diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index 21af5d625d..ebd13dd718 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md @@ -68,6 +68,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", "parent": { "name": "services.exe", "pid": 11768266 @@ -319,6 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "\"gpupdate.exe\" /target:computer", "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe", + "name": "gpupdate.exe", "parent": { "name": "svchost.exe", "pid": 158964342720 @@ -495,6 +497,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", + "name": "conhost.exe", "parent": { "pid": 416639351024 }, @@ -718,7 +721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", - "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe" + "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe", + "name": "cscript.exe" }, "related": { "ip": [ @@ -888,6 +892,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "args": "MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1", "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", "executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", + "name": "ManagedClient", "parent": { "name": "launchd", "pid": 494714991831837524 @@ -949,6 +954,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "registry": { + "data": { + "strings": "Interactive User" + }, "hive": "MACHINE", "key": "SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}", "path": "MACHINE\\SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\\RunAs", @@ -1001,7 +1009,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup", - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "name": "svchost.exe" }, "related": { "ip": [ @@ -1227,6 +1236,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2", "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe", + "name": "AcroCEF.exe", "parent": { "name": "AcroCEF.exe", "pid": 1084277996656 @@ -1342,7 +1352,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "process": { - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll" + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll", + "name": "shell32.dll" }, "related": { "hash": [ @@ -1779,6 +1790,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process": { "command_line": "C:\\WINDOWS\\System32\\rundll32.exe", "executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe", + "name": "rundll32.exe", "parent": { "name": "setup.exe", "pid": 288633815511 @@ -1980,7 +1992,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s BITS", - "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe" + "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "name": "svchost.exe" }, "related": { "ip": [ @@ -1997,6 +2010,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "telemetry_event_40.json" + + ```json + + { + "message": "{\"AsepFlags\": \"5\", \"ContextThreadId\": \"1216191193\", \"aip\": \"45.85.223.11\", \"RegObjectName\": \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\", \"Data1\": \"00\", \"RegOperationType\": \"1\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"TargetCommandLineParameters\": \"\", \"EventOrigin\": \"1\", \"id\": \"6802cffe-a2a5-489f-8e7f-b70331921d65\", \"EffectiveTransmissionClass\": \"3\", \"RegStringValue\": \"Explorer.exe\", \"timestamp\": \"1712663526832\", \"event_simpleName\": \"AsepValueUpdate\", \"ContextTimeStamp\": \"1712663526.308\", \"ConfigStateHash\": \"3318804059\", \"RegType\": \"1\", \"ContextProcessId\": \"235686529\", \"AsepClass\": \"9\", \"AsepIndex\": \"32\", \"AuthenticationId\": \"427985\", \"ConfigBuild\": \"1007.3.0017605.10\", \"RegValueName\": \"Shell\", \"AsepValueType\": \"0\", \"Entitlements\": \"15\", \"name\": \"AsepValueUpdateV7\", \"aid\": \"11111111111111111111111111111111\", \"cid\": \"22222222222222222222222222222222\", \"TargetFileName\": \"\"}", + "event": { + "action": "AsepValueUpdate", + "category": [ + "registry" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-04-09T11:52:06.832000Z", + "agent": { + "id": "11111111111111111111111111111111" + }, + "crowdstrike": { + "customer_id": "22222222222222222222222222222222" + }, + "host": { + "ip": [ + "45.85.223.11" + ], + "os": { + "platform": "win" + } + }, + "registry": { + "data": { + "strings": "Explorer.exe" + }, + "hive": "MACHINE", + "key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "path": "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "value": "Shell" + }, + "related": { + "ip": [ + "45.85.223.11" + ] + }, + "source": { + "nat": { + "ip": "45.85.223.11" + } + } + } + + ``` + + === "telemetry_event_5.json" ```json @@ -2283,6 +2350,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", "end": "2022-08-20T19:06:18.014000Z", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", "parent": { "name": "services.exe", "pid": 11768266 @@ -2355,11 +2423,13 @@ The following table lists the fields that are extracted, normalized under the EC |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.end` | `date` | The time the process ended. | |`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.name` | `keyword` | Process name. | |`process.parent.name` | `keyword` | Process name. | |`process.parent.pid` | `long` | Process id. | |`process.pid` | `long` | Process id. | |`process.start` | `date` | The time the process started. | |`process.thread.id` | `long` | Thread ID. | +|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | |`registry.hive` | `keyword` | Abbreviated name for the hive. | |`registry.key` | `keyword` | Hive-relative path of keys. | |`registry.path` | `keyword` | Full path, including hive, key and value | diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index 2f1642512b..49929a1b13 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md @@ -1119,6 +1119,110 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "email": "foo.bar@corp.eu", "full_name": "bar foo" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari UI/WKWebView", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148", + "os": { + "name": "iOS", + "version": "14.4" + } + } + } + + ``` + + +=== "user_risk_detection_2.json" + + ```json + + { + "message": "{\"time\": \"3/24/2022 2:42:35 PM\", \"resourceId\": \"/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam\", \"operationName\": \"User Risk Detection\", \"operationVersion\": \"1.0\", \"category\": \"UserRiskEvents\", \"tenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"resultSignature\": \"None\", \"durationMs\": 0, \"callerIpAddress\": \"11.22.33.44\", \"correlationId\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"identity\": \"bar foo\", \"Level\": 4, \"location\": \"fr\", \"properties\": {\"id\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"requestId\": \"d38b6ab7-65b0-419c-b83a-a5787d6fa100\", \"correlationId\": \"325294e4-4026-4cc7-889d-b4be570b3254\", \"riskType\": \"unfamiliarFeatures\", \"riskEventType\": \"unfamiliarFeatures\", \"riskState\": \"atRisk\", \"riskLevel\": \"low\", \"riskDetail\": \"none\", \"source\": \"IdentityProtection\", \"detectionTimingType\": \"realtime\", \"activity\": \"signin\", \"ipAddress\": \"11.22.33.44\", \"location\": {\"city\": \"\", \"state\": \"\", \"countryOrRegion\": \"FR\", \"geoCoordinates\": {\"altitude\": 0, \"latitude\": 46, \"longitude\": 2}}, \"activityDateTime\": \"2023-10-26T5:32:08.107Z\", \"detectedDateTime\": \"2023-10-26T5:32:08.107Z\", \"lastUpdatedDateTime\": \"2023-10-26T5:35:05.938Z\", \"userId\": \"4c64c30a-7a60-4211-bef1-5e4279854e85\", \"userDisplayName\": \"bar foo\", \"userPrincipalName\": \"foo.bar@corp.eu\", \"additionalInfo\": \"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarASN\\\",\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null}]\", \"tokenIssuerType\": \"AzureAD\", \"resourceTenantId\": null, \"homeTenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"userType\": \"member\", \"crossTenantAccessType\": \"none\"}}", + "event": { + "category": [ + "iam" + ], + "reason": "unfamiliarFeatures", + "type": [ + "connection" + ] + }, + "@timestamp": "2022-03-24T14:42:35Z", + "action": { + "name": "User Risk Detection" + }, + "azuread": { + "Level": 4, + "callerIpAddress": "11.22.33.44", + "category": "UserRiskEvents", + "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080", + "durationMs": 0, + "identity": "bar foo", + "operationName": "User Risk Detection", + "operationVersion": "1.0", + "properties": { + "activity": "signin", + "correlationId": "325294e4-4026-4cc7-889d-b4be570b3254", + "detectionTimingType": "realtime", + "id": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080", + "requestId": "d38b6ab7-65b0-419c-b83a-a5787d6fa100", + "riskDetail": "none", + "riskEventType": "unfamiliarFeatures", + "riskLevel": "low", + "riskReasons": [ + "UnfamiliarASN", + "UnfamiliarBrowser", + "UnfamiliarDevice", + "UnfamiliarEASId", + "UnfamiliarIP", + "UnfamiliarLocation", + "UnfamiliarTenantIPsubnet" + ], + "riskState": "atRisk", + "source": "IdentityProtection" + }, + "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam", + "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad" + }, + "related": { + "ip": [ + "11.22.33.44" + ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "11.22.33.44", + "geo": { + "country_iso_code": "fr", + "location": { + "lat": 46, + "lon": 2 + } + }, + "ip": "11.22.33.44" + }, + "user": { + "email": "foo.bar@corp.eu", + "full_name": "bar foo" + }, + "user_agent": { + "device": { + "name": "Oppo CPH2005" + }, + "name": "Chrome Mobile WebView", + "original": "Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 PKeyAuth/1.0", + "os": { + "name": "Android", + "version": "12" + }, + "version": "117.0.0" } } @@ -1178,6 +1282,7 @@ The following table lists the fields that are extracted, normalized under the EC |`azuread.properties.riskLevel` | `keyword` | | |`azuread.properties.riskLevelAggregated` | `keyword` | riskLevelAggregated | |`azuread.properties.riskLevelDuringSignIn` | `keyword` | riskLevelDuringSignIn | +|`azuread.properties.riskReasons` | `array` | | |`azuread.properties.riskState` | `keyword` | | |`azuread.properties.source` | `keyword` | | |`azuread.properties.status.additionalDetails` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 173baa545e..9edd4dbc2d 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -1683,6 +1683,36 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "threat_critical.json" + + ```json + + { + "message": "{\"last_update\": \"2024-03-19T04:21:47.324573-05:00\", \"agents\": [{\"security_event_count\": 2, \"agent_hostname\": \"Nuke\", \"agent_id\": \"af5e2f63-becd-4660-ade8-30d04c0dd044\", \"agent_ostype\": \"windows\"}], \"groups\": [], \"log_type\": \"threat\", \"@timestamp\": \"2024-03-19T09:21:47.400211636Z\", \"agent_count\": 1, \"id\": 55, \"status\": \"new\", \"impacted_users\": [], \"rules\": [{\"rule_level\": \"critical\", \"rule_name\": \"Recommended driver block list\", \"security_event_count\": 2, \"rule_id\": \"Recommended driver block list\"}], \"impacted_user_count\": 0, \"creation_date\": \"2024-03-19T04:21:47.186067-05:00\", \"@Version\": \"1\", \"first_seen\": \"2024-03-19T04:21:00-05:00\", \"total_security_event_count\": 2, \"destination\": \"syslog\", \"last_seen\": \"2024-03-19T04:21:00-05:00\", \"level\": \"critical\", \"rule_count\": 1, \"tenant\": \"11111111111111111111\"}", + "event": { + "dataset": "threat", + "end": "2024-03-19T09:21:00Z", + "start": "2024-03-19T09:21:00Z" + }, + "agent": { + "name": "harfanglab" + }, + "harfanglab": { + "count": { + "rules": 1, + "users_impacted": 0 + }, + "groups": [], + "level": "critical", + "rule_level": "critical", + "status": "new", + "threat_id": "55" + } + } + + ``` + + === "threat_log.json" ```json @@ -1706,6 +1736,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}" ], "level": "high", + "rule_level": "medium", "status": "new", "threat_id": "829" }, @@ -2271,6 +2302,7 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.level` | `keyword` | The risk level associated to the event | |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed | |`harfanglab.process.powershell.script_path` | `keyword` | The powershell script path | +|`harfanglab.rule_level` | `keyword` | Rule level | |`harfanglab.status` | `keyword` | The status of the event | |`harfanglab.threat_id` | `keyword` | Id of the threat | |`host.domain` | `keyword` | Name of the directory the group is a member of. | diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md index 31ddaf31ed..042390913d 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md @@ -15,4 +15,930 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "encrypt.json" + + ```json + + { + "message": "time=10:45:27 device_id=123 log_id=000000 type=encrypt pri=information session_id=\"ziuhiohzf\" msg=\"User user1@1.ca read secure message, id:'ziuhiohzf', sent from: 'user2@2.ca', subject: 'ppt file'\"", + "event": { + "kind": "encrypt", + "message": "User user1@1.ca read secure message, id:'ziuhiohzf', sent from: 'user2@2.ca', subject: 'ppt file'" + }, + "action": { + "outcome_reason": "User user1@1.ca read secure message, id:'ziuhiohzf', sent from: 'user2@2.ca', subject: 'ppt file'", + "properties": { + "device_id": "123", + "log_id": "000000", + "session_id": "ziuhiohzf" + } + }, + "host": { + "name": "abc" + }, + "log": { + "hostname": "abc", + "level": "information" + } + } + + ``` + + +=== "event.json" + + ```json + + { + "message": "time=17:07:46.124 device_id=FEVM020000087260 log_id=00000 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"1Z11R1T1\" msg=\"from=person.fr, size=26135, class=0, nrcpts=1, msgid=something.com, proto=ESMTP, daemon=SMTP_MTA, relay=notifications [1.1.1.1]\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "from=person.fr, size=26135, class=0, nrcpts=1, msgid=something.com, proto=ESMTP, daemon=SMTP_MTA, relay=notifications [1.1.1.1]" + }, + "action": { + "outcome_reason": "from=person.fr, size=26135, class=0, nrcpts=1, msgid=something.com, proto=ESMTP, daemon=SMTP_MTA, relay=notifications [1.1.1.1]", + "properties": { + "class": "0", + "daemon": "SMTP_MTA", + "device_id": "FEVM020000087260", + "log_id": "00000", + "message_id": "something.com", + "nrcpts": "1", + "relay": "notifications", + "session_id": "1Z11R1T1", + "user_identifier": "mail" + } + }, + "email": { + "from": { + "address": [ + "person.fr" + ] + } + }, + "file": { + "size": 26135 + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + }, + "network": { + "protocol": "ESMTP" + }, + "related": { + "user": [ + "mail" + ] + }, + "user": { + "name": "mail" + } + } + + ``` + + +=== "event_smtp_STARTTLS.json" + + ```json + + { + "message": "time=18:33:36.601 device_id=123456 log_id=0003007110 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"12345\" msg=\"STARTTLS=server, relay=something.com [1.1.1.1], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-something, bits=256/256\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "STARTTLS=server, relay=something.com [1.1.1.1], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-something, bits=256/256" + }, + "action": { + "outcome_reason": "STARTTLS=server, relay=something.com [1.1.1.1], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-something, bits=256/256", + "properties": { + "bits_sent_ratio": "256/256", + "device_id": "123456", + "log_id": "0003007110", + "relay": "something.com", + "session_id": "12345", + "start_tls": "server", + "user_identifier": "mail", + "verify": "NO" + } + }, + "host": { + "name": "123" + }, + "log": { + "hostname": "123", + "level": "information" + }, + "related": { + "user": [ + "mail" + ] + }, + "tls": { + "cipher": "ECDHE-RSA-something" + }, + "user": { + "name": "mail" + } + } + + ``` + + +=== "event_smtp_to.json" + + ```json + + { + "message": "time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13KGXMHI007058-13KGXMHK007058\" msg=\"to=, delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=50733, relay=email.fr. [1.1.1.1], dsn=2.0.0, stat=Sent (Ok: queued as C41457FCE6)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=50733, relay=email.fr. [1.1.1.1], dsn=2.0.0, stat=Sent (Ok: queued as C41457FCE6)", + "reason": "Sent (Ok: queued as C41457FCE6)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:13, xdelay=00:00:12, mailer=esmtp, pri=50733, relay=email.fr. [1.1.1.1], dsn=2.0.0, stat=Sent (Ok: queued as C41457FCE6)", + "properties": { + "delay": "00:00:13", + "device_id": "xcvfg", + "dsn_version": "2.0.0", + "log_id": "0003007072", + "mailer": "esmtp", + "priority_level_msg": "50733", + "session_id": "13KGXMHI007058-13KGXMHK007058", + "user_identifier": "mail", + "xdelay": "00:00:12" + } + }, + "destination": { + "address": "email.fr.", + "domain": "email.fr.", + "ip": "1.1.1.1", + "size_in_char": 9 + }, + "host": { + "name": "1234" + }, + "log": { + "hostname": "1234", + "level": "information" + }, + "related": { + "hosts": [ + "email.fr." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "", + "name": "mail" + } + } + + ``` + + +=== "event_smtp_to_bis.json" + + ```json + + { + "message": "time=15:12:29.013 device_id=FEVM020000087260 log_id=0003014581 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13RDCREi014579-13RDCREj014579\" msg=\"to=, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=40733, relay=mail.eu. [1.1.1.1], dsn=2.0.0, stat=Sent ( [InternalId=96830037688413, Hostname=sphinx] 12426 bytes in 0.118, 102,604 KB/sec Queued mail for delivery)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=40733, relay=mail.eu. [1.1.1.1], dsn=2.0.0, stat=Sent ( [InternalId=96830037688413, Hostname=sphinx] 12426 bytes in 0.118, 102,604 KB/sec Queued mail for delivery)", + "reason": "Sent ( [InternalId=96830037688413, Hostname=sphinx] 12426 bytes in 0.118, 102,604 KB/sec Queued mail for delivery)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=40733, relay=mail.eu. [1.1.1.1], dsn=2.0.0, stat=Sent ( [InternalId=96830037688413, Hostname=sphinx] 12426 bytes in 0.118, 102,604 KB/sec Queued mail for delivery)", + "properties": { + "delay": "00:00:02", + "device_id": "FEVM020000087260", + "dsn_version": "2.0.0", + "log_id": "0003014581", + "mailer": "esmtp", + "priority_level_msg": "40733", + "session_id": "13RDCREi014579-13RDCREj014579", + "user_identifier": "mail", + "xdelay": "00:00:01" + } + }, + "destination": { + "address": "mail.eu.", + "domain": "mail.eu.", + "ip": "1.1.1.1", + "size_in_char": 8 + }, + "host": { + "name": "1234" + }, + "log": { + "hostname": "1234", + "level": "information" + }, + "related": { + "hosts": [ + "mail.eu." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "", + "name": "mail" + } + } + + ``` + + +=== "kevent.json" + + ```json + + { + "message": "time=17:34:06.188 device_id=0000 log_id=123 type=kevent subtype=dns pri=information msg=\"UDP DNS response is truncated, try DNS query in TCP (happened 385350 time(s)), DNS question section:{name=something.com, qtype=16, class=1}\"", + "event": { + "category": "dns", + "kind": "kevent", + "message": "UDP DNS response is truncated, try DNS query in TCP (happened 385350 time(s)), DNS question section:{name=something.com, qtype=16, class=1}" + }, + "action": { + "outcome_reason": "UDP DNS response is truncated, try DNS query in TCP (happened 385350 time(s)), DNS question section:{name=something.com, qtype=16, class=1}", + "properties": { + "device_id": "0000", + "log_id": "123" + } + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + } + } + + ``` + + +=== "smtp_event_STARTTLS_client_local_certificate.json" + + ```json + + { + "message": "time=14:35:47.153 device_id=123 log_id=0000 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"14SCZkrD013672-14SCZkrF013672\" msg=\"STARTTLS=client, cert-subject=/CN=EX-01, cert-issuer=/CN=EX-01, verifymsg=unable to get local issuer certificate\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "STARTTLS=client, cert-subject=/CN=EX-01, cert-issuer=/CN=EX-01, verifymsg=unable to get local issuer certificate", + "reason": "unable to get local issuer certificate" + }, + "action": { + "outcome_reason": "STARTTLS=client, cert-subject=/CN=EX-01, cert-issuer=/CN=EX-01, verifymsg=unable to get local issuer certificate", + "properties": { + "device_id": "123", + "log_id": "0000", + "session_id": "14SCZkrD013672-14SCZkrF013672", + "start_tls": "client", + "user_identifier": "mail" + } + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + }, + "related": { + "user": [ + "mail" + ] + }, + "tls": { + "client": { + "issuer": "/CN=EX-01", + "subject": "/CN=EX-01" + } + }, + "user": { + "name": "mail" + } + } + + ``` + + +=== "smtp_event_STARTTLS_server_local_certificate.json" + + ```json + + { + "message": "time=16:10:33.138 device_id=123 log_id=123 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"000\" msg=\"STARTTLS=server, cert-subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=something.com, cert-issuer=issuer, verifymsg=unable to get local issuer certificate\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "STARTTLS=server, cert-subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=something.com, cert-issuer=issuer, verifymsg=unable to get local issuer certificate", + "reason": "unable to get local issuer certificate" + }, + "action": { + "outcome_reason": "STARTTLS=server, cert-subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=something.com, cert-issuer=issuer, verifymsg=unable to get local issuer certificate", + "properties": { + "device_id": "123", + "log_id": "123", + "session_id": "000", + "start_tls": "server", + "user_identifier": "mail" + } + }, + "host": { + "name": "ABC" + }, + "log": { + "hostname": "ABC", + "level": "information" + }, + "related": { + "user": [ + "mail" + ] + }, + "tls": { + "server": { + "issuer": "issuer", + "subject": "/C=US/ST=California/L=Mountain View/O=Google LLC/CN=something.com" + } + }, + "user": { + "name": "mail" + } + } + + ``` + + +=== "smtp_event_STARTTLS_server_signed_certificate.json" + + ```json + + { + "message": "time=14:25:48.564 device_id=123 log_id=0000 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"0000\" msg=\"STARTTLS=server, cert-subject=/something.fr, cert-issuer=issuer name, verifymsg=self signed certificate in certificate chain\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "STARTTLS=server, cert-subject=/something.fr, cert-issuer=issuer name, verifymsg=self signed certificate in certificate chain", + "reason": "self signed certificate in certificate chain" + }, + "action": { + "outcome_reason": "STARTTLS=server, cert-subject=/something.fr, cert-issuer=issuer name, verifymsg=self signed certificate in certificate chain", + "properties": { + "device_id": "123", + "log_id": "0000", + "session_id": "0000", + "start_tls": "server", + "user_identifier": "mail" + } + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + }, + "related": { + "user": [ + "mail" + ] + }, + "tls": { + "server": { + "issuer": "issuer name", + "subject": "/something.fr" + } + }, + "user": { + "name": "mail" + } + } + + ``` + + +=== "smtp_event_to_user_unknown.json" + + ```json + + { + "message": "time=10:50:36.931 device_id=FEVM020000087260 log_id=0003008733 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"1548fVq5008733-1548fVq5008733\" msg=\"to=postmaster, delay=00:00:50, mailer=local, pri=58900, dsn=5.1.1, stat=User unknown(Reason from remote:550 5.1.1 User unknown)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=postmaster, delay=00:00:50, mailer=local, pri=58900, dsn=5.1.1, stat=User unknown(Reason from remote:550 5.1.1 User unknown)", + "reason": "User unknown(Reason from remote:550 5.1.1 User unknown)" + }, + "action": { + "outcome_reason": "to=postmaster, delay=00:00:50, mailer=local, pri=58900, dsn=5.1.1, stat=User unknown(Reason from remote:550 5.1.1 User unknown)", + "properties": { + "delay": "00:00:50", + "device_id": "FEVM020000087260", + "dsn_version": "5.1.1", + "log_id": "0003008733", + "mailer": "local", + "priority_level_msg": "58900", + "session_id": "1548fVq5008733-1548fVq5008733", + "user_identifier": "mail" + } + }, + "host": { + "name": "00000" + }, + "log": { + "hostname": "00000", + "level": "information" + }, + "related": { + "user": [ + "mail" + ] + }, + "user": { + "email": "postmaster", + "name": "mail" + } + } + + ``` + + +=== "spam.json" + + ```json + + { + "message": "time=16:01:46.183 device_id=123 log_id=123 type=spam subtype=default pri=information session_id=\"00000\" client_name=\"mail.outlook.com\" client_ip=\"2.2.2.2\" dst_ip=\"1.1.1.1\" from=\"\" to=\"mail.fr\" subject=\"D\u00e9tail de votre quarantaine: [ 1 message(s) en quarantaine entre le jeu. 15 avr. 2021 14 h 00 +0200 et le jeu. 15 avr. 2021 16 h 00 +0200 ]\" msg=\"File name: icon_deleteall.png, scanned by Antivirus Scanner(clean)\"", + "event": { + "category": "default", + "kind": "spam", + "message": "File name: icon_deleteall.png, scanned by Antivirus Scanner(clean)" + }, + "action": { + "outcome_reason": "File name: icon_deleteall.png, scanned by Antivirus Scanner(clean)", + "properties": { + "device_id": "123", + "event_status": "clean", + "log_id": "123", + "session_id": "00000", + "subject": "D\u00e9tail de votre quarantaine: [ 1 message(s) en quarantaine entre le jeu. 15 avr. 2021 14 h 00 +0200 et le jeu. 15 avr. 2021 16 h 00 +0200 ]" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "email": { + "to": { + "address": [ + "mail.fr" + ] + } + }, + "file": { + "name": "icon_deleteall.png", + "type": "file" + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "mail.outlook.com", + "ip": "2.2.2.2" + } + } + + ``` + + +=== "spam_antispam_url.json" + + ```json + + { + "message": "time=15:08:03.466 device_id=device log_id=121416 type=spam subtype=default pri=information session_id=\"123456\" client_name=\"client\" client_ip=\"2.2.2.2\" dst_ip=\"1.1.1.1\" from=\"whatever.com\" to=\"something.com\" subject=\"d\u00e9finitivement aim\u00e9 cette id\u00e9e et a pris la d\u00e9cision de vous la montrer\" msg=\"FortiGuard-AntiSpam identified spam URL: http://something.something.photos/apmix\"", + "event": { + "category": "default", + "kind": "spam", + "message": "FortiGuard-AntiSpam identified spam URL: http://something.something.photos/apmix" + }, + "action": { + "outcome_reason": "FortiGuard-AntiSpam identified spam URL: http://something.something.photos/apmix", + "properties": { + "device_id": "device", + "log_id": "121416", + "session_id": "123456", + "subject": "d\u00e9finitivement aim\u00e9 cette id\u00e9e et a pris la d\u00e9cision de vous la montrer" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "email": { + "from": { + "address": [ + "whatever.com" + ] + }, + "to": { + "address": [ + "something.com" + ] + } + }, + "host": { + "name": "abc" + }, + "log": { + "hostname": "abc", + "level": "information" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "client", + "ip": "2.2.2.2" + }, + "url": { + "full": "http://something.something.photos/apmix" + } + } + + ``` + + +=== "spam_antivirus.json" + + ```json + + { + "message": "time=10:00:08.543 device_id=abc log_id=0300025551 type=spam subtype=default pri=information session_id=\"123456\" client_name=\"something.live\" client_ip=\"2.2.2.2\" dst_ip=\"1.1.1.1\" from=\"nereply.live\" to=\"info@pms-becus.com\" subject=\"new order to UK\" msg=\"File name: file.ppt(checksum:122452), scanned by Antivirus Scanner(detected)\"", + "event": { + "category": "default", + "kind": "spam", + "message": "File name: file.ppt(checksum:122452), scanned by Antivirus Scanner(detected)" + }, + "action": { + "outcome_reason": "File name: file.ppt(checksum:122452), scanned by Antivirus Scanner(detected)", + "properties": { + "device_id": "abc", + "event_status": "detected", + "log_id": "0300025551", + "session_id": "123456", + "subject": "new order to UK" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "email": { + "from": { + "address": [ + "nereply.live" + ] + }, + "to": { + "address": [ + "info@pms-becus.com" + ] + } + }, + "file": { + "hash": { + "sha256": "122452" + }, + "name": "file.ppt", + "type": "file" + }, + "host": { + "name": "abc" + }, + "log": { + "hostname": "abc", + "level": "information" + }, + "related": { + "hash": [ + "122452" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "something.live", + "ip": "2.2.2.2" + } + } + + ``` + + +=== "spam_webfilter_url.json" + + ```json + + { + "message": "time=09:59:32.943 device_id=FEVM020000087260 log_id=0300025171 type=spam subtype=default pri=information session_id=\"15N7xWCW025167-15N7xWCX025167\" client_name=\"mail@sth.com\" client_ip=\"2.2.2.2\" dst_ip=\"1.1.1.1\" from=\"target.fr\" to=\"source.com\" subject=\"Vos impressions de documents au meilleur prix !\" msg=\"FortiGuard-WebFilter identified URL: url.fr, category: Spam URLs, id: 86.\"", + "event": { + "category": "default", + "kind": "spam", + "message": "FortiGuard-WebFilter identified URL: url.fr, category: Spam URLs, id: 86." + }, + "action": { + "outcome_reason": "FortiGuard-WebFilter identified URL: url.fr, category: Spam URLs, id: 86.", + "properties": { + "device_id": "FEVM020000087260", + "log_id": "0300025171", + "session_id": "15N7xWCW025167-15N7xWCX025167", + "spam_category": "Spam URLs", + "spam_id": 86, + "subject": "Vos impressions de documents au meilleur prix !" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "email": { + "from": { + "address": [ + "target.fr" + ] + }, + "to": { + "address": [ + "source.com" + ] + } + }, + "host": { + "name": "12345" + }, + "log": { + "hostname": "12345", + "level": "information" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "mail@sth.com", + "ip": "2.2.2.2" + }, + "url": { + "full": "url.fr" + } + } + + ``` + + +=== "statistics.json" + + ```json + + { + "message": "time=11:37:27.544 device_id=ABC log_id=0200017947 type=statistics pri=information session_id=\"123\" client_name=\"Address.com\" client_ip=\"2.2.2.2\" client_cc=\"FR\" dst_ip=\"1.1.1.1\" from=\"something.fr\" hfrom=\"something.fr\" to=\"something.fr\" polid=\"0:1:1\" domain=\"host.com\" mailer=\"mta\" resolved=\"OK\" src_type=\"int\" direction=\"in\" virus=\"\" disposition=\"Accept\" classifier=\"Domain Safe\" message_length=\"112389\" subject=confidential subject", + "event": { + "kind": "statistics", + "outcome": "Accept" + }, + "action": { + "outcome": "Accept", + "outcome_reason": "Domain Safe", + "properties": { + "device_id": "ABC", + "dns_resolution_attempt": "OK", + "host_sender": "something.fr", + "log_id": "0200017947", + "mailer": "mta", + "policy_id": "0:1:1", + "session_id": "123", + "source_country": "FR", + "src_type": "int", + "subject": "confidential subject" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "email": { + "from": { + "address": [ + "something.fr" + ] + }, + "to": { + "address": [ + "something.fr" + ] + } + }, + "host": { + "name": "B96f1GJTxDUKbh2l" + }, + "http": { + "request": { + "bytes": 112389 + } + }, + "log": { + "hostname": "B96f1GJTxDUKbh2l", + "level": "information" + }, + "network": { + "direction": "in" + }, + "related": { + "hosts": [ + "host.com" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "Address.com", + "domain": "host.com", + "ip": "2.2.2.2", + "size_in_char": 8 + } + } + + ``` + + +=== "virus.json" + + ```json + + { + "message": "time=16:17:10.683 device_id=ABC log_id=1234271 type=virus subtype=fortisandbox pri=information from=\"\" to=\"\" client_name=\"\" client_ip=\"\" session_id=\"123456789\" msg=\"File file.pdf (checksum: 1234271) has been scanned by FortiSandbox. Scan result: rating=CLEAN\"", + "event": { + "category": "fortisandbox", + "kind": "virus", + "message": "File file.pdf (checksum: 1234271) has been scanned by FortiSandbox. Scan result: rating=CLEAN" + }, + "action": { + "outcome_reason": "File file.pdf (checksum: 1234271) has been scanned by FortiSandbox. Scan result: rating=CLEAN", + "properties": { + "device_id": "ABC", + "event_status": "CLEAN", + "log_id": "1234271", + "session_id": "123456789" + } + }, + "file": { + "hash": { + "sha256": "1234271" + }, + "name": "file.pdf", + "type": "file" + }, + "host": { + "name": "hostname" + }, + "log": { + "hostname": "hostname", + "level": "information" + }, + "related": { + "hash": [ + "1234271" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.bits_sent_ratio` | `keyword` | | +|`action.properties.class` | `keyword` | | +|`action.properties.daemon` | `keyword` | | +|`action.properties.delay` | `keyword` | | +|`action.properties.device_id` | `keyword` | | +|`action.properties.dns_resolution_attempt` | `keyword` | | +|`action.properties.dsn_version` | `keyword` | | +|`action.properties.event_status` | `keyword` | | +|`action.properties.host_sender` | `keyword` | | +|`action.properties.hostname_info` | `keyword` | | +|`action.properties.log_id` | `keyword` | | +|`action.properties.mailer` | `keyword` | | +|`action.properties.message_id` | `keyword` | | +|`action.properties.nrcpts` | `keyword` | | +|`action.properties.policy_id` | `keyword` | | +|`action.properties.priority_level_msg` | `keyword` | | +|`action.properties.relay` | `keyword` | | +|`action.properties.session_id` | `keyword` | | +|`action.properties.source_country` | `keyword` | | +|`action.properties.spam_category` | `keyword` | | +|`action.properties.spam_id` | `number` | | +|`action.properties.src_type` | `keyword` | | +|`action.properties.start_tls` | `keyword` | | +|`action.properties.stat` | `keyword` | | +|`action.properties.subject` | `keyword` | | +|`action.properties.user_identifier` | `keyword` | | +|`action.properties.verify` | `keyword` | | +|`action.properties.virus` | `keyword` | | +|`action.properties.xdelay` | `keyword` | | +|`destination.address` | `keyword` | Destination network address. | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.size_in_char` | `number` | | +|`email.from.address` | `array` | | +|`email.to.address` | `array` | | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.size` | `long` | File size in bytes. | +|`file.type` | `keyword` | File type (file, dir, or symlink). | +|`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | +|`log.level` | `keyword` | Log level of the log event. | +|`network.direction` | `keyword` | Direction of the network traffic. | +|`network.protocol` | `keyword` | Application protocol name. | +|`source.address` | `keyword` | Source network address. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.size_in_char` | `number` | | +|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | +|`tls.client.issuer` | `keyword` | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | +|`tls.client.subject` | `keyword` | Distinguished name of subject of the x.509 certificate presented by the client. | +|`tls.server.issuer` | `keyword` | Subject of the issuer of the x.509 certificate presented by the server. | +|`tls.server.subject` | `keyword` | Subject of the x.509 certificate presented by the server. | +|`url.full` | `wildcard` | Full unparsed URL. | +|`user.email` | `keyword` | User email address. | +|`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md new file mode 100644 index 0000000000..12c65cae61 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md @@ -0,0 +1,126 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web proxy` | Ubika detects and mitigates threats against web applications and APIs. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `web` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event.json" + + ```json + + { + "message": "{\"id\": \"ZhVpSAoAQi8AAE20AkoAAABB\", \"application_id\": \"www.some-app.com\", \"ip_source\": \"1.2.3.4\", \"http_method\": \"GET\", \"protocol\": \"HTTP/1.1\", \"hostname\": \"www.some-app.com.289339716950101.app.d.eu-west-2.cloudprotector.com\", \"path\": \"/\", \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\", \"x_forwarded_for\": \"1.2.3.4\", \"http_status_code\": 200, \"response_size\": 633, \"total_response_time\": 35, \"timestamp\": 1712679240}", + "event": { + "category": [ + "web" + ], + "duration": 35000000, + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-09T16:14:00Z", + "destination": { + "bytes": 633 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "forwarded_ip": "1.2.3.4" + }, + "observer": { + "name": "www.some-app.com.289339716950101.app.d.eu-west-2.cloudprotector.com", + "product": "Cloud Protector", + "vendor": "Ubika" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "ubika": { + "cloud_protector": { + "application_id": "www.some-app.com" + } + }, + "url": { + "path": "/" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36", + "os": { + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "122.0.0" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.duration` | `long` | Duration of the event in nanoseconds. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`source.ip` | `ip` | IP address of the source. | +|`ubika.cloud_protector.application_id` | `keyword` | Website server name | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index b85ebdba7f..dc17e02f43 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -2135,7 +2135,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"CreationTime\": \"2023-08-31T07:24:24\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Operation\": \"AlertTriggered\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"ts\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"te\\\":\\\"2023-08-31T07:23:13.0000000Z\\\",\\\"tid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"tdc\\\":\\\"1\\\",\\\"af\\\":\\\"0\\\",\\\"tht\\\":\\\"Phish,\\n\\nMalicious\\\",\\\"als\\\":\\\"Protection\\\",\\\"op\\\":\\\"Protection\\\",\\\"wsrt\\\":\\\"0001-01-01T00:00:00\\\",\\\"mdt\\\":\\\"u\\\",\\\"rid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"cid\\\":\\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\",\\\"ad\\\":\\\"This\\nalert fires when message containing phish was delivered due to an ETR override. \\n-V1.0.0.5\\\",\\\"lon\\\":\\\"Protection\\\",\\\"an\\\":\\\"Phish delivered due to an ETR override\\\",\\\"sev\\\":\\\"Informational\\\"}\", \"Name\": \"Phish delivered due to an ETR override\", \"PolicyId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Severity\": \"Informational\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "message": "{\"CreationTime\": \"2023-08-31T07:24:24\", \"Id\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Operation\": \"AlertTriggered\", \"OrganizationId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"ts\\\": \\\"2023-08-31T07:23:13.0000000Z\\\", \\\"te\\\": \\\"2023-08-31T07:23:13.0000000Z\\\", \\\"tid\\\": \\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\", \\\"tdc\\\": \\\"1\\\", \\\"af\\\": \\\"0\\\", \\\"tht\\\": \\\"Phish,\\\\n\\\\nMalicious\\\", \\\"als\\\": \\\"Protection\\\", \\\"op\\\": \\\"Protection\\\", \\\"wsrt\\\": \\\"0001-01-01T00:00:00\\\", \\\"mdt\\\": \\\"u\\\", \\\"rid\\\": \\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\", \\\"cid\\\": \\\"77f6d9ce-da8f-46bf-a651-4bec3c189770\\\", \\\"ad\\\": \\\"This\\\\nalert fires when message containing phish was delivered due to an ETR override. \\\\n-V1.0.0.5\\\", \\\"lon\\\": \\\"Protection\\\", \\\"an\\\": \\\"Phish delivered due to an ETR override\\\", \\\"sev\\\": \\\"Informational\\\"}\", \"Name\": \"Phish delivered due to an ETR override\", \"PolicyId\": \"77f6d9ce-da8f-46bf-a651-4bec3c189770\", \"Severity\": \"Informational\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", "event": { "action": "AlertTriggered", "category": [ @@ -2196,6 +2196,253 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "security_compliance_alert_2.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-04-04T08:15:14\", \"Id\": \"11c950ca-f6b6-4bbf-a0fc-bb287f9c1ef4\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"241cae47-1a82-46a7-bfae-4b0a86f89c8b\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"9ccf6a76-3106-4bad-ad80-fc515b137ba2\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"b2358a80-85d3-488e-8285-db123ce918a4\", \"AlertId\": \"cf0708c6-e2c5-4962-ae99-9af4799175f4\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"Custom\", \"Category\": \"DataLossPrevention\", \"Comments\": \"New alert\", \"Data\": \"{\\\"etype\\\":\\\"DlpRuleMatch\\\",\\\"eid\\\":\\\"48aa73f6-b740-438b-861d-441281310de7\\\",\\\"tid\\\":\\\"21692c1b-2bd4-464a-aa27-6658fe410b4b\\\",\\\"ts\\\":\\\"2024-04-04T07:36:48.0000000Z\\\",\\\"te\\\":\\\"2024-04-04T07:36:48.0000000Z\\\",\\\"at\\\":\\\"2024-04-04T07:36:48.0000000Z\\\",\\\"dpid\\\":\\\"2401d128-ab89-4552-a6da-b2f77c3d212c\\\",\\\"dpn\\\":\\\"Data\\\",\\\"drid\\\":\\\"70ce5ca3-1da6-45d2-8699-8d470a719ab3\\\",\\\"drn\\\":\\\"rulename\\\",\\\"dmrid\\\":\\\"793fed0d-79e2-4bf8-b057-67c77a6db003\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"von\\\":\\\"RE: Subject\\\",\\\"dact\\\":\\\"GenerateAlert\\\",\\\"cc\\\":\\\"suspicious@spam.com,spam.enquiries@other.com\\\",\\\"to\\\":\\\"john.doe@example.org\\\",\\\"mfrm\\\":\\\"spam@freemovie.com\\\",\\\"dpm\\\":\\\"Enable\\\",\\\"lon\\\":\\\"DlpRuleMatch\\\"}\", \"EntityType\": \"DlpRuleMatch\", \"Name\": \"description\", \"PolicyId\": \"bef2401e-5c6c-476b-aedb-e2f521fafb1f\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-04-04T08:15:14Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "cc": { + "address": [ + "spam.enquiries@other.com", + "suspicious@spam.com" + ] + }, + "from": { + "address": [ + "spam@freemovie.com" + ] + }, + "subject": "RE: Subject", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "office365": { + "alert": { + "category": "DataLossPrevention", + "display_name": "description", + "entity_type": "DlpRuleMatch", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "9ccf6a76-3106-4bad-ad80-fc515b137ba2" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "241cae47-1a82-46a7-bfae-4b0a86f89c8b" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "bef2401e-5c6c-476b-aedb-e2f521fafb1f" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + +=== "security_compliance_alert_3.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-04-04T08:09:07\", \"Id\": \"9bb5e4b2-febd-4f1a-93bb-1380f7868320\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"9eb6ae86-0209-4328-856e-3f7971a6c654\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"4dde17d2-635a-498b-914e-73898a280433\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"a1bba0c6-d8d0-4710-8fc3-6085b3ac79fc\", \"AlertId\": \"178fa649-642f-4d41-943c-451e2266f4a7\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"Custom\", \"Category\": \"MailFlow\", \"Comments\": \"New alert\", \"Data\": \"{\\\"etype\\\":\\\"MalwareFamily\\\",\\\"at\\\":\\\"2024-04-04T08:07:58.0000000Z\\\",\\\"md\\\":\\\"2024-04-04T08:07:58.0000000Z\\\",\\\"sip\\\":\\\"217.182.111.68\\\",\\\"ms\\\":\\\"[MARKETING] Free movies for you\\\",\\\"imsgid\\\":\\\"\\\",\\\"dm\\\":\\\"CrossOrgSpoof\\\",\\\"eid\\\":\\\"58fe2050-27be-431f-a035-2cba142cb021-15828634862951700795-1\\\",\\\"aii\\\":\\\"58fe2050-27be-431f-a035-2cba142cb021\\\",\\\"thn\\\":\\\"Phish, Malicious\\\",\\\"ts\\\":\\\"2024-04-04T08:06:58.0000000Z\\\",\\\"te\\\":\\\"2024-04-04T08:08:58.0000000Z\\\",\\\"fvs\\\":\\\"Filters\\\",\\\"tpt\\\":\\\"AntiPhishPolicy\\\",\\\"tpid\\\":\\\"b3caa8a3-c6de-4d06-b2a4-8968c6d1f2d5\\\",\\\"tid\\\":\\\"7fca7e7b-11e7-48c7-b345-1145a7a3a918\\\",\\\"tht\\\":\\\"Phish, Malicious\\\",\\\"trc\\\":\\\"john.doe@example.org\\\",\\\"tsd\\\":\\\"communications@spam.com\\\",\\\"tdc\\\":\\\"1\\\",\\\"cpid\\\":null,\\\"lon\\\":\\\"Protection\\\"}\", \"EntityType\": \"MalwareFamily\", \"Name\": \"Phishing