From 85309850d5b3b236c76f2f924c8019f16bd6cbc8 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Mon, 25 Sep 2023 14:00:19 +0000 Subject: [PATCH] Refresh intakes documentation --- .../547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md | 16 +- .../8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md | 18 +- .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 66 +++++ .../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 235 +++++++++++++++++- .../f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md | 6 +- 5 files changed, 316 insertions(+), 25 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md index bd6d03b564..09479d060d 100644 --- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md +++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md @@ -6,7 +6,7 @@ The following table lists the data source offered by this integration. | Data Source | Description | | ----------- | ------------------------------------ | -| `Authentication logs` | Cisco Duo Security provides audit logs about authentication sessions | +| `Authentication logs` | Duo Security provides audit logs about authentication sessions | @@ -48,7 +48,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2020-01-23T16:18:58Z", "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" } } @@ -75,7 +75,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2020-01-24T15:09:42Z", "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "user": { "name": "admin" @@ -114,7 +114,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2020-02-13T18:56:20.351346Z", "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "user": { "email": "narroway@example.com", @@ -173,7 +173,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "@timestamp": "2019-08-30T16:10:05Z", "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "duo": { "security": { @@ -226,7 +226,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "duo": { "security": { @@ -260,7 +260,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "duo": { "security": { @@ -294,7 +294,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Duo", - "product": "Cisco Duo Security" + "product": "Duo Security" }, "duo": { "security": { diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md index 33a5f3d57b..65aabc5515 100644 --- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md +++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md @@ -8,7 +8,7 @@ The following table lists the data source offered by this integration. | ----------- | ------------------------------------ | | `Authentication logs` | There's an authentification audit, control and diagnostic | | `Network device configuration` | Changing conf of devices usually by the admin | -| `Web logs` | Cisco Identity Services Engine (ISE) logs provide information about the connected client and the requested resource | +| `Web logs` | Cisco ISE logs provide information about the connected client and the requested resource | @@ -47,7 +47,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "user": { "name": "john.doe" @@ -86,7 +86,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" } } @@ -111,7 +111,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "cisco": { "ise": { @@ -143,7 +143,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" } } @@ -167,7 +167,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "source": { "domain": "servername", @@ -205,7 +205,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "source": { "domain": "servername", @@ -249,7 +249,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "cisco": { "ise": { @@ -293,7 +293,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "observer": { "vendor": "Cisco", - "product": "Cisco Identity Services Engine (ISE)" + "product": "Cisco ISE" }, "user": { "name": "admin" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index d1a3a15455..557e2f608f 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -324,6 +324,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Event_5408_event_message_is_json.json" + + ```json + + { + "message": "{\"EventTime\":\"2023-09-25 