Refresh intakes documentation #1575

Merged (1 commit, Jan 26, 2024)
Expand Up @@ -126,6 +126,74 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "application/x-gzip",
"type": "HTTPcontenttype"
},
{
"trigger_value": "100",
"type": "RareexternalIP"
},
{
"trigger_value": "100",
"type": "Raredomain"
},
{
"trigger_value": "false",
"type": "Trustedhostname"
},
{
"trigger_value": "15",
"type": "Taggedinternalsource"
},
{
"trigger_value": "104.18.103.100",
"type": "DestinationIP"
},
{
"trigger_value": "kali.download",
"type": "Connectionhostname"
},
{
"trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz",
"type": "URI"
},
{
"trigger_value": "200",
"type": "HTTPresponsecode"
},
{
"trigger_value": "60493165",
"type": "Individualsizedown"
},
{
"trigger_value": "679",
"type": "Individualsizeup"
},
{
"trigger_value": "0",
"type": "Dataratio"
},
{
"trigger_value": "43965774",
"type": "Ageofdestination"
},
{
"trigger_value": "AS13335CLOUDFLARENET",
"type": "ASN"
}
]
},
"creationTime": 1687967508000,
"device": {
"firstSeen": 1644001727000,
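Review bot: every `trigger_value` in this new `components.filters` array is a JSON string, including the numeric ones (`"trigger_value": "6"`, `"trigger_value": "100"`, `"trigger_value": "60493165"`) and the boolean-looking `"trigger_value": "false"`, so the field table entry for `darktrace.threat_visualizer.components.filters` should state that each element is an object with a `type` and a string `trigger_value`; a downstream rule that compares `Individualsizedown` or `Dataratio` numerically will otherwise fail silently on a string. It would also help to label this sample as a benign apt fetch of `/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz` from `kali.download`, since the hostname reads like an indicator out of context.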
Expand Down Expand Up @@ -233,6 +301,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": []
},
"creationTime": 1687987892000,
"device": {
"firstSeen": 1649669953000,
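Review bot: `"filters": []` here shows the array can be empty for a breach; the field description should say so, and any enrichment or rule that reads the first filter must handle the empty case rather than assume at least one entry.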
Expand Down Expand Up @@ -327,6 +398,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "kali.download",
"type": "DNShostlookup"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "58",
"type": "Taggedinternalsource"
}
]
},
"creationTime": 1688266130000,
"device": {
"firstSeen": 1644001727000,
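Review bot: `type` is not unique within the array: this sample carries `Taggedinternalsource` three times with values `"18"`, `"4"` and `"58"`. The documentation should say so, because a consumer that turns `filters` into a map keyed by `type` will keep a single tag, and in this sample the tags are what characterises the breach.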
Expand Down Expand Up @@ -434,6 +533,46 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com",
"type": "Message"
},
{
"trigger_value": "true",
"type": "Watchedendpoint"
},
{
"trigger_value": "100",
"type": "Watchedendpointstrength"
},
{
"trigger_value": "true",
"type": "Internaldestination"
},
{
"trigger_value": "12",
"type": "Internaldestinationdevicetype"
}
]
},
"creationTime": 1687774148000,
"device": {
"firstSeen": 1639068361000,
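Review bot: the indicator in this sample sits in the `Message` filter (`amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com`), while `DestinationIP` is the internal resolver `192.168.1.2` on `Destinationport` `53`, so anyone keying on destination address will see only a DNS server. The hunk does not show whether `Message`-type trigger values are promoted to an ECS field (for example `related.hosts`) or kept only under `darktrace.threat_visualizer.components.filters`; the docs should state which, as it decides where a hostname rule has to look.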
Expand Down Expand Up @@ -531,6 +670,50 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "ThreatIntel",
"type": "Watchedendpointsource"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "7",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "38123579",
"type": "Ageofdestination"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "0",
"type": "Rareexternalendpoint"
},
{
"trigger_value": "clients2.google.com",
"type": "Message"
}
]
},
"creationTime": 1687793540000,
"device": {
"firstSeen": 1666276905000,
Expand Down Expand Up @@ -574,7 +757,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"id": "39",
"ip": [
"192.168.1.3"
]
],
"os": {
"name": "Windows(10.0)"
}
},
"observer": {
"name": "Darktrace",
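Review bot: `"name": "Windows(10.0)"` under `host.os` conflicts with the `host.os.name` definition this same document uses ("Operating system name, without the version"): the value fuses name and version, and a rule matching `host.os.name: Windows` will miss it. Either the parser should split it into `host.os.name: "Windows"` plus `host.os.version: "10.0"` (or keep the raw string in `host.os.full`), or this sample should be regenerated from current parser output; the `test_summurizer.json` sample later in this diff does emit a bare `"Windows"`.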
Expand Down Expand Up @@ -608,6 +794,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "80",
"type": "Destinationport"
}
]
},
"creationTime": 1687811713000,
"device": {
"firstSeen": 1649669953000,
Expand Down Expand Up @@ -696,6 +890,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago",
"type": "Event details"
},
{
"trigger_value": "Probe error",
"type": "System message"
}
]
},
"creationTime": 1700634481000,
"model": {
"then": {
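Review bot: the `Event details` trigger value embeds a probe name and a public IP address (`Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago`); the other new sample in this PR uses placeholders (`1.2.3.4`, `test_hostname`), so this one should be scrubbed the same way before it ships in public documentation. Two further points this hunk shows that the field description should capture: `type` values can contain spaces (`Event details`, `System message`), unlike the camel-cased types in the other samples, and `Event details` is free text, so it is not a safe key for exact-match rules.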
Expand Down Expand Up @@ -727,6 +933,78 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_summurizer.json"

```json

{
"message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
"event": {
"action": "CREATE_NEEDSCONFIRMATION",
"category": "network",
"kind": "event",
"type": [
"info"
]
},
"darktrace": {
"threat_visualizer": {
"device": {
"firstSeen": 1671027693000,
"ip": "1.2.3.4",
"ips": [
{
"ip": "1.2.3.4",
"sid": 69,
"time": "2023-12-18 10:00:00",
"timems": 1702893600000,
"vlan": 0
}
],
"lastSeen": 1702896182000,
"sid": 69,
"typelabel": "Desktop",
"typename": "desktop"
},
"pbid": 0
}
},
"host": {
"hostname": "test_hostname",
"id": "901",
"ip": [
"1.2.3.4"
],
"name": "test_hostname",
"os": {
"name": "Windows"
}
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"hosts": [
"test_hostname"
],
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"user": {
"name": "JDOE"
}
}
}

```





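Review bot: several fields present in the raw `message` are missing from the normalized output. The raw event carries `"macaddress":"00:11:22:33:44:55"`, `"start":1702896511`, `"end":1702903711`, `"model":"test_model_network"`, `"inhibitor":"Enforce pattern of life"` and `"vendor":"test_vendor"`, yet the normalized `host` block has no `mac` and there is no `event.start` or `event.end`, even though `host.mac` and `event.end` are listed in the field table below. Either the parser drops them for `antigena_state_change` events, in which case the table overstates what is extracted for this event type, or the sample output is stale and should be regenerated. Also, the tab name `test_summurizer.json` looks like a typo for `summarizer`.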
Expand All @@ -745,6 +1023,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`darktrace.threat_visualizer.category` | `keyword` | The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical') |
|`darktrace.threat_visualizer.children` | `array` | A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
|`darktrace.threat_visualizer.commentCount` | `number` | The number of comments made against this breach. |
|`darktrace.threat_visualizer.components.filters` | `array` | |
|`darktrace.threat_visualizer.creationTime` | `number` | The timestamp that the record of the breach was created. This is distinct from the time field. |
|`darktrace.threat_visualizer.currentGroup` | `keyword` | The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
|`darktrace.threat_visualizer.device.firstSeen` | `number` | The first time the device was seen on the network. |
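Review bot: the new row for `darktrace.threat_visualizer.components.filters` has an empty description. From the samples added above it should read along the lines of: 'Filters that triggered the model breach. Each entry is an object with a type (e.g. Direction, DestinationIP, Taggedinternalsource) and a string trigger_value; the array may be empty and the same type may appear more than once.' The other rows in this table give example values (see `category` and `children`), so one here would be consistent.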
Expand Down Expand Up @@ -809,15 +1088,18 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.hostname` | `keyword` | Hostname of the host. |
|`host.id` | `keyword` | Unique host id. |
|`host.ip` | `ip` | Host ip addresses. |
|`host.mac` | `keyword` | Host MAC addresses. |
|`host.name` | `keyword` | Name of the host. |
|`host.os.name` | `keyword` | Operating system name, without the version. |
|`observer.name` | `keyword` | Custom name of the observer. |
|`observer.product` | `keyword` | The product name of the observer. |
|`service.name` | `keyword` | Name of the service. |
|`source.user.name` | `keyword` | Short name or login of the user. |
|`user.email` | `keyword` | User email address. |
|`user.name` | `keyword` | Short name or login of the user. |
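Review bot: `source.user.name` and `user.name` now both appear with the identical description "Short name or login of the user.", and the antigena sample above populates only `source.user.name` from `username`; the table should say which event types fill which field (or, if `user.name` is retained for other events, say that), otherwise rule authors cannot tell which one to key on. Likewise `event.reason` is added without any sample showing it populated (the antigena raw message has `"reason":""`), so a sample with a non-empty reason would make the row verifiable.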
