

Refresh intakes documentation
sekoia-io-cross-repo-comm-app[bot] authored and github-actions[bot] committed Apr 25, 2024
1 parent 151ea8d commit dce2cc0
Showing 7 changed files with 1,767 additions and 9 deletions.
Expand Up @@ -68,6 +68,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"process": {
"command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc",
"executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
"name": "svchost.exe",
"parent": {
"name": "services.exe",
"pid": 11768266
Expand Down Expand Up @@ -319,6 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"process": {
"command_line": "\"gpupdate.exe\" /target:computer",
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe",
"name": "gpupdate.exe",
"parent": {
"name": "svchost.exe",
"pid": 158964342720
Expand Down Expand Up @@ -495,6 +497,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"process": {
"command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
"executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe",
"name": "conhost.exe",
"parent": {
"pid": 416639351024
},
Expand Down Expand Up @@ -718,7 +721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"command_line": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"",
"executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe"
"executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe",
"name": "cscript.exe"
},
"related": {
"ip": [
Expand Down Expand Up @@ -888,6 +892,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"args": "MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1",
"command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
"executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
"name": "ManagedClient",
"parent": {
"name": "launchd",
"pid": 494714991831837524
Expand Down Expand Up @@ -949,6 +954,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"registry": {
"data": {
"strings": "Interactive User"
},
"hive": "MACHINE",
"key": "SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}",
"path": "MACHINE\\SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\\RunAs",
Expand Down Expand Up @@ -1001,7 +1009,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"command_line": "C:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup",
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe"
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
"name": "svchost.exe"
},
"related": {
"ip": [
Expand Down Expand Up @@ -1227,6 +1236,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"process": {
"command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2",
"executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe",
"name": "AcroCEF.exe",
"parent": {
"name": "AcroCEF.exe",
"pid": 1084277996656
Expand Down Expand Up @@ -1342,7 +1352,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll"
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll",
"name": "shell32.dll"
},
"related": {
"hash": [
Expand Down Expand Up @@ -1779,6 +1790,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"process": {
"command_line": "C:\\WINDOWS\\System32\\rundll32.exe",
"executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe",
"name": "rundll32.exe",
"parent": {
"name": "setup.exe",
"pid": 288633815511
Expand Down Expand Up @@ -1980,7 +1992,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s BITS",
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe"
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
"name": "svchost.exe"
},
"related": {
"ip": [
Expand All @@ -1997,6 +2010,60 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "telemetry_event_40.json"

```json

{
"message": "{\"AsepFlags\": \"5\", \"ContextThreadId\": \"1216191193\", \"aip\": \"45.85.223.11\", \"RegObjectName\": \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\", \"Data1\": \"00\", \"RegOperationType\": \"1\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"TargetCommandLineParameters\": \"\", \"EventOrigin\": \"1\", \"id\": \"6802cffe-a2a5-489f-8e7f-b70331921d65\", \"EffectiveTransmissionClass\": \"3\", \"RegStringValue\": \"Explorer.exe\", \"timestamp\": \"1712663526832\", \"event_simpleName\": \"AsepValueUpdate\", \"ContextTimeStamp\": \"1712663526.308\", \"ConfigStateHash\": \"3318804059\", \"RegType\": \"1\", \"ContextProcessId\": \"235686529\", \"AsepClass\": \"9\", \"AsepIndex\": \"32\", \"AuthenticationId\": \"427985\", \"ConfigBuild\": \"1007.3.0017605.10\", \"RegValueName\": \"Shell\", \"AsepValueType\": \"0\", \"Entitlements\": \"15\", \"name\": \"AsepValueUpdateV7\", \"aid\": \"11111111111111111111111111111111\", \"cid\": \"22222222222222222222222222222222\", \"TargetFileName\": \"\"}",
"event": {
"action": "AsepValueUpdate",
"category": [
"registry"
],
"type": [
"change"
]
},
"@timestamp": "2024-04-09T11:52:06.832000Z",
"agent": {
"id": "11111111111111111111111111111111"
},
"crowdstrike": {
"customer_id": "22222222222222222222222222222222"
},
"host": {
"ip": [
"45.85.223.11"
],
"os": {
"platform": "win"
}
},
"registry": {
"data": {
"strings": "Explorer.exe"
},
"hive": "MACHINE",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"path": "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
"value": "Shell"
},
"related": {
"ip": [
"45.85.223.11"
]
},
"source": {
"nat": {
"ip": "45.85.223.11"
}
}
}
```


