diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md
index 14babeb277..da59d5f079 100644
--- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md
+++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md
@@ -54,9 +54,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "google": {
 "report": {
- "actor": {
- "email": "kim@example.com"
- },
 "parameters": {
 "visibility": "shared_internally"
 }
@@ -109,13 +106,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "owner": "mary@example.com",
 "type": "document"
 },
- "google": {
- "report": {
- "actor": {
- "email": "kim@example.com"
- }
- }
- },
 "network": {
 "application": "drive"
 },
@@ -166,9 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "google": {
 "report": {
- "actor": {
- "email": "john.doe@example.org"
- },
 "parameters": {
 "visibility": "people_within_domain_with_link"
 }
@@ -190,6 +177,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": "1.2.3.4"
 },
 "user": {
+ "email": "john.doe@example.org",
 "id": "111111111"
 }
 }
@@ -222,9 +210,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "google": {
 "report": {
- "actor": {
- "email": "senduser@test.com"
- },
 "parameters": {
 "visibility": "shared_externally"
 }
@@ -246,6 +231,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": "0.0.0.0"
 },
 "user": {
+ "email": "senduser@test.com",
 "id": "XXXXXX",
 "target": {
 "email": "targetuser@test.fr"
@@ -275,7 +261,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`file.name` | `keyword` | Name of the file including the extension, without the directory. |
 |`file.owner` | `keyword` | File owner's username. |
 |`file.type` | `keyword` | File type (file, dir, or symlink). |
-|`google.report.actor.email` | `keyword` | Drive actor email |
 |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
 |`network.application` | `keyword` | Application level protocol name. |
 |`source.ip` | `ip` | IP address of the source. |
diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
index ed5b69a1b5..656658e06c 100644
--- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
+++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
@@ -547,6 +547,200 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "process_start.json" + + ```json + + { + "message": "{\"action\":{\"properties\":{\"ApplicationId\":\"\",\"DirectoryTableBase\":\"0x1B3C1E000\",\"ExitStatus\":\"259\",\"Flags\":\"0\",\"ImageFileName\":\"powershell.exe\",\"Keywords\":\"0x0\",\"PackageFullName\":\"\",\"ProviderGuid\":\"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}\",\"SessionId\":\"2\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Kernel-Process\",\"UniqueProcessKey\":\"0xFFFF9C0E86EEA080\",\"UserSID\":\"\\\\\\\\Windows-Desktop\\\\Maurice.Moss\"},\"id\":1,\"name\":\"process-created\"},\"event\":{\"action\":\"process-created\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"process\"],\"type\":[\"creation\"],\"code\":1},\"agent\":{\"id\":\"00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879\",\"version\":\"v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"Windows-Desktop\",\"ip\":[\"fe80::faea:b73f:ce5:62b3\",\"10.0.0.13\"]},\"process\":{\"parent\":{\"command_line\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \",\"executable\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"name\":\"powershell.exe\",\"args\":[\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"],\"pid\":8088},\"command_line\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" /c \\\"C:\\\\Windows\\\\system32\\\\net.exe view /all\\\"\",\"executable\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"name\":\"cmd.exe\",\"args\":[\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"/c\",\"C:\\\\Windows\\\\system32\\\\net.exe view /all\"],\"pid\":8432},\"sekoiaio\":{\"process\":{\"guid\":\"6788547a-3faf-5a84-87d9-319fb114f065\",\"parent_guid\":\"c76178fe-d387-5248-a1e5-cb385c842fec\"}},\"@timestamp\":\"2024-01-02T13:51:48.1394289Z\"}", + "event": { + "action": 
"process-created", + "category": [ + "process" + ], + "code": "1", + "outcome": "success", + "provider": "SEKOIA-IO-Endpoint", + "type": [ + "creation" + ] + }, + "@timestamp": "2024-01-02T13:51:48.139428Z", + "action": { + "id": 1, + "name": "process-created", + "outcome": "success", + "properties": { + "ApplicationId": "", + "DirectoryTableBase": "0x1B3C1E000", + "ExitStatus": "259", + "Flags": "0", + "ImageFileName": "powershell.exe", + "Keywords": "0x0", + "PackageFullName": "", + "ProviderGuid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}", + "SessionId": "2", + "Severity": "LOG_ALWAYS", + "SourceName": "Kernel-Process", + "UniqueProcessKey": "0xFFFF9C0E86EEA080", + "UserSID": "\\\\Windows-Desktop\\Maurice.Moss" + } + }, + "agent": { + "id": "00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879", + "version": "v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd" + }, + "host": { + "hostname": "Windows-Desktop", + "ip": [ + "10.0.0.13", + "fe80::faea:b73f:ce5:62b3" + ], + "name": "Windows-Desktop", + "os": { + "type": "windows" + } + }, + "process": { + "args": [ + "/c", + "C:\\Windows\\system32\\cmd.exe", + "C:\\Windows\\system32\\net.exe view /all" + ], + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\system32\\net.exe view /all\"", + "executable": "C:\\Windows\\system32\\cmd.exe", + "name": "cmd.exe", + "parent": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + ], + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe", + "pid": 8088 + }, + "pid": 8432 + }, + "related": { + "hosts": [ + "Windows-Desktop" + ], + "ip": [ + "10.0.0.13", + "fe80::faea:b73f:ce5:62b3" + ] + }, + "sekoiaio": { + "process": { + "guid": "6788547a-3faf-5a84-87d9-319fb114f065", + "parent_guid": "c76178fe-d387-5248-a1e5-cb385c842fec" + } + } + } + + ``` + + +=== 
"process_start_user_name.json" + + ```json + + { + "message": "{\"user\":{\"name\":\"Maurice.Moss\",\"domain\":\"Windows-Desktop\"},\"action\":{\"properties\":{\"ApplicationId\":\"\",\"DirectoryTableBase\":\"0x1B3DEE000\",\"ExitStatus\":\"259\",\"Flags\":\"0\",\"ImageFileName\":\"cmd.exe\",\"Keywords\":\"0x0\",\"PackageFullName\":\"\",\"ProviderGuid\":\"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}\",\"SessionId\":\"3\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Kernel-Process\",\"UniqueProcessKey\":\"0xFFFF9001AA8C4080\"},\"id\":1,\"name\":\"process-created\"},\"event\":{\"action\":\"process-created\",\"provider\":\"SEKOIA-IO-Endpoint\",\"outcome\":\"success\",\"category\":[\"process\"],\"type\":[\"creation\"],\"code\":1},\"agent\":{\"id\":\"00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879\",\"version\":\"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"Windows-Desktop\",\"ip\":[\"fe80::faea:b73f:ce5:62b3\",\"10.0.0.13\"]},\"process\":{\"parent\":{\"command_line\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" \",\"executable\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"name\":\"powershell.exe\",\"args\":[\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"],\"pid\":8088},\"command_line\":\"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\" /c \\\"C:\\\\Windows\\\\system32\\\\net.exe view /all\\\"\",\"executable\":\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"name\":\"cmd.exe\",\"args\":[\"C:\\\\Windows\\\\system32\\\\cmd.exe\",\"/c\",\"C:\\\\Windows\\\\system32\\\\net.exe view /all\"],\"pid\":8432},\"sekoiaio\":{\"process\":{\"guid\":\"417f3e0f-c982-55f7-91b1-da72e895fb49\",\"parent_guid\":\"b9b6af11-3c85-5050-9128-b95723266e37\"}},\"@timestamp\":\"2024-03-06T07:34:35.5316596Z\"}", + "event": { + "action": "process-created", + "category": [ + "process" + ], + "code": "1", + "outcome": "success", + "provider": 
"SEKOIA-IO-Endpoint", + "type": [ + "creation" + ] + }, + "@timestamp": "2024-03-06T07:34:35.531659Z", + "action": { + "id": 1, + "name": "process-created", + "outcome": "success", + "properties": { + "ApplicationId": "", + "DirectoryTableBase": "0x1B3DEE000", + "ExitStatus": "259", + "Flags": "0", + "ImageFileName": "cmd.exe", + "Keywords": "0x0", + "PackageFullName": "", + "ProviderGuid": "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}", + "SessionId": "3", + "Severity": "LOG_ALWAYS", + "SourceName": "Kernel-Process", + "UniqueProcessKey": "0xFFFF9001AA8C4080" + } + }, + "agent": { + "id": "00e6e72665d9b4db937d50043df348d0db6e00bbd778df07cf154c0f01748879", + "version": "v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db" + }, + "host": { + "hostname": "Windows-Desktop", + "ip": [ + "10.0.0.13", + "fe80::faea:b73f:ce5:62b3" + ], + "name": "Windows-Desktop", + "os": { + "type": "windows" + } + }, + "process": { + "args": [ + "/c", + "C:\\Windows\\system32\\cmd.exe", + "C:\\Windows\\system32\\net.exe view /all" + ], + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Windows\\system32\\net.exe view /all\"", + "executable": "C:\\Windows\\system32\\cmd.exe", + "name": "cmd.exe", + "parent": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + ], + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe", + "pid": 8088 + }, + "pid": 8432 + }, + "related": { + "hosts": [ + "Windows-Desktop" + ], + "ip": [ + "10.0.0.13", + "fe80::faea:b73f:ce5:62b3" + ], + "user": [ + "Maurice.Moss" + ] + }, + "sekoiaio": { + "process": { + "guid": "417f3e0f-c982-55f7-91b1-da72e895fb49", + "parent_guid": "b9b6af11-3c85-5050-9128-b95723266e37" + } + }, + "user": { + "domain": "Windows-Desktop", + "name": "Maurice.Moss" + } + } + + ``` + + === "remote_thread.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md
new file mode 100644
index 0000000000..7ccb49dd45
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md
@@ -0,0 +1,138 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | collect activities from the source | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `intrusion_detection`, `vulnerability` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "breach_reported_event.json" + + ```json + + { + "message": "{\"trigger\":{\"type\":\"breach_reported\",\"breach\":{\"domain\":\"example.com\",\"root_cause\":\"hacked\",\"company_name\":\"Example Company\",\"records_lost\":10000,\"date_discovered\":0,\"type_of_breach\":\"\",\"description\":\"Company was breached, exposing authentication details of senior employees. An insider is believed to have helped.\"}},\"created_at\":\"2022-08-09T16:36:42.397Z\",\"execution_id\":\"87b786f3-76c9-4a2e-a44b-985be679ef80\",\"scorecard_id\":\"8e21f4aa-ee49-5f6d-be70-366b95ecc586\",\"domain\":\"example.com\"}", + "event": { + "action": "breach_reported", + "category": [ + "intrusion_detection" + ], + "dataset": "breach", + "kind": "alert", + "reason": "Company was breached, exposing authentication details of senior employees. 
An insider is believed to have helped.", + "type": [ + "info" + ] + }, + "@timestamp": "2022-08-09T16:36:42.397000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "organization": { + "name": "Example Company" + }, + "securityscorecard": { + "vas": { + "breach": { + "root_cause": "hacked" + }, + "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586" + } + } + } + + ``` + + +=== "issue_event.json" + + ```json + + { + "message": "{\"trigger\":{\"type\":\"new_issues\",\"issues\":{\"csp_no_policy_v2\":{\"active\":{\"count\":26},\"departed\":{\"count\":3},\"resolved\":{\"count\":2}},\"domain_missing_https_v2\":{\"active\":{\"count\":15}}},\"selected\":\"by_severity\",\"severity\":\"low\"},\"created_at\":\"2022-08-10T19:49:46.029Z\",\"execution_id\":\"ee08b90e-98fe-45e1-9261-91eb0a80275d\",\"scorecard_id\":\"8e21f4aa-ee49-5f6d-be70-366b95ecc586\",\"domain\":\"example.com\"}", + "event": { + "action": "new_issues", + "category": [ + "vulnerability" + ], + "dataset": "issue", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-08-10T19:49:46.029000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "securityscorecard": { + "vas": { + "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586", + "selected": "by_severity", + "severity": "low" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`cloud.account.name` | `keyword` | The cloud account name. | +|`event.action` | `keyword` | The action captured by the event. 
| +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`organization.name` | `keyword` | Organization name. | +|`securityscorecard.vas.breach.root_cause` | `keyword` | Scorecard breach root cause | +|`securityscorecard.vas.id` | `keyword` | Scorecard event id | +|`securityscorecard.vas.selected` | `keyword` | Scorecard event selected | +|`securityscorecard.vas.severity` | `keyword` | Scorecard event severity | + diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 3fd105983c..29246571ba 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -5004,6 +5004,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "registry": {
 "hive": "HKU",
 "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe",
+ "path": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe",
 "value": "LocalBridge.exe"
 },
 "related": {
@@ -5564,6 +5565,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "hive": "HKLM",
 "key": "System\\CurrentControlSet\\Control\\Lsa\\nolmhash",
+ "path": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash",
 "value": "nolmhash"
 },
 "related": {
@@ -5652,6 +5654,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "hive": "HKLM",
 "key": "System\\CurrentControlSet\\services\\NAVENG\\ImagePath",
+ "path": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath",
 "value": "ImagePath"
 },
 "related": {
@@ -7189,6 +7192,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`registry.data.type` | `keyword` | Standard registry type for encoding contents |
 |`registry.hive` | `keyword` | Abbreviated name for the hive. |
 |`registry.key` | `keyword` | Hive-relative path of keys. |
+|`registry.path` | `keyword` | Full path, including hive, key and value |
 |`registry.value` | `keyword` | Name of the value written. |
 |`rule.name` | `keyword` | Rule name |
 |`source.address` | `keyword` | Source network address. |
diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md
index 9315ada594..87bbd62b27 100644
--- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md
+++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md
@@ -36,8 +36,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User 
agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}", "event": { - "category": "network", - "kind": "event", + "category": "threat", + "kind": "alert", "type": [ "info" ] 
@@ -108,6 +108,93 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_aianalyst_without_log_type.json" + + ```json + + { + "message": "{\"summariser\":\"SaasBruteforceSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1708649003457,\"attackPhases\":[2,4],\"mitreTactics\":[\"credential-access\"],\"title\":\"Possible Distributed Bruteforce of AzureActiveDirectory Account\",\"id\":\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"incidentEventUrl\":\"https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"children\":[\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\"],\"category\":\"suspicious\",\"currentGroup\":\"g7bd28910-7d7d-4971-9a20-48f12b8518e1\",\"groupCategory\":\"suspicious\",\"groupScore\":32.34820100820068,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"6ae71ab6\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":85.47036382887099,\"summary\":\"Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\\n\\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\\n\\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\\n\\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.\",\"periods\":[{\"start\":1708040149000,\"end\":1708648697000}],\"sender\":null,\"breachDevices\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}],\"relatedBreaches\":[{\"modelName\":\"SaaS / 
Access / Password Spray\",\"pbid\":7130,\"threatScore\":47,\"timestamp\":1708648698000}],\"details\":[[{\"header\":\"SaaS User Details\",\"contents\":[{\"key\":\"SaaS account\",\"type\":\"device\",\"values\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}]},{\"key\":\"Actor\",\"type\":\"string\",\"values\":[\"test@test.fr\"]}]}],[{\"header\":\"Summary of Related Access Attempts\",\"contents\":[{\"key\":\"Attempts grouped by\",\"type\":\"string\",\"values\":[\"same targeted account\"]},{\"key\":\"Number of source ASNs\",\"type\":\"integer\",\"values\":[241]},{\"key\":\"Suspicious properties\",\"type\":\"string\",\"values\":[\"Unusual time for activity\",\"Unusual external source for activity\",\"Large number of login failures\"]}]},{\"header\":\"Details of Access Attempts\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1708040149000,\"end\":1708648697000}]},{\"key\":\"Targeted account\",\"type\":\"string\",\"values\":[\"test@test.fr\"]},{\"key\":\"Total number of login failures\",\"type\":\"integer\",\"values\":[1136]},{\"key\":\"Reasons for login failures\",\"type\":\"string\",\"values\":[\"Sign-in was blocked because it came from an IP address with malicious activity\",\"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\",\"Error validating credentials due to invalid username or password.\"]}]},{\"header\":\"Sources of Access Attempts\",\"contents\":[{\"key\":\"Source ASNs include\",\"type\":\"string\",\"values\":[\"AS4134 Chinanet\",\"AS4837 CHINA UNICOM China169 Backbone\",\"AS4766 Korea Telecom\",\"AS9808 China Mobile Communications Group Co., Ltd.\",\"AS24560 Bharti Airtel Ltd., Telemedia Services\"]},{\"key\":\"Source IPs 
include\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"122.4.70.38\",\"ip\":\"122.4.70.38\"},{\"hostname\":\"41.207.248.204\",\"ip\":\"41.207.248.204\"},{\"hostname\":\"124.89.116.178\",\"ip\":\"124.89.116.178\"},{\"hostname\":\"121.184.235.17\",\"ip\":\"121.184.235.17\"},{\"hostname\":\"61.153.208.38\",\"ip\":\"61.153.208.38\"}]},{\"key\":\"Countries include\",\"type\":\"string\",\"values\":[\"China\",\"South Korea\",\"India\",\"United States\",\"Brazil\"]},{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"Office 365 Exchange Online\"]}]}]]}\n", + "event": { + "category": "network", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-02-23T00:43:23.457000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 85.47036382887099, + "attackPhases": [ + 2, + 4 + ], + "breachDevices": [ + { + "did": 2635, + "hostname": "SaaS::AzureActiveDirectory: test@test.fr", + "identifier": "SaaS::AzureActiveDirectory: test@test.fr", + "ip": null, + "mac": null, + "sid": -9, + "subnet": null + } + ], + "category": "suspicious", + "children": [ + "dc5f69a5-ee78-4702-a999-ed64a9e873dc" + ], + "currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1", + "externalTriggered": false, + "groupCategory": "suspicious", + "groupScore": 32.34820100820068, + "groupingIds": [ + "6ae71ab6" + ], + "mitreTactics": [ + "credential-access" + ], + "periods": [ + { + "end": 1708648697000, + "start": 1708040149000 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Password Spray", + "pbid": 7130, + "threatScore": 47, + "timestamp": 1708648698000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "2635" + }, + "host": { + "hostname": "SaaS::AzureActiveDirectory: test@test.fr", + "id": "2635", + "name": "SaaS::AzureActiveDirectory: test@test.fr" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "related": { + "hosts": [ + "SaaS::AzureActiveDirectory: 
test@test.fr" + ] + } + } + + ``` + + === "test_anomalous_file.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md new file mode 100644 index 0000000000..fa3601c8ec --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md 
@@ -0,0 +1,238 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | activity related to your corp, such as the creation of new users and sites, and activity related to your sites, such as flagged IPs, the creation of new rules, and site configuration changes. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `configuration`, `threat` | +| Type | `` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_corp_audit_log_1.json" + + ```json + + { + "message": "{\"id\": \"65ca37c9a1b93b52ga60bbdf\", \"eventType\": \"accessTokenCreated\", \"msgData\": {\"corpName\": \"corpname\", \"detailLink\": \"https://dashboard.signalsciences.net/corps/corpname/users/john.doe+demo@sample.com\", \"email\": \"john.doe+demo@sample.com\", \"tokenName\": \"Dev Audit log\", \"userAgent\": \"Mozilla/4.0 (X1; Linux x86_64) \"}, \"message\": \"John DOE (john.doe+demo@sample.com) created API Access Token `Dev Audit log`\", \"attachments\": [{\"Title\": \"\", \"Fields\": [{\"Title\": \"Token Name\", \"Value\": \"Dev Audit log\", \"Short\": true}], \"MarkdownFields\": false}], \"created\": \"2024-02-12T15:22:49Z\"}", + "event": { + "action": "accessTokenCreated", + "category": [ + "configuration" + ], + "kind": "event", + "reason": "created API Access Token `Dev Audit log`", + "type": [ + "creation" + ] + }, + "@timestamp": "2024-02-12T15:22:49Z", + "fastly": { + "waf": { + "audit": { + "corp_name": "corpname", + "event_id": "65ca37c9a1b93b52ga60bbdf", + "has_attachments": true, + "message": "John DOE (john.doe+demo@sample.com) created API Access Token `Dev Audit log`", + "token_name": "Dev Audit log" + } + } + }, + "observer": { + 
"product": "Fastly Audit Logs", + "vendor": "Fastly" + }, + "url": { + "domain": "dashboard.signalsciences.net", + "original": "https://dashboard.signalsciences.net/corps/corpname/users/john.doe+demo@sample.com", + "path": "/corps/corpname/users/john.doe+demo@sample.com", + "port": 443, + "registered_domain": "signalsciences.net", + "scheme": "https", + "subdomain": "dashboard", + "top_level_domain": "net" + }, + "user": { + "email": "john.doe+demo@sample.com", + "full_name": "John DOE" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/4.0 (X1; Linux x86_64) ", + "os": { + "name": "Linux" + } + } + } + + ``` + + +=== "test_site_audit_log_1.json" + + ```json + + { + "message": "{\"id\": \"65cb8bd7b0a762e1af01851e\", \"eventType\": \"testIntegration\", \"msgData\": {\"integrationType\": \"generic\"}, \"message\": \"John DOE (john.doe+demo@sample.com) tested a \\\"generic\\\" integration\", \"attachments\": [], \"created\": \"2024-02-13T15:33:43Z\"}", + "event": { + "action": "testIntegration", + "category": [ + "configuration" + ], + "kind": "event", + "reason": "tested a \"generic\" integration", + "type": [ + "info" + ] + }, + "@timestamp": "2024-02-13T15:33:43Z", + "fastly": { + "waf": { + "audit": { + "event_id": "65cb8bd7b0a762e1af01851e", + "has_attachments": false, + "message": "John DOE (john.doe+demo@sample.com) tested a \"generic\" integration" + } + } + }, + "observer": { + "product": "Fastly Audit Logs", + "vendor": "Fastly" + }, + "user": { + "email": "john.doe+demo@sample.com", + "full_name": "John DOE" + } + } + + ``` + + +=== "test_site_audit_log_2.json" + + ```json + + { + "message": "{\"id\": \"65cb8adc20998c33c75b469a\", \"eventType\": \"loggingModeChanged\", \"msgData\": {\"mode\": \"log\", \"oldMode\": \"block\"}, \"message\": \"John DOE (john.doe+demo@sample.com) changed agent mode from \\\"block\\\" to \\\"log\\\"\", \"attachments\": [], \"created\": \"2024-02-13T15:29:32Z\"}", + "event": { + 
"action": "loggingModeChanged", + "category": [ + "configuration" + ], + "kind": "event", + "reason": "changed agent mode from \"block\" to \"log\"", + "type": [ + "change" + ] + }, + "@timestamp": "2024-02-13T15:29:32Z", + "fastly": { + "waf": { + "audit": { + "event_id": "65cb8adc20998c33c75b469a", + "has_attachments": false, + "message": "John DOE (john.doe+demo@sample.com) changed agent mode from \"block\" to \"log\"" + } + } + }, + "observer": { + "product": "Fastly Audit Logs", + "vendor": "Fastly" + }, + "user": { + "email": "john.doe+demo@sample.com", + "full_name": "John DOE" + } + } + + ``` + + +=== "test_site_audit_log_3.json" + + ```json + + { + "message": "{\"id\": \"65cb8a386af260edn88be7f7\", \"eventType\": \"createIntegration\", \"msgData\": {\"integrationType\": \"generic\", \"plainSubscribedTo\": \"\\\"all events\\\"\"}, \"message\": \"John DOE (john.doe+demo@sample.com) created a new \\\"generic\\\" integration subscribed to \\\"all events\\\"\", \"attachments\": [], \"created\": \"2024-02-13T15:26:48Z\"}", + "event": { + "action": "createIntegration", + "category": [ + "configuration" + ], + "kind": "event", + "reason": "created a new \"generic\" integration subscribed to \"all events\"", + "type": [ + "creation" + ] + }, + "@timestamp": "2024-02-13T15:26:48Z", + "fastly": { + "waf": { + "audit": { + "event_id": "65cb8a386af260edn88be7f7", + "has_attachments": false, + "message": "John DOE (john.doe+demo@sample.com) created a new \"generic\" integration subscribed to \"all events\"" + } + } + }, + "observer": { + "product": "Fastly Audit Logs", + "vendor": "Fastly" + }, + "user": { + "email": "john.doe+demo@sample.com", + "full_name": "John DOE" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
+ +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`fastly.waf.audit.corp_name` | `keyword` | Corp name | +|`fastly.waf.audit.event_id` | `keyword` | Fastly event ID | +|`fastly.waf.audit.has_attachments` | `boolean` | Event message has attachments | +|`fastly.waf.audit.message` | `keyword` | Event description | +|`fastly.waf.audit.token_name` | `keyword` | Token name | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.email` | `keyword` | User email address. | +|`user.full_name` | `keyword` | User's full name, if available. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index f205f3e94e..8a6215df2c 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
@@ -1677,6 +1677,77 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "mass_download.json" + + ```json + + { + "message": "{\"CreationTime\":\"2024-02-22T09:56:48\",\"Id\":\"0e042318-7c78-4acb-ae00-5ee74465bca3\",\"Operation\":\"AlertUpdated\",\"OrganizationId\":\"2d7585dc-97bc-4494-b98c-79f2a4946931\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"Custom\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"ts\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"te\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"an\\\":\\\"Mass download by a single user\\\",\\\"ad\\\":\\\"Activity policy 'Mass download by a single user' was triggered by 'Anakin SKYWALKER'\\\",\\\"f3u\\\":\\\"anakin.skywalker@gondor.com\\\",\\\"alk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/alerts/79d71811t27fe160149dcd56\\\",\\\"plk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/policy/?id=eq(5f391720dd4e64e3db757c35,)\\\",\\\"mat\\\":\\\"MCAS_ALERT_CABINET_EVENT_MATCH_AUDIT\\\"}\",\"Name\":\"Mass download by a single user\",\"PolicyId\":\"8697dfdc-965d-67f7-bb37-b2551b296c04\",\"Severity\":\"High\",\"Source\":\"Cloud App Security\",\"Status\":\"Active\"}", + "event": { + "action": "AlertUpdated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-02-22T09:56:48Z", + "action": { + "id": 40, + "name": "AlertUpdated", + "outcome": "success", + "target": "user" + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Mass download by a single user", + "severity": "High", + "source": "Cloud App Security", 
+ "status": "Active" + }, + "audit": { + "object_id": "c299a0a0-14da-428a-b08d-481d562298cb" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "2d7585dc-97bc-4494-b98c-79f2a4946931" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "8697dfdc-965d-67f7-bb37-b2551b296c04" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "source": { + "user": { + "email": "anakin.skywalker@gondor.com" + } + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + === "mcas_alert.json" ```json @@ -3003,6 +3074,7 @@ The following table lists the fields that are extracted, normalized under the EC |`service.name` | `keyword` | Name of the service. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`source.user.email` | `keyword` | User email address. | |`url.full` | `wildcard` | Full unparsed URL. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`user.email` | `keyword` | User email address. | diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md index 0ab6433bd8..54f7cb2fb7 100644 --- a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md +++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md 
