Refresh intakes documentation
1 parent 3c7763f commit b7d8ab7
Showing 22 changed files with 3,936 additions and 14 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "84:fa:b1:70:bf:8e",
"port": 56468
},
"host": {
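Review bot: the `destination.mac` value added here (and the `source.mac` values added in the three sibling hunks of this file) cannot be cross-checked from this diff alone, because only the parsed-output side of each example changed and the raw logs these four examples are parsed from are not part of the commit. Before merging, confirm that the existing raw samples for these examples actually carry `84:fa:b1:70:bf:8e`, `80:95:bb:71:95:aa`, `b0:df:72:9d:29:9b` and `10:9f:4b:3c:50:d7` in their `AdditionalFields`, and in the expected orientation, so the documented output is something the parser reproduces rather than a hand-edited value.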
Expand Down Expand Up @@ -452,6 +453,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "80:95:bb:71:95:aa",
"port": 443
}
}
Expand Down Expand Up @@ -481,6 +483,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "b0:df:72:9d:29:9b",
"port": 7680
},
"host": {
Expand Down Expand Up @@ -512,6 +515,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "10:9f:4b:3c:50:d7",
"port": 56499
}
}
Expand Down Expand Up @@ -1121,6 +1125,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "test_device_network_connection.json"

```json

{
"message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet 
Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n",
"event": {
"category": [
"network"
],
"dataset": "device_network_events",
"type": [
"info"
]
},
"@timestamp": "2024-09-30T14:00:41.934118Z",
"action": {
"type": "ConnectionAttempt"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "0a:ac:f5:b4:e6:37",
"port": 7680
},
"host": {
"id": "dbe5c34434fb4792bea6874dd0b1f107",
"name": "ml022"
},
"microsoft": {
"defender": {
"report": {
"id": "21118"
}
}
},
"network": {
"protocol": "TcpV4"
},
"process": {
"parent": {
"pid": 0
},
"pid": 0
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "18:e8:f8:74:c9:0d",
"port": 57410
}
}
```


=== "test_device_network_events.json"

```json
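Review bot: the MAC mapping in this expected output looks inverted relative to the raw labels. The raw `AdditionalFields` in the `message` field carries `"Source Mac":"0a:ac:f5:b4:e6:37"` and `"Destination Mac":"18:e8:f8:74:c9:0d"`, but the output places `0a:ac:f5:b4:e6:37` under `destination.mac` and `18:e8:f8:74:c9:0d` under `source.mac`. With `"direction":"In"` the IP side is handled as expected (`RemoteIP` 1.2.3.4 becomes `source.ip`, `LocalIP` 5.6.7.8 becomes `destination.ip`), so either the parser deliberately treats "Source Mac" as the local interface on inbound connections, in which case a sentence in the intake notes should say so, or the two MAC values should be swapped to follow the labels; a rule that pivots on `source.mac` for an inbound connection attempt would otherwise point at the wrong host. A smaller point: `event.type` is `["info"]` for an `ActionType` of `ConnectionAttempt`, whereas ECS has the more specific `connection` (or `start`) value, which is what detection content typically filters on for network events.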
Expand Down Expand Up @@ -2135,6 +2201,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "0a:ac:f5:b4:e6:37",
"port": 443
},
"host": {
Expand Down Expand Up @@ -2166,6 +2233,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "18:e8:f8:74:c9:0d",
"port": 46112
}
}
Expand Down Expand Up @@ -2367,6 +2435,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`container.id` | `keyword` | Unique container id. |
|`container.runtime` | `keyword` | Runtime managing this container. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.mac` | `keyword` | MAC address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`email.attachments` | `nested` | List of objects describing the attachments. |
|`email.from.address` | `keyword` | The email address of the sender, typically from the RFC 5322 From: header field |
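Review bot: the `destination.mac` row (and the matching `source.mac` row added further down in this file) reuses the generic ECS description but does not say which representation the intake emits. The examples in this file keep the raw lowercase, colon-separated form (for example `84:fa:b1:70:bf:8e`), while the ECS definition of `source.mac` and `destination.mac` expects uppercase hexadecimal with hyphen separators (`00-00-5E-00-53-23` style). Either normalise the values to the ECS form in the parser or state the emitted format in the description, so that rules and asset lookups written against other intakes match on the same representation.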
Expand Down Expand Up @@ -2473,6 +2542,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.geo.city_name` | `keyword` | City name. |
|`source.geo.country_iso_code` | `keyword` | Country ISO code. |
|`source.ip` | `ip` | IP address of the source. |
|`source.mac` | `keyword` | MAC address of the source. |
|`source.port` | `long` | Port of the source. |
|`threat.technique.name` | `keyword` | Threat technique name. |
|`url.domain` | `keyword` | Domain of the url. |
Expand Down
Expand Up @@ -861,6 +861,69 @@ In this section, you will find examples of raw logs as generated natively by the



=== "test_device_network_connection"


```json
{
"time": "2024-09-30T14:02:12.4790551Z",
"tenantId": "d9eae684-f70a-4ac1-b304-53de40a8db56",
"operationName": "Publish",
"category": "AdvancedHunting-DeviceNetworkEvents",
"_TimeReceivedBySvc": "2024-09-30T14:01:00.5234998Z",
"properties": {
"DeviceName": "ml022",
"DeviceId": "dbe5c34434fb4792bea6874dd0b1f107",
"ReportId": 21118,
"RemoteIP": "1.2.3.4",
"RemotePort": 57410,
"LocalIP": "5.6.7.8",
"LocalPort": 7680,
"Protocol": "TcpV4",
"RemoteUrl": null,
"InitiatingProcessCreationTime": null,
"InitiatingProcessId": 0,
"InitiatingProcessCommandLine": null,
"InitiatingProcessParentCreationTime": null,
"InitiatingProcessParentId": 0,
"InitiatingProcessParentFileName": null,
"InitiatingProcessSHA1": null,
"InitiatingProcessMD5": null,
"InitiatingProcessFolderPath": null,
"InitiatingProcessAccountName": null,
"InitiatingProcessAccountDomain": null,
"InitiatingProcessAccountSid": null,
"InitiatingProcessFileName": null,
"InitiatingProcessIntegrityLevel": null,
"InitiatingProcessTokenElevation": "None",
"AppGuardContainerId": "",
"LocalIPType": null,
"RemoteIPType": null,
"ActionType": "ConnectionAttempt",
"InitiatingProcessSHA256": null,
"InitiatingProcessAccountUpn": null,
"InitiatingProcessAccountObjectId": null,
"AdditionalFields": "{\"direction\":\"In\",\"Source Mac\":\"0a:ac:f5:b4:e6:37\",\"Destination Mac\":\"18:e8:f8:74:c9:0d\",\"Tcp Flags\":2,\"Packet Size\":66}",
"InitiatingProcessFileSize": null,
"InitiatingProcessVersionInfoCompanyName": null,
"InitiatingProcessVersionInfoProductName": null,
"InitiatingProcessVersionInfoProductVersion": null,
"InitiatingProcessVersionInfoInternalFileName": null,
"InitiatingProcessVersionInfoOriginalFileName": null,
"InitiatingProcessVersionInfoFileDescription": null,
"InitiatingProcessSessionId": null,
"IsInitiatingProcessRemoteSession": false,
"InitiatingProcessRemoteSessionDeviceName": null,
"InitiatingProcessRemoteSessionIP": null,
"Timestamp": "2024-09-30T14:00:41.9341182Z",
"MachineGroup": "Windows 10/11 - remediate threats automatically"
},
"Tenant": "DefaultTenant"
}
```



=== "test_device_network_events"


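Review bot: the new raw sample carries more in `AdditionalFields` than the parsed example consumes. Besides the two MAC addresses it has `"direction":"In"`, `"Tcp Flags":2` and `"Packet Size":66`, none of which surface in the `test_device_network_connection.json` output added earlier in this commit; in particular the output has no `network.direction`, even though ECS defines `inbound` and `outbound` for exactly this attribute. If dropping them is intentional, a line in the intake notes should say so; otherwise `direction` is worth mapping, since it is what lets a rule tell a device that received a connection on local port 7680 apart from a device that initiated one.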
Expand Down
Expand Up @@ -2340,11 +2340,15 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.CallerProcessName` | `keyword` | |
|`action.properties.CategoryID` | `keyword` | |
|`action.properties.CategoryName` | `keyword` | |
|`action.properties.CertIssuerName` | `keyword` | |
|`action.properties.CertSerialNumber` | `keyword` | |
|`action.properties.CertThumbprint` | `keyword` | |
|`action.properties.ClientProcessId` | `keyword` | |
|`action.properties.ClientProcessStartKey` | `keyword` | |
|`action.properties.DetectionID` | `keyword` | |
|`action.properties.DetectionTime` | `keyword` | |
|`action.properties.DetectionUser` | `keyword` | |
|`action.properties.Domain` | `keyword` | |
|`action.properties.ElevatedToken` | `keyword` | |
|`action.properties.EngineVersion` | `keyword` | |
|`action.properties.Engineup-to-date` | `keyword` | |
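Review bot: the twelve rows this file adds across its hunks (`CertIssuerName`, `CertSerialNumber`, `CertThumbprint`, `Domain`, `MemberName`, `PreAuthType`, `PrivilegeList`, `ServiceName`, `ServiceSid`, `TicketEncryptionType`, `TicketOptions`, `User`) all ship with an empty description column. That matches the existing `action.properties.*` rows, but it leaves a rule author guessing which Windows event each comes from; the names suggest Kerberos ticket-request attributes (`PreAuthType`, `TicketEncryptionType`, `TicketOptions`, `ServiceName`, `ServiceSid`), a group-membership change (`MemberName`) and a privilege assignment (`PrivilegeList`), and a short note per row naming the source event, or at least a pointer to the raw sample that exercises it, would make the table usable without opening the test files.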
Expand Down Expand Up @@ -2386,6 +2390,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.LogonGuid` | `keyword` | |
|`action.properties.LogonProcessName` | `keyword` | |
|`action.properties.LogonType` | `keyword` | |
|`action.properties.MemberName` | `keyword` | |
|`action.properties.NRIengineversion` | `keyword` | |
|`action.properties.NRIsecurityintelligenceversion` | `keyword` | |
|`action.properties.NotValidAfter` | `keyword` | |
Expand All @@ -2401,7 +2406,9 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.Platformversion` | `keyword` | |
|`action.properties.PolicyBits` | `keyword` | |
|`action.properties.PostCleanStatus` | `keyword` | |
|`action.properties.PreAuthType` | `keyword` | |
|`action.properties.PreExecutionStatus` | `keyword` | |
|`action.properties.PrivilegeList` | `keyword` | |
|`action.properties.ProcessId` | `keyword` | |
|`action.properties.ProcessName` | `keyword` | |
|`action.properties.ProcessNameBuffer` | `keyword` | |
Expand All @@ -2426,6 +2433,8 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.ScriptBlockText` | `keyword` | |
|`action.properties.SecureRequired` | `keyword` | |
|`action.properties.SecurityintelligenceVersion` | `keyword` | |
|`action.properties.ServiceName` | `keyword` | |
|`action.properties.ServiceSid` | `keyword` | |
|`action.properties.SeverityID` | `keyword` | |
|`action.properties.SeverityName` | `keyword` | |
|`action.properties.ShareLocalPath` | `keyword` | |
Expand Down Expand Up @@ -2460,6 +2469,8 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.TaskName` | `keyword` | |
|`action.properties.ThreatID` | `keyword` | |
|`action.properties.ThreatName` | `keyword` | |
|`action.properties.TicketEncryptionType` | `keyword` | |
|`action.properties.TicketOptions` | `keyword` | |
|`action.properties.TotalSignatureCount` | `keyword` | |
|`action.properties.TransmittedServices` | `keyword` | |
|`action.properties.TypeID` | `keyword` | |
Expand All @@ -2470,6 +2481,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.Unused4` | `keyword` | |
|`action.properties.Unused5` | `keyword` | |
|`action.properties.Unused6` | `keyword` | |
|`action.properties.User` | `keyword` | |
|`action.properties.ValidatedPolicy` | `keyword` | |
|`action.properties.ValidatedSigningLevel` | `keyword` | |
|`action.properties.VerificationError` | `keyword` | |
Expand Down
