From 3f705418c8e012cba4ebc168c35744527ba37bbe Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Tue, 28 Nov 2023 12:53:04 +0000 Subject: [PATCH] Refresh intakes documentation --- .../021e9def-5a55-4369-941e-af269b45bef1.md | 10 + .../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 10 + .../2815eaab-2425-4eff-8038-3f7d5a3b8b11.md | 7 + .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 30 +- .../79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md | 914 +++++++++++++++++- .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 126 +-- .../f95fea50-533c-4897-9272-2f8361e63644.md | 20 +- 7 files changed, 974 insertions(+), 143 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md index 1b2775dfa0..72147ac701 100644 --- a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md +++ b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md @@ -247,6 +247,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "sshd" + } + }, "server": { "name": "ext-rp", "os": { @@ -362,6 +367,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "sshd" + } + }, "server": { "name": "SRVFOOBAR", "os": { diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index 8f83d5aa6f..1a86177f60 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md 
@@ -341,6 +341,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "sshd" + } + }, "server": { "name": "foobar.net", "os": { @@ -505,6 +510,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "sshd" + } + }, "server": { "name": "PC-FOO", "os": { diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md index 98d5e0428a..e2658392e7 100644 --- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md +++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md @@ -111,6 +111,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "os": { "family": "windows", "platform": "windows" + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } } } diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 6d88eb1aa7..d9aa968ae2 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -364,6 +364,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "C:\\Windows\\System32\\svchost.exe" + } + }, "server": { "os": { "type": "windows" 
@@ -1154,22 +1159,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "hostname": "sfreort" }, - "process": { - "name": "Kerbe" - }, "related": { "hosts": [ "sfreort" ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "Kerbe" + } + }, "client": { "name": "sfreort", "os": { "type": "windows" - }, - "user": { - "id": "S-1-0-0" } }, "server": { @@ -1183,6 +1187,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "domain": "EXAMPLE" }, "user": { + "id": "S-1-0-0", "roles": "Group1,Group2", "target": { "domain": "example.org", @@ -1259,6 +1264,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "eventlog", "kind": "event", "provider": "Microsoft-Windows-Security-Auditing", + "reason": "bad_password", "type": [ "info", "start" @@ -1310,22 +1316,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "hostname": "REDACTED" }, - "process": { - "name": "NtLmSsp " - }, "related": { "hosts": [ "REDACTED" ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "NtLmSsp " + } + }, "client": { "name": "REDACTED", "os": { "type": "windows" - }, - "user": { - "id": "S-1-0-0" } }, "server": { @@ -1339,6 +1344,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "domain": "WORKGROUP" }, "user": { + "id": "S-1-0-0", "target": { "id": "S-1-0-0", "name": "ADMINISTRATOR" diff --git a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md index 8a6f869481..8154a4c1ca 100644 --- a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md +++ b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md 
@@ -19,9 +19,9 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | -| Category | `network` | -| Type | `connection` | +| Kind | `alert`, `event` | +| Category | `authentication`, `configuration`, `network`, `process`, `web` | +| Type | `connection`, `info` | 
@@ -31,16 +31,306 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "alarm1.json" + + ```json + + { + "message": "time=\"2023-11-23 06:49:20\" fw=\"SN12345678912345\" tz=+0100 startime=\"2023-11-23 06:49:20\" pri=4 confid=00 srcif=\"Ethernet4\" srcifname=\"wan-interface\" ipproto=tcp proto=unknown src=11.22.33.44 srcport=1234 srcmac=aa:bb:cc:dd:ee:ff dst=55.66.77.88 dstport=5678 dstportname=ephemeral_fw_tcp dstname=host_55.66.77.88 ipv=4 action=block msg=\"Protocole TCP invalide (packet too short)\" class=protocol classification=0 alarmid=98 target=dst sensible=1 logtype=\"alarm\"", + "event": { + "category": [ + "intrusion_detection" + ], + "dataset": "alarm", + "kind": "alert", + "risk_score": 4, + "start": "2023-11-23T05:49:20Z", + "timezone": "+0100", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-23T05:49:20Z", + "action": { + "outcome": "failure", + "outcome_reason": "Protocole TCP invalide (packet too short)" + }, + "destination": { + "address": "55.66.77.88", + "ip": "55.66.77.88", + "nat": { + "ip": "11.22.33.44", + "port": 1234 + }, + "port": 5678 + }, + "log": { + "priority": 4 + }, + "network": { + "protocol": "unknown", + "transport": "tcp", + "type": "4" + }, + "observer": { + "hostname": "SN12345678912345", + "ingress": { + "interface": { + "alias": "wan-interface", + "name": "Ethernet4" + } + }, + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345" + ], + "ip": [ + "11.22.33.44", + "55.66.77.88" + ] + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44", + "mac": "aa:bb:cc:dd:ee:ff", + "port": 1234 + }, + "stormshield": { + "destination": { + "name": "host_55.66.77.88", + "port_name": "ephemeral_fw_tcp" + }, + "filter": { + "action": "block" + }, + "ids": { + "alarmid": "98", + "classification": "0", + 
"type": "protocol" + }, + "target": "dst" + } + } + + ``` + + +=== "alarm2.json" + + ```json + + { + "message": "time=\"2023-11-23 09:20:13\" fw=\"SN12345678912345\" tz=+0100 startime=\"2023-11-23 09:19:43\" pri=4 msg=\"CRL download failed\" class=system alarmid=56 repeat=3 logtype=\"alarm\"", + "event": { + "category": [ + "process" + ], + "dataset": "alarm", + "kind": "alert", + "risk_score": 4, + "start": "2023-11-23T08:19:43Z", + "timezone": "+0100", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-23T08:20:13Z", + "action": { + "outcome": "failure", + "outcome_reason": "CRL download failed" + }, + "log": { + "priority": 4 + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345" + ] + }, + "stormshield": { + "filter": { + "action": "log" + }, + "ids": { + "alarmid": "56", + "occurs": "3", + "risklevel": "3", + "type": "system" + } + } + } + + ``` + + +=== "auth.json" + + ```json + + { + "message": "time=\"2023-11-14 16:27:30\" fw=\"SN12345678912345\" tz=+0100 startime=\"2023-11-14 16:27:30\" user=\"john.doe\" src=172.16.0.42 domain=\"sekoia.io\" confid=0 ruleid=0 method=\"\" totp=\"yes\" error=0 msg=\"totp enrolment: user TOTP request registered\" logtype=\"auth\"", + "event": { + "action": "authentication", + "category": [ + "authentication" + ], + "dataset": "auth", + "kind": "event", + "start": "2023-11-14T15:27:30Z", + "timezone": "+0100", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-14T15:27:30Z", + "action": { + "outcome": "success", + "outcome_reason": "totp enrolment: user TOTP request registered" + }, + "error": { + "message": "0" + }, + "network": { + "protocol": "https" + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + 
"SN12345678912345" + ], + "ip": [ + "172.16.0.42" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "0" + }, + "source": { + "address": "172.16.0.42", + "ip": "172.16.0.42" + }, + "stormshield": { + "auth": { + "configid": "0", + "ruleid": "0", + "totpused": "yes" + }, + "filter": { + "action": "log" + } + }, + "user": { + "domain": "sekoia.io", + "name": "john.doe" + } + } + + ``` + + +=== "auth_failed.json" + + ```json + + { + "message": "id=firewall time=\"2023-09-28 16:37:39\" fw=\"SN12345678912345\" tz=+0200 startime=\"2023-09-28 16:37:39\" user=\"john.doe\" src=11.22.33.44 domain=\"sekoia.io\" confid=1 ruleid=0 method=\"OPENVPN\" error=3 msg=\"Authentication Failed\" logtype=\"auth\"", + "event": { + "action": "authentication", + "category": [ + "authentication" + ], + "dataset": "auth", + "kind": "event", + "start": "2023-09-28T14:37:39Z", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-28T14:37:39Z", + "action": { + "outcome": "failure", + "outcome_reason": "Authentication Failed" + }, + "error": { + "message": "3" + }, + "network": { + "protocol": "https" + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "type": "firewall", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345" + ], + "ip": [ + "11.22.33.44" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "0" + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44" + }, + "stormshield": { + "auth": { + "configid": "1", + "method": "OPENVPN", + "ruleid": "0" + }, + "filter": { + "action": "log" + } + }, + "user": { + "domain": "sekoia.io", + "name": "john.doe" + } + } + + ``` + + === "empty_action.json" ```json { - "message": "time=\"2022-03-17 14:49:51\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-17 14:49:51\" pri=5 confid=01 slotlevel=5 ruleid=48 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" 
dstifname=\"out\" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=MGDFS-Proxy-02 srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=0.00 logtype=\"filter\"", + "message": "time=\"2022-03-17 14:49:51\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-17 14:49:51\" pri=5 confid=01 slotlevel=5 ruleid=48 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=55.66.77.88 srcport=39618 srcportname=ephemeral_fw_tcp srcname=WebProxy srcmac=00:00:00:00:00:00 dst=11.22.33.44 dstport=443 dstportname=https dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=0.00 logtype=\"filter\"", "event": { "category": [ "network" ], + "dataset": "filter", "duration": 0.0, "kind": "event", "risk_score": 5, @@ -51,6 +341,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-03-17T13:49:51Z", + "action": { + "outcome": "failure" + }, "destination": { "address": "11.22.33.44", "geo": { @@ -58,6 +351,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "country_iso_code": "us" }, "ip": "11.22.33.44", + "nat": { + "ip": "55.66.77.88", + "port": 39618 + }, "port": 443 }, "host": { @@ -70,6 +367,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "log": { + "priority": 5 + }, "network": { "bytes": 0, "protocol": "https", @@ -83,15 +383,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Ethernet2" } }, + "hostname": "SN12345678912345", "ingress": { "interface": { "alias": "in", "name": "Ethernet3" } }, - "serial_number": "SN12345678912345" + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" }, "related": { + "hosts": [ + "SN12345678912345" + ], "ip": [ "11.22.33.44", "55.66.77.88" 
@@ -108,11 +414,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39618 }, "stormshield": { - "confid": 1, - "dstportname": "https", - "logtype": "filter", - "slotlevel": 5, - "srcportname": "ephemeral_fw_tcp" + "destination": { + "port_name": "https" + }, + "filter": { + "action": "log" + }, + "source": { + "name": "WebProxy", + "port_name": "ephemeral_fw_tcp" + } } } @@ -124,11 +435,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "time=\"2022-03-03 14:21:10\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-03 14:21:10\" pri=5 confid=01 slotlevel=2 ruleid=100 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=DLEM-AMPD02 srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype=\"filter\"", + "message": "time=\"2022-03-03 14:21:10\" fw=\"SN12345678912345\" tz=+0100 startime=\"2022-03-03 14:21:10\" pri=5 confid=01 slotlevel=2 ruleid=100 srcif=\"Ethernet3\" srcifname=\"in\" ipproto=tcp dstif=\"Ethernet2\" dstifname=\"out\" proto=https src=42.123.123.123 srcport=60355 srcportname=ad2009-dyn_tcp srcname=ADSERVER srcmac=00:00:00:00:00:00 dst=11.11.11.11 dstport=443 dstportname=https dstname=example_dest dstcontinent=\"na\" dstcountry=\"us\" ipv=4 sent=0 rcvd=0 duration=2.00 action=pass logtype=\"filter\"", "event": { "category": [ "network" ], + "dataset": "filter", "duration": 2000000000.0, "kind": "event", "risk_score": 5, @@ -139,6 +451,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-03-03T13:21:10Z", + "action": { + "outcome": "success" + }, "destination": { "address": "11.11.11.11", "geo": { 
@@ -146,6 +461,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "country_iso_code": "us" }, "ip": "11.11.11.11", + "nat": { + "ip": "42.123.123.123", + "port": 60355 + }, "port": 443 }, "host": { @@ -158,6 +477,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "log": { + "priority": 5 + }, "network": { "bytes": 0, "protocol": "https", @@ -171,15 +493,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Ethernet2" } }, + "hostname": "SN12345678912345", "ingress": { "interface": { "alias": "in", "name": "Ethernet3" } }, - "serial_number": "SN12345678912345" + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" }, "related": { + "hosts": [ + "SN12345678912345" + ], "ip": [ "11.11.11.11", "42.123.123.123" @@ -196,15 +524,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 60355 }, "stormshield": { - "confid": 1, - "dstname": "example_dest", - "dstportname": "https", + "destination": { + "name": "example_dest", + "port_name": "https" + }, "filter": { "action": "pass" }, - "logtype": "filter", - "slotlevel": 2, - "srcportname": "ad2009-dyn_tcp" + "source": { + "name": "ADSERVER", + "port_name": "ad2009-dyn_tcp" + } } } @@ -221,6 +551,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], + "dataset": "connection", "duration": 107331180000000.0, "kind": "event", "risk_score": 5, @@ -230,6 +561,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2022-03-16T18:36:03Z", + "action": { + "outcome": "success" + }, "destination": { "address": "22.22.22.22", "geo": { 
@@ -237,6 +571,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "country_iso_code": "be" }, "ip": "22.22.22.22", + "nat": { + "ip": "22.22.22.22", + "port": 443 + }, "port": 443 }, "host": { @@ -249,6 +587,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "log": { + "priority": 5 + }, "network": { "bytes": 5555692, "protocol": "https", @@ -262,15 +603,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Ethernet2" } }, + "hostname": "SN12345678912345", "ingress": { "interface": { "alias": "in", "name": "Ethernet3" } }, - "serial_number": "SN12345678912345" + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" }, "related": { + "hosts": [ + "SN12345678912345" + ], "ip": [ "11.11.11.11", "22.22.22.22" 
@@ -288,17 +635,459 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": "11.11.11.11", "mac": "00:00:00:00:00:00", + "nat": { + "ip": "11.11.11.11", + "port": 49586 + }, "port": 49586 }, "stormshield": { - "confid": 1, - "dstportname": "https", + "destination": { + "port_name": "https" + }, "filter": { "action": "pass" }, - "logtype": "connection", - "slotlevel": 2, - "srcportname": "ephemeral_fw_tcp" + "source": { + "name": "foo_bar", + "port_name": "ephemeral_fw_tcp" + } + } + } + + ``` + + +=== "plugin.json" + + ```json + + { + "message": "time=\"2023-11-23 09:19:44\" fw=\"SN12345678912345\" tz=+0100 startime=\"2023-11-23 09:19:43\" pri=5 confid=01 slotlevel=2 ruleid=11 rulename=\"18b60ffd8cd_5\" ipproto=tcp dstif=\"Ethernet0\" dstifname=\"wan-interface\" proto=http src=11.22.33.44 srcport=1025 srcportname=dyn_tcp srcname=host_11.22.33.44 dst=55.66.77.88 dstport=80 dstportname=http dstname=www.sekoia.io dstcontinent=\"eu\" dstcountry=\"fr\" modsrc=11.22.33.44 modsrcport=1025 origdst=55.66.77.88 origdstport=80 ipv=4 rtname=\"router\" rt=\"gateway-orange\" sent=98 rcvd=766 duration=0.01 action=pass op=GET result=200 arg=\"/en/integrations-catalog/\" logtype=\"plugin\"", + "event": { + "category": [ + "web" + ], + "dataset": "plugin", + "duration": 10000000.0, + "kind": "event", + "risk_score": 5, + "start": "2023-11-23T08:19:43Z", + "timezone": "+0100", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-23T08:19:44Z", + "action": { + "outcome": "success" + }, + "destination": { + "address": "55.66.77.88", + "geo": { + "continent_name": "eu", + "country_iso_code": "fr" + }, + "ip": "55.66.77.88", + "nat": { + "ip": "55.66.77.88", + "port": 80 + }, + "port": 80 + }, + "host": { + "network": { + "egress": { + "bytes": 98 + }, + "ingress": { + "bytes": 766 + } + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "log": { + "priority": 5 + }, + "network": { + "bytes": 864, + 
"protocol": "http", + "transport": "tcp", + "type": "4" + }, + "observer": { + "egress": { + "interface": { + "alias": "wan-interface", + "name": "Ethernet0" + } + }, + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345", + "www.sekoia.io" + ], + "ip": [ + "11.22.33.44", + "55.66.77.88" + ] + }, + "rule": { + "category": "2", + "id": "11", + "name": "18b60ffd8cd_5" + }, + "source": { + "address": "11.22.33.44", + "ip": "11.22.33.44", + "nat": { + "ip": "11.22.33.44", + "port": 1025 + }, + "port": 1025 + }, + "stormshield": { + "destination": { + "name": "www.sekoia.io", + "port_name": "http" + }, + "filter": { + "action": "pass" + }, + "plugin": { + "arg": "/en/integrations-catalog/", + "operation": "GET", + "result": "200" + }, + "source": { + "name": "host_11.22.33.44", + "port_name": "dyn_tcp" + } + }, + "url": { + "domain": "www.sekoia.io", + "path": "/en/integrations-catalog/", + "registered_domain": "sekoia.io", + "subdomain": "www", + "top_level_domain": "io" + } + } + + ``` + + +=== "server.json" + + ```json + + { + "message": "id=firewall time=\"2023-07-03 18:26:30\" fw=\"SN12345678912345\" tz=+0200 startime=\"2023-07-03 18:26:30\" error=0 user=\"admin\" address=11.11.11.11 sessionid=5 msg=\"SYSTEM IDENT\" logtype=\"server\"", + "event": { + "category": [ + "configuration" + ], + "dataset": "server", + "kind": "event", + "start": "2023-07-03T16:26:30Z", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-03T16:26:30Z", + "action": { + "outcome": "success", + "outcome_reason": "SYSTEM IDENT" + }, + "client": { + "address": "11.11.11.11", + "ip": "11.11.11.11" + }, + "error": { + "code": "0" + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "type": "firewall", + "vendor": "Stormshield" + }, + 
"process": { + "command_line": "SYSTEM IDENT" + }, + "related": { + "hosts": [ + "SN12345678912345" + ], + "ip": [ + "11.11.11.11" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "11.11.11.11", + "ip": "11.11.11.11" + }, + "stormshield": { + "filter": { + "action": "log" + }, + "session": { + "id": "5" + } + }, + "user": { + "name": "admin" + } + } + + ``` + + +=== "system.json" + + ```json + + { + "message": "time=\"2023-11-23 09:20:59\" fw=\"SN12345678912345\" tz=+0100 startime=\"2023-11-23 09:20:58\" pri=5 msg=\"Licence Update: (licence1-sns.stormshieldcs.eu) Cannot contact server\" service=sysevent alarmid=70 logtype=\"system\"", + "event": { + "category": [ + "process" + ], + "dataset": "system", + "kind": "event", + "risk_score": 5, + "start": "2023-11-23T08:20:58Z", + "timezone": "+0100", + "type": [ + "info" + ] + }, + "@timestamp": "2023-11-23T08:20:59Z", + "action": { + "outcome_reason": "Licence Update: (licence1-sns.stormshieldcs.eu) Cannot contact server" + }, + "log": { + "priority": 5 + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "vendor": "Stormshield" + }, + "process": { + "name": "sysevent" + }, + "related": { + "hosts": [ + "SN12345678912345" + ] + }, + "stormshield": { + "alarm": { + "id": "70" + }, + "filter": { + "action": "log" + } + } + } + + ``` + + +=== "vpn_phase1.json" + + ```json + + { + "message": "id=firewall time=\"2023-07-04 11:27:09\" fw=\"SN12345678912345\" tz=+0200 startime=\"2023-07-04 11:27:09\" pri=5 src=33.33.33.33 srcname=Firewall_out dst=44.44.44.44 dstname=host_44.44.44.44 ikev=2 ruletype=gateway phase=1 side=initiator cookie_i=0x3b77dce129c457dc cookie_r=0x57dd9eabc5b7f8dd peername=Sekoia_peer msg=\"Local NAT detected, switching to port 4500\" logtype=\"vpn\"", + "event": { + "category": [ + "network" + ], + "dataset": "vpn", + "kind": "event", + "risk_score": 5, + "start": "2023-07-04T09:27:09Z", + "timezone": 
"+0200", + "type": [ + "connection" + ] + }, + "@timestamp": "2023-07-04T09:27:09Z", + "action": { + "outcome_reason": "Local NAT detected, switching to port 4500" + }, + "destination": { + "address": "44.44.44.44", + "ip": "44.44.44.44" + }, + "log": { + "priority": 5 + }, + "network": { + "type": "ipsec" + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "type": "firewall", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345" + ], + "ip": [ + "33.33.33.33", + "44.44.44.44" + ] + }, + "source": { + "address": "33.33.33.33", + "ip": "33.33.33.33" + }, + "stormshield": { + "destination": { + "name": "host_44.44.44.44" + }, + "filter": { + "action": "log" + }, + "ike": { + "initiator": { + "cookie": "0x3b77dce129c457dc" + }, + "peer": { + "cookie": "0x57dd9eabc5b7f8dd", + "name": "Sekoia_peer" + }, + "phase": "1", + "role": "initiator", + "type": "gateway", + "version": "2" + }, + "source": { + "name": "Firewall_out" + } + } + } + + ``` + + +=== "vpn_phase2.json" + + ```json + + { + "message": "id=firewall time=\"2023-07-03 18:20:02\" fw=\"SN12345678912345\" tz=+0200 startime=\"2023-07-03 18:20:02\" pri=5 src=11.11.11.11 srcname=Firewall_out dst=22.22.22.22 dstname=host_22.22.22.22 ikev=2 ruletype=gateway phase=2 side=initiator cookie_i=0x573ebe1ca6e085fc cookie_r=0x8c196f302bdc378b localnet=192.168.10.0/27 remotenet=192.168.10.32/27 spi_in=0xc848d405 spi_out=0xc287574b remoteid=22.22.22.22 rulename=vpn_sekoia msg=\"Sending DELETE for IPSEC SA (ESP)\" logtype=\"vpn\"", + "event": { + "category": [ + "network" + ], + "dataset": "vpn", + "kind": "event", + "risk_score": 5, + "start": "2023-07-03T16:20:02Z", + "timezone": "+0200", + "type": [ + "connection" + ] + }, + "@timestamp": "2023-07-03T16:20:02Z", + "action": { + "outcome_reason": "Sending DELETE for IPSEC SA (ESP)" + }, + "client": { + "address": "192.168.10.32", + "ip": "192.168.10.32" + }, + 
"destination": { + "address": "22.22.22.22", + "ip": "22.22.22.22" + }, + "log": { + "priority": 5 + }, + "network": { + "type": "ipsec" + }, + "observer": { + "hostname": "SN12345678912345", + "product": "Stormshield Network Security", + "serial_number": "SN12345678912345", + "type": "firewall", + "vendor": "Stormshield" + }, + "related": { + "hosts": [ + "SN12345678912345" + ], + "ip": [ + "11.11.11.11", + "192.168.10.32", + "22.22.22.22" + ] + }, + "rule": { + "name": "vpn_sekoia" + }, + "source": { + "address": "11.11.11.11", + "ip": "11.11.11.11" + }, + "stormshield": { + "destination": { + "name": "host_22.22.22.22" + }, + "filter": { + "action": "log" + }, + "ike": { + "initiator": { + "cookie": "0x573ebe1ca6e085fc" + }, + "local": { + "net": "192.168.10.0/27" + }, + "peer": { + "cookie": "0x8c196f302bdc378b" + }, + "phase": "2", + "remote": { + "id": "22.22.22.22", + "net": "192.168.10.32/27" + }, + "role": "initiator", + "spi": { + "in": "0xc848d405", + "out": "0xc287574b" + }, + "type": "gateway", + "version": "2" + }, + "source": { + "name": "Firewall_out" + } } } 
@@ -315,11 +1104,18 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`client.ip` | `ip` | IP address of the client. | |`destination.geo.continent_name` | `keyword` | Name of the continent. | |`destination.geo.country_iso_code` | `keyword` | Country ISO code. | |`destination.ip` | `ip` | IP address of the destination. | +|`destination.nat.ip` | `ip` | Destination NAT ip | +|`destination.nat.port` | `long` | Destination NAT Port | |`destination.port` | `long` | Port of the destination. | +|`error.code` | `keyword` | Error code describing the error. | +|`error.message` | `match_only_text` | Error message. | +|`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | |`event.duration` | `long` | Duration of the event in nanoseconds. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.risk_score` | `float` | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | 
@@ -328,21 +1124,91 @@ The following table lists the fields that are extracted, normalized under the EC |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.network.egress.bytes` | `long` | The number of bytes sent on all network interfaces. | |`host.network.ingress.bytes` | `long` | The number of bytes received on all network interfaces. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | |`network.bytes` | `long` | Total bytes transferred in both directions. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |`observer.egress.interface.alias` | `keyword` | Interface alias | |`observer.egress.interface.name` | `keyword` | Interface name | +|`observer.hostname` | `keyword` | Hostname of the observer. | |`observer.ingress.interface.alias` | `keyword` | Interface alias | |`observer.ingress.interface.name` | `keyword` | Interface name | +|`observer.product` | `keyword` | The product name of the observer. | |`observer.serial_number` | `keyword` | Observer serial number. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.name` | `keyword` | Process name. | |`rule.category` | `keyword` | Rule category | |`rule.id` | `keyword` | Rule ID | +|`rule.name` | `keyword` | Rule name | |`source.geo.continent_name` | `keyword` | Name of the continent. | |`source.geo.country_iso_code` | `keyword` | Country ISO code. | |`source.ip` | `ip` | IP address of the source. | |`source.mac` | `keyword` | MAC address of the source. 
| +|`source.nat.ip` | `ip` | Source NAT ip | +|`source.nat.port` | `long` | Source NAT port | |`source.port` | `long` | Port of the source. | +|`stormshield.alarm.id` | `keyword` | | +|`stormshield.auth.agentid` | `keyword` | | +|`stormshield.auth.configid` | `keyword` | | +|`stormshield.auth.method` | `keyword` | | +|`stormshield.auth.ruleid` | `keyword` | | +|`stormshield.auth.totpused` | `keyword` | | +|`stormshield.destination.name` | `keyword` | | +|`stormshield.destination.port_name` | `keyword` | | |`stormshield.filter.action` | `keyword` | The action asociated to the filter rule | +|`stormshield.icmp.code` | `keyword` | | +|`stormshield.icmp.type` | `keyword` | | +|`stormshield.ids.alarmid` | `keyword` | | +|`stormshield.ids.classification` | `keyword` | | +|`stormshield.ids.occurs` | `keyword` | | +|`stormshield.ids.pkt.len` | `keyword` | | +|`stormshield.ids.pktcapture.id` | `keyword` | | +|`stormshield.ids.pktcapture.len` | `keyword` | | +|`stormshield.ids.risklevel` | `keyword` | | +|`stormshield.ids.type` | `keyword` | | +|`stormshield.ike.initiator.cookie` | `keyword` | | +|`stormshield.ike.local.net` | `keyword` | | +|`stormshield.ike.peer.cookie` | `keyword` | | +|`stormshield.ike.peer.name` | `keyword` | | +|`stormshield.ike.phase` | `keyword` | | +|`stormshield.ike.remote.id` | `keyword` | | +|`stormshield.ike.remote.net` | `keyword` | | +|`stormshield.ike.role` | `keyword` | | +|`stormshield.ike.spi.in` | `keyword` | | +|`stormshield.ike.spi.out` | `keyword` | | +|`stormshield.ike.type` | `keyword` | | +|`stormshield.ike.version` | `keyword` | | +|`stormshield.ip.dst.rep.score` | `keyword` | | +|`stormshield.ip.dst.rep.type` | `keyword` | | +|`stormshield.ip.src.rep.score` | `keyword` | | +|`stormshield.ip.src.rep.type` | `keyword` | | +|`stormshield.plugin.arg` | `keyword` | | +|`stormshield.plugin.cipclassid` | `keyword` | | +|`stormshield.plugin.cipservicecode` | `keyword` | | +|`stormshield.plugin.clientappid` | `keyword` | | 
+|`stormshield.plugin.error_class` | `keyword` | | +|`stormshield.plugin.error_code` | `keyword` | | +|`stormshield.plugin.format` | `keyword` | | +|`stormshield.plugin.groupid` | `keyword` | | +|`stormshield.plugin.ntp_req_mode` | `keyword` | | +|`stormshield.plugin.ntp_resp_mode` | `keyword` | | +|`stormshield.plugin.ntp_version` | `keyword` | | +|`stormshield.plugin.operation` | `keyword` | | +|`stormshield.plugin.result` | `keyword` | | +|`stormshield.plugin.serverappid` | `keyword` | | +|`stormshield.plugin.softbus_ui` | `keyword` | | +|`stormshield.plugin.unit_id` | `keyword` | | +|`stormshield.session.id` | `keyword` | | +|`stormshield.source.name` | `keyword` | | +|`stormshield.source.port_name` | `keyword` | | +|`stormshield.target` | `keyword` | | +|`url.domain` | `keyword` | Domain of the url. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.effective.group.name` | `keyword` | Name of the group. | +|`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 4c6c80027c..d9387686c5 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "1117", "provider": "Microsoft-Windows-Windows Defender" }, - "@timestamp": "2023-07-27T12:58:38Z", "action": { "id": 1117, "properties": { 
