Refresh intakes documentation

SEKOIA-IO · Oct 9, 2024 · ec74f66 · ec74f66
1 parent 7b6387f
commit ec74f66
Show file tree

Hide file tree

Showing 13 changed files with 2,239 additions and 76 deletions.
diff --git a/...perations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/...perations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
diff --git a/...ns_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/...ns_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
diff --git a/...perations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md b/...perations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md
@@ -385,7 +385,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "host"
             ],
             "dataset": "administration",
-            "kind": "event",
             "module": "history"
         },
         "@timestamp": "2022-09-01T16:06:51.664000Z",
@@ -684,7 +683,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "network"
             ],
             "dataset": "network_metadata",
-            "kind": "event",
             "module": "sigflow_http"
         },
         "@timestamp": "2024-09-12T13:24:51.231000Z",
@@ -800,7 +798,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "network"
             ],
             "dataset": "network_metadata",
-            "kind": "event",
             "module": "sigflow_file"
         },
         "@timestamp": "2024-09-11T13:56:19.010000Z",

diff --git a/...perations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/...perations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -1742,6 +1742,81 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "test_cn_fields_.json"
+
+    ```json
+
+    {
+        "message": "{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}",
+        "event": {
+            "code": "4728",
+            "dataset": "eventlog",
+            "provider": "Microsoft-Windows-Security-Auditing",
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2024-09-26T14:38:37.222000Z",
+        "action": {
+            "id": 4728,
+            "properties": {
+                "MemberName": "JONE Doe",
+                "SubjectDomainName": "TEST",
+                "SubjectLogonId": "0x99913777",
+                "SubjectUserName": "testuser",
+                "SubjectUserSid": "S-2-2-22-22227555-9999999999-9999999919-2402",
+                "TargetDomainName": "TEST",
+                "TargetSid": "S-2-2-22-222222229-9999944444-3976126919-4444",
+                "TargetUserName": "test_exception"
+            }
+        },
+        "agent": {
+            "id": "555555555-9999-9999-9999-3e333333cccc",
+            "name": "harfanglab"
+        },
+        "harfanglab": {
+            "groups": [
+                "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_Windows\"}",
+                "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_haute_disponibilit\\u00e9\"}"
+            ]
+        },
+        "host": {
+            "domain": "TEST",
+            "hostname": "srv-test01",
+            "name": "srv-test01",
+            "os": {
+                "full": "Windows Server 2022 Standard",
+                "version": "10.0.20348"
+            }
+        },
+        "log": {
+            "hostname": "srv-test01"
+        },
+        "organization": {
+            "id": "fffffca6b999999"
+        },
+        "related": {
+            "hosts": [
+                "srv-test01"
+            ],
+            "user": [
+                "testuser"
+            ]
+        },
+        "user": {
+            "domain": "TEST",
+            "name": "testuser",
+            "roles": "TEST_Serveurs_Windows,TEST_Serveurs_haute_disponibilit\u00e9",
+            "target": {
+                "domain": "TEST",
+                "name": "test_exception"
+            }
+        }
+    }
+    	
+	```
+
+
 === "test_detection_rules_missing_fields.json"
 
     ```json

diff --git a/...ns_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/...ns_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md
@@ -1675,6 +1675,78 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_cn_fields_"
+
+
+    ```json
+	{
+        "process_id": 732,
+        "groups": [
+            {
+                "name": "TEST_Serveurs_Windows",
+                "id": "3a9c8e69-a339-aacc-a444-000000000"
+            },
+            {
+                "name": "TEST_Serveurs_haute_disponibilit\u00e9",
+                "id": "3a9c8e69-a339-aacc-a444-000000000"
+            }
+        ],
+        "@timestamp": "2024-09-26T14:39:01.470648104Z",
+        "event_id": 4728,
+        "@event_create_date": "2024-09-26T14:38:37.222Z",
+        "log_name": "Security",
+        "log_type": "eventlog",
+        "event_data": {
+            "SubjectUserSid": "S-2-2-22-22227555-9999999999-9999999919-2402",
+            "MemberSid": "S-2-2-22-222222229-9999944444-3976126919-4444",
+            "SubjectLogonId": "0x99913777",
+            "SubjectDomainName": "TEST",
+            "SubjectUserName": "testuser",
+            "TargetDomainName": "TEST",
+            "TargetUserName": "test_exception",
+            "PrivilegeList": "-",
+            "TargetSid": "S-2-2-22-222222229-9999944444-3976126919-4444",
+            "MemberName": "cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local"
+        },
+        "computer_name": "srv-test01.test.local",
+        "level": "log_always",
+        "user": {
+            "domain": "",
+            "name": "",
+            "type": "unknown",
+            "identifier": ""
+        },
+        "@version": "1",
+        "source_name": "Microsoft-Windows-Security-Auditing",
+        "type": "wineventlog",
+        "thread_id": 8666,
+        "keywords": [
+            "AuditSuccess",
+            "ReservedKeyword63"
+        ],
+        "destination": "syslog",
+        "provider_guid": "555555555-9999-9999-9999-3e333333cccc",
+        "user_data": {},
+        "agent": {
+            "agentid": "555555555-9999-9999-9999-3e333333cccc",
+            "osproducttype": "Windows Server 2022 Standard",
+            "additional_info": {},
+            "domain": null,
+            "version": "4.0.8",
+            "ostype": "windows",
+            "domainname": "TEST",
+            "osversion": "10.0.20348",
+            "distroid": null,
+            "hostname": "srv-test01",
+            "dnsdomainname": "test.local"
+        },
+        "tenant": "fffffca6b999999",
+        "record_number": 19999999
+    }
+    ```
+
+
+
 === "test_detection_rules_missing_fields"
 
 

diff --git a/...perations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/...perations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md
@@ -151,6 +151,169 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "access_failure.json"
+
+    ```json
+
+    {
+        "message": "- 1234:567:abcd:890:1234:5678:abcd:9012 - - [01/Oct/2024:10:22:11 +0200] \"GET /test.fr HTTP/1.1\" 404 1450 \"-\" \"-\"",
+        "event": {
+            "category": [
+                "web"
+            ],
+            "outcome": "failure",
+            "type": [
+                "access"
+            ]
+        },
+        "action": {
+            "name": "GET",
+            "outcome": "failure",
+            "properties": {
+                "timestamp": "01/Oct/2024:10:22:11 +0200"
+            }
+        },
+        "http": {
+            "request": {
+                "method": "GET"
+            },
+            "response": {
+                "bytes": 1450,
+                "status_code": 404
+            },
+            "version": "1.1"
+        },
+        "related": {
+            "ip": [
+                "1234:567:abcd:890:1234:5678:abcd:9012"
+            ]
+        },
+        "source": {
+            "address": "1234:567:abcd:890:1234:5678:abcd:9012",
+            "ip": "1234:567:abcd:890:1234:5678:abcd:9012"
+        },
+        "url": {
+            "original": "/test.fr",
+            "path": "/test.fr"
+        }
+    }
+    	
+	```
+
+
+=== "access_redirect.json"
+
+    ```json
+
+    {
+        "message": "- 1.2.3.4 - - [01/Oct/2024:10:22:01 +0200] \"GET / HTTP/1.1\" 302 385 \"-\" \"-\"",
+        "event": {
+            "category": [
+                "web"
+            ],
+            "outcome": "redirect",
+            "type": [
+                "access"
+            ]
+        },
+        "action": {
+            "name": "GET",
+            "outcome": "redirect",
+            "properties": {
+                "timestamp": "01/Oct/2024:10:22:01 +0200"
+            }
+        },
+        "http": {
+            "request": {
+                "method": "GET"
+            },
+            "response": {
+                "bytes": 385,
+                "status_code": 302
+            },
+            "version": "1.1"
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4"
+            ]
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4"
+        },
+        "url": {
+            "original": "/",
+            "path": "/"
+        }
+    }
+    	
+	```
+
+
+=== "access_success.json"
+
+    ```json
+
+    {
+        "message": "1.2.3.4 (-) - - [01/Oct/2024:08:22:45 +0000] \"POST /App/tests HTTP/1.1\" 200 377 \"https://app.testing.fr/App/6\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\"",
+        "event": {
+            "category": [
+                "web"
+            ],
+            "outcome": "success",
+            "type": [
+                "access"
+            ]
+        },
+        "action": {
+            "name": "POST",
+            "outcome": "success",
+            "properties": {
+                "timestamp": "01/Oct/2024:08:22:45 +0000"
+            }
+        },
+        "http": {
+            "request": {
+                "method": "POST",
+                "referrer": "https://app.testing.fr/App/6"
+            },
+            "response": {
+                "bytes": 377,
+                "status_code": 200
+            },
+            "version": "1.1"
+        },
+        "related": {
+            "ip": [
+                "1.2.3.4"
+            ]
+        },
+        "source": {
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4"
+        },
+        "url": {
+            "original": "/App/tests",
+            "path": "/App/tests"
+        },
+        "user_agent": {
+            "device": {
+                "name": "Other"
+            },
+            "name": "IE",
+            "original": "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko",
+            "os": {
+                "name": "Windows",
+                "version": "8"
+            },
+            "version": "11.0"
+        }
+    }
+    	
+	```
+
+
 === "common_log_format.json"
 
     ```json

diff --git a/...ns_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md b/...ns_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md
@@ -20,6 +20,30 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "access_failure"
+
+    ```
+	- 1234:567:abcd:890:1234:5678:abcd:9012 - - [01/Oct/2024:10:22:11 +0200] "GET /test.fr HTTP/1.1" 404 1450 "-" "-"
+    ```
+
+
+
+=== "access_redirect"
+
+    ```
+	- 1.2.3.4 - - [01/Oct/2024:10:22:01 +0200] "GET / HTTP/1.1" 302 385 "-" "-"
+    ```
+
+
+
+=== "access_success"
+
+    ```
+	1.2.3.4 (-) - - [01/Oct/2024:08:22:45 +0000] "POST /App/tests HTTP/1.1" 200 377 "https://app.testing.fr/App/6" "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko"
+    ```
+
+
+
 === "common_log_format"
 
     ```