComputedMap\":\"FILE\",\"FileOwner\":\"\",\"FileOwnerNameLookup\":\"\",\"FileOwnerDomainLookup\":\"\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "FileWrite", "category": [ "file" ], + "code": "FileWrite", + "kind": "event", + "severity": 1, "type": [ "change" ] }, "@timestamp": "2023-06-15T01:45:11.621977Z", - "rule": { - "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + "file": { + "directory": "E:", + "name": "SystemVolumeInformation", + "path": "E:\\SystemVolumeInformation" }, "process": { - "pid": 196, - "start": "2023-06-14T09:12:07.073744Z", - "executable": 
"C:\\Windows\\System32\\SearchIndexer.exe", - "name": "SearchIndexer.exe", "command_line": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding", + "executable": "C:\\Windows\\System32\\SearchIndexer.exe", "hash": { - "sha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", "md5": "38E354B0E48633125C5AE4DF7A86AA27", + "sha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", "sha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" }, + "name": "SearchIndexer.exe", + "pid": 196, + "start": "2023-06-14T09:12:07.073744Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, - "stormshield": { - "ses": { - "process": { - "user": { - "domain": "TEST" - } - }, - "type": "176", + "related": { + "hash": [ + "38E354B0E48633125C5AE4DF7A86AA27", + "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", + "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" + ] + }, + "rule": { + "uuid": "7294769D-86DB-4448-89CB-80A6CF5CB8F9" + }, + "stormshield": { + "ses": { "action": { "blocked": false, "user_decision": false }, + "process": { + "user": { + "domain": "TEST" + } + }, "source_process": { "killed": false - } + }, + "type": "176" } - }, - "file": { - "path": "E:\\SystemVolumeInformation", - "name": "SystemVolumeInformation", - "directory": "E:" - }, - "related": { - "hash": [ - "38E354B0E48633125C5AE4DF7A86AA27", - "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD", - "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF" - ] } } 
@@ -1291,68 +1291,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":177,\"TypeComputedMap\":\"FileDelete\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD06EECF-C8D3-4BBE-B98F-A0DC5EDDE0C8}\",\"Timestamp\":\"2023-06-15T04:20:00.0000000+01:00\",\"TimestampRaw\":133232376000000000,\"GenerateIncident\":false,\"SpecificData\":{\"DetailsType\":2,\"DetailsTypeComputedMap\":\"FILE_RENAME_SOURCE\",\"AccessFromNetwork\":{\"ShareName\":\"\\\\\\\\Something\",\"AddressFamily\":23,\"AddressFamilyComputedMap\":\"IPv6\",\"Address\":\"192.168.128.211\",\"Port\":22},\"UsbDeviceInfo\":{\"VendorName\":\"SanDisk\",\"VendorId\":1921,\"ProductName\":\"Ultra\",\"ProductId\":21889,\"SerialNumber\":\"4C530001211017121370\",\"Class\":1,\"SubClass\":3,\"Interfaces\":[{\"Class\":8,\"SubClass\":11},{\"Class\":18,\"SubClass\":9},{\"Class\":11,\"SubClass\":254}]},\"UsbVolumeTrackingData\":{\"EnrollFileState\":1,\"EnrollGuid\":\"bf93de07-e0e0-45c9-bfc1-3dfd4fb68ef2\",\"FootprintFileState\":5},\"FileOwner\":\"S-1-5-21-2222222-33333333-44444444-555\",\"FileObjectType\":0,\"FileObjectTypeComputedMap\":\"FILE\",\"MatchingPath\":\"c:\\\\tmp\\\\file2.txt\",\"VolumeZone\":64,\"VolumeZoneComputedBitMap\":[\"Floppy\"],\"Details\":{\"DesiredAccess\":null,\"Attributes\":null,\"FileName\":null,\"SourcePath\":null,\"DestinationPath\":\"c:\\\\test\\\\file1.txt\",\"Operation\":null,\"NewFileOwner\":null,\"OldFileOwner\":null,\"InformationClass\":null,\"SecurityInformation\":null,\"PageProtection\":null,\"Address\":null,\"Port\":null},\"FileOwnerNameLookup\":\"User1\",\"FileOwnerDomainLookup\":\"sshield1\",\"Path\":\"c:\\\\tmp\\\\file2.txt\",\"SourceProcess\":{\"PID\":8,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"f0fbb584-bc08-41d1-93a2-a04f8fc65c32\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD8FAFB111\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":5,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUntrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "FileDelete", "category": [ "file" ], + "code": "FileDelete", + "kind": "event", + "severity": 0, "type": [ "deletion" ] }, "@timestamp": "2023-06-15T03:20:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "file": { + "directory": "c:\\tmp", + "name": "file2.txt", + "owner": "User1", + "path": "c:\\tmp\\file2.txt" }, "process": { - "pid": 8, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "name": "OUTLOOK.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"", + 
"executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD8FAFB111", + "sha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "OUTLOOK.EXE", + "pid": 8, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD8FAFB111", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6" + ], + "user": [ + "User1" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "177", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "177" } - }, - "file": { - "owner": "User1", - "path": "c:\\tmp\\file2.txt", - "name": "file2.txt", - "directory": "c:\\tmp" - }, - "related": { - "user": [ - "User1" - ], - "hash": [ - "0470A1A62B3FAA0AF14D9AFD8FAFB111", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6" - ] } } 
@@ -1366,9 +1366,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20002,\"TypeComputedMap\":\"LostBuffers\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD084103-F26D-49EA-8890-70C7DB7A63A6}\",\"Timestamp\":\"2023-06-15T08:20:00.0000000+01:00\",\"TimestampRaw\":133232520000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LostBuffersCount\":30}}", "event": { + "code": "LostBuffers", "kind": "event", - "severity": 0, - "code": "LostBuffers" + "severity": 0 }, "@timestamp": "2023-06-15T07:20:00Z", "stormshield": { @@ -1388,12 +1388,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20003,\"TypeComputedMap\":\"NewPolicyNotification\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":4,\"AttributesComputedBitMap\":[\"Internal\"],\"EventGuid\":\"{AD093377-53C4-4595-860F-6CD64A4153FB}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:07:54.2839637+01:00\",\"TimestampRaw\":133225888742839637,\"SpecificData\":{\"PolicyName\":\"POL_TEST_ADE\",\"PolicyVersion\":3,\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersionInternal\":4}}", "event": { - "kind": "event", - "severity": 4, - "code": "NewPolicyNotification", "category": [ "configuration" ], + "code": "NewPolicyNotification", + "kind": "event", + "severity": 4, "type": [ "change" ] 
@@ -1419,9 +1419,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20004,\"TypeComputedMap\":\"ServiceDidNotEndCorrectly\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD021EAE-7C29-4B3F-852E-553B95D26471}\",\"Timestamp\":\"2023-06-15T08:40:00.0000000+01:00\",\"TimestampRaw\":133232532000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ServiceName\":\"EsaAppIdSvc\"}}", "event": { + "code": "ServiceDidNotEndCorrectly", "kind": "event", - "severity": 0, - "code": "ServiceDidNotEndCorrectly" + "severity": 0 }, "@timestamp": "2023-06-15T07:40:00Z", "stormshield": { @@ -1441,9 +1441,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20006,\"TypeComputedMap\":\"EndUpgradeAgentSucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CD620-F5A8-430B-8FA3-BEC8E204DC74}\",\"Timestamp\":\"2023-06-15T08:50:00.0000000+01:00\",\"TimestampRaw\":133232538000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndUpgradeAgentSucceeded", "kind": "event", - "severity": 0, - "code": "EndUpgradeAgentSucceeded" + "severity": 0 }, "@timestamp": "2023-06-15T07:50:00Z", "stormshield": { 
@@ -1463,9 +1463,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20007,\"TypeComputedMap\":\"EndUpgradeAgentFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD091E59-399B-4A0B-BB1F-7326C55502ED}\",\"Timestamp\":\"2023-06-15T09:00:00.0000000+01:00\",\"TimestampRaw\":133232544000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { + "code": "EndUpgradeAgentFailed", "kind": "event", - "severity": 0, - "code": "EndUpgradeAgentFailed" + "severity": 0 }, "@timestamp": "2023-06-15T08:00:00Z", "stormshield": { @@ -1485,9 +1485,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20008,\"TypeComputedMap\":\"NewPolicyErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD025B90-CBE6-4DF3-8F4B-BFD11E38270C}\",\"Timestamp\":\"2023-06-15T09:10:00.0000000+01:00\",\"TimestampRaw\":133232550000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyName\":null}}", "event": { + "code": "NewPolicyErrorNotification", "kind": "event", - "severity": 0, - "code": "NewPolicyErrorNotification" + "severity": 0 }, "@timestamp": "2023-06-15T08:10:00Z", "stormshield": { 
@@ -1507,9 +1507,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20009,\"TypeComputedMap\":\"InvalidHivePackage\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0951E4-DF4A-4D4A-A636-ABEB310BB6E0}\",\"Timestamp\":\"2023-06-15T09:20:00.0000000+01:00\",\"TimestampRaw\":133232556000000000,\"GenerateIncident\":false,\"SpecificData\":{\"HivePackageFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\maliviousHive.hive\",\"LoadingOperationStatus\":5}}", "event": { + "code": "InvalidHivePackage", "kind": "event", - "severity": 0, - "code": "InvalidHivePackage" + "severity": 0 }, "@timestamp": "2023-06-15T08:20:00Z", "stormshield": { @@ -1529,12 +1529,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20010,\"TypeComputedMap\":\"StartUninstallAgent\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD042AB6-2DDF-4B8A-A805-9619857ECDFF}\",\"Timestamp\":\"2023-06-15T09:30:00.0000000+01:00\",\"TimestampRaw\":133232562000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { - "kind": "event", - "severity": 0, - "code": "StartUninstallAgent", "category": [ "process" ], + "code": "StartUninstallAgent", + "kind": "event", + "severity": 0, "type": [ "start" ] 
@@ -1557,9 +1557,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20011,\"TypeComputedMap\":\"EndUninstallAgentSucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DB33A-2194-4800-AB4E-C2BBCCFDE65D}\",\"Timestamp\":\"2023-06-15T09:40:00.0000000+01:00\",\"TimestampRaw\":133232568000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndUninstallAgentSucceeded", "kind": "event", - "severity": 0, - "code": "EndUninstallAgentSucceeded" + "severity": 0 }, "@timestamp": "2023-06-15T08:40:00Z", "stormshield": { @@ -1579,9 +1579,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20012,\"TypeComputedMap\":\"EndUninstallAgentFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD075976-1881-4C1C-AB5F-ABE0E0430C9A}\",\"Timestamp\":\"2023-06-15T09:50:00.0000000+01:00\",\"TimestampRaw\":133232574000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndUninstallAgentFailed", "kind": "event", - "severity": 0, - "code": "EndUninstallAgentFailed" + "severity": 0 }, "@timestamp": "2023-06-15T08:50:00Z", "stormshield": { 
@@ -1601,9 +1601,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20013,\"TypeComputedMap\":\"InvalidPolicyPackageCab\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B6BB8-6422-478E-93D7-1D9DD7A61EC3}\",\"Timestamp\":\"2023-06-15T00:00:00.0000000+01:00\",\"TimestampRaw\":133232580000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyPackageCabFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\",\"LoadingOperationStatus\":5}}", "event": { + "code": "InvalidPolicyPackageCab", "kind": "event", - "severity": 0, - "code": "InvalidPolicyPackageCab" + "severity": 0 }, "@timestamp": "2023-06-14T23:00:00Z", "stormshield": { @@ -1623,9 +1623,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20014,\"TypeComputedMap\":\"EsScriptHostCreateFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C4A06-F13C-47F1-BF3C-FD7136C519A4}\",\"Timestamp\":\"2023-06-15T00:10:00.0000000+01:00\",\"TimestampRaw\":133232586000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ImplementationType\":0,\"StatusCode\":5}}", "event": { + "code": "EsScriptHostCreateFailure", "kind": "event", - "severity": 0, - "code": "EsScriptHostCreateFailure" + "severity": 0 }, "@timestamp": "2023-06-14T23:10:00Z", "stormshield": { 
@@ -1645,9 +1645,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20015,\"TypeComputedMap\":\"KernelCorruptionBugcheck\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0AA66F-5A03-4CE9-ABCD-86988444224C}\",\"Timestamp\":\"2023-06-15T00:20:00.0000000+01:00\",\"TimestampRaw\":133232592000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Bugcheck\":\"0x00000109 (0x00000000, 0x00000000, 0x00000000, 0x00000000)\"}}", "event": { + "code": "KernelCorruptionBugcheck", "kind": "event", - "severity": 0, - "code": "KernelCorruptionBugcheck" + "severity": 0 }, "@timestamp": "2023-06-14T23:20:00Z", "stormshield": { @@ -1667,9 +1667,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20016,\"TypeComputedMap\":\"InvalidPolicyPackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CDBE2-1FD9-43B4-80A3-219638B5C585}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232598000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"PolicyPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\"}}", "event": { + "code": "InvalidPolicyPackageSignature", "kind": "event", - "severity": 0, - "code": "InvalidPolicyPackageSignature" + "severity": 0 }, "@timestamp": "2023-06-14T23:30:00Z", "stormshield": { 
@@ -1689,9 +1689,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20017,\"TypeComputedMap\":\"StartAgentUpgrade\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09E443-8DC7-4315-98A7-1C48312B835E}\",\"Timestamp\":\"2023-06-15T00:40:00.0000000+01:00\",\"TimestampRaw\":133232604000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VersionFrom\":\"1.0.0.0\",\"VersionTo\":\"2.0.0.0\"}}", "event": { + "code": "StartAgentUpgrade", "kind": "event", - "severity": 0, - "code": "StartAgentUpgrade" + "severity": 0 }, "@timestamp": "2023-06-14T23:40:00Z", "stormshield": { @@ -1711,9 +1711,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20018,\"TypeComputedMap\":\"PolicyPackageSignerExpired\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FE5D0-593B-41FA-B642-98F1CC214FB8}\",\"Timestamp\":\"2023-06-15T00:50:00.0000000+01:00\",\"TimestampRaw\":133232610000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\"}}", "event": { + "code": "PolicyPackageSignerExpired", "kind": "event", - "severity": 0, - "code": "PolicyPackageSignerExpired" + "severity": 0 }, "@timestamp": "2023-06-14T23:50:00Z", "stormshield": { 
@@ -1733,9 +1733,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20019,\"TypeComputedMap\":\"SelfProtectionLrpcFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A7F5A-905E-4E0B-AE2C-F1DA2D610788}\",\"Timestamp\":\"2023-06-15T01:00:00.0000000+01:00\",\"TimestampRaw\":133232616000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ServerServiceName\":\"EsaAppIdSvc\",\"SelfProtectionModuleName\":\"EsaGuardSvc\",\"StatusCode\":5}}", "event": { + "code": "SelfProtectionLrpcFailure", "kind": "event", - "severity": 0, - "code": "SelfProtectionLrpcFailure" + "severity": 0 }, "@timestamp": "2023-06-15T00:00:00Z", "stormshield": { @@ -1755,9 +1755,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20020,\"TypeComputedMap\":\"NewPolicyFromUpdateErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0167A2-3042-453F-8E0C-F0B8BC76C13B}\",\"Timestamp\":\"2023-06-15T01:10:00.0000000+01:00\",\"TimestampRaw\":133232622000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyName\":null}}", "event": { + "code": "NewPolicyFromUpdateErrorNotification", "kind": "event", - "severity": 0, - "code": "NewPolicyFromUpdateErrorNotification" + "severity": 0 }, "@timestamp": "2023-06-15T00:10:00Z", "stormshield": { 
@@ -1777,9 +1777,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20021,\"TypeComputedMap\":\"NewPolicyFromUpdateNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0AEC3D-BAB1-4680-827B-FAB47FF00C8E}\",\"Timestamp\":\"2023-06-15T01:20:00.0000000+01:00\",\"TimestampRaw\":133232628000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"PolicyName\":null}}", "event": { + "code": "NewPolicyFromUpdateNotification", "kind": "event", - "severity": 0, - "code": "NewPolicyFromUpdateNotification" + "severity": 0 }, "@timestamp": "2023-06-15T00:20:00Z", "stormshield": { @@ -1799,9 +1799,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20022,\"TypeComputedMap\":\"NewConfigurationNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0533A5-A3D3-4F7E-A7B9-000FF784F592}\",\"Timestamp\":\"2023-06-15T01:30:00.0000000+01:00\",\"TimestampRaw\":133232634000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "NewConfigurationNotification", "kind": "event", - "severity": 0, - "code": "NewConfigurationNotification" + "severity": 0 }, "@timestamp": "2023-06-15T00:30:00Z", "stormshield": { 
@@ -1821,9 +1821,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20023,\"TypeComputedMap\":\"NewConfigurationErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0369FB-ED19-4402-A1E7-900E95350EB8}\",\"Timestamp\":\"2023-06-15T01:40:00.0000000+01:00\",\"TimestampRaw\":133232640000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5}}", "event": { + "code": "NewConfigurationErrorNotification", "kind": "event", - "severity": 0, - "code": "NewConfigurationErrorNotification" + "severity": 0 }, "@timestamp": "2023-06-15T00:40:00Z", "stormshield": { @@ -1843,9 +1843,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20024,\"TypeComputedMap\":\"NewConfigurationFromUpdateErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C916A-4D69-416B-8014-BB8C8E461CFB}\",\"Timestamp\":\"2023-06-15T01:50:00.0000000+01:00\",\"TimestampRaw\":133232646000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "NewConfigurationFromUpdateErrorNotification", "kind": "event", - "severity": 0, - "code": "NewConfigurationFromUpdateErrorNotification" + "severity": 0 }, "@timestamp": "2023-06-15T00:50:00Z", "stormshield": { 
@@ -1865,9 +1865,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20025,\"TypeComputedMap\":\"NewConfigurationFromUpdateNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A125B-DF69-440B-B388-B1A9477E7D92}\",\"Timestamp\":\"2023-06-15T02:00:00.0000000+01:00\",\"TimestampRaw\":133232652000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "NewConfigurationFromUpdateNotification", "kind": "event", - "severity": 0, - "code": "NewConfigurationFromUpdateNotification" + "severity": 0 }, "@timestamp": "2023-06-15T01:00:00Z", "stormshield": { @@ -1887,9 +1887,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20026,\"TypeComputedMap\":\"InvalidConfigurationPackageCab\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F5A8B-5487-4B22-981A-885363295252}\",\"Timestamp\":\"2023-06-15T02:10:00.0000000+01:00\",\"TimestampRaw\":133232658000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PackageCabFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsConfig.hive\",\"LoadingOperationStatus\":5}}", "event": { + "code": "InvalidConfigurationPackageCab", "kind": "event", - "severity": 0, - "code": "InvalidConfigurationPackageCab" + "severity": 0 }, "@timestamp": "2023-06-15T01:10:00Z", "stormshield": { 
@@ -1909,9 +1909,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20027,\"TypeComputedMap\":\"DowngradeIsNotAuthorized\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD010390-5326-4D21-9673-CD1B80EF7562}\",\"Timestamp\":\"2023-06-15T02:20:00.0000000+01:00\",\"TimestampRaw\":133232664000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "DowngradeIsNotAuthorized", "kind": "event", - "severity": 0, - "code": "DowngradeIsNotAuthorized" + "severity": 0 }, "@timestamp": "2023-06-15T01:20:00Z", "stormshield": { @@ -1931,9 +1931,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20028,\"TypeComputedMap\":\"SafeModeSessionNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0EF160-1AE3-47C3-8F2C-BA626C3D04C7}\",\"Timestamp\":\"2023-06-15T02:30:00.0000000+01:00\",\"TimestampRaw\":133232670000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LoginName\":\"User1\",\"Timestamp\":\"2023-03-13T10:54:24.6100962+01:00\"}}", "event": { + "code": "SafeModeSessionNotification", "kind": "event", - "severity": 0, - "code": "SafeModeSessionNotification" + "severity": 0 }, "@timestamp": "2023-06-15T01:30:00Z", "stormshield": { 
@@ -1953,25 +1953,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20030,\"TypeComputedMap\":\"MaintenanceModeStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B53D9-A9FF-4257-8A47-BA73FD9798EE}\",\"Timestamp\":\"2023-06-15T02:40:00.0000000+01:00\",\"TimestampRaw\":133232676000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "MaintenanceModeStart", "kind": "event", - "severity": 0, - "code": "MaintenanceModeStart" + "severity": 0 }, "@timestamp": "2023-06-15T01:40:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20030" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } @@ -1985,9 +1985,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20031,\"TypeComputedMap\":\"MaintenanceModeStop\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD067EED-CA85-4D98-8C35-8DC58D0943C3}\",\"Timestamp\":\"2023-06-15T02:50:00.0000000+01:00\",\"TimestampRaw\":133232682000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "MaintenanceModeStop", "kind": "event", - "severity": 0, - "code": "MaintenanceModeStop" + "severity": 0 }, "@timestamp": "2023-06-15T01:50:00Z", "stormshield": { 
@@ -2007,9 +2007,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20032,\"TypeComputedMap\":\"MaintenanceModeAgentUpgradePostponed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0871CA-224C-4600-A48A-B562DB058C09}\",\"Timestamp\":\"2023-06-15T03:00:00.0000000+01:00\",\"TimestampRaw\":133232688000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "MaintenanceModeAgentUpgradePostponed", "kind": "event", - "severity": 0, - "code": "MaintenanceModeAgentUpgradePostponed" + "severity": 0 }, "@timestamp": "2023-06-15T02:00:00Z", "stormshield": { @@ -2029,9 +2029,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20033,\"TypeComputedMap\":\"BfeIsStoppedNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E7607-D279-4188-BE30-E2A887B80D32}\",\"Timestamp\":\"2023-06-15T03:10:00.0000000+01:00\",\"TimestampRaw\":133232694000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "BfeIsStoppedNotification", "kind": "event", - "severity": 0, - "code": "BfeIsStoppedNotification" + "severity": 0 }, "@timestamp": "2023-06-15T02:10:00Z", "stormshield": { 
@@ -2051,25 +2051,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20034,\"TypeComputedMap\":\"RepairFailureNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0D4655-336D-4DD9-9532-78433F39364A}\",\"Timestamp\":\"2023-06-15T03:20:00.0000000+01:00\",\"TimestampRaw\":133232700000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"Result\":5}}", "event": { + "code": "RepairFailureNotification", "kind": "event", - "severity": 0, - "code": "RepairFailureNotification" + "severity": 0 }, "@timestamp": "2023-06-15T02:20:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20034" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } 
@@ -2083,25 +2083,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20035,\"TypeComputedMap\":\"RepairSuccessNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0BBCE5-0299-4F04-9858-756036BCBFBC}\",\"Timestamp\":\"2023-06-15T03:30:00.0000000+01:00\",\"TimestampRaw\":133232706000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "RepairSuccessNotification", "kind": "event", - "severity": 0, - "code": "RepairSuccessNotification" + "severity": 0 }, "@timestamp": "2023-06-15T02:30:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20035" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } @@ -2115,9 +2115,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20036,\"TypeComputedMap\":\"EndAgentModularityFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD071DC0-58B6-4166-93AC-5E53F025C724}\",\"Timestamp\":\"2023-06-15T03:40:00.0000000+01:00\",\"TimestampRaw\":133232712000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { + "code": "EndAgentModularityFailed", "kind": "event", - "severity": 0, - "code": "EndAgentModularityFailed" + "severity": 0 }, "@timestamp": "2023-06-15T02:40:00Z", "stormshield": { 