@@ -117,7 +116,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Le centre de distribution de cl\u00e9s (KDC) a rencontr\u00e9 un certificat utilisateur valide mais qui n\u2019a pas pu \u00eatre mapp\u00e9 \u00e0 un utilisateur de mani\u00e8re s\u00e9curis\u00e9e (par exemple via un mappage explicite, un mappage d\u2019approbation de cl\u00e9 ou un SID). Ces certificats doivent \u00eatre remplac\u00e9s ou mapp\u00e9s directement \u00e0 l\u2019utilisateur via un mappage explicite. Consultez https://go.microsoft.com/fwlink/?linkid=2189925 pour en savoir plus.\r\n\r\n Utilisateur : JDOE\r\n Sujet du certificat :\u00e9metteur de certificat @@@OID.0.9.2342.19200300.100.1.1=JDOE, CN=JOHN DOE, OU=1111 222222222, O=EXAMPLE, C=FR\r\n :num\u00e9ro de s\u00e9rie du certificat EXAMPLE_ORG_Authentification\r\n :empreinte de certificat 78F88CB45C07B31EC7CF2239\r\n : A519392EE6D0CB8C3C1F9D74F951A4A8299F8889\r\n",
 "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center"
 },
- "@timestamp": "2023-08-22T09:46:33Z",
 "action": {
 "id": 39,
 "properties": {
@@ -181,7 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tHOSTFOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&e55476b&0&000100\r\n\r\nDevice Name:\tVMware Virtual disk SCSI Disk Device\r\n\r\nClass ID:\t\t{4d36e967-e325-11ce-bfc1-08002be10318}\r\n\r\nClass Name:\tDiskDrive\r\n\r\nVendor IDs:\t\r\n\t\tSCSI\\DiskVMware__Virtual_disk____2.0_\r\n\t\tSCSI\\DiskVMware__Virtual_disk____\r\n\t\tSCSI\\DiskVMware__\r\n\t\tSCSI\\VMware__Virtual_disk____2\r\n\t\tVMware__Virtual_disk____2\r\n\t\tGenDisk\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tSCSI\\Disk\r\n\t\tSCSI\\RAW\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t\r\n\t\tBus Number 0, Target Id 1, LUN 0\r\n\t\t",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2011-01-07T14:09:58Z",
 "action": {
 "id": 6416,
 "name": "A new external device was recognized by the system.",
@@ -293,7 +290,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "executable": "C:\\Windows\\System32\\lsass.exe",
- "name": "Schannel",
+ "name": "lsass.exe",
 "working_directory": "C:\\Windows\\System32\\"
 },
 "related": {
@@ -305,6 +302,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Schannel"
+ }
+ },
 "client": {
 "name": "vm-foo",
 "os": {
@@ -350,7 +352,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "start"
 ]
 },
- "@timestamp": "2023-10-04T10:24:15Z",
 "action": {
 "id": 4625,
 "name": "An account failed to log on",
@@ -402,7 +403,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "id": 704,
- "name": "NtLmSsp ",
 "pid": 704,
 "thread": {
 "id": 9992
@@ -414,12 +414,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "ip": [
 "1.1.1.1"
- ],
- "user": [
- "-"
 ]
 },
 "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "NtLmSsp "
+ }
+ },
 "client": {
 "name": "FOO-AD1",
 "os": {
@@ -438,9 +440,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": "1.1.1.1"
 },
 "user": {
- "domain": "-",
 "id": "S-1-0-0",
- "name": "-",
 "target": {
 "domain": "FOO",
 "id": "S-1-0-0",
@@ -463,7 +463,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Les autorisations sur un objet ont \u00e9t\u00e9 modifi\u00e9es.\r\n\r\nSujet\u00a0:\r\n\tID de s\u00e9curit\u00e9\u00a0:\t\tS-1-5-18\r\n\tNom du compte\u00a0:\t\tJDOE\r\n\tDomaine du compte\u00a0:\t\tEXAMPLE\r\n\tID d\u2019ouverture de session\u00a0:\t\t0x3E7\r\n\r\nObjet\u00a0:\r\n\tServeur de l\u2019objet\u00a0:\tSecurity\r\n\tType d\u2019objet\u00a0:\tToken\r\n\tNom de l\u2019objet\u00a0:\t-\r\n\tID du handle\u00a0:\t0x2214\r\n\r\nProcessus\u00a0:\r\n\tID du processus\u00a0:\t0x3f8\r\n\tNom du processus\u00a0:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nModification des autorisations\u00a0:\r\n\tDescripteur de s\u00e9curit\u00e9 d\u2019origine\u00a0:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\r\n\tNouveau descripteur de s\u00e9curit\u00e9\u00a0:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-111111111-22222222-3333333333-44444444-5555555555)",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-08-22T14:40:12Z",
 "action": {
 "id": 4670,
 "name": "Permissions on an object were changed",
@@ -543,7 +542,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\r\n\r\nInformations sur le compte\u00a0:\r\n\tNom du compte\u00a0:\t\\JDOE\r\n\tNom du domaine Kerberos fourni\u00a0:\tlocal.example.org\r\n\tID de l\u2019utilisateur\u00a0:\t\t\tS-1-5-21-1111111111-2222222222-3333333333-444444\r\n\r\nInformations sur le service\u00a0:\r\n\tNom du service\u00a0:\t\tkrbtgt\r\n\tID du service\u00a0:\t\tS-1-5-21-1111111111-2222222222-3333333333-555\r\n\r\nInformations sur le r\u00e9seau\u00a0:\r\n\tAdresse du client\u00a0:\t\t::ffff:55.99.99.6\r\n\tPort client\u00a0:\t\t61359\r\n\r\nInformations suppl\u00e9mentaires\u00a0:\r\n\tOptions du ticket\u00a0:\t\t0x40810010\r\n\tCode de r\u00e9sultat\u00a0:\t\t0x0\r\n\tType de chiffrement du ticket\u00a0:\t0x12\r\n\tType de pr\u00e9-authentification\u00a0:\t15\r\n\r\nInformations sur le certificat\u00a0:\r\n\tNom de l\u2019\u00e9metteur du certificat\u00a0:\t\tEXAMPLE_ORG_Authentification\r\n\tNum\u00e9ro de s\u00e9rie du certificat\u00a0:\t78F88CB4AFBAB3AC089E147A\r\n\t Empreinte num\u00e9rique du certificat\u00a0:\t\t32BE1AF04D9E00A97E0A17C6A335CEB5A7B6F60D\r\n\r\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\r\n\r\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-08-22T09:46:34Z",
 "action": {
 "id": 4768,
 "name": "A Kerberos authentication ticket (TGT) was requested",
@@ -628,7 +626,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\r\n\r\nInformations sur le compte :\r\n\tNom du compte :\t\tjdoe\r\n\tNom du domaine Kerberos fourni :\tlocal.example.org\r\n\tID de l\u2019utilisateur :\t\t\tS-1-0-0\r\n\r\nInformations sur le service :\r\n\tNom du service :\t\tkrbtgt/local.example.org\r\n\tID du service :\t\tS-1-0-0\r\n\r\nInformations sur le r\u00e9seau :\r\n\tAdresse du client :\t\t::ffff:10.24.20.7\r\n\tPort client :\t\t49681\r\n\r\nInformations suppl\u00e9mentaires :\r\n\tOptions du ticket :\t\t0x40810010\r\n\tCode de r\u00e9sultat :\t\t0x4B\r\n\tType de chiffrement du ticket :\t0xFFFFFFFF\r\n\tType de pr\u00e9-authentification :\t-\r\n\r\nInformations sur le certificat :\r\n\tNom de l\u2019\u00e9metteur du certificat :\t\tCN=INDSI218\r\n\tNum\u00e9ro de s\u00e9rie du certificat :\t01\r\n\t Empreinte num\u00e9rique du certificat :\t\t4871F03F06CB961643295C961CA999D4AC43A0F9\r\n\r\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\r\n\r\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-08-30T08:58:21Z",
 "action": {
 "id": 4768,
 "name": "A Kerberos authentication ticket (TGT) was requested",
@@ -713,7 +710,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tUSERFOO\r\n\tDomain:\t\tKEY\r\n\tLogon ID:\t0x67D43768\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.1.1.1\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2011-01-29T10:10:59Z",
 "action": {
 "id": 4825,
 "name": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group",
@@ -780,7 +776,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "An Active Directory replica source naming context was removed.\r\n\r\nDestination DRA:\tCN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nSource DRA:\t-\r\nSource Address:\t6c073888-8c3b-45a2-8a4e-e57c65a214e9._msdcs.example.org\r\nNaming Context:\tDC=Forest,DC=example,DC=org\r\nOptions:\t\t16640\r\nStatus Code:\t0",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-09-13T09:24:22Z",
 "action": {
 "id": 4929,
 "name": "An Active Directory replica source naming context was removed",
@@ -841,7 +836,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "La synchronisation d\u2019un r\u00e9plica d\u2019un contexte de nommage Active Directory a commenc\u00e9.\r\n\r\nDRA de destination\u00a0:\tCN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nDRA source\u00a0:\tCN=NTDS Settings,CN=Nancy,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nContexte de nommage\u00a0:\tCN=NTDS Settings,CN=Nancy,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nOptions\u00a0:\t\t524307\r\nID de la session\u00a0:\t437014\r\nUSN de d\u00e9marrage\u00a0:\t239636074",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-08-22T09:46:34Z",
 "action": {
 "id": 4932,
 "name": "Synchronization of a replica of an Active Directory naming context has begun",
@@ -904,7 +898,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "La synchronisation d\u2019un r\u00e9plica d\u2019un contexte de nommage Active Directory s\u2019est termin\u00e9e.\r\n\r\nDRA de destination\u00a0:\tCN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nDRA source\u00a0:\tCN=NTDS Settings,CN=Nancy,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nContexte de nommage\u00a0:\tDC=bois,DC=example,DC=org\r\nOptions\u00a0:\t\t524307\r\nID de session\u00a0:\t437014\r\nUSN de fin\u00a0:\t239636088\r\nCode d\u2019\u00e9tat\u00a0:\t0",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-08-22T09:46:34Z",
 "action": {
 "id": 4933,
 "name": "Synchronization of a replica of an Active Directory naming context has ended",
@@ -967,7 +960,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Un objet du service d\u2019annuaire a \u00e9t\u00e9 modifi\u00e9.\r\n\t\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tSyst\u00e8me\r\n\tDomaine du compte :\t\tAUTORITE NT\r\n\tID d\u2019ouverture de session :\t\t0x16CDFB96\r\n\r\nService d\u2019annuaire :\r\n\tNom :\texample.org\r\n\tType :\tServices de domaine Active Directory\r\n\t\r\nObjet :\r\n\tDN :\tDC=dhcp,DC=example.org,cn=MicrosoftDNS,cn=System,DC=example,DC=org\r\n\tGUID :\t{2b7f344c-843a-4056-b411-7114b87974a4}\r\n\tClasse :\tdnsNode\r\n\t\r\nAttribut :\r\n\tNom complet LDAP :\tdNSTombstoned\r\n\tSyntaxe (OID) :\t2.5.5.8\r\n\tValeur :\tFALSE\r\n\t\r\nOp\u00e9ration :\r\n\tType :\tFinance\r\n\tID de corr\u00e9lation :\t{0d91bb0f-05ef-470e-9ba3-ecd9be52703c}\r\n\tID de corr\u00e9lation d\u2019application :\t-",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-10-26T12:34:55Z",