15:29:18\",\"Hostname\":\"foo.net\",\"Keywords\":1152921504606846976,\"EventType\":\"VERBOSE\",\"SeverityValue\":1,\"Severity\":\"DEBUG\",\"EventID\":5408,\"SourceName\":\"Microsoft-Windows-FailoverClustering\",\"ProviderGuid\":\"{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":764816422,\"ActivityID\":\"{D938DD9B-F8EF-4227-A505-1169A1E3873E}\",\"ProcessID\":5440,\"ThreadID\":8428,\"Channel\":\"Microsoft-Windows-FailoverClustering/DiagnosticVerbose\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"{\\\"EventTime\\\":\\\"2023-09-25 15:29:18\\\",\\\"Hostname\\\":\\\"foo.net\\\",\\\"Keywords\\\":1152921504606846976,\\\"EventType\\\":\\\"VERBOSE\\\",\\\"SeverityValue\\\":1,\\\"Severity\\\":\\\"DEBUG\\\",\\\"EventID\\\":5408,\\\"SourceName\\\":\\\"Microsoft-Windows-FailoverClustering\\\",\\\"ProviderGuid\\\":\\\"{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}\\\",\\\"Version\\\":0,\\\"Task\\\":0,\\\"OpcodeValue\\\":0,\\\"RecordNumber\\\":764816422,\\\"ActivityID\\\":\\\"{D938DD9B-F8EF-4227-A505-1169A1E3873E}\\\",\\\"ProcessID\\\":5440,\\\"ThreadID\\\":8428,\\\"Channel\\\":\\\"Microsoft-Windows-FailoverClustering/DiagnosticVerbose\\\",\\\"Domain\\\":\\\"NT AUTHORITY\\\",\\\"AccountName\\\":\\\"SYSTEM\\\",\\\"UserID\\\":\\\"S-1-5-18\\\",\\\"AccountType\\\":\\\"User\\\",\\\"Message\\\":\\\"[RCM] Sending Control Code GET_PRIVATE_PROPERTIES Id 25237136 \\\\r\\\\n\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"LogString\\\":\\\"[RCM] Sending Control Code GET_PRIVATE_PROPERTIES Id 25237136 \\\\r\\\\n\\\",\\\"EventReceivedTime\\\":\\\"2023-09-25 15:29:18\\\",\\\"SourceModuleName\\\":\\\"eventlog\\\",\\\"SourceModuleType\\\":\\\"im_msvistalog\\\"}\",\"Opcode\":\"Info\",\"LogString\":\"[RCM] Sending Control Code GET_PRIVATE_PROPERTIES Id 25237136 \\r\\n\",\"EventReceivedTime\":\"2023-09-25 15:29:18\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}\n", + "event": { + "code": "5408", + "provider": "Microsoft-Windows-FailoverClustering" + }, + "action": { + "record_id": 764816422, + "type": "Microsoft-Windows-FailoverClustering/DiagnosticVerbose", + "id": 5408, + "properties": [ + { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "VERBOSE", + "OpcodeValue": 0, + "ProviderGuid": "{BAF908EA-3421-4CA9-9B84-6689B8C6F85F}", + "Severity": "DEBUG", + "Task": 0, + "SourceName": "Microsoft-Windows-FailoverClustering", + "Keywords": "1152921504606846976" + } + ] + }, + "log": { + "hostname": "foo.net", + "level": "debug" + }, + "host": { + "hostname": "foo.net", + "name": "foo.net" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "thread": { + "id": 8428 + }, + "pid": 5440, + "id": 5440 + }, + "user": { + "id": "S-1-5-18", + "name": "SYSTEM", + "domain": "NT AUTHORITY" + }, + "related": { + "hosts": [ + "foo.net" + ], + "user": [ + "SYSTEM" + ] + } + } + + ``` + + === "Event_56.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 20d432b984..03022b2c99 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md @@ -51,8 +51,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "zscaler": { "zia": { "source_type": "zscalernss-audit", - "action": { - "result": "SUCCESS" + "event": { + "outcome": "SUCCESS" }, "category": "Unknown", "sub_category": "Unknown", @@ -97,8 +97,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "zscaler": { "zia": { "source_type": "zscalernss-audit", - "action": { - "result": "SUCCESS" + "event": { + "outcome": "SUCCESS" }, "category": "Unknown", "sub_category": "Unknown", @@ -388,6 +388,223 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_saas_security_event.json" + + ```json + + { + "message": "{\n \"sourcetype\": \"zscalernss-casb\",\n \"event\": {\n \"datetime\": \"Wed Aug 17 15:35:15 2022\",\n \"recordid\": \"7132869149011804161\",\n \"company\": \"Example\",\n \"tenant\": \"example-tenant\",\n \"login\": \"john.doe@example.onmicrosoft.com\",\n \"dept\": \"Financial%20Dept\",\n \"applicationname\": \"SHAREPOINT\",\n \"filename\": \"sanity2022-08-16 14-03.pdf\",\n \"filesource\": \"/sites/tanya/Shared%20Documents/Activity\",\n \"filemd5\": \"01565bf41f1cb993d69334f409835293\",\n \"threatname\": \"malpdf\",\n \"policy\": \"Quarantine Malware\",\n \"dlpdictnames\": null,\n \"dlpdictcount\": null,\n \"dlpenginenames\": null,\n \"fullurl\": \"https://example.org/sites/\",\n \"lastmodtime\": \"Tue Aug 16 14:03:13 2022\",\n \"filescantimems\": \"537\",\n \"filedownloadtimems\": \"435\"\n }\n}\n", + "event": { + "kind": "event", + "dataset": "casb", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2022-08-17T15:35:15Z", + "zscaler": { + "zia": { + "source_type": "zscalernss-casb", + "threat": { + "name": "malpdf" + } + } + }, + "network": { + "application": "SHAREPOINT" + }, + "organization": { + "name": "Example" + }, + "file": { + "name": "sanity2022-08-16 14-03.pdf", + "directory": "/sites/tanya/Shared%20Documents/Activity", + "hash": { + "md5": "01565bf41f1cb993d69334f409835293" + } + }, + "user": { + "email": "john.doe@example.onmicrosoft.com" + }, + "related": { + "hash": [ + "01565bf41f1cb993d69334f409835293" + ] + } + } + + ``` + + +=== "test_tunnel_gre.json" + + ```json + + { + "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"GRE\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"event\": \"PHASE1_ERROR\",\n \"eventreason\": \"TIMEOUT\",\n \"recordid\": \"7112472280601133057\"\n }\n}\n", + "event": { + "kind": "event", + "dataset": "tunnel", + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2022-06-23T16:24:59Z", + "zscaler": { + "zia": { + "source_type": "zscalernss-tunnel", + "tunnel": { + "status": "PHASE1_ERROR" + }, + "event": { + "outcome": "failure" + } + } + }, + "network": { + "type": "GRE" + }, + "user": { + "email": "john.doe@example.org" + }, + "source": { + "ip": "1.2.3.4", + "port": 4535, + "address": "1.2.3.4" + }, + "destination": { + "ip": "5.6.7.8", + "address": "5.6.7.8" + }, + "error": { + "code": "TIMEOUT" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + + ``` + + +=== "test_tunnel_ipsev_ikev1.json" + + ```json + + { + "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"ipsec\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"sourceportstart\": \"10432\",\n \"destinationportstart\": \"23456\",\n \"srcipstart\": \"1.1.5.0\",\n \"srcipend\": \"1.2.123.254\",\n \"destinationipstart\": \"5.2.1.1\",\n \"destinationipend\": \"5.200.123.254\",\n \"lifetime\": \"3600\",\n \"ikeversion\": \"1\",\n \"lifebytes\": \"1560\",\n \"spi\": \"1111111111111111\",\n \"algo\": \"BLOWFISH_CBC\",\n \"authentication\": \"HMAC_SHA256\",\n \"authtype\": \"RSAENC\",\n \"protocol\": \"TCP\",\n \"tunnelprotocol\": \"ESP\",\n \"policydirection\": null,\n \"recordid\": \"7112472280601133057\"\n }\n}\n", + "event": { + "kind": "event", + "dataset": "tunnel", + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2022-06-23T16:24:59Z", + "zscaler": { + "zia": { + "source_type": "zscalernss-tunnel", + "tunnel": { + "ikeversion": "1" + }, + "event": { + "outcome": "success" + } + } + }, + "network": { + "type": "ipsec", + "protocol": "TCP" + }, + "user": { + "email": "john.doe@example.org" + }, + "source": { + "ip": "1.2.3.4", + "port": 4535, + "address": "1.2.3.4" + }, + "destination": { + "ip": "5.6.7.8", + "address": "5.6.7.8" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + + ``` + + +=== "test_tunnel_ipsev_ikev2.json" + + ```json + + { + "message": "{\n \"sourcetype\": \"zscalernss-tunnel\",\n \"event\": {\n \"datetime\": \"Thu Jun 23 16:24:59 2022\",\n \"Recordtype\": \"Tunnel Samples\",\n \"tunneltype\": \"ipsec\",\n \"user\": \"john.doe@example.org\",\n \"location\": \"Road%20Warrior\",\n \"sourceip\": \"1.2.3.4\",\n \"destinationip\": \"5.6.7.8\",\n \"sourceport\": \"4535\",\n \"destinationport\": \"4564\",\n \"lifetime\": \"3600\",\n \"ikeversion\": \"1\",\n \"spi_in\": \"1111111\",\n \"spi_out\": \"22222222\",\n \"algo\": \"BLOWFISH_CBC\",\n \"authentication\": \"HMAC_SHA256\",\n \"authtype\": \"RSAENC\",\n \"recordid\": \"7112472280601133057\"\n }\n}\n", + "event": { + "kind": "event", + "dataset": "tunnel", + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2022-06-23T16:24:59Z", + "zscaler": { + "zia": { + "source_type": "zscalernss-tunnel", + "tunnel": { + "ikeversion": "1" + }, + "event": { + "outcome": "success" + } + } + }, + "network": { + "type": "ipsec" + }, + "user": { + "email": "john.doe@example.org" + }, + "source": { + "ip": "1.2.3.4", + "port": 4535, + "address": "1.2.3.4" + }, + "destination": { + "ip": "5.6.7.8", + "address": "5.6.7.8" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + + ``` + + @@ -405,11 +622,14 @@ The following table lists the fields that are extracted, normalized under the EC |`dns.question.name` | `keyword` | The name being queried. | |`dns.question.type` | `keyword` | The type of record being queried. | |`dns.response_code` | `keyword` | The DNS response code. | +|`error.code` | `keyword` | Error code describing the error. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.duration` | `long` | Duration of the event in nanoseconds. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.directory` | `keyword` | Directory where the file is located. | +|`file.hash.md5` | `keyword` | MD5 hash. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.type` | `keyword` | File type (file, dir, or symlink). | |`host.name` | `keyword` | Name of the host. | @@ -421,20 +641,23 @@ The following table lists the fields that are extracted, normalized under the EC |`http.response.status_code` | `long` | HTTP response status code. | |`network.application` | `keyword` | Application level protocol name. | |`network.protocol` | `keyword` | Application protocol name. | +|`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | +|`organization.name` | `keyword` | Organization name. | |`server.ip` | `ip` | IP address of the server. | |`source.bytes` | `long` | Bytes sent from the source to the destination. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | |`url.domain` | `keyword` | Domain of the url. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`user.email` | `keyword` | User email address. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | -|`zscaler.zia.action.result` | `keyword` | ZScaler action result | |`zscaler.zia.appname` | `keyword` | ZScaler app name | |`zscaler.zia.audit.log_type` | `keyword` | ZScaler audit log type | |`zscaler.zia.avgduration` | `keyword` | ZScaler average duration | |`zscaler.zia.category` | `keyword` | ZScaler category | |`zscaler.zia.department` | `keyword` | ZScaler department | |`zscaler.zia.device.owner` | `keyword` | ZScaler device owner | +|`zscaler.zia.event.outcome` | `keyword` | ZScaler event outcome | |`zscaler.zia.event_id` | `keyword` | ZScaler event ID | |`zscaler.zia.keyprotectiontype` | `keyword` | ZScaler key protection type | |`zscaler.zia.product` | `keyword` | ZScaler product | @@ -444,6 +667,8 @@ The following table lists the fields that are extracted, normalized under the EC |`zscaler.zia.threat.category` | `keyword` | ZScaler threat category | |`zscaler.zia.threat.class` | `keyword` | ZScaler threat class | |`zscaler.zia.threat.name` | `keyword` | ZScaler threat name | +|`zscaler.zia.tunnel.ikeversion` | `keyword` | ZScaler IKE Version of the tunnel | +|`zscaler.zia.tunnel.status` | `keyword` | ZScaler status of the tunnel | |`zscaler.zia.tuntype` | `keyword` | ZScaler tunel type | |`zscaler.zia.vendor` | `keyword` | ZScaler vendor | diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index c985758f1a..924155d3e4 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md @@ -6,9 +6,9 @@ The following table lists the data source offered by this integration. | Data Source | Description | | ----------- | ------------------------------------ | -| `Anti-virus` | Stormshield Endpoint Security can be configured to perfom malware analysis. | -| `File monitoring` | Stormshield Endpoint Security can handle the user behavior ( Files included ) | -| `Application logs` | Stormshield Endpoint Security can handle the user behavior ( Applications included ) | +| `Anti-virus` | Stormshield SES can be configured to perfom malware analysis. | +| `File monitoring` | Stormshield SES can handle the user behavior ( Files included ) | +| `Application logs` | Stormshield SES can handle the user behavior ( Applications included ) |