Refresh intakes documentation

_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md

@@ -20,6 +20,86 @@ The following table lists the data source offered by this integration.
 Find below few samples of events and how they are normalized by Sekoia.io.
 
 
+=== "attack.json"
+
+    ```json
+
+    {
+        "message": "cat=attack date_time=2023-12-08T02:34:17+01:00 user_id=9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf [email protected] login_user=\"Unknown\" ep_id=5446331978 app_name=\"Staging\" ep_region=europe-west3 ep_domain=staging.example.org src_ip=1.2.3.4 src_port=45344 backend_service=unknown dst_port=443 srccountry=\"Ireland\" service=https/tls1.3 action=Block main_type=\"Known Bots Detection\" sub_type=\"Crawler\" threat_level=Moderate threat_weight=25 http_host=staging.example.org http_url=/ http_version=1.x http_method=GET http_agent=\"Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])\" http_refer=none length=1546 signature_id=N/A signature_cve_id=N/A owasp_top10=\"N/A\" msg=\"Known Bots: Malicious Bot Netcraft in category Crawler Violation\" log_id=20000213 msg_id=001415055359",
+        "event": {
+            "action": "Block",
+            "message": "Known Bots: Malicious Bot Netcraft in category Crawler Violation"
+        },
+        "action": {
+            "properties": {
+                "cat": "attack",
+                "log_id": "20000213"
+            }
+        },
+        "destination": {
+            "port": 443
+        },
+        "host": {
+            "name": "tyR4LrYORLPlEIBp"
+        },
+        "http": {
+            "request": {
+                "method": "GET",
+                "referrer": "none"
+            },
+            "version": "1.x"
+        },
+        "log": {
+            "hostname": "tyR4LrYORLPlEIBp"
+        },
+        "related": {
+            "hosts": [
+                "staging.example.org"
+            ],
+            "ip": [
+                "1.2.3.4"
+            ],
+            "user": [
+                "jdoe"
+            ]
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "geo": {
+                "name": "Ireland"
+            },
+            "ip": "1.2.3.4",
+            "port": 45344
+        },
+        "url": {
+            "domain": "staging.example.org",
+            "path": "/",
+            "registered_domain": "example.org",
+            "subdomain": "staging",
+            "top_level_domain": "org",
+            "username": "[email protected]"
+        },
+        "user": {
+            "domain": "example.org",
+            "email": "[email protected]",
+            "id": "9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf",
+            "name": "jdoe"
+        },
+        "user_agent": {
+            "device": {
+                "name": "Other"
+            },
+            "name": "Other",
+            "original": "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; [email protected])",
+            "os": {
+                "name": "Other"
+            }
+        }
+    }
+    	
+	```
+
+
 === "https_traffic.json"
 
     ```json
@@ -68,9 +148,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "protocol": "tcp"
         },
         "related": {
+            "hosts": [
+                "api.sns-security.fr"
+            ],
             "ip": [
                 "172.26.8.20",
                 "192.168.36.2"
+            ],
+            "user": [
+                "Unknown"
             ]
         },
         "rule": {
@@ -88,9 +174,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
         },
         "url": {
+            "domain": "api.sns-security.fr",
             "path": "/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN",
+            "registered_domain": "sns-security.fr",
+            "subdomain": "api",
+            "top_level_domain": "fr",
             "username": "Unknown"
         },
+        "user": {
+            "name": "Unknown"
+        },
         "user_agent": {
             "device": {
                 "name": "Other"
@@ -156,6 +249,7 @@ The following table lists the fields that are extracted, normalized under the EC
 
 | Name | Type | Description                |
 | ---- | ---- | ---------------------------|
+|`action.properties.cat` | `keyword` |  |
 |`action.properties.device_id` | `keyword` |  |
 |`action.properties.log_id` | `keyword` |  |
 |`destination.ip` | `ip` | IP address of the destination. |
@@ -177,8 +271,12 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.ip` | `ip` | IP address of the source. |
 |`source.port` | `long` | Port of the source. |
 |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
+|`url.domain` | `keyword` | Domain of the url. |
 |`url.path` | `wildcard` | Path of the request, such as "/search". |
 |`url.username` | `keyword` | Username of the request. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
+|`user.email` | `keyword` | User email address. |
+|`user.id` | `keyword` | Unique identifier of the user. |
 |`user.name` | `keyword` | Short name or login of the user. |
 |`user_agent.original` | `keyword` | Unparsed user_agent string. |
 

_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md

@@ -104,6 +104,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 }
             ],
             "from_header": "user [email protected]",
+            "last_report_date": "0001-01-01T00:00:00Z",
             "overdict": "clean",
             "status": "LOW_SPAM",
             "to_header": "header stuff",
@@ -262,6 +263,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             ],
             "folder": "JunkEmail",
             "from_header": "Test SEKOIA.IO <[email protected]>",
+            "last_report_date": "0001-01-01T00:00:00Z",
             "status": "PHISHING",
             "to_header": "\"[email protected]\" <[email protected]>",
             "whitelist": "false"
@@ -329,6 +331,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 }
             ],
             "from_header": "Test SEKOIA.IO <[email protected]>",
+            "last_report_date": "0001-01-01T00:00:00Z",
             "status": "LEGIT",
             "to_header": "\"[email protected]\" <[email protected]>",
             "whitelist": "true"
@@ -361,6 +364,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                         "action": "MOVE"
                     }
                 ],
+                "actions_labels": [
+                    "MOVE"
+                ],
                 "id": "zekfnzejnf576rge8768",
                 "nb_messages_remediated": 1,
                 "nb_messages_remediated_read": 0,
@@ -398,6 +404,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                         "action": "FAILED"
                     }
                 ],
+                "actions_labels": [
+                    "DELETE",
+                    "FAILED"
+                ],
                 "id": "zekfnzejnf576rge8768",
                 "nb_messages_remediated": 76,
                 "nb_messages_remediated_read": 0,
@@ -431,12 +441,15 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.ip` | `ip` | IP address of the source. |
 |`vadesecure.attachments` | `array` | vadesecure.to_header |
 |`vadesecure.campaign.actions` | `array` | The actions carried out for the remediation campaign. |
+|`vadesecure.campaign.actions_labels` | `keyword` |  |
 |`vadesecure.campaign.id` | `keyword` | The ID of the campaign |
 |`vadesecure.campaign.nb_messages_remediated` | `long` | The total number of messages involved in the remediation. |
 |`vadesecure.campaign.nb_messages_remediated_read` | `long` | The number of total read messages involved in the remediation. |
 |`vadesecure.campaign.nb_messages_remediated_unread` | `long` | The number of total unread messages involved in the remediation. |
 |`vadesecure.folder` | `keyword` | vadesecure.folder |
 |`vadesecure.from_header` | `keyword` | vadesecure.from_header |
+|`vadesecure.last_report` | `keyword` |  |
+|`vadesecure.last_report_date` | `datetime` |  |
 |`vadesecure.overdict` | `keyword` | vadesecure.overdict |
 |`vadesecure.status` | `keyword` | vadesecure.status |
 |`vadesecure.substatus` | `keyword` | vadesecure.substatus |

_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md

@@ -726,6 +726,73 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "CEF_syslog.json"
+
+    ```json
+
+    {
+        "message": "0|Check Point|SmartDefense|Check Point|IPS|Syslog Message Length Enforcement|Medium|act=Detect cp_severity=Medium cnt=53 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=02syslg_max_msg_len_tab cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Syslog Message Length Enforcement cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=phpFileManager cmd Parameter Command Execution in=0 msg=Syslog Protocol Violation out=0 rt=1705349059000 spt=57789 dpt=514 Signature=CVE-1999-0063, CVE-1999-0381 cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs1Label=Threat Prevention Rule Name layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy ifname=eth5.996 loguid={0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d} origin=3.4.5.6 originsicname=CN\\=DN-EXAMPLE,O\\=alfi.defo.ccse.nl sequencenum=12 version=5 capture_uuid={0x65a58fcb,0x1,0x4d1f8365,0xc5a8726d} description_url=02syslg_max_msg_len_tab_help.html dst=5.6.7.8 lastupdatetime=1705352059 log_id=2 policy=dn policy_time=1705348793 product=SmartDefense proto=17 rule_uid=b16110f0-fc9f-43b1-9f87-a8ad3f995237 session_id={0x65a58fc3,0x3,0x4d1f8365,0xc5a8726d} smartdefense_profile=XXXX_IPS_policy src=1.2.3.4",
+        "event": {
+            "code": "IPS",
+            "message": "Syslog Protocol Violation",
+            "outcome": "success"
+        },
+        "action": {
+            "name": "detect",
+            "outcome": "success",
+            "outcome_reason": "Syslog Protocol Violation",
+            "properties": {
+                "loguid": "{0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d}",
+                "observer_type": "SmartDefense",
+                "origin": "3.4.5.6",
+                "originsicname": "CN=DN-EXAMPLE,O=alfi.defo.ccse.nl",
+                "product": "SmartDefense",
+                "signature": [
+                    "CVE-1999-0063",
+                    "CVE-1999-0381"
+                ]
+            },
+            "target": "network-traffic"
+        },
+        "destination": {
+            "address": "5.6.7.8",
+            "ip": "5.6.7.8",
+            "port": 514
+        },
+        "log": {
+            "level": "Medium"
+        },
+        "network": {
+            "direction": "outbound",
+            "transport": "udp"
+        },
+        "observer": {
+            "ingress": {
+                "interface": {
+                    "name": "eth5.996"
+                }
+            }
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4",
+                "5.6.7.8"
+            ]
+        },
+        "rule": {
+            "uuid": "b16110f0-fc9f-43b1-9f87-a8ad3f995237",
+            "version": "5"
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4",
+            "port": 57789
+        }
+    }
+    	
+	```
+
+
 === "CEF_tcp_accept.json"
 
     ```json
@@ -1345,6 +1412,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.product` | `keyword` |  |
 |`action.properties.reject_category` | `keyword` |  |
 |`action.properties.rule_name` | `keyword` |  |
+|`action.properties.signature` | `array` |  |
 |`action.properties.source_key_id` | `keyword` |  |
 |`action.properties.subproduct` | `keyword` |  |
 |`action.properties.vpn_feature_name` | `keyword` |  |
@@ -1362,6 +1430,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`host.name` | `keyword` | Name of the host. |
 |`http.request.method` | `keyword` | HTTP request method. |
+|`log.level` | `keyword` | Log level of the log event. |
 |`network.direction` | `keyword` | Direction of the network traffic. |
 |`network.protocol` | `keyword` | Application protocol name. |
 |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |