From 8d3125453ca3148053b2cd63ddfd5f9129eccd7c Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Wed, 25 Oct 2023 12:30:14 +0000 Subject: [PATCH] Refresh intakes documentation --- .../bae128bb-98c6-45f7-9763-aad3451821e5.md | 634 ++++++++++++++++++ .../ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md | 86 +++ 2 files changed, 720 insertions(+) create mode 100644 _shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md create mode 100644 _shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md diff --git a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md new file mode 100644 index 0000000000..58a45ab0cc --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md @@ -0,0 +1,634 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | Trellix Network Security provide many information like the connected client, the requested resource. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "domain_match.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|DM|domain-match|1|src=1.2.3.4 spt=48255 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=53 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=93000001 cn3Label=cncPort cn3=53 cs1Label=sname cs1=DTI:Bot.Mariposa.DNS cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612 cs5Label=cncHost cs5=butterfly.bigmoney.biz proto=udp rt=Sep 05 2023 16:47:48 UTC externalId=20967020 act=notified devicePayloadId=cd467397-8c43-4e03-acaa-398cf2e8c612 start=Sep 05 2023 16:47:48 UTC dvcmac=e3:e9:d0:5e:ba:8e", + "event": { + "kind": "event", + "dataset": "domain-match", + "severity": 1, + "start": "2023-09-05T16:47:48Z", + "action": "notified", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-05T16:47:48Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "network": { + "transport": "udp" + }, + "trellix": { + "nx": { + "sname": "DTI:Bot.Mariposa.DNS", + "cnc_port": "53", + "cnc_host": "butterfly.bigmoney.biz" + } + }, + "destination": { + "port": 53, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 48255, + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "address": "1.2.3.4" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ] + } + } + + ``` + + +=== "infection_match.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|IM|infection-match|1|spt=1046 smac=6c:af:1a:fb:fe:a7 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=607378 cn3Label=cncPort cn3=80 cs1Label=sname cs1=Local.Infection cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 cs5Label=cncHost cs5=2011::1:6377:90aa cs6Label=channel cs6=GET /m/web.php HTTP/1.1::~~Host: zebrabel1.co.cc::~~User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5::~~Accept: text/html,application/xhtml+xml,application/xml;q\\=0.9,*/*;q\\=0.8::~~Accept-Language: en-us,en;q\\=0.5::~~Accept-Encoding: gzip,deflate::~~Accept-Charset: ISO-8859-1,utf-8;q\\=0.7,*;q\\=0.7::~~Keep-Alive: 300::~~Connection: keep-alive::~~Referer: http://zebrabel1.co.cc/m/::~~::~~ proto=tcp rt=Sep 05 2023 16:28:55 UTC externalId=20966332 act=notified c6a3=1c83:125e:807c:d317:d732:d30b:6af0:d34f c6a3Label=Attacker IP c6a2=decc:4ab1:133a:f9ce:18d2:7c83:2142:601e c6a2Label=Victim IP requestMethod=GET requestClientApplication=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 requestContext=http://zebrabel1.co.cc/m/ devicePayloadId=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 start=Sep 05 2023 16:28:55 UTC dvcmac=e3:e9:d0:5e:ba:8e", + "event": { + "kind": "event", + "dataset": "infection-match", + "severity": 1, + "start": "2023-09-05T16:28:55Z", + "action": "notified", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-05T16:28:55Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "network": { + "transport": "tcp" + }, + "http": { + "request": { + "method": "GET" + } + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5", + "device": { + "name": "Other" + }, + "name": "Firefox Beta", + "version": "3.0.b5", + "os": { + "name": "Windows", + "version": "XP" + } + }, + "trellix": { + "nx": { + "sname": "Local.Infection", + "cnc_port": "80", + "cnc_host": "2011::1:6377:90aa" + } + }, + "destination": { + "port": 80, + "mac": "00:78:db:db:96:f6", + "ip": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", + "address": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" + }, + "source": { + "port": 1046, + "mac": "6c:af:1a:fb:fe:a7", + "ip": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "address": "1c83:125e:807c:d317:d732:d30b:6af0:d34f" + }, + "related": { + "ip": [ + "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "3.4.5.6", + "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ] + } + } + + ``` + + +=== "ips_events.