 "action": {
 "id": 5136,
 "name": "A directory service object was modified",
@@ -1043,7 +1035,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "The zone mail.corp.net was updated. The MasterServers setting has been set to 1.1.1.1,2.2.2.2. [virtualization instance: .].",
 "provider": "Microsoft-Windows-DNSServer"
 },
- "@timestamp": "2023-08-23T11:20:47Z",
 "action": {
 "id": 514,
 "properties": {
@@ -1111,7 +1102,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "code": "5408",
 "provider": "Microsoft-Windows-FailoverClustering"
 },
- "@timestamp": "2023-09-25T15:29:18Z",
 "action": {
 "id": 5408,
 "properties": {
@@ -1177,7 +1167,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 1.1.1.1.",
 "provider": "TermDD"
 },
- "@timestamp": "2011-10-05T23:50:40Z",
 "action": {
 "id": 56,
 "properties": {
@@ -1237,7 +1226,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Network Policy Server granted access to a user.\r\n\r\nUser:\r\n\tSecurity ID:\t\t\tS-1-5-21-1111111111-2222222222-3333333333-44444\r\n\tAccount Name:\t\t\thost/l4523.example.org\r\n\tAccount Domain:\t\t\tEX1\r\n\tFully Qualified Account Name:\tEX1\\L4523\r\n\r\nClient Machine:\r\n\tSecurity ID:\t\t\tS-1-0-0\r\n\tAccount Name:\t\t\t-\r\n\tFully Qualified Account Name:\t-\r\n\tCalled Station Identifier:\t\t0c-c2-6d-91-dd-25:Athos\r\n\tCalling Station Identifier:\t\ta9-7c-7d-ac-47-67\r\n\r\nNAS:\r\n\tNAS IPv4 Address:\t\t1.2.3.4\r\n\tNAS IPv6 Address:\t\t-\r\n\tNAS Identifier:\t\t\tELEBEYCOBI\r\n\tNAS Port-Type:\t\t\tWireless - IEEE 802.11\r\n\tNAS Port:\t\t\t8\r\n\r\nRADIUS Client:\r\n\tClient Friendly Name:\t\tELEBEYCOBI\r\n\tClient IP Address:\t\t\t1.2.3.4\r\n\r\nAuthentication Details:\r\n\tConnection Request Policy Name:\tSecure Wireless Connections\r\n\tNetwork Policy Name:\t\tSecure Wifi Computer\r\n\tAuthentication Provider:\t\tWindows\r\n\tAuthentication Server:\t\tauth.example.org\r\n\tAuthentication Type:\t\tPEAP\r\n\tEAP Type:\t\t\tMicrosoft: Secured password (EAP-MSCHAP v2)\r\n\tAccount Session Identifier:\t\t111111111111111111111111111111111111111111111111111111111111111111\r\n\tLogging Results:\t\t\tAccounting information was written to the local log file.\r\n",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-10-26T13:11:01Z",
 "action": {
 "id": 6272,
 "name": "Network Policy Server granted access to a user",
@@ -1317,7 +1305,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Network Policy Server denied access to a user.\r\n\r\nContact the Network Policy Server administrator for more information.\r\n\r\nUser:\r\n\tSecurity ID:\t\t\tS-1-5-21-1111111111-2222222222-3333333333-44444\r\n\tAccount Name:\t\t\tjdoe\r\n\tAccount Domain:\t\t\tEX1\r\n\tFully Qualified Account Name:\texample.org/EX1/Users/Standard/John DOE\r\n\r\nClient Machine:\r\n\tSecurity ID:\t\t\tS-1-0-0\r\n\tAccount Name:\t\t\t-\r\n\tFully Qualified Account Name:\t-\r\n\tCalled Station Identifier:\t\t0c-c2-6d-91-dd-25:Athos\r\n\tCalling Station Identifier:\t\ta9-7c-7d-ac-47-67\r\n\r\nNAS:\r\n\tNAS IPv4 Address:\t\t1.2.3.4\r\n\tNAS IPv6 Address:\t\t-\r\n\tNAS Identifier:\t\t\t-\r\n\tNAS Port-Type:\t\t\tWireless - IEEE 802.11\r\n\tNAS Port:\t\t\t29\r\n\r\nRADIUS Client:\r\n\tClient Friendly Name:\t\t1.2.3.4\r\n\tClient IP Address:\t\t\t1.2.3.4\r\n\r\nAuthentication Details:\r\n\tConnection Request Policy Name:\tSecure Wireless Connections\r\n\tNetwork Policy Name:\t\tConnections to other access servers\r\n\tAuthentication Provider:\t\tWindows\r\n\tAuthentication Server:\t\tauth.example.org\r\n\tAuthentication Type:\t\tEAP\r\n\tEAP Type:\t\t\t-\r\n\tAccount Session Identifier:\t\t1111111111111111111111111111111111\r\n\tLogging Results:\t\t\tAccounting information was written to the local log file.\r\n\tReason Code:\t\t\t66\r\n\tReason:\t\t\t\tThe user attempted to use an authentication method that is not enabled on the matching network policy.\r\n",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2023-10-26T14:42:27Z",
 "action": {
 "id": 6273,
 "name": "Network Policy Server denied access to a user",
@@ -1395,8 +1382,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "code": "7",
 "message": "Image loaded:\r\nRuleName: -\r\nUtcTime: 2023-08-07 15:51:22.721\r\nProcessGuid: {9b7ebdcf-12fa-64d1-5e12-000000009f00}\r\nProcessId: 15368\r\nImage: C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\r\nImageLoaded: C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nHashes: -\r\nSigned: failed: Invalid hash\r\nSignature: -\r\nSignatureStatus: -\r\nUser: myuser",
- "provider": "Microsoft-Windows-Sysmon",
- "reason": "-"
+ "provider": "Microsoft-Windows-Sysmon"
 },
 "@timestamp": "2023-08-07T15:51:22.721000Z",
 "action": {
@@ -1426,7 +1412,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "type": "Microsoft-Windows-Sysmon/Operational"
 },
 "dll": {
- "name": "-",
 "path": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe"
 },
 "host": {
@@ -1574,7 +1559,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "The Federation Service failed to issue a valid token. See XML for failure details. \r\n\r\nActivity ID: bc38fffc-f8ab-42f2-b5e3-69fabf2e20e6 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n AppToken\r\n Failure\r\n GenericError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n firstname.lastname@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Extranet\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n 1.1.1.1,1.1.1.1,1.1.1.1\r\n N/A\r\n N/A\r\n proxy-server\r\n Mozilla/5.0 (Linux; Android 11; SM-A217F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.85 Mobile Safari/537.36\r\n /adfs/ls/\r\n \r\n \r\n",
 "provider": "AD FS Auditing"
 },
- "@timestamp": "2012-09-13T16:15:44Z",
 "action": {
 "id": 1201,
 "outcome": "failure",
@@ -1660,7 +1644,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "The Federation Service failed to validate a new credential. See XML for failure details. \r\n\r\nActivity ID: d404fc6c-c19c-40d7-a4fb-e8ebeb1bfc56 \r\n\r\nAdditional Data \r\nXML: \r\n\r\n FreshCredentials\r\n Failure\r\n CredentialValidationError\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n N/A\r\n username@example.org\r\n \r\n \r\n N/A\r\n false\r\n N/A\r\n false\r\n N/A\r\n false\r\n false\r\n NotSet\r\n \r\n \r\n N/A\r\n N/A\r\n \r\n \r\n http://auth.example.org/adfs/services/trust\r\n WSFederation\r\n Intranet\r\n 1.1.1.1\r\n \r\n N/A\r\n N/A\r\n N/A\r\n Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19044\r\n /adfs/ls/\r\n \r\n \r\n",
 "provider": "AD FS Auditing"
 },
- "@timestamp": "2012-09-20T15:54:13Z",
 "action": {
 "id": 1203,
 "outcome": "failure",
@@ -1670,7 +1653,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "Domain": "KEY",
 "EventType": "AUDIT_FAILURE",
 "Keywords": "-9182839640208441000",
- "ProxyServer": "N/A",
 "Severity": "ERROR",
 "SourceName": "AD FS Auditing",
 "Task": 3
@@ -1746,7 +1728,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.",
 "provider": "Microsoft-Windows-Bits-Client"
 },
- "@timestamp": "2011-03-02T01:40:47Z",
 "action": {
 "id": 61,
 "properties": {
@@ -1835,7 +1816,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "code": "16403",
 "provider": "Microsoft-Windows-Bits-Client"
 },
- "@timestamp": "2010-12-29T17:08:37Z",
 "action": {
 "id": 16403,
 "properties": {
@@ -1927,7 +1907,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "BITS stopped transferring the sharpbitsTestX.zip transfer job that is associated with the https://codeplexarchive.blob.core.windows.net/archive/projects/sharpbits/sharpbits.zip URL. The status code is 0x0.",
 "provider": "Microsoft-Windows-Bits-Client"
 },
- "@timestamp": "2010-12-29T17:08:50Z",
 "action": {
 "id": 60,
 "name": "BITS has stopped transferring the BITS Transfer job",
@@ -2019,7 +1998,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Antivirus Windows Defender a d\u00c3\u00a9tect\u00c3\u00a9 un logiciel malveillant ou potentiellement ind\u00c3\u00a9sirable.\r\n Pour plus d\u00e2\u20ac\u2122informations, reportez-vous aux \u00c3\u00a9l\u00c3\u00a9ments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win64/Mikatz!dha&threatid=2147705511&enterprise=0\r\n \tNom : HackTool:Win64/Mikatz!dha\r\n \tID : 2147705511\r\n \tGravit\u00c3\u00a9 : \u00c3\u2030lev\u00c3\u00a9e\r\n \tCat\u00c3\u00a9gorie : Outil\r\n \tChemin : file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys\r\n \tOrigine de la d\u00c3\u00a9tection : Ordinateur local\r\n \tType de d\u00c3\u00a9tection : Concret\r\n \tSource de d\u00c3\u00a9tection : Protection en temps r\u00c3\u00a9el\r\n \tUtilisateur : DESKTOP-FOOBARZ\\r1\r\n \tNom du processus : C:\\Windows\\explorer.exe\r\n \tVersion de la veille de s\u00c3\u00a9curit\u00c3\u00a9 : AV: 1.325.803.0, AS: 1.325.803.0, NIS: 1.325.803.0\r\n \tVersion du moteur : AM: 1.1.17500.4, NIS: 1.1.17500.4",
 "provider": "Microsoft-Windows-Windows Defender"
 },
- "@timestamp": "2010-11-05T15:26:31Z",
 "action": {
 "id": 1116,
 "name": "The antimalware platform detected malware or other potentially unwanted software.",
@@ -2094,7 +2072,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Rapport d'int\u00e9grit\u00e9 du client Endpoint Protection (heure UTC)\u00a0: \r\n \tVersion de plateforme\u00a0: 4.18.2011.6\r\n \tVersion de moteur\u00a0: 1.1.19900.2\r\n \tVersion du moteur du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.1.19900.2\r\n \tVersion de la veille de s\u00e9curit\u00e9 Antivirus\u00a0: 1.381.814.0\r\n \tVersion de la la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1.381.814.0\r\n \tVersion de la veille de s\u00e9curit\u00e9 du syst\u00e8me d\u2019inspection du r\u00e9seau en temps r\u00e9el\u00a0: 1.381.814.0\r\n \t\u00c9tat RTP\u00a0: Activ\u00e9\r\n \t\u00c9tat OA\u00a0: Activ\u00e9\r\n \t\u00c9tat OAV\u00a0: Activ\u00e9\r\n \t\u00c9tat BM\u00a0: Activ\u00e9\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 1\r\n \t\u00c2ge de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse rapide\u00a0: 1\r\n \t\u00c2ge de la derni\u00e8re analyse compl\u00e8te\u00a0: 4294967295\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 de l'antivirus\u00a0: 21/12/2012 01:50:25\r\n \tHeure de cr\u00e9ation de la veille de s\u00e9curit\u00e9 du logiciel anti-espion\u00a0: 21/12/2012 01:50:26\r\n \tHeure de d\u00e9but la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:30:01\r\n \tHeure de fin de la derni\u00e8re analyse rapide\u00a0: 21/12/2012 10:40:38\r\n \tSource de la derni\u00e8re analyse rapide\u00a0: 2\r\n \tHeure de d\u00e9but de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tHeure de fin de la derni\u00e8re analyse compl\u00e8te\u00a0: 01/01/1601 00:00:00\r\n \tSource de la derni\u00e8re analyse compl\u00e8te\u00a0: 0\r\n \tStatut du produit\u00a0: 0x00080000\r\n",
 "provider": "Microsoft-Windows-Windows Defender"
 },
- "@timestamp": "2012-12-22T20:25:26Z",
 "action": {
 "id": 1151,
 "properties": {
@@ -2164,7 +2141,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0\r\n \tNew value: ",
 "provider": "Microsoft-Windows-Windows Defender"
 },
- "@timestamp": "2011-09-13T09:20:39Z",
 "action": {
 "id": 5007,
 "properties": {
@@ -2231,7 +2207,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CommandInvocation (Select-Object) : \u00ab Select-Object \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab First \u00bb ; valeur = \u00ab 1 \u00bb\r\nLiaison de param\u00e8tre (Select-Object) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab __AllParameterSets \u00bb\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.19041.906\r\n ID d\u2019h\u00f4te = d480b34d-9bc5-4b03-bef2-0c4642484e60\r\n Application h\u00f4te = C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.19041.906\r\n ID d\u2019instance d\u2019ex\u00e9cution = de38a11e-707d-4cc0-a009-a4af63866bf6\r\n ID de pipeline = 1\r\n Nom de commande = Select-Object\r\n Type de commande = Cmdlet\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 138\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n",
 "provider": "Microsoft-Windows-PowerShell"
 },
- "@timestamp": "2011-06-02T15:04:18Z",
 "action": {
 "id": 4103,
 "properties": {
@@ -2303,7 +2278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x5\r\n \tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = 0x4",
 "provider": "Microsoft-Windows-Windows Defender"
 },
- "@timestamp": "2022-03-21T09:17:49Z",
 "action": {
 "id": 5007,
 "properties": {
@@ -2371,7 +2345,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tFOO$\r\n\tSupplied Realm Name:\tKEY.HOSTFOO.INT\r\n\tUser ID:\t\t\tS-1-5-21-1574594750-1263408776-2012955550-83436\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t65016\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2010-05-22T15:37:23Z",
 "action": {
 "id": 4768,
 "name": "A Kerberos authentication ticket (TGT) was requested",
@@ -2453,7 +2426,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "Skipping license manager: PFN Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\r\nFunction: InvokeLicenseManagerRequired\r\nSource: enduser\\winstore\\licensemanager\\apisethost\\activationapis.cpp (205)",
 "provider": "Microsoft-Windows-Store"
 },
- "@timestamp": "2019-05-16T11:55:18Z",
 "action": {
 "id": 8001,
 "properties": {
@@ -2521,7 +2493,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2019-12-16T15:24:15Z",
 "action": {
 "id": 4634,
 "name": "An account was logged off",
@@ -2597,7 +2568,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "start"
 ]
 },
- "@timestamp": "2010-06-18T15:28:23Z",
 "action": {
 "id": 4624,
 "name": "An account was successfully logged on",
@@ -2644,7 +2614,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "id": 744,
- "name": "NtLmSsp ",
 "pid": 744,
 "thread": {
 "id": 2352
@@ -2653,12 +2622,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "related": {
 "hosts": [
 "V-FOO"
- ],
- "user": [
- "-"
 ]
 },
 "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "NtLmSsp "
+ }
+ },
 "client": {
 "name": "V-FOO",
 "os": {
@@ -2673,9 +2644,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "user": {
- "domain": "-",
 "id": "S-1-0-0",
- "name": "-",
 "target": {
 "domain": "KEY",
 "id": "S-1-5-21-1574594750-1263408776-2012955550-69701",
@@ -2705,7 +2674,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "start"
 ]
 },
- "@timestamp": "2011-04-12T17:42:04Z",
 "action": {
 "id": 4624,
 "name": "An account was successfully logged on",
@@ -2755,7 +2723,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "process": {
 "executable": "C:\\Windows\\CCM\\CcmExec.exe",
 "id": 996,
- "name": "Advapi ",
+ "name": "CcmExec.exe",
 "pid": 996,
 "thread": {
 "id": 1920
@@ -2771,6 +2739,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Advapi "
+ }
+ },
 "client": {
 "name": "PCFOO.corp.net",
 "os": {
@@ -2810,7 +2783,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1519513455-2607746426-4144247390-71234\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tAD\r\n\tLogon ID:\t\t0x3912391A\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2019-12-16T15:24:15Z",
 "action": {
 "id": 4634,
 "name": "An account was logged off",
@@ -2880,7 +2852,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123016\r\n\tAccount Name:\t\tBAZ256$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA62B3A8AE\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t1.1.1.1\r\n\tSource Port:\t\t51042\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\D:\\ActiveDirectory\\SYSVOL\\sysvol\r\n\tRelative Target Name:\tKEY.ACME.COM\\POLICIES\\{C69D840B-35D8-4172-97E2-E54446703FF2}\\MACHINE\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100081\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadData (or ListDirectory):\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n",
 "provider": "Microsoft-Windows-Security-Auditing"
 },
- "@timestamp": "2010-04-24T00:06:15Z",
 "action": {
 "id": 5145,
 "name": "A network share object was checked to see whether client can be granted desired access",
@@ -3036,7 +3007,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "source": {
- "address": "DESKTOP-FOOBARZ.entreprise.sekoia",
+ "address": "1.1.1.1",
 "domain": "DESKTOP-FOOBARZ.entreprise.sekoia",
 "ip": "1.1.1.1",
 "port": 49718,
@@ -3063,7 +3034,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-122301\r\n\tAccount Name:\t\tadm_FOOBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xF22F28C6\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2bfc\r\n\tNew Process Name:\tC:\\Windows\\System32\\wbem\\WMIC.exe\r\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\r\n\tCreator Process ID:\t0x2a28\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-04-28T08:22:44Z", "action": { "id": 4688, "name": "A new process has been created", 
@@ -3123,9 +3093,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "S-1-5-21-1574594750-1263408776-2012955550-122301", "name": "adm_FOOBAZ", "target": { - "domain": "-", - "id": "S-1-0-0", - "name": "-" + "id": "S-1-0-0" } } } @@ -3144,7 +3112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "L\u00e2\u0080\u0099abonn\u00c3\u00a9 aux notifications Winlogon n\u00e2\u0080\u0099\u00c3\u00a9tait pas disponible pour traiter un \u00c3\u00a9v\u00c3\u00a9nement de notification.", "provider": "Microsoft-Windows-Winlogon" }, - "@timestamp": "2019-05-16T18:07:37Z", "action": { "id": 6000, "properties": { @@ -3199,7 +3166,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-98189\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x8C042A219\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{e013e2c9-bd38-4fe7-9afc-c50c377cb028}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-04-23T13:28:14Z", "action": { "id": 4662, "name": "An operation was performed on an object", 
@@ -3278,7 +3244,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "Creating Scriptblock text (1 of 1):\r\n{ @('Object') -contains $_ }\r\n\r\nScriptBlock ID: 592078b2-e981-40be-a166-10896495067b\r\nPath: ", "provider": "Microsoft-Windows-PowerShell" }, - "@timestamp": "2010-05-19T12:11:47Z", "action": { "id": 4104, "name": "Creating Scriptblock text", @@ -3349,7 +3314,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CommandInvocation(Write-Verbose): \"Write-Verbose\"\r\nParameterBinding(Write-Verbose): name=\"Message\"; value=\"ParentDisplayName\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14409.1018\r\n Host ID = 6d715a18-8dd8-44ce-889d-67bbbd36962b\r\n Host Application = C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File C:\\ProgramData\\PuppetLabs\\facter\\facts.d\\InstalledSoftware.ps1\r\n Engine Version = 5.1.14409.1018\r\n Runspace ID = 28ef971b-d5e6-46a0-a1eb-275b26023d17\r\n Pipeline ID = 1\r\n Command Name = Write-Verbose\r\n Command Type = Cmdlet\r\n Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSSoftware\\1.0.29\\PSSoftware.psm1\r\n Command Path = \r\n Sequence Number = 3930\r\n User = WORKGROUP\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n", "provider": "Microsoft-Windows-PowerShell" }, - "@timestamp": "2010-10-02T17:20:14Z", "action": { "id": 4103, "properties": { 
