diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 7eb1013f21..14babeb277 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md 
@@ -197,6 +197,65 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_target_user.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc 
Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}", + "event": { + "action": "edit", + "category": [ + "file" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "change" + ] + }, + "@timestamp": "2024-01-17T11:09:39.840000Z", + "file": { + "name": "Doc Temp", + "owner": "owner@test.com", + "type": "document" + }, + "google": { + "report": { + "actor": { + "email": "senduser@test.com" + }, + "parameters": { + "visibility": "shared_externally" + } + } + }, + "network": { + "application": "drive" + }, + "related": { + "ip": [ + "0.0.0.0" + ], + "user": [ + "owner@test.com" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "user": { + "id": "XXXXXX", + "target": { + "email": "targetuser@test.fr" + } + } + } + + ``` + + @@ -222,4 +281,5 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`user.email` | `keyword` | User email address. | |`user.id` | `keyword` | Unique identifier of the user. | +|`user.target.email` | `keyword` | User email address. | diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md new file mode 100644 index 0000000000..c01664efef --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md 
@@ -0,0 +1,232 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | collect network activities from source | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `web` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "elff_event.json" + + ```json + + { + "message": " {\n \"count\": 1000,\n \"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(user-agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n 
\"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"time-taken\": 500,\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n 
\"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }", + "event": { + "action": "Allow", + "category": [ + "web" + ], + "duration": 500000000, + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2024-01-17T12:34:56Z", + "broadcom": { 
+ "data_leak_detected": "False", + "file_reputation_score": "95", + "forwarded_for": "192.168.0.1", + "threat_risk": { + "certificate_hostname": "Low", + "dns_lvl": "High", + "lvl": "High" + }, + "virus_id": "VirusID1" + }, + "client": { + "address": "192.168.1.1", + "bytes": 1024, + "ip": "192.168.1.1", + "user": { + "name": "user@example.com" + } + }, + "dns": { + "answers": [ + { + "data": "1.2.3.4", + "type": "A" + }, + { + "data": "5.6.7.8", + "type": "A" + }, + { + "data": "cname1.example.com", + "type": "CNAME" + }, + { + "data": "cname2.example.com", + "type": "CNAME" + }, + { + "data": "ptr1.example.com", + "type": "PTR" + }, + { + "data": "ptr2.example.com", + "type": "PTR" + }, + { + "data": "NoError", + "type": "RCODE" + }, + { + "data": "NoError1", + "type": "RCODE" + } + ], + "op_code": "DNSOpcode1", + "question": { + "class": "DNSQClass1", + "name": "DNSName1", + "type": "DNSQType1" + } + }, + "host": { + "os": { + "full": "OS1" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "application": "App1" + }, + "observer": { + "name": "Computer1", + "product": "Cloud Secure Web Gateway", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "DNSName1", + "example.com" + ], + "ip": [ + "192.168.1.1", + "192.168.2.1" + ], + "user": [ + "user@example.com" + ] + }, + "sekoiaio": { + "repeat": { + "count": "1000" + } + }, + "server": { + "bytes": 2048, + "ip": "192.168.2.1" + }, + "tls": { + "server": { + "x509": { + "alternative_names": [ + "RSHostname1" + ] + } + } + }, + "url": { + "domain": "example.com", + "path": "/path/to/resource", + "port": 80, + "query": "param=value", + "registered_domain": "example.com", + "scheme": "http", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields 
that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`broadcom.data_leak_detected` | `keyword` | Broadcom data leak detected | +|`broadcom.file_reputation_score` | `keyword` | Broadcom file reputation score | +|`broadcom.forwarded_for` | `keyword` | Broadcom forwarded for | +|`broadcom.threat_risk.certificate_hostname` | `keyword` | Broadcom threat risk certificate hostname | +|`broadcom.threat_risk.dns_lvl` | `keyword` | Broadcom threat risk dns lvl | +|`broadcom.threat_risk.lvl` | `keyword` | Broadcom threat risk lvl | +|`broadcom.virus_id` | `keyword` | Broadcom virus id | +|`client.bytes` | `long` | Bytes sent from the client to the server. | +|`client.ip` | `ip` | IP address of the client. | +|`client.user.name` | `keyword` | Short name or login of the user. | +|`dns.answers` | `object` | Array of DNS answers. | +|`dns.op_code` | `keyword` | The DNS operation code that specifies the kind of query in the message. | +|`dns.question.class` | `keyword` | The class of records being queried. | +|`dns.question.name` | `keyword` | The name being queried. | +|`dns.question.type` | `keyword` | The type of record being queried. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.duration` | `long` | Duration of the event in nanoseconds. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.os.full` | `keyword` | Operating system name, including the version or code name. | +|`http.request.method` | `keyword` | HTTP request method. 
| +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.application` | `keyword` | Application level protocol name. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`server.bytes` | `long` | Bytes sent from the server to the client. | +|`server.ip` | `ip` | IP address of the server. | +|`tls.server.x509.alternative_names` | `keyword` | List of subject alternative names (SAN). | +|`url.domain` | `keyword` | Domain of the url. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`url.port` | `long` | Port of the request, such as 443. | +|`url.query` | `keyword` | Query string of the request. | +|`url.scheme` | `keyword` | Scheme of the url. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | +
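Review bot: in the `test_target_user.json` sample (hunk `@@ -197,6 +197,65 @@`), `user.id` is populated with the `customerId` value `XXXXXX` rather than the actor's `profileId` `11111`; the customer ID identifies the Workspace tenant, not the person acting, so either map `actor.profileId` to `user.id` or move the customer ID to a tenant-level field. Two smaller points in the same sample: the raw message carries two events, `access`/`edit` (`primary_event: false`) and `acl_change`/`change_user_access` (`primary_event: true`), yet `event.action` is `edit`, so the normalizer appears to take the first event instead of the primary one and drops the external access grant (`target_user`, `new_value: can_edit`, `visibility_change: external`) that is the security-relevant part of this record; and `related.user` lists only `owner@test.com` although `senduser@test.com` and `targetuser@test.fr` also appear in the normalized output, so a search on either of those addresses would miss this event.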
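Review bot: the new `user.target.email` row in hunk `@@ -222,4 +281,5 @@` reuses the description `User email address.`, which is word-for-word the description of `user.email` two rows above, leaving the reader no way to tell the two fields apart; suggest something like `Email address of the user targeted by the action (for example the grantee of an access change).`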
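Review bot: in the `elff_event.json` sample of the new file (hunk `@@ -0,0 +1,232 @@`), `x-dns-rs-rcode` (`NoError,NoError1`) is emitted as two `dns.answers` entries of `type: RCODE`; a response code is not a resource record, and ECS provides `dns.response_code` for it, so those entries should go there and only the A/CNAME/PTR records stay in `dns.answers`. In the same sample the boolean `x-data-leak-detected: false` and the numeric `ear-cas-file-reputation-score: 95` become the strings `"False"` and `"95"`, and the field table then types `broadcom.data_leak_detected` and `broadcom.file_reputation_score` as `keyword`; `boolean` and `long` would let detection rules compare them without string matching. The TLS details in the input (`x-cs-connection-negotiated-ssl-version`, `x-cs-connection-negotiated-cipher` and their `x-rs-` counterparts) have no counterpart in the output even though `tls.server.x509.alternative_names` is populated from `x-rs-certificate-hostname`, so `tls.version` / `tls.cipher` look like an easy addition; likewise `cs(X-Forwarded-For)` (`192.168.0.1`) lands only in `broadcom.forwarded_for` and not in `related.ip`. Finally, the prose of the new page has `infered` for `inferred`, `Find below few samples` for `Find below a few samples`, and `In details` for `In detail`, and `collect network activities from source` in the data-source table could name the source (the web gateway access log).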