From 159c5cbb7f4f3e0c7aecbb5d8a7dea775ba9738a Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 14:46:45 +0000 Subject: [PATCH] Refresh intakes documentation --- .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 671 +++++++++++++++++- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 55 +- .../3f330d19-fdea-48ac-96bd-91a447bb26bd.md | 78 ++ .../44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md | 184 +++++ .../4760d0bc-2194-44e5-a876-85102b18d832.md | 110 ++- .../c2faea65-1eb3-4f3f-b895-c8769a749d45.md | 1 + .../c6a43439-7b9d-4678-804b-ebda6756db60.md | 198 ++++++ .../e8ca856f-8a58-490b-bea4-247b12b3d74b.md | 139 +++- 8 files changed, 1422 insertions(+), 14 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 18902144dc..3877605f42 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md @@ -17,8 +17,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `event` | -| Category | `file` | -| Type | `access`, `change`, `creation`, `deletion` | +| Category | `authentication`, `configuration`, `file`, `iam`, `session` | +| Type | `access`, `admin`, `connection` | @@ -28,6 +28,359 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "test_admin_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}", + "event": { + "action": "ALERT_CENTER_VIEW", + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-12T14:50:56.780000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "test@test.com" + } + } + }, + "network": { + "application": "admin" + }, + "related": { + "ip": [ + "2222:0:333:1111:7777:5555:6666:ddd" + ], + "user": [ + "test" + ] + }, + "source": { + "address": "2222:0:333:1111:7777:5555:6666:ddd", + "ip": "2222:0:333:1111:7777:5555:6666:ddd" + }, + "user": { + "domain": "test.com", + "email": "test@test.com", + "id": "10125127140", + "name": "test" + } + } + + ``` + + +=== "test_admin_sample2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}", + "event": { + "action": [ + "ALLOW_STRONG_AUTHENTICATION", + "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "ENFORCE_STRONG_AUTHENTICATION" + ], + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "access", + "change" + ] + }, + "@timestamp": "2024-03-12T14:41:33.804000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "test@test.com" + } + } + }, + "network": { + "application": "admin" + }, + "related": { + "ip": [ + "2222:0:333:1111:7777:5555:6666:ddd" + ], + "user": [ + "test" + ] + }, + "source": { + "address": "2222:0:333:1111:7777:5555:6666:ddd", + "ip": "2222:0:333:1111:7777:5555:6666:ddd" + }, + "user": { + "domain": "test.com", + "email": "test@test.com", + "id": "10125127141", + "name": "test" + } + } + + ``` + + +=== "test_calendar_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}", + "event": { + "action": "change_event", + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "change" + ] + }, + "@timestamp": "2024-03-13T10:25:01.859000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.com" + } + } + }, + "network": { + "application": "calendar" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "joe.done" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "test.com", + "email": "joe.done@test.com", + "id": "1126768166", + "name": "joe.done" + } + } + + ``` + + +=== "test_calendar_sample2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}", + "event": { + "action": [ + "add_event_guest", + "create_event" + ], + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "change", + "creation" + ] + }, + "@timestamp": "2024-03-13T10:36:57.929000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "destination": { + "user": { + "email": "jone.done@test.com" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.doe@test.com" + } + } + }, + "network": { + "application": "calendar" + }, + "related": { + "ip": [ + "ffff:2222:333:11:aa:2222:111:11" + ], + "user": [ + "joe.doe" + ] + }, + "source": { + "address": "ffff:2222:333:11:aa:2222:111:11", + "ip": "ffff:2222:333:11:aa:2222:111:11" + }, + "user": { + "domain": "test.com", + "email": "joe.doe@test.com", + "id": "1158856535600", + "name": "joe.doe" + } + } + + ``` + + +=== "test_chat_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}", + "event": { + "action": "message_posted", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-03-08T10:37:56.354000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.com" + }, + "chat": { + "message": { + "id": "spaces/AAAApr7T222/messages/oODWFIV2CtA" + }, + "room": { + "name": "Group