Refresh intakes documentation

SEKOIA-IO · Jul 19, 2024 · 9de124e · 9de124e
1 parent 1d89ba5
commit 9de124e
Show file tree

Hide file tree

Showing 9 changed files with 960 additions and 36 deletions.
diff --git a/...perations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/...perations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md
@@ -728,6 +728,63 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "test_suspend_user.json"
+
+    ```json
+
+    {
+        "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"[email protected]\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"[email protected]\"}]}]}",
+        "event": {
+            "action": "SUSPEND_USER",
+            "category": [
+                "configuration"
+            ],
+            "dataset": "admin#reports#activity",
+            "type": []
+        },
+        "@timestamp": "2024-07-09T14:05:42.528000Z",
+        "cloud": {
+            "account": {
+                "id": "C03foh000"
+            }
+        },
+        "google": {
+            "report": {
+                "actor": {
+                    "email": "[email protected]"
+                },
+                "parameters": {
+                    "name": "USER_EMAIL",
+                    "value": "[email protected]"
+                }
+            }
+        },
+        "network": {
+            "application": "admin"
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4"
+            ],
+            "user": [
+                "john.doe"
+            ]
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4"
+        },
+        "user": {
+            "domain": "test.fr",
+            "email": "[email protected]",
+            "id": "102788027662650927386",
+            "name": "john.doe"
+        }
+    }
+    	
+	```
+
+
 === "test_target_user.json"
 
     ```json
@@ -956,6 +1013,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`google.report.chat.message.id` | `keyword` | Message id |
 |`google.report.chat.room.name` | `keyword` | Room name |
 |`google.report.meet.code` | `keyword` | Meet code |
+|`google.report.parameters.name` | `keyword` | Name of the item associated with the activity |
+|`google.report.parameters.value` | `keyword` | Value of the item associated with the activity |
 |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
 |`google.report.token.app_name` | `keyword` | Token authorization application name |
 |`google.report.token.type` | `keyword` | Token type |

diff --git a/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
@@ -769,7 +769,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 "eventType": "connected",
                 "fullScopeDetails": "Group Default Group in Site CORP-Users of Account CORP",
                 "fullScopeDetailsPath": "Global / CORP / CORP-Users / Default Group",
-                "groupId": 1083054176758610128,
+                "group": {
+                    "id": "1083054176758610128"
+                },
                 "groupName": "Default Group",
                 "interface": "USB",
                 "lastLoggedInUserName": "user.name",
@@ -782,7 +784,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 "scopeLevel": "Group",
                 "scopeName": "Default Group",
                 "siteName": "CORP-Users",
-                "vendorId": "8A87",
                 "version": "N/A"
             },
             "eventid": 1387019684138751044,
@@ -2639,7 +2640,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`sentinelone.data.current` | `keyword` |  |
 |`sentinelone.data.deactivatedEngines` | `keyword` |  |
 |`sentinelone.data.deactivationPeriodInDays` | `keyword` |  |
-|`sentinelone.data.detectedat` | `long` |  |
+|`sentinelone.data.detectedat` | `date` |  |
 |`sentinelone.data.deviceClass` | `keyword` |  |
 |`sentinelone.data.deviceInformationServiceInfoKey` | `keyword` |  |
 |`sentinelone.data.deviceInformationServiceInfoValue` | `keyword` |  |
@@ -2667,7 +2668,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`sentinelone.data.fullScopeDetailsPath` | `keyword` |  |
 |`sentinelone.data.gattService` | `keyword` |  |
 |`sentinelone.data.globalStatus` | `keyword` |  |
-|`sentinelone.data.groupId` | `long` |  |
+|`sentinelone.data.group.id` | `keyword` |  |
 |`sentinelone.data.groupName` | `keyword` |  |
 |`sentinelone.data.indicatorcategory` | `keyword` |  |
 |`sentinelone.data.indicatordescription` | `keyword` |  |
@@ -2823,7 +2824,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`sentinelone.data.userScope` | `keyword` |  |
 |`sentinelone.data.userscope` | `keyword` |  |
 |`sentinelone.data.uuid` | `keyword` |  |
-|`sentinelone.data.vendorId` | `keyword` |  |
 |`sentinelone.data.version` | `keyword` |  |
 |`sentinelone.description` | `keyword` |  |
 |`sentinelone.eventid` | `long` |  |

