From ea6ec642fe522e80c71dc0b41fbb9ccc0f7aa394 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 16:12:45 +0000 Subject: [PATCH] Refresh intakes documentation --- .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 9 + .../59991ced-c2a0-4fb0-91f3-49e3993c16f5.md | 241 ++++++++++++++++++ 2 files changed, 250 insertions(+) diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 3a06f0d6ad..3d21d0f1b2 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -1088,6 +1088,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "2b684979d6174bad69d895c7d8a852e7b206b95f", "4d5b7b6c06159d6b967f2c2c73f10145" ], + "hosts": [ + "www.example.org" + ], "ip": [ "1.2.3.4", "5.6.7.8" @@ -1097,6 +1100,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "address": "1.2.3.4", "ip": "1.2.3.4", "port": 59985 + }, + "url": { + "domain": "www.example.org", + "registered_domain": "example.org", + "subdomain": "www", + "top_level_domain": "org" } } diff --git a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md index fab818e586..b2049011ed 100644 --- a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md +++ b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md @@ -26,7 +26,248 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `file`, `network`, `process`, `registry` | +| Type | `allowed`, `change`, `creation`, `deletion`, `end`, `info`, `start` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "tanium_file_open.json" + + ```json + + { + "message": "{\"event\":\"file_open\",\"hostname\":\"2256269043\",\"host\":\"172.16.2.1\",\"fields\":{\"tanium_process_id\":\"-6966335309415971179\",\"read_flag\":true,\"full_path\":\"/var/lib/rrdcached/db/pve2-vm/115\",\"process__login__user_id\":4294967295,\"process__login__user_name\":null,\"process__pid\":1685,\"process__user__group\":\"root\",\"process__file__full_path\":\"/usr/bin/rrdcached\",\"process__user__name\":\"root\"}}", + "event": { + "action": "file-open", + "category": [ + "file" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "file": { + "directory": "/var/lib/rrdcached/db/pve2-vm", + "name": "115", + "path": "/var/lib/rrdcached/db/pve2-vm/115" + }, + "group": { + "name": "root" + }, + "host": { + "hostname": "2256269043", + "ip": [ + "172.16.2.1" + ], + "name": "2256269043" + }, + "observer": { + "name": "2256269043", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "executable": "/usr/bin/rrdcached", + "name": "rrdcached", + "pid": 1685 + }, + "related": { + "hosts": [ + "2256269043" + ], + "ip": [ + "172.16.2.1" + ] + }, + "user": { + "id": "4294967295" + } + } + + ``` + + +=== "tanium_network_connect.json" + + ```json + + { + "message": "{\"event\":\"network_connect\",\"hostname\":\"2421864415\",\"host\":\"172.16.2.1\",\"fields\":{\"remote_port\":80,\"process__login__user_name\":null,\"process__pid\":2540,\"process__user__group\":\"NT AUTHORITY\",\"local_ip\":\"172.16.4.1\",\"local_port\":53671,\"process__file__full_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"tanium_process_id\":\"-4314545011392247632\",\"process__login__user_id\":0,\"remote_ip\":\"184.25.50.65\",\"process__user__name\":\"NETWORK SERVICE\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "destination": { + "address": "184.25.50.65", + "ip": "184.25.50.65", + "port": 80 + }, + "group": { + "name": "NT AUTHORITY" + }, + "host": { + "hostname": "2421864415", + "ip": [ + "172.16.2.1" + ], + "name": "2421864415" + }, + "observer": { + "name": "2421864415", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 2540 + }, + "related": { + "hosts": [ + "2421864415" + ], + "ip": [ + "172.16.2.1", + "172.16.4.1", + "184.25.50.65" + ] + }, + "source": { + "address": "172.16.4.1", + "ip": "172.16.4.1", + "port": 53671 + }, + "user": { + "id": "0" + } + } + + ``` + + +=== "tanium_process_start.json" + + ```json + + { + "message": "{\"event\":\"process_start\",\"hostname\":\"1345671024\",\"host\":\"172.16.2.1\",\"fields\":{\"file__md5\":\"8ed54b7dcf043252441bca716b8c461f\",\"tanium_parent_process_id\":\"-6966498655612172786\",\"create_time\":\"2021-07-15T13:47:13.084000+00:00\",\"parent__command_line\":\"pve-firewall\",\"file__full_path\":\"/usr/sbin/ipset\",\"tanium_process_id\":\"-6166594163916654264\",\"pid\":14664,\"login__user_name\":null,\"command_line\":\"ipset save\",\"login__user_id\":4294967295,\"parent__file__full_path\":\"/usr/bin/perl\",\"user__name\":\"root\",\"parent_pid\":1550,\"user__group\":\"root\"}}", + "event": { + "category": [ + "process" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "file": { + "directory": "/usr/sbin", + "name": "ipset", + "path": "/usr/sbin/ipset" + }, + "host": { + "hostname": "1345671024", + "ip": [ + "172.16.2.1" + ], + "name": "1345671024" + }, + "observer": { + "name": "1345671024", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "command_line": "ipset save", + "executable": "/usr/sbin/ipset", + "hash": { + "md5": "8ed54b7dcf043252441bca716b8c461f" + }, + "parent": { + "command_line": "pve-firewall", + "executable": "/usr/bin/perl", + "name": "perl", + "pid": 1550 + }, + "start": "2021-07-15T13:47:13.084000Z" + }, + "related": { + "hash": [ + "8ed54b7dcf043252441bca716b8c461f" + ], + "hosts": [ + "1345671024" + ], + "ip": [ + "172.16.2.1" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.answers` | `object` | Array of DNS answers. | +|`dns.question.name` | `keyword` | The name being queried. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.directory` | `keyword` | Directory where the file is located. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`group.name` | `keyword` | Name of the group. | +|`host.hostname` | `keyword` | Hostname of the host. | +|`host.ip` | `ip` | Host ip addresses. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.hash.md5` | `keyword` | MD5 hash. | +|`process.name` | `keyword` | Process name. | +|`process.parent.command_line` | `wildcard` | Full command line that started the process. | +|`process.parent.executable` | `keyword` | Absolute path to the process executable. | +|`process.parent.name` | `keyword` | Process name. | +|`process.parent.pid` | `long` | Process id. | +|`process.pid` | `long` | Process id. | +|`process.start` | `date` | The time the process started. | +|`registry.path` | `keyword` | Full path, including hive, key and value | +|`registry.value` | `keyword` | Name of the value written. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | +