Refresh intakes documentation #1570

Merged
merged 1 commit into from
Jan 22, 2024
@@ -197,6 +197,65 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_target_user.json"

```json

{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"[email protected]\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"[email protected]\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"[email protected]\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"[email protected]\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}",
"event": {
"action": "edit",
"category": [
"file"
],
"dataset": "admin#reports#activity",
"kind": "event",
"type": [
"change"
]
},
"@timestamp": "2024-01-17T11:09:39.840000Z",
"file": {
"name": "Doc Temp",
"owner": "[email protected]",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_externally"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"0.0.0.0"
],
"user": [
"[email protected]"
]
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0"
},
"user": {
"id": "XXXXXX",
"target": {
"email": "[email protected]"
}
}
}

```





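Review bot: in the `test_target_user.json` sample the normalized `user.id` is `XXXXXX`, which is the `customerId` of the raw message (`\"customerId\":\"XXXXXX\"`), not the actor's `profileId` (`\"profileId\":\"11111\"`); a customer id identifies the tenant rather than the user, so please confirm the mapping is intended or document it next to the sample. Also, the raw message carries two events and the one flagged `\"primary_event\",\"boolValue\":true` is the `acl_change` / `change_user_access` entry, yet the normalized event takes `"action": "edit"` and `"category": ["file"]` from the `access` entry; one sentence saying which event drives the normalization would help readers, and the five blank lines after the closing fence can be trimmed.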
@@ -222,4 +281,5 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.ip` | `ip` | IP address of the source. |
|`user.email` | `keyword` | User email address. |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.target.email` | `keyword` | User email address. |

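Review bot: the new `user.target.email` row reuses the description of the `user.email` row just above it (`User email address.`), so the table no longer distinguishes the actor from the target; suggest something like `Email address of the user whose access was changed (the target of the event).`, which matches the `target_user` parameter shown in the sample.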
@@ -0,0 +1,232 @@

## Event Categories


The following table lists the data source offered by this integration.

| Data Source | Description |
| ----------- | ------------------------------------ |
| `Web logs` | collect network activities from source |





In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `web` |
| Type | `access` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "elff_event.json"

```json

{
"message": " {\n \"count\": 1000,\n \"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(user-agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"[email protected]\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"time-taken\": 500,\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": 
\"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": 
\"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }",
"event": {
"action": "Allow",
"category": [
"web"
],
"duration": 500000000,
"kind": "event",
"type": [
"access"
]
},
"@timestamp": "2024-01-17T12:34:56Z",
"broadcom": {
"data_leak_detected": "False",
"file_reputation_score": "95",
"forwarded_for": "192.168.0.1",
"threat_risk": {
"certificate_hostname": "Low",
"dns_lvl": "High",
"lvl": "High"
},
"virus_id": "VirusID1"
},
"client": {
"address": "192.168.1.1",
"bytes": 1024,
"ip": "192.168.1.1",
"user": {
"name": "[email protected]"
}
},
"dns": {
"answers": [
{
"data": "1.2.3.4",
"type": "A"
},
{
"data": "5.6.7.8",
"type": "A"
},
{
"data": "cname1.example.com",
"type": "CNAME"
},
{
"data": "cname2.example.com",
"type": "CNAME"
},
{
"data": "ptr1.example.com",
"type": "PTR"
},
{
"data": "ptr2.example.com",
"type": "PTR"
},
{
"data": "NoError",
"type": "RCODE"
},
{
"data": "NoError1",
"type": "RCODE"
}
],
"op_code": "DNSOpcode1",
"question": {
"class": "DNSQClass1",
"name": "DNSName1",
"type": "DNSQType1"
}
},
"host": {
"os": {
"full": "OS1"
}
},
"http": {
"request": {
"method": "GET"
},
"response": {
"status_code": 200
}
},
"network": {
"application": "App1"
},
"observer": {
"name": "Computer1",
"product": "Cloud Secure Web Gateway",
"vendor": "Broadcom"
},
"related": {
"hosts": [
"DNSName1",
"example.com"
],
"ip": [
"192.168.1.1",
"192.168.2.1"
],
"user": [
"[email protected]"
]
},
"sekoiaio": {
"repeat": {
"count": "1000"
}
},
"server": {
"bytes": 2048,
"ip": "192.168.2.1"
},
"tls": {
"server": {
"x509": {
"alternative_names": [
"RSHostname1"
]
}
}
},
"url": {
"domain": "example.com",
"path": "/path/to/resource",
"port": 80,
"query": "param=value",
"registered_domain": "example.com",
"scheme": "http",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}

```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`broadcom.data_leak_detected` | `keyword` | Broadcom data leak detected |
|`broadcom.file_reputation_score` | `keyword` | Broadcom file reputation score |
|`broadcom.forwarded_for` | `keyword` | Broadcom forwarded for |
|`broadcom.threat_risk.certificate_hostname` | `keyword` | Broadcom threat risk certificate hostname |
|`broadcom.threat_risk.dns_lvl` | `keyword` | Broadcom threat risk dns lvl |
|`broadcom.threat_risk.lvl` | `keyword` | Broadcom threat risk lvl |
|`broadcom.virus_id` | `keyword` | Broadcom virus id |
|`client.bytes` | `long` | Bytes sent from the client to the server. |
|`client.ip` | `ip` | IP address of the client. |
|`client.user.name` | `keyword` | Short name or login of the user. |
|`dns.answers` | `object` | Array of DNS answers. |
|`dns.op_code` | `keyword` | The DNS operation code that specifies the kind of query in the message. |
|`dns.question.class` | `keyword` | The class of records being queried. |
|`dns.question.name` | `keyword` | The name being queried. |
|`dns.question.type` | `keyword` | The type of record being queried. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.duration` | `long` | Duration of the event in nanoseconds. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.os.full` | `keyword` | Operating system name, including the version or code name. |
|`http.request.method` | `keyword` | HTTP request method. |
|`http.response.status_code` | `long` | HTTP response status code. |
|`network.application` | `keyword` | Application level protocol name. |
|`observer.name` | `keyword` | Custom name of the observer. |
|`observer.product` | `keyword` | The product name of the observer. |
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`server.bytes` | `long` | Bytes sent from the server to the client. |
|`server.ip` | `ip` | IP address of the server. |
|`tls.server.x509.alternative_names` | `keyword` | List of subject alternative names (SAN). |
|`url.domain` | `keyword` | Domain of the url. |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`url.port` | `long` | Port of the request, such as 443. |
|`url.query` | `keyword` | Query string of the request. |
|`url.scheme` | `keyword` | Scheme of the url. |
|`user_agent.original` | `keyword` | Unparsed user_agent string. |
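Review bot: in `elff_event.json` the `x-dns-rs-rcode` values `NoError,NoError1` are emitted as `dns.answers` entries with `"type": "RCODE"` next to the A, CNAME and PTR records, but a response code is not a resource record; ECS carries it in `dns.response_code`, so the parser output (and the `dns.answers` row, declared as `object`) should be corrected before this sample is published as the reference. Two smaller documentation points in the same file: `broadcom.data_leak_detected` and `sekoiaio.repeat.count` are shown as strings (`"False"`, `"1000"`) although the source values are a boolean and a number, which is worth stating in the field table if it is deliberate, and the prose has typos (`In details`, `Find below few samples`, `infered` should read `In detail`, `Find below a few samples`, `inferred`).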