From e51e4b82952d2d9823f7e014e1fb4400156def7b Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com>
Date: Fri, 19 Apr 2024 15:05:01 +0000
Subject: [PATCH] Refresh intakes documentation
---
 .../2259adc3-9d93-4150-9c1c-46804e636084.md | 166 ++
 .../340e3bc7-2b76-48e4-9833-e971451b2979.md | 7 +-
 .../44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md | 8 +-
 .../6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md | 6 +-
 .../b28db14b-e3a7-463e-8659-9bf0e577944f.md | 707 +++++-
 .../bf8867ee-43b7-444c-9475-a7f43754ab6d.md | 1372 +++++++++++-
 .../d0383e87-e054-4a21-8a2c-6a89635d8615.md | 101 +
 .../eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md | 1925 +++++++++++++++--
 8 files changed, 4084 insertions(+), 208 deletions(-)
 create mode 100644 _shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
index 519452b4b7..c75a7d4024 100644
--- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
+++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
@@ -15,4 +15,170 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "https_traffic.json" + + ```json + + { + "message": "time=16:58:13 log_id=30001000 msg_id=000669319381 device_id=FVVM010000207514 vd=\"root\" timezone=\"(GMT+1:00)Brussels,Copenhagen,Madrid,Paris\" timezone_dayst=\"GMTc-2\" type=traffic subtype=\"https\" pri=notice proto=tcp service=https/tls1.2 status=success reason=none policy=extranet original_src=192.168.36.2 src=192.168.36.2 src_port=48152 dst=172.26.8.20 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=549 http_response_bytes=11272 http_method=get http_url=\"/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN\" http_agent=\"Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36\" http_retcode=200 msg=\"HTTPS get request from 192.168.36.2:48152 to 172.26.8.20:80\" original_srccountry=\"Reserved\" srccountry=\"Reserved\" content_switch_name=\"none\" server_pool_name=\"extranet.sns-security.fr\" http_host=\"api.sns-security.fr\" user_name=\"Unknown\" http_refer=\"https://technet.sns-security.fr/\" http_version=\"1.x\" dev_id=none cipher_suite=\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\"", + "event": { + "category": "https", + "kind": "traffic", + "message": "HTTPS get request from 192.168.36.2:48152 to 172.26.8.20:80", + "outcome": "success" + }, + "action": { + "outcome": "success", + "outcome_reason": "none", + "properties": { + "device_id": "FVVM010000207514", + "log_id": "30001000" + } + }, + "destination": { + "address": "172.26.8.20", + "ip": "172.26.8.20", + "port": 80 + }, + "host": { + "name": "tyR4LrYORLPlEIBp" + }, + "http": { + "request": { + "bytes": 549, + "method": "get", + "referrer": "https://technet.sns-security.fr/" + 
}, + "response": { + "bytes": 11272, + "status_code": 200 + }, + "version": "1.x" + }, + "log": { + "hostname": "tyR4LrYORLPlEIBp", + "level": "notice" + }, + "network": { + "protocol": "tcp" + }, + "related": { + "ip": [ + "172.26.8.20", + "192.168.36.2" + ] + }, + "rule": { + "ruleset": "extranet" + }, + "source": { + "address": "192.168.36.2", + "geo": { + "name": "Reserved" + }, + "ip": "192.168.36.2", + "port": 48152 + }, + "tls": { + "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + }, + "url": { + "path": "/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN", + "username": "Unknown" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chromium", + "original": "Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "72.0.3626" + } + } + + ``` + + +=== "system_event.json" + + ```json + + { + "message": "time=10:48:07 log_id=11005607 msg_id=000669559376 device_id=FVVM010000207514 vd=\"root\" timezone=\"(GMT+1:00)Brussels,Copenhagen,Madrid,Paris\" timezone_dayst=\"GMTc-2\" type=event subtype=\"system\" pri=notice trigger_policy=\"\" user=daemon ui=daemon action=check-resource status=success msg=\"The logdisk usage is too high\" ", + "event": { + "action": "check-resource", + "category": "system", + "kind": "event", + "message": "The logdisk usage is too high", + "outcome": "success" + }, + "action": { + "outcome": "success", + "properties": { + "device_id": "FVVM010000207514", + "log_id": "11005607" + } + }, + "host": { + "name": "vnx1hO5mF0pK4IR1" + }, + "log": { + "hostname": "vnx1hO5mF0pK4IR1", + "level": "notice" + }, + "related": { + "user": [ + "daemon" + ] + }, + "user": { + "name": "daemon" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS 
format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.device_id` | `keyword` | | +|`action.properties.log_id` | `keyword` | | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.referrer` | `keyword` | Referrer for this HTTP request. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`log.level` | `keyword` | Log level of the log event. | +|`network.protocol` | `keyword` | Application protocol name. | +|`rule.ruleset` | `keyword` | Rule ruleset | +|`source.geo.name` | `keyword` | User-defined description of a location. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`url.username` | `keyword` | Username of the request. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | 
diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index c5ea866592..bb2f52ca33 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `allowed`, `denied` | @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", - "kind": "event", "outcome": "success", "start": "2024-03-18T13:21:42.625922Z", "type": [ @@ -109,7 +108,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", - "kind": "event", "outcome": "success", "start": "2020-12-14T22:16:46.352816Z", "type": [ @@ -172,7 +170,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", - "kind": "event", "outcome": "success", "start": "2020-12-14T22:16:46.352816Z", "type": [ @@ -239,7 +236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", - "kind": "event", "outcome": "success", "start": "2021-03-24T10:55:03.068074Z", "type": [ 
@@ -310,7 +306,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md index 387e04439c..d7165a4388 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md 
@@ -321,7 +321,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", "event": { "kind": "alert", "outcome": "success" @@ -366,7 +366,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -409,7 +409,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", "event": { "kind": "alert", "outcome": "success" @@ -455,7 +455,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md index 378e3f7846..3abbb65bda 100644 --- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md @@ -192,7 +192,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 1.1.1.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico ", + "message": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 1.1.1.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico", "event": { "category": [ "web" @@ -367,7 +367,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " [Thu Feb 29 11:47:27.072780 2024] [ssl:info] [pid 12596] [client 1.1.1.1:57535] AH01964: Connection to child 114 established (server app.corp.com:443)\n", + "message": "[Thu Feb 29 11:47:27.072780 2024] [ssl:info] [pid 12596] [client 1.1.1.1:57535] AH01964: Connection to child 114 established (server app.corp.com:443)", "event": { "category": [ "web" @@ -405,7 +405,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": " [Thu Feb 29 14:23:43.643358 2024] [ssl:info] [pid 24237] (70014)End of file found: [client 1.1.1.1 :42114] AH01991: SSL input filter read failed.", + "message": "[Thu Feb 29 14:23:43.643358 2024] [ssl:info] [pid 24237] (70014)End of file found: [client 1.1.1.1 :42114] AH01991: SSL input filter read failed.", "event": { "category": [ "web" 
diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md index 61146613f8..6dafddcef4 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md @@ -28,6 +28,59 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "accepted_google_authenticator.json" + + ```json + + { + "message": " Accepted google_authenticator for root", + "event": { + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted google_authenticator for root", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "google_authenticator" + } + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "root" + ] + }, + "source": { + "user": { + "name": "root" + } + }, + "user": { + "name": "root" + } + } + + ``` + + === "accepted_gssapi-with-mic.json" ```json 
@@ -213,6 +266,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "accepted_publickey_2.json" + + ```json + + { + "message": " Accepted publickey for jdoe@example.local from 1.2.3.4 port 59294 ssh2: ED25519 SHA256:AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=", + "event": { + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted publickey for jdoe@example.local from 1.2.3.4 port 59294 ssh2: ED25519 SHA256:AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=", + "target": "user", + "type": "open" + }, + "file": { + "hash": { + "sha256": "AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=" + } + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "publickey" + } + }, + "process": { + "name": "sshd" + }, + "related": { + "hash": [ + "AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=" + ], + "hosts": [ + "example.local" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "example.local", + "domain": "example.local", + "ip": "1.2.3.4", + "port": 59294, + "subdomain": "example", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "authentication_attempts_exceeded.json" ```json 
@@ -270,6 +395,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "authentication_attempts_exceeded_2.json" + + ```json + + { + "message": " error: maximum authentication attempts exceeded for root from 1.2.3.4 port 63758 ssh2 [preauth]", + "event": { + "category": [ + "session" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "maximum authentication attempts exceeded", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "root" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63758, + "user": { + "name": "root" + } + }, + "user": { + "name": "root" + } + } + + ``` + + === "authentication_too_many_failures.json" ```json 
@@ -576,6 +755,96 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "connection_closed_invalid_without_user.json" + + ```json + + { + "message": " Connection closed by invalid user 1.2.3.4 port 36797 [preauth]", + "event": { + "category": [ + "network" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "Connection closed by invalid user 1.2.3.4 port 36797 [preauth]", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36797 + } + } + + ``` + + +=== "connection_corrupted.json" + + ```json + + { + "message": " ssh_dispatch_run_fatal: Connection from 1.2.3.4 port 49065: Connection corrupted [preauth]", + "event": { + "category": [ + "network" + ], + "outcome": "failure", + "type": [ + "protocol" + ] + }, + "action": { + "name": "negotiate", + "outcome": "failure", + "outcome_reason": "ssh_dispatch_run_fatal:", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49065 + } + } + + ``` + + === "connection_reset.json" ```json 
@@ -873,27 +1142,175 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` -=== "failed_password.json" +=== "disconnected_user_with_domain.json" ```json { - "message": " Failed password for backup from 1.2.3.4 port 60150 ssh2", + "message": " Disconnected from user jdoe@lexample.local 1.2.3.4 port 33480", "event": { "category": [ - "authentication" + "network" ], - "outcome": "failure", + "outcome": "success", "type": [ "end" ] }, "action": { "name": "connection", - "outcome": "failure", - "outcome_reason": "Failed password", + "outcome": "success", + "outcome_reason": "Disconnected from user jdoe@lexample.local 1.2.3.4 port 33480", "target": "user", - "type": "open" + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "hosts": [ + "lexample.local" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "lexample.local", + "domain": "lexample.local", + "ip": "1.2.3.4", + "port": 33480, + "subdomain": "lexample", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "failed_none.json" + + ```json + + { + "message": "Failed none for invalid user guest from 1.2.3.4 port 15806 ssh2", + "event": { + "category": [ + "authentication" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Failed none", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "guest" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 15806, + "user": { + "name": "guest" + } + }, + "user": { + "name": "guest" + } + } + + ``` + + +=== "failed_packet.json" + + ```json + + { + "message": "fatal: 
userauth_finish: send failure packet: Broken pipe [preauth]", + "event": { + "category": [ + "session" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "userauth_finish: send failure packet: Broken pipe [preauth]", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + +=== "failed_password.json" + + ```json + + { + "message": " Failed password for backup from 1.2.3.4 port 60150 ssh2", + "event": { + "category": [ + "authentication" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Failed password", + "target": "user", + "type": "open" }, "observer": { "product": "openssh", 
@@ -927,6 +1344,96 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "failed_password_redacted.json" + + ```json + + { + "message": " Failed password for invalid user ***** from 1.2.3.4 port 51894 ssh2", + "event": { + "category": [ + "authentication" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Failed password", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51894 + } + } + + ``` + + +=== "failure_timeout.json" + + ```json + + { + "message": "fatal: Timeout before authentication for 1.2.3.4 port 52076", + "event": { + "category": [ + "session" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Timeout before authentication", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 52076 + } + } + + ``` + + === "invalid_user.json" ```json @@ -945,7 +1452,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "name": "connection", "outcome": "failure", - "outcome_reason": "Invalid user jdoe from ssh.example.org port 48792", + "outcome_reason": "Invalid user", "target": "user", "type": "open" }, 
@@ -1032,6 +1539,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "invalid_user_redacted.json" + + ```json + + { + "message": " Invalid user ***** from 1.2.3.4 port 51894", + "event": { + "category": [ + "authentication" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Invalid user", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51894 + } + } + + ``` + + === "kex_exchange_identification.json" ```json @@ -1259,6 +1811,41 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "pam_service_ignoring_max_retries.json" + + ```json + + { + "message": "PAM service(sshd) ignoring max retries; 6 > 3", + "event": { + "category": [ + "session" + ], + "outcome": "failure", + "type": [ + "start" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "ignoring max retries; 6 > 3", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + === "pam_session_closed.json" ```json 
@@ -1355,6 +1942,110 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "pam_session_opened_2.json" + + ```json + + { + "message": " pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "outcome_reason": "pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "name": "jdoe" + } + }, + "user": { + "euid": "10357", + "id": "10357", + "name": "jdoe" + } + } + + ``` + + +=== "pam_winbind_granted_access.json" + + ```json + + { + "message": " pam_winbind(sshd:account): user 'jdoe@example.local' granted access", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "outcome_reason": "pam_winbind(sshd:account): user 'jdoe@example.local' granted access", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "hosts": [ + "example.local" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "example.local", + "domain": "example.local", + "subdomain": "example", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "received_disconnect_bye_bye.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md index 45a59d819c..72628c62b2 100644 
--- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md 
@@ -288,6 +288,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "vectra_host_lockdown.json" + + ```json + + { + "message": "- :{\"type\":\"some-type\",\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"HOST_LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.compa
ny.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", + "event": { + "action": "some-type", + "url": "https:/198.51.100.94/accounts/522" + }, + "observer": { + "ip": "198.51.100.94", + "version": "6.12" + }, + "related": { + "ip": [ + "198.51.100.94" + ] + }, + "vectra": { + "timestamp": 1633338457 + } + } + + ``` + + === "vectra_host_scoring.json" ```json 
@@ -452,6 +479,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "vectra_lockdown.json" + + ```json + + { + "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privil
ege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", + "event": { + "action": "LOCKDOWN", + "url": "https:/198.51.100.94/accounts/522" + }, + "observer": { + "ip": "198.51.100.94", + "version": "6.12" + }, + "related": { + "ip": [ + "198.51.100.94" + ] + }, + "vectra": { + "account": { + "id": 123456 + }, + "timestamp": 1633338457 + } + } + + ``` + + === "vectra_threat1.json" ```json 
@@ -500,6 +557,1316 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "vectra_threat1_10.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Desktop\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious Remote Desktop", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_11.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Execution\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, 
\"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious Remote Execution", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_12.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Internal Stage Loader\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + 
"192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Internal Stage Loader", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_13.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious LDAP Query\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious LDAP Query", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_14.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": 
\"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "RPC Recon", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_15.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RDP Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": 
"255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "RDP Recon", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_16.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port Sweep\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Port Sweep", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_17.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port 
Scan\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Port Scan", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_18.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"File Share Enumeration\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": 
{ + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "File Share Enumeration", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_19.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"External Remote Access\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "External Remote Access", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_2.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": 
\"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Cryptocurrency Mining\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Cryptocurrency Mining", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_20.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden DNS Tunnel\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": 
"https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Hidden DNS Tunnel", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_21.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"TOR Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "TOR Activity", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== 
"vectra_threat1_22.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden HTTPS Tunnel\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Hidden HTTPS Tunnel", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_23.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Threat Intelligence Match\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": 
\"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Threat Intelligence Match", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_24.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious HTTP\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious HTTP", + 
"type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_25.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Relay\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious Relay", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_3.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Dos\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, 
\"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Outbound Dos", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_4.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Port Sweep\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + 
"255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Outbound Port Sweep", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_5.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Brute-Force\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Brute-Force", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_6.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Ransomware File Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": 
\"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Ransomware File Activity", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_7.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Shell Knocker Client\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": 
"255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Shell Knocker Client", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_8.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"SQL Injection Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "SQL Injection Activity", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat1_9.json" + + ```json + + { + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": 
\"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Admin\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://255.255.255.1/detections/1900?detail_id=66777" + }, + "destination": { + "address": "10.43.0.81", + "ip": "10.43.0.81", + "port": 49668 + }, + "host": { + "ip": "192.168.71.1", + "name": "IP-192.168.71.1" + }, + "observer": { + "ip": "255.255.255.1", + "name": "255.255.255.1", + "version": "6.8" + }, + "related": { + "ip": [ + "10.43.0.81", + "192.168.71.1", + "255.255.255.1" + ] + }, + "vectra": { + "certainty": 86, + "detection": { + "id": 1900, + "name": "Suspicious Admin", + "type": "rpc_recon_1to1" + }, + "risk_score_norm": 70, + "severity": 7.0, + "timestamp": 1623742534, + "triaged": false + } + } + + ``` + + +=== "vectra_threat2.json" + + ```json + + { + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Alban\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"EXFILTRATION\\\",\\\"Detection Type\\\":\\\"Smash and Grab\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination 
Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"dmz.example.org\\\",\\\"label\\\":\\\"dmz.example.org\\\"},{\\\"value\\\":\\\"app.sekoia.io\\\",\\\"label\\\":\\\"app.sekoia.io\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":137,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", + "event": { + "outcome": "success", + "reason": "create triage filter" + }, + "observer": { + "ip": "1.2.3.1", + "name": "1.2.3.254", + "version": "7.6" + }, + "related": { + "ip": [ + "1.2.3.1", + "1.2.3.4" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" + }, + "vectra": { + "audit": { + "message": "create triage filter {\"Type\":\"Alban\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"EXFILTRATION\",\"Detection Type\":\"Smash and Grab\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Destination Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"dmz.example.org\",\"label\":\"dmz.example.org\"},{\"value\":\"app.sekoia.io\",\"label\":\"app.sekoia.io\"}],\"groups\":[]}}]}]},\"ID\":137,\"Hosts\":[\"SOC\"]}" + }, + "detection": { + "category": "EXFILTRATION", + "type": "Smash and Grab" + }, + "health": { + "message": "create triage filter {\"Type\":\"Alban\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"EXFILTRATION\",\"Detection Type\":\"Smash and Grab\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Destination 
Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"dmz.example.org\",\"label\":\"dmz.example.org\"},{\"value\":\"app.sekoia.io\",\"label\":\"app.sekoia.io\"}],\"groups\":[]}}]}]},\"ID\":137,\"Hosts\":[\"SOC\"]}" + }, + "timestamp": 1683633677, + "user": { + "role": "Super Admin" + } + } + } + + ``` + + +=== "vectra_threat3.json" + + ```json + + { + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Proxy\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"COMMAND & CONTROL\\\",\\\"Detection Type\\\":\\\"Hidden HTTPS Tunnel\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"C&CA Server Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"sedb.example.org\\\",\\\"label\\\":\\\"sedb.example.org\\\"}],\\\"groups\\\":[]}},{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination Port\\\",\\\"field\\\":\\\"remote1_port\\\",\\\"values\\\":[{\\\"value\\\":\\\"443\\\",\\\"label\\\":\\\"443\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":136,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", + "event": { + "outcome": "success", + "reason": "create triage filter" + }, + "observer": { + "ip": "1.2.3.1", + "name": "1.2.3.254", + "version": "7.6" + }, + "related": { + "ip": [ + "1.2.3.1", + "1.2.3.4" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" + }, + "vectra": { + "audit": { + "message": "create triage filter 
{\"Type\":\"Proxy\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"COMMAND & CONTROL\",\"Detection Type\":\"Hidden HTTPS Tunnel\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"C&CA Server Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"sedb.example.org\",\"label\":\"sedb.example.org\"}],\"groups\":[]}},{\"ANY_OF\":{\"label\":\"Destination Port\",\"field\":\"remote1_port\",\"values\":[{\"value\":\"443\",\"label\":\"443\"}],\"groups\":[]}}]}]},\"ID\":136,\"Hosts\":[\"SOC\"]}" + }, + "detection": { + "category": "COMMAND & CONTROL", + "type": "Hidden HTTPS Tunnel" + }, + "health": { + "message": "create triage filter {\"Type\":\"Proxy\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"COMMAND & CONTROL\",\"Detection Type\":\"Hidden HTTPS Tunnel\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"C&CA Server Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"sedb.example.org\",\"label\":\"sedb.example.org\"}],\"groups\":[]}},{\"ANY_OF\":{\"label\":\"Destination Port\",\"field\":\"remote1_port\",\"values\":[{\"value\":\"443\",\"label\":\"443\"}],\"groups\":[]}}]}]},\"ID\":136,\"Hosts\":[\"SOC\"]}" + }, + "timestamp": 1683633677, + "user": { + "role": "Super Admin" + } + } + } + + ``` + + +=== "vectra_threat4.json" + + ```json + + { + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"edit triage filter \\\"Alban\\\" - id 11 Smash and Gab - 
context changed from \\\"{'host_match_count': 1, 'critical_host_count': 0}\\\" to \\\"{'host_match_count': 2, 'critical_host_count': 0}\\\"\",\"vectra_timestamp\":\"1683633677\"}",
+ "event": {
+ "outcome": "success",
+ "reason": "edit triage filter"
+ },
+ "observer": {
+ "ip": "1.2.3.1",
+ "name": "1.2.3.254",
+ "version": "7.6"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.1",
+ "1.2.3.4"
+ ],
+ "user": [
+ "admin"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "name": "admin"
+ },
+ "vectra": {
+ "audit": {
+ "message": "edit triage filter \"Alban\" - id 11 Smash and Gab - context changed from \"{'host_match_count': 1, 'critical_host_count': 0}\" to \"{'host_match_count': 2, 'critical_host_count': 0}\""
+ },
+ "detection": {
+ "type": "Smash and Gab"
+ },
+ "filter": {
+ "type": "Alban"
+ },
+ "health": {
+ "message": "edit triage filter \"Alban\" - id 11 Smash and Gab - context changed from \"{'host_match_count': 1, 'critical_host_count': 0}\" to \"{'host_match_count': 2, 'critical_host_count': 0}\""
+ },
+ "timestamp": 1683633677,
+ "user": {
+ "role": "Super Admin"
+ }
+ }
+ }
+
+ ```
+
+
@@ -515,6 +1882,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`destination.port` | `long` | Port of the destination. |
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.url` | `keyword` | Event investigation URL |
 |`host.id` | `keyword` | Unique host id. |
 |`host.ip` | `ip` | Host ip addresses. |
@@ -544,6 +1912,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`vectra.detection.base_object` | `keyword` | The base distinguished name. |
 |`vectra.detection.bytes_received` | `keyword` | The bytes of data received. |
 |`vectra.detection.bytes_sent` | `keyword` | The bytes of data sent. |
+|`vectra.detection.category` | `keyword` | Detection Category. |
 |`vectra.detection.client_name` | `keyword` | The RDP client name. |
 |`vectra.detection.client_token` | `keyword` | The RDP client token. |
 |`vectra.detection.cookie` | `keyword` | The RDP client token. |
@@ -575,7 +1944,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`vectra.detection.profile` | `object` | The detection profile associated with this host. |
 |`vectra.detection.protocol` | `keyword` | The external protocol used. |
 |`vectra.detection.ransom_notes` | `keyword` | Ransome notes found. |
-|`vectra.detection.reason` | `keyword` | The event name of the campaign or The reason this is suspicious or The error code or The indicating reason. |
+|`vectra.detection.reason` | `keyword` | Event name of the campaign or reason this is suspicious or error code or indicating reason. |
 |`vectra.detection.received_normal_pattern` | `keyword` | Example received normal pattern. |
 |`vectra.detection.received_pattern` | `keyword` | The received pattern. |
 |`vectra.detection.referer` | `keyword` | The referer. |
@@ -595,6 +1964,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`vectra.detection.type` | `keyword` | keyword |
 |`vectra.detection.url` | `keyword` | The suspicous URL. |
 |`vectra.detection.uuid` | `keyword` | The RPC UUID. |
+|`vectra.filter.type` | `keyword` | The type of filter |
 |`vectra.health.message` | `text` | A message explains the cause/nature of the log |
 |`vectra.history.account_access` | `array` | The account access history associated with this host. |
 |`vectra.history.host_access` | `object` | The host access history associated with this account. |
diff --git a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
new file mode 100644
index 0000000000..7f24a9c810
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
@@ -0,0 +1,101 @@
+
+## Event Categories
+
+
+The following table lists the data source offered by this integration.
+
+| Data Source | Description |
+| ----------- | ------------------------------------ |
+| `Web application firewall logs` | Ubika detects and mitigates threats against web applications and APIs |
+
+
+
+
+
+In details, the following table denotes the type of events produced by this integration.
+
+| Name | Values |
+| ---- | ------ |
+| Kind | `alert` |
+| Category | `intrusion_detection` |
+| Type | `` |
+
+
+
+## Event Samples
+
+Find below few samples of events and how they are normalized by Sekoia.io.
+
+
+=== "test_detection.json"
+
+ ```json
+
+ {
+ "message": "{\"application_id\": \"www.some-app.com\", \"id\": \"4.1.4.0\", \"reason\": \"module_name == 'eaccess' and event.SECURITY_URL == '/phpinfo.php' and event.SECURITY_ATTACKID == '10527-0 ' and tokens['http_ea__block_reason'] == 'http_blacklist' and tokens['http_ea__block_part'] == 'uri' and tokens['http_ea_bl__is_custom_rule'] == False and tokens['http_ea_seclist__is_combine_rule'] == False and tokens['http_ea_seclist__is_virtual_patching'] == False\", \"http_method\": \"GET\", \"rule_id\": \"10527-0 \", \"attack_family\": \"Information Disclosure\", \"ip_source\": \"1.2.3.4\", \"traffic_id\": \"ZhVpbQoAQi8AAE2yAksAAAAA\", \"path\": \"/phpinfo.php\", \"timestamp\": 1712679277}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "module_name == 'eaccess' and event.SECURITY_URL == '/phpinfo.php' and event.SECURITY_ATTACKID == '10527-0 ' and tokens['http_ea__block_reason'] == 'http_blacklist' and tokens['http_ea__block_part'] == 'uri' and tokens['http_ea_bl__is_custom_rule'] == False and tokens['http_ea_seclist__is_combine_rule'] == False and tokens['http_ea_seclist__is_virtual_patching'] == False"
+ },
+ "@timestamp": "2024-04-09T16:14:37Z",
+ "http": {
+ "request": {
+ "method": "GET"
+ }
+ },
+ "observer": {
+ "product": "Cloud protector",
+ "vendor": "Ubika"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "rule": {
+ "id": "10527-0"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "ubika": {
+ "cloud_protector": {
+ "application_id": "www.some-app.com"
+ }
+ },
+ "url": {
+ "path": "/phpinfo.php"
+ }
+ }
+
+ ```
+
+
+
+
+
+## Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
+
+| Name | Type | Description |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
+|`http.request.method` | `keyword` | HTTP request method. |
+|`observer.product` | `keyword` | The product name of the observer. |
+|`observer.vendor` | `keyword` | Vendor name of the observer. |
+|`rule.id` | `keyword` | Rule ID |
+|`source.ip` | `ip` | IP address of the source. |
+|`ubika.cloud_protector.application_id` | `keyword` | |
+|`ubika.cloud_protector.attack_id` | `keyword` | |
+|`url.path` | `wildcard` | Path of the request, such as "/search". |
+|`url.query` | `keyword` | Query string of the request. |
+
diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md
index f24f224324..669e7b90cb
--- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md
+++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md
@@ -43,6 +43,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "info"
 ]
 },
+ "log": {
+ "syslog": {
+ "appname": "postfix/anvil"
+ }
+ },
 "network": {
 "protocol": "smtp"
 },
@@ -60,12 +65,166 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "appname_postfix_error.json" + + ```json + + { + "message": "2298F5F619: to=, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "admin@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/error" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + +=== "appname_postfix_local.json" + + ```json + + { + "message": "11FDF5F62A: to=, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "sub.corp.com", + "domain": "sub.corp.com", + "registered_domain": "corp.com", + "subdomain": "sub", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "USER@sub.corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/local" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "sub.corp.com" + ] + } + } + + ``` + + +=== "bounced.json" + + ```json + + { + "message": "3D770111AF50: to=, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. 
Name service error for name=corp.com type=AAAA: Host not found)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "bounced", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "username@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + === "cleanup.json" ```json { - "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[52.100.135.105]; from=<> to= proto=ESMTP helo=", + "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to= proto=ESMTP helo=", "event": { "category": [ "email" @@ -74,6 +233,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "destination": { + "address": "exemple.com", + "domain": "exemple.com", + "registered_domain": "exemple.com", + "top_level_domain": "com" + }, "email": { "to": { "address": [ 
@@ -87,114 +252,162 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "image003.jpg", "size": 26055 }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, "network": { - "protocol": "ESMTP" + "protocol": "smtp" }, "related": { "hosts": [ + "exemple.com", "mail.outbound.protection.outlook.com" + ], + "ip": [ + "1.1.1.1" ] }, "source": { - "address": "52.100.135.105", - "domain": "mail.outbound.protection.outlook.com" + "address": "mail.outbound.protection.outlook.com", + "domain": "mail.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail.outbound.protection", + "top_level_domain": "com" } } ``` -=== "connect.json" +=== "cleanup2.json" ```json { - "message": "disconnect from unknown[170.20.104.2] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4", + "message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from= to= proto=ESMTP helo=", "event": { "category": [ "email" ], - "outcome": "success", "type": [ "info" ] }, - "action": { - "name": "disconnect", - "outcome": "success", - "target": "network-traffic" + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "foo@corp.com" + ] + }, + "to": { + "address": [ + "first.last@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } }, "network": { "protocol": "smtp" }, "related": { + "hosts": [ + "corp.com" + ], "ip": [ - "170.20.104.2" + "10.1.1.1" ] }, "source": { - "address": "170.20.104.2", - "ip": "170.20.104.2" + "address": "corp.com", + "domain": "corp.com", + "ip": "10.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" } } ``` -=== "connection_limited.json" +=== "cleanup3.json" ```json { - "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections 
limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from= to= proto=ESMTP helo= 279", "event": { "category": [ "email" ], - "outcome": "success", - "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.", "type": [ "info" ] }, - "action": { - "outcome": "success", - "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", - "target": "network-traffic", - "type": "end of DATA" - }, "destination": { - "address": "52.97.201.210", - "domain": "smtp.office365.com", - "ip": "52.97.201.210" + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "email@corp.com" + ] + }, + "to": { + "address": [ + "email@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" }, "related": { "hosts": [ - "P212321.PROD.OUTLOOK.COM", - "smtp.office365.com" + "corp.com" ], "ip": [ - "52.97.201.210" + "10.1.1.1" ] }, "source": { - "address": "P212321.PROD.OUTLOOK.COM", - "domain": "P212321.PROD.OUTLOOK.COM", - "registered_domain": "OUTLOOK.COM", - "subdomain": "P212321.PROD", - "top_level_domain": "COM" + "address": "corp.com", + "domain": "corp.com", + "ip": "10.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" } } ``` -=== "dns.json" +=== "cleanup4.json" ```json { - "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org", + "message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; 
from= to= proto=ESMTP helo=", "event": { "category": [ "email" @@ -204,23 +417,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "destination": { - "address": "ns1.example.org", - "domain": "ns1.example.org", - "registered_domain": "example.org", - "subdomain": "ns1", - "top_level_domain": "org" + "address": "office365.eu.vadesecure.com", + "domain": "office365.eu.vadesecure.com", + "registered_domain": "vadesecure.com", + "subdomain": "office365.eu", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "ndr.journaling@corp.com" + ] + }, + "to": { + "address": [ + "corp@office365.eu.vadesecure.com" + ] + } + }, + "file": { + "created": "2024-03-14T10:19:00Z", + "ctime": "2024-03-14T10:19:00Z", + "name": "image001.png", + "size": 8879 + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" }, "related": { "hosts": [ - "ns1.example.org" + "office365.eu.vadesecure.com", + "subdomain.key.corp.com" + ], + "ip": [ + "1.1.1.1" ] + }, + "source": { + "address": "subdomain.key.corp.com", + "domain": "subdomain.key.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "subdomain.key", + "top_level_domain": "com" } } ``` -=== "filename3.json" +=== "cleanup5.json" ```json @@ -234,6 +485,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "destination": { + "address": "lacomte.net", + "domain": "lacomte.net", + "registered_domain": "lacomte.net", + "top_level_domain": "net" + }, "email": { "from": { "address": [ 
@@ -249,18 +506,1216 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file": { "name": "?iso-8859-2?q?representative_on_migration.pdf?=", "size": 259210 + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "lacomte.net", + "mordor.com" + ] + }, + "source": { + "address": "mordor.com", + "domain": "mordor.com", + "registered_domain": "mordor.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "client.json" + + ```json + + { + "message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "COMPUTER.sub.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "COMPUTER.sub.corp.com", + "domain": "COMPUTER.sub.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "COMPUTER.sub", + "top_level_domain": "com" + } + } + + ``` + + +=== "client_address_field_with_mask.json" + + ```json + + { + "message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client whitelist", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client whitelist", + "target": "network-traffic" + }, + "destination": { + "address": "corp2.fr", + "domain": "corp2.fr", + "registered_domain": "corp2.fr", + "top_level_domain": "fr" + }, + "email": { + "from": { + "address": [ + "firstname.lastname@corp.fr" + ] + }, + "to": { + "address": [ + "firstname.lastname@corp2.fr" + ] + } + }, + "log": { + "syslog": { + "appname": "postgrey" + } + }, + 
"network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp2.fr", + "mail-corp123.outbound.protection.outlook.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail-corp123.outbound.protection.outlook.com", + "domain": "mail-corp123.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail-corp123.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "connect.json" + + ```json + + { + "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "connection_limited.json" + + ```json + + { + "message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "Concurrent connections limit exceeded. 
Visit https://aka.ms/concurrent_sending for more information.", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "1.1.1.1", + "domain": "smtp.office365.com", + "ip": "1.1.1.1" + }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "P212321.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "P212321.PROD.OUTLOOK.COM", + "domain": "P212321.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "P212321.PROD", + "top_level_domain": "COM" + } + } + + ``` + + +=== "counter.json" + + ```json + + { + "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "localhost", + "domain": "localhost", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "counter2.json" + + ```json + + { + "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + 
"address": "localhost", + "domain": "localhost", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "counter3.json" + + ```json + + { + "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "delivered_via_spamfilter.json" + + ```json + + { + "message": "EF0B15F675: to=, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "firstname.lastname@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/pipe" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + +=== "dns.json" + + ```json + + { + "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "ns1.example.org", + "domain": "ns1.example.org", + "registered_domain": "example.org", + "subdomain": "ns1", + "top_level_domain": "org" + }, + "log": { + "syslog": { + "appname": "spamd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "ns1.example.org" + ] + } + } + + ``` + + +=== "message_id.json" + + ```json + + { + 
"message": "476295F5AD: message-id=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "aaaaaaaaaa=@pm.me" + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "message_id2.json" + + ```json + + { + "message": "123456789: message-id=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "foo@corp.com" + }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "noqueue.json" + + ```json + + { + "message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 294", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "filter", + "outcome": "success", + "target": "network-traffic", + "type": "RCPT" + }, + "destination": { + "address": "othercorp.com", + "domain": "othercorp.com", + "registered_domain": "othercorp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "foo.bar@subdomain.corp.com" + ] + }, + "to": { + "address": [ + "firstname.lastname@othercorp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "foo.key.corp.com", + "othercorp.com" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "foo.key.corp.com", + "domain": "foo.key.corp.com", + "ip": "192.168.1.1", + "registered_domain": "corp.com", + "subdomain": "foo.key", + "top_level_domain": "com" + } + } + + ``` + + +=== "noqueue2.json" + + ```json + + { + "message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 299", + "event": { + "category": [ + "email" + ], + 
"outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "filter", + "outcome": "success", + "target": "network-traffic", + "type": "RCPT" + }, + "destination": { + "address": "corp2.com", + "domain": "corp2.com", + "registered_domain": "corp2.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "firstname.firstname@subdomain.corp.com" + ] + }, + "to": { + "address": [ + "firstname.lastname@corp2.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "HOSTNAME.key.corp.com", + "corp2.com" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "HOSTNAME.key.corp.com", + "domain": "HOSTNAME.key.corp.com", + "ip": "192.168.1.1", + "registered_domain": "corp.com", + "subdomain": "HOSTNAME.key", + "top_level_domain": "com" + } + } + + ``` + + +=== "nospam.json" + + ```json + + { + "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "1.2.3.4", + "domain": "example.org", + "ip": "1.2.3.4", + "port": 25 + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "pass.json" + + ```json + + { + "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "triplet found", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "triplet found", + "target": "network-traffic" + }, + "destination": { + "address": "lacomte.net", + "domain": "lacomte.net", + 
"registered_domain": "lacomte.net", + "top_level_domain": "net" + }, + "email": { + "from": { + "address": [ + "mechant@mordor.com" + ] + }, + "to": { + "address": [ + "Pipin.touque@lacomte.net" + ] + } + }, + "log": { + "syslog": { + "appname": "postgrey" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "lacomte.net", + "mordor.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mordor.com", + "domain": "mordor.com", + "ip": "1.1.1.1", + "registered_domain": "mordor.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "pass2.json" + + ```json + + { + "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client AAA", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client AAA", + "target": "network-traffic" + }, + "destination": { + "address": "acme.com", + "domain": "acme.com", + "registered_domain": "acme.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "Coyotte@acme.com" + ] + }, + "to": { + "address": [ + "BIPBIP.NEWMAN@acme.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postgrey" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "acme.com", + "example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.com", + "domain": "example.com", + "ip": "1.2.3.4", + "registered_domain": "example.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "policydspf1.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver= Reject action: 550 5.7.23 210", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": 
{ + "name": "reject", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "ops@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "corp.com", + "domain": "corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "policydspf2.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "prvs=30447fe13=no-reply@example.com" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.com", + "domain": "mx.example.com", + "ip": "1.2.3.4", + "registered_domain": "example.com", + "subdomain": "mx", + "top_level_domain": "com" + } + } + + ``` + + +=== "policydspf3.json" + + ```json + + { + "message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "doe@newsletter.example.org" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + 
"mta-11-22-33-44.example.or" + ], + "ip": [ + "11.22.33.44" + ] + }, + "source": { + "address": "mta-11-22-33-44.example.or", + "domain": "mta-11-22-33-44.example.or", + "ip": "11.22.33.44", + "subdomain": "mta-11-22-33-44.example" + } + } + + ``` + + +=== "policydspf4.json" + + ```json + + { + "message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver= 131", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Pass", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "username@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail.corp.com", + "domain": "mail.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "mail", + "top_level_domain": "com" + } + } + + ``` + + +=== "policydspf5.json" + + ```json + + { + "message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver= 128", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "noreply@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "sub.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "sub.corp.com", + "domain": "sub.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "sub", + "top_level_domain": "com" + } + } + + ``` + + +=== "policydspf6.json" + + ```json + + { + "message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver= 120", + "event": { + "category": [ + "email" + ], + "outcome": "success", + 
"type": [ + "info" + ] + }, + "action": { + "name": "Softfail", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "username@corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "policyd-spf" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "corp.com", + "domain": "corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "qmgr.json" + + ```json + + { + "message": "89BE920002: from=, size=152518, nrcpt=1 (queue active)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "test1@acme.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/qmgr" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "acme.com" + ] + }, + "source": { + "address": "acme.com", + "domain": "acme.com", + "registered_domain": "acme.com", + "top_level_domain": "com" } } ``` -=== "nospam.json" +=== "qmgr2.json" ```json { - "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)", + "message": "074955F67C: from=, size=4303, nrcpt=1 (queue active)", "event": { "category": [ "email" 
@@ -269,31 +1724,44 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "destination": { - "address": "1.2.3.4", - "domain": "example.org", - "ip": "1.2.3.4", - "port": 25 + "email": { + "from": { + "address": [ + "bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/qmgr" + } + }, + "network": { + "protocol": "smtp" }, "related": { "hosts": [ - "example.org" - ], - "ip": [ - "1.2.3.4" + "hrd.corp.com" ] + }, + "source": { + "address": "hrd.corp.com", + "domain": "hrd.corp.com", + "registered_domain": "corp.com", + "subdomain": "hrd", + "top_level_domain": "com" } } ``` -=== "pass.json" +=== "queued.json" ```json { - "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=193.0.178.186, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net", + "message": "CA9311112C08: to=, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257", "event": { "category": [ "email" 
@@ -304,47 +1772,51 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "action": { - "name": "pass", + "name": "sent", "outcome": "success", - "outcome_reason": "triplet found", + "outcome_reason": "success", "target": "network-traffic" }, + "destination": { + "address": "1.1.1.1", + "domain": "srv.corp.com", + "ip": "1.1.1.1", + "port": 25 + }, "email": { - "from": { - "address": [ - "mechant@mordor.com" - ] - }, "to": { "address": [ - "Pipin.touque@lacomte.net" + "f.lastname@corp.com" ] } }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "mordor.com" + "srv.corp.com" ], "ip": [ - "193.0.178.186" + "1.1.1.1" ] - }, - "source": { - "address": "193.0.178.186", - "domain": "mordor.com", - "ip": "193.0.178.186" } } ``` -=== "pass2.json" +=== "relay.json" ```json { - "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com", + "message": "56E28C0007: to=, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)", "event": { "category": [ "email" 
@@ -355,119 +1827,120 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "action": { - "name": "pass", + "name": "sent", "outcome": "success", - "outcome_reason": "client AAA", + "outcome_reason": "success", "target": "network-traffic" }, + "destination": { + "address": "1.1.1.1", + "domain": "1.1.1.1", + "ip": "1.1.1.1", + "port": 10025 + }, "email": { - "from": { - "address": [ - "Coyotte@acme.com" - ] - }, "to": { "address": [ - "BIPBIP.NEWMAN@acme.com" + "rob@exemple.com" ] } }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "example.com" + "1.1.1.1" ], "ip": [ - "1.2.3.4" + "1.1.1.1" ] - }, - "source": { - "address": "1.2.3.4", - "domain": "example.com", - "ip": "1.2.3.4" } } ``` -=== "pass4.json" +=== "replace_header.json" ```json { - "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver= Reject action: 550 5.7.23", + "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: 