@@ -481,6 +481,95 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "elff_event_3.json" + + ```json + + { + "message": "{\"x-bluecoat-request-tenant-id\":\"111\",\"date\":\"2024-03-04\",\"time\":\"16:55:02\",\"x-bluecoat-appliance-name\":\"test_name\",\"time-taken\":\"28\",\"c-ip\":\"1.2.3.4\",\"cs-userdn\":\"AAAAADASD\\\\123123\",\"sc-filter-result\":\"OBSERVED\",\"cs-categories\":\"Entertainment;Radio/Audio Streams\",\"sc-status\":\"0\",\"cs-method\":\"unknown\",\"cs-uri-scheme\":\"ssl\",\"cs-host\":\"test.test.com\",\"cs-uri-port\":\"443\",\"cs-uri-path\":\"/\",\"s-ip\":\"1.2.3.4\",\"sc-bytes\":\"0\",\"cs-bytes\":\"0\",\"x-bluecoat-location-id\":\"0\",\"x-bluecoat-location-name\":\"client\",\"x-bluecoat-access-type\":\"client_connector\",\"x-bluecoat-application-name\":\"Test\",\"r-ip\":\"1.2.3.4\",\"r-supplier-country\":\"United States\",\"x-rs-certificate-validate-status\":\"CERT_VALID\",\"x-rs-certificate-observed-errors\":\"none\",\"x-rs-connection-negotiated-ssl-version\":\"TLSv1.3\",\"x-rs-connection-negotiated-cipher\":\"TLS_AES_256_GCM_SHA384\",\"x-rs-connection-negotiated-cipher-size\":\"256\",\"x-rs-certificate-hostname\":\"*.test.com\",\"x-rs-certificate-hostname-categories\":\"Entertainment;Radio/Audio Streams\",\"x-cs-connection-negotiated-ssl-version\":\"TLSv1.3\",\"x-cs-connection-negotiated-cipher\":\"TLS_AES_256_GCM_SHA384\",\"x-cs-connection-negotiated-cipher-size\":\"256\",\"cs-icap-status\":\"ICAP_NOT_SCANNED\",\"rs-icap-status\":\"ICAP_NOT_SCANNED\",\"s-supplier-country\":\"United States\",\"s-supplier-failures\":\"%21.2.3.4|United%20States|timeout%22\",\"x-cs-client-ip-country\":\"Sweden\",\"cs-threat-risk\":\"2\",\"x-rs-certificate-hostname-threat-risk\":\"2\",\"x-client-agent-type\":\"wss-agent\",\"x-client-os\":\"architecture=x86_64 name=Windows 10 Enterprise 
version=1.0.1\",\"x-client-agent-sw\":\"1.2.3.45454\",\"x-client-device-id\":\"7a6f3564-505c-44c4-a079-Fgdgd\",\"x-client-device-name\":\"ieieuer1234\",\"x-sc-connection-issuer-keyring\":\"SSL_Intercept_1\",\"x-random-ipv6\":\"2001:0DB8:1eb4:5150:2222:3333:60c7:3ede\",\"x-bluecoat-transaction-uuid\\r\":\"c6fae686915242c5-000000003e8a7faf-0000000065e5fce6\\r\"}", + "event": { + "category": [ + "web" + ], + "duration": 28000000, + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2024-03-04T16:55:02Z", + "broadcom": { + "threat_risk": { + "certificate_hostname": "2", + "lvl": "2" + } + }, + "client": { + "address": "1.2.3.4", + "bytes": 0, + "ip": "1.2.3.4", + "user": { + "name": "AAAAADASD\\123123" + } + }, + "dns": { + "answers": [] + }, + "host": { + "os": { + "full": "architecture=x86_64 name=Windows 10 Enterprise version=1.0.1" + } + }, + "http": { + "request": { + "method": "unknown" + }, + "response": { + "status_code": 0 + } + }, + "observer": { + "product": "Cloud Secure Web Gateway", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "test.test.com" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "AAAAADASD\\123123" + ] + }, + "server": { + "bytes": 0, + "ip": "1.2.3.4" + }, + "tls": { + "server": { + "x509": { + "alternative_names": [ + "*.test.com" + ] + } + } + }, + "url": { + "domain": "test.test.com", + "path": "/", + "port": 443, + "registered_domain": "test.com", + "scheme": "ssl", + "subdomain": "test", + "top_level_domain": "com" + } + } + + ``` + +