diff --git a/...perations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/...perations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
@@ -783,9 +783,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "target": "network-traffic"
         },
         "destination": {
-            "address": "47.241.116.84",
-            "ip": "47.241.116.84",
-            "port": 10800
+            "address": "10.11.0.2",
+            "ip": "10.11.0.2",
+            "port": 0
         },
         "network": {
             "direction": "inbound",
@@ -802,8 +802,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             ]
         },
         "source": {
-            "address": "10.11.0.2",
-            "ip": "10.11.0.2"
+            "address": "47.241.116.84",
+            "ip": "47.241.116.84",
+            "port": 10800
         }
     }
     	
@@ -833,9 +834,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             }
         },
         "destination": {
-            "address": "1.2.3.4",
-            "ip": "1.2.3.4",
-            "port": 1
+            "address": "1.2.3.5",
+            "ip": "1.2.3.5",
+            "port": 0
         },
         "network": {
             "direction": "inbound",
@@ -855,8 +856,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             ]
         },
         "source": {
-            "address": "1.2.3.5",
-            "ip": "1.2.3.5"
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4",
+            "port": 1
         },
         "user": {
             "domain": "LOCAL",
@@ -884,9 +886,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "target": "network-traffic"
         },
         "destination": {
-            "address": "172.16.10.208",
-            "ip": "172.16.10.208",
-            "port": 2189
+            "address": "172.16.19.90",
+            "ip": "172.16.19.90",
+            "port": 0
         },
         "network": {
             "transport": "icmp"
@@ -905,8 +907,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             ]
         },
         "source": {
-            "address": "172.16.19.90",
-            "ip": "172.16.19.90"
+            "address": "172.16.10.208",
+            "ip": "172.16.10.208",
+            "port": 2189
         },
         "user": {
             "name": "karibou"
@@ -939,11 +942,62 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             }
         },
         "destination": {
+            "address": "1.2.4.3",
+            "ip": "1.2.4.3",
+            "port": 0
+        },
+        "network": {
+            "transport": "icmp"
+        },
+        "observer": {
+            "product": "Adaptive Security Appliance",
+            "vendor": "Cisco"
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4",
+                "1.2.4.3"
+            ]
+        },
+        "source": {
             "address": "1.2.3.4",
             "ip": "1.2.3.4",
             "port": 25481
+        }
+    }
+    	
+	```
+
+
+=== "test_ASA_302021_3.json"
+
+    ```json
+
+    {
+        "message": "%ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0",
+        "event": {
+            "category": [
+                "network"
+            ],
+            "code": "302020"
+        },
+        "action": {
+            "name": "built",
+            "target": "network-traffic"
+        },
+        "cisco": {
+            "ftd": {
+                "icmp_code": "0",
+                "icmp_type": "8"
+            }
+        },
+        "destination": {
+            "address": "172.1.1.2",
+            "ip": "172.1.1.2",
+            "port": 0
         },
         "network": {
+            "direction": "inbound",
             "transport": "icmp"
         },
         "observer": {
@@ -953,12 +1007,63 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "related": {
             "ip": [
                 "1.2.3.4",
-                "1.2.4.3"
+                "172.1.1.2"
             ]
         },
         "source": {
-            "address": "1.2.4.3",
-            "ip": "1.2.4.3"
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4",
+            "port": 14
+        }
+    }
+    	
+	```
+
+
+=== "test_ASA_302021_4.json"
+
+    ```json
+
+    {
+        "message": "%ASA-6-302021: Teardown ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0",
+        "event": {
+            "category": [
+                "network"
+            ],
+            "code": "302021"
+        },
+        "action": {
+            "name": "teardown",
+            "target": "network-traffic"
+        },
+        "cisco": {
+            "ftd": {
+                "icmp_code": "0",
+                "icmp_type": "8"
+            }
+        },
+        "destination": {
+            "address": "172.1.1.2",
+            "ip": "172.1.1.2",
+            "port": 0
+        },
+        "network": {
+            "transport": "icmp"
+        },
+        "observer": {
+            "product": "Adaptive Security Appliance",
+            "vendor": "Cisco"
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4",
+                "172.1.1.2"
+            ]
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4",
+            "port": 14
         }
     }