Skip to content

Commit

Permalink
Merge pull request #1745 from SEKOIA-IO/update-intake-documentation
Browse files Browse the repository at this point in the history 
Refresh intakes documentation
  • Loading branch information
@squioc
squioc authored Apr 22, 2024
2 parents 6a65e0b + e51e4b8 commit cc3f512
Show file tree
Hide file tree
Showing 8 changed files with 4,084 additions and 208 deletions.
166 changes: 166 additions & 0 deletions ...perations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,170 @@ The following table lists the data source offered by this integration.



## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "https_traffic.json"

```json

{
"message": "time=16:58:13 log_id=30001000 msg_id=000669319381 device_id=FVVM010000207514 vd=\"root\" timezone=\"(GMT+1:00)Brussels,Copenhagen,Madrid,Paris\" timezone_dayst=\"GMTc-2\" type=traffic subtype=\"https\" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy=extranet original_src=192.168.36.2 src=192.168.36.2 src_port=48152 dst=172.26.8.20 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=549 http_response_bytes=11272 http_method=get http_url=\"/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN\" http_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36\" http_retcode=200 msg=\"HTTPS get request from 192.168.36.2:48152 to 172.26.8.20:80\" original_srccountry=\"Reserved\" srccountry=\"Reserved\" content_switch_name=\"none\" server_pool_name=\"extranet.sns-security.fr\" http_host=\"api.sns-security.fr\" user_name=\"Unknown\" http_refer=\"https://technet.sns-security.fr/\" http_version=\"1.x\" dev_id=none cipher_suite=\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\"",
"event": {
"category": "https",
"kind": "traffic",
"message": "HTTPS get request from 192.168.36.2:48152 to 172.26.8.20:80",
"outcome": "success"
},
"action": {
"outcome": "success",
"outcome_reason": "none",
"properties": {
"device_id": "FVVM010000207514",
"log_id": "30001000"
}
},
"destination": {
"address": "172.26.8.20",
"ip": "172.26.8.20",
"port": 80
},
"host": {
"name": "tyR4LrYORLPlEIBp"
},
"http": {
"request": {
"bytes": 549,
"method": "get",
"referrer": "https://technet.sns-security.fr/"
},
"response": {
"bytes": 11272,
"status_code": 200
},
"version": "1.x"
},
"log": {
"hostname": "tyR4LrYORLPlEIBp",
"level": "notice"
},
"network": {
"protocol": "tcp"
},
"related": {
"ip": [
"172.26.8.20",
"192.168.36.2"
]
},
"rule": {
"ruleset": "extranet"
},
"source": {
"address": "192.168.36.2",
"geo": {
"name": "Reserved"
},
"ip": "192.168.36.2",
"port": 48152
},
"tls": {
"cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
},
"url": {
"path": "/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN",
"username": "Unknown"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Chromium",
"original": "Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36",
"os": {
"name": "Linux"
},
"version": "72.0.3626"
}
}
```


=== "system_event.json"

```json

{
"message": "time=10:48:07 log_id=11005607 msg_id=000669559376 device_id=FVVM010000207514 vd=\"root\" timezone=\"(GMT+1:00)Brussels,Copenhagen,Madrid,Paris\" timezone_dayst=\"GMTc-2\" type=event subtype=\"system\" pri=notice trigger_policy=\"\" user=daemon ui=daemon action=check-resource status=success msg=\"The logdisk usage is too high\" ",
"event": {
"action": "check-resource",
"category": "system",
"kind": "event",
"message": "The logdisk usage is too high",
"outcome": "success"
},
"action": {
"outcome": "success",
"properties": {
"device_id": "FVVM010000207514",
"log_id": "11005607"
}
},
"host": {
"name": "vnx1hO5mF0pK4IR1"
},
"log": {
"hostname": "vnx1hO5mF0pK4IR1",
"level": "notice"
},
"related": {
"user": [
"daemon"
]
},
"user": {
"name": "daemon"
}
}
```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`action.properties.device_id` | `keyword` | |
|`action.properties.log_id` | `keyword` | |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). |
|`http.request.method` | `keyword` | HTTP request method. |
|`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). |
|`http.response.status_code` | `long` | HTTP response status code. |
|`http.version` | `keyword` | HTTP version. |
|`log.level` | `keyword` | Log level of the log event. |
|`network.protocol` | `keyword` | Application protocol name. |
|`rule.ruleset` | `keyword` | Rule ruleset |
|`source.geo.name` | `keyword` | User-defined description of a location. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`url.username` | `keyword` | Username of the request. |
|`user.name` | `keyword` | Short name or login of the user. |
|`user_agent.original` | `keyword` | Unparsed user_agent string. |

7 changes: 1 addition & 6 deletions ...perations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Kind | `` |
| Category | `network` |
| Type | `allowed`, `denied` |

Expand All @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"kind": "event",
"outcome": "success",
"start": "2024-03-18T13:21:42.625922Z",
"type": [
Expand Down Expand Up @@ -109,7 +108,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"kind": "event",
"outcome": "success",
"start": "2020-12-14T22:16:46.352816Z",
"type": [
Expand Down Expand Up @@ -172,7 +170,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"kind": "event",
"outcome": "success",
"start": "2020-12-14T22:16:46.352816Z",
"type": [
Expand Down Expand Up @@ -239,7 +236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"kind": "event",
"outcome": "success",
"start": "2021-03-24T10:55:03.068074Z",
"type": [
Expand Down Expand Up @@ -310,7 +306,6 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.code` | `keyword` | Identification code for this event. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.name` | `keyword` | Name of the host. |
Expand Down
8 changes: 4 additions & 4 deletions ...perations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
"message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
"event": {
"kind": "alert",
"outcome": "success"
Expand Down Expand Up @@ -366,7 +366,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"",
"message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"",
"event": {
"kind": "alert",
"outcome": "success"
Expand Down Expand Up @@ -409,7 +409,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"",
"message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"",
"event": {
"kind": "alert",
"outcome": "success"
Expand Down Expand Up @@ -455,7 +455,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
"message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
"event": {
"kind": "alert",
"outcome": "success"
Expand Down
6 changes: 3 additions & 3 deletions ...perations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 1.1.1.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico ",
"message": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 1.1.1.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
"event": {
"category": [
"web"
Expand Down Expand Up @@ -367,7 +367,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " [Thu Feb 29 11:47:27.072780 2024] [ssl:info] [pid 12596] [client 1.1.1.1:57535] AH01964: Connection to child 114 established (server app.corp.com:443)\n",
"message": "[Thu Feb 29 11:47:27.072780 2024] [ssl:info] [pid 12596] [client 1.1.1.1:57535] AH01964: Connection to child 114 established (server app.corp.com:443)",
"event": {
"category": [
"web"
Expand Down Expand Up @@ -405,7 +405,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": " [Thu Feb 29 14:23:43.643358 2024] [ssl:info] [pid 24237] (70014)End of file found: [client 1.1.1.1 :42114] AH01991: SSL input filter read failed.",
"message": "[Thu Feb 29 14:23:43.643358 2024] [ssl:info] [pid 24237] (70014)End of file found: [client 1.1.1.1 :42114] AH01991: SSL input filter read failed.",
"event": {
"category": [
"web"
Expand Down
Loading

0 comments on commit cc3f512

Please sign in to comment.