@@ -2137,9 +2137,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20037,\"TypeComputedMap\":\"EndAgentModularitySucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD016C2D-6BA8-4348-BA6D-92FB1CE190A8}\",\"Timestamp\":\"2023-06-15T03:50:00.0000000+01:00\",\"TimestampRaw\":133232718000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndAgentModularitySucceeded", "kind": "event", - "severity": 0, - "code": "EndAgentModularitySucceeded" + "severity": 0 }, "@timestamp": "2023-06-15T02:50:00Z", "stormshield": { @@ -2159,9 +2159,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20038,\"TypeComputedMap\":\"CommFinishFailedState\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD05A0F2-7163-4A09-9F2D-AB6EA6171047}\",\"Timestamp\":\"2023-06-15T04:00:00.0000000+01:00\",\"TimestampRaw\":133232724000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"State\":8,\"StateName\":\"PreviousStateName\"}}", "event": { + "code": "CommFinishFailedState", "kind": "event", - "severity": 0, - "code": "CommFinishFailedState" + "severity": 0 }, "@timestamp": "2023-06-15T03:00:00Z", "stormshield": { 
@@ -2181,9 +2181,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20039,\"TypeComputedMap\":\"ForcedPatchApplication\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09E4CF-09F4-4E78-A3E9-C4CB48471D46}\",\"Timestamp\":\"2023-06-15T04:10:00.0000000+01:00\",\"TimestampRaw\":133232730000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "ForcedPatchApplication", "kind": "event", - "severity": 0, - "code": "ForcedPatchApplication" + "severity": 0 }, "@timestamp": "2023-06-15T03:10:00Z", "stormshield": { @@ -2203,9 +2203,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20040,\"TypeComputedMap\":\"ChallengeStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04C00F-2052-440A-9E43-E685F60E2ACF}\",\"Timestamp\":\"2023-06-15T04:20:00.0000000+01:00\",\"TimestampRaw\":133232736000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Duration\":0,\"ChallengeAction\":3}}", "event": { + "code": "ChallengeStart", "kind": "event", - "severity": 0, - "code": "ChallengeStart" + "severity": 0 }, "@timestamp": "2023-06-15T03:20:00Z", "stormshield": { 
@@ -2225,25 +2225,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20041,\"TypeComputedMap\":\"ChallengeStop\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F233B-3CCE-470B-9312-A760E05C5065}\",\"Timestamp\":\"2023-06-15T04:30:00.0000000+01:00\",\"TimestampRaw\":133232742000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Manual\":true,\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ChallengeAction\":0}}", "event": { + "code": "ChallengeStop", "kind": "event", - "severity": 0, - "code": "ChallengeStop" + "severity": 0 }, "@timestamp": "2023-06-15T03:30:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20041" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } @@ -2257,9 +2257,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20042,\"TypeComputedMap\":\"ChallengeStopFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01D6E5-6517-4E2C-B029-8A4668B9A2BE}\",\"Timestamp\":\"2023-06-15T04:40:00.0000000+01:00\",\"TimestampRaw\":133232748000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { + "code": "ChallengeStopFailure", "kind": "event", - "severity": 0, - "code": "ChallengeStopFailure" + "severity": 0 }, "@timestamp": "2023-06-15T03:40:00Z", "stormshield": { 
@@ -2279,9 +2279,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20043,\"TypeComputedMap\":\"WrongCabinetVersion\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD052689-74F5-4E19-A0CE-13246249763C}\",\"Timestamp\":\"2023-06-15T04:50:00.0000000+01:00\",\"TimestampRaw\":133232754000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "WrongCabinetVersion", "kind": "event", - "severity": 0, - "code": "WrongCabinetVersion" + "severity": 0 }, "@timestamp": "2023-06-15T03:50:00Z", "stormshield": { @@ -2301,9 +2301,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20044,\"TypeComputedMap\":\"MultipleNetworkInterfacesMatchingTest\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07AF61-2014-44FF-83D1-FAFDEBA00A20}\",\"Timestamp\":\"2023-06-15T05:00:00.0000000+01:00\",\"TimestampRaw\":133232760000000000,\"GenerateIncident\":false,\"SpecificData\":{\"InterfaceName\":\"DEV\",\"InterfaceDescription\":\"Lorem Iterfacum\"}}", "event": { + "code": "MultipleNetworkInterfacesMatchingTest", "kind": "event", - "severity": 0, - "code": "MultipleNetworkInterfacesMatchingTest" + "severity": 0 }, "@timestamp": "2023-06-15T04:00:00Z", "stormshield": { 
@@ -2323,9 +2323,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20045,\"TypeComputedMap\":\"ChallengeStartFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04CFB2-80E8-4237-9345-B73E76623445}\",\"Timestamp\":\"2023-06-15T05:10:00.0000000+01:00\",\"TimestampRaw\":133232766000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { + "code": "ChallengeStartFailure", "kind": "event", - "severity": 0, - "code": "ChallengeStartFailure" + "severity": 0 }, "@timestamp": "2023-06-15T04:10:00Z", "stormshield": { 
@@ -2345,9 +2345,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20048,\"TypeComputedMap\":\"External\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A2E72-1187-4BF6-8773-235285060E82}\",\"Timestamp\":\"2023-06-15T05:20:00.0000000+01:00\",\"TimestampRaw\":133232772000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Description\":\"localized:EventForwarding_WinDefender_MalwareProtectionRealTimeProtectionFeatureConfigured\",\"OriginType\":2,\"ExtraData\":{\"Message\":\"This is a message\",\"_OriginalText\":\"2021 Mar 24 17:54:54 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(5007): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: W102004X64: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\ServiceStartStates = 0x1\\r\\n \\tNew value: Default\\\\ServiceStartStates = 0x0\"},\"Fields\":{\"BaseRuleGuid\":\"64a298f2-c9e8-451f-9637-84254d2d8332\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { + "code": "External", "kind": "event", - "severity": 0, - "code": "External" + "severity": 0 }, "@timestamp": "2023-06-15T04:20:00Z", "rule": { @@ -2355,14 +2355,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20048", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20048" } } } 
@@ -2377,25 +2377,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20049,\"TypeComputedMap\":\"ChallengeTooManyFailedAttempts\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C6027-57C5-40B8-9A45-34C3259FD352}\",\"Timestamp\":\"2023-06-15T05:30:00.0000000+01:00\",\"TimestampRaw\":133232778000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "ChallengeTooManyFailedAttempts", "kind": "event", - "severity": 0, - "code": "ChallengeTooManyFailedAttempts" + "severity": 0 }, "@timestamp": "2023-06-15T04:30:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20049" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } @@ -2409,9 +2409,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20050,\"TypeComputedMap\":\"MaintenanceModeAgentModularityPostponed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0BF97F-A000-4C5E-B2FD-A9673DB49C79}\",\"Timestamp\":\"2023-06-15T05:40:00.0000000+01:00\",\"TimestampRaw\":133232784000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "MaintenanceModeAgentModularityPostponed", "kind": "event", - "severity": 0, - "code": "MaintenanceModeAgentModularityPostponed" + "severity": 0 }, "@timestamp": "2023-06-15T04:40:00Z", "stormshield": { 
@@ -2431,9 +2431,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20051,\"TypeComputedMap\":\"EndUpgradeAgentNothingToDo\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD077BE1-8717-4796-AA97-4E4684223298}\",\"Timestamp\":\"2023-06-15T05:50:00.0000000+01:00\",\"TimestampRaw\":133232790000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndUpgradeAgentNothingToDo", "kind": "event", - "severity": 0, - "code": "EndUpgradeAgentNothingToDo" + "severity": 0 }, "@timestamp": "2023-06-15T04:50:00Z", "stormshield": { @@ -2453,9 +2453,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20052,\"TypeComputedMap\":\"EndUpgradeAgentGuidUpdated\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD02DCFD-B400-42C2-BE32-B96BB54D4C10}\",\"Timestamp\":\"2023-06-15T06:00:00.0000000+01:00\",\"TimestampRaw\":133232796000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "EndUpgradeAgentGuidUpdated", "kind": "event", - "severity": 0, - "code": "EndUpgradeAgentGuidUpdated" + "severity": 0 }, "@timestamp": "2023-06-15T05:00:00Z", "stormshield": { 
@@ -2475,9 +2475,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20053,\"TypeComputedMap\":\"MaintenanceModeStopFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07C559-BEF6-40F8-9624-C716A0F37F67}\",\"Timestamp\":\"2023-06-15T06:10:00.0000000+01:00\",\"TimestampRaw\":133232802000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":0}}", "event": { + "code": "MaintenanceModeStopFailed", "kind": "event", - "severity": 0, - "code": "MaintenanceModeStopFailed" + "severity": 0 }, "@timestamp": "2023-06-15T05:10:00Z", "stormshield": { 
@@ -2497,59 +2497,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20054,\"TypeComputedMap\":\"KerberosPassTheTicket\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F24A3-2C61-4822-89C7-25C274043270}\",\"Timestamp\":\"2023-06-15T06:20:00.0000000+01:00\",\"TimestampRaw\":133232808000000000,\"GenerateIncident\":false,\"SpecificData\":{\"KirbiFileFullPath\":\"C:\\\\mimikatz_trunk\\\\Win32\\\\MyTicket.kirbi\",\"Correlation\":{\"PackageGuid\":\"a0ba8928-f715-4d6f-b43e-5d020e67c030\",\"PackageVersion\":42},\"SourceProcess\":{\"PID\":9,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\Excel.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"9d367a6c-04e4-491b-baa8-25b674db96d9\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\Excel.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD8FAFB221\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0FA16F33D12116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "KerberosPassTheTicket", "category": [ "malware" ], + "code": "KerberosPassTheTicket", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T05:20:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 9, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", - "name": "Excel.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD8FAFB221", + "sha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7" }, + "name": "Excel.EXE", + "pid": 9, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD8FAFB221", + "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20054", - 
"action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20054" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D9AFD8FAFB221", - "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" - ] } } @@ -2563,12 +2563,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20055,\"TypeComputedMap\":\"ArpSpoofing\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD089472-11D1-45E7-859C-2185C0BC56EB}\",\"Timestamp\":\"2023-06-15T06:30:00.0000000+01:00\",\"TimestampRaw\":133232814000000000,\"GenerateIncident\":false,\"SpecificData\":{\"IPInterface\":\"172.30.225.122\",\"SpoofedIP\":\"172.30.225.121\",\"OldMacAddress\":\"00-ff-b7-1f-9d-10\",\"SpoofedMacAddress\":\"00-ff-b7-1f-9d-11\",\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "ArpSpoofing", "category": [ "malware" ], + "code": "ArpSpoofing", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -2579,14 +2579,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20055", "action": { "blocked": true, "user_decision": false }, "source_process": { "killed": true - } + }, + "type": "20055" } } } 
@@ -2601,32 +2601,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20056,\"TypeComputedMap\":\"AgentOperationCertutilDecodeMaliciousUsage\",\"Severity\":2,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD06E6EA-AC58-4B9F-96F2-1B4518003441}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:23:39.9571804+02:00\",\"TimestampRaw\":133311398199571804,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{FEFD7270-4013-94B9-0209-DEB987F40E89}\",\"PolicyVersion\":14,\"RuleGuid\":\"{BEA2239E-7249-40A8-90BC-CD2981295600}\",\"BaseRuleGuid\":\"{BEA2239E-7249-40A8-90BC-CD2981295600}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Correlation\":{\"PackageGuid\":\"{06F508DA-1AB4-4A01-977D-2FD6E51C7F97}\",\"PackageVersion\":6},\"SourceProcess\":{\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\certutil.exe\",\"VolumeZone\":1,\"HashSha1\":\"8564027153DCA487ECA613345AB3B2DE0ADD4F26\",\"ProcessStartTime\":\"2023-06-13T16:23:39.2631277+02:00\",\"SessionID\":2,\"UserNameLookup\":\"JOHNDOE\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"HashMd5\":\"018796D4670AC12865BE2F00382BBC8E\",\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"PID\":4904,\"CertificateSignatureState\":1,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ProcessGuid\":\"{10C09418-9E9C-40E2-B7F7-20D70068CB34}\",\"ProcessCommandLine\":\"certutil-decode\\\"C:\\\\Users\\\\Arkoon\\\\Desktop\\\\certutil-decode.cmd\\\"\\\"C:\\\\Users\\\\Arkoon\\\\AppData\\\\Local\\\\Temp\\\\pwned.exe\\\"\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"ProcessStartTimeRaw\":133311398192631277,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"SigningTime\":\"2023-05-18T00:55:31.4620000+02:00\",\"SubjectCN\":\"MicrosoftWindows\",\"ValidityEnd\":\"2024-02-01T02:05:42.0000000+02:00\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"ValidityStart\":\"2023-02-03T02:05:42.0000000+02:00\",\"Algorithm\":\"SHA256\"}],\"IsProtectedOrCritical\":false,\"HashSha256\":\"22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847\"},\"ParentProcess\":{\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"VolumeZone\":1,\"HashSha1\":\"F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D\",\"ProcessStartTime\":\"2023-06-13T16:23:39.0311777+02:00\",\"SessionID\":2,\"UserNameLookup\":\"JOHNDOE\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"HashMd5\":\"8A2122E8162DBEF04694B9C3E0B6CDEE\",\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"PID\":6808,\"CertificateSignatureState\":1,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ProcessGuid\":\"{387F337F-56ED-4924-B1CC-96357B1E27B3}\",\"ProcessCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe/c\\\"\\\"C:\\\\Users\\\\Arkoon\\\\Desktop\\\\certutil-decode.cmd\\\"\\\"\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"ProcessStartTimeRaw\":133311398190311777,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"SigningTime\":\"2023-04-28T03:05:05.3450000+02:00\",\"SubjectCN\":\"MicrosoftWindows\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"Algorithm\":\"SHA256\"}],\"IsProtectedOrCritical\":false,\"HashSha256\":\"B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450\"},\"SourceFilePath\":\"C:\\\\Users\\\\Arkoon\\\\Desktop\\\\certutil-decode.cmd\",\"DestinationFilePath\":\"C:\\\\Users\\\\Arkoon\\\\AppData\\\\Local\\\\Temp\\\\pwned.exe\",\"FileContentType\":0,\"FileContentTypeComputedMap\":\"Unknown\",\"FileContent\":\"406563686F206F66660D0A0D0A0D0A6563686F2E4465636F64696E6720656D6265646465642070726F6772616D2E2E2E0D0A7365742022544D505F46494C455F4E414D453D2554454D50255C70776E65\"}}", "event": { - "kind": "event", - "severity": 2, - "code": "AgentOperationCertutilDecodeMaliciousUsage", "category": [ "malware" ], + "code": "AgentOperationCertutilDecodeMaliciousUsage", + "kind": "event", + "severity": 2, "type": [ "info" ] }, "@timestamp": "2023-06-15T04:23:39.957180Z", - "rule": { - "uuid": "BEA2239E-7249-40A8-90BC-CD2981295600" - }, "process": { + "command_line": "certutil-decode\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe\"", + "executable": "C:\\Windows\\System32\\certutil.exe", + "hash": { + "md5": "018796D4670AC12865BE2F00382BBC8E", + "sha1": 
"8564027153DCA487ECA613345AB3B2DE0ADD4F26", + "sha256": "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847" + }, + "name": "certutil.exe", "parent": { - "pid": 6808, - "start": "2023-06-13T14:23:39.031177Z", - "executable": "C:\\Windows\\System32\\cmd.exe", - "name": "cmd.exe", "command_line": "C:\\WINDOWS\\system32\\cmd.exe/c\"\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"", + "executable": "C:\\Windows\\System32\\cmd.exe", "hash": { - "sha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE", + "sha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D", "sha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450" }, + "name": "cmd.exe", + "pid": 6808, + "start": "2023-06-13T14:23:39.031177Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" 
@@ -2634,50 +2639,45 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "pid": 4904, "start": "2023-06-13T14:23:39.263127Z", - "executable": "C:\\Windows\\System32\\certutil.exe", - "name": "certutil.exe", - "command_line": "certutil-decode\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe\"", - "hash": { - "sha1": "8564027153DCA487ECA613345AB3B2DE0ADD4F26", - "md5": "018796D4670AC12865BE2F00382BBC8E", - "sha256": "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847" - }, "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "018796D4670AC12865BE2F00382BBC8E", + "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847", + "8564027153DCA487ECA613345AB3B2DE0ADD4F26", + "8A2122E8162DBEF04694B9C3E0B6CDEE", + "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450", + "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D" + ] + }, + "rule": { + "uuid": "BEA2239E-7249-40A8-90BC-CD2981295600" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "parent": { "user": { "domain": "TEST" } + }, + "user": { + "domain": "TEST" } }, - "type": "20056", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20056" } - }, - "related": { - "hash": [ - "018796D4670AC12865BE2F00382BBC8E", - "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847", - "8564027153DCA487ECA613345AB3B2DE0ADD4F26", - "8A2122E8162DBEF04694B9C3E0B6CDEE", - "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450", - "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D" - ] } } 
@@ -2691,32 +2691,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20057,\"TypeComputedMap\":\"AgentOperationCertutilDownloadMaliciousUsage\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CE797-8230-47F1-A98E-2F273D1AF92A}\",\"Timestamp\":\"2023-06-15T06:50:00.0000000+01:00\",\"TimestampRaw\":133232826000000000,\"GenerateIncident\":false,\"SpecificData\":{\"DownloadUrl\":\"http://sample.xyz/malicious.encoded\",\"DestinationFilePath\":\"c:\\\\malicious\\\\malicious.encoded\",\"ParentProcess\":{\"PID\":2,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"UserSID\":null,\"SessionID\":2,\"ProcessGuid\":\"92c248f1-0acd-11ea-a38a-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\NOTEPAD.EXE\\\" C:\\\\Users\\\\arkoon\\\\Desktop\\\\_test\\\\test.totot\",\"HashMd5\":\"F1139811BBF61362915958806AD30211\",\"HashSha1\":\"D487580502354C61808C7180D1A336BEB7AD4624\",\"HashSha256\":\"F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Microsoft Windows Production PCA 2011\",\"SigningTime\":\"2019-11-07T04:32:51.5641056+01:00\",\"ValidityEnd\":\"2020-05-02T22:24:36.0705280+01:00\",\"ValidityStart\":\"2019-05-02T22:24:36.7807872+01:00\",\"SubjectCN\":\"Microsoft Windows\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"Correlation\":{\"PackageGuid\":\"c0d2b0ff-b222-43bb-b134-50e8f4589806\",\"PackageVersion\":42},\"SourceProcess\":{\"PID\":5,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e79-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\\\"\",\"HashMd5\":\"E6224FC8CF2A26B386934DAC0A3495D0\",\"HashSha1\":\"CF970FA39BA72CC531133EC327203EAD801DA846\",\"HashSha256\":\"A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":4,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4965475+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateRevoked\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", 
"event": { - "kind": "event", - "severity": 0, - "code": "AgentOperationCertutilDownloadMaliciousUsage", "category": [ "malware" ], + "code": "AgentOperationCertutilDownloadMaliciousUsage", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T05:50:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { + "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe\"", + "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe", + "hash": { + "md5": "E6224FC8CF2A26B386934DAC0A3495D0", + "sha1": "CF970FA39BA72CC531133EC327203EAD801DA846", + "sha256": "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737" + }, + "name": "EsGuiSrv.exe", "parent": { - "pid": 2, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Windows\\System32\\notepad.exe", - "name": "notepad.exe", "command_line": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\arkoon\\Desktop\\_test\\test.totot", + "executable": "C:\\Windows\\System32\\notepad.exe", "hash": { - "sha1": "D487580502354C61808C7180D1A336BEB7AD4624", "md5": "F1139811BBF61362915958806AD30211", + "sha1": "D487580502354C61808C7180D1A336BEB7AD4624", "sha256": "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" }, + "name": "notepad.exe", + "pid": 2, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" 
@@ -2724,59 +2729,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "pid": 5, "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe", - "name": "EsGuiSrv.exe", - "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe\"", - "hash": { - "sha1": "CF970FA39BA72CC531133EC327203EAD801DA846", - "md5": "E6224FC8CF2A26B386934DAC0A3495D0", - "sha256": "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737" - }, "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737", + "CF970FA39BA72CC531133EC327203EAD801DA846", + "D487580502354C61808C7180D1A336BEB7AD4624", + "E6224FC8CF2A26B386934DAC0A3495D0", + "F1139811BBF61362915958806AD30211", + "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "parent": { "user": { "domain": "TEST" } + }, + "user": { + "domain": "TEST" } }, - "type": "20057", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "20057" } }, "url": { - "original": "http://sample.xyz/malicious.encoded", "domain": "sample.xyz", - "top_level_domain": "xyz", - "registered_domain": "sample.xyz", + "original": "http://sample.xyz/malicious.encoded", "path": "/malicious.encoded", + "port": 80, + "registered_domain": "sample.xyz", "scheme": "http", - "port": 80 - }, - "related": { - "hash": [ - "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737", - "CF970FA39BA72CC531133EC327203EAD801DA846", - "D487580502354C61808C7180D1A336BEB7AD4624", - "E6224FC8CF2A26B386934DAC0A3495D0", - 
"F1139811BBF61362915958806AD30211", - "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" - ] + "top_level_domain": "xyz" } } @@ -2790,9 +2790,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20059,\"TypeComputedMap\":\"AgentInternalScriptRuntimeError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09A421-A13C-49BF-AB67-B48A5884C559}\",\"Timestamp\":\"2023-06-15T07:00:00.0000000+01:00\",\"TimestampRaw\":133232832000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ExecutionStatus\":0,\"ScriptGuid\":\"00000000-0000-0000-0000-000000000000\"}}", "event": { + "code": "AgentInternalScriptRuntimeError", "kind": "event", - "severity": 0, - "code": "AgentInternalScriptRuntimeError" + "severity": 0 }, "@timestamp": "2023-06-15T06:00:00Z", "stormshield": { 