From: [noreply@example.org](mailto:noreply@example.org)", "event": { "category": [ "email" ], - "outcome": "success", "type": [ "info" ] }, - "action": { - "name": "reject", - "outcome": "success", - "outcome_reason": "SPF validation failed", - "target": "network-traffic" - }, "email": { "from": { "address": [ - "prvs=30447fe13=no-reply@example.com" + "hola@example.org" ] } }, + "log": { + "syslog": { + "appname": "postfix/cleanup" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "mx.example.com" - ], - "ip": [ - "1.2.3.4" + "example.org" ] }, "source": { - "address": "1.2.3.4", - "domain": "mx.example.com", - "ip": "1.2.3.4" + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" } } ``` -=== "pass5.json" +=== "sasl_login.json" ```json { - "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=", + "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure", "event": { "category": [ "email" ], + "reason": "SASL LOGIN authentication failed: authentication failure", "type": [ "info" ] }, - "email": { - "from": { - "address": [ - "doe@newsletter.example.org" - ] + "log": { + "syslog": { + "appname": "postfix/cleanup" } }, + "network": { + "protocol": "smtp" + }, "related": { - "hosts": [ - "mta-11-22-33-44.example.or" - ], "ip": [ "11.22.33.44" ] }, "source": { "address": "11.22.33.44", - "domain": "mta-11-22-33-44.example.or", "ip": "11.22.33.44" } } @@ -475,12 +1948,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` -=== "qmgr.json" +=== "smtp_connection3_timed_out.json" ```json { - "message": "89BE920002: from=, size=152518, nrcpt=1 (queue active)", + "message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125", "event": { "category": [ "email" 
@@ -489,24 +1962,39 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "email": { - "from": { - "address": [ - "test1@acme.com" - ] + "destination": { + "address": "1.1.1.1", + "domain": "mail.corp.com", + "ip": "1.1.1.1", + "port": 25 + }, + "log": { + "syslog": { + "appname": "postfix/smtp" } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.corp.com" + ], + "ip": [ + "1.1.1.1" + ] } } ``` -=== "relay.json" +=== "smtp_relay.json" ```json { - "message": "56E28C0007: to=, relay=174.133.212.30[174.133.212.30]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)", + "message": "96887C0006: to=, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))", "event": { "category": [ "email" @@ -517,16 +2005,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "action": { - "name": "sent", + "name": "deferred", "outcome": "success", - "outcome_reason": "success", + "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition", "target": "network-traffic" }, "destination": { - "address": "174.133.212.30", - "domain": "174.133.212.30", - "ip": "174.133.212.30", - "port": 10025 + "address": "1.1.1.1", + "domain": "exemple.com", + "ip": "1.1.1.1", + "port": 25 }, "email": { "to": { @@ -535,12 +2023,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] } }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "174.133.212.30" + "exemple.com" ], "ip": [ - "174.133.212.30" + "1.1.1.1" ] } } 
@@ -548,136 +2044,168 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` -=== "replace_header.json" +=== "smtpd_connection.json" ```json { - "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: 
From: [noreply@example.org](mailto:noreply@example.org)", + "message": "lost connection after AUTH from unknown[1.1.1.1]", "event": { "category": [ "email" ], + "outcome": "success", "type": [ "info" ] }, - "email": { - "from": { - "address": [ - "hola@example.org" - ] + "action": { + "name": "lost connection", + "outcome": "success", + "target": "network-traffic", + "type": "AUTH" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" } } ``` -=== "sasl_login.json" +=== "smtpd_connection2.json" ```json { - "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure", + "message": "connect from unknown[10.1.1.1] 88", "event": { "category": [ "email" ], - "reason": "SASL LOGIN authentication failed: authentication failure", + "outcome": "success", "type": [ "info" ] }, + "action": { + "name": "connect", + "outcome": "success", + "target": "network-traffic" + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "ip": [ - "11.22.33.44" + "10.1.1.1" ] }, "source": { - "address": "11.22.33.44", - "ip": "11.22.33.44" + "address": "10.1.1.1", + "ip": "10.1.1.1" } } ``` -=== "smtp_connection.json" +=== "smtpd_tls.json" ```json { - "message": "lost connection after AUTH from unknown[185.234.219.5]", + "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)", "event": { "category": [ "email" ], - "outcome": "success", "type": [ "info" ] }, - "action": { - "name": "lost connection", - "outcome": "success", - "target": "network-traffic", - "type": "AUTH" + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" }, "related": { + "hosts": [ + 
"mail.outbound.protection.outlook.com" + ], "ip": [ - "185.234.219.5" + "1.1.1.1" ] }, "source": { - "address": "185.234.219.5", - "ip": "185.234.219.5" + "address": "mail.outbound.protection.outlook.com", + "domain": "mail.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail.outbound.protection", + "top_level_domain": "com" } } ``` -=== "smtp_relay.json" +=== "smtpd_tls2.json" ```json { - "message": "96887C0006: to=, relay=exemple.com[174.133.212.29]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[174.133.212.29] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))", + "message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256", "event": { "category": [ "email" ], - "outcome": "success", "type": [ "info" ] }, - "action": { - "name": "deferred", - "outcome": "success", - "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition", - "target": "network-traffic" - }, "destination": { - "address": "174.133.212.29", - "domain": "exemple.com", - "ip": "174.133.212.29", + "address": "1.1.1.1", + "domain": "mx.corp.com", + "ip": "1.1.1.1", "port": 25 }, - "email": { - "to": { - "address": [ - "rob@exemple.com" - ] + "log": { + "syslog": { + "appname": "postfix/smtpd" } }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "exemple.com" + "mx.corp.com" ], "ip": [ - "174.133.212.29" + "1.1.1.1" ] } } 
@@ -685,12 +2213,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` -=== "smtpd_tls.json" +=== "smtpd_tls3.json" ```json { - "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[40.107.6.96]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)", + "message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201", "event": { "category": [ "email" @@ -699,18 +2227,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 + }, + "log": { + "syslog": { + "appname": "postfix/smtpd" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ - "mail.outbound.protection.outlook.com" + "127.0.0.1" ], "ip": [ - "40.107.6.96" + "127.0.0.1" ] - }, - "source": { - "address": "40.107.6.96", - "domain": "mail.outbound.protection.outlook.com", - "ip": "40.107.6.96" } } @@ -734,6 +2271,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email": { "message_id": "<11111111111111@uexample.org>" }, + "log": { + "syslog": { + "appname": "spamd" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ "127.0.0.1" @@ -776,6 +2321,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "destination": { "port": 783 }, + "log": { + "syslog": { + "appname": "spamd" + } + }, + "network": { + "protocol": "smtp" + }, "related": { "hosts": [ "example.org"