=== "telemetry_event_5.json"

```json
Expand Down Expand Up @@ -2283,6 +2350,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc",
"end": "2022-08-20T19:06:18.014000Z",
"executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
"name": "svchost.exe",
"parent": {
"name": "services.exe",
"pid": 11768266
Expand Down Expand Up @@ -2355,11 +2423,13 @@ The following table lists the fields that are extracted, normalized under the EC
|`process.command_line` | `wildcard` | Full command line that started the process. |
|`process.end` | `date` | The time the process ended. |
|`process.executable` | `keyword` | Absolute path to the process executable. |
|`process.name` | `keyword` | Process name. |
|`process.parent.name` | `keyword` | Process name. |
|`process.parent.pid` | `long` | Process id. |
|`process.pid` | `long` | Process id. |
|`process.start` | `date` | The time the process started. |
|`process.thread.id` | `long` | Thread ID. |
|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. |
|`registry.hive` | `keyword` | Abbreviated name for the hive. |
|`registry.key` | `keyword` | Hive-relative path of keys. |
|`registry.path` | `keyword` | Full path, including hive, key and value |
Expand Up @@ -1119,6 +1119,110 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"user": {
"email": "[email protected]",
"full_name": "bar foo"
},
"user_agent": {
"device": {
"name": "iPhone"
},
"name": "Mobile Safari UI/WKWebView",
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
"os": {
"name": "iOS",
"version": "14.4"
}
}
}
```


=== "user_risk_detection_2.json"

```json

{
"message": "{\"time\": \"3/24/2022 2:42:35 PM\", \"resourceId\": \"/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam\", \"operationName\": \"User Risk Detection\", \"operationVersion\": \"1.0\", \"category\": \"UserRiskEvents\", \"tenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"resultSignature\": \"None\", \"durationMs\": 0, \"callerIpAddress\": \"11.22.33.44\", \"correlationId\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"identity\": \"bar foo\", \"Level\": 4, \"location\": \"fr\", \"properties\": {\"id\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"requestId\": \"d38b6ab7-65b0-419c-b83a-a5787d6fa100\", \"correlationId\": \"325294e4-4026-4cc7-889d-b4be570b3254\", \"riskType\": \"unfamiliarFeatures\", \"riskEventType\": \"unfamiliarFeatures\", \"riskState\": \"atRisk\", \"riskLevel\": \"low\", \"riskDetail\": \"none\", \"source\": \"IdentityProtection\", \"detectionTimingType\": \"realtime\", \"activity\": \"signin\", \"ipAddress\": \"11.22.33.44\", \"location\": {\"city\": \"\", \"state\": \"\", \"countryOrRegion\": \"FR\", \"geoCoordinates\": {\"altitude\": 0, \"latitude\": 46, \"longitude\": 2}}, \"activityDateTime\": \"2023-10-26T5:32:08.107Z\", \"detectedDateTime\": \"2023-10-26T5:32:08.107Z\", \"lastUpdatedDateTime\": \"2023-10-26T5:35:05.938Z\", \"userId\": \"4c64c30a-7a60-4211-bef1-5e4279854e85\", \"userDisplayName\": \"bar foo\", \"userPrincipalName\": \"[email protected]\", \"additionalInfo\": \"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarASN\\\",\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 
PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null}]\", \"tokenIssuerType\": \"AzureAD\", \"resourceTenantId\": null, \"homeTenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"userType\": \"member\", \"crossTenantAccessType\": \"none\"}}",
"event": {
"category": [
"iam"
],
"reason": "unfamiliarFeatures",
"type": [
"connection"
]
},
"@timestamp": "2022-03-24T14:42:35Z",
"action": {
"name": "User Risk Detection"
},
"azuread": {
"Level": 4,
"callerIpAddress": "11.22.33.44",
"category": "UserRiskEvents",
"correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
"durationMs": 0,
"identity": "bar foo",
"operationName": "User Risk Detection",
"operationVersion": "1.0",
"properties": {
"activity": "signin",
"correlationId": "325294e4-4026-4cc7-889d-b4be570b3254",
"detectionTimingType": "realtime",
"id": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
"requestId": "d38b6ab7-65b0-419c-b83a-a5787d6fa100",
"riskDetail": "none",
"riskEventType": "unfamiliarFeatures",
"riskLevel": "low",
"riskReasons": [
"UnfamiliarASN",
"UnfamiliarBrowser",
"UnfamiliarDevice",
"UnfamiliarEASId",
"UnfamiliarIP",
"UnfamiliarLocation",
"UnfamiliarTenantIPsubnet"
],
"riskState": "atRisk",
"source": "IdentityProtection"
},
"resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
"tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad"
},
"related": {
"ip": [
"11.22.33.44"
]
},
"service": {
"name": "Azure Active Directory",
"type": "ldap"
},
"source": {
"address": "11.22.33.44",
"geo": {
"country_iso_code": "fr",
"location": {
"lat": 46,
"lon": 2
}
},
"ip": "11.22.33.44"
},
"user": {
"email": "[email protected]",
"full_name": "bar foo"
},
"user_agent": {
"device": {
"name": "Oppo CPH2005"
},
"name": "Chrome Mobile WebView",
"original": "Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 PKeyAuth/1.0",
"os": {
"name": "Android",
"version": "12"
},
"version": "117.0.0"
}
}
Expand Down Expand Up @@ -1178,6 +1282,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`azuread.properties.riskLevel` | `keyword` | |
|`azuread.properties.riskLevelAggregated` | `keyword` | riskLevelAggregated |
|`azuread.properties.riskLevelDuringSignIn` | `keyword` | riskLevelDuringSignIn |
|`azuread.properties.riskReasons` | `array` | |
|`azuread.properties.riskState` | `keyword` | |
|`azuread.properties.source` | `keyword` | |
|`azuread.properties.status.additionalDetails` | `keyword` | |

