Refresh intakes documentation #1699

Merged (1 commit, Mar 27, 2024)
Original file line number Diff line number Diff line change
Expand Up @@ -941,9 +941,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "192.168.120.41",
"port": 2525
},
"network": {
"direction": "outbound"
},
"host": {
"domain": "EXAMPLE",
"hostname": "EXCHANGE",
Expand All @@ -956,6 +953,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "EXCHANGE"
},
"network": {
"direction": "outbound"
},
"process": {
"executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe",
"pid": 14228
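Review bot: the `network` object inserted here below `log` is the one removed in the previous hunk, with the same value (`"direction": "outbound"`), so this is only the sample generator's alphabetical key order and not a mapping change; fine to merge, but regenerate the whole file in one pass so no other sample in it keeps the old order and produces the same churn on the next refresh.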
Expand Down Expand Up @@ -1010,9 +1010,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "172.31.9.222",
"port": 3389
},
"network": {
"direction": "inbound"
},
"host": {
"domain": "WORKGROUP",
"hostname": "REDACTED",
Expand All @@ -1025,6 +1022,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "REDACTED"
},
"network": {
"direction": "inbound"
},
"process": {
"executable": "C:\\Windows\\System32\\svchost.exe",
"pid": 1004
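Review bot: same key reorder for the inbound RDP sample: the `network` object (`"direction": "inbound"`) moves from before `host` to after `log` with no change in value. Nothing to fix here, provided the file was regenerated as a whole rather than hand-edited for these two samples.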
Expand Down Expand Up @@ -1594,6 +1594,40 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "threat_log.json"

```json

{
"message": "{\"impacted_user_count\":3,\"destination\":\"syslog\",\"level\":\"high\",\"id\":829,\"status\":\"new\",\"@version\":\"1\",\"last_seen\":\"2024-03-13T06:25:00-05:00\",\"log_type\":\"threat\",\"rule_count\":4,\"@timestamp\":\"2024-03-13T11:26:29.606617060Z\",\"groups\":[{\"name\":\"MyGroup!\",\"id\":\"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\"}],\"agents\":[{\"agent_hostname\":\"DESKTOP_0001\",\"agent_ostype\":\"macos\",\"security_event_count\":17662,\"agent_id\":\"215fe295-905f-4a8d-8347-e9d438d4e415\"},{\"agent_hostname\":\"DESKTOP_0020\",\"agent_ostype\":\"macos\",\"security_event_count\":9903,\"agent_id\":\"999ba0c7-96b8-4c57-bf0e-63b24813c873\"}],\"agent_count\":2,\"rules\":[{\"security_event_count\":44,\"rule_id\":\"3daba65e-a7e6-4211-8294-01816f11d659\",\"rule_level\":\"medium\",\"rule_name\":\"NewLaunchDaemonaddedviacommandline\"},{\"security_event_count\":38236,\"rule_id\":\"c502ee75-e425-4100-a8c8-927bc0c1080c\",\"rule_level\":\"low\",\"rule_name\":\"Discovery:Users(macOS)\"},{\"security_event_count\":13,\"rule_id\":\"6915ff50-36b9-43fb-8368-b07f5a702767\",\"rule_level\":\"medium\",\"rule_name\":\"Discovery:Who(macOS)\"},{\"security_event_count\":1525,\"rule_id\":\"7da2cbac-fd59-4ea1-a95b-5f717822ebaa\",\"rule_level\":\"medium\",\"rule_name\":\"Timestompingfilewithtouch(macOS)\"}],\"impacted_users\":[{\"user_sid\":\"root\",\"security_event_count\":39432,\"user_name\":\"root\"},{\"user_sid\":\"john-doe\",\"security_event_count\":8,\"user_name\":\"john-doe\"},{\"user_sid\":\"janedoe\",\"security_event_count\":1,\"user_name\":\"janedoe\"}],\"creation_date\":\"2024-02-07T09:18:21.799384-06:00\",\"last_update\":\"2024-03-13T06:26:29.162934-05:00\",\"total_security_event_count\":40061,\"first_seen\":\"2024-02-07T09:18:00-06:00\",\"tenant\":\"111111111111111\"}",
"event": {
"dataset": "threat",
"end": "2024-03-13T11:25:00Z",
"start": "2024-02-07T15:18:00Z"
},
"agent": {
"name": "harfanglab"
},
"harfanglab": {
"count": {
"rules": 4,
"users_impacted": 3
},
"groups": [
"{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}"
],
"level": "high",
"status": "new",
"threat_id": "829"
},
"user": {
"roles": "MyGroup!"
}
}

```


=== "wineeventlog-event.json"

```json
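Review bot: in the `threat_log.json` sample, `user.roles` is set to the endpoint group name `MyGroup!`, but in the raw message `groups` describes the agent group the endpoints belong to, not a role of any user, and the three entries of `impacted_users` (`root`, `john-doe`, `janedoe`) are not mapped at all; consider dropping `user.roles` and carrying the impacted users in `related.user` (and the two `agent_hostname` values in `related.hosts`) so a threat can be pivoted on like the alert samples. Second, `harfanglab.groups` holds a JSON-encoded string (`"{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}"`) rather than a structured object, so anyone querying a group id has to parse JSON out of a keyword field; if that is intended, the field table should say so. Third, the normalized event has no `@timestamp` even though the source carries both `@timestamp` and `last_update`. The `event.start`/`event.end` conversion of `first_seen`/`last_seen` to UTC (`2024-02-07T09:18:00-06:00` to `2024-02-07T15:18:00Z`, `2024-03-13T06:25:00-05:00` to `2024-03-13T11:25:00Z`) checks out.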
Expand Down Expand Up @@ -2047,9 +2081,11 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.code` | `keyword` | Identification code for this event. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.provider` | `keyword` | Source of the event. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.hash.md5` | `keyword` | MD5 hash. |
|`file.hash.sha1` | `keyword` | SHA1 hash. |
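Review bot: the two new rows repeat the field name inside the description (`event.end contains the date when ...`), unlike every other row in this table; trim them to `Date when the event ended or the activity was last observed.` and `Date when the event started or the activity was first observed.` to match the surrounding style.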
Expand All @@ -2067,14 +2103,17 @@ The following table lists the fields that are extracted, normalized under the EC
|`harfanglab.alert_subtype` | `keyword` | The subtype of the alert |
|`harfanglab.alert_time` | `keyword` | The timestamp of the alert |
|`harfanglab.alert_unique_id` | `keyword` | The identifier of the alert |
|`harfanglab.count.rules` | `number` | Total count of rules |
|`harfanglab.count.users_impacted` | `number` | Total count of impacted users |
|`harfanglab.execution` | `long` | Execution time |
|`harfanglab.grandparent.process.ancestors` | `keyword` | All process parents |
|`harfanglab.grandparent.process.command_line` | `keyword` | Command line that started the grandparent process |
|`harfanglab.grandparent.process.executable` | `keyword` | Absolute path to the grandparent process executable |
|`harfanglab.groups` | `keyword` | harfanglab groups |
|`harfanglab.level` | `keyword` | The risk level associated to the alert |
|`harfanglab.level` | `keyword` | The risk level associated to the event |
|`harfanglab.process.powershell.command` | `keyword` | The powershell command executed |
|`harfanglab.status` | `keyword` | The status of the alert |
|`harfanglab.status` | `keyword` | The status of the event |
|`harfanglab.threat_id` | `keyword` | Id of the threat |
|`host.domain` | `keyword` | Name of the directory the group is a member of. |
|`host.hostname` | `keyword` | Hostname of the host. |
|`host.name` | `keyword` | Name of the host. |
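Review bot: `harfanglab.count.rules` and `harfanglab.count.users_impacted` are typed `number`, which appears nowhere else in this table (the other numeric field, `harfanglab.execution`, is `long`) and is not an ECS/Elasticsearch field type; use `long`. Also, `harfanglab.groups` is described only as `harfanglab groups`, which just repeats the field name; say what it holds (the endpoint group(s) of the agents involved, serialized as a JSON string in the sample). The wording change from `alert` to `event` for `harfanglab.level` and `harfanglab.status` is right now that threat logs populate them too.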
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -653,6 +653,83 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "event_pua_detected_2.json"

```json

{
"message": "{\"appSha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"source_info\": {\"ip\": \"1.2.3.4\"}, \"customer_id\": \"d9b11461-9678-4448-ab88-4b5211d2bf5e\", \"endpoint_id\": \"61092e0b-b6f5-46c5-b0a7-68ee3b2dc822\", \"endpoint_type\": \"computer\", \"threat\": \"Generic Reputation PUA\", \"origin\": \"ML\", \"type\": \"Event::Endpoint::CorePuaDetection\", \"id\": \"c39307f6-0c51-4a55-af23-f2ac7905416d\", \"group\": \"PUA\", \"rt\": \"2023-08-07T21:55:28.843Z\", \"severity\": \"medium\", \"duid\": \"63ed3118d043e176065be9ba\", \"end\": \"2023-08-07T21:55:27.508Z\", \"name\": \"PUA detected: 'Generic Reputation PUA' at 'C:\\\\Users\\\\John Doe\\\\Documents\\\\suspicious.zip'\", \"dhost\": \"LAPTOP-01\", \"suser\": \"LAPTOP-01\\\\John Doe\"}",
"event": {
"action": "detected",
"category": [
"file"
],
"code": "Event::Endpoint::CorePuaDetection",
"end": "2023-08-07T21:55:27.508000Z",
"kind": "event",
"reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'",
"type": [
"info"
]
},
"@timestamp": "2023-08-07T21:55:28.843000Z",
"file": {
"directory": "C:\\Users\\John Doe\\Documents",
"hash": {
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
},
"name": "suspicious.zip",
"path": "C:\\Users\\John Doe\\Documents\\suspicious.zip"
},
"host": {
"hostname": "LAPTOP-01",
"name": "LAPTOP-01"
},
"log": {
"level": "medium"
},
"observer": {
"ip": "1.2.3.4"
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
],
"hosts": [
"LAPTOP-01"
],
"ip": [
"1.2.3.4"
],
"user": [
"John Doe"
]
},
"rule": {
"name": "Generic Reputation PUA"
},
"sophos": {
"customer": {
"id": "d9b11461-9678-4448-ab88-4b5211d2bf5e"
},
"endpoint": {
"id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822",
"type": "computer"
},
"event": {
"group": "PUA"
}
},
"user": {
"domain": "LAPTOP-01",
"id": "63ed3118d043e176065be9ba",
"name": "John Doe"
}
}

```


=== "event_registered.json"

```json
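Review bot: nothing in the name `event_pua_detected_2.json` says what this second PUA sample adds over `event_pua_detected.json`; since the visible difference is the `appSha256` field that now lands in `file.hash.sha256` and `related.hash`, a name such as `event_pua_detected_with_hash.json` would make the intent findable. Separately, the normalized event carries `event.category: ["file"]` with `event.type: ["info"]` for a detection of `Generic Reputation PUA`; ECS places malware and PUA detections under `event.category: ["malware"]`, so that is worth raising against the parser rather than this doc. `source_info.ip` (`1.2.3.4`) ends up in `observer.ip` while `dhost` goes to `host.hostname`; if that IP is the endpoint's own address, `host.ip` is the more natural home. The `suser` split (`LAPTOP-01\\John Doe` into `user.domain` and `user.name`) looks right.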
Expand Down Expand Up @@ -1087,6 +1164,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.hash.sha256` | `keyword` | SHA256 hash. |
|`file.path` | `keyword` | Full path to the file, including the file name. |
|`file.size` | `long` | File size in bytes. |
|`host.hostname` | `keyword` | Hostname of the host. |
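Review bot: only `file.hash.sha256` is added to the field table, but the new sample also populates `file.directory` and `file.name`; the table is sorted alphabetically and both would sit between `event.type` and `file.path`, where the context shows nothing, so they are missing rows. Check `related.hash`, `observer.ip`, `rule.name` and `user.id` for the same reason before merging, since the table is meant to list every extracted field.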
Expand Down