diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index 1a86177f60..b82dea8338 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md 
@@ -281,7 +281,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"user\":{\"id\":\"1063\",\"name\":\"USER_FOO\"},\"action\":{\"properties\":{\"hostname\":\"1.1.1.1\",\"id\":\"1063\",\"op\":\"login\",\"terminal\":\"ssh\"}},\"event\":{\"action\":\"logged-in\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"authentication\"],\"type\":[\"start\"]},\"agent\":{\"id\":\"2c59eed20c79ccd855d4a9c336ae9e0d2311970d30b87e426ff582032eeef137\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"linux\"},\"hostname\":\"foobar.net\"},\"network\":{\"direction\":\"ingress\"},\"process\":{\"executable\":\"/usr/sbin/sshd\",\"pid\":1750},\"source\":{\"address\":\"1.1.1.1\",\"ip\":\"1.1.1.1\"},\"@timestamp\":\"2023-06-23T07:41:09.858Z\"}\n", + "message": "{\"user\":{\"id\":\"1063\",\"name\":\"USER_FOO\"},\"action\":{\"properties\":{\"hostname\":\"1.1.1.1\",\"id\":\"1063\",\"op\":\"login\",\"terminal\":\"ssh\"}},\"event\":{\"action\":\"logged-in\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"authentication\"],\"type\":[\"start\"], \"start\":\"2023-06-23T07:41:09.858Z\", \"end\":\"2023-06-23T07:46:09.858Z\"},\"agent\":{\"id\":\"2c59eed20c79ccd855d4a9c336ae9e0d2311970d30b87e426ff582032eeef137\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"linux\"},\"hostname\":\"foobar.net\"},\"network\":{\"direction\":\"ingress\"},\"process\":{\"executable\":\"/usr/sbin/sshd\",\"pid\":1750},\"source\":{\"address\":\"1.1.1.1\",\"ip\":\"1.1.1.1\"},\"@timestamp\":\"2023-06-23T07:41:09.858Z\"}\n", "event": { "action": "logged-in", "category": [ 
@@ -290,7 +290,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "SEKOIA-IO-Endpoint", "type": [ "start" - ] + ], + "start": "2023-06-23T07:41:09.858000Z", + "end": "2023-06-23T07:46:09.858000Z" }, "@timestamp": "2023-06-23T07:41:09.858000Z", "action": { @@ -953,9 +955,11 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.os.type` | `keyword` | Which commercial OS family (one of: linux, macos, unix or windows). | |`process.name` | `keyword` | Process name. | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index d9aa968ae2..a765d3960b 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md 
@@ -31,7 +31,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert`, `event` | -| Category | `authentication`, `network`, `process`, `web` | +| Category | `authentication`, `driver`, `network`, `process`, `web` | | Type | `access`, `connection`, `info`, `start` | @@ -42,6 +42,36 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "agentlog.json" + + ```json + + { + "message": "{\"message\": \"Cannot convert \\\\Device\\\\BootPartition\\\\Windows\\\\System32\\\\ntdll.dll - \\\\device\\\\bootpartition\", \"date\": \"2023-11-21T07:38:02.978Z\", \"@version\": \"1\", \"level\": \"ERROR\", \"worker\": false, \"@timestamp\": \"2023-11-21T07:38:25.190667Z\", \"tenant\": \"1111111111111111\", \"@event_create_date\": \"2023-11-21T07:38:02.978Z\", \"hostname\": \"example\", \"object_type\": \"agentlog\", \"log_type\": \"agentlog\", \"agent_id\": \"5028ff9e-d536-4e91-9d5f-1e30c3765672\"}", + "event": { + "dataset": "agentlog", + "kind": "event", + "reason": "Cannot convert \\Device\\BootPartition\\Windows\\System32\\ntdll.dll - \\device\\bootpartition", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-21T07:38:02.978000Z", + "agent": { + "id": "5028ff9e-d536-4e91-9d5f-1e30c3765672", + "name": "harfanglab" + }, + "host": { + "name": "example" + }, + "organization": { + "id": "1111111111111111" + } + } + + ``` + + === "alert.json" ```json 
@@ -393,6 +423,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "connectionlog.json" + + ```json + + { + "message": "{\"date\": \"2023-11-21T07:52:00+00:00\", \"@version\": \"1\", \"telemetry_sum\": 24692, \"connection_count\": 4, \"@timestamp\": \"2023-11-21T07:52:06.054772Z\", \"tenant\": \"1111111111111111\", \"tags\": [\"_dateparsefailure\"], \"investigation_data_sum\": 0, \"date_received\": \"2023-11-21T07:52:00Z\", \"log_type\": \"connectionlog\", \"object_type\": \"connectionlog\", \"groups\": [], \"agent_id\": \"5028ff9e-d536-4e91-9d5f-1e30c3765672\"}", + "event": { + "category": [ + "network" + ], + "dataset": "connectionlog", + "kind": "event", + "type": [ + "info" + ] + }, + "agent": { + "id": "5028ff9e-d536-4e91-9d5f-1e30c3765672", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "organization": { + "id": "1111111111111111" + } + } + + ``` + + === "dns.json" ```json 
@@ -465,6 +526,135 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "driverload.json" + + ```json + + { + "message": "{\"pe_info\": {\"file_version\": \"10.0.19041.1 (WinBuild.160101.0800)\", \"product_name\": \"Microsoft\\u00ae Windows\\u00ae Operating System\", \"internal_name\": \"ksthunk.sys\", \"pe_timestamp\": \"1991-04-25T14:23:02.000Z\", \"file_description\": \"Kernel Streaming WOW Thunk Service\", \"company_name\": \"Microsoft Corporation\", \"original_filename\": \"ksthunk.sys\", \"legal_copyright\": \"\\u00a9 Microsoft Corporation. All rights reserved.\", \"product_version\": \"10.0.19041.1\"}, \"pe_timestamp\": \"1991-04-25T14:23:02Z\", \"hashes\": {\"md5\": \"e5304de29bb9666df0e57e5ba71c0e10\", \"sha1\": \"d3935d2e083674b40ff29fa4e078a36cee6589c5\", \"sha256\": \"491802a11f9e563369db69e1d838c6f0f54f69f31bdc14018339cee1b6c9c3ca\"}, \"@version\": \"1\", \"pe_imphash\": \"E7DF5FB173D46E5224E279F12AD83F1A\", \"imagepath\": \"C:\\\\Windows\\\\system32\\\\drivers\\\\ksthunk.sys\", \"signed\": true, \"agent\": {\"osversion\": \"10.0.19042\", \"distroid\": null, \"domain\": null, \"additional_info\": null, \"osproducttype\": \"Windows 10 Pro\", \"agentid\": \"5028ff9e-d536-4e91-9d5f-1e30c3765672\", \"ostype\": \"windows\", \"hostname\": \"VM0001\", \"domainname\": \"EXAMPLE\", \"dnsdomainname\": \"example.org\", \"version\": \"3.0.10-post0\"}, \"signature_info\": {\"signer_info\": {\"display_name\": \"Microsoft Windows\", \"serial_number\": \"3300000266bd1580efa75cd6d3000000000266\", \"thumbprint_sha256\": \"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3\", \"issuer_name\": \"Microsoft Windows Production PCA 2011\", \"thumbprint\": \"a4341b9fd50fb9964283220a36a1ef6f6faa7840\"}, \"signed_catalog\": true, \"root_info\": {\"display_name\": \"Microsoft Root Certificate Authority 2010\", \"serial_number\": \"28cc3a25bfba44ac449a9b586b4339aa\", \"thumbprint_sha256\": 
\"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e\", \"issuer_name\": \"Microsoft Root Certificate Authority 2010\", \"thumbprint\": \"3b1efd3a66ea28b16697394703a72ca340a05bd5\"}, \"signed_authenticode\": false}, \"@timestamp\": \"2023-11-21T08:05:04.299749Z\", \"tenant\": \"1111111111111111\", \"@event_create_date\": \"2023-11-21T08:04:44.609000+00:00\", \"imagename\": \"ksthunk.sys\", \"size\": 29696, \"tags\": [\"_dateparsefailure\"], \"pe_timestamp_int\": 672589382, \"imagesize\": 61440, \"imagebase\": 18446735290998784000, \"log_type\": \"driverload\", \"groups\": []}", + "event": { + "category": [ + "driver" + ], + "dataset": "driverload", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-21T08:04:44.609000Z", + "agent": { + "id": "5028ff9e-d536-4e91-9d5f-1e30c3765672", + "name": "harfanglab", + "version": "3.0.10-post0" + }, + "file": { + "hash": { + "md5": "e5304de29bb9666df0e57e5ba71c0e10", + "sha1": "d3935d2e083674b40ff29fa4e078a36cee6589c5", + "sha256": "491802a11f9e563369db69e1d838c6f0f54f69f31bdc14018339cee1b6c9c3ca" + }, + "name": "ksthunk.sys", + "path": "C:\\Windows\\system32\\drivers\\ksthunk.sys", + "pe": { + "company": "Microsoft Corporation", + "description": "Kernel Streaming WOW Thunk Service", + "file_version": "10.0.19041.1 (WinBuild.160101.0800)", + "imphash": "E7DF5FB173D46E5224E279F12AD83F1A", + "original_file_name": "ksthunk.sys", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + }, + "size": 61440 + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "VM0001", + "name": "VM0001", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19042" + } + }, + "log": { + "hostname": "VM0001" + }, + "organization": { + "id": "1111111111111111" + }, + "related": { + "hash": [ + "491802a11f9e563369db69e1d838c6f0f54f69f31bdc14018339cee1b6c9c3ca", + "d3935d2e083674b40ff29fa4e078a36cee6589c5", + "e5304de29bb9666df0e57e5ba71c0e10" + ], + "hosts": [ + "VM0001" 
+ ] + } + } + + ``` + + +=== "injectedthread.json" + + ```json + + { + "message": "{\"region_state\": 4096, \"region_dump_base\": 2340521771008, \"@event_create_date\": \"2023-11-21T07:48:45.756Z\", \"thread_sha256\": \"7fd7cfe856047297d728b852160b50d3fac5497f308ec02ce549e524d8134bb5\", \"start_address\": 2340521771008, \"process_guid\": \"9ab629f0-1353-49c9-b81c-00170847637f\", \"region_dump\": \"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\", \"start_address_string\": \"0x220f1f80000\", \"log_type\": \"injectedthread\", \"thread_uid\": \"d608a782184dfab78c1014a7e8e4c97eb9cd2a235a1a183ad3e7504090ac462b\", \"region_allocation_protect\": 64, \"region_allocation_size\": 4096, \"groups\": [], \"thread_dump\": \"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\", \"@version\": \"1\", \"agent\": {\"osversion\": \"10.0.19045\", \"distroid\": null, \"domain\": null, \"additional_info\": null, \"osproducttype\": \"Windows 10 Pro\", \"agentid\": \"5028ff9e-d536-4e91-9d5f-1e30c3765672\", \"ostype\": \"windows\", \"hostname\": \"VM0001\", \"domainname\": \"EXAMPLE\", \"dnsdomainname\": \"example.org\", \"version\": \"3.0.10-post0\"}, \"process_image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"region_protect\": 32, \"@timestamp\": \"2023-11-21T07:48:45.740479Z\", \"tenant\": \"1111111111111111\", \"process_id\": 7352, \"region_allocation_base\": 2340521771008, \"thread_id\": 8928, \"region_type\": 131072, \"region_size\": 4096, \"region_base_address\": 2340521771008}", + "event": { + "category": [ + "process" + ], + "dataset": "injectedthread", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-21T07:48:45.756000Z", + "agent": { + "id": "5028ff9e-d536-4e91-9d5f-1e30c3765672", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "VM0001", + "name": "VM0001", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" + } + }, + "log": { + 
"hostname": "VM0001" + }, + "organization": { + "id": "1111111111111111" + }, + "process": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7352, + "thread": { + "id": 8928 + } + }, + "related": { + "hosts": [ + "VM0001" + ] + } + } + + ``` + + === "investigation.json" ```json @@ -1548,6 +1738,7 @@ The following table lists the fields that are extracted, normalized under the EC |`file.pe.imphash` | `keyword` | A hash of the imports in a PE file. | |`file.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | |`file.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | +|`file.size` | `long` | File size in bytes. | |`harfanglab.aggregation_key` | `keyword` | The key to the events aggregation | |`harfanglab.alert_subtype` | `keyword` | The subtype of the alert | |`harfanglab.alert_time` | `keyword` | The timestamp of the alert | @@ -1559,6 +1750,7 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.status` | `keyword` | The status of the alert | |`host.domain` | `keyword` | Name of the directory the group is a member of. | |`host.hostname` | `keyword` | Hostname of the host. | +|`host.name` | `keyword` | Name of the host. | |`host.os.full` | `keyword` | Operating system name, including the version or code name. | |`host.os.version` | `keyword` | Operating system version as a raw string. | |`http.request.method` | `keyword` | HTTP request method. | 
@@ -1577,6 +1769,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.pe.original_file_name` | `keyword` | Internal name of the file, provided at compile-time. | |`process.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | |`process.pid` | `long` | Process id. | +|`process.thread.id` | `long` | Thread ID. | |`process.working_directory` | `keyword` | The working directory of the process. | |`registry.hive` | `keyword` | Abbreviated name for the hive. | |`registry.key` | `keyword` | Hive-relative path of keys. | diff --git a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md new file mode 100644 index 0000000000..48e0dbdf7f --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md 
@@ -0,0 +1,104 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | Microsoft IIS logs site activity | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `web` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "sample.json" + + ```json + + { + "message": "::1, -, 11/20/2023, 15:44:03, W3SVC1, IIS-server, ::1, 2, 769, 143, 304, 0, GET, /, -,", + "event": { + "category": [ + "web" + ], + "duration": 2000, + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2023-11-20T15:44:03Z", + "client": { + "address": "::1", + "bytes": 769, + "ip": "::1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 304 + } + }, + "observer": { + "name": "IIS-server" + }, + "related": { + "ip": [ + "::1" + ] + }, + "server": { + "bytes": 143, + "ip": "::1" + }, + "url": { + "path": "/" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`client.bytes` | `long` | Bytes sent from the client to the server. | +|`client.ip` | `ip` | IP address of the client. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.duration` | `long` | Duration of the event in nanoseconds. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. 
| +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`server.bytes` | `long` | Bytes sent from the server to the client. | +|`server.ip` | `ip` | IP address of the server. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user.name` | `keyword` | Short name or login of the user. | + diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 32edda77c5..07a2def631 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md 
@@ -15,7 +15,1141 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `authentication`, `network`, `process` | +| Type | `alert`, `info`, `start` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_afm_1.json" + + ```json + + { + "message": "CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 8, + "type": [ + "info" + ] + }, + "@timestamp": "2012-10-04T13:15:29Z", + "action": { + "name": "Accept", + "target": "network-traffic" + }, + "destination": { + "address": "10.3.1.200", + "ip": "10.3.1.200", + "port": 443 + }, + "f5": { + "bigip": { + "afm": { + "route_domain": "0", + "virtual_name": "/Common/topaz3-all3", + "vlan": "/Common/external" + } + } + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "bigip-3.pme-ds.f5.com", + "ip": "192.168.73.33", + "product": "Advanced Firewall Module", + "vendor": "F5", + "version": "11.3.0.2095.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-3.pme-ds.f5.com" + ], + "ip": [ + "10.3.1.101", + "10.3.1.200", + "192.168.73.33" + ] + }, + "rule": { + "name": "allow_https" + }, + "source": { + "address": "10.3.1.101", + "ip": "10.3.1.101", + "port": 39321 + } + } + + ``` + + +=== "test_afm_2.json" + + ```json + + { + "message": 
"CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 8, + "type": [ + "info" + ] + }, + "@timestamp": "2012-11-08T17:58:02Z", + "action": { + "name": "Drop", + "target": "network-traffic" + }, + "destination": { + "address": "fc55::3", + "port": 80 + }, + "f5": { + "bigip": { + "afm": { + "attack_id": "3083822789", + "attack_status": "Attack Sampled", + "route_domain": "0", + "vlan": "/Common/VLAN10" + } + } + }, + "observer": { + "hostname": "asm176.labt.ts.example.com", + "ip": "192.168.69.176", + "product": "Advanced Firewall Module", + "vendor": "F5", + "version": "11.3.0.2790.300" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "asm176.labt.ts.example.com" + ], + "ip": [ + "192.168.69.176" + ] + }, + "source": { + "address": "fc55::99", + "port": 20 + } + } + + ``` + + +=== "test_afm_3.json" + + ```json + + { + "message": "CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 8, + "type": [ + "info" + ] + }, + "@timestamp": "2012-10-12T13:29:24Z", + "action": { + "name": 
"Drop", + "target": "network-traffic" + }, + "destination": { + "address": "10.3.1.202", + "ip": "10.3.1.202", + "port": 53 + }, + "dns": { + "question": { + "class": "SRV", + "name": "_ldap._tcp.dc._msdcs.siterequest.com", + "registered_domain": "siterequest.com", + "subdomain": "_ldap._tcp.dc._msdcs", + "top_level_domain": "com" + } + }, + "f5": { + "bigip": { + "afm": { + "attack_type": "query opcode", + "virtual_name": "/Common/DNS-3-udp-vs", + "vlan": "/Common/external" + } + } + }, + "observer": { + "hostname": "bigip-3.pme-ds.f5.com", + "ip": "192.68.73.33", + "product": "Advanced Firewall Module", + "vendor": "F5", + "version": "11.3.0.2206.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "_ldap._tcp.dc._msdcs.siterequest.com", + "bigip-3.pme-ds.f5.com" + ], + "ip": [ + "10.3.1.104", + "10.3.1.202", + "192.68.73.33" + ] + }, + "source": { + "address": "10.3.1.104", + "ip": "10.3.1.104", + "port": 54629 + } + } + + ``` + + +=== "test_alert.json" + + ```json + + { + "message": "tmm3[20358]: 01260009:4: 84.14.195.210:53586 -> 10.100.0.5:443: Connection error: ssl_codec_rx:2314: alert(46) received alert", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "ssl_codec_rx:2314: alert(46) received alert", + "type": "alert" + }, + "action": { + "name": "Connection", + "outcome": "error", + "target": "network-traffic", + "type": "tmm3" + }, + "destination": { + "address": "10.100.0.5", + "ip": "10.100.0.5", + "port": 443 + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.100.0.5", + "84.14.195.210" + ] + }, + "source": { + "address": "84.14.195.210", + "ip": "84.14.195.210", + "port": 53586 + } + } + + ``` + + +=== "test_apm_auth_1.json" + + ```json + + { + "message": "/Common/SAML_OCTIME:Common:76220fff: Username 'johndoe'", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "target": 
"network-traffic" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "user": [ + "johndoe" + ] + }, + "user": { + "name": "johndoe" + } + } + + ``` + + +=== "test_apm_auth_2.json" + + ```json + + { + "message": "/Common/SAML_OCTIME:Common:76220fff: AD agent: Auth (logon attempt:0): authenticate with 'johndoe' successful", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "user": [ + "johndoe" + ] + }, + "user": { + "name": "johndoe" + } + } + + ``` + + +=== "test_apm_auth_3.json" + + ```json + + { + "message": "/Common/SAML_OCTIME:Common:76220fff: AD module: authenticate with 'johndoe@EXAMPLE.ORG' successfully", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "user": [ + "johndoe" + ] + }, + "user": { + "domain": "EXAMPLE.ORG", + "name": "johndoe" + } + } + + ``` + + +=== "test_cron.json" + + ```json + + { + "message": "CROND[1786]: (root) CMD (/usr/bin/diskmonitor)", + "event": { + "category": [ + "process" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "action": { + "name": "CMD" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "process": { + "command_line": "/usr/bin/diskmonitor" + }, + "related": { + "user": [ + "root" + ] + }, + "user": { + "name": "root" + } + } + + ``` + + +=== "test_logger.json" + + ```json + + { + "message": " logger[20978]: [ssl_acc] 51.178.64.112 - - [01/Mar/2021:15:01:50 +0100] \"/ui/vropspluginui/rest/services/uploadova\" 404 238", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "type": "logger" + }, + "http": { + "response": { + "status_code": 404 + } + }, + "os": { + 
"family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "51.178.64.112" + ] + }, + "source": { + "address": "51.178.64.112", + "ip": "51.178.64.112" + }, + "url": { + "original": "/ui/vropspluginui/rest/services/uploadova", + "path": "/ui/vropspluginui/rest/services/uploadova" + } + } + + ``` + + +=== "test_psm_1.json" + + ```json + + { + "message": "PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A", + "event": { + "category": [ + "network" + ], + "kind": "alert", + "reason": "port/sendport 10,3,0,33,7,223", + "severity": 5, + "type": [ + "info" + ] + }, + "action": { + "name": "alerted", + "target": "network-traffic" + }, + "destination": { + "address": "10.3.1.204", + "ip": "10.3.1.204", + "port": 21 + }, + "network": { + "application": "FTP" + }, + "observer": { + "hostname": "bigip-3.pme-ds.f5.com", + "ip": "192.168.73.33", + "product": "PSM", + "vendor": "F5", + "version": "11.3.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-3.pme-ds.f5.com" + ], + "ip": [ + "10.3.1.104", + "10.3.1.204", + "192.168.73.33" + ] + }, + "rule": { + "ruleset": "ftp_security" + }, + "source": { + "address": "10.3.1.104", + "ip": "10.3.1.104", + "port": 1394 + } + } + + ``` + + +=== "test_psm_2.json" + + ```json + + { + "message": "CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= 
c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A", + "event": { + "category": [ + "network" + ], + "kind": "alert", + "reason": "nlist/mls", + "severity": 5, + "type": [ + "info" + ] + }, + "action": { + "name": "alerted", + "target": "network-traffic" + }, + "destination": { + "address": "10.3.1.204", + "ip": "10.3.1.204", + "port": 21 + }, + "network": { + "application": "FTP" + }, + "observer": { + "hostname": "bigip-3.pme-ds.f5.com", + "ip": "192.168.73.33", + "product": "PSM", + "vendor": "F5", + "version": "11.3.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-3.pme-ds.f5.com" + ], + "ip": [ + "10.3.1.104", + "10.3.1.204", + "192.168.73.33" + ] + }, + "rule": { + "ruleset": "ftp_security" + }, + "source": { + "address": "10.3.1.104", + "ip": "10.3.1.104", + "port": 1394 + } + } + + ``` + + +=== "test_request.json" + + ```json + + { + "message": "ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 2, + "type": [ + "info" + ] 
+ }, + "@timestamp": "2012-09-19T13:35:00Z", + "action": { + "name": "passed", + "target": "network-traffic" + }, + "destination": { + "address": "10.4.1.200", + "ip": "10.4.1.200", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "observer": { + "hostname": "bigip-4.pme-ds.f5.com", + "ip": "172.16.73.34", + "product": "ASM", + "vendor": "F5", + "version": "11.3.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-4.pme-ds.f5.com" + ], + "ip": [ + "10.4.1.101", + "10.4.1.200", + "172.16.73.34" + ] + }, + "rule": { + "ruleset": "topaz4-web4" + }, + "source": { + "address": "10.4.1.101", + "ip": "10.4.1.101", + "port": 52963 + }, + "url": { + "original": "/", + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Wget", + "original": "Wget/1.12 (linux-gnu)", + "os": { + "name": "Linux" + }, + "version": "1.12" + } + } + + ``` + + +=== "test_rule.json" + + ```json + + { + "message": " Rule /Common/ReverseProxy_irule : virtual=/Common/VS_ReverseProxy_https client_ip=84.14.195.210 client_port=65081 lb_server=10.100.8.4:80 host=connectin.acme.net username= /api/datasources/proxy/94/query request=\"POST /api/datasources/proxy/94/query HTTP/1.1\" server_status=200 content_type=application/json; charset=utf-8 content_length=725 resp_time=47 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36]\" referer=https://connectin.acme.net/d/ryXCsaKZk/distillation-column-operation?orgId=84", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "destination": { + "address": "connectin.acme.net", + "domain": "connectin.acme.net", + "ip": "10.100.8.4", + "port": 80, + "registered_domain": "acme.net", + "subdomain": "connectin", + "top_level_domain": "net" + }, + "http": { + "request": { + "method": "POST", + "referrer": 
"https://connectin.acme.net/d/ryXCsaKZk/distillation-column-operation?" + }, + "response": { + "bytes": 725, + "mime_type": "application/json", + "status_code": 200 + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "connectin.acme.net" + ], + "ip": [ + "10.100.8.4", + "84.14.195.210" + ] + }, + "rule": { + "name": "/Common/ReverseProxy_irule" + }, + "source": { + "address": "84.14.195.210", + "ip": "84.14.195.210", + "port": 65081 + }, + "url": { + "original": "/api/datasources/proxy/94/query", + "path": "/api/datasources/proxy/94/query" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36]\"", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "77.0.3865" + } + } + + ``` + + +=== "test_rule2.json" + + ```json + + { + "message": "tmm[20358]: Rule /Common/Log_local : 84.14.195.210:57590: HTTP: 200 response to from 10.100.8.12:443 URL: nifi.acme.local/nifi-api/flow/status in TLSv1.3", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic", + "type": "tmm" + }, + "destination": { + "address": "84.14.195.210", + "ip": "84.14.195.210", + "port": 57590 + }, + "http": { + "response": { + "status_code": 200 + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.100.8.12", + "84.14.195.210" + ] + }, + "rule": { + "name": "/Common/Log_local" + }, + "source": { + "address": "10.100.8.12", + "ip": "10.100.8.12", + "port": 443 + }, + "tls": { + "version": "1.3", + "version_protocol": "tlsv" + }, + "url": { + "original": "nifi.acme.local/nifi-api/flow/status", + "path": "nifi.acme.local/nifi-api/flow/status" + } + } + + ``` + + +=== "test_rule3.json" + + ```json + + { + "message": "tmm3[20358]: Rule /Common/Log_local : 
84.14.195.210:49165: HTTP: 200 response to from 10.100.8.9:443 URL: connectin-new.acme.net/api/datasources/proxy/167/query in TLSv1.3", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic", + "type": "tmm3" + }, + "destination": { + "address": "84.14.195.210", + "ip": "84.14.195.210", + "port": 49165 + }, + "http": { + "response": { + "status_code": 200 + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.100.8.9", + "84.14.195.210" + ] + }, + "rule": { + "name": "/Common/Log_local" + }, + "source": { + "address": "10.100.8.9", + "ip": "10.100.8.9", + "port": 443 + }, + "tls": { + "version": "1.3", + "version_protocol": "tlsv" + }, + "url": { + "original": "connectin-new.acme.net/api/datasources/proxy/167/query", + "path": "connectin-new.acme.net/api/datasources/proxy/167/query" + } + } + + ``` + + +=== "test_ssl.json" + + ```json + + { + "message": "tmm1[20358]: 01260013:4: SSL Handshake failed for TCP 84.14.195.210:57424 -> 10.100.0.5:443", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "SSL Handshake", + "outcome": "failed", + "target": "network-traffic", + "type": "tmm1" + }, + "destination": { + "address": "10.100.0.5", + "ip": "10.100.0.5", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.100.0.5", + "84.14.195.210" + ] + }, + "source": { + "address": "84.14.195.210", + "ip": "84.14.195.210", + "port": 57424 + } + } + + ``` + + +=== "test_successful_request.json" + + ```json + + { + "message": "CEF:0|F5|ASM|15.1.2|Successful Request|Successful Request|2|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=/Common/Sekoia cs1Label=policy_name cs2=/Common/Sekoia cs2Label=http_class_name deviceCustomDate1=Mar 12 2021 09:26:13 deviceCustomDate1Label=policy_apply_date 
externalId=16834939746278187265 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=50631 dst=10.4.1.200 dpt=443 requestMethod=GET app=HTTPS cs5=N/A cs5Label=x_forwarded_for_header_value rt=Mar 15 2021 15:21:22 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=FR cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/chronograf/v1/me cs3Label=full_request cs3=GET /chronograf/v1/me HTTP/1.1\\r\\nHost: chronograf.example.org\\r\\nConnection: keep-alive\\r\\nsec-ch-ua: \"Google Chrome\";v\\=\"89\", \"Chromium\";v\\=\"89\", \";Not A Brand\";v\\=\"99\"\\r\\nAccept: application/json, text/plain, */*\\r\\nsec-ch-ua-mobile: ?0\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36\\r\\nContent-Type: application/json;charset\\=utf-8\\r\\nSec-Fetch-Site: same-origin\\r\\nSec-Fetch-Mode: cors\\r\\nSec-Fetch-Dest: empty\\r\\nReferer: https://chronograf.example.org/sources/1/chronograf/data-explorer?query\\=SELECT%20mean%28%22db28482.AP001_10%25%22%29%20AS%20%22mean_db28482.AP001_10%25%22%2C%20mean%28%22MNPZ_FCC_Feed_D86_T10Pct%22%29%20AS%20%22mean_MNPZ_FCC_Feed_D86_T10Pct%22%20FROM%20%22db1000000%22.%22autogen%22.%22centralized_data%22%20WHERE%20time%20%3E%20%3AdashboardTime%3A%20AND%20time%20%3C%20%3AupperDashboardTime%3A%20GROUP%20BY%20time%28%3Ainterval%3A%29%20FILL%28null%29\\r\\nAccept-Encoding: gzip, deflate, br\\r\\nAccept-Language: en-US,en;q\\=0.9,fr-FR;q\\=0.8,fr;q\\=0.7\\r\\nCookie: session\\=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MTU4MTgzNzIsImlhdCI6MTYxNTgxMzA5NSwiaXNzIjoiQXp1cmVBRCIsIm5iZiI6MTYxNTgxMzA5NSwic3ViIjoiSmVhbi1NYXJpZS5NT0NISVpVS0lAYXhlbnMubmV0IiwiZ3JwIjoiYXhlbnMubmV0In0.cFIuUmFugrkyJS-lzHvVubTWC_JeX3V-5Cp1mDoV1YY; 
TS015d2224\\=0150d78bb10efbed9cc301936874d51988028cd800d698492d10bd681f4587cf95716a2bd0a8dd719e11100d62125432edcc596afdd96dee678a804386c5c71099b1945831\\r\\n\\r\\n#015", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 2, + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-15T15:21:22Z", + "action": { + "name": "passed", + "target": "network-traffic" + }, + "destination": { + "address": "10.4.1.200", + "ip": "10.4.1.200", + "port": 443 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "observer": { + "hostname": "bigip-4.pme-ds.f5.com", + "ip": "172.16.73.34", + "product": "ASM", + "vendor": "F5", + "version": "15.1.2" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-4.pme-ds.f5.com" + ], + "ip": [ + "10.4.1.101", + "10.4.1.200", + "172.16.73.34" + ] + }, + "rule": { + "ruleset": "/Common/Sekoia" + }, + "source": { + "address": "10.4.1.101", + "ip": "10.4.1.101", + "port": 50631 + }, + "url": { + "original": "/chronograf/v1/me", + "path": "/chronograf/v1/me" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "89.0.4389" + } + } + + ``` + + +=== "test_wget.json" + + ```json + + { + "message": "ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access \"wget\"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 
cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 5, + "type": [ + "info" + ] + }, + "@timestamp": "2012-09-19T13:53:33Z", + "action": { + "name": "blocked", + "target": "network-traffic" + }, + "destination": { + "address": "10.4.1.200", + "ip": "10.4.1.200", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 0 + } + }, + "observer": { + "hostname": "bigip-4.pme-ds.f5.com", + "ip": "172.16.73.34", + "product": "ASM", + "vendor": "F5", + "version": "11.3.0" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "bigip-4.pme-ds.f5.com" + ], + "ip": [ + "10.4.1.101", + "10.4.1.200", + "172.16.73.34" + ] + }, + "rule": { + "ruleset": "topaz4-web4" + }, + "source": { + "address": "10.4.1.101", + "ip": "10.4.1.101", + "port": 52975 + }, + "url": { + "original": "/", + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Wget", + "original": "Wget/1.12 (linux-gnu)", + "os": { + "name": "Linux" + }, + "version": "1.12" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`action.target` | `keyword` | | +|`destination.address` | `keyword` | Destination network address. 
| +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.question.class` | `keyword` | The class of records being queried. | +|`dns.question.name` | `keyword` | The name being queried. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`f5.bigip.afm.attack_id` | `keyword` | | +|`f5.bigip.afm.attack_status` | `keyword` | | +|`f5.bigip.afm.attack_type` | `keyword` | | +|`f5.bigip.afm.drop_reason` | `keyword` | | +|`f5.bigip.afm.route_domain` | `keyword` | | +|`f5.bigip.afm.virtual_name` | `keyword` | | +|`f5.bigip.afm.vlan` | `keyword` | | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.referrer` | `keyword` | Referrer for this HTTP request. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.mime_type` | `keyword` | Mime type of the body of the response. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.application` | `keyword` | Application level protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.hostname` | `keyword` | Hostname of the observer. | +|`observer.ip` | `ip` | IP addresses of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`observer.version` | `keyword` | Observer version. 
| +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`rule.name` | `keyword` | Rule name | +|`rule.ruleset` | `keyword` | Rule ruleset | +|`source.address` | `keyword` | Source network address. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`tls.version_protocol` | `keyword` | Normalized lowercase protocol name parsed from original string. | +|`url.full` | `wildcard` | Full unparsed URL. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md index 6cd5759ee4..fb60ada0e6 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md @@ -24,6 +24,14 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `process` | +| Type | `info` | + @@ -201,9 +209,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "level": "information" }, - "process": { - "name": "Kerberos" - }, "related": { "hash": [ "009b8a99fa360981d2f0407a8513d7742fc6a311" 
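Review bot: In the F5 BIG-IP samples hunk (test_rule*.json, test_ssl.json, test_wget.json), test_rule2.json and test_rule3.json put the whole `nifi.acme.local/nifi-api/flow/status` string into both `url.original` and `url.path`, so the host is never split out; `url.path` should carry only `/nifi-api/flow/status`, with the host in `url.domain` (and `related.hosts`), or path-based rules will not match these events. In the same hunk `tls.version_protocol` is `tlsv`, where the table's own description ("Normalized lowercase protocol name") and ECS call for `tls`; in test_rule.json `http.request.referrer` stops at the `?` and loses `orgId=84`, and `user_agent.original` keeps the surrounding quote characters from the raw line; and in test_wget.json `cn1=0` becomes `http.response.status_code: 0`, which is not an HTTP status and should be left unset when the request was blocked. Minor: "infered" in the Extracted Fields intro should be "inferred", and the `action.target` and `f5.bigip.afm.*` rows have empty descriptions.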
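Review bot: In the `@@ -24,6 +24,14 @@` hunk, the new event-types table leaves the `Kind` row's Values cell empty, while every sample on this page sets `"kind": "event"`; fill it in as `event` or drop the row, since an empty backtick pair renders as a blank cell and reads like a generator bug. The `Type` row lists only `info`, but the powershell_event_0400.json and powershell_event_0403.json samples added further down emit `"type": "start"` and `"type": "end"`, so either the table or the parser output is out of sync.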
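Review bot: In the `@@ -201,9 +209,6 @@` hunk, removing `process.name` ("Kerberos") from the normalized event is a breaking change for any detection rule or saved search keyed on `process.name` for this authentication sample; it should land with a changelog entry or a transition period in which both the old and the new location are populated, not as a silent removal.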
@@ -213,6 +218,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "Kerberos" + } + }, "client": { "name": "VM-FOO", "os": { 
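Review bot: `sekoiaio.authentication.process.name` is a custom, non-ECS field, and this hunk adds it only to the sample; it needs a matching row in the page's Extracted Fields table (name, a type such as `keyword`, and a description stating that it holds the authentication package, here Kerberos), otherwise the field is undocumented for anyone writing rules against it.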
@@ -1046,6 +1056,627 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "powershell_event_0400.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-14T07:00:30.8914235Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Engine Lifecycle\", \"category\": \"process\", \"code\": \"400\", \"ingested\": \"2022-06-08T06:07:25.791038Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"PowerShell\", \"sequence\": 13, \"type\": \"start\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Engine state is changed from None to Available. \\\\n\\\\nDetails: \\\\n\\\\tNewEngineState=Available\\\\n\\\\tPreviousEngineState=None\\\\n\\\\n\\\\tSequenceNumber=13\\\\n\\\\n\\\\tHostName=ServerRemoteHost\\\\n\\\\tHostVersion=1.0.0.0\\\\n\\\\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\\\\n\\\\tHostApplication=C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wsmprovhost.exe -Embedding\\\\n\\\\tEngineVersion=5.1.17763.1007\\\\n\\\\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\\\\n\\\\tPipelineId=\\\\n\\\\tCommandName=\\\\n\\\\tCommandType=\\\\n\\\\tScriptName=\\\\n\\\\tCommandPath=\\\\n\\\\tCommandLine=\", \"powershell\": {\"engine\": {\"new_state\": \"Available\", \"previous_state\": \"None\", \"version\": \"5.1.17763.1007\"}, \"process\": {\"executable_version\": \"1.0.0.0\"}, \"runspace_id\": \"405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\"}, \"process\": {\"args\": [\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wsmprovhost.exe\", \"-Embedding\"], \"args_count\": 2, \"command_line\": \"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wsmprovhost.exe -Embedding\", \"entity_id\": \"2458050c-5e21-47a6-bbdf-41ef2151b519\", \"title\": \"ServerRemoteHost\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Windows PowerShell\", \"computer_name\": \"vagrant\", \"event_id\": \"400\", \"keywords\": [\"Classic\"], \"opcode\": \"Info\", \"provider_name\": \"PowerShell\", \"record_id\": \"1492\", 
\"task\": \"Engine Lifecycle\"}}", + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "400", + "hash": "ed1f6c4428118ffe87ee69f4feb01862441a9369", + "kind": "event", + "module": "powershell", + "original": "Engine state is changed from None to Available. \\n\\nDetails: \\n\\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n\\tSequenceNumber=13\\n\\n\\tHostName=ServerRemoteHost\\n\\tHostVersion=1.0.0.0\\n\\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\\n\\tHostApplication=C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding\\n\\tEngineVersion=5.1.17763.1007\\n\\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=", + "provider": "PowerShell", + "type": "start" + }, + "@timestamp": "2020-05-14T07:00:30.891423Z", + "action": { + "id": 400 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" + }, + "process": { + "args": [ + "-Embedding", + "C:\\\\Windows\\\\system32\\\\wsmprovhost.exe" + ], + "args_count": 2, + "command_line": "C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding", + "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", + "title": "ServerRemoteHost" + }, + "related": { + "hash": [ + "ed1f6c4428118ffe87ee69f4feb01862441a9369" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1492", + "task": "Engine Lifecycle" + } + } + + ``` + + +=== "powershell_event_0403.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-06-04T07:20:28.6861939Z\", \"ecs\": {\"version\": 
\"1.12.0\"}, \"event\": {\"action\": \"Engine Lifecycle\", \"category\": \"process\", \"code\": \"403\", \"ingested\": \"2022-06-08T06:07:25.874238900Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"PowerShell\", \"sequence\": 10, \"type\": \"end\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Engine state is changed from Available to Stopped. \\\\n\\\\nDetails: \\\\n\\\\tNewEngineState=Stopped\\\\n\\\\tPreviousEngineState=Available\\\\n\\\\n\\\\tSequenceNumber=10\\\\n\\\\n\\\\tHostName=ConsoleHost\\\\n\\\\tHostVersion=2.0\\\\n\\\\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\\\\n\\\\tEngineVersion=2.0\\\\n\\\\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\\\\n\\\\tPipelineId=\\\\n\\\\tCommandName=\\\\n\\\\tCommandType=\\\\n\\\\tScriptName=\\\\n\\\\tCommandPath=\\\\n\\\\tCommandLine=\", \"powershell\": {\"engine\": {\"new_state\": \"Stopped\", \"previous_state\": \"Available\", \"version\": \"2.0\"}, \"process\": {\"executable_version\": \"2.0\"}, \"runspace_id\": \"6ebeca05-d618-4c66-a0d8-4269d800d099\"}, \"process\": {\"entity_id\": \"7018c049-c75b-4e02-9c0f-6761b97e1657\", \"title\": \"ConsoleHost\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Windows PowerShell\", \"computer_name\": \"vagrant\", \"event_id\": \"403\", \"keywords\": [\"Classic\"], \"opcode\": \"Info\", \"provider_name\": \"PowerShell\", \"record_id\": \"18592\", \"task\": \"Engine Lifecycle\"}}", + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "403", + "hash": "b3749e29369f515b03dac6dfa5344da6e69ec762", + "kind": "event", + "module": "powershell", + "original": "Engine state is changed from Available to Stopped. 
\\n\\nDetails: \\n\\tNewEngineState=Stopped\\n\\tPreviousEngineState=Available\\n\\n\\tSequenceNumber=10\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n\\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\\n\\tEngineVersion=2.0\\n\\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\\n\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=", + "provider": "PowerShell", + "type": "end" + }, + "@timestamp": "2020-06-04T07:20:28.686193Z", + "action": { + "id": 403 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "2.0" + }, + "process": { + "executable_version": "2.0" + }, + "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" + }, + "process": { + "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", + "title": "ConsoleHost" + }, + "related": { + "hash": [ + "b3749e29369f515b03dac6dfa5344da6e69ec762" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "18592", + "task": "Engine Lifecycle" + } + } + + ``` + + +=== "powershell_event_0600.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-13T13:21:43.1831809Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Provider Lifecycle\", \"category\": \"process\", \"code\": \"600\", \"ingested\": \"2022-06-08T06:07:25.978294200Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"PowerShell\", \"sequence\": 35, \"type\": \"info\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Provider \\\"Certificate\\\" is Started. 
\\\\n\\\\nDetails: \\\\n\\\\tProviderName=Certificate\\\\n\\\\tNewProviderState=Started\\\\n\\\\n\\\\tSequenceNumber=35\\\\n\\\\n\\\\tHostName=Windows PowerShell ISE Host\\\\n\\\\tHostVersion=5.1.17763.1007\\\\n\\\\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\\\\n\\\\tHostApplication=C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell_ise.exe C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\\\\\\\\lateral.ps1\\\\n\\\\tEngineVersion=5.1.17763.1007\\\\n\\\\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\\\\n\\\\tPipelineId=15\\\\n\\\\tCommandName=\\\\n\\\\tCommandType=\\\\n\\\\tScriptName=\\\\n\\\\tCommandPath=\\\\n\\\\tCommandLine=\", \"powershell\": {\"engine\": {\"version\": \"5.1.17763.1007\"}, \"pipeline_id\": \"15\", \"process\": {\"executable_version\": \"5.1.17763.1007\"}, \"provider\": {\"name\": \"Certificate\", \"new_state\": \"Started\"}, \"runspace_id\": \"9d21da0b-e402-40e1-92ff-98c5ab1137a9\"}, \"process\": {\"args\": [\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell_ise.exe\", \"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\\\\\\\\lateral.ps1\"], \"args_count\": 2, \"command_line\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell_ise.exe C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\\\\\\\\lateral.ps1\", \"entity_id\": \"86edc16f-6943-469e-8bd8-ef1857080206\", \"title\": \"Windows PowerShell ISE Host\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Windows PowerShell\", \"computer_name\": \"vagrant\", \"event_id\": \"600\", \"keywords\": [\"Classic\"], \"opcode\": \"Info\", \"provider_name\": \"PowerShell\", \"record_id\": \"1089\", \"task\": \"Provider Lifecycle\"}}", + "event": { + "action": "Provider Lifecycle", + "category": "process", + "code": "600", + "hash": "17cdd4ce457b0512b87ebd1bfd21483db0ff2395", + "kind": "event", + "module": "powershell", + "original": "Provider \"Certificate\" is Started. 
\\n\\nDetails: \\n\\tProviderName=Certificate\\n\\tNewProviderState=Started\\n\\n\\tSequenceNumber=35\\n\\n\\tHostName=Windows PowerShell ISE Host\\n\\tHostVersion=5.1.17763.1007\\n\\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1\\n\\tEngineVersion=5.1.17763.1007\\n\\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\\n\\tPipelineId=15\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n\\tCommandPath=\\n\\tCommandLine=", + "provider": "PowerShell", + "type": "info" + }, + "@timestamp": "2020-05-13T13:21:43.183180Z", + "action": { + "id": 600 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1", + "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe" + ], + "args_count": 2, + "command_line": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe C:\\\\Users\\\\vagrant\\\\Desktop\\\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "related": { + "hash": [ + "17cdd4ce457b0512b87ebd1bfd21483db0ff2395" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1089", + "task": "Provider Lifecycle" + } + } + + ``` + + +=== "powershell_event_0800.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-15T08:33:26.393089Z\", \"ecs\": {\"version\": 
\"1.12.0\"}, \"event\": {\"action\": \"Pipeline Execution Details\", \"category\": \"process\", \"code\": \"800\", \"ingested\": \"2022-06-08T06:07:25.991832300Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"PowerShell\", \"sequence\": 141, \"type\": \"info\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"information\"}, \"message\": \"Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\\n. \\n\\nContext Information: \\n\\tDetailSequence=1\\n\\tDetailTotal=1\\n\\n\\tSequenceNumber=141\\n\\n\\tUserId=VAGRANT\\\\vagrant\\n\\tHostName=ConsoleHost\\n\\tHostVersion=5.1.17763.1007\\n\\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\\n\\tHostApplication=C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -noexit -command 'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats'\\n\\tEngineVersion=5.1.17763.1007\\n\\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\\n\\tPipelineId=71\\n\\tScriptName=\\n\\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\\n \\n\\nDetails: \\nCommandInvocation(Import-LocalizedData): \\\"Import-LocalizedData\\\"\\nParameterBinding(Import-LocalizedData): name=\\\"FileName\\\"; value=\\\"ArchiveResources\\\"\\nParameterBinding(Import-LocalizedData): name=\\\"BindingVariable\\\"; value=\\\"LocalizedData\\\"\\nNonTerminatingError(Import-LocalizedData): \\\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats\\\\x-pack\\\\winlogbeat\\\\en-US\\\\', or in any parent culture directories.\\\"\", \"powershell\": {\"command\": {\"invocation_details\": [{\"related_command\": \"Import-LocalizedData\", \"type\": \"CommandInvocation\", \"value\": \"\\\"Import-LocalizedData\\\"\"}, {\"name\": \"\\\"FileName\\\"\", \"related_command\": \"Import-LocalizedData\", \"type\": \"ParameterBinding\", \"value\": \"\\\"ArchiveResources\\\"\"}, {\"name\": 
\"\\\"BindingVariable\\\"\", \"related_command\": \"Import-LocalizedData\", \"type\": \"ParameterBinding\", \"value\": \"\\\"LocalizedData\\\"\"}, {\"related_command\": \"Import-LocalizedData\", \"type\": \"NonTerminatingError\", \"value\": \"\\\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats\\\\x-pack\\\\winlogbeat\\\\en-US\\\\', or in any parent culture directories.\\\"\"}], \"value\": \"Import-LocalizedData LocalizedData -filename ArchiveResources\"}, \"engine\": {\"version\": \"5.1.17763.1007\"}, \"pipeline_id\": \"71\", \"process\": {\"executable_version\": \"5.1.17763.1007\"}, \"runspace_id\": \"a87e8389-57c7-4997-95ff-f82f644965bf\", \"sequence\": 1, \"total\": 1}, \"process\": {\"args\": [\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"-noexit\", \"-command\", \"'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats'\"], \"args_count\": 4, \"command_line\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -noexit -command 'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats'\", \"entity_id\": \"aae5217d-054f-435f-9968-4b5bebf12116\", \"title\": \"ConsoleHost\"}, \"related\": {\"user\": [\"vagrant\"]}, \"user\": {\"domain\": \"VAGRANT\", \"name\": \"vagrant\"}, \"winlog\": {\"api\": \"wineventlog\", \"channel\": \"Windows PowerShell\", \"computer_name\": \"vagrant\", \"event_id\": \"800\", \"keywords\": [\"Classic\"], \"opcode\": \"Info\", \"provider_name\": \"PowerShell\", \"record_id\": \"1846\", \"task\": \"Pipeline Execution Details\"}}", + "event": { + "action": "Pipeline Execution Details", + "category": "process", + "code": "800", + "hash": "850eb4ae19e1386624331eb44dc77448f3bc7e74", + "kind": "event", + "module": "powershell", + "original": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"", + "provider": "PowerShell", + "type": "info" + }, + "@timestamp": "2020-05-15T08:33:26.393089Z", + "action": { + "id": 800 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + "{\"name\": \"\\\"BindingVariable\\\"\", \"related_command\": \"Import-LocalizedData\", \"type\": \"ParameterBinding\", \"value\": \"\\\"LocalizedData\\\"\"}", + "{\"name\": \"\\\"FileName\\\"\", \"related_command\": \"Import-LocalizedData\", \"type\": \"ParameterBinding\", \"value\": \"\\\"ArchiveResources\\\"\"}", + "{\"related_command\": \"Import-LocalizedData\", \"type\": \"CommandInvocation\", \"value\": \"\\\"Import-LocalizedData\\\"\"}", + "{\"related_command\": \"Import-LocalizedData\", \"type\": \"NonTerminatingError\", \"value\": \"\\\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 
'C:\\\\Gopath\\\\src\\\\github.com\\\\elastic\\\\beats\\\\x-pack\\\\winlogbeat\\\\en-US\\\\', or in any parent culture directories.\\\"\"}" + ], + "value": "Import-LocalizedData LocalizedData -filename ArchiveResources" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "-command", + "-noexit", + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "hash": [ + "850eb4ae19e1386624331eb44dc77448f3bc7e74" + ], + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "800", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1846", + "task": "Pipeline Execution Details" + } + } + + ``` + + +=== "powershell_event_4103.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-15T08:11:47.8979495Z\", \"destination\": {\"user\": {\"domain\": \"VAGRANT\", \"name\": \"vagrant\"}}, \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Executing Pipeline\", \"category\": \"process\", \"code\": \"4103\", \"ingested\": \"2022-06-08T06:07:25.896041700Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"Microsoft-Windows-PowerShell\", \"sequence\": 34, \"type\": \"info\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"information\"}, \"message\": \"CommandInvocation(cmd.exe): 
\\\"cmd.exe\\\"\\nCommandInvocation(Out-Null): \\\"Out-Null\\\"\\nParameterBinding(Out-Null): name=\\\"InputObject\\\"; value=\\\"symbolic link created for C:\\\\vagrant <<===>> \\\\\\\\vboxsvr\\\\vagrant\\\"\\n\\n\\nContext:\\n Severity = Informational\\n Host Name = ServerRemoteHost\\n Host Version = 1.0.0.0\\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\\n Host Application = C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding\\n Engine Version = 5.1.17763.1007\\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\\n Pipeline ID = 1\\n Command Name = cmd.exe\\n Command Type = Application\\n Script Name = \\n Command Path = C:\\\\Windows\\\\system32\\\\cmd.exe\\n Sequence Number = 34\\n User = VAGRANT\\\\vagrant\\n Connected User = VAGRANT\\\\vagrant\\n Shell ID = Microsoft.PowerShell\\n\\n\\nUser Data:\", \"powershell\": {\"command\": {\"invocation_details\": [{\"related_command\": \"cmd.exe\", \"type\": \"CommandInvocation\", \"value\": \"\\\"cmd.exe\\\"\"}, {\"related_command\": \"Out-Null\", \"type\": \"CommandInvocation\", \"value\": \"\\\"Out-Null\\\"\"}, {\"name\": \"\\\"InputObject\\\"\", \"related_command\": \"Out-Null\", \"type\": \"ParameterBinding\", \"value\": \"\\\"symbolic link created for C:\\\\vagrant <<===>> \\\\\\\\vboxsvr\\\\vagrant\\\"\"}], \"name\": \"cmd.exe\", \"path\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\", \"type\": \"Application\"}, \"engine\": {\"version\": \"5.1.17763.1007\"}, \"id\": \"Microsoft.PowerShell\", \"pipeline_id\": \"1\", \"process\": {\"executable_version\": \"1.0.0.0\"}, \"runspace_id\": \"0729459a-8646-4176-8b02-024421a9632e\"}, \"process\": {\"args\": [\"C:\\\\Windows\\\\system32\\\\wsmprovhost.exe\", \"-Embedding\"], \"args_count\": 2, \"command_line\": \"C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding\", \"entity_id\": \"ed57761b-ba0f-4d11-87d9-fac33820d20e\", \"title\": \"ServerRemoteHost\"}, \"related\": {\"user\": [\"vagrant\"]}, \"source\": {\"user\": {\"domain\": \"VAGRANT\", \"name\": 
\"vagrant\"}}, \"user\": {\"domain\": \"VAGRANT\", \"id\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\", \"name\": \"vagrant\"}, \"winlog\": {\"activity_id\": \"{1aca0717-2acb-0002-c208-ca1acb2ad601}\", \"api\": \"wineventlog\", \"channel\": \"Microsoft-Windows-PowerShell/Operational\", \"computer_name\": \"vagrant\", \"event_id\": \"4103\", \"opcode\": \"To be used when operation is just executing a method\", \"process\": {\"pid\": 3984, \"thread\": {\"id\": 3616}}, \"provider_guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\", \"provider_name\": \"Microsoft-Windows-PowerShell\", \"record_id\": \"3885\", \"task\": \"Executing Pipeline\", \"user\": {\"identifier\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"version\": 1}}", + "event": { + "action": "Executing Pipeline", + "category": "process", + "code": "4103", + "hash": "4ff7bad19127e6e3f981a2e8e47b96cc8e9d257d", + "kind": "event", + "module": "powershell", + "original": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant <<===>> \\\\vboxsvr\\vagrant\"\n\n\nContext:\n Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "provider": "Microsoft-Windows-PowerShell", + "type": "info" + }, + "@timestamp": "2020-05-15T08:11:47.897949Z", + "action": { + "id": 4103 + }, + "destination": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, + "host": { + "name": 
"vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "command": { + "invocation_details": [ + "{\"name\": \"\\\"InputObject\\\"\", \"related_command\": \"Out-Null\", \"type\": \"ParameterBinding\", \"value\": \"\\\"symbolic link created for C:\\\\vagrant <<===>> \\\\\\\\vboxsvr\\\\vagrant\\\"\"}", + "{\"related_command\": \"Out-Null\", \"type\": \"CommandInvocation\", \"value\": \"\\\"Out-Null\\\"\"}", + "{\"related_command\": \"cmd.exe\", \"type\": \"CommandInvocation\", \"value\": \"\\\"cmd.exe\\\"\"}" + ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", + "type": "Application" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" + }, + "process": { + "args": [ + "-Embedding", + "C:\\Windows\\system32\\wsmprovhost.exe" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" + }, + "related": { + "hash": [ + "4ff7bad19127e6e3f981a2e8e47b96cc8e9d257d" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4103", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 3984, + "thread": { + "id": 3616 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3885", + "task": "Executing Pipeline", + "user": { + "identifier": 
"S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } + + ``` + + +=== "powershell_event_4104.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-14T11:33:51.3938848Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Execute a Remote Command\", \"category\": \"process\", \"code\": \"4104\", \"ingested\": \"2022-06-08T06:07:25.944391600Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"Microsoft-Windows-PowerShell\", \"type\": \"info\"}, \"file\": {\"directory\": \"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\", \"extension\": \"ps1\", \"name\": \"patata.ps1\", \"path\": \"C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\\\\\\\\patata.ps1\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"verbose\"}, \"message\": \"Creating Scriptblock text (1 of 1):\\\\n\\\\n\\\\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\\\\nPath: C:\\\\\\\\Users\\\\\\\\vagrant\\\\\\\\Desktop\\\\\\\\patata.ps1\", \"powershell\": {\"file\": {\"script_block_id\": \"f5521cbd-656e-4296-b74d-9ffb4eec23b0\"}, \"sequence\": 1, \"total\": 1}, \"user\": {\"id\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"winlog\": {\"activity_id\": \"{fb13c9de-29f7-0000-79db-13fbf729d601}\", \"api\": \"wineventlog\", \"channel\": \"Microsoft-Windows-PowerShell/Operational\", \"computer_name\": \"vagrant\", \"event_id\": \"4104\", \"opcode\": \"On create calls\", \"process\": {\"pid\": 4844, \"thread\": {\"id\": 4428}}, \"provider_guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\", \"provider_name\": \"Microsoft-Windows-PowerShell\", \"record_id\": \"3582\", \"task\": \"Execute a Remote Command\", \"user\": {\"identifier\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"version\": 1}}", + "event": { + "action": "Execute a Remote Command", + "category": "process", + "code": "4104", + "hash": "ec676c4966f0ac9fc7418a59258eaa46d4f4eb3c", + "kind": "event", + "module": "powershell", + "original": "Creating Scriptblock 
text (1 of 1):\\n\\n\\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\\nPath: C:\\\\Users\\\\vagrant\\\\Desktop\\\\patata.ps1", + "provider": "Microsoft-Windows-PowerShell", + "type": "info" + }, + "@timestamp": "2020-05-14T11:33:51.393884Z", + "action": { + "id": 4104 + }, + "file": { + "directory": "C:\\\\Users\\\\vagrant\\\\Desktop", + "extension": "ps1", + "name": "patata.ps1", + "path": "C:\\\\Users\\\\vagrant\\\\Desktop\\\\patata.ps1" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f5521cbd-656e-4296-b74d-9ffb4eec23b0" + }, + "sequence": 1, + "total": 1 + }, + "related": { + "hash": [ + "ec676c4966f0ac9fc7418a59258eaa46d4f4eb3c" + ] + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "opcode": "On create calls", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3582", + "task": "Execute a Remote Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } + + ``` + + +=== "powershell_event_4105.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-13T09:04:04.7552325Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Starting Command\", \"category\": \"process\", \"code\": \"4105\", \"ingested\": \"2022-06-08T06:07:25.962029500Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"Microsoft-Windows-PowerShell\", \"type\": \"start\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"verbose\"}, \"message\": \"Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\\\\nRunspace ID: 
9c031e5c-8d5a-4b91-a12e-b3624970b623\", \"powershell\": {\"file\": {\"script_block_id\": \"f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\"}, \"runspace_id\": \"9c031e5c-8d5a-4b91-a12e-b3624970b623\"}, \"user\": {\"id\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"winlog\": {\"activity_id\": \"{dd68516a-2930-0000-5962-68dd3029d601}\", \"api\": \"wineventlog\", \"channel\": \"Microsoft-Windows-PowerShell/Operational\", \"computer_name\": \"vagrant\", \"event_id\": \"4105\", \"opcode\": \"On create calls\", \"process\": {\"pid\": 4204, \"thread\": {\"id\": 1476}}, \"provider_guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\", \"provider_name\": \"Microsoft-Windows-PowerShell\", \"record_id\": \"790\", \"task\": \"Starting Command\", \"user\": {\"identifier\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"version\": 1}}", + "event": { + "action": "Starting Command", + "category": "process", + "code": "4105", + "hash": "d638e00e1ffcc58278333d9331db89eeda8d8868", + "kind": "event", + "module": "powershell", + "original": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "@timestamp": "2020-05-13T09:04:04.755232Z", + "action": { + "id": 4105 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "related": { + "hash": [ + "d638e00e1ffcc58278333d9331db89eeda8d8868" + ] + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "opcode": "On create calls", + "process": { + "pid": 4204, + "thread": { + "id": 1476 
+ } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "task": "Starting Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } + + ``` + + +=== "powershell_event_4106.json" + + ```json + + { + "message": "{\"@timestamp\": \"2020-05-13T10:40:32.5957152Z\", \"ecs\": {\"version\": \"1.12.0\"}, \"event\": {\"action\": \"Stopping Command\", \"category\": \"process\", \"code\": \"4106\", \"ingested\": \"2022-06-08T06:07:25.970830900Z\", \"kind\": \"event\", \"module\": \"powershell\", \"provider\": \"Microsoft-Windows-PowerShell\", \"type\": \"end\"}, \"host\": {\"name\": \"vagrant\"}, \"log\": {\"level\": \"verbose\"}, \"message\": \"Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\\\\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332\", \"powershell\": {\"file\": {\"script_block_id\": \"4c487c13-46f7-4485-925b-34855c7e873c\"}, \"runspace_id\": \"3f1a9181-0523-4645-a42c-2c1868c39332\"}, \"user\": {\"id\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"winlog\": {\"activity_id\": \"{e3200b8a-290e-0002-332a-20e30e29d601}\", \"api\": \"wineventlog\", \"channel\": \"Microsoft-Windows-PowerShell/Operational\", \"computer_name\": \"vagrant\", \"event_id\": \"4106\", \"opcode\": \"On create calls\", \"process\": {\"pid\": 4776, \"thread\": {\"id\": 5092}}, \"provider_guid\": \"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\", \"provider_name\": \"Microsoft-Windows-PowerShell\", \"record_id\": \"933\", \"task\": \"Stopping Command\", \"user\": {\"identifier\": \"S-1-5-21-1350058589-2282154016-2764056528-1000\"}, \"version\": 1}}", + "event": { + "action": "Stopping Command", + "category": "process", + "code": "4106", + "hash": "538da37d31054f0ab63f49cb5d6d90b5f6cd049e", + "kind": "event", + "module": "powershell", + "original": "Completed invocation of ScriptBlock ID: 
4c487c13-46f7-4485-925b-34855c7e873c\\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "@timestamp": "2020-05-13T10:40:32.595715Z", + "action": { + "id": 4106 + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" + }, + "related": { + "hash": [ + "538da37d31054f0ab63f49cb5d6d90b5f6cd049e" + ] + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4106", + "opcode": "On create calls", + "process": { + "pid": 4776, + "thread": { + "id": 5092 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "933", + "task": "Stopping Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } + + ``` + + === "security_event_1100.json" ```json @@ -3768,6 +4399,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.original` | `keyword` | Raw text message of entire event. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.sequence` | `long` | Sequence number of the event. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.code_signature.status` | `keyword` | Additional information about the certificate status. | |`file.code_signature.subject_name` | `keyword` | Subject name of the code signer | 
@@ -3794,11 +4426,31 @@ The following table lists the fields that are extracted, normalized under the EC |`group.domain` | `keyword` | Name of the directory the group is a member of. | |`group.id` | `keyword` | Unique identifier for the group on the system/platform. | |`group.name` | `keyword` | Name of the group. | +|`log.level` | `keyword` | Log level of the log event. | |`network.direction` | `keyword` | Direction of the network traffic. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | +|`powershell.command.invocation_details` | `keyword` | An array of objects containing detailed information of the executed command | +|`powershell.command.name` | `keyword` | Name of the executed command | +|`powershell.command.path` | `keyword` | Path of the executed command | +|`powershell.command.type` | `keyword` | Type of the executed command | +|`powershell.command.value` | `keyword` | The invoked command | +|`powershell.engine.new_state` | `keyword` | New state of the PowerShell engine | +|`powershell.engine.previous_state` | `keyword` | Previous state of the PowerShell engine | +|`powershell.engine.version` | `keyword` | Version of the PowerShell engine used to execute the command | +|`powershell.file.script_block_id` | `keyword` | Id of the executed script block | +|`powershell.file.script_block_text` | `keyword` | Text of the executed script block | +|`powershell.id` | `keyword` | Shell id | +|`powershell.pipeline_id` | `keyword` | Pipeline id | +|`powershell.process.executable_version` | `keyword` | Version of the engine hosting process executable | +|`powershell.provider.name` | `keyword` | Provider name | +|`powershell.provider.new_state` | `keyword` | New State of the PowerShell provider | +|`powershell.runspace_id` | `keyword` | Runspace id | 
+|`powershell.sequence` | `long` | Sequence number of the powershell execution | +|`powershell.total` | `long` | Total number of messages in the sequence | |`process.args` | `keyword` | Array of process arguments. | +|`process.args_count` | `long` | Length of the process.args array. | |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.entity_id` | `keyword` | Unique identifier for the process. | |`process.executable` | `keyword` | Absolute path to the process executable. | @@ -3823,6 +4475,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.pe.product` | `keyword` | Internal product name of the file, provided at compile-time. | |`process.pid` | `long` | Process id. | |`process.thread.id` | `long` | Thread ID. | +|`process.title` | `keyword` | Process title. | |`process.working_directory` | `keyword` | The working directory of the process. | |`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | |`registry.hive` | `keyword` | Abbreviated name for the hive. | @@ -3834,6 +4487,8 @@ The following table lists the fields that are extracted, normalized under the EC |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`source.user.domain` | `keyword` | Name of the directory the user is a member of. | +|`source.user.name` | `keyword` | Short name or login of the user. | |`sysmon.dns.status` | `keyword` | Windows status code returned for the DNS query | |`sysmon.file.archived` | `boolean` | Indicates if the deleted file was archived | |`sysmon.file.is_executable` | `boolean` | Indicates if the deleted file was an executable | 
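Review bot: in the event-samples hunk, `process.args` is emitted in sorted order rather than command-line order, which loses the argument sequence analysts rely on: the powershell_event_4103 sample turns the input `["C:\\Windows\\system32\\wsmprovhost.exe", "-Embedding"]` into `["-Embedding", "C:\\Windows\\system32\\wsmprovhost.exe"]`, and the preceding sample lists `'C:\\Gopath\\src\\github.com\\elastic\\beats'` before `-command` and `-noexit` while its `command_line` reads `powershell.exe -noexit -command '...'`. The same sample also reverses `powershell.command.invocation_details` (the input order is cmd.exe, Out-Null, ParameterBinding; the output starts with ParameterBinding) and stores each element as a JSON-encoded string instead of an object. A further consistency point: these samples keep `event.category` and `event.type` as plain strings (`"process"`, `"info"`), whereas the other integrations in this change emit them as arrays; pick one shape.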
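Review bot: the `@@ -3768` hunk adds `event.sequence` to the field table, but the powershell_event_4103 sample, whose input carries `"sequence": 34` under `event`, shows no `event.sequence` in its normalized output (only `powershell.sequence` appears, in the earlier 800 sample). Either the parser drops the value or the fixture predates the mapping; please regenerate the sample or drop the row so the table matches what the parser produces.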
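Review bot: in the `@@ -3794` hunk, `powershell.command.invocation_details` is described as "An array of objects containing detailed information of the executed command" but is typed `keyword`, and the 4103 sample shows each entry serialized as a JSON string; say that the elements are JSON-encoded strings, or map them as a nested object if that is the intent. `powershell.file.script_block_text` is added in the same hunk yet none of the new samples populates it (the 4104 fixture's script block text is empty), so a sample that exercises the field would help. Minor: the descriptions are inconsistent about trailing periods (`Shell id`, `Pipeline id`, `Runspace id` versus the surrounding rows).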
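Review bot: in the `@@ -3823` hunk, the description for `process.title` ("Process title.") does not tell the reader what the parser actually puts there: the samples populate it with the PowerShell host application name taken from `Host Name` (`ConsoleHost`, `ServerRemoteHost`), not a window title. Suggest "Name of the PowerShell host application (e.g. ConsoleHost)" so detection authors do not search it for executable titles.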
diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md index a8424cb48a..311f8f7d39 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md 
@@ -13,7 +13,831 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `email` | +| Type | `info` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "anvil.json" + + ```json + + { + "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "cleanup.json" + + ```json + + { + "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[52.100.135.105]; from=<> to= proto=ESMTP helo=", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "to": { + "address": [ + "john.doe@exemple.com" + ] + } + }, + "file": { + "created": "2019-09-12T12:39:01Z", + "ctime": "2019-09-12T12:40:01Z", + "name": "image003.jpg", + "size": 26055 + }, + "network": { + "protocol": "ESMTP" + }, + "related": { + "hosts": [ + "mail.outbound.protection.outlook.com" + ] + }, + "source": { + "address": "52.100.135.105", + "domain": "mail.outbound.protection.outlook.com" + } + } + + ``` + + +=== "connect.json" + + ```json + + { + "message": "disconnect from unknown[170.20.104.2] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": 
"smtp" + }, + "related": { + "ip": [ + "170.20.104.2" + ] + }, + "source": { + "address": "170.20.104.2", + "ip": "170.20.104.2" + } + } + + ``` + + +=== "connection_limited.json" + + ```json + + { + "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "52.97.201.210", + "domain": "smtp.office365.com", + "ip": "52.97.201.210" + }, + "related": { + "hosts": [ + "P212321.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "52.97.201.210" + ] + }, + "source": { + "address": "P212321.PROD.OUTLOOK.COM", + "domain": "P212321.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "P212321.PROD", + "top_level_domain": "COM" + } + } + + ``` + + +=== "dns.json" + + ```json + + { + "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "destination": { + "address": "ns1.example.org", + "domain": "ns1.example.org", + "registered_domain": "example.org", + "subdomain": "ns1", + "top_level_domain": "org" + }, + "related": { + "hosts": [ + "ns1.example.org" + ] + } + } + + ``` + + +=== "filename3.json" + + ```json + + { + "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? 
from local; from= to=", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "photo@mordor.com" + ] + }, + "to": { + "address": [ + "Pipin.touque@lacomte.net" + ] + } + }, + "file": { + "name": "?iso-8859-2?q?representative_on_migration.pdf?=", + "size": 259210 + } + } + + ``` + + +=== "nospam.json" + + ```json + + { + "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "destination": { + "address": "1.2.3.4", + "domain": "example.org", + "ip": "1.2.3.4", + "port": 25 + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "pass.json" + + ```json + + { + "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=193.0.178.186, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "triplet found", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "mechant@mordor.com" + ] + }, + "to": { + "address": [ + "Pipin.touque@lacomte.net" + ] + } + }, + "related": { + "hosts": [ + "mordor.com" + ], + "ip": [ + "193.0.178.186" + ] + }, + "source": { + "address": "193.0.178.186", + "domain": "mordor.com", + "ip": "193.0.178.186" + } + } + + ``` + + +=== "pass2.json" + + ```json + + { + "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client AAA", + "target": 
"network-traffic" + }, + "email": { + "from": { + "address": [ + "Coyotte@acme.com" + ] + }, + "to": { + "address": [ + "BIPBIP.NEWMAN@acme.com" + ] + } + }, + "related": { + "hosts": [ + "example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "example.com", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "pass4.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "prvs=30447fe13=no-reply@example.com" + ] + } + }, + "related": { + "hosts": [ + "mx.example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "mx.example.com", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "pass5.json" + + ```json + + { + "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "doe@newsletter.example.org" + ] + } + }, + "related": { + "hosts": [ + "mta-11-22-33-44.example.or" + ], + "ip": [ + "11.22.33.44" + ] + }, + "source": { + "address": "11.22.33.44", + "domain": "mta-11-22-33-44.example.or", + "ip": "11.22.33.44" + } + } + + ``` + + +=== "qmgr.json" + + ```json + + { + "message": "89BE920002: from=, size=152518, nrcpt=1 (queue active)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "test1@acme.com" + ] + } + } + } + 
+ ``` + + +=== "relay.json" + + ```json + + { + "message": "56E28C0007: to=, relay=174.133.212.30[174.133.212.30]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "174.133.212.30", + "domain": "174.133.212.30", + "ip": "174.133.212.30", + "port": 10025 + }, + "email": { + "to": { + "address": [ + "rob@exemple.com" + ] + } + }, + "related": { + "hosts": [ + "174.133.212.30" + ], + "ip": [ + "174.133.212.30" + ] + } + } + + ``` + + +=== "replace_header.json" + + ```json + + { + "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: 
From: [noreply@example.org](mailto:noreply@example.org)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "hola@example.org" + ] + } + } + } + + ``` + + +=== "sasl_login.json" + + ```json + + { + "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure", + "event": { + "category": [ + "email" + ], + "kind": "event", + "reason": "SASL LOGIN authentication failed: authentication failure", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "11.22.33.44" + ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" + } + } + + ``` + + +=== "smtp_connection.json" + + ```json + + { + "message": "lost connection after AUTH from unknown[185.234.219.5]", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "lost connection", + "outcome": "success", + "target": "network-traffic", + "type": "AUTH" + }, + "related": { + "ip": [ + "185.234.219.5" + ] + }, + "source": { + "address": "185.234.219.5", + "ip": "185.234.219.5" + } + } + + ``` + + +=== "smtp_relay.json" + + ```json + + { + "message": "96887C0006: to=, relay=exemple.com[174.133.212.29]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[174.133.212.29] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition", + "target": "network-traffic" + }, + "destination": { + "address": "174.133.212.29", + "domain": "exemple.com", + "ip": "174.133.212.29", + "port": 25 + }, + "email": { + "to": { + "address": [ + "rob@exemple.com" + ] + } + }, + "related": { + "hosts": [ + "exemple.com" + ], + "ip": [ + "174.133.212.29" + ] + } 
+ } + + ``` + + +=== "smtpd_tls.json" + + ```json + + { + "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[40.107.6.96]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "related": { + "hosts": [ + "mail.outbound.protection.outlook.com" + ], + "ip": [ + "40.107.6.96" + ] + }, + "source": { + "address": "40.107.6.96", + "domain": "mail.outbound.protection.outlook.com", + "ip": "40.107.6.96" + } + } + + ``` + + +=== "spamd.json" + + ```json + + { + "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "message_id": "<11111111111111@uexample.org>" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 44944 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "spamd_2.json" + + ```json + + { + "message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5", + "event": { + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "destination": { + "port": 783 + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "ip": "127.0.0.1", + "port": 53684, + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized 
under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.target` | `keyword` | | +|`destination.address` | `keyword` | Destination network address. | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`email.from.address` | `keyword` | The sender's email address. | +|`email.message_id` | `wildcard` | Value from the Message-ID header. | +|`email.to.address` | `keyword` | Email address of recipient | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.created` | `date` | File creation time. | +|`file.ctime` | `date` | Last time the file attributes or metadata changed. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.size` | `long` | File size in bytes. | +|`network.protocol` | `keyword` | Application protocol name. | +|`source.address` | `keyword` | Source network address. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`user.name` | `keyword` | Short name or login of the user. | +
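Review bot: the rendered `message` strings in this hunk have lost the angle-bracketed addresses, so the samples no longer explain their own normalized output: cleanup.json shows `from=<> to= proto=ESMTP helo=` yet yields `email.to.address: ["john.doe@exemple.com"]`, qmgr.json shows `from=, size=152518` yet yields `test1@acme.com`, relay.json and smtp_relay.json show `to=,` yet yield `rob@exemple.com`, and replace_header.json has had its addresses rewritten into markdown `[hola@example.org](mailto:...)` links. The `<...>` tokens are being treated as HTML and the addresses auto-linked by the doc generator; escape the message field so the fixtures are reproducible. Two normalization points visible in the same samples: sasl_login.json ("SASL LOGIN authentication failed") is categorized only as `email`/`info` with no outcome, so a brute-force rule cannot key on it (consider `authentication` plus `event.outcome: failure`), and the 4xx deferrals in connection_limited.json (432 4.3.2) and smtp_relay.json (452 4.3.1, status=deferred) are mapped to `action.outcome: "success"`. Also, cleanup.json maps `modification-date` to `file.ctime`; ECS reserves `ctime` for attribute changes, `file.mtime` is the modification time.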