SEKOIA-IO · squioc · Apr 26, 2024 · Apr 25, 2024
diff --git a/...perations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/...perations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
@@ -68,6 +68,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "process": {
             "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc",
             "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
+            "name": "svchost.exe",
             "parent": {
                 "name": "services.exe",
                 "pid": 11768266
@@ -319,6 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "process": {
             "command_line": "\"gpupdate.exe\" /target:computer",
             "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe",
+            "name": "gpupdate.exe",
             "parent": {
                 "name": "svchost.exe",
                 "pid": 158964342720
@@ -495,6 +497,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "process": {
             "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
             "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe",
+            "name": "conhost.exe",
             "parent": {
                 "pid": 416639351024
             },
@@ -718,7 +721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         },
         "process": {
             "command_line": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"",
-            "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe"
+            "executable": "\\Device\\HarddiskVolume2\\Windows\\System32\\cscript.exe",
+            "name": "cscript.exe"
         },
         "related": {
             "ip": [
@@ -888,6 +892,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "args": "MallocSpaceEfficient=1 XPC_SERVICE_NAME=com.apple.ManagedClient PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=1",
             "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
             "executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
+            "name": "ManagedClient",
             "parent": {
                 "name": "launchd",
                 "pid": 494714991831837524
@@ -949,6 +954,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             }
         },
         "registry": {
+            "data": {
+                "strings": "Interactive User"
+            },
             "hive": "MACHINE",
             "key": "SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}",
             "path": "MACHINE\\SOFTWARE\\Classes\\AppID\\{3E390CD3-4EB1-435C-A6FE-AF736C27C94B}\\RunAs",
@@ -1001,7 +1009,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         },
         "process": {
             "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k GPSvcGroup",
-            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe"
+            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+            "name": "svchost.exe"
         },
         "related": {
             "ip": [
@@ -1227,6 +1236,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "process": {
             "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2",
             "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe",
+            "name": "AcroCEF.exe",
             "parent": {
                 "name": "AcroCEF.exe",
                 "pid": 1084277996656
@@ -1342,7 +1352,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             }
         },
         "process": {
-            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll"
+            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll",
+            "name": "shell32.dll"
         },
         "related": {
             "hash": [
@@ -1779,6 +1790,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "process": {
             "command_line": "C:\\WINDOWS\\System32\\rundll32.exe",
             "executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe",
+            "name": "rundll32.exe",
             "parent": {
                 "name": "setup.exe",
                 "pid": 288633815511
@@ -1980,7 +1992,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         },
         "process": {
             "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s BITS",
-            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe"
+            "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+            "name": "svchost.exe"
         },
         "related": {
             "ip": [
@@ -1997,6 +2010,60 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "telemetry_event_40.json"
+
+    ```json
+
+    {
+        "message": "{\"AsepFlags\": \"5\", \"ContextThreadId\": \"1216191193\", \"aip\": \"45.85.223.11\", \"RegObjectName\": \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\", \"Data1\": \"00\", \"RegOperationType\": \"1\", \"event_platform\": \"Win\", \"TokenType\": \"1\", \"TargetCommandLineParameters\": \"\", \"EventOrigin\": \"1\", \"id\": \"6802cffe-a2a5-489f-8e7f-b70331921d65\", \"EffectiveTransmissionClass\": \"3\", \"RegStringValue\": \"Explorer.exe\", \"timestamp\": \"1712663526832\", \"event_simpleName\": \"AsepValueUpdate\", \"ContextTimeStamp\": \"1712663526.308\", \"ConfigStateHash\": \"3318804059\", \"RegType\": \"1\", \"ContextProcessId\": \"235686529\", \"AsepClass\": \"9\", \"AsepIndex\": \"32\", \"AuthenticationId\": \"427985\", \"ConfigBuild\": \"1007.3.0017605.10\", \"RegValueName\": \"Shell\", \"AsepValueType\": \"0\", \"Entitlements\": \"15\", \"name\": \"AsepValueUpdateV7\", \"aid\": \"11111111111111111111111111111111\", \"cid\": \"22222222222222222222222222222222\", \"TargetFileName\": \"\"}",
+        "event": {
+            "action": "AsepValueUpdate",
+            "category": [
+                "registry"
+            ],
+            "type": [
+                "change"
+            ]
+        },
+        "@timestamp": "2024-04-09T11:52:06.832000Z",
+        "agent": {
+            "id": "11111111111111111111111111111111"
+        },
+        "crowdstrike": {
+            "customer_id": "22222222222222222222222222222222"
+        },
+        "host": {
+            "ip": [
+                "45.85.223.11"
+            ],
+            "os": {
+                "platform": "win"
+            }
+        },
+        "registry": {
+            "data": {
+                "strings": "Explorer.exe"
+            },
+            "hive": "MACHINE",
+            "key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
+            "path": "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
+            "value": "Shell"
+        },
+        "related": {
+            "ip": [
+                "45.85.223.11"
+            ]
+        },
+        "source": {
+            "nat": {
+                "ip": "45.85.223.11"
+            }
+        }
+    }
+
+	```
+
+
 === "telemetry_event_5.json"
 
     ```json
@@ -2283,6 +2350,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc",
             "end": "2022-08-20T19:06:18.014000Z",
             "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
+            "name": "svchost.exe",
             "parent": {
                 "name": "services.exe",
                 "pid": 11768266
@@ -2355,11 +2423,13 @@ The following table lists the fields that are extracted, normalized under the EC
 |`process.command_line` | `wildcard` | Full command line that started the process. |
 |`process.end` | `date` | The time the process ended. |
 |`process.executable` | `keyword` | Absolute path to the process executable. |
+|`process.name` | `keyword` | Process name. |
 |`process.parent.name` | `keyword` | Process name. |
 |`process.parent.pid` | `long` | Process id. |
 |`process.pid` | `long` | Process id. |
 |`process.start` | `date` | The time the process started. |
 |`process.thread.id` | `long` | Thread ID. |
+|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. |
 |`registry.hive` | `keyword` | Abbreviated name for the hive. |
 |`registry.key` | `keyword` | Hive-relative path of keys. |
 |`registry.path` | `keyword` | Full path, including hive, key and value |

diff --git a/...perations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/...perations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md
@@ -1119,6 +1119,110 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "user": {
             "email": "[email protected]",
             "full_name": "bar foo"
+        },
+        "user_agent": {
+            "device": {
+                "name": "iPhone"
+            },
+            "name": "Mobile Safari UI/WKWebView",
+            "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
+            "os": {
+                "name": "iOS",
+                "version": "14.4"
+            }
+        }
+    }
+
+	```
+
+
+=== "user_risk_detection_2.json"
+
+    ```json
+
+    {
+        "message": "{\"time\": \"3/24/2022 2:42:35 PM\", \"resourceId\": \"/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam\", \"operationName\": \"User Risk Detection\", \"operationVersion\": \"1.0\", \"category\": \"UserRiskEvents\", \"tenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"resultSignature\": \"None\", \"durationMs\": 0, \"callerIpAddress\": \"11.22.33.44\", \"correlationId\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"identity\": \"bar foo\", \"Level\": 4, \"location\": \"fr\", \"properties\": {\"id\": \"ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080\", \"requestId\": \"d38b6ab7-65b0-419c-b83a-a5787d6fa100\", \"correlationId\": \"325294e4-4026-4cc7-889d-b4be570b3254\", \"riskType\": \"unfamiliarFeatures\", \"riskEventType\": \"unfamiliarFeatures\", \"riskState\": \"atRisk\", \"riskLevel\": \"low\", \"riskDetail\": \"none\", \"source\": \"IdentityProtection\", \"detectionTimingType\": \"realtime\", \"activity\": \"signin\", \"ipAddress\": \"11.22.33.44\", \"location\": {\"city\": \"\", \"state\": \"\", \"countryOrRegion\": \"FR\", \"geoCoordinates\": {\"altitude\": 0, \"latitude\": 46, \"longitude\": 2}}, \"activityDateTime\": \"2023-10-26T5:32:08.107Z\", \"detectedDateTime\": \"2023-10-26T5:32:08.107Z\", \"lastUpdatedDateTime\": \"2023-10-26T5:35:05.938Z\", \"userId\": \"4c64c30a-7a60-4211-bef1-5e4279854e85\", \"userDisplayName\": \"bar foo\", \"userPrincipalName\": \"[email protected]\", \"additionalInfo\": \"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarASN\\\",\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null}]\", \"tokenIssuerType\": \"AzureAD\", \"resourceTenantId\": null, \"homeTenantId\": \"2d0c1986-ef7b-4bbf-8428-3c837471e7ad\", \"userType\": \"member\", \"crossTenantAccessType\": \"none\"}}",
+        "event": {
+            "category": [
+                "iam"
+            ],
+            "reason": "unfamiliarFeatures",
+            "type": [
+                "connection"
+            ]
+        },
+        "@timestamp": "2022-03-24T14:42:35Z",
+        "action": {
+            "name": "User Risk Detection"
+        },
+        "azuread": {
+            "Level": 4,
+            "callerIpAddress": "11.22.33.44",
+            "category": "UserRiskEvents",
+            "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
+            "durationMs": 0,
+            "identity": "bar foo",
+            "operationName": "User Risk Detection",
+            "operationVersion": "1.0",
+            "properties": {
+                "activity": "signin",
+                "correlationId": "325294e4-4026-4cc7-889d-b4be570b3254",
+                "detectionTimingType": "realtime",
+                "id": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
+                "requestId": "d38b6ab7-65b0-419c-b83a-a5787d6fa100",
+                "riskDetail": "none",
+                "riskEventType": "unfamiliarFeatures",
+                "riskLevel": "low",
+                "riskReasons": [
+                    "UnfamiliarASN",
+                    "UnfamiliarBrowser",
+                    "UnfamiliarDevice",
+                    "UnfamiliarEASId",
+                    "UnfamiliarIP",
+                    "UnfamiliarLocation",
+                    "UnfamiliarTenantIPsubnet"
+                ],
+                "riskState": "atRisk",
+                "source": "IdentityProtection"
+            },
+            "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
+            "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad"
+        },
+        "related": {
+            "ip": [
+                "11.22.33.44"
+            ]
+        },
+        "service": {
+            "name": "Azure Active Directory",
+            "type": "ldap"
+        },
+        "source": {
+            "address": "11.22.33.44",
+            "geo": {
+                "country_iso_code": "fr",
+                "location": {
+                    "lat": 46,
+                    "lon": 2
+                }
+            },
+            "ip": "11.22.33.44"
+        },
+        "user": {
+            "email": "[email protected]",
+            "full_name": "bar foo"
+        },
+        "user_agent": {
+            "device": {
+                "name": "Oppo CPH2005"
+            },
+            "name": "Chrome Mobile WebView",
+            "original": "Mozilla/5.0 (Linux; Android 12; CPH2005 Build/RKQ1.211103.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 PKeyAuth/1.0",
+            "os": {
+                "name": "Android",
+                "version": "12"
+            },
+            "version": "117.0.0"
         }
     }
 
@@ -1178,6 +1282,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`azuread.properties.riskLevel` | `keyword` |  |
 |`azuread.properties.riskLevelAggregated` | `keyword` | riskLevelAggregated |
 |`azuread.properties.riskLevelDuringSignIn` | `keyword` | riskLevelDuringSignIn |
+|`azuread.properties.riskReasons` | `array` |  |
 |`azuread.properties.riskState` | `keyword` |  |
 |`azuread.properties.source` | `keyword` |  |
 |`azuread.properties.status.additionalDetails` | `keyword` |  |

diff --git a/...perations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/...perations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -1683,6 +1683,36 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "threat_critical.json"
+
+    ```json
+
+    {
+        "message": "{\"last_update\": \"2024-03-19T04:21:47.324573-05:00\", \"agents\": [{\"security_event_count\": 2, \"agent_hostname\": \"Nuke\", \"agent_id\": \"af5e2f63-becd-4660-ade8-30d04c0dd044\", \"agent_ostype\": \"windows\"}], \"groups\": [], \"log_type\": \"threat\", \"@timestamp\": \"2024-03-19T09:21:47.400211636Z\", \"agent_count\": 1, \"id\": 55, \"status\": \"new\", \"impacted_users\": [], \"rules\": [{\"rule_level\": \"critical\", \"rule_name\": \"Recommended driver block list\", \"security_event_count\": 2, \"rule_id\": \"Recommended driver block list\"}], \"impacted_user_count\": 0, \"creation_date\": \"2024-03-19T04:21:47.186067-05:00\", \"@Version\": \"1\", \"first_seen\": \"2024-03-19T04:21:00-05:00\", \"total_security_event_count\": 2, \"destination\": \"syslog\", \"last_seen\": \"2024-03-19T04:21:00-05:00\", \"level\": \"critical\", \"rule_count\": 1, \"tenant\": \"11111111111111111111\"}",
+        "event": {
+            "dataset": "threat",
+            "end": "2024-03-19T09:21:00Z",
+            "start": "2024-03-19T09:21:00Z"
+        },
+        "agent": {
+            "name": "harfanglab"
+        },
+        "harfanglab": {
+            "count": {
+                "rules": 1,
+                "users_impacted": 0
+            },
+            "groups": [],
+            "level": "critical",
+            "rule_level": "critical",
+            "status": "new",
+            "threat_id": "55"
+        }
+    }
+
+	```
+
+
 === "threat_log.json"
 
     ```json
@@ -1706,6 +1736,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 "{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}"
             ],
             "level": "high",
+            "rule_level": "medium",
             "status": "new",
             "threat_id": "829"
         },
@@ -2271,6 +2302,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`harfanglab.level` | `keyword` | The risk level associated to the event |
 |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed |
 |`harfanglab.process.powershell.script_path` | `keyword` | The powershell script path |
+|`harfanglab.rule_level` | `keyword` | Rule level |
 |`harfanglab.status` | `keyword` | The status of the event |
 |`harfanglab.threat_id` | `keyword` | Id of the threat |
 |`host.domain` | `keyword` | Name of the directory the group is a member of. |