@@ -3421,7 +3385,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CommandInvocation(Add-Type): \"Add-Type\"\r\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.Core\"\r\n\r\n\r\nContext:\r\n Severity = Informational\r\n Host Name = ConsoleHost\r\n Host Version = 5.1.14393.5582\r\n Host ID = 26838e02-12cb-467c-a81a-bb1479f74427\r\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive -NoProfile -Command & {Add-Type -AssemblyName System.Core\nfunction Run-Server() { param([string]$h); $b = New-Object byte[] 8; $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h); if ($p) { $l = $p.Read($b, 0, 8); while ($l -gt 7) { $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4); $t = $null; if ($l -gt 0) { $t1 = New-Object byte[] $l; $l = $p.Read($t1, 0, $t1.Length); $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) } if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) } $p.Dispose() } } Run-Server -h 1412}\r\n Engine Version = 5.1.14393.5582\r\n Runspace ID = 4185b66b-3f0e-486d-a15e-3d2bc90f39a7\r\n Pipeline ID = 1\r\n Command Name = Add-Type\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 18\r\n User = INTRANET\\SYSTEM\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n", "provider": "Microsoft-Windows-PowerShell" }, - "@timestamp": "2023-08-22T20:12:26Z", "action": { "id": 4103, "properties": { 
@@ -3493,7 +3456,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CommandInvocation (Out-Default) : \u00ab Out-Default \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=ApplicationFrameHost} \u00bb\r\nLiaison de param\u00e8tre (Out-Default) : nom = \u00ab InputObject \u00bb ; valeur = \u00ab @{ProcessName=armsvc} \u00bb\r\n\r\n\r\n\r\nContexte :\r\n Gravit\u00e9 = Informational\r\n Nom d\u2019h\u00f4te = ConsoleHost\r\n Version de l\u2019h\u00f4te = 5.1.18362.1171\r\n ID d\u2019h\u00f4te = b9b8ea4b-cd03-4f71-86f7-2fd8e89b52a4\r\n Application h\u00f4te = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe get-process | select processname\r\n Version du moteur = 5.1.18362.1171\r\n ID d\u2019instance d\u2019ex\u00e9cution = bad57214-6381-4f0a-a2ea-ad1575bdb55d\r\n ID de pipeline = 1\r\n Nom de commande = \r\n Type de commande = Script\r\n Nom du script = \r\n Chemin de la commande = \r\n Num\u00e9ro de s\u00e9quence = 18\r\n Utilisateur = FOOBAR\\Syst\u00e8me\r\n Utilisateur connect\u00e9 = \r\n ID d\u2019interpr\u00e9teur de commandes = Microsoft.PowerShell\r\n\r\n\r\nDonn\u00e9es utilisateur :\r\n\r\n", "provider": "Microsoft-Windows-PowerShell" }, - "@timestamp": "2011-04-18T14:51:32Z", "action": { "id": 4103, "properties": { 
@@ -3565,7 +3527,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-73322\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0xA4FA5F41\r\n\r\nObject:\r\n\tObject Server:\t\tWS-Management Listener\r\n\tObject Type:\t\tUnknown\r\n\tObject Name:\t\tUnknown\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x3d4\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tMAX_ALLOWED\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x2000000\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-09-28T18:30:29Z", "action": { "id": 4656, "name": "A handle to an object was requested", @@ -3648,7 +3609,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tFOOBAZ02$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\r\n\tObject Value Name:\tFirmwareUpdatesNotInstalled\r\n\tHandle ID:\t\t0x22cc\r\n\tOperation Type:\t\tNew registry value created\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xac0\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\t-\r\n\tOld Value:\t\t-\r\n\tNew Value Type:\t\tREG_DWORD\r\n\tNew Value:\t\t0", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-09-30T12:01:24Z", "action": { "id": 4657, "name": "A registry value was modified", 
@@ -3727,7 +3687,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x5c44\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4e58\r\n\tProcess Name:\t\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-09-30T12:32:03Z", "action": { "id": 4658, "name": "The handle to an object was closed", @@ -3803,7 +3762,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x5d4\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-09-30T14:43:13Z", "action": { "id": 4663, "name": "An attempt was made to access an object", @@ -3887,7 +3845,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4670", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-10-01T17:52:46Z", "action": { "id": 4670, "name": "Permissions on an object were changed", 
@@ -3965,7 +3922,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2012-01-25T18:20:06Z", "action": { "id": 4688, "name": "A new process has been created", @@ -4031,9 +3987,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "S-1-5-18", "name": "REDACTED", "target": { - "domain": "-", - "id": "S-1-0-0", - "name": "-" + "id": "S-1-0-0" } } } @@ -4051,7 +4005,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4689", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2012-01-26T11:33:55Z", "action": { "id": 4689, "name": "A process has exited", 
@@ -4125,7 +4078,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tsrv-foo$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\CORP-Dump_Installed_Updates\r\n\tTask Content: \t\t\r\n\r\n \r\n KEY\\adm_foo\r\n \\CORP-Dump_Installed_Updates\r\n \r\n \r\n \r\n \r\n PT1H\r\n P1D\r\n true\r\n \r\n 2016-05-02T04:45:00\r\n PT30M\r\n true\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n StopExisting\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT1H\r\n 7\r\n \r\n PT15M\r\n 3\r\n \r\n \r\n \r\n \r\n C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n -NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"\r\n \r\n \r\n\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t28428972647776291\r\n\tClientProcessId: \t\t\t1700\r\n\tParentProcessId: \t\t\t892\r\n\tFQDN: \t\t0\r\n\t", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2023-08-25T12:13:33Z", "action": { "id": 4698, "name": "A scheduled task was created", @@ -4198,7 +4150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4719", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2011-01-11T13:11:59Z", "action": { "id": 4719, "name": "System audit policy was changed", 
@@ -4268,7 +4219,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-2746\r\n\tAccount Name:\t\tSVC_sitemanager\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\tLogon ID:\t\t0x8A2F8844\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1595408694-1749029380-1551332766-47859\r\n\tAccount Name:\t\tUSERFOO\r\n\tAccount Domain:\t\tEXTRAWEB\r\n\r\nAttributes:\r\n\tSAM Account Name:\tUSERFOO\r\n\tDisplay Name:\t\tUSERFOO USERLASTNAME\r\n\tUser Principal Name:\\tuserfoo@mycorp.nett\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t\r\n\tAccount Expires:\t\t28/11/2021 00:00:00\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x15\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Password Not Required' - Enabled\r\n\t\t'Normal Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2020-11-27T17:05:18Z", "action": { "id": 4720, "name": "A user account was created", 
@@ -4353,7 +4303,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tHOSTFOO\r\n\tAccount Domain:\t\tKEY.HOSTFOO\r\n\tLogon GUID:\t\t{25EC3BE0-427C-8A48-FD6F-0EF462F18BEB}\r\n\r\nService Information:\r\n\tService Name:\t\tV-FOO$\r\n\tService ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-74694\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:1.1.1.1\r\n\tClient Port:\t\t54021\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-12-11T16:17:08Z", "action": { "id": 4769, "name": "A Kerberos service ticket was requested", 
@@ -4434,7 +4383,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A directory service object was modified.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1574594750-1263408776-2012955550-123990\r\n\tAccount Name:\t\tHOSTNAMEBAZ\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x2245EEC18\r\n\r\nDirectory Service:\r\n\tName:\tkey.mycorp.int\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=MYUSER,OU=Ten,OU=MYCORP Computers,OU=MYCORP Data,DC=key,DC=mycorp,DC=int\r\n\tGUID:\t{5E818E06-674B-4D67-8D7C-FD08473C7FD4}\r\n\tClass:\tcomputer\r\n\t\r\nAttribute:\r\n\tLDAP Display Name:\tservicePrincipalName\r\n\tSyntax (OID):\t1.1.1.1\r\n\tValue:\tCmRcService/MYUSER\r\n\t\r\nOperation:\r\n\tType:\tValue Added\r\n\tCorrelation ID:\t{862BB478-DF85-4696-B45A-8C27F04C9377}\r\n\tApplication Correlation ID:\t-", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-11-13T17:25:22Z", "action": { "id": 5136, "name": "A directory service object was modified", @@ -4510,7 +4458,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t10220\r\n\tApplication Name:\t\\device\\harddiskvolume2\\users\\wardog\\appdata\\local\\programs\\python\\python39\\python.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t::\r\n\tSource Port:\t\t8000\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t81935\r\n\tLayer Name:\t\tListen\r\n\tLayer Run-Time ID:\t42", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2011-06-10T08:53:53Z", "action": { "id": 5154, "name": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections", 
