diff --git a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md
index 7a5d8cc524..072edc6a0c 100644
--- a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md
+++ b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md
@@ -878,7 +878,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "device": "00:00",
 "inode": "25973",
 "mode": "0644",
- "uid": "0"
+ "uid": "0",
+ "name": "oom_score_adj",
+ "directory": "/proc/1"
 },
 "host": {
 "name": "xps-housetodd",
diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
index 0d21983fd6..ffa6cb6820 100644
--- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
+++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
@@ -469,7 +469,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "@timestamp": "2022-04-11T07:18:34.090547Z",
 "file": {
- "path": "C:\\Windows\\system32\\diskshadow.exe"
+ "path": "C:\\Windows\\system32\\diskshadow.exe",
+ "name": "diskshadow.exe",
+ "directory": "C:\\Windows\\system32"
 },
 "related": {
 "user": [
diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
index 2091d5fd2b..d941c28509 100644
--- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
+++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
@@ -366,7 +366,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "111111111111111"
 },
 "file": {
- "path": "dal_0234.dll"
+ "path": "dal_0234.dll",
+ "name": "dal_0234.dll",
+ "directory": ""
 },
 "crowdstrike": {
 "customer_id": "222222222222222222222"
@@ -747,7 +749,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "111111111111111"
 },
 "file": {
- "path": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500\\Preferences"
+ "path": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500\\Preferences",
+ "name": "Preferences",
+ "directory": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Group Policy\\Users\\S-1-5-21-1111111111-2222222222-3333333333-27500\\History\\{7330D718-94E9-43DB-8BCB-1F2D0C2FB34E}\\S-1-5-21-1111111111-2222222222-3333333333-27500"
 },
 "crowdstrike": {
 "customer_id": "222222222222222222222"
@@ -1097,7 +1101,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "111111111111111"
 },
 "file": {
- "path": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_010051"
+ "path": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_010051",
+ "name": "f_010051",
+ "directory": "\\Device\\HarddiskVolume3\\Users\\j.doe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data"
 },
 "crowdstrike": {
 "customer_id": "222222222222222222222"
@@ -1145,7 +1151,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "111111111111111"
 },
 "file": {
- "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082\\WebView2Loader.dll"
+ "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082\\WebView2Loader.dll",
+ "name": "WebView2Loader.dll",
+ "directory": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\Microsoft.Edge_123082"
 },
 "crowdstrike": {
 "customer_id": "222222222222222222222"
diff --git a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
index 2d5b64145d..cf77df94dc 100644
--- a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
+++ b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
@@ -34,7 +34,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "severity": 5,
 "action": "DELIVERED",
- "reason": "'\\=?ISO-8859-15?Q?foo\\=20bar\\=20baz\\=20-\\=123456789?\\='\n\n",
+ "reason": "'\\=?ISO-8859-15?Q?foo\\=20bar\\=20baz\\=20-\\=123456789?\\='",
 "end": "2022-08-01T03:34:23Z",
 "start": "2022-08-01T03:30:36Z"
 },
@@ -766,7 +766,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "CEF:0|SEKOIA.IO|SIC|v0.3.12|666|Download|1|msg= sys.log downloaded by john.doe@example.com src=127.0.0.1 cn1=53 cn1Label=seconds cs1Label=type cs1=ssl_download cs2Label=location cs2=home fname=sys.log fsize=666 suser=john.doe@example.com",
 "event": {
 "severity": 1,
- "reason": " sys.log downloaded by john.doe@example.com"
+ "reason": "sys.log downloaded by john.doe@example.com"
 },
 "observer": {
 "vendor": "SEKOIA.IO",
@@ -988,7 +988,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "inode": "0",
- "path": "page-icon.png"
+ "path": "page-icon.png",
+ "name": "page-icon.png",
+ "directory": ""
 },
 "cef": {
 "externalId": "xxxxxxxxxxxxx",
diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
index aef6c9934f..3a8629cd60 100644
--- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
+++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
@@ -647,7 +647,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"user\":{\"target\":{\"id\":\"S-1-5-18\",\"name\":\"Syst\u00e8me\",\"domain\":\"AUTORITE NT\"},\"id\":\"S-1-5-18\",\"name\":\"SRV-FOO\",\"domain\":\"MY-DOMAIN\"},\"action\":{\"properties\":{\"AuthenticationPackageName\":\"Negotiate\",\"EventType\":\"AUDIT_SUCCESS\",\"ImpersonationLevel\":\"%%1833\",\"IpAddress\":\"-\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Keywords\":\"0x8020000000000000\",\"LmPackageName\":\"-\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"LogonProcessName\":\"Advapi \",\"LogonType\":\"5\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"SubjectDomainName\":\"MY-DOMAIN\",\"SubjectLogonId\":\"0x3E7\",\"SubjectUserName\":\"SRV-FOO\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetDomainName\":\"AUTORITE NT\",\"TargetLogonId\":\"0x3E7\",\"TargetUserName\":\"Syst\u00e8me\",\"TargetUserSid\":\"S-1-5-18\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"-\"},\"id\":4624},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4624},\"agent\":{\"id\":\"1193b609e262926e284b6076cab8919b8725fa9f576a22c7e0041edeb04f5c76\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"SRV-FOO\"},\"process\":{\"executable\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"name\":\"services.exe\",\"pid\":676},\"@timestamp\":\"2023-06-23T08:15:00.4849617Z\"}\n",
 "event": {
 "code": "4624",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "category": [
+ "authentication"
+ ],
+ "type": [
+ "start"
+ ],
+ "action": "authentication_service"
+ },
+ "sekoiaio": {
+ "client": {
+ "os": {
+ "type": "windows"
+ },
+ "name": "SRV-FOO",
+ "user": {
+ "name": "SRV-FOO",
+ "id": "S-1-5-18"
+ }
+ },
+ "server": {
+ "name": "SRV-FOO",
+ "os": {
+ "type": "windows"
+ }
+ }
 },
 "@timestamp": "2023-06-23T08:15:00.484961Z",
 "action": {
@@ -678,7 +703,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "TransmittedServices": "-",
 "WorkstationName": "-"
 },
- "id": 4624
+ "id": 4624,
+ "outcome": "success"
 },
 "agent": {
 "id": "1193b609e262926e284b6076cab8919b8725fa9f576a22c7e0041edeb04f5c76",
@@ -693,7 +719,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "process": {
 "executable": "C:\\Windows\\System32\\services.exe",
- "name": "services.exe",
+ "name": "Advapi ",
 "pid": 676
 },
 "user": {
@@ -727,7 +753,32 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"user\":{\"target\":{\"id\":\"S-1-0-0\",\"name\":\"foo-vm\",\"domain\":\"foo-vm\"},\"id\":\"S-1-0-0\"},\"action\":{\"properties\":{\"AuthenticationPackageName\":\"NTLM\",\"EventType\":\"AUDIT_FAILURE\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"1.1.1.1\",\"IpPort\":\"0\",\"KeyLength\":\"0\",\"Keywords\":\"0x8010000000000000\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":\"3\",\"ProcessName\":\"-\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"Status\":\"0xC000006D\",\"SubStatus\":\"0xC0000064\",\"SubjectDomainName\":\"-\",\"SubjectLogonId\":\"0x0\",\"SubjectUserName\":\"-\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetDomainName\":\"foo-vm\",\"TargetUserName\":\"foo-vm\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"WIN-FOO\"},\"id\":4625},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4625},\"agent\":{\"id\":\"dd4e2378f7208b8b8557a9b7a725b6d551887b868c72b8cb91668d56eca10c6f\",\"version\":\"v1.1.0+5369595aebc1c30ff2c849af30f51e4d9327584f\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"foo-vm\"},\"source\":{\"address\":\"1.1.1.1\",\"ip\":\"1.1.1.1\"},\"@timestamp\":\"2023-06-23T08:13:49.4015618Z\"}\n",
 "event": {
 "code": "4625",
- "provider": "Microsoft-Windows-Security-Auditing"
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "category": [
+ "authentication"
+ ],
+ "type": [
+ "start"
+ ],
+ "action": "authentication_network",
+ "reason": "user_not_exist"
+ },
+ "sekoiaio": {
+ "client": {
+ "os": {
+ "type": "windows"
+ },
+ "name": "WIN-FOO",
+ "user": {
+ "id": "S-1-0-0"
+ }
+ },
+ "server": {
+ "name": "foo-vm",
+ "os": {
+ "type": "windows"
+ }
+ }
 },
 "@timestamp": "2023-06-23T08:13:49.401561Z",
 "action": {
@@ -758,7 +809,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "TransmittedServices": "-",
 "WorkstationName": "WIN-FOO"
 },
- "id": 4625
+ "id": 4625,
+ "outcome": "failure"
 },
 "agent": {
 "id": "dd4e2378f7208b8b8557a9b7a725b6d551887b868c72b8cb91668d56eca10c6f",
@@ -790,6 +842,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": [
 "1.1.1.1"
 ]
+ },
+ "client": {
+ "ip": "1.1.1.1"
+ },
+ "process": {
+ "name": "NtLmSsp "
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
index 3d1cc0ca5e..335b3a5ac9 100644
--- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
+++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
@@ -125,7 +125,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tIdentification\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1004336348-2052111302-725345543-33053\\r\\n\\tAccount Name:\\t\\tHOSTMON\\r\\n\\tAccount Domain:\\t\\tACME.LOCAL\\r\\n\\tLogon ID:\\t\\t0x6409B67A\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.129.224.1\\r\\n\\tSource Port:\\t\\t55731\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"EventId\":4624,\"Level\":0,\"Opcode\":0,\"Pid\":632,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"4624201254400x80200000000000009999727SecurityAZNTPI-01.acme.localS-1-0-0--0x0S-1-5-21-1004336348-2052111302-725345543-33053HOSTMONACME.LOCAL0x6409b67a3KerberosKerberos-{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}--00x0-10.129.224.155731%%1832---%%18430x0%%1842\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":12544,\"Tid\":904},\"time\":\"2019-07-22T11:20:54.5585776Z\"}", "event": { "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing" + "provider": "Microsoft-Windows-Security-Auditing", + "category": [ + "authentication" + ], + "type": [ + "start" + ] + }, + "sekoiaio": { + "server": { + "os": { + "type": "windows" + } + } }, "os": { "family": "windows", 
diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md
index 244631d92e..dec7bfe7c0 100644
--- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md
+++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md
@@ -181,7 +181,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
- "size": 559316722
+ "size": 559316722,
+ "name": "YYYYYYYYYYYYYYYYY.mp4",
+ "directory": "C:\\Users\\XXXXXXXX\\Downloads"
 },
 "rule": {
 "name": "Multimedia file"
@@ -243,7 +245,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4",
- "size": 559316722
+ "size": 559316722,
+ "name": "YYYYYYYYYYYYYYYYY.mp4",
+ "directory": "C:\\Users\\XXXXXXXX\\Downloads"
 },
 "rule": {
 "name": "Multimedia file"
@@ -617,7 +621,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "ip": "1.2.3.4"
 },
 "file": {
- "path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc"
+ "path": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc",
+ "name": "tempc",
+ "directory": "C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp"
 },
 "rule": {
 "name": "Rule Generic PUA"
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
index ccaff89e33..25464ef405 100644
--- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
+++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
@@ -212,7 +212,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "1966-04-24T06:14:24Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "TS_DiagnosticHistory.ps1",
+ "directory": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57"
 },
 "related": {
 "hash": [
@@ -630,7 +632,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "1966-04-24T06:14:24Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "IndirectKmd.sys",
+ "directory": "C:\\Windows\\System32\\drivers"
 },
 "related": {
 "hash": [
@@ -788,7 +792,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "2023-03-20T16:20:31.269000Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "TEST FILE ARY_2",
+ "directory": "C:\\Users\\john.doe\\Desktop"
 },
 "related": {
 "hash": [
@@ -1006,7 +1012,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "2023-03-30T13:41:05.718000Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp",
+ "directory": "C:\\Users\\john.doe\\AppData\\Local\\Temp"
 },
 "related": {
 "hash": [
@@ -1167,7 +1175,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "1966-04-24T06:14:24Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "aggregatestatus_20230323132115270.json",
+ "directory": "C:\\WindowsAzure\\Logs\\AggregateStatus"
 },
 "related": {
 "hash": [
@@ -4229,7 +4239,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "mtime": "1966-04-24T06:14:24Z",
 "code_signature": {
 "exists": false
- }
+ },
+ "name": "rundll32.exe",
+ "directory": "C:\\Windows\\System32"
 },
 "related": {
 "hash": [
diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md
index 718065a2de..8cbb098b84 100644
--- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md
+++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md
@@ -466,7 +466,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe",
- "size": 67352
+ "size": 67352,
+ "name": "vtomxvision.exe",
+ "directory": "c:\\program files (x86)\\visualxxxxxxxxxx"
 },
 "source": {
 "ip": "1.2.3.4",
@@ -627,7 +629,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "C:\\Users\\admin\\Desktop\\test.txt",
- "size": 68
+ "size": 68,
+ "name": "test.txt",
+ "directory": "C:\\Users\\admin\\Desktop"
 },
 "source": {
 "ip": "1.2.3.4",
@@ -731,7 +735,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "/tmp/eicar.txt",
- "size": 69
+ "size": 69,
+ "name": "eicar.txt",
+ "directory": "/tmp"
 },
 "source": {
 "ip": "1.2.3.4",
diff --git a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md
index 064157d3a3..4026da72d4 100644
--- a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md
+++ b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md
@@ -65,7 +65,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "name": "127.0.0.1"
 },
 "file": {
- "path": "~/pub.key"
+ "path": "~/pub.key",
+ "name": "pub.key",
+ "directory": "~"
 },
 "source": {
 "ip": "192.168.0.1",
diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md
index ae284e3851..65aabc5515 100644
--- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md
+++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md
@@ -251,11 +251,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "vendor": "Cisco",
 "product": "Cisco ISE"
 },
- "source": {
- "domain": " servername",
- "ip": "1.2.3.4",
- "address": " servername"
- },
 "cisco": {
 "ise": {
 "network_calling_station": {
@@ -263,9 +258,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 }
 },
+ "source": {
+ "domain": "servername",
+ "ip": "1.2.3.4",
+ "address": "servername"
+ },
 "related": {
 "hosts": [
- " servername"
+ "servername"
 ],
 "ip": [
 "1.2.3.4"
diff --git a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md
index 18785bf704..557bb1130b 100644
--- a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md
+++ b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md
@@ -457,7 +457,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file": {
 "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data",
 "type": "dir",
- "created": "2021-08-09T13:28:53.666000Z"
+ "created": "2021-08-09T13:28:53.666000Z",
+ "name": "User Data",
+ "directory": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome"
 },
 "related": {
 "user": [
@@ -1030,7 +1032,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "path": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f",
 "size": 1347,
 "type": "dir",
- "created": "2022-08-29T07:28:39.966000Z"
+ "created": "2022-08-29T07:28:39.966000Z",
+ "name": "2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f",
+ "directory": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec"
 },
 "related": {
 "hash": [
@@ -1133,7 +1137,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "file": {
 "path": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist",
- "created": "2022-08-26T08:51:42.152000Z"
+ "created": "2022-08-26T08:51:42.152000Z",
+ "name": "ff558ca8ac21977f6850e3a3a719ed4f.plist",
+ "directory": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy"
 },
 "related": {
 "hash": [
diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
index 03ab3a291c..576989b1c2 100644
--- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
+++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md
@@ -67,7 +67,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "path": "c:\\System\\kprocesshacker.sys",
 "hash": {
 "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
- }
+ },
+ "name": "kprocesshacker.sys",
+ "directory": "c:\\System"
 },
 "host": {
 "name": "desktop-aaaaaa"
diff --git a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md
index 43505361a1..6d10ceb517 100644
--- a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md
+++ b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md
@@ -83,7 +83,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "md5": "44D88612FEA8A8F36DE82E1278ABB02F"
 },
 "size": 205,
- "path": "C:\\Users\\trend\\Desktop\\eicar.exe"
+ "path": "C:\\Users\\trend\\Desktop\\eicar.exe",
+ "name": "eicar.exe",
+ "directory": "C:\\Users\\trend\\Desktop"
 },
 "cef": {
 "Name": "Eicar_test_file"
@@ -203,7 +205,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "sha1": "0CC9713BA896193A527213D9C94892D41797EB7C",
 "md5": "7EA8EF10BEB2E9876D4D7F7E5A46CF8D"
 },
- "path": "/home/user1/Desktop/Directory1//heartbeatSync.sh"
+ "path": "/home/user1/Desktop/Directory1//heartbeatSync.sh",
+ "name": "heartbeatSync.sh",
+ "directory": "/home/user1/Desktop/Directory1/"
 },
 "source": {
 "user": {
@@ -394,7 +398,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "name": "C:\\Windows\\System32\\notepad.exe"
 },
 "file": {
- "path": "c:\\windows\\message.dll"
+ "path": "c:\\windows\\message.dll",
+ "name": "message.dll",
+ "directory": "c:\\windows"
 },
 "cef": {
 "Name": "New Integrity Monitoring Rule"
diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
index 759670320f..12b6e14af2 100644
--- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
+++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md 
@@ -130,11 +130,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"@timestamp\":\"2023-06-23T08:15:46.358Z\",\"ecs\":{\"version\":\"1.0.0\"},\"type\":\"winlogbeat\",\"tags\":[\"beats_input_codec_plain_applied\"],\"agent\":{\"id\":\"c1e16f64-cfc4-4141-bdc0-71f2a0e45791\",\"ephemeral_id\":\"21a6bd0d-afb5-4e55-827e-5329797579a4\",\"hostname\":\"VM-FOO\",\"version\":\"7.0.0\",\"type\":\"winlogbeat\"},\"host\":{\"os\":{\"build\":\"14393.5921\",\"kernel\":\"10.0.14393.5921 (rs1_release.230504-1649)\",\"version\":\"10.0\",\"name\":\"Windows Server 2016 Datacenter\",\"family\":\"windows\",\"platform\":\"windows\"},\"id\":\"8ea16272-0ba2-4838-b321-1646a493a128\",\"hostname\":\"VM-FOO\",\"architecture\":\"x86_64\",\"name\":\"VM-FOO\"},\"winlog\":{\"process\":{\"pid\":756,\"thread\":{\"id\":13000}},\"event_data\":{\"TargetLogonId\":\"0x2374a6a43\",\"SubjectLogonId\":\"0x0\",\"TargetUserName\":\"FOO-FARM-ADMIN\",\"TargetUserSid\":\"S-1-5-21-776561741-920026266-725345543-12737\",\"TargetLinkedLogonId\":\"0x0\",\"ProcessId\":\"0x0\",\"AuthenticationPackageName\":\"Kerberos\",\"ImpersonationLevel\":\"%%1833\",\"LogonGuid\":\"{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\",\"LmPackageName\":\"-\",\"RestrictedAdminMode\":\"-\",\"VirtualAccount\":\"%%1843\",\"TransmittedServices\":\"-\",\"WorkstationName\":\"-\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"-\",\"ProcessName\":\"-\",\"TargetDomainName\":\"FOOBAR.NET\",\"KeyLength\":\"0\",\"ElevatedToken\":\"%%1842\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundUserName\":\"-\",\"LogonType\":\"3\",\"SubjectUserName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"SubjectDomainName\":\"-\",\"IpPort\":\"-\"},\"activity_id\":\"{DBC05D38-994B-0003-395D-C0DB4B99D901}\",\"record_id\":131091844,\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"opcode\":\"Info\",\"keywords\":[\"Audit 
Success\"],\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"Logon\",\"channel\":\"Security\",\"computer_name\":\"VM-FOO.FOOBAR.NET\",\"version\":2,\"event_id\":4624,\"api\":\"wineventlog\"},\"log\":{\"level\":\"information\"},\"event\":{\"code\":4624,\"kind\":\"event\",\"action\":\"Logon\",\"created\":\"2023-06-23T08:15:47.185Z\"},\"@version\":\"1\",\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tYes\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-1-5-21-776561741-920026266-725345543-12737\\n\\tAccount Name:\\t\\tFOO-FARM-ADMIN\\n\\tAccount Domain:\\t\\tFOOBAR.NET\\n\\tLogon ID:\\t\\t0x2374A6A43\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x0\\n\\tProcess Name:\\t\\t-\\n\\nNetwork Information:\\n\\tWorkstation Name:\\t-\\n\\tSource Network Address:\\t-\\n\\tSource Port:\\t\\t-\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tKerberos\\n\\tAuthentication Package:\\tKerberos\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}", "event": { - "action": "Logon", + "action": "authentication_network", "code": "4624", "kind": "event", "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-776561741-920026266-725345543-12737\n\tAccount Name:\t\tFOO-FARM-ADMIN\n\tAccount Domain:\t\tFOOBAR.NET\n\tLogon ID:\t\t0x2374A6A43\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{FBEAEF6D-F1DA-F8AD-A2B2-A3A9AAC706AD}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited 
Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", - "hash": "009b8a99fa360981d2f0407a8513d7742fc6a311" + "hash": "009b8a99fa360981d2f0407a8513d7742fc6a311", + "category": [ + "authentication" + ], + "type": [ + "start" + ] + }, + "sekoiaio": { + "client": { + "os": { + "type": "windows" + }, + "name": "VM-FOO", + "user": { + "id": "S-1-0-0" + } + }, + "server": { + "name": "VM-FOO", + "os": { + "type": "windows" + } + } }, "@timestamp": "2023-06-23T08:15:46.358000Z", "action": { 
@@ -167,12 +190,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "SubjectDomainName": "-",
 "IpPort": "-"
 },
- "id": 4624
+ "id": 4624,
+ "outcome": "success"
 },
 "user": {
 "target": {
 "name": "FOO-FARM-ADMIN",
- "domain": "FOOBAR.NET"
+ "domain": "FOOBAR.NET",
+ "id": "S-1-5-21-776561741-920026266-725345543-12737"
 }
 },
 "agent": {
@@ -227,6 +252,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "hosts": [
 "VM-FOO"
 ]
+ },
+ "process": {
+ "name": "Kerberos"
 }
 }
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
index 66036ba372..5e89fe0b45 100644
--- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
@@ -83,6 +83,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "request_type": "OAuth2:Authorize",
 "result_status_detail": "Redirect",
 "keep_me_signed_in": true
+ },
+ "context": {
+ "correlation": {
+ "id": "d23dd5d2-ccc8-4928-b7a0-f446a2ca4a90"
+ }
 }
 },
 "user_agent": {
@@ -1332,6 +1337,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 },
 "audit": {
 "object_id": "aaaa.bbbb@example.org"
+ },
+ "context": {
+ "correlation": {
+ "id": "92d46438-1e67-43e3-91ca-039ff39d7217"
+ }
 }
 },
 "related": {
@@ -1399,6 +1409,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "request_type": "OAuth2:Authorize",
 "result_status_detail": "Redirect",
 "keep_me_signed_in": true
+ },
+ "context": {
+ "correlation": {
+ "id": "794c9504-66fe-441c-831a-5fc2badfcdc8"
+ }
 }
 },
 "user_agent": {
@@ -1483,7 +1498,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "result_status_detail": "Success"
 },
 "context": {
- "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248"
+ "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248",
+ "correlation": {
+ "id": "d48e6ea0-40c1-5000-5eba-0ee33d13b1ca"
+ }
 }
 },
 "user_agent": {