Chat (AAAAAAAAAA)" + } + } + } + }, + "network": { + "application": "chat" + }, + "related": { + "user": [ + "joe.done" + ] + }, + "user": { + "domain": "test.com", + "email": "joe.done@test.com", + "id": "1160802395241", + "name": "joe.done" + } + } + + ``` + + +=== "test_chat_sample2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}", + "event": { + "action": "room_created", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-03-12T10:01:16.430000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.com" + }, + "chat": { + "room": { + "name": "Group Chat (AAAAAAAAA)" + } + } + } + }, + "network": { + "application": "chat" + }, + "related": { + "user": [ + "joe.done" + ] + }, + "user": { + "domain": "test.com", + "email": "joe.done@test.com", + "id": "1070981817756", + "name": "joe.done" + } + } + + ``` + + === "test_drive_sample.json" ```json @@ -42,6 +395,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "audit#activity", "kind": "event", "type": [ + "access", "change" ] }, @@ -108,6 +462,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "audit#activity", "kind": "event", "type": [ + "access", "change" ] }, @@ -222,6 +577,169 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_groups_entre_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}", + "event": { + "action": "delete_group", + "category": [ + "iam" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "admin" + ] + }, + "@timestamp": "2024-03-11T15:20:33.157000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.com" + } + } + }, + "network": { + "application": "groups_enterprise" + }, + "related": { + "user": [ + "joe.done" + ] + }, + "user": { + "domain": "test.com", + "email": "joe.done@test.com", + "group": { + "id": "testgroup@test.com" + }, + "id": "109472445", + "name": "joe.done" + } + } + + ``` + + +=== "test_meet_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-03-13T11:02:40.037000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Argenteuil" + } + }, + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "jone.doe@test.com" + }, + "meet": { + "code": "GMGSZDDDDD" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "user": [ + "jone.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "jone.doe@test.com", + "id": "1098488062555", + "name": "jone.doe" + } + } + + ``` + + +=== "test_meet_sample2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}", + "event": { + "action": "presentation_started", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-03-13T10:31:23.630000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "jone.done@test.com" + }, + "meet": { + "code": "BWXXZYNUUU" + } + } + }, + "network": { + "application": "meet" + }, + "related": { + "user": [ + "jone.done" + ] + }, + "user": { + "domain": "test.com", + "email": "jone.done@test.com", + "id": "1070981817756", + "name": "jone.done" + } + } + + ``` + + === "test_target_user.json" ```json @@ -229,13 +747,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}", "event": { - "action": "edit", + "action": [ + "change_user_access", + "edit" + ], "category": [ "file" ], "dataset": "admin#reports#activity", "kind": "event", "type": [ + "access", "change" ] }, @@ -290,6 +812,138 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_token_sample1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}", + "event": { + "action": "authorize", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2024-03-13T11:24:59.810000Z", + "client": { + "user": { + "id": "11057316681905" + } + }, + "cloud": { + "account": { + "id": "C03foh04q" + } + }, + "google": { + "report": { + "actor": { + "email": "JONE.DOE@test.com" + }, + "token": { + "app_name": "Test Log Workspace", + "type": "WEB" + } + } + }, + "network": { + "application": "token" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JONE.DOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "test.com", + "email": "JONE.DOE@test.com", + "id": "109472445", + "name": "JONE.DOE" + } + } + + ``` + + +=== "test_token_sample2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}", + "event": { + "action": "activity", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "kind": "event", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2024-03-13T11:25:23.391000Z", + "client": { + "user": { + "id": "110573166819" + } + }, + "cloud": { + "account": { + "id": "C03foh5555" + } + }, + "google": { + "report": { + "actor": { + "email": "JOE.DONE@test.com" + }, + "token": { + "app_name": "Test Log Workspace", + "type": "WEB" + } + } + }, + "network": { + "application": "token" + }, + "related": { + "ip": [ + "1.1.1.1" + ], + "user": [ + "JOE.DONE" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "user": { + "domain": "test.com", + "email": "JOE.DONE@test.com", + "id": "1094724450", + "name": "JOE.DONE" + } + } + + ``` + + @@ -300,7 +954,11 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`client.geo.country_iso_code` | `keyword` | Country ISO code. | +|`client.geo.region_name` | `keyword` | Region name. | +|`client.user.id` | `keyword` | Unique identifier of the user. | |`cloud.account.id` | `keyword` | The cloud account or organization id. | +|`destination.user.email` | `keyword` | User email address. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | @@ -311,11 +969,18 @@ The following table lists the fields that are extracted, normalized under the EC |`file.owner` | `keyword` | File owner's username. | |`file.type` | `keyword` | File type (file, dir, or symlink). | |`google.report.actor.email` | `keyword` | | +|`google.report.chat.message.id` | `keyword` | Message id | +|`google.report.chat.room.name` | `keyword` | Room name | +|`google.report.meet.code` | `keyword` | Meet code | |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity | +|`google.report.token.app_name` | `keyword` | Token authorization application name | +|`google.report.token.type` | `keyword` | Token type | |`network.application` | `keyword` | Application level protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`source.ip` | `ip` | IP address of the source. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.email` | `keyword` | User email address. | +|`user.group.id` | `keyword` | Unique identifier for the group on the system/platform. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | |`user.target.email` | `keyword` | User email address. | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 4d9ed0211a..8d63e95328 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -941,9 +941,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "192.168.120.41", "port": 2525 }, - "network": { - "direction": "outbound" - }, "host": { "domain": "EXAMPLE", "hostname": "EXCHANGE", @@ -956,6 +953,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "hostname": "EXCHANGE" }, + "network": { + "direction": "outbound" + }, "process": { "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe", "pid": 14228 @@ -1010,9 +1010,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "172.31.9.222", "port": 3389 }, - "network": { - "direction": "inbound" - }, "host": { "domain": "WORKGROUP", "hostname": "REDACTED", @@ -1025,6 +1022,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "log": { "hostname": "REDACTED" }, + "network": { + "direction": "inbound" + }, "process": { "executable": "C:\\Windows\\System32\\svchost.exe", "pid": 1004 @@ -1594,6 +1594,40 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "threat_log.json" + + ```json + + { + "message": "{\"impacted_user_count\":3,\"destination\":\"syslog\",\"level\":\"high\",\"id\":829,\"status\":\"new\",\"@version\":\"1\",\"last_seen\":\"2024-03-13T06:25:00-05:00\",\"log_type\":\"threat\",\"rule_count\":4,\"@timestamp\":\"2024-03-13T11:26:29.606617060Z\",\"groups\":[{\"name\":\"MyGroup!\",\"id\":\"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\"}],\"agents\":[{\"agent_hostname\":\"DESKTOP_0001\",\"agent_ostype\":\"macos\",\"security_event_count\":17662,\"agent_id\":\"215fe295-905f-4a8d-8347-e9d438d4e415\"},{\"agent_hostname\":\"DESKTOP_0020\",\"agent_ostype\":\"macos\",\"security_event_count\":9903,\"agent_id\":\"999ba0c7-96b8-4c57-bf0e-63b24813c873\"}],\"agent_count\":2,\"rules\":[{\"security_event_count\":44,\"rule_id\":\"3daba65e-a7e6-4211-8294-01816f11d659\",\"rule_level\":\"medium\",\"rule_name\":\"NewLaunchDaemonaddedviacommandline\"},{\"security_event_count\":38236,\"rule_id\":\"c502ee75-e425-4100-a8c8-927bc0c1080c\",\"rule_level\":\"low\",\"rule_name\":\"Discovery:Users(macOS)\"},{\"security_event_count\":13,\"rule_id\":\"6915ff50-36b9-43fb-8368-b07f5a702767\",\"rule_level\":\"medium\",\"rule_name\":\"Discovery:Who(macOS)\"},{\"security_event_count\":1525,\"rule_id\":\"7da2cbac-fd59-4ea1-a95b-5f717822ebaa\",\"rule_level\":\"medium\",\"rule_name\":\"Timestompingfilewithtouch(macOS)\"}],\"impacted_users\":[{\"user_sid\":\"root\",\"security_event_count\":39432,\"user_name\":\"root\"},{\"user_sid\":\"john-doe\",\"security_event_count\":8,\"user_name\":\"john-doe\"},{\"user_sid\":\"janedoe\",\"security_event_count\":1,\"user_name\":\"janedoe\"}],\"creation_date\":\"2024-02-07T09:18:21.799384-06:00\",\"last_update\":\"2024-03-13T06:26:29.162934-05:00\",\"total_security_event_count\":40061,\"first_seen\":\"2024-02-07T09:18:00-06:00\",\"tenant\":\"111111111111111\"}", + "event": { + "dataset": "threat", + "end": "2024-03-13T11:25:00Z", + "start": "2024-02-07T15:18:00Z" + }, + "agent": { + "name": "harfanglab" + }, + "harfanglab": { + "count": { + "rules": 4, + "users_impacted": 3 + }, + "groups": [ + "{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}" + ], + "level": "high", + "status": "new", + "threat_id": "829" + }, + "user": { + "roles": "MyGroup!" + } + } + + ``` + + === "wineeventlog-event.json" ```json @@ -2047,9 +2081,11 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.dataset` | `keyword` | Name of the dataset. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.md5` | `keyword` | MD5 hash. | |`file.hash.sha1` | `keyword` | SHA1 hash. | @@ -2067,14 +2103,17 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.alert_subtype` | `keyword` | The subtype of the alert | |`harfanglab.alert_time` | `keyword` | The timestamp of the alert | |`harfanglab.alert_unique_id` | `keyword` | The identifier of the alert | +|`harfanglab.count.rules` | `number` | Total count of rules | +|`harfanglab.count.users_impacted` | `number` | Total count of impacted users | |`harfanglab.execution` | `long` | Execution time | |`harfanglab.grandparent.process.ancestors` | `keyword` | All process parents | |`harfanglab.grandparent.process.command_line` | `keyword` | Command line that started the grandparent process | |`harfanglab.grandparent.process.executable` | `keyword` | Absolute path to the grandparent process executable | |`harfanglab.groups` | `keyword` | harfanglab groups | -|`harfanglab.level` | `keyword` | The risk level associated to the alert | +|`harfanglab.level` | `keyword` | The risk level associated to the event | |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed | -|`harfanglab.status` | `keyword` | The status of the alert | +|`harfanglab.status` | `keyword` | The status of the event | +|`harfanglab.threat_id` | `keyword` | Id of the threat | |`host.domain` | `keyword` | Name of the directory the group is a member of. | |`host.hostname` | `keyword` | Hostname of the host. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md index 31ab92dff3..61eef77d8e 100644 --- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md +++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md @@ -653,6 +653,83 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "event_pua_detected_2.json" + + ```json + + { + "message": "{\"appSha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"source_info\": {\"ip\": \"1.2.3.4\"}, \"customer_id\": \"d9b11461-9678-4448-ab88-4b5211d2bf5e\", \"endpoint_id\": \"61092e0b-b6f5-46c5-b0a7-68ee3b2dc822\", \"endpoint_type\": \"computer\", \"threat\": \"Generic Reputation PUA\", \"origin\": \"ML\", \"type\": \"Event::Endpoint::CorePuaDetection\", \"id\": \"c39307f6-0c51-4a55-af23-f2ac7905416d\", \"group\": \"PUA\", \"rt\": \"2023-08-07T21:55:28.843Z\", \"severity\": \"medium\", \"duid\": \"63ed3118d043e176065be9ba\", \"end\": \"2023-08-07T21:55:27.508Z\", \"name\": \"PUA detected: 'Generic Reputation PUA' at 'C:\\\\Users\\\\John Doe\\\\Documents\\\\suspicious.zip'\", \"dhost\": \"LAPTOP-01\", \"suser\": \"LAPTOP-01\\\\John Doe\"}", + "event": { + "action": "detected", + "category": [ + "file" + ], + "code": "Event::Endpoint::CorePuaDetection", + "end": "2023-08-07T21:55:27.508000Z", + "kind": "event", + "reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'", + "type": [ + "info" + ] + }, + "@timestamp": "2023-08-07T21:55:28.843000Z", + "file": { + "directory": "C:\\Users\\John Doe\\Documents", + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "suspicious.zip", + "path": "C:\\Users\\John Doe\\Documents\\suspicious.zip" + }, + "host": { + "hostname": "LAPTOP-01", + "name": "LAPTOP-01" + }, + "log": { + "level": "medium" + }, + "observer": { + "ip": "1.2.3.4" + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "hosts": [ + "LAPTOP-01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "John Doe" + ] + }, + "rule": { + "name": "Generic Reputation PUA" + }, + "sophos": { + "customer": { + "id": "d9b11461-9678-4448-ab88-4b5211d2bf5e" + }, + "endpoint": { + "id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822", + "type": "computer" + }, + "event": { + "group": "PUA" + } + }, + "user": { + "domain": "LAPTOP-01", + "id": "63ed3118d043e176065be9ba", + "name": "John Doe" + } + } + + ``` + + === "event_registered.json" ```json @@ -1087,6 +1164,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | |`file.path` | `keyword` | Full path to the file, including the file name. | |`file.size` | `long` | File size in bytes. | |`host.hostname` | `keyword` | Hostname of the host. | diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md index 9f0690acb6..387e04439c 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md @@ -316,6 +316,185 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "event_1.json" + + ```json + + { + "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "event": { + "kind": "alert", + "outcome": "success" + }, + "action": { + "name": "C-ADMIN-RESTRICT-AUTH", + "outcome": "success", + "outcome_reason": "R-PRIVUSER-CAN-LOGON", + "properties": { + "ADdevianceID": 1958016, + "ADdomainName": "emea.corp", + "ADforestName": "Alsid Forest", + "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp", + "alertID": 1, + "alertSeverityLevel": "high", + "eventID": "49271575" + }, + "type": "alert" + }, + "related": { + "user": [ + "John DOE" + ] + }, + "service": { + "name": "active directory", + "type": "ldap" + }, + "user": { + "domain": "emea.corp", + "name": "John DOE" + } + } + + ``` + + +=== "event_2.json" + + ```json + + { + "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", + "event": { + "kind": "alert", + "outcome": "success" + }, + "action": { + "name": "C-UNCONST-DELEG", + "outcome": "success", + "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED", + "properties": { + "ADdevianceID": 1920595, + "ADdomainName": "emea.corp", + "ADforestName": "Alsid Forest", + "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp", + "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp", + "alertID": 1, + "alertSeverityLevel": "critical", + "eventID": "50666797" + }, + "type": "alert" + }, + "related": { + "user": [ + "Thrid Backup" + ] + }, + "service": { + "name": "active directory", + "type": "ldap" + }, + "user": { + "name": "Thrid Backup" + } + } + + ``` + + +=== "event_3.json" + + ```json + + { + "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", + "event": { + "kind": "alert", + "outcome": "success" + }, + "action": { + "name": "C-NATIVE-ADM-GROUP-MEMBERS", + "outcome": "success", + "outcome_reason": "R-NOT-IN-WHITELIST", + "properties": { + "ADdevianceID": 1959337, + "ADdomainName": "emea.corp", + "ADforestName": "Alsid Forest", + "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "alertID": 1, + "alertSeverityLevel": "critical", + "eventID": "51204253" + }, + "type": "alert" + }, + "related": { + "user": [ + "John Doe" + ] + }, + "service": { + "name": "active directory", + "type": "ldap" + }, + "user": { + "group": { + "name": "Main Administrators" + }, + "name": "John Doe" + } + } + + ``` + + +=== "event_4.json" + + ```json + + { + "message": " \"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "event": { + "kind": "alert", + "outcome": "success" + }, + "action": { + "name": "C-ADMIN-RESTRICT-AUTH", + "outcome": "success", + "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST", + "properties": { + "ADdevianceID": 1958033, + "ADdomainName": "emea.corp", + "ADforestName": "Alsid Forest", + "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "alertID": 