@@ -2812,12 +2812,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20060,\"TypeComputedMap\":\"WmiPersistence\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0903E9-4EEC-4EE0-9CBF-50E00F367470}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T07:02:14.4361240+02:00\",\"TimestampRaw\":133311421344361240,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{FEFD7270-4013-94B9-0209-DEB987F40E89}\",\"PolicyVersion\":14,\"RuleGuid\":\"{D9AC047B-591C-42EA-86AD-0997EE000BEF}\",\"BaseRuleGuid\":\"{D9AC047B-591C-42EA-86AD-0997EE000BEF}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":true,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Correlation\":{\"PackageGuid\":\"{B757A1F5-8658-4567-A380-73F189F507E6}\",\"PackageVersion\":2},\"ConsumerType\":0,\"ConsumerTypeComputedMap\":\"CommandLineEventConsumer\",\"ExecutedAction\":\"cmd.exe/cecho%ProcessId%>>c:\\\\\\\\\\\\\\\\tmp\\\\\\\\\\\\\\\\log.txt\",\"ActionName\":\"Log01\",\"Trigger\":\"Query=\\\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\\\"\",\"Namespace\":\"root/subscription\",\"ESS\":\"Log01\",\"Consumer\":\"CommandLineEventConsumer=\\\"Log01\\\"\",\"PossibleCause\":\"BindingEventFilter:\\ninstanceof__EventFilter\\n{\\n\\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\\n\\tEventNamespace=\\\"root/cimv2\\\";\\n\\tName=\\\"Log01\\\";\\n\\tQuery=\\\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\\\";\\n\\tQueryLanguage=\\\"WQL\\\";\\n};\\nPerm.Consumer:\\ninstanceofCommandLineEventConsumer\\n{\\n\\tCommandLineTemplate=\\\"cmd.exe/cecho%ProcessId%>>c:\\\\\\\\\\\\\\\\tmp\\\\\\\\\\\\\\\\log.txt\\\";\\n\\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\\n\\tName=\\\"Log01\\\";\\n};
\\n\",\"TimeCreated\":\"2023-06-13T15:02:08.6658788Z\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "WmiPersistence", "category": [ "malware" ], + "code": "WmiPersistence", + "kind": "event", + "severity": 1, "type": [ "info" ] @@ -2828,14 +2828,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20060", "action": { "blocked": true, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20060" } } } 
@@ -2850,59 +2850,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20061,\"TypeComputedMap\":\"Discovery\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B6953-1407-4F68-B7BB-0540BD9F32B3}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T08:00:22.3680507+01:00\",\"TimestampRaw\":133203492223680517,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}\",\"PolicyVersion\":1,\"RuleGuid\":\"{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}\",\"BaseRuleGuid\":\"{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true},\"Correlation\":{\"PackageGuid\":\"{9D0A8212-4B3F-4ABA-9548-D5AAB6095E19}\",\"PackageVersion\":4},\"SourceProcess\":{\"VolumeZone\":1,\"IntegrityLevel\":\"S-1-16-8192\",\"UserNameLookup\":\"JOHNDOE\",\"HashSha1\":\"F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D\",\"CertificateSignatureState\":1,\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"ProcessGuid\":\"{9AC2D00F-F8B3-4917-B750-B3DAC7E6DC81}\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"SigningTime\":\"2022-06-09T00:22:44.7850000+01:00\",\"ValidityStart\":\"2021-09-02T19:23:40.0000000+01:00\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"ValidityEnd\":\"2022-09-01T19:23:40.0000000+01:00\"}],\"HashSha256\":\"B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"ProcessStartTimeRaw\":133203492157056139,\"UserDomainLookup\":\"TEST\",\"ProcessStartTime\":\"2023-02-08T18:00:15.7056139+01:00\",\"PID\":5204,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\"IsProtectedOrCritical\":false,\"HashMd5\":\"8A2122E8162DBEF04694B9C3E0B6CDEE\",\"SessionID\":2},\"DiscoveryProcess\":{\"VolumeZone\":1,\"IntegrityLevel\":\"S-1-16-8192\",\"UserNameLookup\":\"JOHNDOE\",\"HashSha1\":\"D9BBB4E4900FF03B0486FAC32768170249DAD82D\",\"CertificateSignatureState\":1,\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"ProcessGuid\":\"{D7235320-A1CF-4151-9451-1DFE77BC0F89}\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"SigningTime\":\"2022-06-09T01:51:05.6030000+01:00\",\"ValidityStart\":\"2021-09-02T19:23:40.0000000+01:00\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"ValidityEnd\":\"2022-09-01T19:23:40.0000000+01:00\"}],\"HashSha256\":\"53E000F5AA9B3A00934319DB8080BB99CB323BF48FC628A64F75D7847C265606\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\ipconfig.exe\",\"ProcessStartTimeRaw\":133203492215762286,\"UserDomainLookup\":\"TEST\",\"ProcessStartTime\":\"2023-02-08T18:00:21.5762286+01:00\",\"PID\":5364,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"ProcessCommandLine\":\"ipconfig\",\"IsProtectedOrCritical\":false,\"HashMd5\":\"62F170FB07FDBB79CEB7147101406EB8\",\"SessionID\":2},\"BeginningTime\":\"2023-02-08T18:00:15.7184398+01:00\",\"TriggerTime\":\"2023-02-08T18:00:21.5797212+01:00\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "Discovery", "category": [ "malware" ], + "code": "Discovery", + "kind": "event", + "severity": 1, "type": [ "info" ] }, "@timestamp": "2023-06-15T07:00:22.368050Z", - "rule": { - "uuid": "468C2651-0EC0-42C5-A1D1-CA89F057DC0A" - }, "process": { - "pid": 5204, - "start": "2023-02-08T17:00:15.705613Z", - "executable": "C:\\Windows\\System32\\cmd.exe", - "name": "cmd.exe", "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "C:\\Windows\\System32\\cmd.exe", "hash": { - "sha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D", "md5": "8A2122E8162DBEF04694B9C3E0B6CDEE", + "sha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D", "sha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450" }, + "name": "cmd.exe", + "pid": 5204, + "start": "2023-02-08T17:00:15.705613Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": 
"JOHNDOE" } }, + "related": { + "hash": [ + "8A2122E8162DBEF04694B9C3E0B6CDEE", + "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450", + "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D" + ] + }, + "rule": { + "uuid": "468C2651-0EC0-42C5-A1D1-CA89F057DC0A" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20061", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "20061" } - }, - "related": { - "hash": [ - "8A2122E8162DBEF04694B9C3E0B6CDEE", - "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450", - "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D" - ] } } @@ -2916,25 +2916,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20062,\"TypeComputedMap\":\"AgentInternalUninstallForbidden\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04A57F-EE9F-4D86-AAD5-E7FC20313376}\",\"Timestamp\":\"2023-06-15T07:30:00.0000000+01:00\",\"TimestampRaw\":133232850000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UninstallAttemptDateTime\":\"2020-07-07T09:29:06.066110400Z\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "AgentInternalUninstallForbidden", "kind": "event", - "severity": 0, - "code": "AgentInternalUninstallForbidden" + "severity": 0 }, "@timestamp": "2023-06-15T06:30:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20062" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } 
@@ -2948,9 +2948,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20063,\"TypeComputedMap\":\"AgentInternalLogExceedMaxSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD062E12-865A-4B16-B57B-37205E59277B}\",\"Timestamp\":\"2023-06-15T07:40:00.0000000+01:00\",\"TimestampRaw\":133232856000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FaultyLogType\":1010,\"FaultyLogTypeComputedMap\":null}}", "event": { + "code": "AgentInternalLogExceedMaxSize", "kind": "event", - "severity": 0, - "code": "AgentInternalLogExceedMaxSize" + "severity": 0 }, "@timestamp": "2023-06-15T06:40:00Z", "stormshield": { @@ -2970,9 +2970,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20064,\"TypeComputedMap\":\"StartModularityAgent\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F3A16-4E4E-4790-B3EB-5558D437C77E}\",\"Timestamp\":\"2023-06-15T07:50:00.0000000+01:00\",\"TimestampRaw\":133232862000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "StartModularityAgent", "kind": "event", - "severity": 0, - "code": "StartModularityAgent" + "severity": 0 }, "@timestamp": "2023-06-15T06:50:00Z", "stormshield": { 
@@ -2992,9 +2992,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20065,\"TypeComputedMap\":\"StartRepairAgent\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD000F33-953C-49B2-9E91-A9D0D16FABFB}\",\"Timestamp\":\"2023-06-15T08:00:00.0000000+01:00\",\"TimestampRaw\":133232868000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "StartRepairAgent", "kind": "event", - "severity": 0, - "code": "StartRepairAgent" + "severity": 0 }, "@timestamp": "2023-06-15T07:00:00Z", "stormshield": { @@ -3014,9 +3014,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20066,\"TypeComputedMap\":\"AgentInternalVolumeWithoutShadowStorage\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07B4CE-114A-42D1-8080-3E10EAAF1F3A}\",\"Timestamp\":\"2023-06-15T08:10:00.0000000+01:00\",\"TimestampRaw\":133232874000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VolumePath\":\"\\\\\\\\?\\\\Volume{3799cd4d-464b-4908-9537-3984827f7c29}\\\\\",\"DriveLetter\":\"C:\\\\\",\"VolumeLabel\":\"some label\"}}", "event": { + "code": "AgentInternalVolumeWithoutShadowStorage", "kind": "event", - "severity": 0, - "code": "AgentInternalVolumeWithoutShadowStorage" + "severity": 0 }, "@timestamp": "2023-06-15T07:10:00Z", "stormshield": { 
@@ -3036,9 +3036,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20067,\"TypeComputedMap\":\"AgentInternalShadowCopyCreationFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04DBA1-AC27-47D4-ABBF-588CD950C127}\",\"Timestamp\":\"2023-06-15T08:20:00.0000000+01:00\",\"TimestampRaw\":133232880000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VolumePath\":\"\\\\\\\\?\\\\Volume{a14d9f90-5db7-4b3c-8cf1-d9bd2f9f1a64}\\\\\",\"DriveLetter\":\"C:\\\\\",\"VolumeLabel\":\"some label\",\"ErrorCode\":5}}", "event": { + "code": "AgentInternalShadowCopyCreationFailure", "kind": "event", - "severity": 0, - "code": "AgentInternalShadowCopyCreationFailure" + "severity": 0 }, "@timestamp": "2023-06-15T07:20:00Z", "stormshield": { 
@@ -3058,59 +3058,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20068,\"TypeComputedMap\":\"Ransomware\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C67CC-83EF-4966-8001-10A3B8B13EAC}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T05:23:07.3454198+01:00\",\"TimestampRaw\":133225861873454198,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersion\":2,\"RuleGuid\":\"{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}\",\"BaseRuleGuid\":\"{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true},\"Correlation\":{\"PackageGuid\":\"{C4E948CC-1082-47B9-BE66-10A1B88A3202}\",\"PackageVersion\":4},\"SourceProcess\":{\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"PID\":5816,\"VolumeZone\":1,\"HashMd5\":\"04029E121A0CFA5991749937DD22A1D9\",\"ProcessStartTimeRaw\":133225860434012095,\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"HighMandatoryLevel\",\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"\",\"ProcessStartTime\":\"2023-03-06T15:20:43.4012095+01:00\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"CertificateSignatureState\":1,\"IsProtectedOrCritical\":false,\"SessionID\":2,\"Certificates\":[{\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2022-12-02T00:08:48.1500000+01:00\",\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"ValidityEnd\":\"2023-05-04T20:23:14.0000000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:14.0000000+01:00\"}],\"HashSha1\":\"F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054\",\"CertificateSignatureStateComputedMap
\":\"SignatureStateTrusted\",\"HashSha256\":\"9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"ProcessGuid\":\"{70FCCA79-9933-4734-8CD6-28AE2E501771}\",\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"UserNameLookup\":\"JOHNDOE\"},\"AlteredFileListFilePath\":\"C:\\\\ProgramData\\\\Stormshield\\\\SESEvolution\\\\Agent\\\\Diagnostics\\\\RansomwareProtection\\\\encrypted_files2023-03-0615-23-07.txt\",\"OverallAlteredFilesCount\":10,\"AlteredFiles\":[{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(1).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(1).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(10).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(10).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(11).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(11).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(12).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(12).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(13).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(13).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(14).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(14).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(15).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(15).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(16).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(16).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(17).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(17).txt.jmBrN\"},{\"SourceFilename\":\"C:\\\\tmp\\\\Rans\\\\TX
T\\\\Fichier-Copie(18).txt\",\"DestinationFilename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(18).txt.jmBrN\"}]}}", "event": { - "kind": "event", - "severity": 1, - "code": "Ransomware", "category": [ "malware" ], + "code": "Ransomware", + "kind": "event", + "severity": 1, "type": [ "info" ] }, "@timestamp": "2023-06-15T04:23:07.345419Z", - "rule": { - "uuid": "158E5AB3-C2D2-4707-A8B0-9CD58950B8E2" - }, "process": { - "pid": 5816, - "start": "2023-03-06T14:20:43.401209Z", - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "name": "powershell.exe", "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { - "sha1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054", "md5": "04029E121A0CFA5991749937DD22A1D9", + "sha1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054", "sha256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F" }, + "name": "powershell.exe", + "pid": 5816, + "start": "2023-03-06T14:20:43.401209Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "04029E121A0CFA5991749937DD22A1D9", + "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", + "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054" + ] + }, + "rule": { + "uuid": "158E5AB3-C2D2-4707-A8B0-9CD58950B8E2" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20068", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "20068" } - }, - "related": { - "hash": [ - "04029E121A0CFA5991749937DD22A1D9", - "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F", - "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054" - ] } } 
@@ -3124,9 +3124,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20069,\"TypeComputedMap\":\"AgentInternalResourcePackageDownloadFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09591B-3AF8-4605-96DE-64B269B9173E}\",\"Timestamp\":\"2023-06-15T08:40:00.0000000+01:00\",\"TimestampRaw\":133232892000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"ResourceGuid\":\"28110024-5807-45eb-9b7b-3aed55cb3f04\"}}", "event": { + "code": "AgentInternalResourcePackageDownloadFailed", "kind": "event", - "severity": 0, - "code": "AgentInternalResourcePackageDownloadFailed" + "severity": 0 }, "@timestamp": "2023-06-15T07:40:00Z", "stormshield": { @@ -3146,9 +3146,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20070,\"TypeComputedMap\":\"AgentInternalInvalidResourcePackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD018FE1-B276-4EB6-9E00-9A1CE516E02E}\",\"Timestamp\":\"2023-06-15T08:50:00.0000000+01:00\",\"TimestampRaw\":133232898000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"ResourceGuid\":\"ce78187e-1062-4075-9bce-d8c92ee2b99e\",\"ResourcePackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsResource.cab\"}}", "event": { + "code": "AgentInternalInvalidResourcePackageSignature", "kind": "event", - "severity": 0, - "code": "AgentInternalInvalidResourcePackageSignature" + "severity": 0 }, "@timestamp": "2023-06-15T07:50:00Z", "stormshield": { 
@@ -3168,9 +3168,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20071,\"TypeComputedMap\":\"AgentInternalSecOpsInvalidPackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B84DD-18EA-4C30-8D5B-91D288F9368A}\",\"Timestamp\":\"2023-06-15T09:00:00.0000000+01:00\",\"TimestampRaw\":133232904000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"SecOpsGuid\":\"b9092244-2249-44bb-ae2d-f9e50a2b0b10\",\"SecOpsPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\SecOpsTask.cab\"}}", "event": { + "code": "AgentInternalSecOpsInvalidPackageSignature", "kind": "event", - "severity": 0, - "code": "AgentInternalSecOpsInvalidPackageSignature" + "severity": 0 }, "@timestamp": "2023-06-15T08:00:00Z", "stormshield": { @@ -3190,9 +3190,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20072,\"TypeComputedMap\":\"AgentInternalSecOpsInvalidJsonSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E2013-BED1-4DC5-95FB-A881DB5F386A}\",\"Timestamp\":\"2023-06-15T09:10:00.0000000+01:00\",\"TimestampRaw\":133232910000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":-1609564141,\"SecOpsGuid\":\"fbba1fb1-efda-4bba-9929-2d5eae03344e\",\"SecOpsPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\SecOpsTask.cab\",\"JsonSize\":10241}}", "event": { + "code": "AgentInternalSecOpsInvalidJsonSize", "kind": "event", - "severity": 0, - "code": "AgentInternalSecOpsInvalidJsonSize" + "severity": 0 }, "@timestamp": "2023-06-15T08:10:00Z", "stormshield": { 
@@ -3212,9 +3212,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20073,\"TypeComputedMap\":\"AgentInternalDowngradeWithPivotVersion223IsRequired\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD02148D-0FE6-4428-805C-3B1A58BB1E1D}\",\"Timestamp\":\"2023-06-15T09:20:00.0000000+01:00\",\"TimestampRaw\":133232916000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { + "code": "AgentInternalDowngradeWithPivotVersion223IsRequired", "kind": "event", - "severity": 0, - "code": "AgentInternalDowngradeWithPivotVersion223IsRequired" + "severity": 0 }, "@timestamp": "2023-06-15T08:20:00Z", "stormshield": { 
@@ -3234,53 +3234,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":2,\"Type\":20079,\"TypeComputedMap\":\"AgentOperationYaraProcessAnalysisMatch\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FD776-0C61-4946-BA0C-185518A0361C}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:58:14.4201973+02:00\",\"TimestampRaw\":133300870944201973,\"SpecificData\":{\"SourceProcess\":{\"PID\":5848,\"ProcessGuid\":\"{36C8E9F1-41B8-44FF-B482-FD11D323D5C7}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"C6CD12BF63E9B9B4478E6F975E7C293D\",\"HashSha1\":\"FE02128E2A9AF073DB5D6B3843469CA87391C22A\",\"HashSha256\":\"E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-06T12:27:04.6400000+02:00\",\"ValidityStart\":\"2022-05-05T21:23:15.0000000+02:00\",\"ValidityEnd\":\"2023-05-04T21:23:15.0000000+02:00\"}],\"ProcessStartTime\":\"2023-05-31T13:05:25.0959518+02:00\",\"ProcessStartTimeRaw\":133300047250959518},\"Action\":{\"PolicyGuid\":\"{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}\",\"PolicyVersion\":4,\"RuleGuid\":\"{6D01E214-075E-472C-A56D-3C6042DEA832}\",\"BaseRuleGuid\":\"{CF2EB1A3-0A18-4406-B284-F72A4E21D34F}\",\"IdentifierGuid\":\"{00000000-0000-00
00-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{919C4A6A-F381-4D01-A159-34C85152B5DF}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{41FD7022-DCDA-4ECE-983D-C780EC4315CA}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7243}\",\"AssociatedRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7245}\"},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\explorer.exe\",\"FileCreateTime\":\"2023-01-12T10:52:38.2994281+02:00\",\"LastModified\":\"2023-01-12T10:52:38.4088025+02:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"C6CD12BF63E9B9B4478E6F975E7C293D\",\"HashSha1\":\"FE02128E2A9AF073DB5D6B3843469CA87391C22A\",\"HashSha256\":\"E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C\",\"HashSSDeep\":\"49152:JFV7+LB3mKxTLHWBwPvfb0xer5TaNFLGO3LL6Y6IEF98C21rf2JGno/n7w8A7/eE:obULwVw8a0cDl\"},\"MatchedYaraRules\":[{\"MatchedRule\":\"test_yaralib_pe_module_is_pe_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_pe_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]},{\"MatchedRule\":\"test_yaralib_pe_module_is_x64_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_x64_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]}]}}", "event": { + "code": "AgentOperationYaraProcessAnalysisMatch", "kind": "event", - "severity": 1, - "code": "AgentOperationYaraProcessAnalysisMatch" + "severity": 1 }, 
"@timestamp": "2023-06-14T23:58:14.420197Z", - "rule": { - "uuid": "6D01E214-075E-472C-A56D-3C6042DEA832" - }, "process": { - "pid": 5848, - "start": "2023-05-31T11:05:25.095951Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A", "md5": "C6CD12BF63E9B9B4478E6F975E7C293D", + "sha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A", "sha256": "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C" }, + "name": "explorer.exe", + "pid": 5848, + "start": "2023-05-31T11:05:25.095951Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "C6CD12BF63E9B9B4478E6F975E7C293D", + "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C", + "FE02128E2A9AF073DB5D6B3843469CA87391C22A" + ] + }, + "rule": { + "uuid": "6D01E214-075E-472C-A56D-3C6042DEA832" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20079", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20079" } - }, - "related": { - "hash": [ - "C6CD12BF63E9B9B4478E6F975E7C293D", - "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C", - "FE02128E2A9AF073DB5D6B3843469CA87391C22A" - ] } } 
@@ -3294,53 +3294,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":2,\"Type\":20080,\"TypeComputedMap\":\"AgentOperationYaraFileAnalysisMatch\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD08DEF4-1B0B-4DA3-8DDE-AAB23C392453}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:43:47.9837872+02:00\",\"TimestampRaw\":133300862279837872,\"SpecificData\":{\"SourceProcess\":{\"PID\":2520,\"ProcessGuid\":\"{A9344FD4-981C-4460-84B3-6649405DAF60}\",\"ProcessImageName\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1\",\"SubjectCN\":\"Notepad++\",\"SigningTime\":\"2023-05-15T06:12:16.0000000+02:00\",\"ValidityStart\":\"2022-05-13T02:00:00.0000000+02:00\",\"ValidityEnd\":\"2025-05-15T01:59:59.0000000+02:00\"}],\"ProcessStartTime\":\"2023-05-31T13:17:23.8002785+02:00\",\"ProcessStartTimeRaw\":133300054438002785},\"Action\":{\"PolicyGuid\":\"{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}\",\"PolicyVersion\":2,\"RuleGuid\":\"{41314BB5-45D2-4878-812A-6ED813D00D0B}\",\"BaseRuleGuid\":\"{5D368004-E074-42FA-8674-B35
BA3C1FA89}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{68A0C3B1-05C5-4508-B22C-E87526EB8CB9}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{31BEA723-FB51-4461-A812-F7B379F09E8A}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7243}\",\"AssociatedRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7245}\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"FileCreateTime\":\"2023-05-15T06:12:14.0000000+02:00\",\"LastModified\":\"2023-05-15T06:12:14.0000000+02:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"HashSSDeep\":\"49152:5d9VFXdEK1BPN2efc5bjaMOoDsKEj45gvV+/QFw935Gt4/fDT5dOotDVhJJao0gB:p26UcvVUDDxD2MdpU/KGHiLUiRt/moD\"},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"FileCreateTime\":\"2023-05-15T06:12:14.0000000+02:00\",\"LastModified\":\"2023-05-15T06:12:14.0000000+02:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"HashSSDeep\":\"49152:5d9VFXdEK1BPN2efc5bjaMOoDsKEj45gvV+/QFw935Gt4/fDT5dOotDVhJJao0gB:p26UcvVUDDxD2MdpU/KGHiLUiRt/moD\"},\"MatchedYaraRules\":[{\"Matched
