From 0ff4cd25b3a6ccf2ba0b17a8c6f782ff3f6d0c2a Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Fri, 26 Jan 2024 09:58:22 +0000 Subject: [PATCH] Refresh intakes documentation --- .../98fa7079-41ae-4033-a93f-bbd70d114188.md | 284 ++- .../9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md | 72 +- .../b28db14b-e3a7-463e-8659-9bf0e577944f.md | 1534 +++++++++++++++++ .../ee0b3023-524c-40f6-baf5-b69c7b679887.md | 13 +- 4 files changed, 1892 insertions(+), 11 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index f05212e46e..9315ada594 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md @@ -126,6 +126,74 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "6", + "type": "Internalsourcedevicetype" + }, + { + "trigger_value": "out", + "type": "Direction" + }, + { + "trigger_value": "application/x-gzip", + "type": "HTTPcontenttype" + }, + { + "trigger_value": "100", + "type": "RareexternalIP" + }, + { + "trigger_value": "100", + "type": "Raredomain" + }, + { + "trigger_value": "false", + "type": "Trustedhostname" + }, + { + "trigger_value": "15", + "type": "Taggedinternalsource" + }, + { + "trigger_value": "104.18.103.100", + "type": "DestinationIP" + }, + { + "trigger_value": "kali.download", + "type": "Connectionhostname" + }, + { + "trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz", + "type": "URI" + }, + { + "trigger_value": "200", + "type": "HTTPresponsecode" + }, + { + "trigger_value": "60493165", + "type": "Individualsizedown" + }, + { + "trigger_value": "679", + "type": "Individualsizeup" + }, + { + "trigger_value": "0", + "type": "Dataratio" + }, + { + "trigger_value": "43965774", + "type": "Ageofdestination" + }, + { + "trigger_value": "AS13335CLOUDFLARENET", + "type": "ASN" + } + ] + }, "creationTime": 1687967508000, "device": { "firstSeen": 1644001727000, @@ -233,6 +301,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [] + }, "creationTime": 1687987892000, "device": { "firstSeen": 1649669953000, @@ -327,6 +398,34 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "kali.download", + "type": "DNShostlookup" + }, + { + "trigger_value": "6", + "type": "Internalsourcedevicetype" + }, + { + "trigger_value": "18", + "type": "Taggedinternalsource" + }, + { + "trigger_value": "out", + "type": "Direction" + }, + { + "trigger_value": "4", + "type": "Taggedinternalsource" + }, + { + "trigger_value": "58", + "type": "Taggedinternalsource" + } + ] + }, "creationTime": 1688266130000, "device": { "firstSeen": 1644001727000, @@ -434,6 +533,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "out", + "type": "Direction" + }, + { + "trigger_value": "6", + "type": "Internalsourcedevicetype" + }, + { + "trigger_value": "53", + "type": "Destinationport" + }, + { + "trigger_value": "192.168.1.2", + "type": "DestinationIP" + }, + { + "trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com", + "type": "Message" + }, + { + "trigger_value": "true", + "type": "Watchedendpoint" + }, + { + "trigger_value": "100", + "type": "Watchedendpointstrength" + }, + { + "trigger_value": "true", + "type": "Internaldestination" + }, + { + "trigger_value": "12", + "type": "Internaldestinationdevicetype" + } + ] + }, "creationTime": 1687774148000, "device": { "firstSeen": 1639068361000, @@ -531,6 +670,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "ThreatIntel", + "type": "Watchedendpointsource" + }, + { + "trigger_value": "4", + "type": "Taggedinternalsource" + }, + { + "trigger_value": "7", + "type": "Internalsourcedevicetype" + }, + { + "trigger_value": "18", + "type": "Taggedinternalsource" + }, + { + "trigger_value": "out", + "type": "Direction" + }, + { + "trigger_value": "38123579", + "type": "Ageofdestination" + }, + { + "trigger_value": "192.168.1.2", + "type": "DestinationIP" + }, + { + "trigger_value": "53", + "type": "Destinationport" + }, + { + "trigger_value": "0", + "type": "Rareexternalendpoint" + }, + { + "trigger_value": "clients2.google.com", + "type": "Message" + } + ] + }, "creationTime": 1687793540000, "device": { "firstSeen": 1666276905000, @@ -574,7 +757,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "39", "ip": [ "192.168.1.3" - ] + ], + "os": { + "name": "Windows(10.0)" + } }, "observer": { "name": "Darktrace", @@ -608,6 +794,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "80", + "type": "Destinationport" + } + ] + }, "creationTime": 1687811713000, "device": { "firstSeen": 1649669953000, @@ -696,6 +890,18 @@ Find below few samples of events and how they are normalized by Sekoia.io. "darktrace": { "threat_visualizer": { "commentCount": 0, + "components": { + "filters": [ + { + "trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago", + "type": "Event details" + }, + { + "trigger_value": "Probe error", + "type": "System message" + } + ] + }, "creationTime": 1700634481000, "model": { "then": { @@ -727,6 +933,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_summurizer.json" + + ```json + + { + "message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "event": { + "action": "CREATE_NEEDSCONFIRMATION", + "category": "network", + "kind": "event", + "type": [ + "info" + ] + }, + "darktrace": { + "threat_visualizer": { + "device": { + "firstSeen": 1671027693000, + "ip": "1.2.3.4", + "ips": [ + { + "ip": "1.2.3.4", + "sid": 69, + "time": "2023-12-18 10:00:00", + "timems": 1702893600000, + "vlan": 0 + } + ], + "lastSeen": 1702896182000, + "sid": 69, + "typelabel": "Desktop", + "typename": "desktop" + }, + "pbid": 0 + } + }, + "host": { + "hostname": "test_hostname", + "id": "901", + "ip": [ + "1.2.3.4" + ], + "name": "test_hostname", + "os": { + "name": "Windows" + } + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "related": { + "hosts": [ + "test_hostname" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "user": { + "name": "JDOE" + } + } + } + + ``` + + @@ -745,6 +1023,7 @@ The following table lists the fields that are extracted, normalized under the EC |`darktrace.threat_visualizer.category` | `keyword` | The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical') | |`darktrace.threat_visualizer.children` | `array` | A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633') | |`darktrace.threat_visualizer.commentCount` | `number` | The number of comments made against this breach. | +|`darktrace.threat_visualizer.components.filters` | `array` | | |`darktrace.threat_visualizer.creationTime` | `number` | The timestamp that the record of the breach was created. This is distinct from the time field. | |`darktrace.threat_visualizer.currentGroup` | `keyword` | The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633') | |`darktrace.threat_visualizer.device.firstSeen` | `number` | The first time the device was seen on the network. | @@ -809,15 +1088,18 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.hostname` | `keyword` | Hostname of the host. | |`host.id` | `keyword` | Unique host id. | |`host.ip` | `ip` | Host ip addresses. | |`host.mac` | `keyword` | Host MAC addresses. | |`host.name` | `keyword` | Name of the host. | +|`host.os.name` | `keyword` | Operating system name, without the version. | |`observer.name` | `keyword` | Custom name of the observer. | |`observer.product` | `keyword` | The product name of the observer. | |`service.name` | `keyword` | Name of the service. | +|`source.user.name` | `keyword` | Short name or login of the user. | |`user.email` | `keyword` | User email address. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md index 718027abea..04d8aadd0b 100644 --- a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md +++ b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md @@ -17,8 +17,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert` | -| Category | `authentication`, `network` | -| Type | `connection`, `info` | +| Category | `authentication`, `configuration`, `network` | +| Type | `change`, `connection`, `info` | @@ -289,6 +289,70 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_device_change_event.json" + + ```json + + { + "message": "CEF:0|Claroty|Claroty|0.0|370|device_change_event|5|device_asset_id=FDNTIUE device_uid=5b0e3015-0c8b-4ea4-b707-d25699d79ab0 device_mac_list=[None] device_ip_list=['3.4.5.6'] device_site_name=Lost & Found device_category=IT device_subcategory=Endpoint device_manufacturer=None device_type=None device_type_family=None device_model=None device_connection_type_list=['Ethernet'] device_network_list=['Corporate'] device_labels=[] device_assignees=[] device_note=None device_os=Linux 3.11+ change_id=370 change_timestamp=2024-01-17T09:32:35+00:00 change_type=Offline Status Change change_description=The device Status changed from Offline to Online after 11 days change_alert_id=111 change_alerted_attribute=is_online_text previous_offline_status_change=2024-01-05T14:27:15+00:00 last_offline_status_change=2024-01-17T09:32:35+00:00\n", + "event": { + "category": [ + "configuration" + ], + "kind": "alert", + "reason": "The device Status changed from Offline to Online after 11 days", + "severity": 5, + "type": [ + "change" + ] + }, + "claroty": { + "xdome": { + "alert": { + "id": "111" + }, + "change": { + "alerted_attribute": "is_online_text", + "id": "370", + "type": "Offline Status Change" + }, + "device": { + "category": "IT", + "site_name": "Lost & Found", + "subcategory": "Endpoint" + } + } + }, + "device": { + "id": "FDNTIUE" + }, + "host": { + "id": "5b0e3015-0c8b-4ea4-b707-d25699d79ab0", + "ip": [ + "3.4.5.6" + ], + "mac": [ + "null" + ], + "os": { + "full": "Linux 3.11+" + } + }, + "observer": { + "product": "Claroty", + "vendor": "Claroty", + "version": "0.0" + }, + "related": { + "ip": [ + "3.4.5.6" + ] + } + } + + ``` + + === "test_expired_certificate.json" ```json @@ -650,6 +714,10 @@ The following table lists the fields that are extracted, normalized under the EC |`claroty.xdome.alert.id` | `keyword` | | |`claroty.xdome.alert.name` | `keyword` | | |`claroty.xdome.alert.type` | `keyword` | | +|`claroty.xdome.change.alerted_attribute` | `keyword` | | +|`claroty.xdome.change.id` | `keyword` | | +|`claroty.xdome.change.timestamp` | `keyword` | | +|`claroty.xdome.change.type` | `keyword` | | |`claroty.xdome.client_id` | `keyword` | | |`claroty.xdome.device.category` | `keyword` | | |`claroty.xdome.device.site_name` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md index 03a17936e0..7054d3d2c7 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md @@ -12,7 +12,1541 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `authentication`, `network`, `session` | +| Type | `end`, `protocol`, `start` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "accepted_gssapi-with-mic.json" + + ```json + + { + "message": " Accepted gssapi-with-mic for ubuntu from 1.2.3.4 port 51826 ssh2", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted gssapi-with-mic", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "gssapi-with-mic" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "ubuntu" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51826, + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "accepted_password.json" + + ```json + + { + "message": " Accepted password for ubuntu from 1.2.3.4 port 51826 ssh2", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted password", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "password" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "ubuntu" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51826, + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "accepted_publickey.json" + + ```json + + { + "message": " Accepted publickey for ubuntu from 1.2.3.4 port 51826 ssh2: RSA SHA256:AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted publickey", + "target": "user", + "type": "open" + }, + "file": { + "hash": { + "sha256": "AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=" + } + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "publickey" + } + }, + "related": { + "hash": [ + "AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ubuntu" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51826, + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "authentication_attempts_exceeded.json" + + ```json + + { + "message": " error: maximum authentication attempts exceeded for invalid user support from ssh.example.org port 51219 ssh2 [preauth]", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "maximum authentication attempts exceeded", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "hosts": [ + "ssh.example.org" + ], + "user": [ + "support" + ] + }, + "source": { + "address": "ssh.example.org", + "domain": "ssh.example.org", + "port": 51219, + "registered_domain": "example.org", + "subdomain": "ssh", + "top_level_domain": "org", + "user": { + "name": "support" + } + }, + "user": { + "name": "support" + } + } + + ``` + + +=== "authentication_too_many_failures.json" + + ```json + + { + "message": " Disconnecting invalid user support 1.2.3.4 port 51219: Too many authentication failures [preauth]", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Disconnecting", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "support" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51219, + "user": { + "name": "support" + } + }, + "user": { + "name": "support" + } + } + + ``` + + +=== "bad_protocol.json" + + ```json + + { + "message": " Bad protocol version identification '\\003' from 1.2.3.4 port 407", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "protocol" + ] + }, + "action": { + "name": "negotiate", + "outcome": "failure", + "outcome_reason": "Bad protocol version", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 407 + } + } + + ``` + + +=== "connection_closed.json" + + ```json + + { + "message": " Connection closed by 1.2.3.4 port 51488 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51488 + } + } + + ``` + + +=== "connection_closed_authenticating_user.json" + + ```json + + { + "message": " Connection closed by authenticating user backup 1.2.3.4 port 49424 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "backup" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49424, + "user": { + "name": "backup" + } + }, + "user": { + "name": "backup" + } + } + + ``` + + +=== "connection_closed_illegal_user.json" + + ```json + + { + "message": " Connection