1, + "alertSeverityLevel": "high", + "eventID": "49271575" + }, + "type": "alert" + }, + "related": { + "user": [ + "John Doe" + ] + }, + "service": { + "name": "active directory", + "type": "ldap" + }, + "user": { + "domain": "emea.corp", + "name": "John Doe" + } + } + + ``` + + === "ioe_security_alert1.json" ```json @@ -627,6 +806,8 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.OperatingSystem` | `keyword` | | |`action.properties.OperatingSystemVersion` | `keyword` | | |`action.properties.OuCn` | `keyword` | | +|`action.properties.ParentContainer` | `keyword` | | +|`action.properties.PrivilegesPath` | `keyword` | | |`action.properties.RaSignatureAttributeDeviantAces` | `keyword` | | |`action.properties.RaSignatureAttributeMisconfigured` | `keyword` | | |`action.properties.SanConfigCsrMisconfigured` | `keyword` | | @@ -655,4 +836,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`service.name` | `keyword` | Name of the service. | |`service.type` | `keyword` | The type of the service. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.group.name` | `keyword` | Name of the group. | +|`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md index 33dfe7d8e5..b6c402e5d8 100644 --- a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md +++ b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `event` | -| Category | `authentication`, `configuration`, `host`, `process` | +| Category | `authentication`, `configuration`, `host`, `network`, `process` | | Type | `change`, `end`, `info`, `start` | @@ -480,6 +480,108 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_traffic_denied.json" + + ```json + + { + "message": "Feb 7 13:50:57 localhost : #INFO# list ACL-WAN-IN denied udp 0.0.0.0:547-> 5.6.7.8:546 3 matches", + "event": { + "action": "denied", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-02-07T13:50:57Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 546 + }, + "log": { + "level": "INFO" + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "OneOS", + "vendor": "Ekinops" + }, + "related": { + "ip": [ + "0.0.0.0", + "5.6.7.8" + ] + }, + "rule": { + "name": "ACL-WAN-IN" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "port": 547 + } + } + + ``` + + +=== "test_traffic_permitted.json" + + ```json + + { + "message": "Feb 7 13:50:57 localhost : #INFO# list ACL-WAN-OUT permitted proto 9 0.0.0.0:547-> 5.6.7.8:546 11 matches", + "event": { + "action": "permitted", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-02-07T13:50:57Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 546 + }, + "log": { + "level": "INFO" + }, + "network": { + "iana_number": "9" + }, + "observer": { + "product": "OneOS", + "vendor": "Ekinops" + }, + "related": { + "ip": [ + "0.0.0.0", + "5.6.7.8" + ] + }, + "rule": { + "name": "ACL-WAN-OUT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "port": 547 + } + } + + ``` + + @@ -490,6 +592,8 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | |`ekinops.oneos.origin` | `keyword` | Origin of the event | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | @@ -499,9 +603,13 @@ The following table lists the fields that are extracted, normalized under the EC |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`log.level` | `keyword` | Log level of the log event. | +|`network.iana_number` | `keyword` | IANA Protocol Number. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`observer.ingress.interface.name` | `keyword` | Interface name | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | +|`rule.name` | `keyword` | Rule name | |`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md index fa3601c8ec..9282d5a41f 100644 --- a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md +++ b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md @@ -228,6 +228,7 @@ The following table lists the fields that are extracted, normalized under the EC |`fastly.waf.audit.event_id` | `keyword` | Fastly event ID | |`fastly.waf.audit.has_attachments` | `boolean` | Event message has attachments | |`fastly.waf.audit.message` | `keyword` | Event description | +|`fastly.waf.audit.site_name` | `keyword` | Site name | |`fastly.waf.audit.token_name` | `keyword` | Token name | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md