diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 6448687c8f..4d4978455d 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md @@ -728,6 +728,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_suspend_user.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}", + "event": { + "action": "SUSPEND_USER", + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "type": [] + }, + "@timestamp": "2024-07-09T14:05:42.528000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.fr" + }, + "parameters": { + "name": "USER_EMAIL", + "value": "jdoe@test.fr" + } + } + }, + "network": { + "application": "admin" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "test.fr", + "email": "john.doe@test.fr", + "id": "102788027662650927386", + "name": "john.doe" + } + } + + ``` + + === "test_target_user.json" ```json 
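Review bot: `event.type` is left as an empty array in the new `test_suspend_user.json` sample even though `event.action` is `SUSPEND_USER` and `event.category` is `configuration`; an admin suspension is a user-account change, and rules that filter on event.type will never match this event, so the expected value is `"type": ["user", "change"]`. The sample also shows `google.report.parameters` as a single object while the raw `events[].parameters` is an array, so a multi-parameter activity presumably keeps only the first entry — worth confirming against the parser and stating in the field-table descriptions added in the next hunk. The sample is generated output; the fix belongs in the parser that produced it.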
@@ -956,6 +1013,8 @@ The following table lists the fields that are extracted, normalized under the EC |`google.report.chat.message.id` | `keyword` | Message id | |`google.report.chat.room.name` | `keyword` | Room name | |`google.report.meet.code` | `keyword` | Meet code | +|`google.report.parameters.name` | `keyword` | Name of the item associated with the activity | +|`google.report.parameters.value` | `keyword` | Value of the item associated with the activity | |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity | |`google.report.token.app_name` | `keyword` | Token authorization application name | |`google.report.token.type` | `keyword` | Token type | diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 475ca7ef0c..a34c342080 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md @@ -769,7 +769,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "eventType": "connected", "fullScopeDetails": "Group Default Group in Site CORP-Users of Account CORP", "fullScopeDetailsPath": "Global / CORP / CORP-Users / Default Group", - "groupId": 1083054176758610128, + "group": { + "id": "1083054176758610128" + }, "groupName": "Default Group", "interface": "USB", "lastLoggedInUserName": "user.name", @@ -782,7 +784,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "scopeLevel": "Group", "scopeName": "Default Group", "siteName": "CORP-Users", - "vendorId": "8A87", "version": "N/A" }, "eventid": 1387019684138751044, 
@@ -2639,7 +2640,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.current` | `keyword` | | |`sentinelone.data.deactivatedEngines` | `keyword` | | |`sentinelone.data.deactivationPeriodInDays` | `keyword` | | -|`sentinelone.data.detectedat` | `long` | | +|`sentinelone.data.detectedat` | `date` | | |`sentinelone.data.deviceClass` | `keyword` | | |`sentinelone.data.deviceInformationServiceInfoKey` | `keyword` | | |`sentinelone.data.deviceInformationServiceInfoValue` | `keyword` | | @@ -2667,7 +2668,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.fullScopeDetailsPath` | `keyword` | | |`sentinelone.data.gattService` | `keyword` | | |`sentinelone.data.globalStatus` | `keyword` | | -|`sentinelone.data.groupId` | `long` | | +|`sentinelone.data.group.id` | `keyword` | | |`sentinelone.data.groupName` | `keyword` | | |`sentinelone.data.indicatorcategory` | `keyword` | | |`sentinelone.data.indicatordescription` | `keyword` | | @@ -2823,7 +2824,6 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.userScope` | `keyword` | | |`sentinelone.data.userscope` | `keyword` | | |`sentinelone.data.uuid` | `keyword` | | -|`sentinelone.data.vendorId` | `keyword` | | |`sentinelone.data.version` | `keyword` | | |`sentinelone.description` | `keyword` | | |`sentinelone.eventid` | `long` | | diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index dbfe3a24bd..aaeb07e197 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md 
@@ -783,9 +783,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "target": "network-traffic" }, "destination": { - "address": "47.241.116.84", - "ip": "47.241.116.84", - "port": 10800 + "address": "10.11.0.2", + "ip": "10.11.0.2", + "port": 0 }, "network": { "direction": "inbound", @@ -802,8 +802,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "source": { - "address": "10.11.0.2", - "ip": "10.11.0.2" + "address": "47.241.116.84", + "ip": "47.241.116.84", + "port": 10800 } } @@ -833,9 +834,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4", - "port": 1 + "address": "1.2.3.5", + "ip": "1.2.3.5", + "port": 0 }, "network": { "direction": "inbound", @@ -855,8 +856,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "source": { - "address": "1.2.3.5", - "ip": "1.2.3.5" + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 1 }, "user": { "domain": "LOCAL", @@ -884,9 +886,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "target": "network-traffic" }, "destination": { - "address": "172.16.10.208", - "ip": "172.16.10.208", - "port": 2189 + "address": "172.16.19.90", + "ip": "172.16.19.90", + "port": 0 }, "network": { "transport": "icmp" @@ -905,8 +907,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "source": { - "address": "172.16.19.90", - "ip": "172.16.19.90" + "address": "172.16.10.208", + "ip": "172.16.10.208", + "port": 2189 }, "user": { "name": "karibou" 
@@ -939,11 +942,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "destination": { + "address": "1.2.4.3", + "ip": "1.2.4.3", + "port": 0 + }, + "network": { + "transport": "icmp" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "1.2.4.3" + ] + }, + "source": { "address": "1.2.3.4", "ip": "1.2.3.4", "port": 25481 + } + } + + ``` + + +=== "test_ASA_302021_3.json" + + ```json + + { + "message": "%ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0", + "event": { + "category": [ + "network" + ], + "code": "302020" + }, + "action": { + "name": "built", + "target": "network-traffic" + }, + "cisco": { + "ftd": { + "icmp_code": "0", + "icmp_type": "8" + } + }, + "destination": { + "address": "172.1.1.2", + "ip": "172.1.1.2", + "port": 0 }, "network": { + "direction": "inbound", "transport": "icmp" }, "observer": { 
@@ -953,12 +1007,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. "related": { "ip": [ "1.2.3.4", - "1.2.4.3" + "172.1.1.2" ] }, "source": { - "address": "1.2.4.3", - "ip": "1.2.4.3" + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 14 + } + } + + ``` + + +=== "test_ASA_302021_4.json" + + ```json + + { + "message": "%ASA-6-302021: Teardown ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0", + "event": { + "category": [ + "network" + ], + "code": "302021" + }, + "action": { + "name": "teardown", + "target": "network-traffic" + }, + "cisco": { + "ftd": { + "icmp_code": "0", + "icmp_type": "8" + } + }, + "destination": { + "address": "172.1.1.2", + "ip": "172.1.1.2", + "port": 0 + }, + "network": { + "transport": "icmp" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "172.1.1.2" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 14 } } diff --git a/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md new file mode 100644 index 0000000000..4fcd78e677 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md 
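Review bot: The ICMP samples rebuilt here (`test_ASA_302021_3.json`, `test_ASA_302021_4.json` and the sample that ends at the top of `@@ -939`) set `destination.port` to `0` and `source.port` to `14`, copied from the `/0` and `/14` suffixes of the ASA message. ICMP has no transport ports (type and code are already mapped to `cisco.ftd.icmp_type`/`cisco.ftd.icmp_code`), so `"port": 0` is a sentinel rather than a value, and any rule or enrichment keyed on `destination.port` will be fed a fake port; what the `/14` suffix actually denotes for ICMP I cannot tell from the hunk. Leaving `source.port`/`destination.port` absent for ICMP connection events would be the safer encoding. The sample that the first hunk modifies starts before the hunk.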
@@ -0,0 +1,272 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web application firewall logs` | Azure Application Gateway protect web application with its web application firewall | +| `Web logs` | Web logs coming from Azure Application Gateway | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `network` | +| Type | `access`, `connection` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_accesslog_1.json" + + ```json + + { + "message": "{\n\t\"resourceId\": \"/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/\",\n\t\"operationName\": \"ApplicationGatewayAccess\",\n\t\"time\": \"2016-04-11T04:24:37Z\",\n\t\"category\": \"ApplicationGatewayAccessLog\",\n\t\"properties\": {\n\t\t\"instanceId\":\"ApplicationGatewayRole_IN_0\",\n\t\t\"clientIP\":\"37.186.113.170\",\n\t\t\"clientPort\":\"12345\",\n\t\t\"httpMethod\":\"HEAD\",\n\t\t\"requestUri\":\"/xyz/portal\",\n\t\t\"requestQuery\":\"\",\n\t\t\"userAgent\":\"-\",\n\t\t\"httpStatus\":\"200\",\n\t\t\"httpVersion\":\"HTTP/1.0\",\n\t\t\"receivedBytes\":\"27\",\n\t\t\"sentBytes\":\"202\",\n\t\t\"timeTaken\":\"359\",\n\t\t\"sslEnabled\":\"off\"\n\t}\n}", + "event": { + "category": [ + "network" + ], + "dataset": "ApplicationGatewayAccess", + "type": [ + "access", + "connection" + ] + }, + "cloud": { + "instance": { + "id": "ApplicationGatewayRole_IN_0" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "bytes": 202 + }, + "http": { + "request": { + "method": "HEAD" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "bytes": 27202 + }, + "related": { + "ip": [ + "37.186.113.170" + ] + }, + 
"source": { + "address": "37.186.113.170", + "bytes": 27, + "ip": "37.186.113.170", + "port": 12345 + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "-", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_accesslog_2.json" + + ```json + + { + "message": "{\n \"timeStamp\": \"2021-10-14T22:17:11+00:00\",\n \"resourceId\": \"/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}\",\n \"listenerName\": \"HTTP-Listener\",\n \"ruleName\": \"Storage-Static-Rule\",\n \"backendPoolName\": \"StaticStorageAccount\",\n \"backendSettingName\": \"StorageStatic-HTTPS-Setting\",\n \"operationName\": \"ApplicationGatewayAccess\",\n \"category\": \"ApplicationGatewayAccessLog\",\n \"properties\": {\n \"instanceId\": \"appgw_2\",\n \"clientIP\": \"185.42.129.24\",\n \"clientPort\": 45057,\n \"httpMethod\": \"GET\",\n \"originalRequestUriWithArgs\": \"\\/\",\n \"requestUri\": \"\\/\",\n \"requestQuery\": \"\",\n \"userAgent\": \"Mozilla\\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/52.0.2743.116 Safari\\/537.36\",\n \"httpStatus\": 200,\n \"httpVersion\": \"HTTP\\/1.1\",\n \"receivedBytes\": 184,\n \"sentBytes\": 466,\n \"clientResponseTime\": 0,\n \"timeTaken\": 0.034,\n \"WAFEvaluationTime\": \"0.000\",\n \"WAFMode\": \"Detection\",\n \"transactionId\": \"592d1649f75a8d480a3c4dc6a975309d\",\n \"sslEnabled\": \"on\",\n \"sslCipher\": \"ECDHE-RSA-AES256-GCM-SHA384\",\n \"sslProtocol\": \"TLSv1.2\",\n \"sslClientVerify\": \"NONE\",\n \"sslClientCertificateFingerprint\": \"\",\n \"sslClientCertificateIssuerName\": \"\",\n \"serverRouted\": \"52.239.221.65:443\",\n \"serverStatus\": \"200\",\n \"serverResponseLatency\": \"0.028\",\n \"upstreamSourcePort\": \"21564\",\n \"originalHost\": \"20.110.30.194\",\n \"host\": \"20.110.30.194\",\n \"error_info\":\"ERRORINFO_NO_ERROR\",\n 
\"contentType\":\"application/json\"\n }\n}", + "event": { + "category": [ + "network" + ], + "dataset": "ApplicationGatewayAccess", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2021-10-14T22:17:11Z", + "azure": { + "application_gateway": { + "error_info": "ERRORINFO_NO_ERROR", + "serverStatus": "200", + "sslClientVerify": "NONE", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d" + } + }, + "cloud": { + "instance": { + "id": "appgw_2" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "bytes": 466 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "bytes": 650 + }, + "related": { + "ip": [ + "185.42.129.24" + ] + }, + "source": { + "address": "185.42.129.24", + "bytes": 184, + "ip": "185.42.129.24", + "port": 45057 + }, + "url": { + "original": "/", + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "52.0.2743" + } + } + + ``` + + +=== "test_fwlog_1.json" + + ```json + + { + "message": "{\n \"timeStamp\": \"2021-10-14T22:17:11+00:00\",\n \"resourceId\": \"/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}\",\n \"operationName\": \"ApplicationGatewayFirewall\",\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"properties\": {\n \"instanceId\": \"appgw_2\",\n \"clientIp\": \"185.42.129.24\",\n \"clientPort\": \"\",\n \"requestUri\": \"\\/\",\n \"ruleSetType\": \"OWASP_CRS\",\n \"ruleSetVersion\": \"3.0.0\",\n \"ruleId\": \"920350\",\n \"message\": \"Host header is a numeric IP address\",\n \"action\": \"Matched\",\n \"site\": \"Global\",\n \"details\": {\n \"message\": \"Warning. 
Pattern match \\\\\\\"^[\\\\\\\\d.:]+$\\\\\\\" at REQUEST_HEADERS:Host .... \",\n \"data\": \"20.110.30.194:80\",\n \"file\": \"rules\\/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\n \"line\": \"791\"\n },\n \"hostname\": \"20.110.30.194:80\",\n \"transactionId\": \"592d1649f75a8d480a3c4dc6a975309d\",\n \"policyId\": \"default\",\n \"policyScope\": \"Global\",\n \"policyScopeName\": \"Global\"\n }\n}", + "event": { + "action": "Matched", + "category": [ + "network" + ], + "dataset": "ApplicationGatewayFirewall", + "reason": "Host header is a numeric IP address", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2021-10-14T22:17:11Z", + "azure": { + "application_gateway": { + "details": { + "message": "Warning. Pattern match \\\"^[\\\\d.:]+$\\\" at REQUEST_HEADERS:Host .... " + }, + "message": "Host header is a numeric IP address", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d" + } + }, + "cloud": { + "instance": { + "id": "appgw_2" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "address": "20.110.30.194", + "ip": "20.110.30.194", + "port": 80 + }, + "network": { + "bytes": 0 + }, + "related": { + "ip": [ + "185.42.129.24", + "20.110.30.194" + ] + }, + "source": { + "address": "185.42.129.24", + "ip": "185.42.129.24" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`azure.application_gateway.details.message` | `keyword` | The details message. | +|`azure.application_gateway.error_info` | `keyword` | The error information. | +|`azure.application_gateway.message` | `keyword` | The application gateway message. 
| +|`azure.application_gateway.serverStatus` | `keyword` | The status of the server. | +|`azure.application_gateway.sslClientVerify` | `keyword` | The SSL client verification status. | +|`azure.application_gateway.transactionId` | `keyword` | The unique identifier for the transaction. | +|`cloud.instance.id` | `keyword` | Instance ID of the host machine. | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.bytes` | `long` | Total bytes transferred in both directions. | +|`source.bytes` | `long` | Bytes sent from the source to the destination. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 2c4460d82b..e8faf9a54c 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
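Review bot: In `test_accesslog_1.json`, `network.bytes` is `27202` where the raw `receivedBytes` is `"27"` and `sentBytes` is `"202"` — the two string values were concatenated instead of added, while the second sample, whose values are numeric, gives the correct `650`; the parser should coerce both to integers before summing, so the expected line is `"bytes": 229`. The same first sample has no `@timestamp` although the raw event carries `"time": "2016-04-11T04:24:37Z"`, whereas the second sample maps `timeStamp`, so events of the older schema will get ingest time instead of event time. In `test_fwlog_1.json` the WAF fields `ruleId`, `ruleSetType` and `ruleSetVersion` are not extracted although they are the primary pivot for WAF detections; mapping them to `rule.id`, `rule.ruleset` and `rule.version` and adding the rows to the field table would close that gap. The file is generated documentation, so these are defects of the parser it documents.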
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
@@ -1076,6 +1076,241 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "network_threat_alert_1.json" + + ```json + + { + "message": "{\"TimeReceived\": \"2024-06-25T21:32:54.000000Z\", \"DeviceSN\": \"000011111112222\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Rule124\", \"SourceUser\": null, \"DestinationUser\": null, \"Application\": \"ssl\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"INSIDE\", \"ToZone\": \"OUTSIDE\", \"InboundInterface\": \"ethernet1/2\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"Panorama_CDL\", \"SessionID\": 155600, \"RepeatCount\": 1, \"SourcePort\": 51501, \"DestinationPort\": 443, \"NATSourcePort\": 63989, \"NATDestinationPort\": 443, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.org\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7353954110769176067, \"SourceLocation\": \"AZURE-EU-WEST-CBS-BELLEM\", \"DestinationLocation\": \"NL\", \"ContentType\": null, \"PacketID\": 0, \"URLCounter\": 0, \"UserAgent\": null, \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 982, \"DGHierarchyLevel2\": 117, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"DN-EUWEST-F2\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"unknown\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \"computer-and-internet-info,low-risk\", \"RuleUUID\": 
\"cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.103000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "NL" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "host": { + "name": "DN-EUWEST-F2" + }, + "http": { + "request": { + "method": "unknown" + } + }, + "log": { + "hostname": "DN-EUWEST-F2", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "ssl" + }, + "observer": { + "egress": { + "interface": { + "alias": "OUTSIDE" + } + }, + "ingress": { + "interface": { + "alias": "INSIDE" + } + }, + "product": "PAN-OS", + "serial_number": "000011111112222" + }, + "paloalto": { + "DGHierarchyLevel1": "982", + "DGHierarchyLevel2": "117", + "DGHierarchyLevel3": "0", + 
"DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.org" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "rule": { + "name": "Rule124", + "uuid": "cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 63989 + }, + "port": 51501 + }, + "url": { + "domain": "www.example.org", + "registered_domain": "example.org", + "subdomain": "www", + "top_level_domain": "org" + } + } + + ``` + + +=== "network_threat_alert_2.json" + + ```json + + { + "message": "{\"TimeReceived\": \"2024-06-25T21:30:08.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Global_Internet_Network_Awareness_Service\", \"SourceUser\": \"jdoe@example.org\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"ZR-EUWS-1\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.107\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1787364, \"RepeatCount\": 1, \"SourcePort\": 53610, \"DestinationPort\": 80, \"NATSourcePort\": 36160, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.com/connecttest.txt\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7372845116442397960, \"SourceLocation\": \"10.0.0.0-10.255.255.255\", \"DestinationLocation\": \"US\", \"ContentType\": \"text/plain\", \"PacketID\": 0, \"URLCounter\": 1, \"UserAgent\": \"Microsoft NCSI\", \"X-Forwarded-For\": 
null, \"Referer\": null, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 525, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"ZR-EUWS-1\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"get\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \".msftconnecttest.com,computer-and-internet-info,low-risk\", \"RuleUUID\": \"481a523a-44c0-4c37-b2d5-b6b541d775c3\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.778000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + 
"port": 80 + }, + "port": 80 + }, + "host": { + "name": "ZR-EUWS-1" + }, + "http": { + "request": { + "method": "get" + } + }, + "log": { + "hostname": "ZR-EUWS-1", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust" + } + }, + "ingress": { + "interface": { + "alias": "ZR-EUWS-1" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "ContentType": "text/plain", + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "525", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.com" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "Global_Internet_Network_Awareness_Service", + "uuid": "481a523a-44c0-4c37-b2d5-b6b541d775c3" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 36160 + }, + "port": 53610, + "user": { + "name": "jdoe@example.org" + } + }, + "url": { + "domain": "www.example.com", + "path": "connecttest.txt", + "registered_domain": "example.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + }, + "user_agent": { + "name": "Microsoft NCSI" + } + } + + ``` + + === "sctp_cef.json" ```json @@ -1502,6 +1737,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": "5.6.7.8", "nat": { + "ip": "5.6.7.8", "port": 80 }, "port": 80 @@ -1546,9 +1782,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "related": { "ip": [ "1.2.3.4", - "5.6.7.8" + "5.6.7.8", + "9.10.11.12" ], "user": [ + "example.com", "john.doe@example.com" ] }, 
@@ -1560,6 +1798,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "address": "1.2.3.4", "ip": "1.2.3.4", "nat": { + "ip": "9.10.11.12", "port": 22444 }, "port": 53514, @@ -1568,7 +1807,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "user": { - "name": "john.doe@example.com" + "domain": "john.doe", + "email": "john.doe@example.com", + "name": "example.com" } } @@ -4234,6 +4475,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": "5.6.7.8", "nat": { + "ip": "8.7.6.5", "port": 80 }, "port": 80 @@ -4283,9 +4525,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "related": { "ip": [ "1.2.3.4", - "5.6.7.8" + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" ], "user": [ + "example.org", "john.doe@example.org" ] }, @@ -4297,6 +4542,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "address": "1.2.3.4", "ip": "1.2.3.4", "nat": { + "ip": "4.3.2.1", "port": 40114 }, "port": 55555, @@ -4305,7 +4551,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "user": { - "name": "john.doe@example.org" + "domain": "john.doe", + "email": "john.doe@example.org", + "name": "example.org" } } @@ -4404,6 +4652,7 @@ The following table lists the fields that are extracted, normalized under the EC |`url.port` | `long` | Port of the request, such as 443. | |`url.query` | `keyword` | Query string of the request. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.email` | `keyword` | User email address. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.name` | `keyword` | Name of the user agent. | |`user_agent.os.name` | `keyword` | Operating system name, without the version. | 
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 976f2bb998..e870d4e76c 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -1002,6 +1002,73 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Event_4886.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2024-07-10 14:57:48\",\n \"Hostname\": \"FD001.example.org\",\n \"Keywords\": -9214364837600034816,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4886,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"Version\": 0,\n \"Task\": 12805,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 4403229,\n \"ActivityID\": \"{47CB07C4-5532-467D-A89C-724B854B59F7}\",\n \"ProcessID\": 900,\n \"ThreadID\": 8040,\n \"Channel\": \"Security\",\n \"Message\": \"Certificate Services received a certificate request.\\r\\n\\t\\r\\nRequest ID:\\t2715945\\r\\nRequester:\\tEXAMPLE\\\\jdoe\\r\\nAttributes:\\t\\nCertificateTemplate:NDSEClient\\r\\n\\nccm:NDFR10923.example.org\",\n \"Category\": \"Certification Services\",\n \"Opcode\": \"Info\",\n \"RequestId\": \"2715945\",\n \"Requester\": \"EXAMPLE\\\\jdoe\",\n \"Attributes\": \"\\nCertificateTemplate:NDSEClient\\r\\n\\nccm:NDFR10923.example.org\",\n \"EventReceivedTime\": \"2024-07-10 14:57:50\",\n \"SourceModuleName\": \"SecurityLog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}", + "event": { + "code": "4886", + "message": "Certificate Services received a certificate request.\r\n\t\r\nRequest ID:\t2715945\r\nRequester:\tEXAMPLE\\jdoe\r\nAttributes:\t\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4886, + "name": "Certificate Services received a certificate request", + "outcome": "success", + "properties": { + "Attributes": "\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "Category": "Certification Services", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "OpcodeValue": 0, + 
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Requester": "EXAMPLE\\jdoe", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Task": 12805 + }, + "record_id": 4403229, + "type": "Security" + }, + "host": { + "hostname": "FD001.example.org", + "name": "FD001.example.org" + }, + "log": { + "hostname": "FD001.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 900, + "pid": 900, + "thread": { + "id": 8040 + } + }, + "related": { + "hosts": [ + "FD001.example.org" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + === "Event_4929.json" ```json 
@@ -1962,6 +2029,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "audit_cve.json" + + ```json + + { + "message": "{\"EventTime\":\"2024-07-06 02:20:36\",\"Hostname\":\"srv023.example.com\",\"Keywords\":-9223372036854775808,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Audit-CVE\",\"ProviderGuid\":\"{85A62A0D-7E17-485F-9D4F-749A287193A6}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":606266,\"ProcessID\":2392,\"ThreadID\":2932,\"Channel\":\"Application\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"System\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"D\u00e9tection possible de CVE : [CVE-2020-158] cert chain exceeded limit\\r\\nInformations suppl\u00e9mentaires : Cert: sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\\r\\n\\r\\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une tentative d\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 connue ([CVE-2020-158] cert chain exceeded limit) est d\u00e9tect\u00e9e.\\r\\nCet \u00e9v\u00e9nement est d\u00e9clench\u00e9 par un processus en mode utilisateur.\\r\\n\",\"Opcode\":\"Informations\",\"CVEID\":\"[CVE-2020-158] cert chain exceeded limit\",\"AdditionalDetails\":\"Cert: <CS.EXAMPLE.ORG> sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\",\"EventReceivedTime\":\"2024-07-06 02:20:37\",\"SourceModuleName\":\"eventlogs\",\"SourceModuleType\":\"im_msvistalog\"}\n", + "event": { + "code": "1", + "message": "D\u00e9tection possible de CVE : [CVE-2020-158] cert chain exceeded limit\r\nInformations suppl\u00e9mentaires : Cert: sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une tentative d\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 connue ([CVE-2020-158] cert chain exceeded limit) est 
d\u00e9tect\u00e9e.\r\nCet \u00e9v\u00e9nement est d\u00e9clench\u00e9 par un processus en mode utilisateur.\r\n", + "provider": "Microsoft-Windows-Audit-CVE" + }, + "action": { + "id": 1, + "properties": { + "AccountName": "System", + "AccountType": "User", + "CVEID": "[CVE-2020-158] cert chain exceeded limit", + "Domain": "AUTORITE NT", + "EventType": "WARNING", + "Keywords": "-9223372036854775808", + "OpcodeValue": 0, + "ProviderGuid": "{85A62A0D-7E17-485F-9D4F-749A287193A6}", + "Severity": "WARNING", + "SourceName": "Microsoft-Windows-Audit-CVE", + "Task": 0 + }, + "record_id": 606266, + "type": "Application" + }, + "host": { + "hostname": "srv023.example.com", + "name": "srv023.example.com" + }, + "log": { + "hostname": "srv023.example.com", + "level": "warning" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 2392, + "pid": 2392, + "thread": { + "id": 2932 + } + }, + "related": { + "hosts": [ + "srv023.example.com" + ], + "user": [ + "System" + ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "System" + } + } + + ``` + + === "bits-file-transfert.json" ```json @@ -7361,6 +7494,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.Accesses` | `keyword` | | |`action.properties.AdditionalActionsID` | `keyword` | | |`action.properties.AdditionalActionsString` | `keyword` | | +|`action.properties.Attributes` | `keyword` | | |`action.properties.BytesTotal` | `keyword` | | |`action.properties.ConfigurationFile` | `keyword` | | |`action.properties.Content` | `keyword` | | 
@@ -7390,6 +7524,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.ProcessName` | `keyword` | | |`action.properties.ProxyServer` | `keyword` | | |`action.properties.ReferrerUrl` | `keyword` | | +|`action.properties.Requester` | `keyword` | | |`action.properties.SentUpdateServer` | `keyword` | | |`action.properties.ServiceFileName` | `keyword` | | |`action.properties.StartFunction` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md index 72628c62b2..ae85bc0d44 100644 --- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md 
@@ -509,6 +509,114 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "vectra_several_ports_scanned_01.json" + + ```json + + { + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029813\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721184242\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://1.2.3.4/detections/85003?detail_id=2029813" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 0 + }, + "host": { + "ip": "3.4.5.6", + "name": "host" + }, + "network": { + "protocol": "tcp" + }, + "observer": { + "ip": "1.2.3.4", + "name": "1.2.3.4", + "version": "8.5" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] + }, + "vectra": { + "certainty": 0, + "detection": { + "id": 85003, + "name": "Port Scan", + "ports": 
"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", + "scans": "100", + "successes": "0", + "type": "port_scan" + }, + "risk_score_norm": 0, + "severity": 0, + "timestamp": 1721184242, + "triaged": true + } + } + + ``` + + +=== "vectra_several_ports_scanned_02.json" + + ```json + + { + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029784\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721183706\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://1.2.3.4/detections/85003?detail_id=2029784" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 0 + }, + "host": { + "ip": "3.4.5.6", + "name": "host" + }, + "network": { + "protocol": "tcp" + }, + "observer": { + "ip": "1.2.3.4", + "name": 
"1.2.3.4", + "version": "8.5" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] + }, + "vectra": { + "certainty": 0, + "detection": { + "id": 85003, + "name": "Port Scan", + "ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", + "scans": "100", + "successes": "0", + "type": "port_scan" + }, + "risk_score_norm": 0, + "severity": 0, + "timestamp": 1721183706, + "triaged": true + } + } + + ``` + + === "vectra_threat1.json" ```json @@ -1939,7 +2047,7 @@ The following table lists the fields that are extracted, normalized under the EC |`vectra.detection.normal_servers` | `keyword` | The normal servers observed. | |`vectra.detection.num_attempts` | `keyword` | The number of attempts | |`vectra.detection.port` | `keyword` | The external port used. | -|`vectra.detection.ports` | `long` | Ports scanned. | +|`vectra.detection.ports` | `keyword` | Ports scanned. | |`vectra.detection.product_id` | `keyword` | The unusual product ID. | |`vectra.detection.profile` | `object` | The detection profile associated with this host. | |`vectra.detection.protocol` | `keyword` | The external protocol used. | diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 261a69b395..ae18df8759 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
@@ -348,9 +348,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "domain": "a.et.nytimes.com", - "registered_domain": "nytimes.com", - "subdomain": "a.et", - "top_level_domain": "com" + "original": "a.et.nytimes.com", + "path": "a.et.nytimes.com" }, "user": { "email": "john.doe@example.org", @@ -450,11 +449,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "domain": "ctldl.windowsupdate.com", + "original": "ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9ea4b61fd3501b07", "path": "msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", - "query": "9ea4b61fd3501b07", - "registered_domain": "windowsupdate.com", - "subdomain": "ctldl", - "top_level_domain": "com" + "query": "9ea4b61fd3501b07" }, "user": { "email": "john.doe@example.org", diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index cd487767d6..8547544ccb 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md @@ -694,7 +694,6 @@ The following table lists the fields that are extracted, normalized under the EC |`sonicwall.fw.ipscat` | `number` | Displays the IPS category | |`sonicwall.fw.ipspri` | `number` | Displays the IPS priority | |`sonicwall.fw.priority` | `keyword` | Displays the event priority level | -|`sonicwall.fw.reason` | `number` | Blocking code: Indicates the CFS block code | |`sonicwall.fw.sid` | `number` | Provides either IPS or Anti-Spyware signature ID | |`source.bytes` | `long` | Bytes sent from the source to the destination. | |`source.domain` | `keyword` | The domain name of the source. |
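Review bot: In the `@@ -348,9 +348,8 @@` hunk the new `url.path` is `"a.et.nytimes.com"`, i.e. the host name itself, while in the `@@ -450,11 +449,9 @@` hunk of the same file `url.path` holds only the path component (`msdownload/update/...`). A value without a path component should presumably leave `url.path` unset instead of copying the domain into it, otherwise path-based matching in this integration yields false hits on host-only records. As with the other generated samples, the file only reflects parser output, so the fix is in the URL parsing step. The removal of `registered_domain`, `subdomain` and `top_level_domain` from both samples looks deliberate, though the field table for this file is not in the hunk to confirm.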