Rule\":\"test_yaralib_pe_module_is_pe_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_pe_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]},{\"MatchedRule\":\"test_yaralib_pe_module_is_x64_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_x64_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]}]}}", "event": { + "code": "AgentOperationYaraFileAnalysisMatch", "kind": "event", - "severity": 1, - "code": "AgentOperationYaraFileAnalysisMatch" + "severity": 1 }, "@timestamp": "2023-06-14T23:43:47.983787Z", - "rule": { - "uuid": "41314BB5-45D2-4878-812A-6ED813D00D0B" - }, "process": { - "pid": 2520, - "start": "2023-05-31T11:17:23.800278Z", - "executable": "C:\\ProgramFiles\\Notepad++\\notepad++.exe", - "name": "notepad++.exe", "command_line": "\"C:\\ProgramFiles\\Notepad++\\notepad++.exe\"", + "executable": "C:\\ProgramFiles\\Notepad++\\notepad++.exe", "hash": { - "sha1": "ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0", "md5": "B7E5E966EBB9C302155D6B6E0DA21721", + "sha1": "ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0", "sha256": "31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B" }, + "name": "notepad++.exe", + "pid": 2520, + "start": "2023-05-31T11:17:23.800278Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B", + "B7E5E966EBB9C302155D6B6E0DA21721", + "ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0" + ] + }, + "rule": { + "uuid": "41314BB5-45D2-4878-812A-6ED813D00D0B" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20080", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20080" } - }, - 
"related": { - "hash": [ - "31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B", - "B7E5E966EBB9C302155D6B6E0DA21721", - "ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0" - ] } } 
@@ -3354,9 +3354,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20081,\"TypeComputedMap\":\"AgentOperationYaraFileAnalysisMatchNoSourceProcess\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD06C8B7-7883-4C8B-862F-D9F67EA08BE7}\",\"Timestamp\":\"2023-06-15T09:50:00.0000000+01:00\",\"TimestampRaw\":133232934000000000,\"GenerateIncident\":false,\"SpecificData\":{\"MatchedYaraRules\":[{\"MatchedRule\":\"First Yara rule\",\"Tags\":null,\"Metadatas\":[{\"MetadataKey\":\"First metadata key\",\"MetadataValue\":\"First metadata value\"},{\"MetadataKey\":\"Second metadata key\",\"MetadataValue\":\"Second metadata value\"}]},{\"MatchedRule\":\"Second Yara rule\",\"Tags\":[\"First tag\",\"Second tag\",\"Third tag\"],\"Metadatas\":null},{\"MatchedRule\":\"Third Yara rule\",\"Tags\":[\"First tag\",\"Second tag\",\"Third tag\"],\"Metadatas\":[{\"MetadataKey\":\"First metadata key\",\"MetadataValue\":\"First metadata value\"},{\"MetadataKey\":\"Second metadata key\",\"MetadataValue\":\"Second metadata value\"}]}],\"FileDetails\":{\"FileFullPath\":\"C:\\\\Program 
Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\",\"FileCreateTime\":\"2021-06-05T15:33:12.3858496+01:00\",\"LastModified\":\"2021-06-05T15:33:12.3858496+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"0EB8934F47F01E59CAC3FE0E946EE516\",\"HashSha1\":\"B4CF1A5A6577BA51971B7B7094F0EED281B29223\",\"HashSha256\":\"D36B2DC6907940B9FDBDFEFCDCD49C9F1224922E77F1374C807C961E346239C8\",\"HashSSDeep\":\"384:m7Oi2cWe/2Hnd+GQW6bbA2WinQW6j32UkXLsK6QW6cI2i+eQW6fC26rjNfQW67AV:m7+nSRPXHQS+h9pxvxQfiRW8m1pPBWa\"},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"00000000-0000-0000-0000-000000000000\",\"Triggers\":8,\"AssociatedRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedBaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedEventGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedScheduledTaskGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedSecOpsGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedSecOpsRequestGuid\":\"00000000-0000-0000-0000-000000000000\"}}}", "event": { + "code": "AgentOperationYaraFileAnalysisMatchNoSourceProcess", "kind": "event", - "severity": 0, - "code": "AgentOperationYaraFileAnalysisMatchNoSourceProcess" + "severity": 0 }, "@timestamp": "2023-06-15T08:50:00Z", "stormshield": { 
@@ -3376,32 +3376,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20082,\"TypeComputedMap\":\"PpidSpoofing\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD073784-5E81-4084-8814-9AC10C3EF1C6}\",\"Timestamp\":\"2023-06-15T00:00:00.0000000+01:00\",\"TimestampRaw\":133232940000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ParentProcess\":{\"PID\":6,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e83-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF44D9AFD9FAFB111\",\"HashSha1\":\"0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6\",\"HashSha256\":\"2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":8,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4765488+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadSignature\"},\"CreatedProcess\":{\"PID\":3,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e1d-0f85-11ea-a38e-806e6f6e6963\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"HashMd5\":\"FAE441A6EC7FD8F55A404797A25C8910\",\"HashSha1\":\"141C964905C4CA2110AD8FBFC3D17C960A9B9A54\",\"HashSha256\":\"70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":null,\"IntegrityLevelNameLookup\":null,\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"Description\":\"Log Test\",\"Correlation\":{\"PackageGuid\":\"9172e535-7180-467a-874a-d92eb7a43d28\",\"PackageVersion\":42},\"SourceProcess\":{\"PID\":10,\"ProcessImageName\":\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"fc36ccb9-c9b6-495e-8ead-26e1536df4ad\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 
3.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D91238FAFB111\",\"HashSha1\":\"AC9F34399C7C5A6324EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":7,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadContent\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "PpidSpoofing", "category": [ "malware" ], + "code": "PpidSpoofing", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:00:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "action": { + "properties": { + "TargetCommandLine": "C:\\Windows\\system32\\services.exe", + "TargetImage": "C:\\Windows\\System32\\services.exe" + } }, "process": { + "command_line": "\"C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", + "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", + "hash": { + "md5": "0470A1A62B3FAA0AF14D91238FAFB111", + "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", + "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" + }, + "name": "Balsamiq Mockups 3.exe", "parent": { - "pid": 6, - "start": 
"2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", - "name": "EsScript.exe", "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe\"", + "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", "hash": { - "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "md5": "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "sha256": "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "EsScript.exe", + "pid": 6, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" 
@@ -3409,61 +3420,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "pid": 10, "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", - "name": "Balsamiq Mockups 3.exe", - "command_line": "\"C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", - "hash": { - "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", - "md5": "0470A1A62B3FAA0AF14D91238FAFB111", - "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" - }, "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D91238FAFB111", + "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", + "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "parent": { "user": { "domain": "TEST" } }, "target": { - "executable": "C:\\Windows\\System32\\services.exe", "command_line": "C:\\Windows\\system32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", "pid": "3" + }, + "user": { + "domain": "TEST" } }, - "type": "20082", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } - } - }, - "action": { - "properties": { - "TargetImage": "C:\\Windows\\System32\\services.exe", - "TargetCommandLine": "C:\\Windows\\system32\\services.exe" + }, + "type": "20082" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D91238FAFB111", - "0470A1A62B3FAA0AF44D9AFD9FAFB111", - "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", - 
"2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" - ] } } @@ -3477,18 +3477,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20083,\"TypeComputedMap\":\"IntegrityStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DDBD7-BAC9-4F75-932D-8B68A34A6A7F}\",\"Timestamp\":\"2023-06-15T00:10:00.0000000+01:00\",\"TimestampRaw\":133232946000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "IntegrityStart", "kind": "event", - "severity": 0, - "code": "IntegrityStart" + "severity": 0 }, "@timestamp": "2023-06-14T23:10:00Z", - "user": { - "id": "S-1-5-21-2222222-33333333-44444444-555" - }, "stormshield": { "ses": { "type": "20083" } + }, + "user": { + "id": "S-1-5-21-2222222-33333333-44444444-555" } } 
@@ -3502,25 +3502,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20084,\"TypeComputedMap\":\"IntegritySuccessNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0ED49D-9AA5-4470-A585-65B8A8DDAF49}\",\"Timestamp\":\"2023-06-15T00:20:00.0000000+01:00\",\"TimestampRaw\":133232952000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "IntegritySuccessNotification", "kind": "event", - "severity": 0, - "code": "IntegritySuccessNotification" + "severity": 0 }, "@timestamp": "2023-06-14T23:20:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20084" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } 
@@ -3534,18 +3534,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20085,\"TypeComputedMap\":\"RepairSuccessWithRebootNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A53CA-5607-4B5C-A69D-BBE54085E159}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232958000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "RepairSuccessWithRebootNotification", "kind": "event", - "severity": 0, - "code": "RepairSuccessWithRebootNotification" + "severity": 0 }, "@timestamp": "2023-06-14T23:30:00Z", - "user": { - "id": "S-1-5-21-2222222-33333333-44444444-555" - }, "stormshield": { "ses": { "type": "20085" } + }, + "user": { + "id": "S-1-5-21-2222222-33333333-44444444-555" } } 
@@ -3559,25 +3559,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20086,\"TypeComputedMap\":\"RepairSuccessWithoutRebootNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07A96B-A47A-49A7-9430-D87EE24D362B}\",\"Timestamp\":\"2023-06-15T00:40:00.0000000+01:00\",\"TimestampRaw\":133232964000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { + "code": "RepairSuccessWithoutRebootNotification", "kind": "event", - "severity": 0, - "code": "RepairSuccessWithoutRebootNotification" + "severity": 0 }, "@timestamp": "2023-06-14T23:40:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20086" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } 
@@ -3591,25 +3591,25 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20087,\"TypeComputedMap\":\"IntegrityErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FEB10-4AEA-4290-B09D-C89FE4025222}\",\"Timestamp\":\"2023-06-15T00:50:00.0000000+01:00\",\"TimestampRaw\":133232970000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"Result\":5}}", "event": { + "code": "IntegrityErrorNotification", "kind": "event", - "severity": 0, - "code": "IntegrityErrorNotification" + "severity": 0 }, "@timestamp": "2023-06-14T23:50:00Z", - "user": { - "name": "JOHNDOE", - "domain": "TEST", - "id": "S-1-5-21-2222222-33333333-44444444-555" + "related": { + "user": [ + "JOHNDOE" + ] }, "stormshield": { "ses": { "type": "20087" } }, - "related": { - "user": [ - "JOHNDOE" - ] + "user": { + "domain": "TEST", + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" } } 
@@ -3623,12 +3623,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20089,\"TypeComputedMap\":\"AgentRemediationRemoveFile\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD0EF126-5D36-4566-9A32-8593CC49D14F}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:40:30.8104532+01:00\",\"TimestampRaw\":133222380308104532,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":0,\"ResultComputedMap\":\"Success\",\"StatusCode\":0,\"SecOpsTaskGuid\":\"{C416DCE5-1A8A-41C1-8011-47BD6B5F3BD1}\",\"SecOpsTaskRequestGuid\":\"{FB62B75C-EF25-4CD9-96F3-C0739790C932}\"},\"TargetResourcePath\":\"C:\\\\tmp\\\\Outils\\\\SysInternalTools\\\\AccessEnum.exe\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationRemoveFile", "category": [ "file" ], + "code": "AgentRemediationRemoveFile", + "kind": "event", + "severity": 3, "type": [ "deletion" ] 
@@ -3651,12 +3651,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20090,\"TypeComputedMap\":\"AgentRemediationKillProcess\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD0EEDAA-A2BD-44D4-8D11-7B04561402E7}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:14:54.4956830+01:00\",\"TimestampRaw\":133222364944956830,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":0,\"ResultComputedMap\":\"Success\",\"StatusCode\":0,\"SecOpsTaskGuid\":\"{31DB74FB-6E97-4B19-A6A5-5AA89DAE89F3}\",\"SecOpsTaskRequestGuid\":\"{75F53708-EF88-47A9-97D7-80860E11CE68}\"},\"TargetResourcePath\":\"C:\\\\ProgramFiles\\\\WindowsNT\\\\Accessories\\\\wordpad.exe\",\"ProcessPID\":6544,\"KillChildren\":true}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationKillProcess", "category": [ "process" ], + "code": "AgentRemediationKillProcess", + "kind": "event", + "severity": 3, "type": [ "end" ] 
@@ -3679,26 +3679,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20091,\"TypeComputedMap\":\"AgentRemediationRemoveRegistryKey\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD0283A0-17CB-4489-A523-A57F738B0785}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T05:05:45.9777231+01:00\",\"TimestampRaw\":133225851459777231,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":2,\"ResultComputedMap\":\"Error\",\"StatusCode\":-2147024891,\"SecOpsTaskGuid\":\"{B138E2EE-44DF-419F-8DA7-7C545042CD9D}\",\"SecOpsTaskRequestGuid\":\"{2C524176-967B-48B9-986C-133F8CECA476}\"},\"TargetResourcePath\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationRemoveRegistryKey", "category": [ "registry" ], + "code": "AgentRemediationRemoveRegistryKey", + "kind": "event", + "severity": 3, "type": [ "deletion" ] }, "@timestamp": "2023-06-15T04:05:45.977723Z", + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE" + }, "stormshield": { "ses": { "type": "20091" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE" } } 
@@ -3712,26 +3712,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20092,\"TypeComputedMap\":\"AgentRemediationRemoveRegistryValue\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD0F8E33-E64C-4F46-BF17-D15ED6293319}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:40:51.1314021+01:00\",\"TimestampRaw\":133225836511314021,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":1,\"ResultComputedMap\":\"Ignore\",\"StatusCode\":538247172,\"SecOpsTaskGuid\":\"{8AEA4BCA-5605-4647-880F-2CF9349EAA30}\",\"SecOpsTaskRequestGuid\":\"{B0352589-BF7C-4751-B2BC-02D909FDB5ED}\"},\"TargetResourcePath\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\",\"TargetResourceName\":\"Value2\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationRemoveRegistryValue", "category": [ "registry" ], + "code": "AgentRemediationRemoveRegistryValue", + "kind": "event", + "severity": 3, "type": [ "deletion" ] }, "@timestamp": "2023-06-15T03:40:51.131402Z", + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE" + }, "stormshield": { "ses": { "type": "20092" } - }, - "registry": { - "path": "HKEY_LOCAL_MACHINE\\SOFTWARE", - "hive": "HKEY_LOCAL_MACHINE", - "key": "SOFTWARE" } } 
@@ -3745,26 +3745,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20093,\"TypeComputedMap\":\"AgentRemediationSetRegistryValue\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD0A780A-CE3F-4AE5-BAB1-12923D5ED0F9}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:19:30.3592781+01:00\",\"TimestampRaw\":133225895703592781,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":0,\"ResultComputedMap\":\"Success\",\"StatusCode\":0,\"SecOpsTaskGuid\":\"{E1BC8B48-5B05-44D5-9840-FBB32EB9EB03}\",\"SecOpsTaskRequestGuid\":\"{B1FFCA74-1971-4EAD-9861-5868C699384A}\"},\"TargetResourcePath\":\"HKEY_USERS\\\\S-1-5-21-2222222-33333333-44444444-555\\\\SOFTWARE\\\\TEST_ADE\",\"TargetResourceName\":\"Valeur_String\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationSetRegistryValue", "category": [ "registry" ], + "code": "AgentRemediationSetRegistryValue", + "kind": "event", + "severity": 3, "type": [ "change" ] }, "@timestamp": "2023-06-15T05:19:30.359278Z", + "registry": { + "hive": "HKEY_USERS", + "key": "S-1-5-21-2222222-33333333-44444444-555\\SOFTWARE\\TEST_ADE", + "path": "HKEY_USERS\\S-1-5-21-2222222-33333333-44444444-555\\SOFTWARE\\TEST_ADE" + }, "stormshield": { "ses": { "type": "20093" } - }, - "registry": { - "path": "HKEY_USERS\\S-1-5-21-2222222-33333333-44444444-555\\SOFTWARE\\TEST_ADE", - "hive": "HKEY_USERS", - "key": "S-1-5-21-2222222-33333333-44444444-555\\SOFTWARE\\TEST_ADE" } } 
@@ -3778,30 +3778,30 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20094,\"TypeComputedMap\":\"AgentRemediationExecutePowershellScript\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD02781E-45F4-4696-900A-0ACE3D39C133}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:58:15.9040047+01:00\",\"TimestampRaw\":133225846959040047,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":0,\"ResultComputedMap\":\"Success\",\"StatusCode\":0,\"SecOpsTaskGuid\":\"{0ABBCDE4-EF79-4AB5-A1B9-A2B4E45400DD}\",\"SecOpsTaskRequestGuid\":\"{B2893A58-3CC4-41D0-B93A-C7F3FE5A8174}\"},\"ScriptName\":\"Sleep.ps1\",\"ScriptGuid\":\"{2A643516-C835-436C-94BD-9F699819C108}\",\"ScriptExitCode\":0,\"ScriptOutputFilePath\":\"C:\\\\ProgramData\\\\Stormshield\\\\SESEvolution\\\\Agent\\\\Diagnostics\\\\ScriptsLog\\\\Remediation\\\\script_Sleep_2023-03-06T13_57_44_565.log\",\"ScriptOutput\":\"DATA_MAPPING_CONTROL\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationExecutePowershellScript", "category": [ "malware" ], + "code": "AgentRemediationExecutePowershellScript", + "kind": "event", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-06-15T03:58:15.904004Z", - "stormshield": { - "ses": { - "type": "20094" - } + "file": { + "directory": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\ScriptsLog\\Remediation", + "name": "script_Sleep_2023-03-06T13_57_44_565.log", + "path": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\ScriptsLog\\Remediation\\script_Sleep_2023-03-06T13_57_44_565.log" }, "process": { "executable": "Sleep.ps1", "name": "Sleep.ps1" }, - "file": { - "path": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\ScriptsLog\\Remediation\\script_Sleep_2023-03-06T13_57_44_565.log", - "name": 
"script_Sleep_2023-03-06T13_57_44_565.log", - "directory": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\ScriptsLog\\Remediation" + "stormshield": { + "ses": { + "type": "20094" + } } } 
@@ -3815,12 +3815,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20095,\"TypeComputedMap\":\"AgentRemediationExtractFilesFromShadowCopy\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":3,\"ServerReserved\":2,\"Attributes\":128,\"AttributesComputedBitMap\":[\"Remediation\"],\"EventGuid\":\"{AD076098-8C76-4FE6-A77D-F68AEDE5CF44}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T05:47:08.7369109+01:00\",\"TimestampRaw\":133225876287369109,\"SpecificData\":{\"RemediationSpecificData\":{\"Result\":0,\"ResultComputedMap\":\"Success\",\"StatusCode\":0,\"SecOpsTaskGuid\":\"{0BE24A51-3A3E-473A-BE36-D251107D7240}\",\"SecOpsTaskRequestGuid\":\"{D6648978-E8CA-49E5-A663-D9D1E16ABE4A}\"},\"TargetResourcePath\":\"C:\\\\ProgramData\\\\Stormshield\\\\SESEvolution\\\\Agent\\\\Diagnostics\\\\RansomwareProtection\\\\Remediation_2023-03-06T14_47_08_321.log\",\"RestoredFilesCount\":10,\"OverallAlteredFilesCount\":10,\"RestoredFiles\":[{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(1).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(10).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(11).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(12).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(13).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(14).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(15).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(16).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(17).txt\"},{\"Filename\":\"C:\\\\tmp\\\\Rans\\\\TXT\\\\Fichier-Copie(18).txt\"}]}}", "event": { - "kind": "event", - "severity": 3, - "code": "AgentRemediationExtractFilesFromShadowCopy", "category": [ "file" ], + "code": "AgentRemediationExtractFilesFromShadowCopy", + "kind": "event", + "severity": 3, "type": [ "info" ] 
@@ -3843,36 +3843,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20097,\"TypeComputedMap\":\"AgentOperationIocAnalysisNamedObjectMatch\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD072C3D-AB1C-4368-809E-BF2BFF2EFA27}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:07:53.6558208+01:00\",\"TimestampRaw\":133228372736558208,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{6349DD3C-CE0F-4EC0-B47D-588E0C1E6077}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{E8C67A70-F6C2-4F77-96A9-4FB3835AD7B4}\",\"AssociatedSecOpsRequestGuid\":\"{6E0C19BA-6A69-4C3D-AC78-ED53CF5DD85D}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"ObjectType\":12,\"ObjectTypeComputedMap\":\"Mutant\",\"ObjectFullPath\":\"\\\\BaseNamedObjects\\\\TestMutex\",\"MatchedStrings\":[\"TestMutex\"]}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisNamedObjectMatch", "category": [ "malware" ], + "code": "AgentOperationIocAnalysisNamedObjectMatch", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-15T02:07:53.655820Z", + "file": { + "directory": "\\BaseNamedObjects", + "name": "TestMutex", + "path": 
"\\BaseNamedObjects\\TestMutex" + }, "rule": { "uuid": "00000000-0000-0000-0000-000000000000" }, "stormshield": { "ses": { - "type": "20097", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20097" } - }, - "file": { - "path": "\\BaseNamedObjects\\TestMutex", - "name": "TestMutex", - "directory": "\\BaseNamedObjects" } } 
@@ -3886,13 +3886,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20098,\"TypeComputedMap\":\"AgentOperationIocAnalysisEventLogMatch\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01BB83-9B82-408C-8939-5F88CF949F3C}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:53:21.4493866+02:00\",\"TimestampRaw\":133294892014493866,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{E9811493-6DC4-48AC-B463-88AD229DEFD3}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{DF270F34-2515-4960-81C1-3A30B5A24F1C}\",\"AssociatedSecOpsRequestGuid\":\"{11E5EDAA-512B-4D3C-8652-81C94C0DB9D7}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"Channel\":\"Security\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventTypeId\":5058,\"EventTimestamp\":\"2023-05-25T00:00:15.6197403+02:00\",\"EventXml\":\"5058101229200x802000000000000011610SecuritySLS-AHandlerSES.test.localS-1-5-20SLS-AHANDLERSES$TEST0x3e426482023-05-24T13:50:07.933149300ZMicrosoftSoftwareKeyStorageProviderUNKNOWN{ACBB9007-7D21-4AF1-982E-8A47B0F2BB63}%%2500C:\\\\Windows\\\\ServiceProfiles\\\\NetworkService\\\\AppData\\\\Roaming\\\\Microsoft\\\\Crypto\\\\Keys\\\\7a93793b6404c4af5e1f6403f45ed59e_6218503d-90d3-45cc-8364-dfa965c89518%%24580x0\",\"Eve
ntDetails\":\"Keyfileoperation.\\r\\n\\r\\nSubject:\\r\\n\\tSecurityID:\\t\\tS-1-5-20\\r\\n\\tAccountName:\\t\\tSLS-AHANDLERSES$\\r\\n\\tAccountDomain:\\t\\tTEST\\r\\n\\tLogonID:\\t\\t0x3E4\\r\\n\\r\\nProcessInformation:\\r\\n\\tProcessID:\\t\\t2648\\r\\n\\tProcessCreationTime:\\t\u200e2023\u200e-\u200e05\u200e-\u200e24T13:50:07.933149300Z\\r\\n\\r\\nCryptographicParameters:\\r\\n\\tProviderName:\\tMicrosoftSoftwareKeyStorageProvider\\r\\n\\tAlgorithmName:\\tUNKNOWN\\r\\n\\tKeyName:\\t{ACBB9007-7D21-4AF1-982E-8A47B0F2BB63}\\r\\n\\tKeyType:\\tUserkey.\\r\\n\\r\\nKeyFileOperationInformation:\\r\\n\\tFilePath:\\tC:\\\\Windows\\\\ServiceProfiles\\\\NetworkService\\\\AppData\\\\Roaming\\\\Microsoft\\\\Crypto\\\\Keys\\\\7a93793b6404c4af5e1f6403f45ed59e_6218503d-90d3-45cc-8364-dfa965c89518\\r\\n\\tOperation:\\tReadpersistedkeyfromfile.\\r\\n\\tReturnCode:\\t0x0\",\"MatchedStrings\":[\"Ygg9\"]}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisEventLogMatch", - "provider": "Microsoft-Windows-Security-Auditing", "category": [ "malware" ], + "code": "AgentOperationIocAnalysisEventLogMatch", + "kind": "event", + "provider": "Microsoft-Windows-Security-Auditing", + "severity": 4, "type": [ "info" ] @@ -3903,14 +3903,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20098", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20098" } } } 
@@ -3925,59 +3925,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20099,\"TypeComputedMap\":\"AgentOperationIocAnalysisFilenameMatch\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DD64D-8F6E-4335-96FA-FBB643DDFEDA}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:30:18.9637194+01:00\",\"TimestampRaw\":133228422189637194,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{C59092CF-D526-4C36-915E-03BE46F2D7C1}\",\"PolicyVersion\":1,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{31B00338-D1AC-4350-97A2-3A2E22B4E985}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{84A64211-111D-4B8D-BB81-056DB6033E1E}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{AB5199CE-8818-48F5-B7B8-F81614B0E159}\",\"AssociatedRuleGuid\":\"{AB5199CE-8818-48F5-B7B8-F81614B0E15A}\"},\"SourceProcess\":{\"PID\":7832,\"ProcessGuid\":\"{EDBD8108-81A8-488A-A7AA-9E977FD696CE}\",\"ProcessImageName\":\"C:\\\\Python37\\\\python.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"\\\"c:\\\\python37\\\\python.exe\\\"\\\"C:\\\\Python37\\\\Scripts\\\\robot.exe\\\"--loglevelTRACE--debugfiledebug.txt--outputdirC:\\\\frigg_report_level_3\\\\20230309143015[f49af303-d075-419a-966a-4235bf2fb16f]_[AT-10X64PRO]_[AnalysisOnFileACL]--includeScenarioIOCOnDetectionANDAgentANDAnalysisOnFileACL--variableLVL3_TAGFAMILY:ScenarioIOCOnDetectionANDAgentANDAnalysisOnFileACL--variableLVL3_REPORT_LINK:file://///192.168.131.17/frigg_level_3_for_user/20230309143015[f49af303-d075-419a-966a-4235bf2fb16f]_[AT-10X64PRO]_[AnalysisOnFileACL]/log.html--variableLVL1_UUID:SES_v2.4.0_Evolution__2023-03-09_14-24-40--variableLVL2_UUID:f49af303-d075-419a-966a-4235bf2fb16f--variableFRIGG_COMMIT:8d570fe75a2ae31e1553b4d26c78cdd06b980f12--variableINFRASTRUCTURE:primary--pythonpathC:\\\\Frigg\\\\src--suitestatlevel4--variableSECTION_TAG:SECTION_IOCC:\\\\Frigg\\\\src\\\\frigg\\\\poolsrf\\\\Scenarios\\\\IOCOnDetection\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"HighMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"606EA23A6E2CA45D2B601DEE04AA68DB\",\"HashSha1\":\"56ED184B6865F8137885CD1994D18763E8D22B9F\",\"HashSha256\":\"07AE6C5FD655FA9F9D86138B7D8FD6361A2418C359BF0CE55DB9A86CE31575E1\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"DigiCertSHA2AssuredIDCodeSigningCA\",\"SubjectCN\":\"PythonSoftwareFoundation\",\"SigningTime\":\"2019-10-15T01:12:48.0000000+01:00\",\"ValidityStart\":\"2018-12-18T01:00:00.0000000+01:00\",\"ValidityEnd\":\"2021-12-22T13:00:00.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-09T14:30:15.1408260+01:00\",\"ProcessStartTimeRaw\":133228422151408260},\"FullPath\":\"C:\\\\tmp\\\\filecreate.txt\",\"MatchedSt
rings\":[\"filecreate\"]}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisFilenameMatch", "category": [ "malware" ], + "code": "AgentOperationIocAnalysisFilenameMatch", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-15T03:30:18.963719Z", - "rule": { - "uuid": "00000000-0000-0000-0000-000000000000" - }, "process": { - "pid": 7832, - "start": "2023-03-09T13:30:15.140826Z", - "executable": "C:\\Python37\\python.exe", - "name": "python.exe", "command_line": "\"c:\\python37\\python.exe\"\"C:\\Python37\\Scripts\\robot.exe\"--loglevelTRACE--debugfiledebug.txt--outputdirC:\\frigg_report_level_3\\20230309143015[f49af303-d075-419a-966a-4235bf2fb16f]_[AT-10X64PRO]_[AnalysisOnFileACL]--includeScenarioIOCOnDetectionANDAgentANDAnalysisOnFileACL--variableLVL3_TAGFAMILY:ScenarioIOCOnDetectionANDAgentANDAnalysisOnFileACL--variableLVL3_REPORT_LINK:file://///192.168.131.17/frigg_level_3_for_user/20230309143015[f49af303-d075-419a-966a-4235bf2fb16f]_[AT-10X64PRO]_[AnalysisOnFileACL]/log.html--variableLVL1_UUID:SES_v2.4.0_Evolution__2023-03-09_14-24-40--variableLVL2_UUID:f49af303-d075-419a-966a-4235bf2fb16f--variableFRIGG_COMMIT:8d570fe75a2ae31e1553b4d26c78cdd06b980f12--variableINFRASTRUCTURE:primary--pythonpathC:\\Frigg\\src--suitestatlevel4--variableSECTION_TAG:SECTION_IOCC:\\Frigg\\src\\frigg\\poolsrf\\Scenarios\\IOCOnDetection", + "executable": "C:\\Python37\\python.exe", "hash": { - "sha1": "56ED184B6865F8137885CD1994D18763E8D22B9F", "md5": "606EA23A6E2CA45D2B601DEE04AA68DB", + "sha1": "56ED184B6865F8137885CD1994D18763E8D22B9F", "sha256": "07AE6C5FD655FA9F9D86138B7D8FD6361A2418C359BF0CE55DB9A86CE31575E1" }, + "name": "python.exe", + "pid": 7832, + "start": "2023-03-09T13:30:15.140826Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "07AE6C5FD655FA9F9D86138B7D8FD6361A2418C359BF0CE55DB9A86CE31575E1", + "56ED184B6865F8137885CD1994D18763E8D22B9F", + 
"606EA23A6E2CA45D2B601DEE04AA68DB" + ] + }, + "rule": { + "uuid": "00000000-0000-0000-0000-000000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20099", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20099" } - }, - "related": { - "hash": [ - "07AE6C5FD655FA9F9D86138B7D8FD6361A2418C359BF0CE55DB9A86CE31575E1", - "56ED184B6865F8137885CD1994D18763E8D22B9F", - "606EA23A6E2CA45D2B601DEE04AA68DB" - ] } } 
@@ -3991,36 +3991,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20100,\"TypeComputedMap\":\"AgentOperationIocAnalysisFilenameMatchNoSourceProcess\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0359AD-F6F6-4600-83DD-80BD350547CD}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:07:53.7120847+01:00\",\"TimestampRaw\":133228372737120847,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{9A8EE5F9-D1D6-4625-972E-211C4F38530C}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{180E7BA4-0D3B-4A80-92C1-AA923CC259C3}\",\"AssociatedSecOpsRequestGuid\":\"{6E0C19BA-6A69-4C3D-AC78-ED53CF5DD85D}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"FullPath\":\"c:\\\\tmp\\\\IOC_filename_type_match.txt\",\"MatchedStrings\":[\"IOC_filename_type\"]}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisFilenameMatchNoSourceProcess", "category": [ "malware" ], + "code": "AgentOperationIocAnalysisFilenameMatchNoSourceProcess", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-15T02:07:53.712084Z", + "file": { + "directory": "c:\\tmp", + "name": "IOC_filename_type_match.txt", + "path": 
"c:\\tmp\\IOC_filename_type_match.txt" + }, "rule": { "uuid": "00000000-0000-0000-0000-000000000000" }, "stormshield": { "ses": { - "type": "20100", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20100" } - }, - "file": { - "path": "c:\\tmp\\IOC_filename_type_match.txt", - "name": "IOC_filename_type_match.txt", - "directory": "c:\\tmp" } } 
@@ -4034,12 +4034,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20101,\"TypeComputedMap\":\"AgentOperationIocAnalysisDnsRequestMatch\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01C2C4-99ED-433F-9666-2D26FFE77EE1}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:52:00.1047712+01:00\",\"TimestampRaw\":133231783201047712,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{F741792F-CAF9-48AC-B603-E7E85478D1DE}\",\"Triggers\":64,\"TriggersComputedBitMap\":[\"TRIGGER_SCHEDULED\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{B9219B67-6D7A-4837-9FBB-AC731993E218}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"DnsRequestTimestamp\":\"2023-03-09T14:30:36.6393490+01:00\",\"DnsRequest\":\"LDU-10X64\",\"MatchedStrings\":[\"ldu-10x64\"]}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisDnsRequestMatch", "category": [ "malware" ], + "code": "AgentOperationIocAnalysisDnsRequestMatch", + "kind": "event", + "severity": 4, "type": [ "info" ] 
@@ -4050,14 +4050,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20101", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20101" } } } 
@@ -4072,35 +4072,19 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20105,\"TypeComputedMap\":\"AgentOperationIocFileSearchByHashFile\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FF39E-F163-408E-A79F-154924466C24}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:22:46.0645687+01:00\",\"TimestampRaw\":133229137660645687,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{D0F30E76-25C7-4179-B37F-16A6638243ED}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{64E13EFB-DBA5-405E-AA87-52D0E6DC0A8A}\",\"AssociatedSecOpsRequestGuid\":\"{36C30206-83CB-4B22-A80E-F32F55B1B793}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\Dataset\\\\IOC_filename_type_match.txt\",\"FileCreateTime\":\"2023-03-09T14:32:39.0955996+01:00\",\"LastModified\":\"2023-03-09T14:44:10.9444734+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"0369387A3D15EA774708761AC1B15146\",\"HashSha1\":\"CE2C4F63864E3173A9D4C94A88A5061BE890F3D9\",\"HashSha256\":\"0E2D8F90D85A86BA544BDC868CD06F90C49CB3227496ABD3ABC52B0AB83680A9\",\"HashSSDeep\":\"3:S6LnhR:JLnH\"},\"SearchMatchI
nformation\":{\"HashAlgorithm\":1,\"HashAlgorithmComputedMap\":\"IOC_ALGORITMH_DIGEST_SHA1\",\"SimilarityRate\":100,\"MatchedHash\":\"CE2C4F63864E3173A9D4C94A88A5061BE890F3D9\"}}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocFileSearchByHashFile", "category": [ "malware" ], + "code": "AgentOperationIocFileSearchByHashFile", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:22:46.064568Z", - "rule": { - "uuid": "00000000-0000-0000-0000-000000000000" - }, - "stormshield": { - "ses": { - "type": "20105", - "action": { - "blocked": false, - "user_decision": false - }, - "source_process": { - "killed": false - } - } - }, "file": { - "path": "C:\\tmp\\Dataset\\IOC_filename_type_match.txt", - "owner": "Administrateurs", + "directory": "C:\\tmp\\Dataset", "hash": { "md5": "0369387A3D15EA774708761AC1B15146", "sha1": "CE2C4F63864E3173A9D4C94A88A5061BE890F3D9", @@ -4108,18 +4092,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ssdeep": "3:S6LnhR:JLnH" }, "name": "IOC_filename_type_match.txt", - "directory": "C:\\tmp\\Dataset" + "owner": "Administrateurs", + "path": "C:\\tmp\\Dataset\\IOC_filename_type_match.txt" }, "related": { - "user": [ - "Administrateurs" - ], "hash": [ "0369387A3D15EA774708761AC1B15146", "0E2D8F90D85A86BA544BDC868CD06F90C49CB3227496ABD3ABC52B0AB83680A9", "3:S6LnhR:JLnH", "CE2C4F63864E3173A9D4C94A88A5061BE890F3D9" + ], + "user": [ + "Administrateurs" ] + }, + "rule": { + "uuid": "00000000-0000-0000-0000-000000000000" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "source_process": { + "killed": false + }, + "type": "20105" + } } } 
@@ -4133,68 +4133,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20106,\"TypeComputedMap\":\"AgentOperationIocFileSearchByHashProcess\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A3870-F4B7-4DB2-BB32-1391F05682E3}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T06:58:31.6633661+01:00\",\"TimestampRaw\":133228511116633661,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{D0F30E76-25C7-4179-B37F-16A6638243ED}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{3D074CE1-6E5D-4EEC-9C54-B0B1CEEBE3DF}\",\"AssociatedSecOpsRequestGuid\":\"{719C335F-EB0F-4A68-8D1D-9683CFB40D31}\",\"AssociatedBaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\qa_custom_dll_caller.exe\",\"FileCreateTime\":\"2023-03-09T14:43:40.4150413+01:00\",\"LastModified\":\"2022-11-16T16:51:01.1796489+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"4942BD5298DC4E4EFDADC95A46C37B56\",\"HashSha1\":\"AAFA7B6F88BDB51202DCB161123C0441D40A5A2B\",\"HashSha256\":\"1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA\",\"HashSSDeep\":\"48:6Mapd6WlAax/6NMPo5g0x
minE+kCtaTzxlkssoFjpfbNtm:yrBro5g0xmSei0zNt\"},\"SearchMatchInformation\":{\"HashAlgorithm\":1,\"HashAlgorithmComputedMap\":\"IOC_ALGORITMH_DIGEST_SHA1\",\"SimilarityRate\":100,\"MatchedHash\":\"AAFA7B6F88BDB51202DCB161123C0441D40A5A2B\"},\"SourceProcess\":{\"PID\":2300,\"ProcessGuid\":\"{FF3D97B0-8340-4750-BD82-18792EF11A01}\",\"ProcessImageName\":\"C:\\\\tmp\\\\qa_custom_dll_caller.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\tmp\\\\qa_custom_dll_caller.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"4942BD5298DC4E4EFDADC95A46C37B56\",\"HashSha1\":\"AAFA7B6F88BDB51202DCB161123C0441D40A5A2B\",\"HashSha256\":\"1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":2,\"CertificateSignatureStateComputedMap\":\"SignatureStateNoSignature\",\"Certificates\":[],\"ProcessStartTime\":\"2023-03-09T14:51:13.8781511+01:00\",\"ProcessStartTimeRaw\":133228434738781511}}}", "event": { - "kind": "event", - "severity": 4, - "code": "AgentOperationIocFileSearchByHashProcess", "category": [ "malware" ], + "code": "AgentOperationIocFileSearchByHashProcess", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-15T05:58:31.663366Z", - "rule": { - "uuid": "00000000-0000-0000-0000-000000000000" + "file": { + "hash": { + "md5": "4942BD5298DC4E4EFDADC95A46C37B56", + "sha1": "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B", + "sha256": "1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA", + "ssdeep": "48:6Mapd6WlAax/6NMPo5g0xminE+kCtaTzxlkssoFjpfbNtm:yrBro5g0xmSei0zNt" + } }, "process": { - "pid": 2300, - "start": "2023-03-09T13:51:13.878151Z", - 
"executable": "C:\\tmp\\qa_custom_dll_caller.exe", - "name": "qa_custom_dll_caller.exe", "command_line": "\"C:\\tmp\\qa_custom_dll_caller.exe\"", + "executable": "C:\\tmp\\qa_custom_dll_caller.exe", "hash": { - "sha1": "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B", "md5": "4942BD5298DC4E4EFDADC95A46C37B56", + "sha1": "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B", "sha256": "1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA" }, + "name": "qa_custom_dll_caller.exe", + "pid": 2300, + "start": "2023-03-09T13:51:13.878151Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA", + "48:6Mapd6WlAax/6NMPo5g0xminE+kCtaTzxlkssoFjpfbNtm:yrBro5g0xmSei0zNt", + "4942BD5298DC4E4EFDADC95A46C37B56", + "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B" + ] + }, + "rule": { + "uuid": "00000000-0000-0000-0000-000000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20106", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20106" } - }, - "file": { - "hash": { - "md5": "4942BD5298DC4E4EFDADC95A46C37B56", - "sha1": "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B", - "sha256": "1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA", - "ssdeep": "48:6Mapd6WlAax/6NMPo5g0xminE+kCtaTzxlkssoFjpfbNtm:yrBro5g0xmSei0zNt" - } - }, - "related": { - "hash": [ - "1C77A55289240221CF110A1AC336D375D4F8E190D6A540F97A610D642CA096DA", - "48:6Mapd6WlAax/6NMPo5g0xminE+kCtaTzxlkssoFjpfbNtm:yrBro5g0xmSei0zNt", - "4942BD5298DC4E4EFDADC95A46C37B56", - "AAFA7B6F88BDB51202DCB161123C0441D40A5A2B" - ] } } 
@@ -4208,53 +4208,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20107,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchProcessMatch\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01D628-71C0-4432-A358-142306F65E42}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:49:04.5989765+02:00\",\"TimestampRaw\":133311341445989765,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{C6F96B4B-22E1-4F77-B74B-BBB94E7DCEC5}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{D4782D23-E46A-462E-8934-BFDC32920706}\",\"AssociatedSecOpsRequestGuid\":\"{F5B8FBB4-9B35-45E7-80B6-2D6B81BDB126}\",\"AssociatedBaseRuleGuid\":\"{BB1C16CA-8916-4891-9A65-078284B20EA1}\",\"AssociatedRuleGuid\":\"{8CFC6AE9-E111-403E-90AF-1912774CBEC4}\"},\"SourceProcess\":{\"PID\":4032,\"ProcessGuid\":\"{358F6CB9-1326-469E-807D-9742D7799F1F}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"AC4C51EB24AA95B77F705AB159189E24\",\"HashSha1\":\"4583DAF9442880204730FB2C8A060430640494B1\",\"HashSha256\":\"6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA1\",\"IssuerCN\":\"MicrosoftWindowsVerificationPCA\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2010-11-20T21:37:13.0000000+02:00\",\"ValidityStart\":\"2009-12-07T23:57:40.0000000+02:00\",\"ValidityEnd\":\"2011-03-07T23:57:40.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T14:21:19.3323750+02:00\",\"ProcessStartTimeRaw\":133311324793323750},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\explorer.exe\",\"FileCreateTime\":\"2010-11-21T05:24:35.3136502+02:00\",\"LastModified\":\"2010-11-21T05:24:35.3448503+02:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"AC4C51EB24AA95B77F705AB159189E24\",\"HashSha1\":\"4583DAF9442880204730FB2C8A060430640494B1\",\"HashSha256\":\"6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A\",\"HashSSDeep\":\"49152:jxrceI/lIRYraisQhFCUCAvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:FrcPlIWFvYYYYYYYYYYYRYYYYYYYYYY4\"},\"MatchedStrings\":[\"fichiertexte.txt\",\"hello\",\"qa_custom_dll_caller.exe\",\"toto\"]}}", "event": { + "code": "AgentOperationIocAnalysisTextualSearchProcessMatch", "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisTextualSearchProcessMatch" + "severity": 
4 }, "@timestamp": "2023-06-15T02:49:04.598976Z", - "rule": { - "uuid": "00000000-0000-0000-0000-000000000000" - }, "process": { - "pid": 4032, - "start": "2023-06-13T12:21:19.332375Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "4583DAF9442880204730FB2C8A060430640494B1", "md5": "AC4C51EB24AA95B77F705AB159189E24", + "sha1": "4583DAF9442880204730FB2C8A060430640494B1", "sha256": "6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A" }, + "name": "explorer.exe", + "pid": 4032, + "start": "2023-06-13T12:21:19.332375Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "4583DAF9442880204730FB2C8A060430640494B1", + "6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A", + "AC4C51EB24AA95B77F705AB159189E24" + ] + }, + "rule": { + "uuid": "00000000-0000-0000-0000-000000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20107", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20107" } - }, - "related": { - "hash": [ - "4583DAF9442880204730FB2C8A060430640494B1", - "6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A", - "AC4C51EB24AA95B77F705AB159189E24" - ] } } 
@@ -4268,53 +4268,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20108,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchFileMatch\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0882E8-4A4E-4427-BDF6-F93C68BC2CDB}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:31:29.6673890+01:00\",\"TimestampRaw\":133229142896673890,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{ACF0AC80-F5CC-4358-8CF9-3F8656637608}\",\"PolicyVersion\":2,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{4C7AAAF5-7BD4-4390-B43A-482695D9F2C8}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{DCBFD32B-23DA-44DC-A50F-CCC0CFFE36BD}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{488C741A-6311-484B-8B99-2AE642629CA2}\",\"AssociatedRuleGuid\":\"{3A361A3F-BA50-4C5F-94EC-EF57E5ECF5DD}\"},\"SourceProcess\":{\"PID\":1580,\"ProcessGuid\":\"{66722ED3-5C92-49CB-919F-F8F710D2A7F6}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2018-09-15T08:03:08.1030000+01:00\",\"ValidityStart\":\"2018-07-03T21:45:50.0000000+01:00\",\"ValidityEnd\":\"2019-07-26T21:45:50.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-10T10:30:15.9993999+01:00\",\"ProcessStartTimeRaw\":133229142159993999},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"FileCreateTime\":\"2018-09-15T08:14:14.4547673+01:00\",\"LastModified\":\"2018-09-15T08:14:14.4547673+01:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"HashSSDeep\":\"6144:+srKopvMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:BrKopEW2KXzJ4pdd3klnnWosPhnzq\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\testfile1.txt\",\"FileCreateTime\":\"2023-03-10T10:31:28.6944664+01:00\",\"LastModified\":\"2023-03-10T10:31:28.6974654+01:00\",\"Owne
r\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"F5A4425F79015B506FD72DEC488FECAA\",\"HashSha1\":\"7AC7F7D77BA681397E6F81E343562F43D315143D\",\"HashSha256\":\"F7ED90A977D853D055AAED809EAF0733C160E60F27461F04A59CE21B0D996A35\",\"HashSSDeep\":\"3:QswlSxuQaal:QswlS5j\"},\"MatchedStrings\":[\"IOC_event_app\"]}}", "event": { + "code": "AgentOperationIocAnalysisTextualSearchFileMatch", "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisTextualSearchFileMatch" + "severity": 4 }, "@timestamp": "2023-06-14T23:31:29.667389Z", - "rule": { - "uuid": "00000000-0000-0000-0000-000000000000" - }, "process": { - "pid": 1580, - "start": "2023-03-10T09:30:15.999399Z", - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "name": "powershell.exe", "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { - "sha1": "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", "md5": "7353F60B1739074EB17C5F4DDDEFE239", + "sha1": "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", "sha256": "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" }, + "name": "powershell.exe", + "pid": 1580, + "start": "2023-03-10T09:30:15.999399Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", + "7353F60B1739074EB17C5F4DDDEFE239", + "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" + ] + }, + "rule": { + "uuid": "00000000-0000-0000-0000-000000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "20108", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "20108" } - }, - "related": { - "hash": [ - 
"6CBCE4A295C163791B60FC23D285E6D84F28EE4C", - "7353F60B1739074EB17C5F4DDDEFE239", - "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" - ] } } 
@@ -4328,9 +4328,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":20109,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchFileMatchNoSourceProcess\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C7323-D0B6-492F-B6DC-B503DFE65054}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:22:46.7229516+01:00\",\"TimestampRaw\":133229137667229516,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{8D1643D7-0358-4D5D-B5DE-2FF3A68AE55D}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{C309C9F5-8BAB-42A0-BBE2-A912143FB308}\",\"AssociatedSecOpsRequestGuid\":\"{36C30206-83CB-4B22-A80E-F32F55B1B793}\",\"AssociatedBaseRuleGuid\":\"{73F4E7F0-49CA-42E7-94E7-9CF7B5F07C93}\",\"AssociatedRuleGuid\":\"{8CFC6AE9-E111-403E-90AF-1912774CBEC4}\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\Dataset\\\\IOC_filename_type_match.txt\",\"FileCreateTime\":\"2023-03-09T14:32:39.0955996+01:00\",\"LastModified\":\"2023-03-09T14:44:10.9444734+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"0369387A3D15EA774708761AC1B15146\",\"HashSha1\":\"CE2C4F63864E3173A9D4C94A88A5061BE890F3D9\",\"HashSha256\":\"0E2D8F90D85A86BA544BDC868CD06F90C49CB3227496ABD3ABC52B0AB83680A9\",\"HashSSDeep\":\"3:S6LnhR
:JLnH\"},\"MatchedStrings\":[\"IOC_event_app\"]}}", "event": { + "code": "AgentOperationIocAnalysisTextualSearchFileMatchNoSourceProcess", "kind": "event", - "severity": 4, - "code": "AgentOperationIocAnalysisTextualSearchFileMatchNoSourceProcess" + "severity": 4 }, "@timestamp": "2023-06-14T23:22:46.722951Z", "rule": { @@ -4338,14 +4338,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "20109", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "20109" } } } @@ -4360,12 +4360,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":301,\"TypeComputedMap\":\"Floppy\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD093442-0673-4288-9682-089F74158DA4}\",\"Timestamp\":\"2023-06-15T04:30:00.0000000+01:00\",\"TimestampRaw\":133232382000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PnPDeviceInfo\":{\"DeviceDescription\":\"This is a disk drive\",\"Manufacturer\":\"Kingston\",\"ClassName\":\"DiskDrive\",\"FriendlyName\":\"SanDisk\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "Floppy", "category": [ "driver" ], + "code": "Floppy", + "kind": "event", + "severity": 0, "type": [ "info" ] 
