Refresh intakes documentation #1784

Merged
merged 1 commit into from
May 21, 2024
Expand Up @@ -1088,6 +1088,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"2b684979d6174bad69d895c7d8a852e7b206b95f",
"4d5b7b6c06159d6b967f2c2c73f10145"
],
"hosts": [
"www.example.org"
],
"ip": [
"1.2.3.4",
"5.6.7.8"
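Review bot: the addresses `1.2.3.4` and `5.6.7.8` listed in `related.ip` are routable public addresses rather than reserved documentation ranges; since `related.hosts` already uses `www.example.org`, the IPs should likewise come from RFC 5737 space (for example `192.0.2.1` and `198.51.100.2`) so that readers copying the sample into tests or detection rules never reference a real host.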
Expand All @@ -1097,6 +1100,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 59985
},
"url": {
"domain": "www.example.org",
"registered_domain": "example.org",
"subdomain": "www",
"top_level_domain": "org"
}
}
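Review bot: the four new `url.*` fields (`domain`, `registered_domain`, `subdomain`, `top_level_domain`) appear in the normalized sample, but no `url.original` or `url.full` is shown and no matching rows for this file's Extracted Fields table are in the diff; either include the raw URL field the parser derives them from, or add the table rows in the same PR, as is done for `office365.alert.id` elsewhere in this change.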

Expand Up @@ -26,7 +26,248 @@ The following table lists the data source offered by this integration.



In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `file`, `network`, `process`, `registry` |
| Type | `allowed`, `change`, `creation`, `deletion`, `end`, `info`, `start` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "tanium_file_open.json"

```json

{
"message": "{\"event\":\"file_open\",\"hostname\":\"2256269043\",\"host\":\"172.16.2.1\",\"fields\":{\"tanium_process_id\":\"-6966335309415971179\",\"read_flag\":true,\"full_path\":\"/var/lib/rrdcached/db/pve2-vm/115\",\"process__login__user_id\":4294967295,\"process__login__user_name\":null,\"process__pid\":1685,\"process__user__group\":\"root\",\"process__file__full_path\":\"/usr/bin/rrdcached\",\"process__user__name\":\"root\"}}",
"event": {
"action": "file-open",
"category": [
"file"
],
"kind": "event",
"type": [
"info"
]
},
"file": {
"directory": "/var/lib/rrdcached/db/pve2-vm",
"name": "115",
"path": "/var/lib/rrdcached/db/pve2-vm/115"
},
"group": {
"name": "root"
},
"host": {
"hostname": "2256269043",
"ip": [
"172.16.2.1"
],
"name": "2256269043"
},
"observer": {
"name": "2256269043",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"executable": "/usr/bin/rrdcached",
"name": "rrdcached",
"pid": 1685
},
"related": {
"hosts": [
"2256269043"
],
"ip": [
"172.16.2.1"
]
},
"user": {
"id": "4294967295"
}
}

```


=== "tanium_network_connect.json"

```json

{
"message": "{\"event\":\"network_connect\",\"hostname\":\"2421864415\",\"host\":\"172.16.2.1\",\"fields\":{\"remote_port\":80,\"process__login__user_name\":null,\"process__pid\":2540,\"process__user__group\":\"NT AUTHORITY\",\"local_ip\":\"172.16.4.1\",\"local_port\":53671,\"process__file__full_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"tanium_process_id\":\"-4314545011392247632\",\"process__login__user_id\":0,\"remote_ip\":\"184.25.50.65\",\"process__user__name\":\"NETWORK SERVICE\"}}",
"event": {
"category": [
"network"
],
"kind": "event",
"type": [
"start"
]
},
"destination": {
"address": "184.25.50.65",
"ip": "184.25.50.65",
"port": 80
},
"group": {
"name": "NT AUTHORITY"
},
"host": {
"hostname": "2421864415",
"ip": [
"172.16.2.1"
],
"name": "2421864415"
},
"observer": {
"name": "2421864415",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"executable": "C:\\Windows\\System32\\svchost.exe",
"name": "svchost.exe",
"pid": 2540
},
"related": {
"hosts": [
"2421864415"
],
"ip": [
"172.16.2.1",
"172.16.4.1",
"184.25.50.65"
]
},
"source": {
"address": "172.16.4.1",
"ip": "172.16.4.1",
"port": 53671
},
"user": {
"id": "0"
}
}

```


=== "tanium_process_start.json"

```json

{
"message": "{\"event\":\"process_start\",\"hostname\":\"1345671024\",\"host\":\"172.16.2.1\",\"fields\":{\"file__md5\":\"8ed54b7dcf043252441bca716b8c461f\",\"tanium_parent_process_id\":\"-6966498655612172786\",\"create_time\":\"2021-07-15T13:47:13.084000+00:00\",\"parent__command_line\":\"pve-firewall\",\"file__full_path\":\"/usr/sbin/ipset\",\"tanium_process_id\":\"-6166594163916654264\",\"pid\":14664,\"login__user_name\":null,\"command_line\":\"ipset save\",\"login__user_id\":4294967295,\"parent__file__full_path\":\"/usr/bin/perl\",\"user__name\":\"root\",\"parent_pid\":1550,\"user__group\":\"root\"}}",
"event": {
"category": [
"process"
],
"kind": "event",
"type": [
"start"
]
},
"file": {
"directory": "/usr/sbin",
"name": "ipset",
"path": "/usr/sbin/ipset"
},
"host": {
"hostname": "1345671024",
"ip": [
"172.16.2.1"
],
"name": "1345671024"
},
"observer": {
"name": "1345671024",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"command_line": "ipset save",
"executable": "/usr/sbin/ipset",
"hash": {
"md5": "8ed54b7dcf043252441bca716b8c461f"
},
"parent": {
"command_line": "pve-firewall",
"executable": "/usr/bin/perl",
"name": "perl",
"pid": 1550
},
"start": "2021-07-15T13:47:13.084000Z"
},
"related": {
"hash": [
"8ed54b7dcf043252441bca716b8c461f"
],
"hosts": [
"1345671024"
],
"ip": [
"172.16.2.1"
]
}
}

```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`dns.answers` | `object` | Array of DNS answers. |
|`dns.question.name` | `keyword` | The name being queried. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.directory` | `keyword` | Directory where the file is located. |
|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
|`file.path` | `keyword` | Full path to the file, including the file name. |
|`group.name` | `keyword` | Name of the group. |
|`host.hostname` | `keyword` | Hostname of the host. |
|`host.ip` | `ip` | Host ip addresses. |
|`observer.name` | `keyword` | Custom name of the observer. |
|`observer.product` | `keyword` | The product name of the observer. |
|`observer.type` | `keyword` | The type of the observer the data is coming from. |
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`process.command_line` | `wildcard` | Full command line that started the process. |
|`process.executable` | `keyword` | Absolute path to the process executable. |
|`process.hash.md5` | `keyword` | MD5 hash. |
|`process.name` | `keyword` | Process name. |
|`process.parent.command_line` | `wildcard` | Full command line that started the process. |
|`process.parent.executable` | `keyword` | Absolute path to the process executable. |
|`process.parent.name` | `keyword` | Process name. |
|`process.parent.pid` | `long` | Process id. |
|`process.pid` | `long` | Process id. |
|`process.start` | `date` | The time the process started. |
|`registry.path` | `keyword` | Full path, including hive, key and value |
|`registry.value` | `keyword` | Name of the value written. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.name` | `keyword` | Short name or login of the user. |
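Review bot: the new Tanium samples never populate `user.name` although the raw events carry it (`process__user__name: "root"` and `"NETWORK SERVICE"`, `user__name: "root"`) and the Extracted Fields table lists `user.name`; likewise `event.action` is set only in `tanium_file_open.json` (`file-open`) and is absent from the `network_connect` and `process_start` samples even though the raw `event` field is present in all three. Either the parser or the samples should be brought in line. In `tanium_file_open.json` the emitted `user.id` `"4294967295"` is 2^32-1 (the unsigned form of -1) and sits next to a null `process__login__user_name` in the raw event, so it reads as a "no login user" sentinel rather than an identifier; consider dropping it instead of surfacing it as `user.id`. Typos in the prose: "lists the data source offered" should be "data sources", "In details" should be "In detail", "Find below few samples" should be "a few samples", and "infered" should be "inferred".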

Expand Up @@ -1690,6 +1690,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"alert": {
"category": "ThreatManagement",
"display_name": "Mass download by a single user",
"id": "c299a0a0-14da-428a-b08d-481d562298cb",
"severity": "High",
"source": "Cloud App Security",
"status": "Active"
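Review bot: the GUID added as `id` should be the raw `AlertId`, not the audit record `Id`; the raw `message` line lies outside this hunk's context so that cannot be checked here, but the full `security_compliance_alert_5.json` sample added later in this PR maps `AlertId` to `office365.alert.id`, so please confirm the same source was used for this and the other four one-line `id` additions.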
Expand Down Expand Up @@ -2159,6 +2160,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"alert": {
"category": "ThreatManagement",
"display_name": "Phish delivered due to an ETR override",
"id": "77f6d9ce-da8f-46bf-a651-4bec3c189770",
"severity": "Informational",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2245,6 +2247,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "DataLossPrevention",
"display_name": "description",
"entity_type": "DlpRuleMatch",
"id": "cf0708c6-e2c5-4962-ae99-9af4799175f4",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2326,6 +2329,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "MailFlow",
"display_name": "Phishing detected",
"entity_type": "MalwareFamily",
"id": "178fa649-642f-4d41-943c-451e2266f4a7",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2406,6 +2410,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "ThreatManagement",
"display_name": "Email reported by user as junk",
"entity_type": "User",
"id": "be2ee3c6-2b3c-42ae-aefe-69f185114418",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2443,6 +2448,73 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "security_compliance_alert_5.json"

```json

{
"message": "{\"CreationTime\": \"2024-04-16T08:01:42\", \"Id\": \"d7cab54f-77b1-4ad5-8f2d-b4bba61e4e93\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"e0ff0845-9d15-4399-86ae-15081e39a16a\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"[email protected]\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"[email protected]\", \"AlertId\": \"a3ce0859-c92c-4f57-b50b-a63dad75ec4a\", \"AlertLinks\": [], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"\", \"EntityType\": \"User\", \"Name\": \"Email reported by user as malware or phish\", \"PolicyId\": \"88d533c5-bad6-4cfb-9245-1776726b55d7\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Investigating\"}",
"event": {
"action": "AlertEntityGenerated",
"category": [
"intrusion_detection"
],
"code": "40",
"kind": "alert",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2024-04-16T08:01:42Z",
"action": {
"id": 40,
"name": "AlertEntityGenerated",
"outcome": "success",
"target": "user"
},
"office365": {
"alert": {
"category": "ThreatManagement",
"display_name": "Email reported by user as malware or phish",
"id": "a3ce0859-c92c-4f57-b50b-a63dad75ec4a",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Investigating"
},
"audit": {
"object_id": "[email protected]"
},
"record_type": 40,
"result_status": "Succeeded",
"user_type": {
"code": 4,
"name": "System"
}
},
"organization": {
"id": "e0ff0845-9d15-4399-86ae-15081e39a16a"
},
"related": {
"user": [
"SecurityComplianceAlerts"
]
},
"rule": {
"id": "88d533c5-bad6-4cfb-9245-1776726b55d7"
},
"service": {
"name": "SecurityComplianceCenter"
},
"user": {
"id": "SecurityComplianceAlerts",
"name": "SecurityComplianceAlerts"
}
}

```


=== "source_log.json"

```json
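Review bot: the `ObjectId`, `AlertEntityId` and `office365.audit.object_id` values in this sample all read `[email protected]`, which looks like a scrubbed address rather than sample data; use a clearly fictitious address such as `user@example.com` so the raw-to-normalized mapping stays visible. The sample does usefully show that `office365.alert.id` is taken from `AlertId` (`a3ce0859-c92c-4f57-b50b-a63dad75ec4a`) and not from the record `Id` (`d7cab54f-77b1-4ad5-8f2d-b4bba61e4e93`), which is what the five one-line `id` additions above rely on.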
Expand Down Expand Up @@ -3204,6 +3276,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`office365.alert.description` | `keyword` | |
|`office365.alert.display_name` | `keyword` | |
|`office365.alert.entity_type` | `keyword` | |
|`office365.alert.id` | `keyword` | |
|`office365.alert.severity` | `keyword` | |
|`office365.alert.source` | `keyword` | |
|`office365.alert.status` | `keyword` | |
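Review bot: the Description column for the new `office365.alert.id` row is empty, as it is for the neighbouring `office365.alert.*` rows; since the sample in this PR shows the value comes from the raw `AlertId`, fill it in, e.g. `|`office365.alert.id` | `keyword` | Identifier of the alert (AlertId). |`.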