

Merge pull request #1677 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Mar 7, 2024
2 parents 7a24d13 + ff87ada commit f0d938e
Showing 8 changed files with 826 additions and 19 deletions.
Expand Up @@ -54,9 +54,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_internally"
}
Expand Down Expand Up @@ -109,13 +106,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"owner": "[email protected]",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
}
}
},
"network": {
"application": "drive"
},
Expand Down Expand Up @@ -166,9 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "people_within_domain_with_link"
}
Expand All @@ -190,6 +177,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "1.2.3.4"
},
"user": {
"email": "[email protected]",
"id": "111111111"
}
}
Expand Down Expand Up @@ -222,9 +210,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_externally"
}
Expand All @@ -246,6 +231,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "0.0.0.0"
},
"user": {
"email": "[email protected]",
"id": "XXXXXX",
"target": {
"email": "[email protected]"
Expand Down Expand Up @@ -275,7 +261,6 @@ The following table lists the fields that are extracted, normalized under the EC
|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
|`file.owner` | `keyword` | File owner's username. |
|`file.type` | `keyword` | File type (file, dir, or symlink). |
|`google.report.actor.email` | `keyword` | Drive actor email |
|`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
|`network.application` | `keyword` | Application level protocol name. |
|`source.ip` | `ip` | IP address of the source. |
Expand Up @@ -547,6 +547,200 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "process_start.json"

```json

{
"message": "{\"action\":{\"properties\":{\"ApplicationId\":\"\",\"DirectoryTableBase\":\"0x1B3C1E000\",\"ExitStatus\":\"259\",\"Flags\":\"0\",\"ImageFileName\":\"powershell.exe\",\"Keywords\":\"0x0\",\"PackageFullName\":\"\",\"ProviderGuid\":\"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}\",\"SessionId\":\"2\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Kernel-Process\",\"UniqueProcessKey\":\"0xFFFF9C0E86EEA080\",\"UserSID\":\"\\\\\\\\Windows-Desktop\\\\Maurice.Moss\"},\"id\":1,\"name\":\"process-created\"},\"event\":{\"action\":\"process-created\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"process\"],\"type\":[\"creation\"],\"code\":1},\"agent\":{\"id\":\"00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879\",\"version\":\"v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"Windows-Desktop\",\"ip\":[\"fe80::faea:b73f:ce5:62b3\",\"10.0.0.13\"]},\"process\":{\"parent\":{\"command_line\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \",\"executable\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"name\":\"powershell.exe\",\"args\":[\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"],\"pid\":8088},\"command_line\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" /c \\\"C:\\\\Windows\\\\system32\\\\net.exe view /all\\\"\",\"executable\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"name\":\"cmd.exe\",\"args\":[\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"/c\",\"C:\\\\Windows\\\\system32\\\\net.exe view /all\"],\"pid\":8432},\"sekoiaio\":{\"process\":{\"guid\":\"6788547a-3faf-5a84-87d9-319fb114f065\",\"parent_guid\":\"c76178fe-d387-5248-a1e5-cb385c842fec\"}},\"@timestamp\":\"2024-01-02T13:51:48.1394289Z\"}",
"event": {
"action": "process-created",
"category": [
"process"
],
"code": "1",
"outcome": "success",
"provider": "SEKOIA-IO-Endpoint",
"type": [
"creation"
]
},
"@timestamp": "2024-01-02T13:51:48.139428Z",
"action": {
"id": 1,
"name": "process-created",
"outcome": "success",
"properties": {
"ApplicationId": "",
"DirectoryTableBase": "0x1B3C1E000",
"ExitStatus": "259",
"Flags": "0",
"ImageFileName": "powershell.exe",
"Keywords": "0x0",
"PackageFullName": "",
"ProviderGuid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}",
"SessionId": "2",
"Severity": "LOG_ALWAYS",
"SourceName": "Kernel-Process",
"UniqueProcessKey": "0xFFFF9C0E86EEA080",
"UserSID": "\\\\Windows-Desktop\\Maurice.Moss"
}
},
"agent": {
"id": "00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879",
"version": "v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd"
},
"host": {
"hostname": "Windows-Desktop",
"ip": [
"10.0.0.13",
"fe80::faea:b73f:ce5:62b3"
],
"name": "Windows-Desktop",
"os": {
"type": "windows"
}
},
"process": {
"args": [
"/c",
"C:\\Windows\\system32\\cmd.exe",
"C:\\Windows\\system32\\net.exe view /all"
],
"command_line": "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\system32\\net.exe view /all\"",
"executable": "C:\\Windows\\system32\\cmd.exe",
"name": "cmd.exe",
"parent": {
"args": [
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
],
"command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"name": "powershell.exe",
"pid": 8088
},
"pid": 8432
},
"related": {
"hosts": [
"Windows-Desktop"
],
"ip": [
"10.0.0.13",
"fe80::faea:b73f:ce5:62b3"
]
},
"sekoiaio": {
"process": {
"guid": "6788547a-3faf-5a84-87d9-319fb114f065",
"parent_guid": "c76178fe-d387-5248-a1e5-cb385c842fec"
}
}
}
```


=== "process_start_user_name.json"

```json

{
"message": "{\"user\":{\"name\":\"Maurice.Moss\",\"domain\":\"Windows-Desktop\"},\"action\":{\"properties\":{\"ApplicationId\":\"\",\"DirectoryTableBase\":\"0x1B3DEE000\",\"ExitStatus\":\"259\",\"Flags\":\"0\",\"ImageFileName\":\"cmd.exe\",\"Keywords\":\"0x0\",\"PackageFullName\":\"\",\"ProviderGuid\":\"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}\",\"SessionId\":\"3\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Kernel-Process\",\"UniqueProcessKey\":\"0xFFFF9001AA8C4080\"},\"id\":1,\"name\":\"process-created\"},\"event\":{\"action\":\"process-created\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"process\"],\"type\":[\"creation\"],\"code\":1},\"agent\":{\"id\":\"00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879\",\"version\":\"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"Windows-Desktop\",\"ip\":[\"fe80::faea:b73f:ce5:62b3\",\"10.0.0.13\"]},\"process\":{\"parent\":{\"command_line\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \",\"executable\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"name\":\"powershell.exe\",\"args\":[\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"],\"pid\":8088},\"command_line\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" /c \\\"C:\\\\Windows\\\\system32\\\\net.exe view /all\\\"\",\"executable\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"name\":\"cmd.exe\",\"args\":[\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"/c\",\"C:\\\\Windows\\\\system32\\\\net.exe view /all\"],\"pid\":8432},\"sekoiaio\":{\"process\":{\"guid\":\"417f3e0f-c982-55f7-91b1-da72e895fb49\",\"parent_guid\":\"b9b6af11-3c85-5050-9128-b95723266e37\"}},\"@timestamp\":\"2024-03-06T07:34:35.5316596Z\"}",
"event": {
"action": "process-created",
"category": [
"process"
],
"code": "1",
"outcome": "success",
"provider": "SEKOIA-IO-Endpoint",
"type": [
"creation"
]
},
"@timestamp": "2024-03-06T07:34:35.531659Z",
"action": {
"id": 1,
"name": "process-created",
"outcome": "success",
"properties": {
"ApplicationId": "",
"DirectoryTableBase": "0x1B3DEE000",
"ExitStatus": "259",
"Flags": "0",
"ImageFileName": "cmd.exe",
"Keywords": "0x0",
"PackageFullName": "",
"ProviderGuid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}",
"SessionId": "3",
"Severity": "LOG_ALWAYS",
"SourceName": "Kernel-Process",
"UniqueProcessKey": "0xFFFF9001AA8C4080"
}
},
"agent": {
"id": "00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879",
"version": "v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db"
},
"host": {
"hostname": "Windows-Desktop",
"ip": [
"10.0.0.13",
"fe80::faea:b73f:ce5:62b3"
],
"name": "Windows-Desktop",
"os": {
"type": "windows"
}
},
"process": {
"args": [
"/c",
"C:\\Windows\\system32\\cmd.exe",
"C:\\Windows\\system32\\net.exe view /all"
],
"command_line": "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\system32\\net.exe view /all\"",
"executable": "C:\\Windows\\system32\\cmd.exe",
"name": "cmd.exe",
"parent": {
"args": [
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
],
"command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"name": "powershell.exe",
"pid": 8088
},
"pid": 8432
},
"related": {
"hosts": [
"Windows-Desktop"
],
"ip": [
"10.0.0.13",
"fe80::faea:b73f:ce5:62b3"
],
"user": [
"Maurice.Moss"
]
},
"sekoiaio": {
"process": {
"guid": "417f3e0f-c982-55f7-91b1-da72e895fb49",
"parent_guid": "b9b6af11-3c85-5050-9128-b95723266e37"
}
},
"user": {
"domain": "Windows-Desktop",
"name": "Maurice.Moss"
}
}
```


=== "remote_thread.json"

```json