@@ -4376,17 +4376,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "301", "action": { "blocked": true, "user_decision": false }, + "device": { + "type": "floppy" + }, "source_process": { "killed": false }, - "device": { - "type": "floppy" - } + "type": "301" } } } @@ -4401,12 +4401,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":302,\"TypeComputedMap\":\"CDRom\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD097A02-082C-44A2-87BB-6D6DC511FC45}\",\"Timestamp\":\"2023-06-15T04:40:00.0000000+01:00\",\"TimestampRaw\":133232388000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Operation\":0,\"PnPDeviceInfo\":{\"DeviceDescription\":\"This is a disk drive\",\"Manufacturer\":\"Kingston\",\"ClassName\":\"DiskDrive\",\"FriendlyName\":\"SanDisk\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "CDRom", "category": [ "driver" ], + "code": "CDRom", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4417,17 +4417,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "302", "action": { "blocked": false, "user_decision": false }, + "device": { + "type": "cdrom" + }, "source_process": { "killed": true }, - "device": { - "type": "cdrom" - } + "type": "302" } } } 
@@ -4442,12 +4442,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":303,\"TypeComputedMap\":\"ComPort\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD087B9D-25F8-42A4-BA9D-ED3D3A87E3F6}\",\"Timestamp\":\"2023-06-15T04:50:00.0000000+01:00\",\"TimestampRaw\":133232394000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "ComPort", "category": [ "driver" ], + "code": "ComPort", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4458,17 +4458,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "303", "action": { "blocked": true, "user_decision": false }, + "device": { + "type": "serial" + }, "source_process": { "killed": true }, - "device": { - "type": "serial" - } + "type": "303" } } } 
@@ -4483,12 +4483,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":305,\"TypeComputedMap\":\"UsbDevice\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07AA0D-B844-4707-8E84-ED8B03025B17}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:44:36.7982369+02:00\",\"TimestampRaw\":133311338767982369,\"SpecificData\":{\"UsbDeviceInfo\":{\"VendorId\":5118,\"ProductId\":25344,\"Class\":0,\"ClassComputedMap\":\"UseclassinformationintheInterfaceDescriptors\",\"SubClass\":0,\"Protocol\":0,\"SerialNumber\":\"072117691198E329\",\"VendorName\":\"\",\"ProductName\":\"USBDISK3.0\",\"Interfaces\":[{\"Class\":8,\"ClassComputedMap\":\"MassStorage\",\"Subclass\":6,\"Protocol\":80}]},\"PhysicalConsoleSession\":{\"PhysicalConsoleSessionId\":1,\"LoginUserName\":\"TEST\\\\user1\"},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":3,\"RuleGuid\":\"{15FE2620-5AB1-418E-B390-A8519F21EDA3}\",\"BaseRuleGuid\":\"{15FE2620-5AB1-418E-B390-A8519F21EDA2}\",\"IdentifierGuid\":\"{7337F8D7-D797-4A0F-AD46-BF317FFE7900}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false},\"DeviceEventType\":0,\"DeviceEventTypeComputedMap\":\"USBdeviceconnection\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "UsbDevice", "category": [ "driver" ], + "code": "UsbDevice", + "kind": "event", + "severity": 1, "type": [ "info" ] @@ -4499,17 +4499,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "305", "action": { "blocked": true, "user_decision": false }, + "device": { + "type": "usb" + }, "source_process": { "killed": false }, - "device": { - "type": "usb" - } + "type": "305" } } } 
@@ -4524,12 +4524,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":325,\"TypeComputedMap\":\"UsbVolumeScanSuccess\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":4,\"AttributesComputedBitMap\":[\"Internal\"],\"EventGuid\":\"{AD01376E-B19F-412B-8D84-408FB15947B5}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:27:17.7845217+02:00\",\"TimestampRaw\":133312084377845217,\"SpecificData\":{\"UsbDeviceInfo\":{\"VendorId\":1921,\"ProductId\":21889,\"Class\":0,\"ClassComputedMap\":\"UseclassinformationintheInterfaceDescriptors\",\"SubClass\":0,\"Protocol\":0,\"SerialNumber\":\"04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117\",\"VendorName\":\"USB\",\"ProductName\":\"SanDisk3.2Gen1\",\"Interfaces\":[{\"Class\":8,\"ClassComputedMap\":\"MassStorage\",\"Subclass\":6,\"Protocol\":80}]},\"TrackingData\":{\"EnrollFileState\":1,\"EnrollFileStateComputedMap\":\"Enrollfileisinvalid.\",\"FootprintFileState\":0,\"FootprintFileStateComputedMap\":\"Nofootprintfile\",\"VendorId\":0,\"ProductId\":0,\"SerialNumberHashSha256\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"EnrollGuid\":\"{00000000-0000-0000-0000-000000000000}\"},\"ScannedFileCount\":0,\"QuarantinedFileCount\":0,\"VolumePath\":\"E:\\\\\"}}", "event": { - "kind": "event", - "severity": 0, - "code": "UsbVolumeScanSuccess", "category": [ "driver" ], + "code": "UsbVolumeScanSuccess", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4537,10 +4537,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-06-14T23:27:17.784521Z", "stormshield": { "ses": { - "type": "325", "device": { "type": "usb" - } + }, + "type": "325" } } } 
@@ -4555,12 +4555,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":326,\"TypeComputedMap\":\"UsbVolumeScanError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09E648-81DB-4F9D-8C4F-A417443FCB63}\",\"Timestamp\":\"2023-06-15T05:40:00.0000000+01:00\",\"TimestampRaw\":133232424000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"UsbDeviceInfo\":{\"VendorName\":\"SanDisk\",\"VendorId\":1921,\"ProductName\":\"Ultra\",\"ProductId\":21889,\"SerialNumber\":\"4C530001211017121370\",\"Class\":88,\"SubClass\":9,\"Interfaces\":[{\"Class\":9,\"SubClass\":255},{\"Class\":9,\"SubClass\":14},{\"Class\":5,\"SubClass\":255}]},\"TrackingData\":{\"EnrollFileState\":1,\"EnrollGuid\":\"936abb9c-1151-4087-be6f-95b59a432830\",\"FootprintFileState\":0},\"VolumePath\":\"E:\\\\\\\\\"}}", "event": { - "kind": "event", - "severity": 0, - "code": "UsbVolumeScanError", "category": [ "driver" ], + "code": "UsbVolumeScanError", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4568,10 +4568,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-06-15T04:40:00Z", "stormshield": { "ses": { - "type": "326", "device": { "type": "usb" - } + }, + "type": "326" } } } 
@@ -4586,12 +4586,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":327,\"TypeComputedMap\":\"UsbVolumeFootprintComputationError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD075EFB-625D-4664-A6EC-DCED30701CDF}\",\"Timestamp\":\"2023-06-15T05:50:00.0000000+01:00\",\"TimestampRaw\":133232430000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"UsbDeviceInfo\":{\"VendorName\":\"SanDisk\",\"VendorId\":1921,\"ProductName\":\"Ultra\",\"ProductId\":21889,\"SerialNumber\":\"4C530001211017121370\",\"Class\":239,\"SubClass\":224,\"Interfaces\":[{\"Class\":17,\"SubClass\":17},{\"Class\":239,\"SubClass\":7},{\"Class\":255,\"SubClass\":1}]},\"TrackingData\":{\"EnrollFileState\":4,\"EnrollGuid\":\"58cb78b6-510a-4144-8ad9-c120b0513ed9\",\"FootprintFileState\":0},\"VolumePath\":\"E:\\\\\\\\\"}}", "event": { - "kind": "event", - "severity": 0, - "code": "UsbVolumeFootprintComputationError", "category": [ "driver" ], + "code": "UsbVolumeFootprintComputationError", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4599,10 +4599,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2023-06-15T04:50:00Z", "stormshield": { "ses": { - "type": "327", "device": { "type": "usb" - } + }, + "type": "327" } } } 
@@ -4617,12 +4617,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":361,\"TypeComputedMap\":\"BluetoothAccess\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD004BC1-D189-436D-8F8E-848F2E6ADC7A}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:30:40.7191880+02:00\",\"TimestampRaw\":133311330407191880,\"SpecificData\":{\"ConnectedDeviceInfo\":{\"ClassOfDevice\":5898764,\"DeviceName\":\"S22UltradeAur\u00e9lien\",\"MajorServiceClass\":720,\"MajorServiceClassComputedBitMap\":[\"Networking(LAN,Adhoc,...)\",\"Capturing(Scanner,Microphone,...)\",\"ObjectTransfer(v-Inbox,v-Folder,...)\",\"Telephony(Cordlesstelephony,Modem,Headsetservice,...)\"],\"MajorDeviceClass\":2,\"MajorDeviceClassComputedMap\":\"Phone(cellular,cordless,payphone,modem,...)\",\"MinorDeviceClass\":{\"Info\":3,\"InfoComputedMap\":\"Smartphone\"}},\"LocalRadioDeviceInfo\":{\"ClassOfDevice\":2752780,\"DeviceName\":\"QA-SES-2\",\"MajorServiceClass\":336,\"MajorServiceClassComputedBitMap\":[\"Networking(LAN,Adhoc,...)\",\"Capturing(Scanner,Microphone,...)\",\"Audio(Speaker,Microphone,Headsetservice,...)\"],\"MajorDeviceClass\":1,\"MajorDeviceClassComputedMap\":\"Computer(desktop,notebook,PDA,organizers,....)\",\"MinorDeviceClass\":{\"Info\":3,\"InfoComputedMap\":\"Laptop\"}},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":2,\"RuleGuid\":\"{3BF67592-5E87-41C3-8064-ED52A6FD0C9C}\",\"BaseRuleGuid\":\"{3BF67592-5E87-41C3-8064-ED52A6FD0C9B}\",\"IdentifierGuid\":\"{DCA4EA7A-F456-483C-BF17-3A9DFBF7B8CF}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 1, - "code": "BluetoothAccess", "category": [ "network" ], + "code": "BluetoothAccess", + "kind": "event", + "severity": 1, "type": [ "connection" ] 
@@ -4633,14 +4633,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "361", "action": { "blocked": true, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "361" } } } 
@@ -4655,64 +4655,64 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":39,\"TypeComputedMap\":\"RawVolumeAccess\",\"Severity\":3,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD078924-C897-4BF5-9EAC-62F34AAE31EB}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T02:12:28.8623750+02:00\",\"TimestampRaw\":133312975488623750,\"SpecificData\":{\"SourceProcess\":{\"PID\":3236,\"ProcessGuid\":\"{2C8AC69F-A395-4589-9C27-3B1BF5672D71}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operatingsystem\"],\"ProcessCommandLine\":\"\\\"powershell.exe\\\"C:\\\\Frigg\\\\src\\\\frigg\\\\tools\\\\PowershellScript\\\\Protection\\\\AccessVolumeRaw\\\\AccessVolumeRaw.ps1C:\\\\Users\\\\Public\\\\20bedfd0-fbde-48e5-ab3b-8e3522b8a61e.jsonC:\\\\Users\\\\Public\\\\8648cd4c-4237-4122-a67e-9216bf42bf62.txt\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"HighMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"A575A7610E5F003CC36DF39E07C4BA7D\",\"HashSha1\":\"88E7CDC0B75364418E11B2C53F772085F1B61D1E\",\"HashSha256\":\"006CEF6EF6488721895D93E4CEF7FA0709C2692D74BDE1E22E2A8719B2A86218\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA1\",\"IssuerCN\":\"MicrosoftWindowsVerificationPCA\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2016-12-10T13:42:48.0000000+02:00\",\"ValidityStart\":\"2016-11-22T20:12:21.0000000+02:00\",\"ValidityEnd\":\"2017-05-22T20:12:21.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-15T12:12:25.7998750+02:00\",\"ProcessStartTimeRaw\":13331297545799875
0},\"Action\":{\"PolicyGuid\":\"{2AE83DF7-9180-4F10-9AB7-D43801EA60FC}\",\"PolicyVersion\":1,\"RuleGuid\":\"{AD8FA125-A849-47E7-B398-6672D5E40E15}\",\"BaseRuleGuid\":\"{AD8FA125-A849-47E7-B398-6672D5E40E14}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":true,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Path\":\"C:\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operatingsystem\"],\"AccessType\":2,\"AccessTypeComputedMap\":\"Write\",\"DataOffset\":0,\"DataLength\":512}}", "event": { - "kind": "event", - "severity": 3, - "code": "RawVolumeAccess", "category": [ "file" ], + "code": "RawVolumeAccess", + "kind": "event", + "severity": 3, "type": [ "access" ] }, "@timestamp": "2023-06-15T00:12:28.862375Z", - "rule": { - "uuid": "AD8FA125-A849-47E7-B398-6672D5E40E15" + "file": { + "directory": "", + "name": "C:", + "path": "C:" }, "process": { - "pid": 3236, - "start": "2023-06-15T10:12:25.799875Z", - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "name": "powershell.exe", "command_line": "\"powershell.exe\"C:\\Frigg\\src\\frigg\\tools\\PowershellScript\\Protection\\AccessVolumeRaw\\AccessVolumeRaw.ps1C:\\Users\\Public\\20bedfd0-fbde-48e5-ab3b-8e3522b8a61e.jsonC:\\Users\\Public\\8648cd4c-4237-4122-a67e-9216bf42bf62.txt", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { - "sha1": "88E7CDC0B75364418E11B2C53F772085F1B61D1E", "md5": "A575A7610E5F003CC36DF39E07C4BA7D", + "sha1": "88E7CDC0B75364418E11B2C53F772085F1B61D1E", "sha256": "006CEF6EF6488721895D93E4CEF7FA0709C2692D74BDE1E22E2A8719B2A86218" }, + "name": "powershell.exe", + "pid": 3236, + "start": "2023-06-15T10:12:25.799875Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "006CEF6EF6488721895D93E4CEF7FA0709C2692D74BDE1E22E2A8719B2A86218", + "88E7CDC0B75364418E11B2C53F772085F1B61D1E", + 
"A575A7610E5F003CC36DF39E07C4BA7D" + ] + }, + "rule": { + "uuid": "AD8FA125-A849-47E7-B398-6672D5E40E15" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "39", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "39" } - }, - "file": { - "path": "C:", - "name": "C:", - "directory": "" - }, - "related": { - "hash": [ - "006CEF6EF6488721895D93E4CEF7FA0709C2692D74BDE1E22E2A8719B2A86218", - "88E7CDC0B75364418E11B2C53F772085F1B61D1E", - "A575A7610E5F003CC36DF39E07C4BA7D" - ] } } 
@@ -4726,58 +4726,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":40,\"TypeComputedMap\":\"NetworkAccessBind\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01AAFD-F6E1-4434-9048-4119FACE3B20}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232238000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Operation\":1,\"AddressFamily\":0,\"Protocol\":6,\"LocalAddress\": \"1.2.3.4\",\"LocalPort\":21,\"SourceProcess\":{\"PID\":10,\"ProcessImageName\":\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"fc36ccb9-c9b6-495e-8ead-26e1536df4ad\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D91238FAFB111\",\"HashSha1\":\"AC9F34399C7C5A6324EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":7,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadContent\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": 
{ - "kind": "event", - "severity": 0, - "code": "NetworkAccessBind", "category": [ "network" ], + "code": "NetworkAccessBind", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:30:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, - "source": { - "ip": "1.2.3.4", - "port": 21, - "address": "1.2.3.4" - }, "process": { - "pid": 10, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", - "name": "Balsamiq Mockups 3.exe", "command_line": "\"C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", + "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", "hash": { - "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D91238FAFB111", + "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" }, + "name": "Balsamiq Mockups 3.exe", + "pid": 10, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, - "stormshield": { - "ses": { - "process": { - "user": { - "domain": "TEST" - } - }, - "type": "40", - "action": { - "blocked": false, - "user_decision": false - }, - "source_process": { - "killed": false - } - } - }, "related": { "hash": [ "0470A1A62B3FAA0AF14D91238FAFB111", @@ -4787,6 +4762,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4" ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 21 + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "40" + } } } 
@@ -4800,33 +4800,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":400,\"TypeComputedMap\":\"WifiAccessConnectedNetwork\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":8,\"AttributesComputedBitMap\":[\"Audit\"],\"EventGuid\":\"{AD07F7A8-D39A-4AB7-B993-5415D12C1F30}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:59:31.1363444+02:00\",\"TimestampRaw\":133311347711363444,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":6,\"RuleGuid\":\"{FCC06F94-0DBD-4DE6-904A-A267486EC5B8}\",\"BaseRuleGuid\":\"{FCC06F94-0DBD-4DE6-904A-A267486EC5B7}\",\"IdentifierGuid\":\"{68FB25E1-146B-40C2-876B-D72317D39711}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"ConnectionMode\":1,\"ConnectionModeComputedBitMap\":[\"Infrastructure\"],\"AuthAlgo\":2,\"AuthAlgoComputedBitMap\":[\"WPA2personal\"],\"Ssid\":\"AgentMobileS9P\",\"RemoteMacAddress\":\"8E9A69150D8F\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "WifiAccessConnectedNetwork", "category": [ "network" ], + "code": "WifiAccessConnectedNetwork", + "kind": "event", + "severity": 4, "type": [ "connection" ] }, "@timestamp": "2023-06-15T02:59:31.136344Z", - "rule": { - "uuid": "FCC06F94-0DBD-4DE6-904A-A267486EC5B8" - }, "destination": { "mac": "8E9A69150D8F" }, + "rule": { + "uuid": "FCC06F94-0DBD-4DE6-904A-A267486EC5B8" + }, "stormshield": { "ses": { - "type": "400", "action": { "blocked": false, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "400" } } } 
@@ -4841,12 +4841,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":401,\"TypeComputedMap\":\"WifiAccessFunctionnality\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F7AFA-D4BC-45AC-98E2-46FB56EDE7A2}\",\"Timestamp\":\"2023-06-15T06:20:00.0000000+01:00\",\"TimestampRaw\":133232448000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "WifiAccessFunctionnality", "category": [ "network" ], + "code": "WifiAccessFunctionnality", + "kind": "event", + "severity": 0, "type": [ "info" ] @@ -4857,14 +4857,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "stormshield": { "ses": { - "type": "401", "action": { "blocked": true, "user_decision": false }, "source_process": { "killed": false - } + }, + "type": "401" } } } 
@@ -4879,68 +4879,43 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":41,\"TypeComputedMap\":\"NetworkAccessAccept\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD08384E-F7B1-4E7E-ABFB-3F62FFD20102}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:21:41.0544635+01:00\",\"TimestampRaw\":133219741010544635,\"SpecificData\":{\"SourceProcess\":{\"PID\":1300,\"ProcessGuid\":\"{9BF8BDA3-3BD6-492E-A1AE-AA4ADCCFA899}\",\"ProcessImageName\":\"C:\\\\tmp\\\\2.4.0_Build_797\\\\SecurityAndTestingTools\\\\x64\\\\NetworkTester\\\\NetworkTesterServer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\".\\\\NetworkTesterServer.exe--tcp--port5001--infinite-lc\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"AB1938E5473CE3CFD04FEDC5250953B7\",\"HashSha1\":\"A37FFBBF38FEB91D98F839F58F17C1420A665D55\",\"HashSha256\":\"BBB03C3F06A9E6A988DB2376DE191712A8767D245151714C6D45D35811C83FA2\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":2,\"CertificateSignatureStateComputedMap\":\"SignatureStateNoSignature\",\"Certificates\":[],\"ProcessStartTime\":\"2023-02-27T13:21:37.0244871+01:00\",\"ProcessStartTimeRaw\":133219740970244871},\"Action\":{\"PolicyGuid\":\"{26CE8F68-454A-4A1C-B6C1-18BF591AD255}\",\"PolicyVersion\":7,\"RuleGuid\":\"{47CFDDF4-8532-45F1-80E3-46D945386D3E}\",\"BaseRuleGuid\":\"{47CFDDF4-8532-45F1-80E3-46D945386D3D}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Protocol\":6,\"Prot
ocolComputedMap\":\"TCP\",\"Operation\":2,\"OperationComputedMap\":\"Accept\",\"AddressFamily\":2,\"AddressFamilyComputedMap\":\"IPv4\",\"LocalAddress\": \"1.2.3.4\",\"RemoteAddress\":\"5.6.7.8\",\"LocalPort\":5001,\"RemotePort\":49726}}", "event": { - "kind": "event", - "severity": 4, - "code": "NetworkAccessAccept", "action": "Accept", "category": [ "network" ], + "code": "NetworkAccessAccept", + "kind": "event", + "severity": 4, "type": [ "access" ] }, "@timestamp": "2023-06-15T02:21:41.054463Z", - "rule": { - "uuid": "47CFDDF4-8532-45F1-80E3-46D945386D3E" - }, - "source": { - "ip": "1.2.3.4", - "port": 5001, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 49726, - "address": "5.6.7.8" + "port": 49726 }, "network": { "transport": "tcp", "type": "ipv4" }, "process": { - "pid": 1300, - "start": "2023-02-27T12:21:37.024487Z", - "executable": "C:\\tmp\\2.4.0_Build_797\\SecurityAndTestingTools\\x64\\NetworkTester\\NetworkTesterServer.exe", - "name": "NetworkTesterServer.exe", "command_line": ".\\NetworkTesterServer.exe--tcp--port5001--infinite-lc", + "executable": "C:\\tmp\\2.4.0_Build_797\\SecurityAndTestingTools\\x64\\NetworkTester\\NetworkTesterServer.exe", "hash": { - "sha1": "A37FFBBF38FEB91D98F839F58F17C1420A665D55", "md5": "AB1938E5473CE3CFD04FEDC5250953B7", + "sha1": "A37FFBBF38FEB91D98F839F58F17C1420A665D55", "sha256": "BBB03C3F06A9E6A988DB2376DE191712A8767D245151714C6D45D35811C83FA2" }, + "name": "NetworkTesterServer.exe", + "pid": 1300, + "start": "2023-02-27T12:21:37.024487Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, - "stormshield": { - "ses": { - "process": { - "user": { - "domain": "TEST" - } - }, - "type": "41", - "action": { - "blocked": false, - "user_decision": false - }, - "source_process": { - "killed": false - } - } - }, "related": { "hash": [ "A37FFBBF38FEB91D98F839F58F17C1420A665D55", 
@@ -4951,6 +4926,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "uuid": "47CFDDF4-8532-45F1-80E3-46D945386D3E" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 5001 + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "41" + } } } 
@@ -4964,63 +4964,38 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":42,\"TypeComputedMap\":\"NetworkAccessConnect\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0950D9-5F4A-4664-B567-591010BB82B6}\",\"Timestamp\":\"2023-06-15T00:50:00.0000000+01:00\",\"TimestampRaw\":133232250000000000,\"GenerateIncident\":false,\"SpecificData\":{\"RemoteAddress\":\"5.6.7.8\",\"RemotePort\":21,\"Operation\":1,\"AddressFamily\":0,\"Protocol\":0,\"LocalAddress\": \"1.2.3.4\",\"LocalPort\":80,\"SourceProcess\":{\"PID\":7,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"277db927-ab05-43ad-aeca-68e5e8f2b934\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD9FAFB111\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "NetworkAccessConnect", "category": [ "network" ], + "code": "NetworkAccessConnect", + "kind": "event", + "severity": 0, "type": [ "denied" ] }, "@timestamp": "2023-06-14T23:50:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, - "source": { - "ip": "1.2.3.4", - "port": 80, - "address": "1.2.3.4" - }, "destination": { + "address": "5.6.7.8", "ip": "5.6.7.8", - "port": 21, - "address": "5.6.7.8" + "port": 21 }, "process": { - "pid": 7, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", - "name": "WINWORD.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD9FAFB111", + "sha1": "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "WINWORD.EXE", + "pid": 7, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, - "stormshield": { - "ses": { - "process": { - "user": { - "domain": "TEST" - } - }, - "type": "42", - "action": { - "blocked": true, - "user_decision": false - }, - "source_process": { - "killed": false - } - } - 
}, "related": { "hash": [ "0470A1A62B3FAA0AF14D9AFD9FAFB111", @@ -5031,6 +5006,31 @@ Find below few samples of events and how they are normalized by Sekoia.io. "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 80 + }, + "stormshield": { + "ses": { + "action": { + "blocked": true, + "user_decision": false + }, + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "42" + } } } 
@@ -5044,59 +5044,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":43,\"TypeComputedMap\":\"ProcessHollowing\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0341EF-79A6-4EBC-9D7F-56F60740D4F4}\",\"Timestamp\":\"2023-06-15T00:00:00.0000000+01:00\",\"TimestampRaw\":133232220000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Operation\":6,\"CreatedProcess\":{\"PID\":5,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e79-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\\\"\",\"HashMd5\":\"E6224FC8CF2A26B386934DAC0A3495D0\",\"HashSha1\":\"CF970FA39BA72CC531133EC327203EAD801DA846\",\"HashSha256\":\"A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":4,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4965475+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateRevoked\"},\"SourceProcess\":{\"PID\":5,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES 
Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e79-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsGuiSrv.exe\\\"\",\"HashMd5\":\"E6224FC8CF2A26B386934DAC0A3495D0\",\"HashSha1\":\"CF970FA39BA72CC531133EC327203EAD801DA846\",\"HashSha256\":\"A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":4,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4965475+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateRevoked\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "ProcessHollowing", "category": [ "malware" ], + "code": "ProcessHollowing", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:00:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 5, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program 
Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe", - "name": "EsGuiSrv.exe", "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe\"", + "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe", "hash": { - "sha1": "CF970FA39BA72CC531133EC327203EAD801DA846", "md5": "E6224FC8CF2A26B386934DAC0A3495D0", + "sha1": "CF970FA39BA72CC531133EC327203EAD801DA846", "sha256": "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737" }, + "name": "EsGuiSrv.exe", + "pid": 5, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737", + "CF970FA39BA72CC531133EC327203EAD801DA846", + "E6224FC8CF2A26B386934DAC0A3495D0" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "43", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "43" } - }, - "related": { - "hash": [ - "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737", - "CF970FA39BA72CC531133EC327203EAD801DA846", - "E6224FC8CF2A26B386934DAC0A3495D0" - ] } } 
@@ -5110,59 +5110,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":44,\"TypeComputedMap\":\"StackPivot\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09F16B-4399-4542-B80F-F41E374DD031}\",\"Timestamp\":\"2023-06-15T00:10:00.0000000+01:00\",\"TimestampRaw\":133232226000000000,\"GenerateIncident\":false,\"SpecificData\":{\"SourceProcess\":{\"PID\":10,\"ProcessImageName\":\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"fc36ccb9-c9b6-495e-8ead-26e1536df4ad\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D91238FAFB111\",\"HashSha1\":\"AC9F34399C7C5A6324EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":7,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadContent\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "StackPivot", "category": [ "malware" ], + "code": 
"StackPivot", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:10:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 10, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", - "name": "Balsamiq Mockups 3.exe", "command_line": "\"C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", + "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", "hash": { - "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D91238FAFB111", + "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" }, + "name": "Balsamiq Mockups 3.exe", + "pid": 10, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D91238FAFB111", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", + "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "44", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "44" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D91238FAFB111", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", - "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" - ] } } 
@@ -5176,68 +5176,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":45,\"TypeComputedMap\":\"DriverLoading\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09877A-957B-4A49-9D0D-6ECBD9D39EFD}\",\"Timestamp\":\"2023-06-15T00:20:00.0000000+01:00\",\"TimestampRaw\":133232232000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FileOwnerNameLookup\":\"User1\",\"FileOwnerDomainLookup\":\"sshield1\",\"FileOwner\":\"S-1-5-21-2222222-33333333-44444444-555\",\"Path\":\"C:\\\\Windows\\\\malicious.dll\",\"SourceProcess\":{\"PID\":3,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e1d-0f85-11ea-a38e-806e6f6e6963\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"HashMd5\":\"FAE441A6EC7FD8F55A404797A25C8910\",\"HashSha1\":\"141C964905C4CA2110AD8FBFC3D17C960A9B9A54\",\"HashSha256\":\"70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":null,\"IntegrityLevelNameLookup\":null,\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": 
"event", - "severity": 0, - "code": "DriverLoading", "category": [ "malware" ], + "code": "DriverLoading", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:20:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "file": { + "directory": "C:\\Windows", + "name": "malicious.dll", + "owner": "User1", + "path": "C:\\Windows\\malicious.dll" }, "process": { - "pid": 3, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", "command_line": "C:\\Windows\\system32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", "hash": { - "sha1": "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", "md5": "FAE441A6EC7FD8F55A404797A25C8910", + "sha1": "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", "sha256": "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4" }, + "name": "services.exe", + "pid": 3, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", + "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4", + "FAE441A6EC7FD8F55A404797A25C8910" + ], + "user": [ + "User1" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "45", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "45" } - }, - "file": { - "owner": "User1", - "path": "C:\\Windows\\malicious.dll", - "name": "malicious.dll", - "directory": "C:\\Windows" - }, - "related": { - "user": [ - "User1" - ], - "hash": [ - "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", - "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4", - "FAE441A6EC7FD8F55A404797A25C8910" - ] } } 
@@ -5251,65 +5251,65 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":46,\"TypeComputedMap\":\"DriverGuard\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD091861-7366-47FA-84A0-A332D12C2C94}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232238000000000,\"GenerateIncident\":false,\"SpecificData\":{\"CorruptedDriverName\":\"CorruptedDriver\",\"CorruptingDriverPath\":\"CorruptingDriver\",\"FileOwnerNameLookup\":\"User1\",\"FileOwnerDomainLookup\":\"sshield1\",\"FileOwner\":\"S-1-5-21-2222222-33333333-44444444-555\",\"SourceProcess\":{\"PID\":3,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e1d-0f85-11ea-a38e-806e6f6e6963\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"HashMd5\":\"FAE441A6EC7FD8F55A404797A25C8910\",\"HashSha1\":\"141C964905C4CA2110AD8FBFC3D17C960A9B9A54\",\"HashSha256\":\"70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":null,\"IntegrityLevelNameLookup\":null,\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "DriverGuard", "category": [ "malware" ], + "code": "DriverGuard", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:30:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "file": { + "owner": "User1" }, "process": { - "pid": 3, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", "command_line": "C:\\Windows\\system32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", "hash": { - "sha1": "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", "md5": "FAE441A6EC7FD8F55A404797A25C8910", + "sha1": "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", "sha256": "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4" }, + "name": "services.exe", + "pid": 3, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", + "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4", + "FAE441A6EC7FD8F55A404797A25C8910" + ], + "user": [ + "User1" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "46", - "action": { - "blocked": true, - 
"user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "46" } - }, - "file": { - "owner": "User1" - }, - "related": { - "user": [ - "User1" - ], - "hash": [ - "141C964905C4CA2110AD8FBFC3D17C960A9B9A54", - "70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4", - "FAE441A6EC7FD8F55A404797A25C8910" - ] } } 
@@ -5323,59 +5323,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":47,\"TypeComputedMap\":\"HoneyPot\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD00D888-A11D-4C08-91F2-1BAC3808A9B3}\",\"Timestamp\":\"2023-06-15T00:40:00.0000000+01:00\",\"TimestampRaw\":133232244000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FunctionName\":\"MaliciousFunc\",\"CallerModuleFileName\":\"malicious.dll\",\"ExtraParametersInfo\":\"Something something.\",\"SourceProcess\":{\"PID\":7,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"277db927-ab05-43ad-aeca-68e5e8f2b934\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD9FAFB111\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "HoneyPot", "category": [ "malware" ], + "code": "HoneyPot", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:40:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 7, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", - "name": "WINWORD.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D9AFD9FAFB111", + "sha1": "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "WINWORD.EXE", + "pid": 7, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD9FAFB111", + "1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "47", - "action": { - 
"blocked": true, - "user_decision": false - }, "source_process": { "killed": true - } + }, + "type": "47" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D9AFD9FAFB111", - "1247766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0F6E6F33DA4116016C6" - ] } } 
@@ -5389,59 +5389,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":50,\"TypeComputedMap\":\"TokenGuard\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD049A47-6754-4C3C-AF7E-B9A9E5D3A448}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:30:44.2577805+02:00\",\"TimestampRaw\":133312194442577805,\"SpecificData\":{\"SourceProcess\":{\"PID\":6600,\"ProcessGuid\":\"{897C964E-15DE-4F9E-B089-DE3A8BB7AD92}\",\"ProcessImageName\":\"C:\\\\tmp\\\\TokenGuardTester\\\\TokenGuardTester.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\".\\\\TokenGuardTester.exetokenmodify\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"HighMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"D23FBD2C75547282289DD9743673ED89\",\"HashSha1\":\"6182272741CB8BAA6AE60C158ED446717784ADFA\",\"HashSha256\":\"356C2AF15AA08027B827DF594CF9976C50EF85A744C10552DA451A353D91FC5F\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1\",\"SubjectCN\":\"StormshieldSAS\",\"SigningTime\":\"2023-04-28T18:23:01.0000000+02:00\",\"ValidityStart\":\"2022-10-05T02:00:00.0000000+02:00\",\"ValidityEnd\":\"2025-12-07T01:59:59.0000000+02:00\"},{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftIDVerifiedCSEOCCA01\",\"SubjectCN\":\"StormshieldSAS\",\"SigningTime\":\"2023-04-28T18:23:36.7530000+02:00\",\"ValidityStart\":\"2023-04-28T17:02:55.0000000+02:00\",\"ValidityEnd\":\"2023-05-01T17:02:55.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T14:30:44.2187460+02:00\",\"Proc
essStartTimeRaw\":133312194442187460},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":9,\"RuleGuid\":\"{3E715FA0-4C90-4D29-9D2F-1DF82A43D2A6}\",\"BaseRuleGuid\":\"{3E715FA0-4C90-4D29-9D2F-1DF82A43D2A5}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Details\":{\"PrivilegesLow\":2675965948,\"PrivilegesLowComputedBitMap\":[\"SE_CREATE_TOKEN_PRIVILEGE\",\"SE_ASSIGNPRIMARYTOKEN_PRIVILEGE\",\"SE_LOCK_MEMORY_PRIVILEGE\",\"SE_INCREASE_QUOTA_PRIVILEGE\",\"SE_MACHINE_ACCOUNT_PRIVILEGE\",\"SE_TCB_PRIVILEGE\",\"SE_SECURITY_PRIVILEGE\",\"SE_TAKE_OWNERSHIP_PRIVILEGE\",\"SE_LOAD_DRIVER_PRIVILEGE\",\"SE_SYSTEM_PROFILE_PRIVILEGE\",\"SE_SYSTEMTIME_PRIVILEGE\",\"SE_PROF_SINGLE_PROCESS_PRIVILEGE\",\"SE_INC_BASE_PRIORITY_PRIVILEGE\",\"SE_CREATE_PAGEFILE_PRIVILEGE\",\"SE_CREATE_PERMANENT_PRIVILEGE\",\"SE_BACKUP_PRIVILEGE\",\"SE_RESTORE_PRIVILEGE\",\"SE_SHUTDOWN_PRIVILEGE\",\"SE_DEBUG_PRIVILEGE\",\"SE_AUDIT_PRIVILEGE\",\"SE_SYSTEM_ENVIRONMENT_PRIVILEGE\",\"SE_REMOTE_SHUTDOWN_PRIVILEGE\",\"SE_UNDOCK_PRIVILEGE\",\"SE_SYNC_AGENT_PRIVILEGE\",\"SE_ENABLE_DELEGATION_PRIVILEGE\",\"SE_MANAGE_VOLUME_PRIVILEGE\",\"SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE\"],\"PrivilegesHigh\":15,\"PrivilegesHighComputedBitMap\":[\"SE_RELABEL_PRIVILEGE\",\"SE_INC_WORKING_SET_PRIVILEGE\",\"SE_TIME_ZONE_PRIVILEGE\",\"SE_CREATE_SYMBOLIC_LINK_PRIVILEGE\"]},\"DetailsType\":2,\"DetailsTypeComputedMap\":\"Tokenmodificationoperation\"}}", "event": { - "kind": "event", - "severity": 1, - "code": "TokenGuard", "category": [ "malware" ], + "code": "TokenGuard", + "kind": "event", + "severity": 1, "type": [ "info" ] }, "@timestamp": "2023-06-15T02:30:44.257780Z", - "rule": { - "uuid": "3E715FA0-4C90-4D29-9D2F-1DF82A43D2A6" - }, "process": { - "pid": 6600, - "start": "2023-06-14T12:30:44.218746Z", - "executable": "C:\\tmp\\TokenGuardTester\\TokenGuardTester.exe", - "name": "TokenGuardTester.exe", 
"command_line": ".\\TokenGuardTester.exetokenmodify", + "executable": "C:\\tmp\\TokenGuardTester\\TokenGuardTester.exe", "hash": { - "sha1": "6182272741CB8BAA6AE60C158ED446717784ADFA", "md5": "D23FBD2C75547282289DD9743673ED89", + "sha1": "6182272741CB8BAA6AE60C158ED446717784ADFA", "sha256": "356C2AF15AA08027B827DF594CF9976C50EF85A744C10552DA451A353D91FC5F" }, + "name": "TokenGuardTester.exe", + "pid": 6600, + "start": "2023-06-14T12:30:44.218746Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "356C2AF15AA08027B827DF594CF9976C50EF85A744C10552DA451A353D91FC5F", + "6182272741CB8BAA6AE60C158ED446717784ADFA", + "D23FBD2C75547282289DD9743673ED89" + ] + }, + "rule": { + "uuid": "3E715FA0-4C90-4D29-9D2F-1DF82A43D2A6" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "50", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "50" } - }, - "related": { - "hash": [ - "356C2AF15AA08027B827DF594CF9976C50EF85A744C10552DA451A353D91FC5F", - "6182272741CB8BAA6AE60C158ED446717784ADFA", - "D23FBD2C75547282289DD9743673ED89" - ] } } 
@@ -5455,71 +5455,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":51,\"TypeComputedMap\":\"Keylogging\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":9,\"AttributesComputedBitMap\":[\"Audit\",\"SelfProtection\"],\"EventGuid\":\"{AD0C29F8-C747-413F-A084-A5A81196E65A}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:28:42.0857990+02:00\",\"TimestampRaw\":133311185220857990,\"SpecificData\":{\"SourceProcess\":{\"PID\":12096,\"ProcessGuid\":\"{45AD34C1-540C-4F7E-B226-B7387FF2AC0E}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\windows\\\\system32\\\\rundll32.exe\\\"Shell32.dll,Control_RunDLL\\\"C:\\\\Windows\\\\System32\\\\ncpa.cpl\\\",\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":1,\"HashMd5\":\"EF3179D498793BF4234F708D3BE28633\",\"HashSha1\":\"DD399AE46303343F9F0DA189AEE11C67BD868222\",\"HashSha256\":\"B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2022-03-03T02:02:27.0570000+02:00\",\"ValidityStart\":\"2021-09-02T20:23:41.0000000+02:00\",\"ValidityEnd\":\"2022-09-01T20:23:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T10:28:41.5265454+02:00\",\"ProcessStartTimeRaw\":133311185215265454},\"Action\":{\"PolicyGuid\":\"{9CFDF881-2372-4084-A5F6-37ECDF1EECC3}\",\"PolicyVersion\":7,\"RuleGuid\":\"{C4526DEE-B715-455C-A4E6-DD189B13EE08}
\",\"BaseRuleGuid\":\"{C4526DEE-B715-455C-A4E6-DD189B13EE07}\",\"IdentifierGuid\":\"{4E509127-2223-4B26-B4EF-076BBC9DCEAC}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false},\"TargetProcess\":{\"PID\":8288,\"ProcessGuid\":\"{7062B9CA-32EA-43C7-9346-F40ABBC63AA8}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":1,\"HashMd5\":\"81886624735B4F8F019E731A8A2E6E69\",\"HashSha1\":\"A30E4111E183514DEF89D2BC31071231DEABC4DF\",\"HashSha256\":\"385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-04-15T11:56:31.9920000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-12T08:58:10.5382640+02:00\",\"ProcessStartTimeRaw\":133310266905382640},\"KeyloggingMethod\":1,\"KeyloggingMethodComputedMap\":\"GET_ASYNC_KEY_STATE\"}}", "event": { - "kind": "event", - "severity": 4, - "code": "Keylogging", "category": [ "process" ], + "code": "Keylogging", + "kind": "event", + "severity": 4, "type": [ "info" ] }, "@timestamp": "2023-06-14T22:28:42.085799Z", - "rule": { - "uuid": "C4526DEE-B715-455C-A4E6-DD189B13EE08" + "action": { + "properties": { + "TargetCommandLine": "C:\\windows\\Explorer.EXE", + "TargetImage": "C:\\Windows\\explorer.exe" + } }, "process": { - "pid": 
12096, - "start": "2023-06-13T08:28:41.526545Z", - "executable": "C:\\Windows\\System32\\rundll32.exe", - "name": "rundll32.exe", "command_line": "\"C:\\windows\\system32\\rundll32.exe\"Shell32.dll,Control_RunDLL\"C:\\Windows\\System32\\ncpa.cpl\",", + "executable": "C:\\Windows\\System32\\rundll32.exe", "hash": { - "sha1": "DD399AE46303343F9F0DA189AEE11C67BD868222", "md5": "EF3179D498793BF4234F708D3BE28633", + "sha1": "DD399AE46303343F9F0DA189AEE11C67BD868222", "sha256": "B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA" }, + "name": "rundll32.exe", + "pid": 12096, + "start": "2023-06-13T08:28:41.526545Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA", + "DD399AE46303343F9F0DA189AEE11C67BD868222", + "EF3179D498793BF4234F708D3BE28633" + ] + }, + "rule": { + "uuid": "C4526DEE-B715-455C-A4E6-DD189B13EE08" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "target": { + "command_line": "C:\\windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "name": "explorer.exe", - "command_line": "C:\\windows\\Explorer.EXE", "pid": "8288" + }, + "user": { + "domain": "TEST" } }, - "type": "51", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } - } - }, - "action": { - "properties": { - "TargetImage": "C:\\Windows\\explorer.exe", - "TargetCommandLine": "C:\\windows\\Explorer.EXE" + }, + "type": "51" } - }, - "related": { - "hash": [ - "B53F3C0CD32D7F20849850768DA6431E5F876B7BFA61DB0AA0700B02873393FA", - "DD399AE46303343F9F0DA189AEE11C67BD868222", - "EF3179D498793BF4234F708D3BE28633" - ] } } 
@@ -5533,59 +5533,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":53,\"TypeComputedMap\":\"HeapSpray\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FDAFF-AA1C-4853-9BA1-DF4EE2A9E1CB}\",\"Timestamp\":\"2023-06-15T01:10:00.0000000+01:00\",\"TimestampRaw\":133232262000000000,\"GenerateIncident\":false,\"SpecificData\":{\"SourceProcess\":{\"PID\":10,\"ProcessImageName\":\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"fc36ccb9-c9b6-495e-8ead-26e1536df4ad\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D91238FAFB111\",\"HashSha1\":\"AC9F34399C7C5A6324EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":7,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadContent\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "HeapSpray", "category": [ "malware" ], + "code": 
"HeapSpray", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T00:10:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 10, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", - "name": "Balsamiq Mockups 3.exe", "command_line": "\"C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", + "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", "hash": { - "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D91238FAFB111", + "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" }, + "name": "Balsamiq Mockups 3.exe", + "pid": 10, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D91238FAFB111", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", + "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "53", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "53" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D91238FAFB111", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", - "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" - ] } } 
@@ -5599,59 +5599,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":54,\"TypeComputedMap\":\"LrpcAccess\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0929AA-A847-4C48-A82D-458FC89C8742}\",\"Timestamp\":\"2023-06-15T01:20:00.0000000+01:00\",\"TimestampRaw\":133232268000000000,\"GenerateIncident\":false,\"SpecificData\":{\"CallerModuleName\":\"MaliciousModule\",\"SourceProcess\":{\"PID\":2,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"UserSID\":null,\"SessionID\":2,\"ProcessGuid\":\"92c248f1-0acd-11ea-a38a-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\NOTEPAD.EXE\\\" C:\\\\Users\\\\arkoon\\\\Desktop\\\\_test\\\\test.totot\",\"HashMd5\":\"F1139811BBF61362915958806AD30211\",\"HashSha1\":\"D487580502354C61808C7180D1A336BEB7AD4624\",\"HashSha256\":\"F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Microsoft Windows Production PCA 2011\",\"SigningTime\":\"2019-11-07T04:32:51.5641056+01:00\",\"ValidityEnd\":\"2020-05-02T22:24:36.0705280+01:00\",\"ValidityStart\":\"2019-05-02T22:24:36.7807872+01:00\",\"SubjectCN\":\"Microsoft Windows\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "LrpcAccess", "category": [ "process" ], + "code": "LrpcAccess", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T00:20:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 2, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Windows\\System32\\notepad.exe", - "name": "notepad.exe", "command_line": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\arkoon\\Desktop\\_test\\test.totot", + "executable": "C:\\Windows\\System32\\notepad.exe", "hash": { - "sha1": "D487580502354C61808C7180D1A336BEB7AD4624", "md5": "F1139811BBF61362915958806AD30211", + "sha1": "D487580502354C61808C7180D1A336BEB7AD4624", "sha256": "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" }, + "name": "notepad.exe", + "pid": 2, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "D487580502354C61808C7180D1A336BEB7AD4624", + "F1139811BBF61362915958806AD30211", + "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "54", - "action": { - "blocked": false, - "user_decision": false 
- }, "source_process": { "killed": false - } + }, + "type": "54" } - }, - "related": { - "hash": [ - "D487580502354C61808C7180D1A336BEB7AD4624", - "F1139811BBF61362915958806AD30211", - "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3" - ] } } 
@@ -5665,71 +5665,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":55,\"TypeComputedMap\":\"CreateRemoteThread\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CF2B4-3CBE-48F3-BF02-9034793AF5CD}\",\"Timestamp\":\"2023-06-15T01:30:00.0000000+01:00\",\"TimestampRaw\":133232274000000000,\"GenerateIncident\":false,\"SpecificData\":{\"TargetProcess\":{\"PID\":3,\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e1d-0f85-11ea-a38e-806e6f6e6963\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"HashMd5\":\"FAE441A6EC7FD8F55A404797A25C8910\",\"HashSha1\":\"141C964905C4CA2110AD8FBFC3D17C960A9B9A54\",\"HashSha256\":\"70D7571253E091F646F78A4DD078CE7FE8D796625BFA3C0A466DF03971175FB4\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":0,\"Certificates\":[],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":null,\"IntegrityLevelNameLookup\":null,\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateUnavailable\"},\"SourceProcess\":{\"PID\":9,\"ProcessImageName\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\Excel.EXE\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"9d367a6c-04e4-491b-baa8-25b674db96d9\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\Office16\\\\Excel.EXE\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D9AFD8FAFB221\",\"HashSha1\":\"AC9F34399C7C5A9372EFE0FA16F33D12116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "CreateRemoteThread", "category": [ "process" ], + "code": "CreateRemoteThread", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T00:30:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "action": { + "properties": { + "TargetCommandLine": "C:\\Windows\\system32\\services.exe", + "TargetImage": "C:\\Windows\\System32\\services.exe" + } }, "process": { - "pid": 9, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", - "name": "Excel.EXE", "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE", "hash": { - "sha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "md5": 
