Merge pull request #1494 from SEKOIA-IO/update-intake-documentation

Refresh intakes documentation
SEKOIA-IO · Dec 8, 2023 · c57f691 · c57f691
2 parents 479be0e + 99a3271
commit c57f691
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/...perations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md b/...perations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md
@@ -222,6 +222,61 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "malop_malware.json"
+
+    ```json
+
+    {
+        "message": "CEF:0|Cybereason|Cybereason|1.0|1|Malware Added|5|rt=1695390207947 cs1=536022030.1520074073309787353 cs2=xref_styles.dotm cs3=UnknownMalware cs4=File cs5=pl18de906 cs6=Detected CybereasonCEFgeneratorNeedsAttention=False CybereasonCEFgeneratorReferenceGuid=536022030.1520074073309787353 CybereasonCEFgeneratorReferenceElementType=File CybereasonCEFgeneratorDetectionValue=None CybereasonCEFgeneratorDetectionValueType=None CybereasonCEFgeneratorDetectionEngine=Document flexString1=.DocumentMalwareDataModel flexString2=None reason=['[\"doc_tmpfl\",\"doc_asbt\",\"doc_k32\",\"doc_dfn\",\"doc_gtmpp\",\"doc_crobj\",\"doc_shvr1\",\"doc_vbcmp\",\"doc_swnd\",\"doc_cmdesc\",\"doc_chrclc\",\"doc_shl\",\"doc_gtcrobj\",\"doc_dsh\",\"doc_ht\",\"doc_exdl\",\"doc_dcdl\",\"doc_dcuop\",\"doc_atexc\"]'] filePath=c:\\\\users\\\\jdoe\\\\appdata\\\\roaming\\\\microsoft\\\\word\\\\startup\\\\xref_styles.dotm CybereasonCEFgeneratorSchedulerScan=False cs1Label=MalwareGUID cs2Label=MalwareName cs3Label=MalwareType cs4Label=ElementType cs5Label=MachineName cs6Label=MalwareStatus cfp1Label=Score flexString1Label=MalwareClass flexString2Label=MalwareDataModelType",
+        "event": {
+            "action": "Malware Added",
+            "category": [
+                "malware"
+            ],
+            "code": "1",
+            "kind": "alert",
+            "severity": 5,
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2023-09-22T13:43:27.947000Z",
+        "cybereason": {
+            "cef": {
+                "version": "0"
+            },
+            "malop": {
+                "malware": {
+                    "guid": "536022030.1520074073309787353",
+                    "status": "Detected",
+                    "type": "UnknownMalware"
+                }
+            }
+        },
+        "file": {
+            "directory": "c:\\\\users\\\\jdoe\\\\appdata\\\\roaming\\\\microsoft\\\\word\\\\startup\\",
+            "name": "xref_styles.dotm",
+            "path": "c:\\\\users\\\\jdoe\\\\appdata\\\\roaming\\\\microsoft\\\\word\\\\startup\\\\xref_styles.dotm"
+        },
+        "host": {
+            "name": "pl18de906"
+        },
+        "observer": {
+            "product": "Cybereason",
+            "vendor": "Cybereason",
+            "version": "1.0"
+        },
+        "threat": {
+            "software": {
+                "name": "xref_styles.dotm",
+                "type": "Malware"
+            }
+        }
+    }
+    	
+	```
+
+
 === "malop_process_added.json"
 
     ```json
@@ -359,6 +414,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`cybereason.malop.host.is_online` | `boolean` | Indicates whether the host is connected to the Cybereason platform |
 |`cybereason.malop.host.is_original_machine` | `boolean` | Indicates whether the host was detected recently |
 |`cybereason.malop.id` | `keyword` | The identifier of the MalOp |
+|`cybereason.malop.malware.guid` | `keyword` | The GUID of the malware |
+|`cybereason.malop.malware.status` | `keyword` | The status of the malware |
+|`cybereason.malop.malware.type` | `keyword` | The type of the malware |
 |`cybereason.malop.modified_at` | `text` | The modification date of the MalOp |
 |`cybereason.malop.status` | `keyword` | The status of the MalOp |
 |`destination.geo.country_name` | `keyword` | Country name. |
@@ -372,9 +430,11 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`event.url` | `keyword` | Event investigation URL |
 |`file.hash.sha1` | `keyword` | SHA1 hash. |
+|`file.path` | `keyword` | Full path to the file, including the file name. |
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`host.id` | `keyword` | Unique host id. |
 |`host.ip` | `ip` | Host ip addresses. |
+|`host.name` | `keyword` | Name of the host. |
 |`host.os.full` | `keyword` | Operating system name, including the version or code name. |
 |`observer.product` | `keyword` | The product name of the observer. |
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
@@ -383,6 +443,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`process.name` | `keyword` | Process name. |
 |`process.parent.name` | `keyword` | Process name. |
 |`process.start` | `date` | The time the process started. |
+|`threat.software.name` | `keyword` | Name of the software. |
+|`threat.software.type` | `keyword` | Software type. |
 |`user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.name` | `keyword` | Short name or login of the user. |