@@ -4566,7 +4513,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "La plateforme WPF (Windows Filtering Platform) a autoris\u00e9 une connexion.\r\n\r\nInformations sur l\u2019application :\r\n\tID du processus :\t\t1452\r\n\tNom de l\u2019application :\t\\device\\harddiskvolume2\\program files (x86)\\nxlog\\nxlog.exe\r\n\r\nInformations sur le r\u00e9seau :\r\n\tDirection :\t\tEntrant\r\n\tAdresse source :\t\t1.1.1.1\r\n\tPort source :\t\t51845\r\n\tAdresse de destination :\t1.1.1.1\r\n\tPort de destination :\t\t51846\r\n\tProtocole :\t\t6\r\n\r\nInformations sur le filtre :\r\n\tID d\u2019ex\u00e9cution du filtre :\t9\r\n\tNom de la couche :\t\tR\u00e9ception/Acceptation\r\n\tID d\u2019ex\u00e9cution de la couche :\t44", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-10-21T14:10:49Z", "action": { "id": 5156, "name": "The Windows Filtering Platform has allowed a connection", @@ -4643,7 +4589,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A service was installed in the system.\r\n\r\nService Name: MpKslDrv\r\nService File Name: C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{5A27824B-0561-40A5-BA9A-9B3E8B24D58D}\\MpKslDrv.sys\r\nService Type: kernel mode driver\r\nService Start Type: system start\r\nService Account: ", "provider": "Service Control Manager" }, - "@timestamp": "2010-10-26T16:58:35Z", "action": { "id": 7045, "name": "A new service was installed in the system", @@ -4805,7 +4750,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-05-04T12:06:15Z", "action": { "id": 4688, "name": "A new process has been created", 
@@ -4871,9 +4815,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "S-1-5-18", "name": "HOSTFOOBAR", "target": { - "domain": "-", - "id": "S-1-0-0", - "name": "-" + "id": "S-1-0-0" } } } @@ -4891,7 +4833,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4688", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-08-19T11:37:56Z", "action": { "id": 4688, "name": "A new process has been created", @@ -4957,9 +4898,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "S-1-5-21-1574594750-1263408776-2012955550-78445", "name": "USERFOO", "target": { - "domain": "-", - "id": "S-1-0-0", - "name": "-" + "id": "S-1-0-0" } } } @@ -5062,7 +5001,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "BITS a arr\u00c3\u00aat\u00c3\u00a9 la t\u00c3\u00a2che de transfert Font Download qui est associ\u00c3\u00a9e \u00c3 l\u00e2\u20ac\u2122URL https://fs.microsoft.com/fs/windows/config.json. Le code d\u00e2\u20ac\u2122\u00c3\u00a9tat est 0x80072EE2.", "provider": "Microsoft-Windows-Bits-Client" }, - "@timestamp": "2011-03-02T01:40:47Z", "action": { "id": 61, "properties": { 
@@ -5152,7 +5090,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "Une t\u00e2che planifi\u00e9e a \u00e9t\u00e9 mise \u00e0 jour.\r\n\r\nObjet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom de compte :\t\tSEKADWV01$\r\n\tDomaine du compte :\t\tSEKOPOC\r\n\tID d\u2019ouverture de session :\t\t0x3E7\r\n\r\nInformations sur la t\u00e2che :\r\n\tNom de la t\u00e2che : \t\t\\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n\tNouveau contenu de la t\u00e2che : \t\t\r\n\r\n \r\n \\Microsoft\\Windows\\UpdateOrchestrator\\Backup Scan\r\n \r\n \r\n \r\n 2011-04-15T14:37:06.282Z\r\n true\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n true\r\n true\r\n false\r\n \r\n PT10M\r\n PT1H\r\n true\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n true\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n %systemroot%\\system32\\usoclient.exe\r\n StartScan\r\n \r\n \r\n \r\n \r\n S-1-5-18\r\n LeastPrivilege\r\n \r\n \r\n\r\n\t", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2011-04-01T16:37:06Z", "action": { "id": 4702, "name": "A scheduled task was updated", @@ -5226,7 +5163,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tPPS-VAL-APP$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService:\r\n\tServer:\tNT Local Security Authority / Authentication Service\r\n\tService Name:\tLsaRegisterLogonProcess()\r\n\r\nProcess:\r\n\tProcess ID:\t0x7e0\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-11-16T14:49:29Z", "action": { "id": 4673, "name": "A privileged service was called", 
@@ -5302,7 +5238,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "4697", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-11-04T16:04:45Z", "action": { "id": 4697, "name": "A service was installed in the system", @@ -6603,7 +6538,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "source": { - "address": "USERNAME01.ACT.CORP.local", + "address": "1.1.1.1", "domain": "USERNAME01.ACT.CORP.local", "ip": "1.1.1.1", "port": 389, 
@@ -6956,7 +6891,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "Un nouveau processus a \u00e9t\u00e9 cr\u00e9\u00e9.\r\n\r\nSujet :\r\n\tID de s\u00e9curit\u00e9 :\t\tS-1-5-18\r\n\tNom du compte :\t\tUSERNAME01$\r\n\tDomaine du compte :\t\tACT\r\n\tID d\u2019ouverture de session :\t\t0x3e7\r\n\r\nInformations sur le processus :\r\n\tID du nouveau processus :\t\t0x32b4\r\n\tNom du nouveau processus :\tC:\\Windows\\System32\\qwinsta.exe\r\n\tType d\u2019\u00e9l\u00e9vation du jeton :\tType d\u2019\u00e9l\u00e9vation de jeton par d\u00e9faut (1)\r\n\tID du processus cr\u00e9ateur :\t0x2748\r\n\tLigne de commande de processus :\t\r\n\r\nLe type d\u2019\u00e9l\u00e9vation du jeton indique le type de jeton qui a \u00e9t\u00e9 attribu\u00e9 au nouveau processus conform\u00e9ment \u00e0 la strat\u00e9gie de contr\u00f4le du compte d\u2019utilisateur.\r\n\r\nLe type 1 est un jeton complet sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton complet est uniquement utilis\u00e9 si le contr\u00f4le du compte d\u2019utilisateur est d\u00e9sactiv\u00e9, ou si l\u2019utilisateur est le compte d\u2019administrateur int\u00e9gr\u00e9 ou un compte de service.\r\n\r\nLe type 2 est un jeton aux droits \u00e9lev\u00e9s sans aucun privil\u00e8ge supprim\u00e9 ni aucun groupe d\u00e9sactiv\u00e9. Un jeton aux droits \u00e9lev\u00e9s est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019utilisateur est activ\u00e9 et que l\u2019utilisateur choisit de d\u00e9marrer le programme en tant qu\u2019administrateur. 
Un jeton aux droits \u00e9lev\u00e9s est \u00e9galement utilis\u00e9 lorsqu\u2019une application est configur\u00e9e pour toujours exiger un privil\u00e8ge administratif ou pour toujours exiger les privil\u00e8ges maximum, et que l\u2019utilisateur est membre du groupe Administrateurs.\r\n\r\nLe type 3 est un jeton limit\u00e9 dont les privil\u00e8ges administratifs sont supprim\u00e9s et les groupes administratifs d\u00e9sactiv\u00e9s. Le jeton limit\u00e9 est utilis\u00e9 lorsque le contr\u00f4le de compte d\u2019 utilisateur est activ\u00e9, que l\u2019application n\u2019exige pas le privil\u00e8ge administratif et que l\u2019utilisateur ne choisit pas de d\u00e9marrer le programme en tant qu\u2019administrateur.", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-07-29T15:24:16Z", "action": { "id": 4688, "name": "A new process has been created", 
@@ -7021,7 +6955,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tV-FOO$\r\n\tAccount Domain:\t\tKEY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x111c\r\n\tNew Process Name:\tC:\\Windows\\System32\\conhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x204\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2010-08-05T16:21:20Z", "action": { "id": 4688, "name": "A new process has been created", 
@@ -7089,7 +7022,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": ":{\n \"EventTime\": \"2023-09-19 12:02:19\",\n \"Hostname\": \"mycorp.net\",\n \"EventReceivedTime\": \"2023-09-19 12:02:20\",\n \"SourceModuleName\": \"eventlog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}\n\n\n", - "@timestamp": "2023-09-19T12:02:19Z", "action": { "properties": {} }, diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md index 9da948e9cc..237e7dee82 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md @@ -43,7 +43,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T13:43:39Z", + "@timestamp": "2023-11-06T13:43:39Z", "client": { "address": "10.242.101.27", "ip": "10.242.101.27" @@ -105,7 +105,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T13:44:56Z", + "@timestamp": "2023-11-06T13:44:56Z", "client": { "address": "10.242.101.27", "ip": "10.242.101.27" @@ -180,7 +180,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-10-03T18:23:27Z", + "@timestamp": "2023-10-03T18:23:27Z", "client": { "address": "37.169.153.147", "ip": "37.169.153.147" @@ -221,7 +221,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-10-03T18:24:28Z", + "@timestamp": "2023-10-03T18:24:28Z", "client": { "address": "37.169.153.147", "ip": "37.169.153.147" 
@@ -261,7 +261,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T13:43:39Z", + "@timestamp": "2023-11-06T13:43:39Z", "client": { "address": "10.242.101.27", "ip": "10.242.101.27" @@ -322,7 +322,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T13:44:56Z", + "@timestamp": "2023-11-06T13:44:56Z", "client": { "address": "10.242.101.27", "ip": "10.242.101.27" @@ -383,7 +383,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T14:06:24Z", + "@timestamp": "2023-11-06T14:06:24Z", "client": { "address": "10.0.142.4", "ip": "10.0.142.4" @@ -446,7 +446,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T14:08:18Z", + "@timestamp": "2023-11-06T14:08:18Z", "client": { "address": "10.0.142.4", "ip": "10.0.142.4" @@ -510,7 +510,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T14:09:07Z", + "@timestamp": "2023-11-06T14:09:07Z", "client": { "address": "10.0.142.4", "ip": "10.0.142.4" @@ -573,7 +573,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, - "@timestamp": "1900-11-06T14:04:34Z", + "@timestamp": "2023-11-06T14:04:34Z", "client": { "address": "10.0.142.4", "ip": "10.0.142.4"