closed by illegal user default 1.2.3.4 port 49424 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "default" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49424, + "user": { + "name": "default" + } + }, + "user": { + "name": "default" + } + } + + ``` + + +=== "connection_closed_invalid_user.json" + + ```json + + { + "message": " Connection closed by invalid user pi 1.2.3.4 port 42608 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "pi" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 42608, + "user": { + "name": "pi" + } + }, + "user": { + "name": "pi" + } + } + + ``` + + +=== "connection_reset.json" + + ```json + + { + "message": " Connection reset by 1.2.3.4 port 45611 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "reset", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 45611 + } + } + + ``` + + +=== "disconnected.json" + + ```json + + { + "message": " Disconnected from 1.2.3.4 port 39906 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39906 + } + } + + ``` + + +=== "disconnected_authenticating_user.json" + + ```json + + { + "message": " Disconnected from authenticating user backup 1.2.3.4 port 49424 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "backup" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49424, + "user": { + "name": "backup" + } + }, + "user": { + "name": "backup" + } + } + + ``` + + +=== "disconnected_illegal_user.json" + + ```json + + { + "message": " Disconnected from illegal user default 1.2.3.4 port 48792 [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "default" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 48792, + "user": { + "name": "default" + } + }, + "user": { + "name": "default" + } + } + + ``` + + +=== "disconnected_user.json" + + ```json + + { + "message": " Disconnected from user ubuntu 1.2.3.4 port 44708", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "ubuntu" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 44708, + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "failed_password.json" + + ```json + + { + "message": " Failed password for backup from 1.2.3.4 port 60150 ssh2", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Failed password", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "backup" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 60150, + "user": { + "name": "backup" + } + }, + "user": { + "name": "backup" + } + } + + ``` + + +=== "invalid_user.json" + + ```json + + { + "message": " Invalid user jdoe from ssh.example.org port 48792", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Invalid user", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "hosts": [ + "ssh.example.org" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "ssh.example.org", + "domain": "ssh.example.org", + "port": 48792, + "registered_domain": "example.org", + "subdomain": "ssh", + "top_level_domain": "org", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "invalid_user2.json" + + ```json + + { + "message": " input_userauth_request: invalid user jdoe [preauth]", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "invalid user", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "kex_exchange_identification.json" + + ```json + + { + "message": " error: kex_exchange_identification: Connection closed by remote host", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Connection closed by remote host", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + } + } + + ``` + + +=== "not_receive_identification.json" + + ```json + + { + "message": " Did not receive identification string from 1.2.3.4 port 50622", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Did not receive identification string", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50622 + } + } + + ``` + + +=== "pam_authentication_failure.json" + + ```json + + { + "message": " pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "sshd:auth", + "outcome": "failure", + "outcome_reason": "pam_unix(sshd:auth): authentication failure;", + "target": "user", + "type": "authentication" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "pam_check_pass.json" + + ```json + + { + "message": " pam_unix(sshd:auth): check pass; user unknown", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:auth", + "outcome": "success", + "target": "user", + "type": "check" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "unknown" + ] + }, + "source": { + "user": { + "name": "unknown" + } + }, + "user": { + "name": "unknown" + } + } + + ``` + + +=== "pam_more_auth_failure.json" + + ```json + + { + "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "sshd:auth", + "outcome": "failure", + "target": "user", + "type": "authentication" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "root" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "root" + } + }, + "user": { + "id": "0", + "name": "root" + } + } + + ``` + + +=== "pam_session_closed.json" + + ```json + + { + "message": " pam_unix(sshd:session): session closed for user ubuntu", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "ubuntu" + ] + }, + "source": { + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "pam_session_opened.json" + + ```json + + { + "message": " pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "ubuntu" + ] + }, + "source": { + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "received_disconnect_bye_bye.json" + + ```json + + { + "message": " Received disconnect from 1.2.3.4 port 39906:11: Bye Bye [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "Bye Bye", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39906 + } + } + + ``` + + +=== "received_disconnect_empty_message.json" + + ```json + + { + "message": " Received disconnect from 1.2.3.4 port 16899:11: [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 16899 + } + } + + ``` + + +=== "received_disconnect_thank_you.json" + + ```json + + { + "message": " Received disconnect from 1.2.3.4 port 36958:11: Normal Shutdown, Thank you for playing [preauth]", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "Normal Shutdown, Thank you for playing", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36958 + } + } + + ``` + + +=== "received_disconnect_user.json" + + ```json + + { + "message": " Received disconnect from 1.2.3.4 port 44708:11: disconnected by user", + "event": { + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "disconnected by user", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 44708 + } + } + + ``` + + +=== "unable_to_negociate.json" + + ```json + + { + "message": " Unable to negotiate with 1.2.3.4 port 27824: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]", + "event": { + "category": [ + "session" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "negotiate", + "outcome": "failure", + "outcome_reason": "Unable to negotiate with", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 27824 + } + } + + ``` + + +=== "user_not_allowed.json" + + ```json + + { + "message": " User root from 1.2.3.4 not allowed because not listed in AllowUsers", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "not allowed because not listed in AllowUsers", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "root" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "root" + } + }, + "user": { + "name": "root" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.target` | `keyword` | | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`openssh.auth.method` | `keyword` | | +|`process.name` | `keyword` | Process name. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`source.user.name` | `keyword` | Short name or login of the user. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | + diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index 0031c13208..277f3cf04d 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md @@ -69,6 +69,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "network": { + "application": "General HTTPS", "protocol": "https", "transport": "tcp" }, @@ -88,8 +89,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "version": "7.0.1-1234-R5678" }, "process": { - "entity_id": "1234", - "name": "General HTTPS" + "entity_id": "1234" }, "related": { "ip": [ @@ -164,6 +164,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "network": { + "application": "General DNS", "protocol": "dns", "transport": "udp" }, @@ -182,9 +183,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "SonicWall", "version": "7.0.1-1234-R5678" }, - "process": { - "name": "General DNS" - }, "related": { "ip": [ "12.3.123.123", @@ -258,6 +256,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "network": { + "application": "General HTTPS", "protocol": "https", "transport": "tcp" }, @@ -276,9 +275,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vendor": "SonicWall", "version": "7.0.1-1234-R5678" }, - "process": { - "name": "General HTTPS" - }, "related": { "ip": [ "10.0.10.20", @@ -667,6 +663,7 @@ The following table lists the fields that are extracted, normalized under the EC |`http.request.method` | `keyword` | HTTP request method. | |`http.request.referrer` | `keyword` | Referrer for this HTTP request. | |`log.syslog.facility.name` | `keyword` | Syslog text-based facility of the event. | +|`network.application` | `keyword` | Application level protocol name. | |`observer.egress.interface.name` | `keyword` | Interface name | |`observer.ingress.interface.name` | `keyword` | Interface name | |`observer.type` | `keyword` | The type of the observer the data is coming from. |