detected\", \"PolicyId\": \"40663ca5-73da-43ca-b0be-af8b54987339\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-04-04T08:09:07Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "from": { + "address": [ + "communications@spam.com" + ] + }, + "message_id": "f2231b61bc5cbb95893c5b62281e4f4c@spam.com", + "subject": "[MARKETING] Free movies for you", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "office365": { + "alert": { + "category": "MailFlow", + "display_name": "Phishing detected", + "entity_type": "MalwareFamily", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "4dde17d2-635a-498b-914e-73898a280433" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "9eb6ae86-0209-4328-856e-3f7971a6c654" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "40663ca5-73da-43ca-b0be-af8b54987339" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + +=== "security_compliance_alert_4.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-04-04T08:22:40\", \"Id\": \"be2ee3c6-2b3c-42ae-aefe-69f185114418\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"be2ee3c6-2b3c-42ae-aefe-69f185114418\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"john.doe@example.org\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"john.doe@example.org\", \"AlertId\": \"be2ee3c6-2b3c-42ae-aefe-69f185114418\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"john.doe@example.org\\\",\\\"tid\\\":\\\"be2ee3c6-2b3c-42ae-aefe-69f185114418\\\",\\\"ts\\\":\\\"2024-04-04T08:20:21.0000000Z\\\",\\\"te\\\":\\\"2024-04-04T08:20:21.0000000Z\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"john.doe@example.org\\\",\\\"ut\\\":\\\"Regular\\\",\\\"ssic\\\":\\\"0\\\",\\\"tsd\\\":\\\"Sender \\\",\\\"sip\\\":\\\"1.2.3.4\\\",\\\"srt\\\":\\\"0\\\",\\\"trc\\\":\\\"john.doe@example.org\\\",\\\"ms\\\":\\\"suject\\\",\\\"sid\\\":\\\"be2ee3c6-2b3c-42ae-aefe-69f185114418\\\",\\\"aii\\\":\\\"be2ee3c6-2b3c-42ae-aefe-69f185114418\\\",\\\"md\\\":\\\"2024-04-04T07:50:14.0000000Z\\\",\\\"etps\\\":\\\"KesMailId:1111111111111111;FingerprintData:AAAAAAAA.BBBBBBBB.CCCCCCCF.72AC895E.200F2;SubmissionCategory:Email;RescanVerdict:NotSpam;SubmissionSource:Microsoft;SubmissionId:be2ee3c6-2b3c-42ae-aefe-69f185114418;OriginalVerdict:Allow\\\",\\\"lon\\\":\\\"UserSubmission\\\"}\", \"EntityType\": \"User\", \"Name\": \"Email reported by user as junk\", \"PolicyId\": \"be2ee3c6-2b3c-42ae-aefe-69f185114418\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-04-04T08:22:40Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "from": { + "address": [ + "Sender " + ] + }, + "subject": "suject", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email reported by user as junk", + "entity_type": "User", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "john.doe@example.org" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "be2ee3c6-2b3c-42ae-aefe-69f185114418" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "be2ee3c6-2b3c-42ae-aefe-69f185114418" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + === "source_log.json" ```json @@ -2927,6 +3174,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties` | `object` | A list of objects describing the action | |`action.target` | `keyword` | The target of the action | |`email.attachments` | `array` | A list of objects describing the attachment files sent along with an email message | +|`email.cc.address` | `keyword` | Email address of CC recipient | |`email.delivery_timestamp` | `date` | The date and time when the email message was received by the service or client | |`email.from.address` | `keyword` | The email address of the sender, typically from the RFC 5322 From: header field | |`email.local_id` | `keyword` | Unique identifier given to the email by the source that created the event | @@ -2955,6 +3203,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.alert.client_ips` | `array` | | |`office365.alert.description` | `keyword` | | |`office365.alert.display_name` | `keyword` | | +|`office365.alert.entity_type` | `keyword` | | |`office365.alert.severity` | `keyword` | | |`office365.alert.source` | `keyword` | | |`office365.alert.status` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md index 7f24a9c810..5fea47a537 100644 --- a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md +++ b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | ---- | ------ | | Kind | `alert` | | Category | `intrusion_detection` | -| Type | `` | +| Type | `blocked` | @@ -39,7 +39,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "kind": "alert", - "reason": "module_name == 'eaccess' and event.SECURITY_URL == '/phpinfo.php' and event.SECURITY_ATTACKID == '10527-0 ' and tokens['http_ea__block_reason'] == 'http_blacklist' and tokens['http_ea__block_part'] == 'uri' and tokens['http_ea_bl__is_custom_rule'] == False and tokens['http_ea_seclist__is_combine_rule'] == False and tokens['http_ea_seclist__is_virtual_patching'] == False" + "reason": "module_name == 'eaccess' and event.SECURITY_URL == '/phpinfo.php' and event.SECURITY_ATTACKID == '10527-0 ' and tokens['http_ea__block_reason'] == 'http_blacklist' and tokens['http_ea__block_part'] == 'uri' and tokens['http_ea_bl__is_custom_rule'] == False and tokens['http_ea_seclist__is_combine_rule'] == False and tokens['http_ea_seclist__is_virtual_patching'] == False", + "type": [ + "blocked" + ] }, "@timestamp": "2024-04-09T16:14:37Z", "http": { @@ -89,13 +92,13 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`rule.id` | `keyword` | Rule ID | |`source.ip` | `ip` | IP address of the source. | -|`ubika.cloud_protector.application_id` | `keyword` | | -|`ubika.cloud_protector.attack_id` | `keyword` | | +|`ubika.cloud_protector.application_id` | `keyword` | Website server name | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.query` | `keyword` | Query string of the request. | diff --git a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md new file mode 100644 index 0000000000..b2ada17b51 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md @@ -0,0 +1,330 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | Privileged Access Management mechanism | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `process`, `session` | +| Type | `end`, `start` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "connexion1.json" + + ```json + + { + "message": "Connexion au portail web org:example, user:jdoe@local, ip:1.2.3.4", + "event": { + "category": "session", + "outcome": "success", + "reason": "Connexion au portail web", + "type": "start" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "local", + "name": "jdoe" + } + } + + ``` + + +=== "connexion2.json" + + ```json + + { + "message": "Connexion d'un plugin utilisateur org:example, user:jdoe@local, ip:1.2.3.4", + "event": { + "category": "session", + "outcome": "success", + "reason": "Connexion d'un plugin