index 5451993b63..6554b3fa16 100644 --- a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md +++ b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md @@ -12,7 +12,205 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `vulnerability` | +| Type | `info` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_1.json" + + ```json + + { + "message": "active='true',computer_category='desktop',computer_criticality='criticality_medium',\ncomputer_id='0',computer_name='test_syslog',computer_os='',computer_os_arch='',computer_os_name='',\ncreated_at='2022-10-03 14:02:32 +0200',cve_code='CVE-XXXX-XXXX',cve_level='high',cve_published_at='2022-10-03 14:02:32 +0200'\n,cve_score='10.0',cve_status='ignored',cvss_AC='access_complexity_low',cvss_AV='access_vector_network',cvss_Au='authentication_none',\ncvss_A='availability_impact_complete',cvss_C='confidentiality_impact_complete',cvss_I='integrity_impact_complete',fixed_at='',\ngroups='berlin,development',ignored='true',ip='127.0.0.1',source_node='cyberwatch',updated_at='2022-10-03 14:02:32 +0200'", + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-10-03T12:02:32Z", + "cyberwatch": { + "vas": { + "active": true, + "computer": { + "criticality": "criticality_medium" + }, + "cve": { + "published_at": "2022-10-03T12:02:32.000000Z", + "status": "ignored" + }, + "cvss": { + "attack_authentication": "authentication_none", + "attack_complexity": "access_complexity_low", + "attack_vector": "access_vector_network", + "availability": "availability_impact_complete", + "confidentiality": "confidentiality_impact_complete", + "integrity": "integrity_impact_complete" + }, + "groups": [ + "berlin", + "development" + ], + "ignored": "true" + } + }, + "device": { + "id": "0" + }, + "host": { + "id": "0", + "ip": "127.0.0.1", + "name": "test_syslog", + "type": "desktop" + }, + "observer": { + "name": "cyberwatch", + "product": "cyberwatch" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "vulnerability": { + "id": "CVE-XXXX-XXXX", + "score": { + "base": 10.0 + }, + "severity": "high" + } + } + + ``` + + +=== "test_2.json" + + ```json + + { + "message": "node='master',active='true',computer_category='desktop',computer_criticality='criticality_medium',computer_id='0',computer_name='test_syslog',computer_os='',computer_os_arch='',computer_os_name='',created_at='2024-03-07 11:36:11 +0100',cve_code='CVE-XXXX-XXXX',cve_level='high',cve_published_at='2024-03-07 11:36:11 +0100',cve_score='10.0',cve_status='ignored',cvss_AC='access_complexity_low',cvss_AV='access_vector_network',cvss_Au='authentication_none',cvss_A='availability_impact_complete',cvss_C='confidentiality_impact_complete',cvss_I='integrity_impact_complete',epss='0.90484',fixed_at='',groups='berlin,development',ignored='true',ip='127.0.0.1',source_node='cyberwatch',updated_at='2024-03-07 11:36:11 +0100'", + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-07T10:36:11Z", + "cyberwatch": { + "vas": { + "active": true, + "computer": { + "criticality": "criticality_medium" + }, + "cve": { + "published_at": "2024-03-07T10:36:11.000000Z", + "status": "ignored" + }, + "cvss": { + "attack_authentication": "authentication_none", + "attack_complexity": "access_complexity_low", + "attack_vector": "access_vector_network", + "availability": "availability_impact_complete", + "confidentiality": "confidentiality_impact_complete", + "integrity": "integrity_impact_complete" + }, + "epss": { + "score": "0.90484" + }, + "groups": [ + "berlin", + "development" + ], + "ignored": "true" + } + }, + "device": { + "id": "0" + }, + "host": { + "id": "0", + "ip": "127.0.0.1", + "name": "test_syslog", + "type": "desktop" + }, + "observer": { + "name": "cyberwatch", + "product": "cyberwatch" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "vulnerability": { + "id": "CVE-XXXX-XXXX", + "score": { + "base": 10.0 + }, + "severity": "high" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`cyberwatch.vas.active` | `boolean` | Indicates the current presence of the vulnerability on the asset | +|`cyberwatch.vas.computer.criticality` | `keyword` | Criticality of the asset as defined in Cyberwatch | +|`cyberwatch.vas.cve.published_at` | `keyword` | CVE Publication Date | +|`cyberwatch.vas.cve.status` | `keyword` | Vulnerability