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|IE|ips-event|7|externalId=3463232 rt=Sep 05 2023 16:46:51 UTC proto=tcp src=1.2.3.4 spt=80 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=1109 dmac=00:78:db:db:96:f6 cnt=1 cs1Label=sname cs1=Exploit Kit Landing Page act=notified dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 dvcmac=e3:e9:d0:5e:ba:8e cn2=85305161 cn2Label=sid cfp1=12 cfp1Label=signature revision cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd cs4Label=link flexString2=client flexString2Label=attack mode msg=MVX Correlation Status:N/A cn1=0 cn1Label=vlan", + "event": { + "kind": "event", + "dataset": "ips-event", + "severity": 7, + "action": "notified", + "reason": "MVX Correlation Status:N/A", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-05T16:46:51Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "network": { + "transport": "tcp" + }, + "trellix": { + "nx": { + "sname": "Exploit Kit Landing Page" + } + }, + "destination": { + "port": 1109, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 80, + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "address": "1.2.3.4" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ] + } + } + + ``` + + +=== "malware_callback.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|MC|malware-callback|7|src=1.2.3.4 spt=1133 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=443 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=33332506 cn3Label=cncPort cn3=443 cs1Label=sname cs1=Bot.Pushdo.C1 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b cs5Label=cncHost cs5=223.92.214.59 proto=tcp rt=Sep 05 2023 16:28:40 UTC shost=ip-095-223-164-201.um35.pools.vodafone-ip.de externalId=20966324 act=notified devicePayloadId=8a4875e0-195e-436a-b3a1-e2a52c544d4b start=Sep 05 2023 16:28:40 UTC dvcmac=e3:e9:d0:5e:ba:8e", + "event": { + "kind": "event", + "dataset": "malware-callback", + "severity": 7, + "start": "2023-09-05T16:28:40Z", + "action": "notified", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-05T16:28:40Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "network": { + "transport": "tcp" + }, + "trellix": { + "nx": { + "sname": "Bot.Pushdo.C1", + "cnc_port": "443", + "cnc_host": "223.92.214.59" + } + }, + "destination": { + "port": 443, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 1133, + "ip": "1.2.3.4", + "domain": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "mac": "6c:af:1a:fb:fe:a7", + "address": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "top_level_domain": "de", + "subdomain": "ip-095-223-164-201.um35.pools", + "registered_domain": "vodafone-ip.de" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "ip-095-223-164-201.um35.pools.vodafone-ip.de" + ] + } + } + + ``` + + +=== "malware_object.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|MO|malware-object|4|src=1.2.3.4 spt=49207 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=8816733 cs1Label=sname cs1=Exploit.JAVA.CVE-2013-0422.FEC2 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87 filePath=kentuckyautoexchange.com/tsh.jar rt=Sep 05 2023 16:28:42 UTC shost=dynamic-ip-adsl.viettel.vn fileHash=517f9835592fe08912c702c70219b20a externalId=8838994 act=notified devicePayloadId=860e5b30-5a8b-4159-8eb5-148ec3387e87 fileType=jar sproc=Java JDK JRE 7.13 fsize=13676 fname=tsh.jar flexString1Label=sha256sum flexString1=6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2 start=Sep 04 2023 11:26:23 UTC dvcmac=e3:e9:d0:5e:ba:8e", + "event": { + "kind": "event", + "dataset": "malware-object", + "severity": 4, + "start": "2023-09-04T11:26:23Z", + "action": "notified", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87", + "category": [ + "malware" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-04T11:26:23Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "file": { + "path": "kentuckyautoexchange.com/tsh.jar", + "name": "tsh.jar", + "hash": { + "sha256": "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2", + "md5": "517f9835592fe08912c702c70219b20a" + }, + "size": 13676, + "extension": "jar" + }, + "process": { + "parent": { + "title": "Java JDK JRE 7.13" + } + }, + "trellix": { + "nx": { + "sname": "Exploit.JAVA.CVE-2013-0422.FEC2" + } + }, + "destination": { + "port": 80, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 49207, + "ip": "1.2.3.4", + "domain": "dynamic-ip-adsl.viettel.vn", + "mac": "6c:af:1a:fb:fe:a7", + "address": "dynamic-ip-adsl.viettel.vn", + "top_level_domain": "vn", + "subdomain": "dynamic-ip-adsl", + "registered_domain": "viettel.vn" + }, + "related": { + "hash": [ + "517f9835592fe08912c702c70219b20a", + "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2" + ], + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "dynamic-ip-adsl.viettel.vn" + ] + } + } + + ``` + + +=== "riskware_callback.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|RC|riskware-callback|1|rt=Sep 05 2023 16:46:47 UTC start=Sep 05 2023 16:46:47 UTC end=Sep 05 2023 16:46:47 UTC src=1.2.3.4 dst=5.6.7.8 request=hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 cs1Label=sname cs1=Adware.Downloader.Generic act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 spt=1072 dpt=80 cn1Label=vlan cn1=0 externalId=20966952 devicePayloadId=ae490699-29f0-4680-abb1-9db7ff757cad msg=risk ware detected:13436744 proto=tcp cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad cs6Label=channel cs6=GET /abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic ::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: stan.mxp2142.com::~~Connection: Keep-Alive::~~::~~", + "event": { + "kind": "event", + "dataset": "riskware-callback", + "severity": 1, + "start": "2023-09-05T16:46:47Z", + "end": "2023-09-05T16:46:47Z", + "action": "notified", + "reason": "risk ware detected:13436744", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad", + "category": [ + "intrusion_detection" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-05T16:46:47Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "network": { + "transport": "tcp" + }, + "url": { + "original": "hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "domain": "stan.mxp2142.com", + "top_level_domain": "com", + "subdomain": "stan", + "registered_domain": "mxp2142.com", + "path": "/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "scheme": "hxxp" + }, + "trellix": { + "nx": { + "sname": "Adware.Downloader.Generic" + } + }, + "destination": { + "port": 80, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 1072, + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "address": "1.2.3.4" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ] + } + } + + ``` + + +=== "riskware_object.json" + + ```json + + { + "message": "CEF:0|Trellix|MPS|10.0.0.992057|RO|riskware-object|1|rt=Sep 05 2023 16:45:08 UTC start=Sep 04 2023 11:27:16 UTC end=Sep 05 2023 16:45:08 UTC src=1.2.3.4 dst=5.6.7.8 request=16.16.16.11/043d611854b9c141a36798ac813ff9f7 fname=043d611854b9c141a36798ac813ff9f7 fileType=dmg cs1Label=sname cs1=PUP.MacOS.Bnodlero.FEC3 act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e fileHash=043d611854b9c141a36798ac813ff9f7 smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 fsize=1315301 spt=37640 dpt=80 cn1Label=vlan cn1=0 requestMethod=GET externalId=8839150 devicePayloadId=c61444e1-64a5-41b3-b31d-3aa4408af602 msg=risk ware detected:13436641 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602 flexString1Label=sha256sum flexString1=b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", + "event": { + "kind": "event", + "dataset": "riskware-object", + "severity": 1, + "start": "2023-09-04T11:27:16Z", + "end": "2023-09-05T16:45:08Z", + "action": "notified", + "reason": "risk ware detected:13436641", + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602", + "category": [ + "malware" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-04T11:27:16Z", + "observer": { + "vendor": "Trellix", + "product": "MPS", + "version": "10.0.0.992057", + "ip": [ + "3.4.5.6" + ], + "hostname": "cms-nx5600-1.eng.fireeye.com", + "mac": [ + "e3:e9:d0:5e:ba:8e" + ] + }, + "url": { + "original": "16.16.16.11/043d611854b9c141a36798ac813ff9f7", + "path": "16.16.16.11/043d611854b9c141a36798ac813ff9f7" + }, + "http": { + "request": { + "method": "GET" + } + }, + "file": { + "name": "043d611854b9c141a36798ac813ff9f7", + "hash": { + "sha256": "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", + "md5": "043d611854b9c141a36798ac813ff9f7" + }, + "size": 1315301, + "extension": "dmg" + }, + "trellix": { + "nx": { + "sname": "PUP.MacOS.Bnodlero.FEC3" + } + }, + "destination": { + "port": 80, + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "address": "5.6.7.8" + }, + "source": { + "port": 37640, + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "address": "1.2.3.4" + }, + "related": { + "hash": [ + "043d611854b9c141a36798ac813ff9f7", + "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c" + ], + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.mac` | `keyword` | MAC address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`event.url` | `keyword` | Event investigation URL | +|`file.extension` | `keyword` | File extension, excluding the leading dot. | +|`file.hash.md5` | `keyword` | MD5 hash. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`file.size` | `long` | File size in bytes. | +|`http.request.method` | `keyword` | HTTP request method. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.hostname` | `keyword` | Hostname of the observer. | +|`observer.ip` | `ip` | IP addresses of the observer. | +|`observer.mac` | `keyword` | MAC addresses of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`observer.version` | `keyword` | Observer version. | +|`process.parent.title` | `keyword` | Process title. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.mac` | `keyword` | MAC address of the source. | +|`source.port` | `long` | Port of the source. | +|`trellix.nx.cnc_host` | `keyword` | Trellinx network security event cnc host. | +|`trellix.nx.cnc_port` | `keyword` | Trellinx network security event cnc port. | +|`trellix.nx.sname` | `keyword` | Trellinx network security event sname. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md new file mode 100644 index 0000000000..6379e70adc --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md @@ -0,0 +1,86 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network device logs` | Check Point can record traffic events flowing through their firewall. | +| `Network protocol analysis` | Check Point firewall does traffic analysis at physical/data/transport layers | +| `Web logs` | Domain names are extracted from HTTP traffic | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `network` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event.json" + + ```json + + { + "message": "{\"attack_vector\":\"NetworkSecurity\",\"backend_last_updated\":\"02/02/202202:22:20\",\"details\":\"Domain:bb[.]caf\u00e9\",\"device_id\":\"2\",\"device_rooted\":false,\"email\":\"Blocked\",\"event\":\"Info\",\"event_timestamp\":\"02/22/202202:22:20\",\"id\":22,\"mdm_uuid\":\"00000000-0000-0000-0000-0000000000\",\"name\":\"TestDevice\",\"number\":\"+13045555555\",\"severity\":\"Critical\",\"threat_factors\":\"Phishing\",\"device_model\":\"Android\",\"client_version\":\"2.73-SNAPSHOT/2,089\"}", + "event": { + "kind": "alert", + "category": "network", + "type": [ + "info" + ], + "reason": "Domain:bb[.]caf\u00e9" + }, + "host": { + "os": { + "type": "Android" + } + }, + "device": { + "id": "2" + }, + "checkpoint": { + "harmony": { + "attack_vector": "NetworkSecurity", + "number": "+13045555555", + "threat_factors": "Phishing", + "mdm_uuid": "00000000-0000-0000-0000-0000000000" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`checkpoint.harmony.attack_vector` | `keyword` | Check Point Harmony attack vector | +|`checkpoint.harmony.mdm_uuid` | `keyword` | Check Point Harmony MDM uuid | +|`checkpoint.harmony.number` | `keyword` | Check Point Harmony number | +|`checkpoint.harmony.threat_factors` | `keyword` | Check Point Harmony threat factors | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.os.type` | `keyword` | Which commercial OS family (one of: linux, macos, unix or windows). | +