From f8adf38c58f9018d302142c7cf0e6d6a2340c773 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Thu, 12 Oct 2023 07:41:19 +0000 Subject: [PATCH] Refresh intakes documentation --- .../20876735-c423-4bbc-9d19-67edc91fb063.md | 174 +++++++++++++++++- 1 file changed, 173 insertions(+), 1 deletion(-) diff --git a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md index 4c61f7225b..2743c00811 100644 --- a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md +++ b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md @@ -61,6 +61,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "firstname": "Admin", "lastname": "Admin" }, + "event": { + "outcome": "SUCCESS" + }, "class": " audit.admin.com.rsa.ims.admin.impl.PrincipalAdministrationImpl", "action": { "name": "UPDATE_PRINCIPAL" @@ -144,6 +147,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "firstname": "Admin", "lastname": "Admin" }, + "event": { + "outcome": "SUCCESS" + }, "class": " audit.admin.com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl", "action": { "name": "AM_UNLINK_TOKEN_PRINCIPAL" @@ -184,6 +190,160 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_audit_admin_event3.json" + + ```json + + { + "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_METHOD_FAILED_SYNTAX_ERROR,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n", + "event": { + "code": "23008", + "reason": "AUTHN_METHOD_FAILED_SYNTAX_ERROR", + "category": [ + "authentication" + ], + "type": [ + "start" + ] + }, + "observer": { + "hostname": " example.intranet", + "serial_number": "0e34d92f7c6549b19ed28471c02a049b" + }, + "source": { + "ip": "5.6.7.8", + "address": "5.6.7.8" + }, + "log": { + "level": "ERROR" + }, + "destination": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "agent": { + "id": "09f1f5fc30e947ce9e564d5a91745091", + "name": "source.hostname" + }, + "rsa": { + "securid": { + "event": { + "outcome": "FAIL" + }, + "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl", + "action": { + "name": "AUTHN_LOGIN_EVENT" + }, + "agent": { + "ip": "1.2.3.4", + "domain": { + "id": "000000000000000000001000e0011000" + } + }, + "policy": { + "method": { + "id": "1" + } + } + } + }, + "user": { + "name": "admin" + }, + "related": { + "hosts": [ + " example.intranet" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "admin" + ] + } + } + + ``` + + +=== "test_audit_admin_event4.json" + + ```json + + { + "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_PRINCIPAL_LOCKED,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n", + "event": { + "code": "23008", + "reason": "AUTHN_PRINCIPAL_LOCKED", + "category": [ + "authentication" + ], + "type": [ + "start" + ] + }, + "observer": { + "hostname": " example.intranet", + "serial_number": "0e34d92f7c6549b19ed28471c02a049b" + }, + "source": { + "ip": "5.6.7.8", + "address": "5.6.7.8" + }, + "log": { + "level": "ERROR" + }, + "destination": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "agent": { + "id": "09f1f5fc30e947ce9e564d5a91745091", + "name": "source.hostname" + }, + "rsa": { + "securid": { + "event": { + "outcome": "FAIL" + }, + "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl", + "action": { + "name": "AUTHN_LOGIN_EVENT" + }, + "agent": { + "ip": "1.2.3.4", + "domain": { + "id": "000000000000000000001000e0011000" + } + }, + "policy": { + "method": { + "id": "1" + } + } + } + }, + "user": { + "name": "admin" + }, + "related": { + "hosts": [ + " example.intranet" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "admin" + ] + } + } + + ``` + + === "test_audit_runtime_event.json" ```json @@ -221,6 +381,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "rsa": { "securid": { + "event": { + "outcome": "FAIL" + }, "class": " audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler", "action": { "name": "AUTH_PRINCIPAL_RESOLUTION" @@ -298,6 +461,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "firstname": "HDTCO04" }, + "event": { + "outcome": "SUCCESS" + }, "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl", "action": { "name": "AUTHN_LOGIN_EVENT" @@ -382,6 +548,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "firstname": "Admin", "lastname": "Admin" }, + "event": { + "outcome": "SUCCESS" + }, "class": " audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl", "action": { "name": "AUTHN_LOGOUT_EVENT" @@ -519,6 +688,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "rsa": { "securid": { + "event": { + "outcome": "SUCCESS" + }, "class": " system.com.rsa.ims.configuration.impl.ConfigurationServiceImpl", "action": { "name": "CONF_VALUE_UPDATED" @@ -551,7 +723,6 @@ The following table lists the fields that are extracted, normalized under the EC |`agent.name` | `keyword` | Custom name of the agent. | |`destination.ip` | `ip` | IP address of the destination. | |`event.code` | `keyword` | Identification code for this event. | -|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`log.level` | `keyword` | Log level of the log event. | |`observer.hostname` | `keyword` | Hostname of the observer. | @@ -563,6 +734,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rsa.securid.agent.ip` | `keywords` | This field represents the IP address of the agent (server or application) that generated the SecureID event. | |`rsa.securid.class` | `keywords` | represents the class or category of an RSA SecureID event. It is a keyword field, which means it can be used to group and filter events based on the SecureID class they belong to. | |`rsa.securid.domain.id` | `keywords` | represents the unique ID of the domain or realm associated with a SecureID event. | +|`rsa.securid.event.outcome` | `keywords` | The outcome of the event | |`rsa.securid.objects.id` | `keywords` | represents the unique ID of the object associated with a SecureID event. | |`rsa.securid.objects.name` | `keywords` | represents the name of the object associated with a SecureID event. | |`rsa.securid.objects.security.id` | `keywords` | represents the unique ID of the security context associated with the object in a SecureID event. |