Refresh intakes documentation #1400

Merged (1 commit), Oct 24, 2023
Expand Up @@ -34,7 +34,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "09/29/2023:07:40:56 GMT ADC-WEB1 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"event": {
"category": [
"network"
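Review bot: the hostname token in `message` changes from `ADC-WEB1` to `ADC`, but the matching `observer.name` for this same sample is only updated in the following hunk (`-49,7 +49,7`); since both values come from the same token in the raw line, check that every sample's `message`/`observer.name` pair moved together in this refresh, otherwise the documentation would show a normalization the parser does not actually produce. For this sample the two do match.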
Expand All @@ -49,7 +49,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"@timestamp": "2023-09-29T07:40:56Z",
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
}
}

Expand Down Expand Up @@ -124,7 +124,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:46 ADC-WEB1 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1",
"message": "2023/07/04:09:03:46 ADC 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1",
"event": {
"category": [
"network"
Expand All @@ -150,7 +150,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -172,7 +172,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1",
"message": "2023/07/04:09:03:46 ADC 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1",
"event": {
"category": [
"network"
Expand All @@ -198,7 +198,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -220,7 +220,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:45 ADC-WEB1 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762",
"message": "2023/07/04:09:03:45 ADC 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762",
"event": {
"category": [
"network"
Expand Down Expand Up @@ -250,7 +250,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
},
"related": {
"ip": [
Expand Down Expand Up @@ -339,7 +339,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:41 ADC-WEB1 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"",
"message": "\"2023/07/04:09:03:41 ADC 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"",
"event": {
"category": [
"network"
Expand All @@ -354,7 +354,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"@timestamp": "2023-07-04T09:03:41Z",
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
}
}

Expand All @@ -366,7 +366,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"",
"message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"",
"event": {
"category": [
"network"
Expand All @@ -388,7 +388,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -414,7 +414,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
"message": "\"2023/07/04:09:03:46 ADC 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
"event": {
"category": [
"network"
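Review bot: the hostname is generalized to `ADC` here, yet the sample still carries the environment-specific user `<vpn17590>` and policy name `SESSPOL_VPN_Remoteadmin`; if the purpose of this refresh is to scrub deployment-specific identifiers from the published samples, those two values should be replaced with placeholders in the same pass (the IP addresses in this line are already example addresses).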
Expand All @@ -437,7 +437,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -462,7 +462,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context [email protected] - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"",
"message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context [email protected] - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"",
"event": {
"category": [
"network"
Expand All @@ -488,7 +488,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Original file line number Diff line number Diff line change
@@ -0,0 +1,239 @@

## Event Categories


The following table lists the data source offered by this integration.

| Data Source | Description |
| ----------- | ------------------------------------ |
| `Email gateway` | Trend Micro Email Security generates various types of logs such as mail tracking logs. |





In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `email` |
| Type | `info` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "test_bounced.json"

```json

{
"message": "{\"size\": 8245, \"action\": \"Bounced\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"details\": \"mail for example.org loops back to myself\", \"genTime\": \"2023-09-28T13:55:45Z\", \"subject\": \"My subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: None\", \"headerTo\": [\"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<22222222222222222222222222222222222222222222222222222222@EXAMPLE>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:55:33Z\", \"headerFrom\": \"[email protected]\", \"deliveredTo\": \"none\", \"deliveryTime\": \"2023-09-28T13:55:33Z\"}",
"event": {
"action": "Bounced",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:55:33Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "22222222222222222222222222222222222222222222222222222222@EXAMPLE",
"sender": {
"address": "[email protected]"
},
"subject": "My subject",
"to": {
"address": [
"[email protected]"
]
}
}
}

```


=== "test_delivered.json"

```json

{
"message": "{\"size\": 2538013, \"action\": \"Delivered\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"details\": \"250 2.0.0 1z3r022fdx-1 Message accepted for delivery\", \"genTime\": \"2023-09-28T13:51:23Z\", \"subject\": \"Automn is coming\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: TLS 1.2\", \"headerTo\": [\"[email protected]\", \"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<[email protected]>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:51:13Z\", \"headerFrom\": \"[email protected]\", \"attachments\": [{\"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"fileName\": \"attachment.pdf\"}], \"deliveredTo\": \"antispam.example.org[5.6.7.8]:25\", \"deliveryTime\": \"2023-09-28T13:51:18Z\", \"embeddedUrls\": [\"https://aws.amazon.com\", \"https://cloud.google.com\", \"https://www.azure.com\"]}",
"event": {
"action": "Delivered",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:51:13Z",
"email": {
"attachments": [
{
"file": {
"hash": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"name": "attachment.pdf"
}
}
],
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "[email protected]",
"sender": {
"address": "[email protected]"
},
"subject": "Automn is coming",
"to": {
"address": [
"[email protected]",
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"https://aws.amazon.com",
"https://cloud.google.com",
"https://www.azure.com"
]
}
}
}

```


=== "test_quarantined.json"

```json

{
"message": "{\"size\": 51149, \"action\": \"Quarantined\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"genTime\": \"2023-09-28T13:47:18Z\", \"subject\": \"My beautiful subject\", \"headerTo\": [\"[email protected]\"], \"direction\": \"in\", \"messageID\": \"<11111111111111111111111111111111111111111111111111111111111111111@example.org>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:45:59Z\", \"headerFrom\": \"[email protected]\", \"embeddedUrls\": [\"https://sekoia.io\", \"https://www.nytimes.com\"]}",
"event": {
"action": "Quarantined",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:45:59Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "11111111111111111111111111111111111111111111111111111111111111111@example.org",
"sender": {
"address": "[email protected]"
},
"subject": "My beautiful subject",
"to": {
"address": [
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"https://sekoia.io",
"https://www.nytimes.com"
]
}
}
}

```


=== "test_scanned.json"

```json

{
"message": "{\"size\": 48984, \"action\": \"Scanning in sandbox\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"genTime\": \"2023-09-28T13:55:53Z\", \"subject\": \"My beautiful subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.3\", \"headerTo\": [\"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"in\", \"messageID\": \"<[email protected]>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:55:44Z\", \"headerFrom\": \"[email protected]\", \"embeddedUrls\": [\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\", \"https://lemonde.fr\"]}",
"event": {
"action": "Scanning in sandbox",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:55:44Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "[email protected]",
"sender": {
"address": "[email protected]"
},
"subject": "My beautiful subject",
"to": {
"address": [
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd",
"https://lemonde.fr"
]
}
}
}

```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`email.attachments` | `nested` | List of objects describing the attachments. |
|`email.from.address` | `keyword` | The sender's email address. |
|`email.local_id` | `keyword` | Unique identifier given by the source. |
|`email.message_id` | `wildcard` | Value from the Message-ID header. |
|`email.sender.address` | `keyword` | Address of the message sender. |
|`email.subject` | `keyword` | The subject of the email message. |
|`email.to.address` | `keyword` | Email address of recipient |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`trendmicro.email.embedded_urls` | `array` | |
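Review bot: the new page has a few wording slips to fix before merging: `Find below few samples` should read `Find below a few samples`, `In details, the following table denotes` should read `In detail, the following table lists`, and `infered` is misspelled (`inferred`). In the Extracted Fields table the `trendmicro.email.embedded_urls` row has an empty Description (suggest `URLs embedded in the message body, as reported by Trend Micro Email Security`), and `email.to.address` lacks the terminating period the other rows have; the runs of four or five blank lines between sections can also be trimmed. One content question: the `test_delivered.json` sample stores the SHA-256 digest directly as a string under `attachments[].file.hash`, whereas ECS models `email.attachments.file.hash` as an object with `sha256` and sibling keys; please confirm this is the shape the parser really emits, and if so the `email.attachments` row should say so.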