"0470A1A62B3FAA0AF14D9AFD8FAFB221", + "sha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7" }, + "name": "Excel.EXE", + "pid": 9, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D9AFD8FAFB221", + "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", + "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "target": { + "command_line": "C:\\Windows\\system32\\services.exe", "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "command_line": "C:\\Windows\\system32\\services.exe", "pid": "3" + }, + "user": { + "domain": "TEST" } }, - "type": "55", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } - } - }, - "action": { - "properties": { - "TargetImage": "C:\\Windows\\System32\\services.exe", - "TargetCommandLine": "C:\\Windows\\system32\\services.exe" + }, + "type": "55" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D9AFD8FAFB221", - "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7", - "AC9F34399C7C5A9372EFE0FA16F33D12116016C6" - ] } } 
@@ -5743,59 +5743,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":56,\"TypeComputedMap\":\"ProcessExit\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B184E-85BE-48A2-8B4F-C31D5EA86974}\",\"Timestamp\":\"2023-06-15T01:40:00.0000000+01:00\",\"TimestampRaw\":133232280000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ExitStatusCode\":5,\"SourceProcess\":{\"PID\":6,\"ProcessImageName\":\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"bed63e83-0f85-11ea-a38e-00155d099004\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsScript.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF44D9AFD9FAFB111\",\"HashSha1\":\"0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6\",\"HashSha256\":\"2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":8,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Stormshield\",\"SigningTime\":\"2019-11-25T14:15:45.4765488+01:00\",\"ValidityEnd\":\"2040-01-01T00:59:59.1248256+01:00\",\"ValidityStart\":\"2017-04-25T15:21:15.7216000+01:00\",\"SubjectCN\":\"Stormshield\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory 
Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadSignature\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { - "kind": "event", - "severity": 0, - "code": "ProcessExit", "category": [ "process" ], + "code": "ProcessExit", + "kind": "event", + "severity": 0, "type": [ "end" ] }, "@timestamp": "2023-06-15T00:40:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" - }, "process": { - "pid": 6, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", - "name": "EsScript.exe", "command_line": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe\"", + "executable": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe", "hash": { - "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "md5": "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "sha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", "sha256": "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" }, + "name": "EsScript.exe", + "pid": 6, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF44D9AFD9FAFB111", + "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", + "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - 
"type": "56", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "56" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF44D9AFD9FAFB111", - "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6", - "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7" - ] } } 
@@ -5809,59 +5809,59 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":57,\"TypeComputedMap\":\"SetWindowsHookExAll\",\"Severity\":3,\"ServerReserved\":0,\"Attributes\":8,\"AttributesComputedBitMap\":[\"Audit\"],\"EventGuid\":\"{AD0A8453-EC3D-4CE6-B337-FD3F3BC40310}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T03:52:19.0004158+02:00\",\"TimestampRaw\":133312171390004158,\"SpecificData\":{\"SourceProcess\":{\"PID\":2948,\"ProcessGuid\":\"{6F14D6D8-D8FF-4BEC-BA64-059BBF184A5B}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"81886624735B4F8F019E731A8A2E6E69\",\"HashSha1\":\"A30E4111E183514DEF89D2BC31071231DEABC4DF\",\"HashSha256\":\"385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-04-15T11:56:31.9920000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T11:25:25.3085133+02:00\",\"ProcessStartTimeRaw\":133312083253085133},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":9,\"RuleGuid\":\"{8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF}\",\"BaseRuleGuid\":\"{8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAE}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"B
locked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"HookId\":13,\"HookIdComputedMap\":\"WH_KEYBOARD_LL\",\"ModuleName\":\"C:\\\\Windows\\\\Explorer.EXE\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "SetWindowsHookExAll", "category": [ "malware" ], + "code": "SetWindowsHookExAll", + "kind": "event", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-06-15T01:52:19.000415Z", - "rule": { - "uuid": "8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF" - }, "process": { - "pid": 2948, - "start": "2023-06-14T09:25:25.308513Z", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", "hash": { - "sha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF", "md5": "81886624735B4F8F019E731A8A2E6E69", + "sha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF", "sha256": "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1" }, + "name": "explorer.exe", + "pid": 2948, + "start": "2023-06-14T09:25:25.308513Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1", + "81886624735B4F8F019E731A8A2E6E69", + "A30E4111E183514DEF89D2BC31071231DEABC4DF" + ] + }, + "rule": { + "uuid": "8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { "user": { "domain": "TEST" } }, - "type": "57", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } + }, + "type": "57" } - }, - "related": { - "hash": [ - "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1", - "81886624735B4F8F019E731A8A2E6E69", - "A30E4111E183514DEF89D2BC31071231DEABC4DF" - ] } } 
@@ -5875,71 +5875,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":58,\"TypeComputedMap\":\"SetWindowsHookEx\",\"Severity\":3,\"ServerReserved\":0,\"Attributes\":8,\"AttributesComputedBitMap\":[\"Audit\"],\"EventGuid\":\"{AD08E493-2A70-4D6D-AFB5-80240A5E780A}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:25:28.8124881+02:00\",\"TimestampRaw\":133312083288124881,\"SpecificData\":{\"SourceProcess\":{\"PID\":7512,\"ProcessGuid\":\"{E321E2D1-260B-4CDE-A41E-0D32BF0DDF58}\",\"ProcessImageName\":\"C:\\\\ProgramFiles\\\\Apoint2K\\\\Apoint.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\ProgramFiles\\\\Apoint2K\\\\Apoint.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"1C51D884DEFB0E948FBA909D730E3D59\",\"HashSha1\":\"F55CD206D052A2683BAC53F3A3662292B23FE123\",\"HashSha256\":\"1991F6D0AED0CB298017C2CA7C12DF6C473027FBDB6F9F334C4BDA0E1718AD00\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA1\",\"IssuerCN\":\"DigiCertEVCodeSigningCA\",\"SubjectCN\":\"ALPSELECTRICCO.,LTD.\",\"SigningTime\":\"2019-02-19T11:00:30.0000000+02:00\",\"ValidityStart\":\"2018-01-30T02:00:00.0000000+02:00\",\"ValidityEnd\":\"2019-03-29T14:00:00.0000000+02:00\"},{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsThirdPartyComponentCA2012\",\"SubjectCN\":\"MicrosoftWindowsHardwareCompatibilityPublisher\",\"SigningTime\":\"2020-03-30T03:34:44.8600000+02:00\",\"ValidityStart\":\"2019-06-05T20:06:32.0000000+02:00\",\"ValidityEnd\":\"2020-06-03T20:06:32.0000000+02:00\"},{\"Algorithm\":\"SHA256\",\"Issue
rCN\":\"DigiCertEVCodeSigningCA(SHA2)\",\"SubjectCN\":\"ALPSELECTRICCO.,LTD.\",\"SigningTime\":\"2019-02-19T11:00:33.0000000+02:00\",\"ValidityStart\":\"2018-01-30T02:00:00.0000000+02:00\",\"ValidityEnd\":\"2019-03-29T14:00:00.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T11:25:24.4278630+02:00\",\"ProcessStartTimeRaw\":133312083244278630},\"Action\":{\"PolicyGuid\":\"{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}\",\"PolicyVersion\":8,\"RuleGuid\":\"{8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF}\",\"BaseRuleGuid\":\"{8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAE}\",\"IdentifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"TargetProcess\":{\"PID\":2948,\"ProcessGuid\":\"{6F14D6D8-D8FF-4BEC-BA64-059BBF184A5B}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":1,\"HashMd5\":\"81886624735B4F8F019E731A8A2E6E69\",\"HashSha1\":\"A30E4111E183514DEF89D2BC31071231DEABC4DF\",\"HashSha256\":\"385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-04-15T11:56:31.9920000+02:00\",\"ValidityStart\":\"2023-02-03T02:05:41.0000000+02:00\",\"ValidityEnd\":\"2024-02-01T02:05:41.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-14T11:25:25.3085133+02:00\",\"ProcessStartTimeRaw\":133312083253085133},\"HookId\":3,\"HookIdComputedMap\":\"WH_GETMESSAGE\
",\"ModuleName\":\"C:\\\\ProgramFiles\\\\Apoint2K\\\\Apoint.DLL\"}}", "event": { - "kind": "event", - "severity": 3, - "code": "SetWindowsHookEx", "category": [ "malware" ], + "code": "SetWindowsHookEx", + "kind": "event", + "severity": 3, "type": [ "info" ] }, "@timestamp": "2023-06-14T23:25:28.812488Z", - "rule": { - "uuid": "8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF" + "action": { + "properties": { + "TargetCommandLine": "C:\\Windows\\Explorer.EXE", + "TargetImage": "C:\\Windows\\explorer.exe" + } }, "process": { - "pid": 7512, - "start": "2023-06-14T09:25:24.427863Z", - "executable": "C:\\ProgramFiles\\Apoint2K\\Apoint.exe", - "name": "Apoint.exe", "command_line": "\"C:\\ProgramFiles\\Apoint2K\\Apoint.exe\"", + "executable": "C:\\ProgramFiles\\Apoint2K\\Apoint.exe", "hash": { - "sha1": "F55CD206D052A2683BAC53F3A3662292B23FE123", "md5": "1C51D884DEFB0E948FBA909D730E3D59", + "sha1": "F55CD206D052A2683BAC53F3A3662292B23FE123", "sha256": "1991F6D0AED0CB298017C2CA7C12DF6C473027FBDB6F9F334C4BDA0E1718AD00" }, + "name": "Apoint.exe", + "pid": 7512, + "start": "2023-06-14T09:25:24.427863Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "1991F6D0AED0CB298017C2CA7C12DF6C473027FBDB6F9F334C4BDA0E1718AD00", + "1C51D884DEFB0E948FBA909D730E3D59", + "F55CD206D052A2683BAC53F3A3662292B23FE123" + ] + }, + "rule": { + "uuid": "8D2EF1D8-670B-4AE4-ABDC-9316DAD15AAF" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "target": { + "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "name": "explorer.exe", - "command_line": "C:\\Windows\\Explorer.EXE", "pid": "2948" + }, + "user": { + "domain": "TEST" } }, - "type": "58", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": false - } - } - }, - "action": { - "properties": { - "TargetImage": 
"C:\\Windows\\explorer.exe", - "TargetCommandLine": "C:\\Windows\\Explorer.EXE" + }, + "type": "58" } - }, - "related": { - "hash": [ - "1991F6D0AED0CB298017C2CA7C12DF6C473027FBDB6F9F334C4BDA0E1718AD00", - "1C51D884DEFB0E948FBA909D730E3D59", - "F55CD206D052A2683BAC53F3A3662292B23FE123" - ] } } 
@@ -5953,71 +5953,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":59,\"TypeComputedMap\":\"ProcessAccessWithPrivilegeEscalation\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD078DA9-0D79-4995-BD8B-5BA2605C48D1}\",\"Timestamp\":\"2023-06-15T02:10:00.0000000+01:00\",\"TimestampRaw\":133232298000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Details\":null,\"ObjectType\":0,\"TargetProcess\":{\"PID\":1,\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"UserSID\":null,\"SessionID\":2,\"ProcessGuid\":\"92c246ec-0acd-11ea-a38a-00155d099004\",\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"HashMd5\":\"4E196CEA0C9C46A7D656C67E52E8C7C7\",\"HashSha1\":\"726C9D759C5F02080FA003B50466A3BE0C959865\",\"HashSha256\":\"ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":1,\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"Microsoft Windows Production PCA 2011\",\"SigningTime\":\"2019-10-20T14:09:02.8886192+01:00\",\"ValidityEnd\":\"2020-05-02T22:24:36.0705280+01:00\",\"ValidityStart\":\"2019-05-02T22:24:36.7807872+01:00\",\"SubjectCN\":\"Microsoft Windows\"}],\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\"},\"SourceProcess\":{\"PID\":10,\"ProcessImageName\":\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 
3.exe\",\"UserSID\":null,\"SessionID\":0,\"ProcessGuid\":\"fc36ccb9-c9b6-495e-8ead-26e1536df4ad\",\"ProcessCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\Balsamiq Mockups 3\\\\Balsamiq Mockups 3.exe\\\"\",\"HashMd5\":\"0470A1A62B3FAA0AF14D91238FAFB111\",\"HashSha1\":\"AC9F34399C7C5A6324EFE0FA16F33DA4116016C6\",\"HashSha256\":\"1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7\",\"UserNameLookup\":\"JOHNDOE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserDomainLookup\":\"TEST\",\"CertificateSignatureState\":7,\"Certificates\":null,\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Medium\",\"IntegrityLevelDomainLookup\":\"Mandatory Label\",\"IsProtectedOrCritical\":false,\"ProcessStartTimeRaw\":133204190354018719,\"ProcessStartTime\":\"2023-02-09T13:23:55.4018719+01:00\",\"CertificateSignatureStateComputedMap\":\"SignatureStateBadContent\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":true}}}", "event": { - "kind": "event", - "severity": 0, - "code": "ProcessAccessWithPrivilegeEscalation", "category": [ "malware" ], + "code": "ProcessAccessWithPrivilegeEscalation", + "kind": "event", + "severity": 0, "type": [ "info" ] }, "@timestamp": "2023-06-15T01:10:00Z", - "rule": { - "uuid": "0000000-0000-0000-0000-00000000000" + "action": { + "properties": { + "TargetCommandLine": "C:\\Windows\\Explorer.EXE", + "TargetImage": "C:\\Windows\\explorer.exe" + } }, "process": { - "pid": 10, - "start": "2023-02-09T12:23:55.401871Z", - "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", - "name": "Balsamiq Mockups 3.exe", "command_line": "\"C:\\Program Files 
(x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe\"", + "executable": "C:\\Program Files (x86)\\Balsamiq Mockups 3\\Balsamiq Mockups 3.exe", "hash": { - "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "md5": "0470A1A62B3FAA0AF14D91238FAFB111", + "sha1": "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6", "sha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7" }, + "name": "Balsamiq Mockups 3.exe", + "pid": 10, + "start": "2023-02-09T12:23:55.401871Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "0470A1A62B3FAA0AF14D91238FAFB111", + "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", + "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" + ] + }, + "rule": { + "uuid": "0000000-0000-0000-0000-00000000000" + }, "stormshield": { "ses": { + "action": { + "blocked": false, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "target": { + "command_line": "C:\\Windows\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", "name": "explorer.exe", - "command_line": "C:\\Windows\\Explorer.EXE", "pid": "1" + }, + "user": { + "domain": "TEST" } }, - "type": "59", - "action": { - "blocked": false, - "user_decision": false - }, "source_process": { "killed": true - } - } - }, - "action": { - "properties": { - "TargetImage": "C:\\Windows\\explorer.exe", - "TargetCommandLine": "C:\\Windows\\Explorer.EXE" + }, + "type": "59" } - }, - "related": { - "hash": [ - "0470A1A62B3FAA0AF14D91238FAFB111", - "1247766F6B5AD11E5C97167B5A452374E22876136FC7A23F79BE14AD9A7FA3E7", - "AC9F34399C7C5A6324EFE0FA16F33DA4116016C6" - ] } } 
@@ -6031,72 +6031,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"Version\":1,\"Type\":7,\"TypeComputedMap\":\"ProcessAccess\",\"Category\":0,\"CategoryComputedMap\":\"ProcessAccess\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD081172-EC3A-4C44-B5BF-81D61A2C8A7F}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T07:24:56.3526431+01:00\",\"TimestampRaw\":133209518963526431,\"SpecificData\":{\"SourceProcess\":{\"PID\":464,\"ProcessGuid\":\"{A8E8DCB5-B340-4417-89A6-893B299DD5F1}\",\"ProcessImageName\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\ps_ReadOnly.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\ps_ReadOnly.exe\\\"-ExecutionPolicyUnrestricted-File\\\"C:\\\\tmp\\\\ProcessAccess\\\\Duplicate\\\\Attacker.ps1\\\"-OutputFileLog\\\"c:\\\\tmp\\\\a.jsonAttackerReadOnly\\\"-OutputExr\\\"c:\\\\tmp\\\\a.txtReadOnly\\\"-TargetProcessHandleValue2388-TargetThreadHandleValue2540-TargetProcessHandle3980-SASAT\\\"c:\\\\tmp\\\\ProcessAccess\\\\WSASA\\\\NtObjectManager\\\\NtObjectManager.psd1\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWi
ndows\",\"SigningTime\":\"2018-09-15T08:03:08.1030000+01:00\",\"ValidityStart\":\"2018-07-03T21:45:50.0000000+01:00\",\"ValidityEnd\":\"2019-07-26T21:45:50.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T17:24:55.4703759+01:00\",\"ProcessStartTimeRaw\":133209518954703759},\"Action\":{\"PolicyGuid\":\"{DECD92C6-A814-4DD5-8BF1-32022D5EBE58}\",\"PolicyVersion\":3,\"RuleGuid\":\"{0BDCB8A4-532E-446A-BD5B-5E163539A529}\",\"BaseRuleGuid\":\"{0BDCB8A4-532E-446A-BD5B-5E163539A528}\",\"IdentifierGuid\":\"{E2AA0DB7-90A0-4913-AA1A-F89225A3B197}\",\"Blocked\":true,\"UserDecision\":false,\"SourceProcessKilled\":false},\"TargetProcess\":{\"PID\":6032,\"ProcessGuid\":\"{45B56BF8-4E3A-41B6-995D-FA6D3480D6A8}\",\"ProcessImageName\":\"C:\\\\Windows\\\\Temp\\\\ps_Target.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\TEMP\\\\ps_Target.exe\\\"-ExecutionPolicyUnrestricted-File\\\"C:\\\\tmp\\\\ProcessAccess\\\\Duplicate\\\\Target.ps1\\\"-OutputFileLog\\\"c:\\\\tmp\\\\a.jsonTarget\\\"-SASAT\\\"c:\\\\tmp\\\\ProcessAccess\\\\WSASA\\\\NtObjectManager\\\\NtObjectManager.psd1\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2018-09-15T08:03:08.1030000+01:00\",\"ValidityStart\":\"2018-07-03T21:45:50.0000000+01:00\"
,\"ValidityEnd\":\"2019-07-26T21:45:50.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T17:24:53.2107914+01:00\",\"ProcessStartTimeRaw\":133209518932107914},\"Details\":{\"DesiredAccess\":2097151,\"DesiredAccessComputedBitMap\":[\"THREAD_TERMINATE\",\"THREAD_SUSPEND_RESUME\",\"THREAD_ALERT\",\"THREAD_GET_CONTEXT\",\"THREAD_SET_CONTEXT\",\"THREAD_SET_INFORMATION\",\"THREAD_QUERY_INFORMATION\",\"THREAD_SET_THREAD_TOKEN\",\"THREAD_IMPERSONATE\",\"THREAD_DIRECT_IMPERSONATION\",\"THREAD_SET_LIMITED_INFORMATION\",\"THREAD_QUERY_LIMITED_INFORMATION\",\"THREAD_RESUME\",\"DELETE\",\"READ_CONTROL\",\"WRITE_DAC\",\"WRITE_OWNER\",\"SYNCHRONIZE\"],\"MatchingAccess\":852915,\"MatchingAccessComputedBitMap\":[\"THREAD_TERMINATE\",\"THREAD_SUSPEND_RESUME\",\"THREAD_SET_CONTEXT\",\"THREAD_SET_INFORMATION\",\"THREAD_SET_THREAD_TOKEN\",\"THREAD_IMPERSONATE\",\"THREAD_DIRECT_IMPERSONATION\",\"DELETE\",\"WRITE_DAC\",\"WRITE_OWNER\"]},\"ObjectType\":2,\"ObjectTypeComputedMap\":\"Thread\",\"Operation\":2,\"OperationComputedMap\":\"Duplicate\",\"DuplicatingProcess\":{\"PID\":464,\"ProcessGuid\":\"{A8E8DCB5-B340-4417-89A6-893B299DD5F1}\",\"ProcessImageName\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\ps_ReadOnly.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\ps_ReadOnly.exe\\\"-ExecutionPolicyUnrestricted-File\\\"C:\\\\tmp\\\\ProcessAccess\\\\Duplicate\\\\Attacker.ps1\\\"-OutputFileLog\\\"c:\\\\tmp\\\\a.jsonAttackerReadOnly\\\"-OutputExr\\\"c:\\\\tmp\\\\a.txtReadOnly\\\"-TargetProcessHandleValue2388-TargetThreadHandleValue2540-TargetProcessHandle3980-SASAT\\\"c:\\\\tmp\\\\ProcessAccess\\\\WSASA\\\\NtObjectManager\\\\NtObjectManager.psd1\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2018-09-15T08:03:08.1030000+01:00\",\"ValidityStart\":\"2018-07-03T21:45:50.0000000+01:00\",\"ValidityEnd\":\"2019-07-26T21:45:50.0000000+01:00\"}],\"ProcessStartTime\":\"2023-02-15T17:24:55.4703759+01:00\",\"ProcessStartTimeRaw\":133209518954703759}}}", "event": { - "kind": "event", - "severity": 4, - "code": "ProcessAccess", "action": "Duplicate", "category": [ "process" ], + "code": "ProcessAccess", + "kind": "event", + "severity": 4, "type": [ "access" ] }, "@timestamp": "2023-06-15T06:24:56.352643Z", - "rule": { - "uuid": "0BDCB8A4-532E-446A-BD5B-5E163539A529" + "action": { + "properties": { + "TargetCommandLine": 
"\"C:\\Windows\\TEMP\\ps_Target.exe\"-ExecutionPolicyUnrestricted-File\"C:\\tmp\\ProcessAccess\\Duplicate\\Target.ps1\"-OutputFileLog\"c:\\tmp\\a.jsonTarget\"-SASAT\"c:\\tmp\\ProcessAccess\\WSASA\\NtObjectManager\\NtObjectManager.psd1\"", + "TargetImage": "C:\\Windows\\Temp\\ps_Target.exe" + } }, "process": { - "pid": 464, - "start": "2023-02-15T16:24:55.470375Z", - "executable": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\ps_ReadOnly.exe", - "name": "ps_ReadOnly.exe", "command_line": "\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\ps_ReadOnly.exe\"-ExecutionPolicyUnrestricted-File\"C:\\tmp\\ProcessAccess\\Duplicate\\Attacker.ps1\"-OutputFileLog\"c:\\tmp\\a.jsonAttackerReadOnly\"-OutputExr\"c:\\tmp\\a.txtReadOnly\"-TargetProcessHandleValue2388-TargetThreadHandleValue2540-TargetProcessHandle3980-SASAT\"c:\\tmp\\ProcessAccess\\WSASA\\NtObjectManager\\NtObjectManager.psd1\"", + "executable": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\ps_ReadOnly.exe", "hash": { - "sha1": "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", "md5": "7353F60B1739074EB17C5F4DDDEFE239", + "sha1": "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", "sha256": "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" }, + "name": "ps_ReadOnly.exe", + "pid": 464, + "start": "2023-02-15T16:24:55.470375Z", "user": { "id": "S-1-5-21-2222222-33333333-44444444-555", "name": "JOHNDOE" } }, + "related": { + "hash": [ + "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", + "7353F60B1739074EB17C5F4DDDEFE239", + "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" + ] + }, + "rule": { + "uuid": "0BDCB8A4-532E-446A-BD5B-5E163539A529" + }, "stormshield": { "ses": { + "action": { + "blocked": true, + "user_decision": false + }, "process": { - "user": { - "domain": "TEST" - }, "target": { + "command_line": 
"\"C:\\Windows\\TEMP\\ps_Target.exe\"-ExecutionPolicyUnrestricted-File\"C:\\tmp\\ProcessAccess\\Duplicate\\Target.ps1\"-OutputFileLog\"c:\\tmp\\a.jsonTarget\"-SASAT\"c:\\tmp\\ProcessAccess\\WSASA\\NtObjectManager\\NtObjectManager.psd1\"", "executable": "C:\\Windows\\Temp\\ps_Target.exe", "name": "ps_Target.exe", - "command_line": "\"C:\\Windows\\TEMP\\ps_Target.exe\"-ExecutionPolicyUnrestricted-File\"C:\\tmp\\ProcessAccess\\Duplicate\\Target.ps1\"-OutputFileLog\"c:\\tmp\\a.jsonTarget\"-SASAT\"c:\\tmp\\ProcessAccess\\WSASA\\NtObjectManager\\NtObjectManager.psd1\"", "pid": "6032" + }, + "user": { + "domain": "TEST" } }, - "type": "7", - "action": { - "blocked": true, - "user_decision": false - }, "source_process": { "killed": false - } - } - }, - "action": { - "properties": { - "TargetImage": "C:\\Windows\\Temp\\ps_Target.exe", - "TargetCommandLine": "\"C:\\Windows\\TEMP\\ps_Target.exe\"-ExecutionPolicyUnrestricted-File\"C:\\tmp\\ProcessAccess\\Duplicate\\Target.ps1\"-OutputFileLog\"c:\\tmp\\a.jsonTarget\"-SASAT\"c:\\tmp\\ProcessAccess\\WSASA\\NtObjectManager\\NtObjectManager.psd1\"" + }, + "type": "7" } - }, - "related": { - "hash": [ - "6CBCE4A295C163791B60FC23D285E6D84F28EE4C", - "7353F60B1739074EB17C5F4DDDEFE239", - "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" - ] } }