status on the affected asset | +|`cyberwatch.vas.cvss.attack_authentication` | `keyword` | Vulnerability exploitability metric: authentication | +|`cyberwatch.vas.cvss.attack_complexity` | `keyword` | Vulnerability exploitability metric: access complexity | +|`cyberwatch.vas.cvss.attack_vector` | `keyword` | Vulnerability exploitability metric: access vector | +|`cyberwatch.vas.cvss.availability` | `keyword` | Vulnerability impact metric: availability | +|`cyberwatch.vas.cvss.confidentiality` | `keyword` | Vulnerability impact metric: confidentiality | +|`cyberwatch.vas.cvss.integrity` | `keyword` | Vulnerability impact metric: integrity | +|`cyberwatch.vas.epss.score` | `keyword` | Exploit Prediction Scoring System | +|`cyberwatch.vas.fixed_at` | `datetime` | Vulnerability corrected on the asset on | +|`cyberwatch.vas.groups` | `array` | Lists of groups | +|`cyberwatch.vas.ignored` | `keyword` | Indicates whether the vulnerability has been ignored on the asset or not | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.provider` | `keyword` | Source of the event. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.architecture` | `keyword` | Operating system architecture. | +|`host.id` | `keyword` | Unique host id. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.name` | `keyword` | Name of the host. | +|`host.os.full` | `keyword` | Operating system name, including the version or code name. | +|`host.os.name` | `keyword` | Operating system name, without the version. | +|`host.type` | `keyword` | Type of host. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`vulnerability.id` | `keyword` | ID of the vulnerability. | +|`vulnerability.score.base` | `float` | Vulnerability Base score. | +|`vulnerability.severity` | `keyword` | Severity of the vulnerability. | + diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index ebe9c7e89e..e3436fb49c 100644 --- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -18,8 +18,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `event` | -| Category | `network` | -| Type | `info` | +| Category | `authentication`, `network` | +| Type | `info`, `start` | @@ -927,6 +927,138 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "ldap_incorrect_password.json" + + ```json + + { + "message": "Incorrect password supplied for LDAP DN \"CN=DOE john,OU=users,DC=example,DC=org\".", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "start" + ] + }, + "related": { + "user": [ + "DOE john" + ] + }, + "user": { + "domain": "example.org", + "name": "DOE john" + } + } + + ``` + + +=== "ldap_invalid_credentials.json" + + ```json + + { + "message": "2023-10-31 15:09:55 LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839)", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "start" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "ldap_invalid_credentials_2.json" + + ```json + + { + "message": "2023-10-31 15:09:55 ldap_bind with zero-length password is forbidden.", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "start" + ] + }, + "@timestamp": "2023-10-31T15:09:55Z" + } + + ``` + + +=== "ldap_user_not_found.json" + + ```json + + { + "message": "LDAP user \"xxxxxxx\" was not found.", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "start" + ] + }, + "related": { + "user": [ + "xxxxxxx" + ] + }, + "user": { + "name": "xxxxxxx" + } + } + + ``` + + +=== "ldap_user_not_found_2.json" + + ```json + + { + "message": "Unable to bind as XXX", + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "type": [ + "start" + ] + }, + "related": { + "user": [ + "XXX" + ] + }, + "user": { + "name": "XXX" + } + } + + ``` + + === "tls_information_0.json" ```json @@ -1127,6 +1259,7 @@ The following table lists the fields that are extracted, normalized under the EC |`client.port` | `long` | Port of the client. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.egress.interface.name` | `keyword` | Interface name | @@ -1136,4 +1269,6 @@ The following table lists the fields that are extracted, normalized under the EC |`openvpn.peer.ip` | `keyword` | OpenVPN peer IP | |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | |`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.name` | `keyword` | Short name or login of the user. |