utilisateur", + "type": "start" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "local", + "name": "jdoe" + } + } + + ``` + + +=== "deconnexion1.json" + + ```json + + { + "message": "D\u00e9connexion du portail web org:example, user:jdoe@EXAMPLE, ip:1.2.3.4", + "event": { + "category": "session", + "outcome": "success", + "reason": "D\u00e9connexion du portail web", + "type": "end" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + +=== "deconnexion2.json" + + ```json + + { + "message": "D\u00e9connexion d'un plugin utilisateur org:example, user:jdoe@local, ip:10.48.178.33", + "event": { + "category": "session", + "outcome": "success", + "reason": "D\u00e9connexion d'un plugin utilisateur", + "type": "end" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "10.48.178.33" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "10.48.178.33", + "ip": "10.48.178.33" + }, + "user": { + "domain": "local", + "name": "jdoe" + } + } + + ``` + + +=== "process1.json" + + ```json + + { + "message": "Fermeture d'une application RDS : DETECTION CENTRAL (RDP) AGENT CLIENT org:example, user:jdoe@EXAMPLE, ip:1.2.3.4", + "event": { + "category": "process", + "outcome": "success", + "reason": "Fermeture d'une application RDS : DETECTION CENTRAL (RDP) AGENT CLIENT", + "type": "end" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + +=== "process2.json" + + ```json + + { + "message": "Lancement d'une application RDS : DETECTION CENTRAL (RDP) AGENT CLIENT org:example, user:jdoe@EXAMPLE, ip:1.2.3.4", + "event": { + "category": "process", + "outcome": "success", + "reason": "Lancement d'une application RDS : DETECTION CENTRAL (RDP) AGENT CLIENT", + "type": "start" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + +=== "session.json" + + ```json + + { + "message": "Echec de la connexion au portail web : erreur d'authentification d'un utilisateur org:example, user:jdoe@EXAMPLE, ip:1.2.3.4", + "event": { + "category": "session", + "outcome": "failure", + "reason": "Echec de la connexion au portail web : erreur d'authentification d'un utilisateur", + "type": "start" + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "organization": { + "name": "example" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`organization.name` | `keyword` | Organization name. | +|`source.ip` | `ip` | IP address of the source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.name` | `keyword` | Short name or login of the user. | + diff --git a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md index 716278a5c6..1e89f8c760 100644 --- a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md +++ b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md @@ -12,7 +12,286 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `access` | +| Category | `` | +| Type | `` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "access.json" + + ```json + + { + "message": "1.1.1.1:65276 [29/Feb/2024:15:01:18.909] HTTP~ Store/OpenIP-MyHa-Front-Tomcat-1 0/0/0/5/5 200 7500 - - --VN 409/407/0/0/0 0/0 \"GET /css/datatables.css?b=206 HTTP/1.1\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 7500, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 65276 + }, + "url": { + "original": "/css/datatables.css?b=206", + "path": "/css/datatables.css", + "query": "b=206" + } + } + + ``` + + +=== "access2.json" + + ```json + + { + "message": " 1.1.1.1:64772 [29/Feb/2024:14:01:19.832] fe_exchange~ be_exchange_mapi/dnrsmsg03 0/0/0/67/73 200 397387 - - ---- 1186/1186/1124/1125/0 0/0 \"POST \n/mapi/emsmdb/?MailboxId=676395c0-caac-4df4-afa1-a6037b150194@corp.com HTTP/1.1\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "POST" + }, + "response": { + "bytes": 397387, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 64772 + }, + "url": { + "original": "/mapi/emsmdb/?MailboxId=676395c0-caac-4df4-afa1-a6037b150194@corp.com", + "path": "/mapi/emsmdb/", + "query": "MailboxId=676395c0-caac-4df4-afa1-a6037b150194@corp.com" + } + } + + ``` + + +=== "access3.json" + + ```json + + { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } + + ``` + + +=== "json.json" + + ```json + + { + "message": "hapee-lb[16320]: [ACCESS] 2022 {\"ctn\":\"html\",\"ctj\":\"text\",\"ssl\":false,\"ti\":1991,\"code\":200,\"tc\":0,\"trr\":0,\"qs\":\"1570172897\",\"backend\":\"backoffice.corp.fr\",\"meth\":\"GET\",\"country\":\"FR\",\"fingerprint\":\"y-faecbg--p-x-x-00000000-c40cb9ee-e1fe6ca8-e1fe6ca8-cf70e9fb-n-s-1.1-y-n-n-n\",\"date\":1570173201.114,\"uniqueid\":\"waf-06-5376CF7E:BA07_B9C7B823:0050_5D96F111_339D7F:3FC0\",\"tw\":0,\"ipqual\":\"{\\\"al\\\":\\\"fr-FR\\\",\\\"san\\\":{\\\"anomalies\\\":{},\\\"score\\\":0},\\\"uaqual\\\":{\\\"dt\\\":\\\"Desktop\\\"},\\\"signals\\\":{\\\"is_ip_auth\\\":true,\\\"is_crawler\\\":false},\\\"ipqual\\\":{\\\"country\\\":\\\"FR\\\"}}\",\"port\":47623,\"status\":\"ip-safe\",\"path\":\"\\/session.php\",\"th\":0,\"to3\":11,\"vers\":\"HTTP\\/1.1\",\"ip\":\"83.118.207.126\",\"tr\":31,\"pn\":\"Windows\",\"action\":\"forward\",\"fssl\":false,\"pv\":\"10.0\",\"fqdn\":\"backoffice.corp.fr\",\"bytes\":363,\"browser\":\"Chrome\",\"ua\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/77.0.3865.90 Safari\\/537.36\",\"trtt\":8,\"state\":\"----\",\"tt\":2022}", + "event": { + "kind": "access", + "outcome": "ip-safe" + }, + "action": { + "name": "forward", + "outcome": "ip-safe" + }, + "destination": { + "address": "backoffice.corp.fr", + "domain": "backoffice.corp.fr", + "registered_domain": "corp.fr", + "size_in_char": 18, + "subdomain": "backoffice", + "top_level_domain": "fr" + }, + "host": { + "name": "B96f1GJTxDUKbh2l" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 363, + "status_code": 200 + }, + "version": "1.1" + }, + "log": { + "hostname": "B96f1GJTxDUKbh2l" + }, + "os": { + "name": "Windows", + "version": "10.0" + }, + "related": { + "hosts": [ + "backoffice.corp.fr" + ], + "ip": [ + "83.118.207.126" + ] + }, + "source": { + "address": "83.118.207.126", + "ip": "83.118.207.126", + "port": 47623 + }, + "url": { + "original": "backoffice.corp.fr/session.php", + "path": "/session.php" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "77.0.3865" + } + } + + ``` + + +=== "standard.json" + + ```json + + { + "message": " 127.0.0.1:59692 [03/Oct/2019:15:05:32.500] http-in backend1/web-server1 0/0/0/0/0 304 134 - - ---- 1/1/0/0/0 0/0 \"GET /icons/openlogo-75.png HTTP/1.1\"", + "event": { + "kind": "access" + }, + "host": { + "name": "B96f1GJTxDUKbh2l" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 134, + "status_code": 304 + }, + "version": "1.1" + }, + "log": { + "hostname": "B96f1GJTxDUKbh2l" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 59692 + }, + "url": { + "original": "/icons/openlogo-75.png", + "path": "/icons/openlogo-75.png" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.size_in_char` | `number` | Size of the domain name | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`os.name` | `keyword` | OS name | +|`os.version` | `keyword` | OS name | +|`source.address` | `keyword` | Source network address. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`tls.version_protocol` | `keyword` | Normalized lowercase protocol name parsed from original string. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | +