diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md index 72afcdfa8d..a9490b2ac0 100644 --- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `` | -| Category | `intrusion_detection`, `malware`, `network`, `process`, `web` | +| Category | `email`, `intrusion_detection`, `malware`, `network`, `process`, `web` | | Type | `denied`, `info` | 
@@ -324,6 +324,166 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "collaborationProtectionEmailScan.json" + + ```json + + { + "message": "{\n \"id\": \"cf81f722-6d92-3965-8cd7-89da1dc3c91d_0\",\n \"serverTimestamp\": 1589373818926,\n \"persistenceTimestamp\": 1589373818926,\n \"account\": {\n \"uuid\": \"51cebe8d-f671-4d50-b4fd-7f701cea1dc3\",\n \"name\": \"Test Company\",\n \"orgPath\": \"00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/\"\n },\n \"severity\": \"warning\",\n \"engine\": \"collaborationProtectionEmailScan\",\n \"source\": \"\",\n \"action\": \"noneBecauseMissing\",\n \"txId\": \"0000-a7b175cb49074a86-0000-24347384954574830\",\n \"details\": {\n \"eventId\": \"82d7000d-c6ce-42db-823e-a14bf0d9f5af\",\n \"userPrincipalName\": \"hietpo@6kc3b2.onmicrosoft.com\",\n \"serviceType\": \"o365-exchange\",\n \"serviceId\": \"11111111-1111-1111-1111-111111111111\",\n \"severity\": \"medium\",\n \"category\": \"harmfulContent\",\n \"created\": \"1683888672000\",\n \"itemSender\": \"AdeleV@6kc3b2.onmicrosoft.com\",\n \"sendingServerIP\": \"fe80::459d:de80:c84:df2e\",\n \"itemParentFolderName\": \"Inbox\",\n \"itemSize\": \"36647\",\n \"itemSubject\": \"Test111\",\n \"internetMessageId\": \"\",\n \"itemType\": \"EmailMessage\",\n \"unsafeUrlCount\": \"1\",\n \"unsafeAttachmentCount\": \"2\",\n \"itemDateTimeReceived\": \"1683888661000\",\n \"attachments\": 
\"[{\\\"sha1\\\":\\\"f698eb70e11a36e0ffa6525d386cc127815247fd\\\",\\\"prevalence\\\":\\\"common\\\",\\\"filename\\\":\\\"bad_boy.scan\\\",\\\"size\\\":\\\"251\\\",\\\"prevalenceScore\\\":\\\"60\\\",\\\"verdict\\\":\\\"Unsafe\\\",\\\"reputation\\\":\\\"unknown\\\",\\\"reputationScore\\\":\\\"150\\\",\\\"detonation\\\":\\\"false\\\"},{\\\"sha1\\\":\\\"0912b6e31ec6f676af5bab5f1e95b3ab8cb13660\\\",\\\"prevalence\\\":\\\"unique\\\",\\\"filename\\\":\\\"good_boy-unique-1.ok\\\",\\\"size\\\":\\\"1048836\\\",\\\"prevalenceScore\\\":\\\"1\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"unknown\\\",\\\"reputationScore\\\":\\\"150\\\",\\\"detonation\\\":\\\"false\\\"}]\",\n \"urls\": \"[{\\\"sha1\\\":\\\"ebe616225523aa82c5398a543a56761dd74bd3ff\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-80\\\",\\\"url\\\":\\\"unsafe.fstestdomain.com\\\"}]\"\n },\n \"reporting\": {\n \"timestamp\": 1589373818926\n },\n \"target\": {\n \"id\": \"hietpo@6kc3b2.onmicrosoft.com\",\n \"name\": \"hietpo@6kc3b2.onmicrosoft.com\"\n },\n \"fingerprint\": {\n \"similarity\": \"g10F9A4ycYu9z9FP\"\n }\n}", + "event": { + "action": "noneBecauseMissing", + "category": [ + "email" + ], + "dataset": "collaborationProtectionEmailScan", + "type": [ + "info" + ] + }, + "action": { + "properties": { + "UserPrincipalName": "hietpo@6kc3b2.onmicrosoft.com" + } + }, + "agent": { + "type": "WithSecure Agent" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "scan", + "hash": { + "sha1": "f698eb70e11a36e0ffa6525d386cc127815247fd" + }, + "name": "bad_boy.scan", + "size": 251 + } + }, + { + "file": { + "extension": "ok", + "hash": { + "sha1": "0912b6e31ec6f676af5bab5f1e95b3ab8cb13660" + }, + "name": "good_boy-unique-1.ok", + "size": 1048836 + } + } + ], + "delivery_timestamp": "2023-05-12T10:51:01Z", + "from": { + "address": [ + "AdeleV@6kc3b2.onmicrosoft.com" + ] + }, + "message_id": 
"AM5PR03MB30590FDF840881C2FC831988AC759@AM5PR03MB3059.eurprd03.prod.outlook.com", + "subject": "Test111", + "to": { + "address": [ + "hietpo@6kc3b2.onmicrosoft.com" + ] + } + }, + "file": { + "created": "2023-05-12T10:51:12Z" + }, + "related": { + "ip": [ + "fe80::459d:de80:c84:df2e" + ] + }, + "service": { + "type": "o365-exchange" + }, + "source": { + "address": "fe80::459d:de80:c84:df2e", + "ip": "fe80::459d:de80:c84:df2e" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "email": { + "address": "AdeleV@6kc3b2.onmicrosoft.com" + }, + "file": { + "hash": "f698eb70e11a36e0ffa6525d386cc127815247fd", + "size": 251 + }, + "ip": "fe80::459d:de80:c84:df2e", + "name": "bad_boy.scan", + "type": "file" + } + }, + { + "indicator": { + "type": "url", + "url": { + "original": "unsafe.fstestdomain.com" + } + } + } + ] + }, + "withsecure": { + "email": { + "attachments": [ + { + "file": { + "name": "bad_boy.scan", + "prevalence": { + "code": 60, + "name": "common" + }, + "reputation": { + "code": 150, + "name": "unknown" + }, + "verdict": "Unsafe" + } + }, + { + "file": { + "name": "good_boy-unique-1.ok", + "prevalence": { + "code": 1, + "name": "unique" + }, + "reputation": { + "code": 150, + "name": "unknown" + }, + "verdict": "Safe" + } + } + ], + "urls": [ + { + "url": { + "hash": { + "sha1": "ebe616225523aa82c5398a543a56761dd74bd3ff" + }, + "original": "unsafe.fstestdomain.com", + "reputation": { + "code": -80, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + } + ] + }, + "incident": { + "fingerprint": "g10F9A4ycYu9z9FP" + }, + "severity": "warning" + } + } + + ``` + + === "deepguard_blocked_executable_file.json" ```json 
@@ -493,6 +653,289 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "emailscan_event.json" + + ```json + + { + "message": "{\n \"severity\": \"critical\",\n \"acknowledged\": false,\n \"engine\": \"emailScan\",\n \"serverTimestamp\": \"2024-07-18T07:47:29.438Z\",\n \"organization\": {\n \"name\": \"MyCompany FR\",\n \"id\": \"984a72d0-473f-440b-bfa8-1a9cd453ae67\"\n },\n \"action\": \"subjectModifiedAndUrlsUnlinked\",\n \"details\": {\n \"serviceType\": \"o365-exchange\",\n \"severity\": \"high\",\n \"unsafeAttachmentCount\": \"0\",\n \"eventId\": \"c01c51ab-e816-4855-720b-e4cead0c7ed0\",\n \"itemType\": \"EmailMessage\",\n \"itemDateTimeReceived\": \"1721288846000\",\n \"created\": \"1721288849000\",\n \"itemSender\": \"john.doe@attacker.com\",\n \"itemSubject\": \"RE: Discussion contrat important MyCompany\",\n \"sendingServerIP\": \"168.40.38.82\",\n \"internetMessageId\": \"<202418010146.g984g80se2aofj@attacker.com>\",\n \"urls\": \"[{\\\"sha1\\\":\\\"3b923d078ea3bd39489ed6d334c423e4478a8ee3\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"80\\\",\\\"url\\\":\\\"https://aka.ms/LearnAboutSenderIdentification\\\"},{\\\"sha1\\\":\\\"429365d0bd3efc753c6cc7b50900005037a3b341\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-100\\\",\\\"url\\\":\\\"https://attacker.com/mk/op/sh/zejfz4647646/zef545zef\\\"},{\\\"sha1\\\":\\\"72c4aa6d5261823eae1cdf42ff4831501fc1833b\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-100\\\",\\\"url\\\":\\\"https://attacker.com/mk/cl/f/sh/sg6r4gr6g4r6gegg/r4g4g6g\\\"},{\\\"sha1\\\":\\\"eecba1edb19a70641dd4147569d7034bd0eba8dd\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"0\\\",\\\"url\\\":\\\"https://attacker.com/im/sh/zef46zf4e.png?u=zef4efezf\\\"},{\\\"sha1\\\":\\\"b0f1884585d0f926ad3f75
14f687fa9dd9d43440\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-100\\\",\\\"url\\\":\\\"https://attacker.com/mk/cl/f/sh/ze4fz4fz4fzfe/45zef5-I\\\"},{\\\"sha1\\\":\\\"2ff0b754247642ecc8a7108094c4762c43a8be76\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-100\\\",\\\"url\\\":\\\"https://attacker.com/mk/cl/f/sh/zefezfezfz4fe/zefezf\\\"},{\\\"sha1\\\":\\\"2db67f3b041683ac7f09a97a7f467f2ea741c676\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"80\\\",\\\"url\\\":\\\"https://cloud.sucpiciousserver.com/collect/bc/zefzfz?p=zefz4z4fz6f-wh878kG0mKc-zef5fez5fez-x7\\\"},{\\\"sha1\\\":\\\"627e5d03ba9c069feba1631f075a3ac9430b2213\\\",\\\"verdict\\\":\\\"HarmfulUrl\\\",\\\"reputation\\\":\\\"unsafe_url\\\",\\\"reputationScore\\\":\\\"-100\\\",\\\"url\\\":\\\"https://attacker.com/mk/un/sh/zefzf654fzfz/TDv7NJlnZGSy\\\"},{\\\"sha1\\\":\\\"7b12be67065fbf8a90f060715b519d85377583dc\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"80\\\",\\\"url\\\":\\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\\"},{\\\"sha1\\\":\\\"52eba95aa675c57a73054346fb8e85898c1d3a55\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"0\\\",\\\"url\\\":\\\"https://attacker.com/im/sh/zf5f4ezf.png?u=q5f4ezfzf\\\"},{\\\"sha1\\\":\\\"852dd2f9350123f2aa549c38388566eaf1eebdf6\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"80\\\",\\\"url\\\":\\\"cloud.letsignit.com\\\"},{\\\"sha1\\\":\\\"3d7a60d037e4ddf46283b1f256392bfcda4870a0\\\",\\\"verdict\\\":\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"0\\\",\\\"url\\\":\\\"https://attacker.com/im/sh/fe4f5-.png?u=2BpAyz2gMiWncgNhSdtyKCSpskKSlwJEaT\\\"},{\\\"sha1\\\":\\\"3620e33317a00f5f5541846a6528671583460d69\\\",\\\"verdict\\\":
\\\"Safe\\\",\\\"reputation\\\":\\\"safe_url\\\",\\\"reputationScore\\\":\\\"0\\\",\\\"url\\\":\\\"https://attacker.com/im/sh/zefzf6ezf.png?u=zf7ez4fezf1ezf\\\"}]\",\n \"itemParentFolderName\": \"Junk Email\",\n \"itemSize\": \"57452\",\n \"category\": \"harmfulContent\",\n \"serviceId\": \"89b60773-40d4-4354-8431-f846e38487a1\",\n \"unsafeUrlCount\": \"5\",\n \"userPrincipalName\": \"victim.doe@mycompany.com\"\n },\n \"id\": \"f3ae087f-058d-3963-bdf7-2b2f18789369_0\",\n \"persistenceTimestamp\": \"2024-07-18T07:47:33.590Z\",\n \"eventTransactionId\": \"0000-48892313f0334054-0000-2truoi8ofr840vm\",\n \"target\": {\n \"name\": \"victim.doe@mycompany.com\",\n \"id\": \"victim.doe@mycompany.com\"\n }\n}", + "event": { + "action": "subjectModifiedAndUrlsUnlinked", + "category": [ + "email" + ], + "dataset": "emailScan", + "type": [ + "info" + ] + }, + "action": { + "properties": { + "UserPrincipalName": "victim.doe@mycompany.com" + } + }, + "agent": { + "type": "WithSecure Agent" + }, + "email": { + "delivery_timestamp": "2024-07-18T07:47:26Z", + "from": { + "address": [ + "john.doe@attacker.com" + ] + }, + "message_id": "202418010146.g984g80se2aofj@attacker.com", + "subject": "RE: Discussion contrat important MyCompany", + "to": { + "address": [ + "victim.doe@mycompany.com" + ] + } + }, + "file": { + "created": "2024-07-18T07:47:29Z" + }, + "organization": { + "id": "984a72d0-473f-440b-bfa8-1a9cd453ae67", + "name": "MyCompany FR" + }, + "related": { + "ip": [ + "168.40.38.82" + ] + }, + "service": { + "type": "o365-exchange" + }, + "source": { + "address": "168.40.38.82", + "ip": "168.40.38.82" + }, + "threat": { + "enrichments": [ + { + "indicator": { + "type": "url", + "url": { + "original": "https://attacker.com/mk/op/sh/zejfz4647646/zef545zef" + } + } + }, + { + "indicator": { + "type": "url", + "url": { + "original": "https://attacker.com/mk/cl/f/sh/sg6r4gr6g4r6gegg/r4g4g6g" + } + } + }, + { + "indicator": { + "type": "url", + "url": { + "original": 
"https://attacker.com/mk/cl/f/sh/ze4fz4fz4fzfe/45zef5-I" + } + } + }, + { + "indicator": { + "type": "url", + "url": { + "original": "https://attacker.com/mk/cl/f/sh/zefezfezfz4fe/zefezf" + } + } + }, + { + "indicator": { + "type": "url", + "url": { + "original": "https://attacker.com/mk/un/sh/zefzf654fzfz/TDv7NJlnZGSy" + } + } + } + ] + }, + "withsecure": { + "email": { + "urls": [ + { + "url": { + "hash": { + "sha1": "3b923d078ea3bd39489ed6d334c423e4478a8ee3" + }, + "original": "https://aka.ms/LearnAboutSenderIdentification", + "reputation": { + "code": 80, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "429365d0bd3efc753c6cc7b50900005037a3b341" + }, + "original": "https://attacker.com/mk/op/sh/zejfz4647646/zef545zef", + "reputation": { + "code": -100, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + }, + { + "url": { + "hash": { + "sha1": "72c4aa6d5261823eae1cdf42ff4831501fc1833b" + }, + "original": "https://attacker.com/mk/cl/f/sh/sg6r4gr6g4r6gegg/r4g4g6g", + "reputation": { + "code": -100, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + }, + { + "url": { + "hash": { + "sha1": "eecba1edb19a70641dd4147569d7034bd0eba8dd" + }, + "original": "https://attacker.com/im/sh/zef46zf4e.png?u=zef4efezf", + "reputation": { + "code": 0, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "b0f1884585d0f926ad3f7514f687fa9dd9d43440" + }, + "original": "https://attacker.com/mk/cl/f/sh/ze4fz4fz4fzfe/45zef5-I", + "reputation": { + "code": -100, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + }, + { + "url": { + "hash": { + "sha1": "2ff0b754247642ecc8a7108094c4762c43a8be76" + }, + "original": "https://attacker.com/mk/cl/f/sh/zefezfezfz4fe/zefezf", + "reputation": { + "code": -100, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + }, + { + "url": { + "hash": { + "sha1": "2db67f3b041683ac7f09a97a7f467f2ea741c676" + }, + "original": 
"https://cloud.sucpiciousserver.com/collect/bc/zefzfz?p=zefz4z4fz6f-wh878kG0mKc-zef5fez5fez-x7", + "reputation": { + "code": 80, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "627e5d03ba9c069feba1631f075a3ac9430b2213" + }, + "original": "https://attacker.com/mk/un/sh/zefzf654fzfz/TDv7NJlnZGSy", + "reputation": { + "code": -100, + "name": "unsafe_url" + }, + "verdict": "HarmfulUrl" + } + }, + { + "url": { + "hash": { + "sha1": "7b12be67065fbf8a90f060715b519d85377583dc" + }, + "original": "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd", + "reputation": { + "code": 80, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "52eba95aa675c57a73054346fb8e85898c1d3a55" + }, + "original": "https://attacker.com/im/sh/zf5f4ezf.png?u=q5f4ezfzf", + "reputation": { + "code": 0, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "852dd2f9350123f2aa549c38388566eaf1eebdf6" + }, + "original": "cloud.letsignit.com", + "reputation": { + "code": 80, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "3d7a60d037e4ddf46283b1f256392bfcda4870a0" + }, + "original": "https://attacker.com/im/sh/fe4f5-.png?u=2BpAyz2gMiWncgNhSdtyKCSpskKSlwJEaT", + "reputation": { + "code": 0, + "name": "safe_url" + }, + "verdict": "Safe" + } + }, + { + "url": { + "hash": { + "sha1": "3620e33317a00f5f5541846a6528671583460d69" + }, + "original": "https://attacker.com/im/sh/zefzf6ezf.png?u=zf7ez4fezf1ezf", + "reputation": { + "code": 0, + "name": "safe_url" + }, + "verdict": "Safe" + } + } + ] + }, + "severity": "critical" + } + } + + ``` + + === "firewall_blocked_connection.json" ```json 
@@ -791,6 +1234,12 @@ The following table lists the fields that are extracted, normalized under the EC |`agent.type` | `keyword` | Type of the agent. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | +|`email.attachments` | `nested` | List of objects describing the attachments. | +|`email.delivery_timestamp` | `date` | Date and time when message was delivered. | +|`email.from.address` | `keyword` | The sender's email address. | +|`email.message_id` | `wildcard` | Value from the Message-ID header. | +|`email.subject` | `keyword` | The subject of the email message. | +|`email.to.address` | `keyword` | Email address of recipient | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | 
@@ -822,14 +1271,18 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.description` | `keyword` | Rule description | |`rule.id` | `keyword` | Rule ID | |`rule.name` | `keyword` | Rule name | +|`service.type` | `keyword` | The type of the service. | |`source.address` | `keyword` | Source network address. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`threat.enrichments` | `nested` | List of objects containing indicators enriching the event. | |`url.full` | `wildcard` | Full unparsed URL. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | |`withsecure.alert.type` | `keyword` | Type of alert | |`withsecure.amsi.content_name` | `keyword` | Filename, URL, unique script ID, or similar of the content | +|`withsecure.email.attachments` | `array` | Email attachments | +|`withsecure.email.urls` | `array` | URLS found on the mail's body | |`withsecure.file.prevalence` | `keyword` | The prevalence rating of the file. 0 - Undefined or not known. 1-50 Rare files. 50-100 Common files. | |`withsecure.file.rarity` | `keyword` | Rarity of the file | |`withsecure.file.reputation` | `keyword` | The reputation rating of the file, 0-9 - Clean file. 10-79 - Suspicious or potential unwanted (PUA) or Riskware. 0-89 - Unwanted Application. 90-100 - Known malicious. 101-999 - Unknown. | diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48_sample.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48_sample.md index ec88e3c030..3d6066625a 100644 --- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48_sample.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48_sample.md 
@@ -197,6 +197,60 @@ In this section, you will find examples of raw logs as generated natively by the +=== "collaborationProtectionEmailScan" + + + ```json + { + "id": "cf81f722-6d92-3965-8cd7-89da1dc3c91d_0", + "serverTimestamp": 1589373818926, + "persistenceTimestamp": 1589373818926, + "account": { + "uuid": "51cebe8d-f671-4d50-b4fd-7f701cea1dc3", + "name": "Test Company", + "orgPath": "00000000-0000-0000-0000-000000000000/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/51cebe8d-f671-4d50-b4fd-7f701cea1dc3/" + }, + "severity": "warning", + "engine": "collaborationProtectionEmailScan", + "source": "", + "action": "noneBecauseMissing", + "txId": "0000-a7b175cb49074a86-0000-24347384954574830", + "details": { + "eventId": "82d7000d-c6ce-42db-823e-a14bf0d9f5af", + "userPrincipalName": "hietpo@6kc3b2.onmicrosoft.com", + "serviceType": "o365-exchange", + "serviceId": "11111111-1111-1111-1111-111111111111", + "severity": "medium", + "category": "harmfulContent", + "created": "1683888672000", + "itemSender": "AdeleV@6kc3b2.onmicrosoft.com", + "sendingServerIP": "fe80::459d:de80:c84:df2e", + "itemParentFolderName": "Inbox", + "itemSize": "36647", + "itemSubject": "Test111", + "internetMessageId": "", + "itemType": "EmailMessage", + "unsafeUrlCount": "1", + "unsafeAttachmentCount": "2", + "itemDateTimeReceived": "1683888661000", + "attachments": "[{\"sha1\":\"f698eb70e11a36e0ffa6525d386cc127815247fd\",\"prevalence\":\"common\",\"filename\":\"bad_boy.scan\",\"size\":\"251\",\"prevalenceScore\":\"60\",\"verdict\":\"Unsafe\",\"reputation\":\"unknown\",\"reputationScore\":\"150\",\"detonation\":\"false\"},{\"sha1\":\"0912b6e31ec6f676af5bab5f1e95b3ab8cb13660\",\"prevalence\":\"unique\",\"filename\":\"good_boy-unique-1.ok\",\"size\":\"1048836\",\"prevalenceScore\":\"1\",\"verdict\":\"Safe\",\"reputation\":\"unknown\",\"reputationScore\":\"150\",\"detonation\":\"false\"}]", + "urls": 
"[{\"sha1\":\"ebe616225523aa82c5398a543a56761dd74bd3ff\",\"verdict\":\"HarmfulUrl\",\"reputation\":\"unsafe_url\",\"reputationScore\":\"-80\",\"url\":\"unsafe.fstestdomain.com\"}]" + }, + "reporting": { + "timestamp": 1589373818926 + }, + "target": { + "id": "hietpo@6kc3b2.onmicrosoft.com", + "name": "hietpo@6kc3b2.onmicrosoft.com" + }, + "fingerprint": { + "similarity": "g10F9A4ycYu9z9FP" + } + } + ``` + + + === "deepguard_blocked_executable_file" 
@@ -322,6 +376,52 @@ In this section, you will find examples of raw logs as generated natively by the +=== "emailscan_event" + + + ```json + { + "severity": "critical", + "acknowledged": false, + "engine": "emailScan", + "serverTimestamp": "2024-07-18T07:47:29.438Z", + "organization": { + "name": "MyCompany FR", + "id": "984a72d0-473f-440b-bfa8-1a9cd453ae67" + }, + "action": "subjectModifiedAndUrlsUnlinked", + "details": { + "serviceType": "o365-exchange", + "severity": "high", + "unsafeAttachmentCount": "0", + "eventId": "c01c51ab-e816-4855-720b-e4cead0c7ed0", + "itemType": "EmailMessage", + "itemDateTimeReceived": "1721288846000", + "created": "1721288849000", + "itemSender": "john.doe@attacker.com", + "itemSubject": "RE: Discussion contrat important MyCompany", + "sendingServerIP": "168.40.38.82", + "internetMessageId": "<202418010146.g984g80se2aofj@attacker.com>", + "urls": "[{\"sha1\":\"3b923d078ea3bd39489ed6d334c423e4478a8ee3\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"80\",\"url\":\"https://aka.ms/LearnAboutSenderIdentification\"},{\"sha1\":\"429365d0bd3efc753c6cc7b50900005037a3b341\",\"verdict\":\"HarmfulUrl\",\"reputation\":\"unsafe_url\",\"reputationScore\":\"-100\",\"url\":\"https://attacker.com/mk/op/sh/zejfz4647646/zef545zef\"},{\"sha1\":\"72c4aa6d5261823eae1cdf42ff4831501fc1833b\",\"verdict\":\"HarmfulUrl\",\"reputation\":\"unsafe_url\",\"reputationScore\":\"-100\",\"url\":\"https://attacker.com/mk/cl/f/sh/sg6r4gr6g4r6gegg/r4g4g6g\"},{\"sha1\":\"eecba1edb19a70641dd4147569d7034bd0eba8dd\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"0\",\"url\":\"https://attacker.com/im/sh/zef46zf4e.png?u=zef4efezf\"},{\"sha1\":\"b0f1884585d0f926ad3f7514f687fa9dd9d43440\",\"verdict\":\"HarmfulUrl\",\"reputation\":\"unsafe_url\",\"reputationScore\":\"-100\",\"url\":\"https://attacker.com/mk/cl/f/sh/ze4fz4fz4fzfe/45zef5-I\"},{\"sha1\":\"2ff0b754247642ecc8a7108094c4762c43a8be76\",\"verdict\":\"HarmfulUrl\",\"reputation
\":\"unsafe_url\",\"reputationScore\":\"-100\",\"url\":\"https://attacker.com/mk/cl/f/sh/zefezfezfz4fe/zefezf\"},{\"sha1\":\"2db67f3b041683ac7f09a97a7f467f2ea741c676\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"80\",\"url\":\"https://cloud.sucpiciousserver.com/collect/bc/zefzfz?p=zefz4z4fz6f-wh878kG0mKc-zef5fez5fez-x7\"},{\"sha1\":\"627e5d03ba9c069feba1631f075a3ac9430b2213\",\"verdict\":\"HarmfulUrl\",\"reputation\":\"unsafe_url\",\"reputationScore\":\"-100\",\"url\":\"https://attacker.com/mk/un/sh/zefzf654fzfz/TDv7NJlnZGSy\"},{\"sha1\":\"7b12be67065fbf8a90f060715b519d85377583dc\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"80\",\"url\":\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"},{\"sha1\":\"52eba95aa675c57a73054346fb8e85898c1d3a55\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"0\",\"url\":\"https://attacker.com/im/sh/zf5f4ezf.png?u=q5f4ezfzf\"},{\"sha1\":\"852dd2f9350123f2aa549c38388566eaf1eebdf6\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"80\",\"url\":\"cloud.letsignit.com\"},{\"sha1\":\"3d7a60d037e4ddf46283b1f256392bfcda4870a0\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"0\",\"url\":\"https://attacker.com/im/sh/fe4f5-.png?u=2BpAyz2gMiWncgNhSdtyKCSpskKSlwJEaT\"},{\"sha1\":\"3620e33317a00f5f5541846a6528671583460d69\",\"verdict\":\"Safe\",\"reputation\":\"safe_url\",\"reputationScore\":\"0\",\"url\":\"https://attacker.com/im/sh/zefzf6ezf.png?u=zf7ez4fezf1ezf\"}]", + "itemParentFolderName": "Junk Email", + "itemSize": "57452", + "category": "harmfulContent", + "serviceId": "89b60773-40d4-4354-8431-f846e38487a1", + "unsafeUrlCount": "5", + "userPrincipalName": "victim.doe@mycompany.com" + }, + "id": "f3ae087f-058d-3963-bdf7-2b2f18789369_0", + "persistenceTimestamp": "2024-07-18T07:47:33.590Z", + "eventTransactionId": "0000-48892313f0334054-0000-2truoi8ofr840vm", + "target": { + "name": "victim.doe@mycompany.com", + 
"id": "victim.doe@mycompany.com" + } + } + ``` + + + === "firewall_blocked_connection" diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 51c4448860..0f6cd024fb 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md 
@@ -399,6 +399,126 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_connection_acknowledged.json" + + ```json + + { + "message": "{\"time\":\"2024-08-30T07:00:12.5431823Z\",\"tenantId\":\"e9dc510f-a9d1-4041-ba9c-3308ff2cafba\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-08-30T06:57:48.6877713Z\",\"properties\":{\"DeviceName\":\"dks001.example.org\",\"DeviceId\":\"fe0395f347034d61a2c2c718d14df664\",\"ReportId\":33227,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":443,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":56468,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"InboundConnectionAcknowledged\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"Source Mac\\\":\\\"84:fa:b1:70:bf:8e\\\",\\\"Destination Mac\\\":\\\"80:95:bb:71:95:aa\\\",\\\"Tcp Flags\\\":18,\\\"Packet 
Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-08-30T07:04:25.6763023Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "device_network_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-30T07:04:25.676302Z", + "action": { + "type": "InboundConnectionAcknowledged" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 56468 + }, + "host": { + "id": "fe0395f347034d61a2c2c718d14df664", + "name": "dks001.example.org" + }, + "microsoft": { + "defender": { + "report": { + "id": "33227" + } + } + }, + "network": { + "protocol": "TcpV4" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0 + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + } + } + + ``` + + +=== "test_connection_attempt.json" + + ```json + + { + "message": "{\"time\": \"2024-08-07T14:40:43.3217277Z\", \"tenantId\": \"32fd1322-613a-4307-8da8-d9f2ba7dcfee\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceNetworkEvents\", \"_TimeReceivedBySvc\": \"2024-08-07T14:39:52.9339374Z\", \"properties\": {\"DeviceName\": \"desktop01.example.com\", \"DeviceId\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"ReportId\": 355896, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": 7680, \"LocalIP\": \"5.6.7.8\", \"LocalPort\": 56499, \"Protocol\": \"TcpV4\", \"RemoteUrl\": null, \"InitiatingProcessCreationTime\": 
null, \"InitiatingProcessId\": 0, \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"InitiatingProcessAccountSid\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessTokenElevation\": \"None\", \"AppGuardContainerId\": \"\", \"LocalIPType\": null, \"RemoteIPType\": null, \"ActionType\": \"ConnectionAttempt\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AdditionalFields\": \"{\\\"Source Mac\\\":\\\"10:9f:4b:3c:50:d7\\\",\\\"Destination Mac\\\":\\\"b0:df:72:9d:29:9b\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":66}\", \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-08-07T14:39:37.2995901Z\", \"MachineGroup\": \"All_Win10_11\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "device_network_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-07T14:39:37.299590Z", + "action": { + "type": "ConnectionAttempt" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 7680 + }, + "host": { + "id": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "name": "desktop01.example.com" 
+ }, + "microsoft": { + "defender": { + "report": { + "id": "355896" + } + } + }, + "network": { + "protocol": "TcpV4" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0 + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 56499 + } + } + + ``` + + === "test_detection_source.json" ```json 
@@ -1993,6 +2113,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_inbound_connection_attempt.json" + + ```json + + { + "message": "{\"time\": \"2024-08-08T06:10:51.1543444Z\", \"tenantId\": \"a8904d16-ae79-4f8f-90bd-f64c48898705\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceNetworkEvents\", \"_TimeReceivedBySvc\": \"2024-08-08T06:09:04.2831271Z\", \"properties\": {\"DeviceName\": \"device-01\", \"DeviceId\": \"42b7f57bd4dfbb5e693ce27196e4811ba5ca84d1\", \"ReportId\": 7053, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": 46112, \"LocalIP\": \"5.6.7.8\", \"LocalPort\": 443, \"Protocol\": \"TcpV4\", \"RemoteUrl\": null, \"InitiatingProcessCreationTime\": null, \"InitiatingProcessId\": 0, \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"InitiatingProcessAccountSid\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessTokenElevation\": \"None\", \"AppGuardContainerId\": \"\", \"LocalIPType\": null, \"RemoteIPType\": null, \"ActionType\": \"InboundConnectionAttempt\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AdditionalFields\": \"{\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":60}\", \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-08-08T06:07:08.3444146Z\", \"MachineGroup\": \"UnassignedGroup\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "device_network_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-08T06:07:08.344414Z", + "action": { + "type": "InboundConnectionAttempt" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "host": { + "id": "42b7f57bd4dfbb5e693ce27196e4811ba5ca84d1", + "name": "device-01" + }, + "microsoft": { + "defender": { + "report": { + "id": "7053" + } + } + }, + "network": { + "protocol": "TcpV4" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0 + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 46112 + } + } + + ``` + + === "test_local_ip.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md index 16f3caed07..1ad2cc8355 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md 
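Review bot: `process.pid` and `process.parent.pid` are emitted as 0 even though every `InitiatingProcess*` field in the raw event is null, so the normalized event reads as if PID 0 initiated the inbound connection and a rule that keys on `process.pid` will match a process the sensor never attributed; the test_connection_attempt.json output earlier in this file has the same pair. A zero `InitiatingProcessId` with no file name, hash or account means the flow is unattributed, and the parser should omit both pid fields in that case rather than copy the placeholder. `ActionType` also distinguishes inbound from outbound, but the output sets only `event.type: ["info"]` and no `network.direction`; `"network": {"direction": "inbound", "protocol": "TcpV4"}` would make the source/destination swap between the two samples explicit to rule authors. The parser itself is not in this diff, so this is inferred from the generated output.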
@@ -328,6 +328,132 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_connection_acknowledged"
+
+
+ ```json
+ {
+ "time": "2024-08-30T07:00:12.5431823Z",
+ "tenantId": "e9dc510f-a9d1-4041-ba9c-3308ff2cafba",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceNetworkEvents",
+ "_TimeReceivedBySvc": "2024-08-30T06:57:48.6877713Z",
+ "properties": {
+ "DeviceName": "dks001.example.org",
+ "DeviceId": "fe0395f347034d61a2c2c718d14df664",
+ "ReportId": 33227,
+ "RemoteIP": "5.6.7.8",
+ "RemotePort": 443,
+ "LocalIP": "1.2.3.4",
+ "LocalPort": 56468,
+ "Protocol": "TcpV4",
+ "RemoteUrl": null,
+ "InitiatingProcessCreationTime": null,
+ "InitiatingProcessId": 0,
+ "InitiatingProcessCommandLine": null,
+ "InitiatingProcessParentCreationTime": null,
+ "InitiatingProcessParentId": 0,
+ "InitiatingProcessParentFileName": null,
+ "InitiatingProcessSHA1": null,
+ "InitiatingProcessMD5": null,
+ "InitiatingProcessFolderPath": null,
+ "InitiatingProcessAccountName": null,
+ "InitiatingProcessAccountDomain": null,
+ "InitiatingProcessAccountSid": null,
+ "InitiatingProcessFileName": null,
+ "InitiatingProcessIntegrityLevel": null,
+ "InitiatingProcessTokenElevation": "None",
+ "AppGuardContainerId": "",
+ "LocalIPType": null,
+ "RemoteIPType": null,
+ "ActionType": "InboundConnectionAcknowledged",
+ "InitiatingProcessSHA256": null,
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "AdditionalFields": "{\"Source Mac\":\"84:fa:b1:70:bf:8e\",\"Destination Mac\":\"80:95:bb:71:95:aa\",\"Tcp Flags\":18,\"Packet Size\":66}",
+ "InitiatingProcessFileSize": null,
+ "InitiatingProcessVersionInfoCompanyName": null,
+ "InitiatingProcessVersionInfoProductName": null,
+ "InitiatingProcessVersionInfoProductVersion": null,
+ "InitiatingProcessVersionInfoInternalFileName": null,
+ "InitiatingProcessVersionInfoOriginalFileName": null,
+ "InitiatingProcessVersionInfoFileDescription": null,
+ "InitiatingProcessSessionId": null,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-08-30T07:04:25.6763023Z",
+ "MachineGroup": null
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
+=== "test_connection_attempt"
+
+
+ ```json
+ {
+ "time": "2024-08-07T14:40:43.3217277Z",
+ "tenantId": "32fd1322-613a-4307-8da8-d9f2ba7dcfee",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceNetworkEvents",
+ "_TimeReceivedBySvc": "2024-08-07T14:39:52.9339374Z",
+ "properties": {
+ "DeviceName": "desktop01.example.com",
+ "DeviceId": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
+ "ReportId": 355896,
+ "RemoteIP": "1.2.3.4",
+ "RemotePort": 7680,
+ "LocalIP": "5.6.7.8",
+ "LocalPort": 56499,
+ "Protocol": "TcpV4",
+ "RemoteUrl": null,
+ "InitiatingProcessCreationTime": null,
+ "InitiatingProcessId": 0,
+ "InitiatingProcessCommandLine": null,
+ "InitiatingProcessParentCreationTime": null,
+ "InitiatingProcessParentId": 0,
+ "InitiatingProcessParentFileName": null,
+ "InitiatingProcessSHA1": null,
+ "InitiatingProcessMD5": null,
+ "InitiatingProcessFolderPath": null,
+ "InitiatingProcessAccountName": null,
+ "InitiatingProcessAccountDomain": null,
+ "InitiatingProcessAccountSid": null,
+ "InitiatingProcessFileName": null,
+ "InitiatingProcessIntegrityLevel": null,
+ "InitiatingProcessTokenElevation": "None",
+ "AppGuardContainerId": "",
+ "LocalIPType": null,
+ "RemoteIPType": null,
+ "ActionType": "ConnectionAttempt",
+ "InitiatingProcessSHA256": null,
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "AdditionalFields": "{\"Source Mac\":\"10:9f:4b:3c:50:d7\",\"Destination Mac\":\"b0:df:72:9d:29:9b\",\"Tcp Flags\":2,\"Packet Size\":66}",
+ "InitiatingProcessFileSize": null,
+ "InitiatingProcessVersionInfoCompanyName": null,
+ "InitiatingProcessVersionInfoProductName": null,
+ "InitiatingProcessVersionInfoProductVersion": null,
+ "InitiatingProcessVersionInfoInternalFileName": null,
+ "InitiatingProcessVersionInfoOriginalFileName": null,
+ "InitiatingProcessVersionInfoFileDescription": null,
+ "InitiatingProcessSessionId": null,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-08-07T14:39:37.2995901Z",
+ "MachineGroup": "All_Win10_11"
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_detection_source"
@@ -1480,6 +1606,69 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_inbound_connection_attempt"
+
+
+ ```json
+ {
+ "time": "2024-08-08T06:10:51.1543444Z",
+ "tenantId": "a8904d16-ae79-4f8f-90bd-f64c48898705",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceNetworkEvents",
+ "_TimeReceivedBySvc": "2024-08-08T06:09:04.2831271Z",
+ "properties": {
+ "DeviceName": "device-01",
+ "DeviceId": "42b7f57bd4dfbb5e693ce27196e4811ba5ca84d1",
+ "ReportId": 7053,
+ "RemoteIP": "1.2.3.4",
+ "RemotePort": 46112,
+ "LocalIP": "5.6.7.8",
+ "LocalPort": 443,
+ "Protocol": "TcpV4",
+ "RemoteUrl": null,
+ "InitiatingProcessCreationTime": null,
+ "InitiatingProcessId": 0,
+ "InitiatingProcessCommandLine": null,
+ "InitiatingProcessParentCreationTime": null,
+ "InitiatingProcessParentId": 0,
+ "InitiatingProcessParentFileName": null,
+ "InitiatingProcessSHA1": null,
+ "InitiatingProcessMD5": null,
+ "InitiatingProcessFolderPath": null,
+ "InitiatingProcessAccountName": null,
+ "InitiatingProcessAccountDomain": null,
+ "InitiatingProcessAccountSid": null,
+ "InitiatingProcessFileName": null,
+ "InitiatingProcessIntegrityLevel": null,
+ "InitiatingProcessTokenElevation": "None",
+ "AppGuardContainerId": "",
+ "LocalIPType": null,
+ "RemoteIPType": null,
+ "ActionType": "InboundConnectionAttempt",
+ "InitiatingProcessSHA256": null,
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "AdditionalFields": "{\"Source Mac\":\"0a:ac:f5:b4:e6:37\",\"Destination Mac\":\"18:e8:f8:74:c9:0d\",\"Tcp Flags\":2,\"Packet Size\":60}",
+ "InitiatingProcessFileSize": null,
+ "InitiatingProcessVersionInfoCompanyName": null,
+ "InitiatingProcessVersionInfoProductName": null,
+ "InitiatingProcessVersionInfoProductVersion": null,
+ "InitiatingProcessVersionInfoInternalFileName": null,
+ "InitiatingProcessVersionInfoOriginalFileName": null,
+ "InitiatingProcessVersionInfoFileDescription": null,
+ "InitiatingProcessSessionId": null,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-08-08T06:07:08.3444146Z",
+ "MachineGroup": "UnassignedGroup"
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_local_ip"
diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md
index 03bf80f489..3e6a97fc33 100644
--- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md
+++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md
@@ -210,7 +210,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "file": {
 "name": "O2MDFvst.INF",
- "path": "D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z\\\\O2Micro\\\\FORCED\\\\6x86\\\\"
+ "path": "D:\\\\2. DRIVER\\\\drivers WIN7\\\\Drivers\\\\DP_CardReader_14032.7z\\\\O2Micro\\\\FORCED\\\\6x86"
 },
 "host": {
 "name": "shost1"
@@ -992,6 +992,72 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "trojan_event.json" + + ```json + + { + "message": "0|Trend Micro|Apex Central|2019|AV:File cleaned|Trojan.Win32.FRS.VSNW03G24|3|deviceExternalId=3541 rt=Sep 02 2024 07:28:21 GMT+00:00 cnt=1 dhost=host TMCMLogDetectedHost=host duser=host\\\\username act=File cleaned cn1Label=Pattern cn1=1956500 cn2Label=Second_Action cn2=1 cs1Label=VLF_FunctionCode cs1=Scheduled Scan cs2Label=Engine cs2=1.2.3.4 cs3Label=Product_Version cs3=14.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=First_Action_Result cs5=File cleaned cs6Label=Second_Action_Result cs6=N/A cat=1703 dvchost=host.test.trendmicro.com cn3Label=Overall_Risk_Rating cn3=0 fname=filename.rb filePath=C:\\\\path\\\\to\\\\the\\\\file\\\\ dst=5.6.7.8 TMCMLogDetectedIP=5.6.7.8 fileHash=ABCDE0123456789ABCDE deviceFacility=Apex One ApexCentralHost=Standard Endpoint Protection Manager devicePayloadId=ABCDEF012345-67890ABC-DEF1-2345-6789 TMCMdevicePlatform=Windows 10 10.0 (Build 19045) deviceNtDomain=N/A dntdom=Workgroup\\\\\n", + "event": { + "action": "File cleaned", + "category": [ + "malware" + ], + "dataset": "Trojan.Win32.FRS.VSNW03G24", + "severity": 3, + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-02T07:28:21Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "hash": { + "sha1": "ABCDE0123456789ABCDE" + }, + "name": "filename.rb", + "path": "C:\\\\path\\\\to\\\\the\\\\file" + }, + "host": { + "name": "host" + }, + "observer": { + "product": "Apex Central", + "vendor": "Trend Micro", + "version": "2019" + }, + "related": { + "hash": [ + "ABCDE0123456789ABCDE" + ], + "hosts": [ + "host.test.trendmicro.com" + ], + "ip": [ + "5.6.7.8" + ], + "user": [ + "username" + ] + }, + "rule": { + "id": "AV:File cleaned" + }, + "server": { + "domain": "host.test.trendmicro.com" + }, + "user": { + "domain": "host", + "name": "username" + } + } + + ``` + + === 
"virus_malware_event.json"
 ```json
@@ -1013,7 +1079,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "@timestamp": "2016-02-18T14:34:00Z",
 "file": {
 "name": "0348C693056617D34FC5B5BAB4643885FEE5FEDF;0xD5D56AC2",
- "path": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\trend_test_virus\\\\Trojans\\\\"
+ "path": "C:\\\\Users\\\\Administrator\\\\Desktop\\\\trend_test_virus\\\\Trojans"
 },
 "host": {
 "name": "ApexOneClient01"
@@ -1067,7 +1133,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "@timestamp": "2023-03-15T13:23:47Z",
 "file": {
 "name": "5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687",
- "path": "C:\\\\Users\\\\adminuser\\\\Downloads\\\\5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687\\\\"
+ "path": "C:\\\\Users\\\\adminuser\\\\Downloads\\\\5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687"
 },
 "host": {
 "name": "mymachine.local"
@@ -1212,6 +1278,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`rule.id` | `keyword` | Rule ID |
 |`rule.name` | `keyword` | Rule name |
 |`rule.ruleset` | `keyword` | Rule ruleset |
+|`server.domain` | `keyword` | The domain name of the server. |
 |`source.address` | `keyword` | Source network address. |
 |`source.domain` | `keyword` | The domain name of the source. |
 |`source.ip` | `ip` | IP address of the source. |
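Review bot: `related.hosts` in trojan_event.json holds only `host.test.trendmicro.com` (the `dvchost` value), while the endpoint name carried by `dhost`/`TMCMLogDetectedHost` and written to `host.name`, `host`, is not in it, so a pivot on the affected machine misses this event; `"hosts": ["host", "host.test.trendmicro.com"]` would fix that. In CEF `dvchost` names the reporting device, here the Apex Central manager, so mapping it to `server.domain` (and the new `server.domain` row in the field table at line 1278) implies a server-side party to the file-cleaning action that the log does not describe; `observer.hostname` is the usual home for it. The parser is not in this diff, so both points are inferred from the generated output.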
@@ -1229,6 +1296,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`trendmicro.apexone.VirusName` | `keyword` | Provides the specific name of a virus as detected by Trend Micro. This is fundamental for virus identification and subsequent mitigation strategies. |
 |`trendmicro.apexone.behavior.target` | `keyword` | |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.name` | `keyword` | Short name or login of the user. |
 |`user.target.name` | `keyword` | Short name or login of the user. |
diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365_sample.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365_sample.md
index 5d4746e80c..2826707abc 100644
--- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365_sample.md
+++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365_sample.md
@@ -140,6 +140,15 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "trojan_event"
+
+ ```
+ 0|Trend Micro|Apex Central|2019|AV:File cleaned|Trojan.Win32.FRS.VSNW03G24|3|deviceExternalId=3541 rt=Sep 02 2024 07:28:21 GMT+00:00 cnt=1 dhost=host TMCMLogDetectedHost=host duser=host\\username act=File cleaned cn1Label=Pattern cn1=1956500 cn2Label=Second_Action cn2=1 cs1Label=VLF_FunctionCode cs1=Scheduled Scan cs2Label=Engine cs2=1.2.3.4 cs3Label=Product_Version cs3=14.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=First_Action_Result cs5=File cleaned cs6Label=Second_Action_Result cs6=N/A cat=1703 dvchost=host.test.trendmicro.com cn3Label=Overall_Risk_Rating cn3=0 fname=filename.rb filePath=C:\\path\\to\\the\\file\\ dst=5.6.7.8 TMCMLogDetectedIP=5.6.7.8 fileHash=ABCDE0123456789ABCDE deviceFacility=Apex One ApexCentralHost=Standard Endpoint Protection Manager devicePayloadId=ABCDEF012345-67890ABC-DEF1-2345-6789 TMCMdevicePlatform=Windows 10 10.0 (Build 19045) deviceNtDomain=N/A dntdom=Workgroup\\
+
+ ```
+
+
+
 === "virus_malware_event"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md
index dde7feb8c0..bf6f51db78 100644
--- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md
+++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md
@@ -394,14 +394,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "authentication"
 ],
- "id": "00000000-0000-0000-0000-000000000000",
+ "outcome": "success",
 "type": [
 "start"
 ]
 },
 "@timestamp": "2022-04-05T13:07:16.779653Z",
 "action": {
- "name": "Sign-in activity"
+ "name": "Sign-in activity",
+ "outcome": "success"
 },
 "azuread": {
 "Level": 4,
@@ -546,6 +547,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "authentication"
 ],
+ "outcome": "failure",
 "reason": "External security challenge was not satisfied.",
 "type": [
 "start"
@@ -553,7 +555,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "@timestamp": "2022-03-30T14:52:21.706218Z",
 "action": {
- "name": "Sign-in activity"
+ "name": "Sign-in activity",
+ "outcome": "failure"
 },
 "azuread": {
 "Level": 4,
@@ -658,14 +661,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "authentication"
 ],
- "id": "00000000-0000-0000-0000-000000000000",
+ "outcome": "success",
 "type": [
 "start"
 ]
 },
 "@timestamp": "2022-03-31T12:26:46.019095Z",
 "action": {
- "name": "Sign-in activity"
+ "name": "Sign-in activity",
+ "outcome": "success"
 },
 "azuread": {
 "Level": 4,
@@ -770,14 +774,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "authentication"
 ],
- "id": "00000000-0000-0000-0000-000000000000",
+ "outcome": "success",
 "type": [
 "start"
 ]
 },
 "@timestamp": "2023-08-16T15:32:05.577260Z",
 "action": {
- "name": "Sign-in activity"
+ "name": "Sign-in activity",
+ "outcome": "success"
 },
 "azuread": {
 "Level": 4,
@@ -890,13 +895,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "authentication"
 ],
+ "outcome": "success",
 "type": [
 "start"
 ]
 },
 "@timestamp": "2023-10-04T13:09:02.679994Z",
 "action": {
- "name": "Sign-in activity"
+ "name": "Sign-in activity",
+ "outcome": "success"
 },
 "azuread": {
 "Level": 4,
diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
index ac714c0d1f..da08d70cb0 100644
--- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
+++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
@@ -510,6 +510,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "epp_detection_summary_event_3.json" + + ```json + + { + "message": "{\"metadata\":{\"customerIDString\":\"7da61e27e34f4b8394080000000\",\"offset\":13950706,\"eventType\":\"EppDetectionSummaryEvent\",\"eventCreationTime\":1723134750000,\"version\":\"1.0\"},\"event\":{\"Hostname\":\"FRHOSTNAME\",\"Name\":\"OnDemandScanfiletest\",\"Severity\":70,\"FileName\":\"testfile.vmx\",\"FilePath\":\"D:\\\\RECYCLER\\\\testpath\\\\testfile.vmx\",\"SHA256String\":\"774f50830a645392a94338815913e281096f1594ce5f4d992cf3f167fde509a1\",\"FalconHostLink\":\"https://falcon.eu-1.crowdstrike.com/activity-v2/detections\",\"AgentId\":\"1122025ec596478d830520000000000\",\"CompositeId\":\"7da61e27e34f4b8394081896af72e2c7\",\"LocalIP\":\"1.2.3.4\",\"MACAddress\":\"88-44-66-77-11-22\",\"Tactic\":\"Machine Learning\",\"Technique\":\"Sensor-based ML\",\"Objective\":\"Falcon Detection Method\",\"HostGroups\":\"2a5927e82d644aa9,be74ccf2c2f444cf900\",\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon Insight\",\"DataDomains\":\"Endpoint\",\"Type\":\"ods\",\"LocalIPv6\":\"\"}}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "severity": 70, + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-08T16:32:30Z", + "crowdstrike": { + "event_type": "EppDetectionSummaryEvent", + "host_groups": [ + "2a5927e82d644aa9", + "be74ccf2c2f444cf900" + ] + }, + "file": { + "hash": { + "sha256": "774f50830a645392a94338815913e281096f1594ce5f4d992cf3f167fde509a1" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ], + "mac": [ + "88-44-66-77-11-22" + ] + }, + "process": { + "name": "testfile.vmx", + "working_directory": "D:\\RECYCLER\\testpath\\testfile.vmx" + }, + "related": { + "hash": [ + "774f50830a645392a94338815913e281096f1594ce5f4d992cf3f167fde509a1" + ], + "ip": [ + "1.2.3.4" + ] + }, + "threat": { + "tactic": { + "name": "Machine Learning" + }, + "technique": { + 
"name": "Sensor-based ML" + } + } + } + + ``` + + === "identity_protection_1.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md index 7cdc33efad..8c4b913011 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md @@ -890,6 +890,45 @@ In this section, you will find examples of raw logs as generated natively by the +=== "epp_detection_summary_event_3" + + + ```json + { + "metadata": { + "customerIDString": "7da61e27e34f4b8394080000000", + "offset": 13950706, + "eventType": "EppDetectionSummaryEvent", + "eventCreationTime": 1723134750000, + "version": "1.0" + }, + "event": { + "Hostname": "FRHOSTNAME", + "Name": "OnDemandScanfiletest", + "Severity": 70, + "FileName": "testfile.vmx", + "FilePath": "D:\\RECYCLER\\testpath\\testfile.vmx", + "SHA256String": "774f50830a645392a94338815913e281096f1594ce5f4d992cf3f167fde509a1", + "FalconHostLink": "https://falcon.eu-1.crowdstrike.com/activity-v2/detections", + "AgentId": "1122025ec596478d830520000000000", + "CompositeId": "7da61e27e34f4b8394081896af72e2c7", + "LocalIP": "1.2.3.4", + "MACAddress": "88-44-66-77-11-22", + "Tactic": "Machine Learning", + "Technique": "Sensor-based ML", + "Objective": "Falcon Detection Method", + "HostGroups": "2a5927e82d644aa9,be74ccf2c2f444cf900", + "SourceVendors": "CrowdStrike", + "SourceProducts": "Falcon Insight", + "DataDomains": "Endpoint", + "Type": "ods", + "LocalIPv6": "" + } + } + ``` + + + === "identity_protection_1" 
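Review bot: the scanned file of this `Type: ods` detection is written to `process.name`/`process.working_directory` (`"name": "testfile.vmx"`, `"working_directory": "D:\\RECYCLER\\testpath\\testfile.vmx"`), but nothing in the event says that file was executed, and `FilePath` already includes the file name, so it is not a directory either; `file.name`/`file.path` next to the existing `file.hash.sha256` is where a rule or a `related.hash` pivot will look. `Hostname` ("FRHOSTNAME") is dropped too: neither `host.name` nor `related.hosts` is set, so the alert can only be joined to the endpoint through `host.ip`/`host.mac`. I cannot see the existing epp_detection_summary_event_1/2 samples or the parser in this diff, so the process mapping may be deliberate for process-based detections and only wrong for on-demand scan results.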
diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
index d9542dcfd5..23103d60b4 100644
--- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
+++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md
@@ -993,6 +993,79 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "windows_5156.json" + + ```json + + { + "message": "{\"action\":{\"properties\":{\"Application\":\"\\\\device\\\\harddisk\\\\windows\\\\system32\\\\test.exe\",\"Direction\":\"%%14593\",\"EventType\":\"AUDIT_SUCCESS\",\"FilterRTID\":\"72760\",\"Keywords\":\"0x8020000000000000\",\"LayerName\":\"%%14611\",\"LayerRTID\":\"48\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\"},\"id\":5156},\"destination\":{\"address\":\"1.2.3.4\",\"ip\":\"1.2.3.4\",\"port\":1},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":5156},\"agent\":{\"id\":\"72d68eb9bacfe73d21ff765b4e81aaec6934169b947daae740666327bd5f5e8c\",\"version\":\"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"hostname\",\"ip\":[\"5.6.7.8\"]},\"network\":{\"transport\":\"tcp\"},\"process\":{\"pid\":2184},\"source\":{\"address\":\"5.6.7.8\",\"ip\":\"5.6.7.8\",\"port\":2},\"@timestamp\":\"2024-07-19T14:10:28.962733Z\"}", + "event": { + "code": "5156", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-07-19T14:10:28.962733Z", + "action": { + "id": 5156, + "properties": { + "Application": "\\device\\harddisk\\windows\\system32\\test.exe", + "Direction": "%%14593", + "EventType": "AUDIT_SUCCESS", + "FilterRTID": "72760", + "Keywords": "0x8020000000000000", + "LayerName": "%%14611", + "LayerRTID": "48", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "RemoteMachineID": "S-1-0-0", + "RemoteUserID": "S-1-0-0", + "Severity": "LOG_ALWAYS", + "SourceName": "Microsoft-Windows-Security-Auditing" + } + }, + "agent": { + "id": "72d68eb9bacfe73d21ff765b4e81aaec6934169b947daae740666327bd5f5e8c", + "version": 
"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 1 + }, + "host": { + "hostname": "hostname", + "ip": [ + "5.6.7.8" + ], + "name": "hostname", + "os": { + "type": "windows" + } + }, + "network": { + "transport": "tcp" + }, + "process": { + "name": "test.exe", + "pid": 2184 + }, + "related": { + "hosts": [ + "hostname" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 2 + } + } + + ``` + + === "windows_auth.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md index b0b9798ebf..532d80b186 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md 
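Review bot: `action.properties.Direction` and `LayerName` are passed through as the raw message-table codes `%%14593`/`%%14611` and no `network.direction` is set, so the only indication that this is an outbound connect (local 5.6.7.8 to remote 1.2.3.4, which is how `source`/`destination` are populated here) stays in an opaque code. The Event_5156.json sample added to 2815eaab-2425-4eff-8038-3f7d5a3b8b11.md later in this diff shows `%%14592` next to a Description reading `Direction: Inbound` and `%%14610` next to `Layer Name: Receive/Accept`, and `%%14593`/`%%14611` are the outbound/connect counterparts in the same message table, so the parser has enough to emit `"network": {"direction": "outbound", "transport": "tcp"}` for this event and `"direction": "inbound"` for that one. The parser is not in this diff; this is inferred from the generated output.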
@@ -756,6 +756,67 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "windows_5156"
+
+
+ ```json
+ {
+ "action": {
+ "properties": {
+ "Application": "\\device\\harddisk\\windows\\system32\\test.exe",
+ "Direction": "%%14593",
+ "EventType": "AUDIT_SUCCESS",
+ "FilterRTID": "72760",
+ "Keywords": "0x8020000000000000",
+ "LayerName": "%%14611",
+ "LayerRTID": "48",
+ "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "RemoteMachineID": "S-1-0-0",
+ "RemoteUserID": "S-1-0-0",
+ "Severity": "LOG_ALWAYS",
+ "SourceName": "Microsoft-Windows-Security-Auditing"
+ },
+ "id": 5156
+ },
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 1
+ },
+ "event": {
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "code": 5156
+ },
+ "agent": {
+ "id": "72d68eb9bacfe73d21ff765b4e81aaec6934169b947daae740666327bd5f5e8c",
+ "version": "v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db"
+ },
+ "host": {
+ "os": {
+ "type": "windows"
+ },
+ "hostname": "hostname",
+ "ip": [
+ "5.6.7.8"
+ ]
+ },
+ "network": {
+ "transport": "tcp"
+ },
+ "process": {
+ "pid": 2184
+ },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "port": 2
+ },
+ "@timestamp": "2024-07-19T14:10:28.962733Z"
+ }
+ ```
+
+
+
 === "windows_auth"
diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
index 7ee76c61f4..3df5c748bd 100644
--- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
+++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md
@@ -42,19 +42,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "id": 4719,
 "name": "System audit policy was changed",
 "outcome": "success",
- "properties": [
- {
- "AuditPolicyChanges": "%%8450",
- "opcode": 0
- }
- ],
- "record_id": 56204662,
- "type": "Security"
- },
- "azure_windows": {
- "event_data": {
+ "properties": {
 "AuditPolicyChanges": "%%8450",
 "CategoryId": "%%8273",
+ "Opcode": 0,
 "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
 "SubcategoryId": "%%12544",
 "SubjectDomainName": "ACME",
@@ -62,6 +53,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "SubjectUserName": "Acmesubject$",
 "SubjectUserSid": "S-1-5-18"
 },
+ "record_id": 56204662,
+ "type": "Security"
+ },
+ "azure_windows": {
 "opcode": "0",
 "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
 "provider_name": "Microsoft-Windows-Security-Auditing",
@@ -102,6 +97,93 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_5156.json" + + ```json + + { + "message": "{\"time\":\"2024-08-05T09:42:02.6748562Z\",\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"DeploymentId\":\"6abbdff3-a82c-4089-9953-44123e5f2400\",\"Role\":\"IaaS\",\"RoleInstance\":\"ROLE01\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventId\":5156,\"Level\":0,\"Pid\":4,\"Tid\":304100,\"Opcode\":0,\"Task\":12810,\"Channel\":\"Security\",\"Description\":\"The Windows Filtering Platform has permitted a connection.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t2652\\r\\n\\tApplication Name:\\t\\\\device\\\\harddisk\\\\program files\\\\test agent\\\\test_agentd.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tDirection:\\t\\tInbound\\r\\n\\tSource Address:\\t\\t1.2.3.4\\r\\n\\tSource Port:\\t\\t1\\r\\n\\tDestination Address:\\t5.6.7.8\\r\\n\\tDestination Port:\\t\\t2\\r\\n\\tProtocol:\\t\\t6\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t163770\\r\\n\\tLayer Name:\\t\\tReceive/Accept\\r\\n\\tLayer Run-Time ID:\\t44\",\"RawXml\":\"5156101281000x8020000000000000646405017Securitytest.fr.domain.dom2652\\\\device\\\\harddisk\\\\program files\\\\test agent\\\\test_agentd.exe%%145921.2.3.415.6.7.826163770%%1461044S-1-0-0S-1-0-0\"}}", + "event": { + "code": "5156", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 5156, + "name": "The Windows Filtering Platform has allowed a connection", + "outcome": "success", + "properties": { + "Application": "\\device\\harddisk\\program files\\test agent\\test_agentd.exe", + "DestAddress": "5.6.7.8", + "DestPort": "2", + "Direction": "%%14592", + "FilterRTID": "163770", + "LayerName": "%%14610", + "LayerRTID": "44", + "Opcode": 0, + "ProcessID": "2652", + "Protocol": "6", + "RemoteMachineID": 
"S-1-0-0", + "RemoteUserID": "S-1-0-0", + "SourceAddress": "1.2.3.4", + "SourcePort": "1" + }, + "record_id": 646405017, + "type": "Security" + }, + "azure_windows": { + "opcode": "0", + "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "12810" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 2 + }, + "host": { + "hostname": "test.fr.domain.dom", + "name": "test.fr.domain.dom" + }, + "log": { + "hostname": "test.fr.domain.dom" + }, + "network": { + "transport": "6" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "\\device\\harddisk\\program files\\test agent\\test_agentd.exe", + "name": "test_agentd.exe", + "pid": 4, + "thread": { + "id": 304100 + }, + "working_directory": "\\device\\harddisk\\program files\\test agent" + }, + "related": { + "hosts": [ + "test.fr.domain.dom" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 1 + } + } + + ``` + + === "event_4648.json" ```json @@ -117,19 +199,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4648, "name": "A logon was attempted using explicit credentials", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 185982314, - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "IpAddress": "-", "IpPort": "-", "LogonGuid": "{bcd3f290-9f73-4e62-a998-475e7db8384c}", + "Opcode": 0, "ProcessId": "0x15bc", "ProcessName": "C:\\Program Files (x86)\\Okta\\Okta AD Agent\\OktaAgentService.exe", "SubjectDomainName": "EXAMPLE", 
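Review bot: `process.pid: 4` and `process.thread.id: 304100` come from the record header's `Pid`/`Tid`, i.e. the process that logged the event, while `process.executable`/`process.name` come from the Application field, the process that accepted the connection, whose ID the event gives as `ProcessID: 2652`; mixing them under one `process` object makes it look like test_agentd.exe runs as PID 4, and a rule joining `process.pid` to `process.executable` will mis-attribute the connection. `process.pid` should carry 2652, with the header `Pid`/`Tid` dropped or kept under `azure_windows`. `network.transport: "6"` is also the IANA protocol number rather than the ECS transport name; `"network": {"iana_number": "6", "transport": "tcp"}` would line it up with windows_5156.json in 250e4095-fa08-4101-bb02-e72f870fcbd1.md, which emits `"transport": "tcp"`. The parser is not in this diff; this is inferred from the generated output.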
@@ -142,6 +216,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "TargetServerName": "localhost", "TargetUserName": "JDO" }, + "record_id": 185982314, + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", "provider_name": "Microsoft-Windows-Security-Auditing", 
@@ -192,6 +270,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"category\":\"WindowsEventLogsTable\",\"level\":\"Informational\",\"properties\":{\"Channel\":\"Security\",\"DeploymentId\":\"cbfba34a-3d3d-4425-aefb-968ee470a8f4\",\"Description\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tIdentification\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1004336348-2052111302-725345543-33053\\r\\n\\tAccount Name:\\t\\tHOSTMON\\r\\n\\tAccount Domain:\\t\\tACME.LOCAL\\r\\n\\tLogon ID:\\t\\t0x6409B67A\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.129.224.1\\r\\n\\tSource Port:\\t\\t55731\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"EventId\":4624,\"Level\":0,\"Opcode\":0,\"Pid\":632,\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"RawXml\":\"4624201254400x80200000000000009999727SecurityAZNTPI-01.acme.localS-1-0-0--0x0S-1-5-21-1004336348-2052111302-725345543-33053HOSTMONACME.LOCAL0x6409b67a3KerberosKerberos-{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}--00x0-10.129.224.155731%%1832---%%18430x0%%1842\",\"Role\":\"IaaS\",\"RoleInstance\":\"_AZNTPI-01\",\"Task\":12544,\"Tid\":904},\"time\":\"2019-07-22T11:20:54.5585776Z\"}", "event": { + "action": "authentication_network", "category": [ "authentication" ], 
@@ -206,22 +285,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4624, "name": "An account was successfully logged on", "outcome": "success", - "properties": [ - { - "domain": "ACME.LOCAL", - "id": "S-1-5-21-1004336348-2052111302-725345543-33053", - "name": "HOSTMON", - "opcode": 0, - "type": "targetedUser" - } - ], - "record_id": 9999727, - "target": "user", - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "AuthenticationPackageName": "Kerberos", + "Domain": "{\"name\": \"ACME.LOCAL\"}", "ElevatedToken": "%%1842", "ImpersonationLevel": "%%1832", "IpAddress": "10.129.224.1", @@ -231,6 +297,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "LogonGuid": "{FF0FDD6A-555D-EA36-45CB-9167DFB9C75D}", "LogonProcessName": "Kerberos", "LogonType": "3", + "Name": "HOSTMON", + "Opcode": 0, "ProcessId": "0x0", "ProcessName": "-", "RestrictedAdminMode": "-", @@ -246,9 +314,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "TargetUserName": "HOSTMON", "TargetUserSid": "S-1-5-21-1004336348-2052111302-725345543-33053", "TransmittedServices": "-", + "Type": "targetedUser", "VirtualAccount": "%%1843", "WorkstationName": "-" }, + "record_id": 9999727, + "target": "user", + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", "provider_name": "Microsoft-Windows-Security-Auditing", @@ -291,7 +365,19 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "sekoiaio": { + "authentication": { + "process": { + "name": "Kerberos" + } + }, + "client": { + "name": "AZNTPI-01.acme.local", + "os": { + "type": "windows" + } + }, "server": { + "name": "AZNTPI-01.acme.local", "os": { "type": "windows" } 
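Review bot: The new `action.properties.Domain` value in the 4624 sample is a double-encoded JSON string, `"Domain": "{\"name\": \"ACME.LOCAL\"}"`, whereas the sibling `Name`/`Type` properties are plain keywords and `TargetDomainName` holds the bare `ACME.LOCAL`; a rule written as `action.properties.Domain: ACME.LOCAL` will not match this. The 4634 sample further down shows the same `"{\"name\": \"ACME\"}"` shape, so this looks like the parser serialising the former nested `domain` object instead of extracting its `name`. I would expect `"Domain": "ACME.LOCAL"` here, consistent with the `keyword` type the field table in this change assigns to `action.properties.Domain`. This file is generated, so the change belongs in the parser output, not a hand edit of the sample.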
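Review bot: In the `sekoiaio` block added to the 4624 sample, `client.name` is set to `AZNTPI-01.acme.local`, the same value as `server.name`; for this `LogonType: 3` event the computer name comes from the accessed host (the event description states it is generated on the computer that was accessed), while the client side is `IpAddress: 10.129.224.1` with `WorkstationName: -`. Populating `client.name` with the server's own name misattributes the origin of a network logon and can make client/server correlation rules match on the wrong side. I would leave `sekoiaio.client.name` unset when `WorkstationName` is `-` and keep only `server.name`, or populate it from `WorkstationName` when that field is present. As above, the parser rather than this generated sample is where the change goes.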
@@ -303,7 +389,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 55731 }, "user": { - "id": "S-1-0-0" + "id": "S-1-0-0", + "target": { + "id": "S-1-5-21-1004336348-2052111302-725345543-33053", + "name": "HOSTMON" + } } } @@ -325,22 +415,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 5058, "name": "Key file operation", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 249096, - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "AlgorithmName": "UNKNOWN", "ClientCreationTime": "2019-06-24T09:18:43.902454200Z", "ClientProcessId": "5396", "KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\5dc8d7cc0741b353e4e980818c304a9b_f67648d5-9dc6-457b-b947-f44d21889d9b", "KeyName": "{3F1E0FA6-ACA6-4152-803B-976EF5816428}", "KeyType": "%%2499", + "Opcode": 0, "Operation": "%%2458", "ProviderName": "Microsoft Software Key Storage Provider", "ReturnCode": "0x0", @@ -349,6 +431,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "WindowsDesktop$", "SubjectUserSid": "S-1-5-18" }, + "record_id": 249096, + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", "provider_name": "Microsoft-Windows-Security-Auditing", 
@@ -404,27 +490,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4634, "name": "An account was logged off", "outcome": "success", - "properties": [ - { - "domain": "ACME", - "id": "S-1-5-18", - "name": "AZNTPI-01$", - "opcode": 0, - "type": "targetedUser" - } - ], - "record_id": 10036511, - "target": "user", - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { + "Domain": "{\"name\": \"ACME\"}", "LogonType": "3", + "Name": "AZNTPI-01$", + "Opcode": 0, "TargetDomainName": "ACME", "TargetLogonId": "0x686007f9", "TargetUserName": "AZNTPI-01$", - "TargetUserSid": "S-1-5-18" + "TargetUserSid": "S-1-5-18", + "Type": "targetedUser" }, + "record_id": 10036511, + "target": "user", + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", "provider_name": "Microsoft-Windows-Security-Auditing", @@ -480,21 +561,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4688, "name": "A new process has been created", "outcome": "success", - "properties": [ - { - "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", - "opcode": 0 - } - ], - "record_id": 3892523, - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "CommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe\" -PerfMode optimize -quickscan -event -json", "MandatoryLabel": "S-1-16-16384", "NewProcessId": "0x50", "NewProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 52\\696\\pmfexe.exe", + "Opcode": 0, "ParentProcessName": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", "ProcessId": "0x1568", "SubjectDomainName": "ACME", 
@@ -507,6 +579,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "TargetUserSid": "S-1-0-0", "TokenElevationType": "%%1936" }, + "record_id": 3892523, + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", "provider_name": "Microsoft-Windows-Security-Auditing", @@ -572,19 +648,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4688, "name": "A new process has been created", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 4948641, - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-ExecutionPolicy\" \"Unrestricted\" \"-Noninteractive\" \"-NoProfile\" \"-NoLogo\" \"-File\" \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\AzureMetadata.ps1\"", "NewProcessId": "0x17b4", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "Opcode": 0, "ProcessId": "0x1788", "SubjectDomainName": "ACME", "SubjectLogonId": "0x3e7", @@ -596,6 +664,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "TargetUserSid": "S-1-0-0", "TokenElevationType": "%%1936" }, + "record_id": 4948641, + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", "provider_name": "Microsoft-Windows-Security-Auditing", @@ -658,11 +730,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 10001, "name": "no match", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], + "properties": { + "Opcode": 0 + }, "record_id": 9379, "type": "Application" }, 
@@ -714,17 +784,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 1, "name": "Process creation", "outcome": "success", - "properties": [ - { - "ParentImage": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", - "opcode": 0 - } - ], - "record_id": 120166, - "type": "Microsoft-Windows-Sysmon/Operational" - }, - "azure_windows": { - "event_data": { + "properties": { "CommandLine": "\"C:\\windows\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", "Company": "Microsoft Corporation", "CurrentDirectory": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary Files 3\\507\\", @@ -735,6 +795,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "IntegrityLevel": "System", "LogonGuid": "{f67648d5-e752-5d68-0000-0020e7030000}", "LogonId": "0x3e7", + "Opcode": 0, "OriginalFileName": "cscript.exe", "ParentCommandLine": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding", "ParentImage": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", @@ -748,6 +809,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2019-08-30 14:53:03.012" }, + "record_id": 120166, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "azure_windows": { "opcode": "0", "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -821,24 +886,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 11, "name": "FileCreate", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 121811, - "type": "Microsoft-Windows-Sysmon/Operational" - }, - "azure_windows": { - "event_data": { + "properties": { "CreationUtcTime": "2019-11-27 15:25:45.117", "Image": "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", + "Opcode": 0, "ProcessGuid": "{4A43FA81-9578-5DDE-0000-0010490B8303}", "ProcessId": "4000", "RuleName": null, "TargetFilename": "C:\\Windows\\Temp\\__PSScriptPolicyTest_tnklb3sm.oxn.ps1", "UtcTime": "2019-11-27 15:25:45.117" }, + "record_id": 121811, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "azure_windows": { "opcode": "0", "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", "provider_name": "Microsoft-Windows-Sysmon", @@ -897,25 +958,21 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 13, "name": "RegistryEvent (Value Set)", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 530135, - "type": "Microsoft-Windows-Sysmon/Operational" - }, - "azure_windows": { - "event_data": { + "properties": { "Details": "Microsoft Print to PDF (redirected 5)", "EventType": "SetValue", "Image": "System", + "Opcode": 0, "ProcessGuid": "{4A43FA81-9258-5E74-0000-0010EB030000}", "ProcessId": "4", "RuleName": null, "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\PRINTENUM\\{8D2AEEAE-D27D-4E4D-8F57-A3DA76648B01}\\FriendlyName", "UtcTime": "2020-04-01 06:34:15.158" }, + "record_id": 530135, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "azure_windows": { "opcode": "0", "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -980,17 +1037,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 22, "name": "DNS query", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 136242, - "type": "Microsoft-Windows-Sysmon/Operational" - }, - "azure_windows": { - "event_data": { + "properties": { "Image": "C:\\Windows\\System32\\svchost.exe", + "Opcode": 0, "ProcessGuid": "{f67648d5-4d39-5e56-0000-0010ec220200}", "ProcessId": "3676", "QueryName": "v10.events.data.microsoft.com", @@ -999,6 +1048,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "RuleName": null, "UtcTime": "2020-02-26 11:08:09.059" }, + "record_id": 136242, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "azure_windows": { "opcode": "0", "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9", "provider_name": "Microsoft-Windows-Sysmon", @@ -1078,17 +1131,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 3, "name": "Network connection", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 189923, - "target": "network-traffic", - "type": "Microsoft-Windows-Sysmon/Operational" - }, - "azure_windows": { - "event_data": { + "properties": { "DestinationHostname": null, "DestinationIp": "169.254.169.254", "DestinationIsIpv6": "false", @@ -1096,6 +1139,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DestinationPortName": "http", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", + "Opcode": 0, "ProcessGuid": "{4A43FA81-5A68-5DFA-0000-0010A992AC18}", "ProcessId": "4364", "Protocol": "tcp", 
@@ -1108,6 +1152,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2019-12-18 16:57:18.516" }, + "record_id": 189923, + "target": "network-traffic", + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "azure_windows": { "opcode": "0", "provider_guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9", "provider_name": "Microsoft-Windows-Sysmon", @@ -1189,19 +1238,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4688, "name": "A new process has been created", "outcome": "success", - "properties": [ - { - "opcode": 0 - } - ], - "record_id": 13259890, - "type": "Security" - }, - "azure_windows": { - "event_data": { + "properties": { "CommandLine": "C:\\Windows\\system32\\svchost.exe -k wsappx", "NewProcessId": "0x12f0", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", + "Opcode": 0, "ProcessId": "0x25c", "SubjectDomainName": "ACME", "SubjectLogonId": "0x3e7", @@ -1213,6 +1254,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "TargetUserSid": "S-1-0-0", "TokenElevationType": "%%1936" }, + "record_id": 13259890, + "type": "Security" + }, + "azure_windows": { "opcode": "0", "provider_guid": "54849625-5478-4994-A5BA-3E3B0328C30D", "provider_name": "Microsoft-Windows-Security-Auditing", 
@@ -1270,8 +1315,11 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`action.properties` | `object` | A list of objects | +|`action.properties.Domain` | `keyword` | The domain of user | +|`action.properties.Name` | `keyword` | The username | +|`action.properties.Opcode` | `number` | The opcode | +|`action.properties.Type` | `keyword` | The type of user | |`action.target` | `keyword` | The target of the action | -|`azure_windows.event_data` | `object` | The event-specific data | |`azure_windows.opcode` | `keyword` | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | |`azure_windows.provider_guid` | `keyword` | A globally unique identifier that identifies the provider that logged the event | |`azure_windows.provider_name` | `keyword` | The source of the event log record (the application or service that logged the record). | @@ -1280,6 +1328,7 @@ The following table lists the fields that are extracted, normalized under the EC |`azure_windows.user.identifier` | `keyword` | The Windows security identifier (SID) of the account associated with this event | |`azure_windows.user.name` | `keyword` | Name of the user associated with this event | |`azure_windows.user.type` | `keyword` | The type of account associated with this event | +|`destination.address` | `keyword` | Destination network address. | |`destination.domain` | `keyword` | The domain name of the destination. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | 
@@ -1319,6 +1368,7 @@ The following table lists the fields that are extracted, normalized under the EC |`registry.key` | `keyword` | Hive-relative path of keys. | |`registry.path` | `keyword` | Full path, including hive, key and value | |`registry.value` | `keyword` | Name of the value written. | +|`source.address` | `keyword` | Source network address. | |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md index 376cc30460..582c95da61 100644 --- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md +++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md 
@@ -33,6 +33,35 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_5156" + + + ```json + { + "time": "2024-08-05T09:42:02.6748562Z", + "category": "WindowsEventLogsTable", + "level": "Informational", + "properties": { + "DeploymentId": "6abbdff3-a82c-4089-9953-44123e5f2400", + "Role": "IaaS", + "RoleInstance": "ROLE01", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "ProviderName": "Microsoft-Windows-Security-Auditing", + "EventId": 5156, + "Level": 0, + "Pid": 4, + "Tid": 304100, + "Opcode": 0, + "Task": 12810, + "Channel": "Security", + "Description": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t2652\r\n\tApplication Name:\t\\device\\harddisk\\program files\\test agent\\test_agentd.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t1.2.3.4\r\n\tSource Port:\t\t1\r\n\tDestination Address:\t5.6.7.8\r\n\tDestination Port:\t\t2\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t163770\r\n\tLayer Name:\t\tReceive/Accept\r\n\tLayer Run-Time ID:\t44", + "RawXml": "5156101281000x8020000000000000646405017Securitytest.fr.domain.dom2652\\device\\harddisk\\program files\\test agent\\test_agentd.exe%%145921.2.3.415.6.7.826163770%%1461044S-1-0-0S-1-0-0" + } + } + ``` + + + === "event_4648" diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 5719781c07..2421455e6a 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md 
@@ -66,9 +66,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "packets": 1, "port": 53 }, - "host": { - "name": "/SUBSCRIPTIONS/12345674-1234-1234-1234-12345646546875/RESOURCEGROUPS/FOO/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZNTDC02-NSG" - }, "network": { "direction": "inbound", "transport": "udp" @@ -130,9 +127,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "5.6.7.8", "port": 23 }, - "host": { - "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" - }, "network": { "direction": "inbound", "transport": "tcp" @@ -194,9 +188,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "packets": 1, "port": 8086 }, - "host": { - "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" - }, "network": { "direction": "outbound", "transport": "tcp" @@ -257,9 +248,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "5.6.7.8", "port": 443 }, - "host": { - "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" - }, "network": { "direction": "outbound", "transport": "tcp" 
@@ -307,7 +295,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.code` | `keyword` | Identification code for this event. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | -|`host.name` | `keyword` | Name of the host. | |`rule.name` | `keyword` | Rule name | |`source.bytes` | `long` | Bytes sent from the source to the destination. | |`source.ip` | `ip` | IP address of the source. | diff --git a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md new file mode 100644 index 0000000000..d4f8565446 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md 
@@ -0,0 +1,753 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Anti-virus` | PradeoSecurity analyses applications to prevent malicious actions. | +| `Network device configuration` | PradeoSecurity analyses device network configuration to prevent malicious actions. | +| `Data loss prevention` | PradeoSecurity analyses applications to identify data leaks. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `configuration`, `process` | +| Type | `change`, `info` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "admin-initiator.json" + + ```json + + { + "message": "{\"id\":\"jyFgy57XQGm0oEk6V_6tdA\",\"creationDate\":\"2024-07-23T13:28:32.594Z\",\"source\":\"admin\",\"category\":null,\"type\":\"MessageCreated\",\"content\":{\"message\":{\"id\":\"u7GTsigSS1CWtS_y80zpgw\",\"title\":\"test\",\"content\":\"envoye a 15:28\",\"creationDate\":\"2024-07-23T13:28:32.578Z\"}},\"user\":{\"id\":\"gA0jK6lCSBWZ3-ZMR9IoFw\",\"email\":\"alan.smithee@pradeo.com\",\"firstName\":\"Alan\",\"lastName\":\"Smithee\",\"jobTitle\":null,\"phoneNumber\":null,\"language\":\"English\",\"isDeactivated\":false,\"isFirstConnection\":true,\"toNotify\":false,\"lastConnectionDate\":\"2024-07-23T14:56:26.000Z\",\"creationDate\":\"2024-07-03T12:24:48.924Z\",\"lastModificationDate\":\"2024-07-23T14:56:26.000Z\"},\"device\":null,\"company\":{\"id\":\"bufQJXK_RNamdgiPmXzpFg\",\"name\":\"Mobile boat\",\"creationDate\":\"2024-07-03T10:01:02.043Z\",\"lastModificationDate\":\"2024-07-04T07:19:50.000Z\",\"deletedAt\":null}}", + "event": { + "action": "MessageCreated" + }, + "@timestamp": "2024-07-23T13:28:32.594000Z", + "pradeo": { + "metadata": { + "creationDate": "2024-07-23T13:28:32.594000Z", + "id": "jyFgy57XQGm0oEk6V_6tdA", + "source": "admin", + "type": "MessageCreated" + } + }, + "user": { + "email": "alan.smithee@pradeo.com", + "full_name": "Alan Smithee", + "id": "gA0jK6lCSBWZ3-ZMR9IoFw" + } + } + + ``` + + +=== "application-created.json" + + ```json + + { + "message": "{\"id\":\"8bnDz9zBI0S25lsXD22nxg\",\"creationDate\":\"2024-07-02T07:02:15.721Z\",\"source\":\"device\",\"category\":null,\"type\":\"ApplicationCreated\",\"content\":{\"application\":{\"id\":\"6DN0jTLmX8-958o-fa3pnQ\",\"version\":\"1.10.2\",\"md5\":\"673937eab709d3e3999b25bc564902c4\",\"sha1\":\"639f1ebc03aac79374e70123d15bd00fc68d37af\",\"sha256\":\"8ddb8f0098f6159fba0a56444fe67634adb7903770eaa646ef202f8d8f32d3df\",\"name\":\"Sonic 
2\",\"versionCode\":\"217\",\"size\":83816851,\"package\":{\"id\":\"N4N-N9ByVrKDs-WCpxSj6Q\",\"package\":\"com.sega.sonic2.runner\",\"system\":\"Android\"}}}}", + "event": { + "action": "ApplicationCreated" + }, + "@timestamp": "2024-07-02T07:02:15.721000Z", + "pradeo": { + "metadata": { + "creationDate": "2024-07-02T07:02:15.721000Z", + "id": "8bnDz9zBI0S25lsXD22nxg", + "source": "device", + "type": "ApplicationCreated" + } + } + } + + ``` + + +=== "detection-policy-updated.json" + + ```json + + { + "message": "{\"id\":\"_czh5ptATAa0TDv8cCR75g\",\"creationDate\":\"2024-07-02T12:20:01.795Z\",\"source\":\"system\",\"category\":null,\"type\":\"DetectionPolicyUpdated\",\"content\":{\"detectionPolicy\":{\"id\":\"R-cZz0iUSyujQ954d3qytw\",\"name\":\"iO Si Senor\",\"creationDate\":\"2023-11-13T17:58:03.000Z\",\"lastModificationDate\":\"2024-05-27T08:14:01.531Z\",\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"inheritable\":false,\"dataRules\":[],\"featureRules\":[],\"communicationRules\":[],\"systemStatusLevels\":[],\"networkStatusLevels\":[],\"deviceGroups\":[],\"handledCompanies\":[],\"version\":1}}}", + "event": { + "action": "DetectionPolicyUpdated" + }, + "@timestamp": "2024-07-02T12:20:01.795000Z", + "pradeo": { + "metadata": { + "creationDate": "2024-07-02T12:20:01.795000Z", + "id": "_czh5ptATAa0TDv8cCR75g", + "source": "system", + "type": "DetectionPolicyUpdated" + } + } + } + + ``` + + +=== "device-compliance-updated.json" + + ```json + + { + "message": 
"{\"id\":\"XjR27UNPT7ixTAV6M4YBEA\",\"creationDate\":\"2024-07-01T17:24:54.784Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceComplianceUpdated\",\"content\":{\"deviceCompliance\":{\"id\":\"tw0T69jkS1SOdBc-QFat8A\",\"status\":\"Approved\",\"computed\":true,\"creationDate\":\"2024-07-01T17:01:20.075Z\",\"lastModificationDate\":\"2024-07-01T17:02:02.000Z\",\"device\":{\"id\":\"kfvsh37xT2GUUlQHBZSIZw\",\"serialNumber\":null,\"imei\":\"356568109376877\",\"name\":\"remy iPhone iOS 17.5.1 N736\",\"email\":null,\"singleEnrollmentKey\":\"00008030-0006404C2EE1802E\",\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"group\":{\"id\":\"NndTZCHjSMyUKP3XlCBosQ\",\"name\":\"R&D\",\"createdAt\":\"2024-04-18T12:31:32.000Z\",\"emmGroupInfo\":null,\"detectionPolicy\":{\"id\":\"JIiW6eyUWoe9COTVCR4rww\",\"name\":\"Standard\",\"type\":\"Application and device threat\",\"creationDate\":\"2024-01-21T22:47:37.034Z\",\"lastModificationDate\":\"2024-01-21T22:47:37.034Z\",\"inheritable\":true,\"version\":1}},\"enrollmentStatus\":{\"id\":\"FchrtdT-QT-xknMShye0eQ\",\"lastConnection\":null,\"coupled\":false},\"emmDeviceInfo\":{\"id\":\"2vZdUKtuRCWHl4TDp8uTaw\",\"externalId\":\"00008030-0006404C2EE1802E\",\"emm\":\"airwatch\"}},\"matchedResponseRules\":[]}}}", + "event": { + "action": "DeviceComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-07-01T17:24:54.784000Z", + "pradeo": { + "compliance": { + "matchedResponseRules": [] + }, + "detection": { + "status": "Approved" + }, + "device": { + "byod": false, + "coupled": false, + "emm": "airwatch", + "id": "kfvsh37xT2GUUlQHBZSIZw", + "imei": "356568109376877", + "mdmId": "00008030-0006404C2EE1802E", + "name": "remy iPhone iOS 17.5.1 N736" + }, + "metadata": { + "creationDate": "2024-07-01T17:24:54.784000Z", + "id": 
"XjR27UNPT7ixTAV6M4YBEA", + "source": "system", + "type": "DeviceComplianceUpdated" + } + } + } + + ``` + + +=== "device-correlation-updated.json" + + ```json + + { + "message": "{\"id\":\"QFtxnwWFCERsCvYI599bSv\",\"creationDate\":\"2024-07-01T14:28:11.000Z\",\"source\":\"system\",\"category\":\"null\",\"type\":\"DeviceCorrelationUpdated\",\"content\":{\"id\":\"android:p-2MTZU_S1jQsqz9Ommy_A\",\"last_name\":\"m\",\"first_name\":\"m\",\"email\":\"\",\"metric\":\"match_bluetooth\",\"type\":\"BlueTooth activation\",\"status\":\"END\"}}", + "event": { + "action": "DeviceCorrelationUpdated", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-01T14:28:11Z", + "pradeo": { + "correlation": { + "applicationThreatLevel": "Red", + "matchedNetworkStatusLevels": [ + { + "deviceNetworkStatusRecord": { + "id": "6EByUpV4R9qcggk9mQGylA", + "value": 3 + }, + "id": "6_WYPd5hRp2ZKteAx_KUhw", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "hbaZqAT-VSG-6BWCL2ec0w", + "name": "ARPPoisoning" + }, + "id": "YgTHvrQqQUyIZTysaK_heQ", + "level": "Green" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "n5gtT-ORQImbp3dql_SlHw", + "value": 0 + }, + "id": "8-WULaesQQSEbVyYk7_WAQ", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "WgEwwyksUIS2T5AFjKtGvg", + "name": "Bluetooth" + }, + "id": "uHvq4MBERPuVAk3luwphrg", + "level": "Green" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "06Hv_Fw-TC-ZRGbkoIWSkg", + "value": 0 + }, + "id": "alN6SbtoTk-39N9H7IEzrg", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "pwxiTO7iW0inGsISgmFxMQ", + "name": "NFC" + }, + "id": "y0CHemAGROCpswd5vu7BGQ", + "level": "Orange" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "bAeDvPxoTJ-5hLGUKHgpWw", + "value": 0 + }, + "id": "D0piRvT4QbutQljPMalXsQ", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "fPrbn1lHXwuQAhrRgMvSTg", + "name": "RogueCellTower" + }, + "id": "GO7UOVytQX-78Tzk5IOvjg", + "level": "Red" + } + }, + { 
+ "deviceNetworkStatusRecord": { + "id": "xev8ikm5SX-s4zNVzbd9Cw", + "value": 0 + }, + "id": "DZi_-u7HRl-zN_jP-MAlSw", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "5H_waBpbX6-W5Zg0SDQhIA", + "name": "ConnectionToUntrustedHotspots" + }, + "id": "myxc8oiYTAWZEEwHvwbIEQ", + "level": "Orange" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "naAO765rRtyHscwBD3RrZg", + "value": 0 + }, + "id": "gkrrmUKsSeiEvqgUr5IfUg", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "YWXiVq4SUnimRuDEzzDb_w", + "name": "RogueAccessPoint" + }, + "id": "G-pFFmnsSWe-LXZEkSqhBA", + "level": "Green" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "6y2ToOEXQmCyI2kHhxd7Eg", + "value": 0 + }, + "id": "kj2F5qhIQzGMdPerO-Y3Lw", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "TSss4UX3XweuFnLLGSbR1w", + "name": "ManInTheMiddle" + }, + "id": "O43t_Zq2SkeM6TZiFmM8jQ", + "level": "Red" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "YNJfP2b7QdW3ULYB_CbIGw", + "value": 1 + }, + "id": "TSfDjjttS-GYG_NS4rSKPg", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "f4nzGKc5UF-0Ow_uz0_jHQ", + "name": "GPS" + }, + "id": "i0GslqZcR4K3k6k1S6EWHQ", + "level": "Green" + } + }, + { + "deviceNetworkStatusRecord": { + "id": "08ZvMtm5TNOHTTkXujWD2w", + "value": 0 + }, + "id": "zeCc8trcQciYY4rLZce54w", + "networkStatusLevel": { + "deviceNetworkStatus": { + "id": "WRrA_3G0WZOdV52312piYA", + "name": "VPN" + }, + "id": "13GU2c4vTxC2QylhQtWpPg", + "level": "Orange" + } + } + ], + "matchedSystemStatusLevels": [ + { + "deviceSystemStatusRecord": { + "id": "57jwjBD9SLCnfh5bSWmzSA", + "value": 0 + }, + "id": "-Beyvn0rTOmgqC1rs3XaEw", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "92Xbb2HhW02s85yh33nHfg", + "name": "SystemNotUpToDate" + }, + "id": "oYdBmpvDT0aUz1dCzRGYDw", + "level": "Orange" + } + }, + { + "deviceSystemStatusRecord": { + "id": "zrUxC90pTFOdDtfWlq_Mow", + "value": 1 + }, + "id": "1YiiEuuATR2rB7nKinFU5g", + "systemStatusLevel": { 
+ "deviceSystemStatus": { + "id": "EmL050CAW-65ogu3GRSAsg", + "name": "ApplicationInstalledFromUnknownSource" + }, + "id": "SX5zOVZoTWOn7oRTv8cNdw", + "level": "Orange" + } + }, + { + "deviceSystemStatusRecord": { + "id": "_qLcu7a_TTatBWvbWRy8cA", + "value": 3 + }, + "id": "5vljuTwJQhSFWGOD3EF-aQ", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "s6wK_SInU42K_g2bGsPbhg", + "name": "SELinuxPermissive" + }, + "id": "_ukzZc57QouY7kudIIrEsw", + "level": "Orange" + } + }, + { + "deviceSystemStatusRecord": { + "id": "QMyc35a8TI27t5SFtvs_0A", + "value": 1 + }, + "id": "6HGN94xFQPm6f6UXr5jPdw", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "FjkqaultWs-HBFWzHq3C8Q", + "name": "AccessibilityOption" + }, + "id": "gSIPIL0kSk62XlQuoelXDQ", + "level": "Green" + } + }, + { + "deviceSystemStatusRecord": { + "id": "5ft9cwvGTI-Cnee1u-F9Aw", + "value": 0 + }, + "id": "bH-NDdsATluwj6VZn-ZBzA", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "iEqcWkTpW8yARFKCv8MBYQ", + "name": "CustomHosts" + }, + "id": "Nbnd9EGxQMuqkF0KXysA4A", + "level": "Red" + } + }, + { + "deviceSystemStatusRecord": { + "id": "aZUmMZ3cTNG3RfYhjpd8tQ", + "value": 1 + }, + "id": "d9CKeAvCT9Sb3vP06MOq4Q", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "sMLlZzy8WFKDp8xev58LpA", + "name": "DebugMode" + }, + "id": "jWr0_EQpSj2z_JrkD2WOyQ", + "level": "Red" + } + }, + { + "deviceSystemStatusRecord": { + "id": "yyQGNf7sT_KVRGUFdtnygw", + "value": 0 + }, + "id": "juI58xKrSrK16Rk787RsnA", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "UzAgUIoDXLioT8Xca4q9UA", + "name": "DeviceNotEncrypted" + }, + "id": "hgwHAMvZTImT151inM8vYg", + "level": "Red" + } + }, + { + "deviceSystemStatusRecord": { + "id": "-drVU9tpS1qugsU-1d0EDA", + "value": 1 + }, + "id": "VnfcT_lgRHurAfaGjym-rA", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "AV84fYHQXbyKjXZ52iuHLg", + "name": "DeveloperMode" + }, + "id": "lB0d6wk8TJWpmJ-96Fi02Q", + "level": "Orange" + } + }, + { + 
"deviceSystemStatusRecord": { + "id": "mM3q-uXmR1-TJflwC-C72w", + "value": 0 + }, + "id": "w0rOFu5STim869zy6aHs3w", + "systemStatusLevel": { + "deviceSystemStatus": { + "id": "cAwR35npXkmkg7IF3KnCgg", + "name": "Root" + }, + "id": "oRJbjuE2Sl2P8exMrFQTHw", + "level": "Red" + } + } + ], + "networkThreatLevel": "Green", + "systemThreatLevel": "Red" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "SM-A536B", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2023-08-01T00:00:00Z", + "declaredOperatingSystemVersion": "13", + "email": "test@pradeo.dev", + "emm": "unknown", + "id": "iowEjn9PR2WlrIIBR2_FPQ", + "imei": "xxxxx", + "lastConnection": "2024-07-05T14:58:48Z", + "mdmId": "xxxxx", + "name": "Test device", + "serialNumber": "unknown" + }, + "metadata": { + "category": "null", + "creationDate": "2024-07-01T14:28:11Z", + "id": "QFtxnwWFCERsCvYI599bSv", + "source": "system", + "type": "DeviceCorrelationUpdated" + }, + "policy": { + "id": "JIiW6eyUWoe9COTVCR4rww", + "name": "Standard" + } + } + } + + ``` + + +=== "device-detection.json" + + ```json + + { + "message": "{\"id\":\"QFtxnwWFCERsCvYI599bSv\",\"creationDate\":\"2024-07-01T14:28:11.000Z\",\"source\":\"admin\",\"category\":\"Network\",\"type\":\"DeviceDetection\",\"content\":{\"id\":\"android:p-2MTZU_S1jQsqz9Ommy_A\",\"last_name\":\"m\",\"first_name\":\"m\",\"email\":\"\",\"metric\":\"match_bluetooth\",\"type\":\"BlueTooth activation\",\"status\":\"END\"}}", + "event": { + "action": "DeviceDetection", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-01T14:28:11Z", + "pradeo": { + "detection": { + "status": "match_bluetooth", + "value": "END" + }, + "device": { + "id": "android:p-2MTZU_S1jQsqz9Ommy_A" + }, + "metadata": { + "category": "Network", + "creationDate": "2024-07-01T14:28:11Z", + "id": "QFtxnwWFCERsCvYI599bSv", + "source": "admin", + "type": "DeviceDetection" + } + } + } + + ``` + + +=== 
"device-initiator.json" + + ```json + + { + "message": "{\"id\":\"---tmfIPM0q8uo0bGtreRA\",\"creationDate\":\"2024-07-05T08:58:43.325Z\",\"source\":\"device\",\"category\":null,\"type\":\"DeviceStatusHistoryUpdated\",\"content\":{\"deviceId\":\"3DGAsW2pRhKZLArNUGBo4Q\",\"event\":{\"kind\":\"RogueCellTower\",\"value\":2}},\"user\":null,\"device\":{\"id\":\"3DGAsW2pRhKZLArNUGBo4Q\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":null,\"email\":null,\"singleEnrollmentKey\":\"{sa?LW]p:gWoGR}),ishy@)7XPoMI-)LH&n)g5v{aY{Wqi4b\",\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":\"Android\",\"declaredOperatingSystemVersion\":\"13\",\"declaredOperatingSystemSecurityPatchDate\":\"2023-11-05T00:00:00.000Z\",\"declaredModel\":\"EB2103\",\"enrollmentStatus\":{\"id\":\"etw6fGIcQtyKQDB3hbpXUQ\",\"lastConnection\":\"2024-07-05T13:05:05.000Z\",\"coupled\":false},\"emmDeviceInfo\":null},\"company\":{\"id\":\"bufQJXK_RNamdgiPmXzpFg\",\"name\":\"Mobile boat\",\"creationDate\":\"2024-07-03T10:01:02.043Z\",\"lastModificationDate\":\"2024-07-04T07:19:50.000Z\",\"deletedAt\":null}}", + "event": { + "action": "DeviceStatusHistoryUpdated", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-05T08:58:43.325000Z", + "pradeo": { + "detection": { + "status": "RogueCellTower", + "value": 2 + }, + "device": { + "id": "3DGAsW2pRhKZLArNUGBo4Q" + }, + "initiator": { + "byod": false, + "coupled": false, + "declaredModel": "EB2103", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2023-11-05T00:00:00.000Z", + "declaredOperatingSystemVersion": "13", + "id": "3DGAsW2pRhKZLArNUGBo4Q", + "lastConnection": "2024-07-05T13:05:05Z", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-07-05T08:58:43.325000Z", + "id": "---tmfIPM0q8uo0bGtreRA", + "source": "device", + "type": "DeviceStatusHistoryUpdated" + } + } + } + + ``` + + +=== "device-network-status-record-updated.json" + + 
```json + + { + "message": "{\"id\":\"SQU4ZdbZSxqEIi1ioYP6mw\",\"creationDate\":\"2024-07-01T14:28:20.233Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceNetworkStatusRecordUpdated\",\"content\":{\"deviceNetworkStatusRecord\":{\"id\":\"7tUjB6riQGqo2Tqz4AmVPw\",\"device\":{\"id\":\"R96VSXfLT4i1UDNKioactw\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":\"m m\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"2GxYOm6GR8qXdDRMrCjJwQ\",\"lastConnection\":\"2024-07-01T09:54:07.000Z\",\"coupled\":true},\"emmDeviceInfo\":null,\"configuration\":{\"id\":\"XXWAKzLmTIydNDbSbpLuWw\",\"advancedMode\":false,\"notificationPermission\":\"Undefined\",\"geolocationPermission\":\"Undefined\",\"callPermission\":\"Undefined\",\"knoxPermission\":\"Undefined\",\"vpnPermission\":\"Undefined\",\"bluetoothPermission\":\"Undefined\",\"deviceAdminPermission\":\"Undefined\",\"overlayPermission\":\"Undefined\",\"usageStatisticsPermission\":\"Undefined\",\"accessibilityPermission\":\"Undefined\",\"ignoreBatteryOptimizationPermission\":\"Undefined\"}},\"deviceNetworkStatus\":{\"id\":\"WgEwwyksUIS2T5AFjKtGvg\",\"name\":\"Bluetooth\"},\"value\":0}}}", + "event": { + "action": "DeviceNetworkStatusRecordUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-07-01T14:28:20.233000Z", + "pradeo": { + "detection": { + "status": "Bluetooth", + "value": 0 + }, + "device": { + "byod": false, + "coupled": true, + "id": "R96VSXfLT4i1UDNKioactw", + "lastConnection": "2024-07-01T09:54:07Z", + "name": "m m", + "serialNumber": "unknown" + }, + 
"metadata": { + "creationDate": "2024-07-01T14:28:20.233000Z", + "id": "SQU4ZdbZSxqEIi1ioYP6mw", + "source": "system", + "type": "DeviceNetworkStatusRecordUpdated" + } + } + } + + ``` + + +=== "device-status-history-updated.json" + + ```json + + { + "message": "{\"id\":\"Chp2bFsQTEGAJd67m_Na2w\",\"creationDate\":\"2024-07-01T14:28:20.139Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceStatusHistoryUpdated\",\"content\":{\"deviceId\":\"R96VSXfLT4i1UDNKioactw\",\"event\":{\"id\":\"Aw9PSSUpT0idoAdhaiACbg\",\"device\":{\"id\":\"R96VSXfLT4i1UDNKioactw\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":\"m m\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"2GxYOm6GR8qXdDRMrCjJwQ\",\"lastConnection\":\"2024-07-01T09:54:07.000Z\",\"coupled\":true},\"emmDeviceInfo\":null},\"kind\":\"Bluetooth\",\"value\":0,\"eventDate\":\"2024-07-01T14:28:20.124Z\"}}}", + "event": { + "action": "DeviceStatusHistoryUpdated", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-01T14:28:20.139000Z", + "pradeo": { + "detection": { + "status": "Bluetooth", + "value": 0 + }, + "device": { + "id": "R96VSXfLT4i1UDNKioactw" + }, + "metadata": { + "creationDate": "2024-07-01T14:28:20.139000Z", + "id": "Chp2bFsQTEGAJd67m_Na2w", + "source": "system", + "type": "DeviceStatusHistoryUpdated" + } + } + } + + ``` + + +=== "device-system-status-record-updated.json" + + ```json + + { + "message": 
"{\"id\":\"hWjVNq-WRiefU1vqfrbeyQ\",\"creationDate\":\"2024-06-27T11:24:13.592Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceSystemStatusRecordUpdated\",\"content\":{\"deviceSystemStatusRecord\":{\"id\":\"2jA8-gQ6TCuGIgR9EMcbYQ\",\"device\":{\"id\":\"EeFFJKtPS0Gl52z5uzijKg\",\"serialNumber\":null,\"imei\":null,\"name\":\" cs Ivanti EID2\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":true,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"ZWxQtoMWTKegjcvMinHaZg\",\"lastConnection\":\"2024-06-21T12:07:57.000Z\",\"coupled\":true},\"emmDeviceInfo\":null,\"configuration\":{\"id\":\"4oQgfWybS46D2huT1ggWLA\",\"advancedMode\":false,\"notificationPermission\":\"Undefined\",\"geolocationPermission\":\"Undefined\",\"callPermission\":\"Undefined\",\"knoxPermission\":\"Undefined\",\"vpnPermission\":\"Undefined\",\"bluetoothPermission\":\"Undefined\",\"deviceAdminPermission\":\"Undefined\",\"overlayPermission\":\"Undefined\",\"usageStatisticsPermission\":\"Undefined\",\"accessibilityPermission\":\"Undefined\",\"ignoreBatteryOptimizationPermission\":\"Undefined\"}},\"deviceSystemStatus\":{\"id\":\"AV84fYHQXbyKjXZ52iuHLg\",\"name\":\"DeveloperMode\"},\"value\":1}}}", + "event": { + "action": "DeviceSystemStatusRecordUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-06-27T11:24:13.592000Z", + "pradeo": { + "detection": { + "status": "DeveloperMode", + "value": 1 + }, + "device": { + "byod": true, + "coupled": true, + "id": "EeFFJKtPS0Gl52z5uzijKg", + "lastConnection": "2024-06-21T12:07:57Z", + "name": " cs Ivanti EID2" + }, + "metadata": { + "creationDate": 
"2024-06-27T11:24:13.592000Z", + "id": "hWjVNq-WRiefU1vqfrbeyQ", + "source": "system", + "type": "DeviceSystemStatusRecordUpdated" + } + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`pradeo.application.id` | `string` | id of the application | +|`pradeo.application.md5` | `string` | md5 of the application | +|`pradeo.application.name` | `string` | name of the application | +|`pradeo.application.package` | `string` | package of the application | +|`pradeo.application.sha1` | `string` | sha1 of the application | +|`pradeo.application.sha256` | `string` | sha256 of the application | +|`pradeo.application.system` | `string` | operating system of the application | +|`pradeo.application.version` | `string` | version of the application | +|`pradeo.application.versionCode` | `integer` | version code of the application | +|`pradeo.compliance.matchedResponseRules` | `string` | compliance matched response rules level of a device or device application | +|`pradeo.correlation.applicationThreatLevel` | `keyword` | application threat level of the device | +|`pradeo.correlation.matchedNetworkStatusLevels` | `string` | matched network status level of a device | +|`pradeo.correlation.matchedSystemStatusLevels` | `string` | matched system status level of a device | +|`pradeo.correlation.networkThreatLevel` | `keyword` | network threat level of the device | +|`pradeo.correlation.systemThreatLevel` | 
`keyword` | system threat level of the device | +|`pradeo.detection.status` | `keyword` | device status name affected by the event | +|`pradeo.detection.value` | `integer` | device status value affected by the event | +|`pradeo.device.byod` | `boolean` | byod state of the device | +|`pradeo.device.coupled` | `boolean` | coupling status of the device | +|`pradeo.device.declaredModel` | `string` | declared model of the device | +|`pradeo.device.declaredOperatingSystem` | `keyword` | declared operating system of the device | +|`pradeo.device.declaredOperatingSystemSecurityPatchDate` | `datetime` | declared operating system security patch date of the device | +|`pradeo.device.declaredOperatingSystemVersion` | `string` | declared operating system version of the device | +|`pradeo.device.email` | `string` | email of the device | +|`pradeo.device.emm` | `string` | emm of the device | +|`pradeo.device.id` | `string` | id of the device | +|`pradeo.device.imei` | `string` | imei of the device | +|`pradeo.device.lastConnection` | `datetime` | last connection date of the device | +|`pradeo.device.mdmId` | `string` | mdm id of the device | +|`pradeo.device.name` | `string` | name of the device | +|`pradeo.device.serialNumber` | `string` | serial mumber of the device | +|`pradeo.initiator.byod` | `boolean` | byod state of the initiator of the action (device) | +|`pradeo.initiator.coupled` | `boolean` | coupling status of the initiator of the action (device) | +|`pradeo.initiator.declaredModel` | `string` | declared model of the initiator of the action (device) | +|`pradeo.initiator.declaredOperatingSystem` | `keyword` | declared operating system of the initiator of the action (device) | +|`pradeo.initiator.declaredOperatingSystemSecurityPatchDate` | `string` | declared operating system security patch date of the initiator of the action (device) | +|`pradeo.initiator.declaredOperatingSystemVersion` | `string` | declared operating system version of the initiator of the action 
(device) | +|`pradeo.initiator.email` | `string` | email of the initiator of the action (device or admin) | +|`pradeo.initiator.emm` | `keyword` | emm of the initiator of the action (device) | +|`pradeo.initiator.id` | `string` | id of the initiator of the action (device or admin) | +|`pradeo.initiator.imei` | `string` | imei of the initiator of the action (device) | +|`pradeo.initiator.lastConnection` | `datetime` | last connection date of the initiator of the action (device) | +|`pradeo.initiator.mdmId` | `string` | mdm id of the initiator of the action (device) | +|`pradeo.initiator.name` | `string` | name of the initiator of the action (device) | +|`pradeo.initiator.serialNumber` | `string` | serial mumber of the initiator of the action (device) | +|`pradeo.metadata.category` | `keyword` | event category (application, device, system or network) | +|`pradeo.metadata.creationDate` | `datetime` | Cretaion date of the event | +|`pradeo.metadata.id` | `string` | Pradeo unique event id | +|`pradeo.metadata.source` | `keyword` | event origin (system or admin) | +|`pradeo.metadata.type` | `keyword` | type of event (e.g AccountCreated, DeviceCreated, DeviceDetection) | +|`pradeo.permission.name` | `string` | permission name | +|`pradeo.permission.value` | `string` | permission value | +|`pradeo.policy.id` | `string` | policy id used for correlation | +|`pradeo.policy.name` | `string` | policy name used for correlation | +|`user.email` | `keyword` | User email address. | +|`user.full_name` | `keyword` | User's full name, if available. | +|`user.id` | `keyword` | Unique identifier of the user. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Pradeo/pradeo-mtd). \ No newline at end of file 
diff --git a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md new file mode 100644 index 0000000000..6c756a0f59 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827_sample.md 
@@ -0,0 +1,475 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "admin-initiator" + + + ```json + { + "id": "jyFgy57XQGm0oEk6V_6tdA", + "creationDate": "2024-07-23T13:28:32.594Z", + "source": "admin", + "category": null, + "type": "MessageCreated", + "content": { + "message": { + "id": "u7GTsigSS1CWtS_y80zpgw", + "title": "test", + "content": "envoye a 15:28", + "creationDate": "2024-07-23T13:28:32.578Z" + } + }, + "user": { + "id": "gA0jK6lCSBWZ3-ZMR9IoFw", + "email": "alan.smithee@pradeo.com", + "firstName": "Alan", + "lastName": "Smithee", + "jobTitle": null, + "phoneNumber": null, + "language": "English", + "isDeactivated": false, + "isFirstConnection": true, + "toNotify": false, + "lastConnectionDate": "2024-07-23T14:56:26.000Z", + "creationDate": "2024-07-03T12:24:48.924Z", + "lastModificationDate": "2024-07-23T14:56:26.000Z" + }, + "device": null, + "company": { + "id": "bufQJXK_RNamdgiPmXzpFg", + "name": "Mobile boat", + "creationDate": "2024-07-03T10:01:02.043Z", + "lastModificationDate": "2024-07-04T07:19:50.000Z", + "deletedAt": null + } + } + ``` + + + +=== "application-created" + + + ```json + { + "id": "8bnDz9zBI0S25lsXD22nxg", + "creationDate": "2024-07-02T07:02:15.721Z", + "source": "device", + "category": null, + "type": "ApplicationCreated", + "content": { + "application": { + "id": "6DN0jTLmX8-958o-fa3pnQ", + "version": "1.10.2", + "md5": "673937eab709d3e3999b25bc564902c4", + "sha1": "639f1ebc03aac79374e70123d15bd00fc68d37af", + "sha256": "8ddb8f0098f6159fba0a56444fe67634adb7903770eaa646ef202f8d8f32d3df", + "name": "Sonic 2", + "versionCode": "217", + "size": 83816851, + "package": { + "id": "N4N-N9ByVrKDs-WCpxSj6Q", + "package": 
"com.sega.sonic2.runner", + "system": "Android" + } + } + } + } + ``` + + + +=== "detection-policy-updated" + + + ```json + { + "id": "_czh5ptATAa0TDv8cCR75g", + "creationDate": "2024-07-02T12:20:01.795Z", + "source": "system", + "category": null, + "type": "DetectionPolicyUpdated", + "content": { + "detectionPolicy": { + "id": "R-cZz0iUSyujQ954d3qytw", + "name": "iO Si Senor", + "creationDate": "2023-11-13T17:58:03.000Z", + "lastModificationDate": "2024-05-27T08:14:01.531Z", + "company": { + "id": "JmidYbyCRpegHOjnpK4uag", + "name": "Pradeo", + "creationDate": "2023-09-11T13:15:14.000Z", + "lastModificationDate": "2024-04-19T10:03:30.000Z", + "deletedAt": null + }, + "inheritable": false, + "dataRules": [], + "featureRules": [], + "communicationRules": [], + "systemStatusLevels": [], + "networkStatusLevels": [], + "deviceGroups": [], + "handledCompanies": [], + "version": 1 + } + } + } + ``` + + + +=== "device-compliance-updated" + + + ```json + { + "id": "XjR27UNPT7ixTAV6M4YBEA", + "creationDate": "2024-07-01T17:24:54.784Z", + "source": "system", + "category": null, + "type": "DeviceComplianceUpdated", + "content": { + "deviceCompliance": { + "id": "tw0T69jkS1SOdBc-QFat8A", + "status": "Approved", + "computed": true, + "creationDate": "2024-07-01T17:01:20.075Z", + "lastModificationDate": "2024-07-01T17:02:02.000Z", + "device": { + "id": "kfvsh37xT2GUUlQHBZSIZw", + "serialNumber": null, + "imei": "356568109376877", + "name": "remy iPhone iOS 17.5.1 N736", + "email": null, + "singleEnrollmentKey": "00008030-0006404C2EE1802E", + "byod": false, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": null, + "declaredOperatingSystemVersion": null, + "declaredOperatingSystemSecurityPatchDate": null, + "declaredModel": null, + "group": { + "id": "NndTZCHjSMyUKP3XlCBosQ", + "name": "R&D", + "createdAt": "2024-04-18T12:31:32.000Z", + "emmGroupInfo": null, + "detectionPolicy": { + "id": "JIiW6eyUWoe9COTVCR4rww", + "name": "Standard", + "type": 
"Application and device threat", + "creationDate": "2024-01-21T22:47:37.034Z", + "lastModificationDate": "2024-01-21T22:47:37.034Z", + "inheritable": true, + "version": 1 + } + }, + "enrollmentStatus": { + "id": "FchrtdT-QT-xknMShye0eQ", + "lastConnection": null, + "coupled": false + }, + "emmDeviceInfo": { + "id": "2vZdUKtuRCWHl4TDp8uTaw", + "externalId": "00008030-0006404C2EE1802E", + "emm": "airwatch" + } + }, + "matchedResponseRules": [] + } + } + } + ``` + + + +=== "device-correlation-updated" + + + ```json + { + "id": "QFtxnwWFCERsCvYI599bSv", + "creationDate": "2024-07-01T14:28:11.000Z", + "source": "system", + "category": "null", + "type": "DeviceCorrelationUpdated", + "content": { + "id": "android:p-2MTZU_S1jQsqz9Ommy_A", + "last_name": "m", + "first_name": "m", + "email": "", + "metric": "match_bluetooth", + "type": "BlueTooth activation", + "status": "END" + } + } + ``` + + + +=== "device-detection" + + + ```json + { + "id": "QFtxnwWFCERsCvYI599bSv", + "creationDate": "2024-07-01T14:28:11.000Z", + "source": "admin", + "category": "Network", + "type": "DeviceDetection", + "content": { + "id": "android:p-2MTZU_S1jQsqz9Ommy_A", + "last_name": "m", + "first_name": "m", + "email": "", + "metric": "match_bluetooth", + "type": "BlueTooth activation", + "status": "END" + } + } + ``` + + + +=== "device-initiator" + + + ```json + { + "id": "---tmfIPM0q8uo0bGtreRA", + "creationDate": "2024-07-05T08:58:43.325Z", + "source": "device", + "category": null, + "type": "DeviceStatusHistoryUpdated", + "content": { + "deviceId": "3DGAsW2pRhKZLArNUGBo4Q", + "event": { + "kind": "RogueCellTower", + "value": 2 + } + }, + "user": null, + "device": { + "id": "3DGAsW2pRhKZLArNUGBo4Q", + "serialNumber": "unknown", + "imei": null, + "name": null, + "email": null, + "singleEnrollmentKey": "{sa?LW]p:gWoGR}),ishy@)7XPoMI-)LH&n)g5v{aY{Wqi4b", + "byod": false, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": "Android", + "declaredOperatingSystemVersion": "13", 
+ "declaredOperatingSystemSecurityPatchDate": "2023-11-05T00:00:00.000Z", + "declaredModel": "EB2103", + "enrollmentStatus": { + "id": "etw6fGIcQtyKQDB3hbpXUQ", + "lastConnection": "2024-07-05T13:05:05.000Z", + "coupled": false + }, + "emmDeviceInfo": null + }, + "company": { + "id": "bufQJXK_RNamdgiPmXzpFg", + "name": "Mobile boat", + "creationDate": "2024-07-03T10:01:02.043Z", + "lastModificationDate": "2024-07-04T07:19:50.000Z", + "deletedAt": null + } + } + ``` + + + +=== "device-network-status-record-updated" + + + ```json + { + "id": "SQU4ZdbZSxqEIi1ioYP6mw", + "creationDate": "2024-07-01T14:28:20.233Z", + "source": "system", + "category": null, + "type": "DeviceNetworkStatusRecordUpdated", + "content": { + "deviceNetworkStatusRecord": { + "id": "7tUjB6riQGqo2Tqz4AmVPw", + "device": { + "id": "R96VSXfLT4i1UDNKioactw", + "serialNumber": "unknown", + "imei": null, + "name": "m m", + "email": null, + "singleEnrollmentKey": null, + "byod": false, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": null, + "declaredOperatingSystemVersion": null, + "declaredOperatingSystemSecurityPatchDate": null, + "declaredModel": null, + "company": { + "id": "JmidYbyCRpegHOjnpK4uag", + "name": "Pradeo", + "creationDate": "2023-09-11T13:15:14.000Z", + "lastModificationDate": "2024-04-19T10:03:30.000Z", + "deletedAt": null + }, + "enrollmentStatus": { + "id": "2GxYOm6GR8qXdDRMrCjJwQ", + "lastConnection": "2024-07-01T09:54:07.000Z", + "coupled": true + }, + "emmDeviceInfo": null, + "configuration": { + "id": "XXWAKzLmTIydNDbSbpLuWw", + "advancedMode": false, + "notificationPermission": "Undefined", + "geolocationPermission": "Undefined", + "callPermission": "Undefined", + "knoxPermission": "Undefined", + "vpnPermission": "Undefined", + "bluetoothPermission": "Undefined", + "deviceAdminPermission": "Undefined", + "overlayPermission": "Undefined", + "usageStatisticsPermission": "Undefined", + "accessibilityPermission": "Undefined", + 
"ignoreBatteryOptimizationPermission": "Undefined" + } + }, + "deviceNetworkStatus": { + "id": "WgEwwyksUIS2T5AFjKtGvg", + "name": "Bluetooth" + }, + "value": 0 + } + } + } + ``` + + + +=== "device-status-history-updated" + + + ```json + { + "id": "Chp2bFsQTEGAJd67m_Na2w", + "creationDate": "2024-07-01T14:28:20.139Z", + "source": "system", + "category": null, + "type": "DeviceStatusHistoryUpdated", + "content": { + "deviceId": "R96VSXfLT4i1UDNKioactw", + "event": { + "id": "Aw9PSSUpT0idoAdhaiACbg", + "device": { + "id": "R96VSXfLT4i1UDNKioactw", + "serialNumber": "unknown", + "imei": null, + "name": "m m", + "email": null, + "singleEnrollmentKey": null, + "byod": false, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": null, + "declaredOperatingSystemVersion": null, + "declaredOperatingSystemSecurityPatchDate": null, + "declaredModel": null, + "company": { + "id": "JmidYbyCRpegHOjnpK4uag", + "name": "Pradeo", + "creationDate": "2023-09-11T13:15:14.000Z", + "lastModificationDate": "2024-04-19T10:03:30.000Z", + "deletedAt": null + }, + "enrollmentStatus": { + "id": "2GxYOm6GR8qXdDRMrCjJwQ", + "lastConnection": "2024-07-01T09:54:07.000Z", + "coupled": true + }, + "emmDeviceInfo": null + }, + "kind": "Bluetooth", + "value": 0, + "eventDate": "2024-07-01T14:28:20.124Z" + } + } + } + ``` + + + +=== "device-system-status-record-updated" + + + ```json + { + "id": "hWjVNq-WRiefU1vqfrbeyQ", + "creationDate": "2024-06-27T11:24:13.592Z", + "source": "system", + "category": null, + "type": "DeviceSystemStatusRecordUpdated", + "content": { + "deviceSystemStatusRecord": { + "id": "2jA8-gQ6TCuGIgR9EMcbYQ", + "device": { + "id": "EeFFJKtPS0Gl52z5uzijKg", + "serialNumber": null, + "imei": null, + "name": " cs Ivanti EID2", + "email": null, + "singleEnrollmentKey": null, + "byod": true, + "lockPassword": null, + "knoxVersion": null, + "declaredOperatingSystem": null, + "declaredOperatingSystemVersion": null, + "declaredOperatingSystemSecurityPatchDate": 
null, + "declaredModel": null, + "company": { + "id": "JmidYbyCRpegHOjnpK4uag", + "name": "Pradeo", + "creationDate": "2023-09-11T13:15:14.000Z", + "lastModificationDate": "2024-04-19T10:03:30.000Z", + "deletedAt": null + }, + "enrollmentStatus": { + "id": "ZWxQtoMWTKegjcvMinHaZg", + "lastConnection": "2024-06-21T12:07:57.000Z", + "coupled": true + }, + "emmDeviceInfo": null, + "configuration": { + "id": "4oQgfWybS46D2huT1ggWLA", + "advancedMode": false, + "notificationPermission": "Undefined", + "geolocationPermission": "Undefined", + "callPermission": "Undefined", + "knoxPermission": "Undefined", + "vpnPermission": "Undefined", + "bluetoothPermission": "Undefined", + "deviceAdminPermission": "Undefined", + "overlayPermission": "Undefined", + "usageStatisticsPermission": "Undefined", + "accessibilityPermission": "Undefined", + "ignoreBatteryOptimizationPermission": "Undefined" + } + }, + "deviceSystemStatus": { + "id": "AV84fYHQXbyKjXZ52iuHLg", + "name": "DeveloperMode" + }, + "value": 1 + } + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index ee65fdf60e..b7bda8c6c2 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md @@ -192,6 +192,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ip": "1.2.3.4" }, + "tls": { + "client": { + "ja3": "68b329da9893e34099c7d8ad5cb9c940" + } + }, "url": { "original": "/console/", "path": "/console/", 
@@ -597,6 +602,104 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "allow3.json" + + ```json + + { + "message": "{\"timestamp\":1724172306949,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:eu-west-3:736484235634:regional/webacl/ACME/1dbb6fab-3713-4b94-be2b-a53d4c914b3d\",\"terminatingRuleId\":\"Default_Action\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"ALLOW\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"ALB\",\"httpSourceId\":\"736484235634-app/acme-ALB/a7d22dfa27083e64\",\"ruleGroupList\":[{\"ruleGroupId\":\"arn:aws:wafv2:eu-west-3:736484235634:regional/rulegroup/rule/75c436b4-0143-4bfa-8045-d333529e78f0\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":[{\"exclusionType\":\"EXCLUDED_AS_COUNT\",\"ruleId\":\"root-url\",\"ruleMatchDetails\":null}],\"customerConfig\":null},{\"ruleGroupId\":\"arn:aws:wafv2:eu-west-3:736484235634:regional/rulegroup/urls/9d38afd6-5664-46ca-96d1-491f3ee6de6a\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"arn:aws:wafv2:eu-west-3:411563154075:regional/rulegroup/RuleGroup_736484235634_1dbb6fab-3713-4b94-be2b-a53d4c914b3d_3a330c86-7311-4ba0-81cc-eec955280694/cb3c287e-5fe1-4c63-8c6a-f4a7f1f0f905\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesAmazonIpReputationList\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesAnonymousIpList\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[{\"ruleId\":\"HostingProviderIPList\",\"action\":\"COUNT\",\"overriddenAction\":\"BLOCK\",\"ruleMatchDetails\":[]}],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesKnownBadInputsRuleSet\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"exc
ludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesSQLiRuleSet\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesUnixRuleSet\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null},{\"ruleGroupId\":\"AWS#AWSManagedRulesLinuxRuleSet\",\"terminatingRule\":null,\"nonTerminatingMatchingRules\":[],\"excludedRules\":null,\"customerConfig\":null}],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"1.2.3.4\",\"country\":\"FR\",\"headers\":[{\"name\":\"Host\",\"value\":\"host\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Content-Length\",\"value\":\"70\"},{\"name\":\"Content-Type\",\"value\":\"application/x-www-form-urlencoded\"},{\"name\":\"X-From-Automation\",\"value\":\"something\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/geoserver/TestPost\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"1-66c4c812-09a4093421d49fca0ec8565f\"},\"ja3Fingerprint\":\"d4e5b18d6b55c71272893221c96ba240\",\"labels\":[{\"name\":\"awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList\"}],\"requestBodySize\":70,\"requestBodySizeInspectedByWAF\":70}", + "event": { + "action": "ALLOW", + "category": [ + "network" + ], + "module": "aws.waf", + "type": [ + "access" + ] + }, + "@timestamp": "2024-08-20T16:45:06.949000Z", + "action": { + "target": "network-traffic" + }, + "aws": { + "waf": { + "rule": { + "arn": "arn:aws:wafv2:eu-west-3:736484235634:regional/webacl/ACME/1dbb6fab-3713-4b94-be2b-a53d4c914b3d" + } + } + }, + "cloud": { + "provider": "aws", + "region": "eu-west-3", + "service": { + "name": "waf" + } + }, + 
"destination": { + "address": "host", + "domain": "host", + "top_level_domain": "host" + }, + "http": { + "request": { + "body": { + "bytes": 70 + }, + "id": "1-66c4c812-09a4093421d49fca0ec8565f", + "method": "POST", + "mime_type": "application/x-www-form-urlencoded" + }, + "version": "HTTP/1.1" + }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "host" + ], + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "category": "REGULAR", + "name": "Default_Action" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "FR" + }, + "ip": "1.2.3.4" + }, + "tls": { + "client": { + "ja3": "d4e5b18d6b55c71272893221c96ba240" + } + }, + "url": { + "original": "/geoserver/TestPost", + "path": "/geoserver/TestPost" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0", + "os": { + "name": "Mac OS X", + "version": "10.15" + }, + "version": "98.0" + } + } + + ``` + + === "user_agent.json" ```json @@ -820,6 +923,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.name` | `keyword` | Rule name | |`source.geo.country_iso_code` | `keyword` | Country ISO code. | |`source.ip` | `ip` | IP address of the source. | +|`tls.client.ja3` | `keyword` | A hash that identifies clients based on how they perform an SSL/TLS handshake. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`url.query` | `keyword` | Query string of the request. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0_sample.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0_sample.md index 4ecbe3cd1c..9eda6a7c2b 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0_sample.md 
+++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0_sample.md 
@@ -461,6 +461,154 @@ In this section, you will find examples of raw logs as generated natively by the +=== "allow3" + + + ```json + { + "timestamp": 1724172306949, + "formatVersion": 1, + "webaclId": "arn:aws:wafv2:eu-west-3:736484235634:regional/webacl/ACME/1dbb6fab-3713-4b94-be2b-a53d4c914b3d", + "terminatingRuleId": "Default_Action", + "terminatingRuleType": "REGULAR", + "action": "ALLOW", + "terminatingRuleMatchDetails": [], + "httpSourceName": "ALB", + "httpSourceId": "736484235634-app/acme-ALB/a7d22dfa27083e64", + "ruleGroupList": [ + { + "ruleGroupId": "arn:aws:wafv2:eu-west-3:736484235634:regional/rulegroup/rule/75c436b4-0143-4bfa-8045-d333529e78f0", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": [ + { + "exclusionType": "EXCLUDED_AS_COUNT", + "ruleId": "root-url", + "ruleMatchDetails": null + } + ], + "customerConfig": null + }, + { + "ruleGroupId": "arn:aws:wafv2:eu-west-3:736484235634:regional/rulegroup/urls/9d38afd6-5664-46ca-96d1-491f3ee6de6a", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "arn:aws:wafv2:eu-west-3:411563154075:regional/rulegroup/RuleGroup_736484235634_1dbb6fab-3713-4b94-be2b-a53d4c914b3d_3a330c86-7311-4ba0-81cc-eec955280694/cb3c287e-5fe1-4c63-8c6a-f4a7f1f0f905", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "AWS#AWSManagedRulesAnonymousIpList", + "terminatingRule": null, + "nonTerminatingMatchingRules": [ + { + "ruleId": "HostingProviderIPList", + "action": "COUNT", + "overriddenAction": "BLOCK", + "ruleMatchDetails": [] + } + ], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": 
"AWS#AWSManagedRulesKnownBadInputsRuleSet", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "AWS#AWSManagedRulesUnixRuleSet", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + }, + { + "ruleGroupId": "AWS#AWSManagedRulesLinuxRuleSet", + "terminatingRule": null, + "nonTerminatingMatchingRules": [], + "excludedRules": null, + "customerConfig": null + } + ], + "rateBasedRuleList": [], + "nonTerminatingMatchingRules": [], + "requestHeadersInserted": null, + "responseCodeSent": null, + "httpRequest": { + "clientIp": "1.2.3.4", + "country": "FR", + "headers": [ + { + "name": "Host", + "value": "host" + }, + { + "name": "User-Agent", + "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0" + }, + { + "name": "Connection", + "value": "close" + }, + { + "name": "Content-Length", + "value": "70" + }, + { + "name": "Content-Type", + "value": "application/x-www-form-urlencoded" + }, + { + "name": "X-From-Automation", + "value": "something" + }, + { + "name": "Accept-Encoding", + "value": "gzip" + } + ], + "uri": "/geoserver/TestPost", + "args": "", + "httpVersion": "HTTP/1.1", + "httpMethod": "POST", + "requestId": "1-66c4c812-09a4093421d49fca0ec8565f" + }, + "ja3Fingerprint": "d4e5b18d6b55c71272893221c96ba240", + "labels": [ + { + "name": "awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList" + } + ], + "requestBodySize": 70, + "requestBodySizeInspectedByWAF": 70 + } + ``` + + + === "user_agent" 
diff --git a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md index cf353fe630..402f2642b3 100644 --- a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md +++ b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert` | -| Category | `malware`, `web` | +| Category | `email`, `malware`, `web` | | Type | `info` | @@ -34,7 +34,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"direction\": \"OUTBOUND\", \"class\": \"EVENT\", \"version\": \"1.0\", \"type\": \"MTA\", \"ts\": \"2021-05-18 16:50:30 +0200\", \"host\": \"events.retarus.com\", \"customer\": \"45987FR\", \"metaData\": {}, \"sender\": \"utilisateur@mail.fr\", \"status\": \"ACCEPTED\", \"mimeId\": \"\", \"rmxId\": \"20210518-32464-yvrfukcZEcd-0@out33.fg\", \"sourceIp\": \"255.255.255.1\", \"recipient\": \"recepient@mail.com\"}", "event": { - "outcome": "success" + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] }, "action": { "name": "EVENT", @@ -47,8 +53,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "mail.com", "top_level_domain": "com" }, + "email": { + "from": { + "address": [ + "null" + ] + }, + "sender": { + "address": [ + "recepient@mail.com" + ] + } + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { 
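Review bot: `email.sender.address` in the `@@ -47,8 +53,22 @@` hunk is populated with the raw `recipient` value (`recepient@mail.com`) while the raw `sender` (`utilisateur@mail.fr`, documented in this diff's field table as the envelope sender, envFrom) is not mapped to any `email.*` field; in ECS `email.sender.address` is the envelope sender and the recipient belongs in `email.to.address`, so the expected output for this sample is `"email": {"sender": {"address": ["utilisateur@mail.fr"]}, "to": {"address": ["recepient@mail.com"]}}`. The same inversion appears in the `@@ -107,8 +133,23 @@`, `@@ -163,8 +213,23 @@`, `@@ -218,8 +295,23 @@` and `@@ -264,14 +356,37 @@` hunks, where `email.sender.address` always equals `retarus.recipient`. Separately, `email.from.address` is emitted as the literal string `"null"` here and in the `@@ -336`, `@@ -398`, `@@ -461` and `@@ -532` hunks, presumably when the raw event has no `metaData.header.from`; a missing header should leave the field absent, since a `"null"` address will be indexed and correlated as if it were a real sender. The descriptions added for `email.from.address` and `email.sender.address` in the field table later in this diff read as near-synonyms, so spelling out "From header" versus "envelope sender (MAIL FROM)" there would make the intended distinction explicit.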
@@ -94,7 +114,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"customer\": \"CuNo\",\"metaData\": {\"authentication\": {\"dkim\": {\"status\": \"dkim=none\",\"details\": \"dkim=none reason=\\\"no signature\\\"\"}},\"transportEncryption\": {\"requested\": false,\"established\": false},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"},\"contentEncryption\": false},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"xxx.xxx.xxx.xxx\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"INBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}", "event": { - "outcome": "success" + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] }, "action": { "name": "EVENT", @@ -107,8 +133,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "sender@example.com" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + }, + "subject": "This is a test mail" + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { @@ -123,6 +164,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "retarus": { "class": "EVENT", + "dkim": { + "result": "dkim=none reason=\"no signature\"" + }, "email_direction": "INBOUND", "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27", "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>", 
@@ -150,7 +194,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"version\":\"1.0\",\"rmxId\":\"20220912-000000-111111111111-0@example\",\"sender\":\"\",\"ts\":\"2022-09-12 16:30:58 +0200\",\"metaData\":{\"transportEncryption\":{\"protocol\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\",\"established\":true,\"requested\":true},\"authentication\":{\"dkim\":{\"status\":\"dkim=none\",\"details\":\"dkim=none reason=\\\"no signature\\\"\"},\"spf\":{\"status\":\"spf=none\",\"details\":\"spf=none smtp.helo=mailer.com\"}},\"header\":{\"from\":\"MAILER-DAEMON (Mail Delivery System)\",\"subject\":\"Undelivered Mail Returned to Sender\"},\"contentEncryption\":false},\"recipient\":\"user@example.org\",\"sourceIp\":\"1.2.3.4\",\"type\":\"MTA\",\"subtype\":\"INCOMING\",\"host\":\"events.retarus.com\",\"direction\":\"INBOUND\",\"status\":\"ACCEPTED\",\"customer\":\"15752FR\",\"class\":\"EVENT\",\"mimeId\":\"<00000000@mailer.com>\"}\n", "event": { - "outcome": "success" + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] }, "action": { "name": "EVENT", @@ -163,8 +213,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "example.org", "top_level_domain": "org" }, + "email": { + "from": { + "address": [ + "MAILER-DAEMON (Mail Delivery System)" + ] + }, + "sender": { + "address": [ + "user@example.org" + ] + }, + "subject": "Undelivered Mail Returned to Sender" + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { 
@@ -181,10 +246,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "retarus": { "class": "EVENT", + "dkim": { + "result": "dkim=none reason=\"no signature\"" + }, "email_direction": "INBOUND", "message_id": "20220912-000000-111111111111-0@example", "mime_message_id": "<00000000@mailer.com>", "recipient": "user@example.org", + "spf": { + "status": "spf=none" + }, "status": "ACCEPTED", "timestamp": "2022-09-12 16:30:58 +0200", "type": "MTA" @@ -205,7 +276,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"customer\": \"CuNo\",\"metaData\": {\"transportEncryption\": {\"requested\": true,\"established\": true,\"protocol\": \"TLSv1.2\",\"cipherSuite\": \"ECDHE-RSA-AES128-SHA256(128/128bits)\"},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"}},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"255.255.255.1\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"OUTBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}", "event": { - "outcome": "success" + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] }, "action": { "name": "EVENT", @@ -218,8 +295,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "sender@example.com" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + }, + "subject": "This is a test mail" + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { 
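Review bot: `retarus.spf.status` in the `@@ -181,10 +246,16 @@` hunk keeps only `spf=none` and drops the raw `spf.details` value `spf=none smtp.helo=mailer.com`, whereas the DKIM block in the same hunk stores the `dkim.details` string under `retarus.dkim.result`; the two authentication results are modelled asymmetrically, and the HELO identity that an analyst needs in order to judge an SPF `none` is lost. The field table in this diff additionally declares `retarus.spf.record`, but no sample in the diff populates it, so its intended content is unclear. Storing the details under a parallel key, e.g. `"spf": {"status": "spf=none", "result": "spf=none smtp.helo=mailer.com"}`, and naming the DKIM and SPF sub-objects consistently would resolve both points.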
@@ -264,14 +356,37 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"class\": \"EVENT\", \"rmxId\": \"0001\", \"sourceIp\": \"1.1.1.1\", \"metaData\": {\"header\": {\"from\": \"sender \", \"subject\": \"This is a subject\"}, \"transportEncryption\": {\"requested\": true, \"established\": true, \"protocol\": \"TLSv1.2\", \"cipherSuite\": \"ecdhe-ecdsa-aes128-gcm-sha256\"}}, \"recipient\": \"recipient@recipientdomain.fr\", \"mimeId\": \"<11111111>\", \"sender\": \"sender@senderdomain.fr\", \"version\": \"1.0\", \"customer\": \"1\", \"host\": \"host.fr\", \"subtype\": \"INCOMING\", \"type\": \"AAA\", \"ts\": \"2021-10-1 09:00:00 +0200\", \"direction\": \"OUTBOUND\", \"status\": \"ACCEPTED\"}", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, "destination": { "address": "recipientdomain.fr", "domain": "recipientdomain.fr", "registered_domain": "recipientdomain.fr", "top_level_domain": "fr" }, + "email": { + "from": { + "address": [ + "sender " + ] + }, + "sender": { + "address": [ + "recipient@recipientdomain.fr" + ] + }, + "subject": "This is a subject" + }, "observer": { "hostname": "host.fr", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { @@ -336,8 +451,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "null" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + } + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { 
@@ -398,8 +527,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "null" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + } + }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { @@ -461,6 +604,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "null" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + } + }, "file": { "hash": { "sha256": "sha256" @@ -469,6 +624,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { @@ -532,6 +689,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "registered_domain": "retarus.de", "top_level_domain": "de" }, + "email": { + "from": { + "address": [ + "null" + ] + }, + "sender": { + "address": [ + "xxxxxxx@retarus.de" + ] + } + }, "file": { "hash": { "sha256": "sha256" @@ -539,6 +708,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "observer": { "hostname": "events.retarus.com", + "product": "Email Security", + "vendor": "Retarus", "version": "1.0" }, "organization": { 
@@ -586,6 +757,9 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`destination.domain` | `keyword` | The domain name of the destination. | +|`email.from.address` | `keyword` | The sender's email address. | +|`email.sender.address` | `keyword` | Address of the message sender. | +|`email.subject` | `keyword` | The subject of the email message. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | 
@@ -596,15 +770,20 @@ The following table lists the fields that are extracted, normalized under the EC |`file.hash.ssdeep` | `keyword` | SSDEEP hash. | |`file.mimeType` | `keyword` | MIME type of the detected file (only included if threat type is VIRUS) | |`observer.hostname` | `keyword` | Hostname of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | |`observer.version` | `keyword` | Observer version. | |`organization.id` | `keyword` | Unique identifier for the organization. | |`retarus.class` | `keyword` | Classification of the event | +|`retarus.dkim.result` | `keyword` | DKIM result | |`retarus.email_direction` | `keyword` | Possible values are: INBOUND | OUTBOUND | |`retarus.message_id` | `keyword` | Retarus unique message ID | |`retarus.mime_message_id` | `keyword` | Mime message ID | |`retarus.phishing_identifier` | `long` | Phishing identifier (if threat type is “URL”) | |`retarus.recipient` | `keyword` | Recipient of the message (envTo) | |`retarus.sender` | `keyword` | Sender of the message (envFrom) | +|`retarus.spf.record` | `keyword` | SPF record | +|`retarus.spf.status` | `keyword` | SPF result | |`retarus.status` | `keyword` | Possible values are: - for threat events: INFECTED | DETECTED | SUSPICIOUS, - for MTA events: ACCEPTED | |`retarus.timestamp` | `keyword` | Timestamp of the message in YYYY-MM-DD hh:mm:ss +hhmm | |`retarus.type` | `keyword` | Feature which the event is for possible values are: MultiScan, CxO, Sandboxing, PZD, MTA | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index a2dbf0c83b..073d8b0976 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md 
+++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -2696,6 +2696,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "ip": [ "1.2.3.4", + "4.3.2.1", "5.6.7.8" ], "user": [ @@ -2711,6 +2712,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "bytes": 160972, "ip": "1.2.3.4", "mac": "00:00:00:00:00:00", + "nat": { + "ip": "4.3.2.1" + }, "packets": 333, "port": 52272 }, @@ -3579,6 +3583,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "ip": [ "1.2.3.4", + "4.5.6.7", "5.6.7.8" ] }, @@ -3592,6 +3597,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "bytes": 285, "ip": "1.2.3.4", "mac": "54:13:79:a3:8a:a3", + "nat": { + "ip": "4.5.6.7" + }, "packets": 5, "port": 62979 } diff --git a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md index b8e1dc093f..d0b071a296 100644 --- a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md +++ b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md @@ -174,11 +174,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "AROAUR6F6MOZQBRKBX6RG:3e0ac0bf-fa18-4e70-8aa4-44debb525a10" + "AROAUR6F6MOZQBRKBX6RG" ] }, "user": { - "name": "AROAUR6F6MOZQBRKBX6RG:3e0ac0bf-fa18-4e70-8aa4-44debb525a10" + "id": "3e0ac0bf-fa18-4e70-8aa4-44debb525a10", + "name": "AROAUR6F6MOZQBRKBX6RG" } } 
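Review bot: The `@@ -174,11 +174,12 @@` hunk splits the principal `AROAUR6F6MOZQBRKBX6RG:3e0ac0bf-fa18-4e70-8aa4-44debb525a10` so that the part before the colon becomes `user.name` and the part after it becomes `user.id`, but in the `@@ -228,11 +229,11 @@` hunk on the next line the suffix `LACEWORK-CFG-external` is dropped entirely and `user.id` is never set, so the split is applied inconsistently. If the raw value follows the AWS assumed-role principal format (role unique ID, colon, role session name), the mapping also reads inverted: the `AROA…` prefix identifies the role rather than a person, and the session name is usually the only human-attributable part, so removing it from `user.*` and `related.user` takes the actor out of correlation. Consider keeping the full principal in `related.user` and documenting which half is meant to be `user.name`; the `@@ -282,11 +283,12 @@` hunk has the same shape.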
@@ -228,11 +229,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "AROAUR6F6MOZ7YRJNRFJB:LACEWORK-CFG-external" + "AROAUR6F6MOZ7YRJNRFJB" ] }, "user": { - "name": "AROAUR6F6MOZ7YRJNRFJB:LACEWORK-CFG-external" + "name": "AROAUR6F6MOZ7YRJNRFJB" } } @@ -282,11 +283,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "AROAUR6F6MOZQBRKBX6RG:a7913090-862e-4cfa-ad11-80508825167e" + "AROAUR6F6MOZQBRKBX6RG" ] }, "user": { - "name": "AROAUR6F6MOZQBRKBX6RG:a7913090-862e-4cfa-ad11-80508825167e" + "id": "a7913090-862e-4cfa-ad11-80508825167e", + "name": "AROAUR6F6MOZQBRKBX6RG" } } 
@@ -401,6 +403,312 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_aws_account_access.json" + + ```json + + { + "message": "{\"alertId\":233783,\"alertName\":\"AWS account accessed from a new geolocation\",\"startTime\":\"2024-08-05T07:00:00.000Z\",\"alertType\":\"LoginFromSourceUsingCalltype\",\"severity\":\"Low\",\"derivedFields\":{\"category\":\"Anomaly\",\"sub_category\":\"Cloud Activity\",\"source\":\"AWS\"},\"endTime\":\"2024-08-05T08:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\"For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . This is the first time this AWS account has been accessed from this location.\",\"subject\":\"AWS account accessed from a new geolocation: For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . 
This is the first time this AWS account has been accessed from this location.\",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "LoginFromSourceUsingCalltype", + "end": "2024-08-05T08:00:00Z", + "kind": "alert", + "reason": "AWS account accessed from a new geolocation", + "start": "2024-08-05T07:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T07:00:00Z", + "lacework": { + "cloud_security": { + "account": { + "name": "123456789" + }, + "alert": { + "id": 233783, + "info": { + "description": "For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . This is the first time this AWS account has been accessed from this location.", + "subject": "AWS account accessed from a new geolocation: For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . This is the first time this AWS account has been accessed from this location." 
+ }, + "severity": "Low", + "sight": 1, + "status": "Open" + }, + "company": { + "name": "company" + } + } + }, + "observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@company.com" + } + } + + ``` + + +=== "test_gcp_user_logged.json" + + ```json + + { + "message": "{\"alertId\":233849,\"alertName\":\"GCP user logged in from new source\",\"startTime\":\"2024-08-05T11:00:00.000Z\",\"alertType\":\"GcpUserLoggedInFromSource\",\"severity\":\"Low\",\"derivedFields\":{\"category\":\"Anomaly\",\"sub_category\":\"Cloud Activity\",\"source\":\"GCP\"},\"endTime\":\"2024-08-05T12:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\" john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time \",\"subject\":\"GCP user logged in from new source: john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time \",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"policyId\":\"203135697\",\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "GcpUserLoggedInFromSource", + "end": "2024-08-05T12:00:00Z", + "kind": "alert", + "reason": "GCP user logged in from new source", + "start": "2024-08-05T11:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T11:00:00Z", + "lacework": { + "cloud_security": { + "alert": { + "id": 233849, + "info": { + "description": " john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time ", + "subject": "GCP user logged in from new source: john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time " + }, + "severity": "Low", + "sight": 1, + "status": "Open" + } + } + }, + 
"observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "user": { + "email": "john.doe@company.com" + } + } + + ``` + + +=== "test_new_gcp_service.json" + + ```json + + { + "message": "{\"alertId\":233782,\"alertName\":\"New GCP service\",\"startTime\":\"2024-08-05T07:00:00.000Z\",\"alertType\":\"NewGcpService\",\"severity\":\"Medium\",\"derivedFields\":{\"category\":\"Anomaly\",\"sub_category\":\"Cloud Activity\",\"source\":\"GCP\"},\"endTime\":\"2024-08-05T08:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\"For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)\",\"subject\":\"New GCP service: For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)\",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"policyId\":\"203101916\",\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "NewGcpService", + "end": "2024-08-05T08:00:00Z", + "kind": "alert", + "reason": "New GCP service", + "start": "2024-08-05T07:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T07:00:00Z", + "lacework": { + "cloud_security": { + "alert": { + "id": 233782, + "info": { + "description": "For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)", + "subject": "New GCP service: For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)" + }, + "severity": "Medium", + "sight": 1, + "status": "Open" + } + } + }, + "observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "service": { + "name": "service.apis.com" + }, + "user": { + "email": 
"john.doe@company.com" + } + } + + ``` + + +=== "test_new_gcp_source.json" + + ```json + + { + "message": "{\"alertId\":233726,\"alertName\":\"New GCP source\",\"startTime\":\"2024-08-05T00:00:00.000Z\",\"alertType\":\"NewGcpSource\",\"severity\":\"Low\",\"derivedFields\":{\"category\":\"Anomaly\",\"sub_category\":\"Cloud Activity\",\"source\":\"GCP\"},\"endTime\":\"2024-08-05T01:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\" A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time\",\"subject\":\"New GCP source: A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time\",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"policyId\":\"203059776\",\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "NewGcpSource", + "end": "2024-08-05T01:00:00Z", + "kind": "alert", + "reason": "New GCP source", + "start": "2024-08-05T00:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T00:00:00Z", + "lacework": { + "cloud_security": { + "alert": { + "id": 233726, + "info": { + "description": " A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time", + "subject": "New GCP source: A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time" + }, + "severity": "Low", + "sight": 1, + "status": "Open" + } + } + }, + "observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "user": { + "email": "john.doe@company.com" + } + } + + ``` + + +=== "test_new_gcp_user.json" + + ```json + + { + "message": "{\"alertId\":233825,\"alertName\":\"New GCP 
user\",\"startTime\":\"2024-08-05T10:00:00.000Z\",\"alertType\":\"NewGcpUser\",\"severity\":\"Info\",\"derivedFields\":{\"category\":\"Anomaly\",\"sub_category\":\"Cloud Activity\",\"source\":\"GCP\"},\"endTime\":\"2024-08-05T11:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\" User john.doe@company.com using GCP for the first time\",\"subject\":\"New GCP user: User john.doe@company.com using GCP for the first time\",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"policyId\":\"203126334\",\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "NewGcpUser", + "end": "2024-08-05T11:00:00Z", + "kind": "alert", + "reason": "New GCP user", + "start": "2024-08-05T10:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T10:00:00Z", + "lacework": { + "cloud_security": { + "alert": { + "id": 233825, + "info": { + "description": " User john.doe@company.com using GCP for the first time", + "subject": "New GCP user: User john.doe@company.com using GCP for the first time" + }, + "severity": "Info", + "sight": 1, + "status": "Open" + } + } + }, + "observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "user": { + "email": "john.doe@company.com" + } + } + + ``` + + +=== "test_security_group_change.json" + + ```json + + { + "message": "{\"alertId\":233808,\"alertName\":\"Security Group Change\",\"startTime\":\"2024-08-05T09:00:00.000Z\",\"alertType\":\"SecurityGroupChange\",\"severity\":\"Info\",\"derivedFields\":{\"category\":\"Policy\",\"sub_category\":\"Cloud Activity\",\"source\":\"AWS\"},\"endTime\":\"2024-08-05T10:00:00.000Z\",\"lastUserUpdatedTime\":\"\",\"status\":\"Open\",\"alertInfo\":{\"description\":\" For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com 
\",\"subject\":\"Security Group Change: For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com \",\"customerCount\":0,\"isExpectedLWBehavior\":false},\"policyId\":\"lacework-global-2\",\"evolvingAlert\":false,\"tagMetadata\":[],\"internetExposure\":\"UnknownInternetExposure\",\"reachability\":\"UnknownReachability\"}", + "event": { + "category": [ + "configuration" + ], + "code": "SecurityGroupChange", + "end": "2024-08-05T10:00:00Z", + "kind": "alert", + "reason": "Security Group Change", + "start": "2024-08-05T09:00:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-05T09:00:00Z", + "lacework": { + "cloud_security": { + "account": { + "name": "1234567890" + }, + "alert": { + "id": 233808, + "info": { + "description": " For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com ", + "subject": "Security Group Change: For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com " + }, + "severity": "Info", + "sight": 5, + "status": "Open" + }, + "company": { + "name": "company" + } + } + }, + "observer": { + "product": "Lacework Cloud Security", + "vendor": "Lacework" + }, + "related": { + "user": [ + "USER01" + ] + }, + "user": { + "email": "john.doe@company.com", + "name": "USER01" + } + } + + ``` + + 
@@ -425,10 +733,14 @@ The following table lists the fields that are extracted, normalized under the EC |`lacework.cloud_security.alert.severity` | `keyword` | Alert severity | |`lacework.cloud_security.alert.sight` | `long` | Number of times an alert have been seen | |`lacework.cloud_security.alert.status` | `keyword` | Alert status | +|`lacework.cloud_security.company.name` | `keyword` | Company name | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`rule.name` | `keyword` | Rule name | +|`service.name` | `keyword` | Name of the service. | |`source.ip` | `ip` | IP address of the source. | +|`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650_sample.md b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650_sample.md index 9f3629a6ef..39276d8433 100644 --- a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650_sample.md +++ b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650_sample.md 
@@ -249,3 +249,206 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_aws_account_access" + + + ```json + { + "alertId": 233783, + "alertName": "AWS account accessed from a new geolocation", + "startTime": "2024-08-05T07:00:00.000Z", + "alertType": "LoginFromSourceUsingCalltype", + "severity": "Low", + "derivedFields": { + "category": "Anomaly", + "sub_category": "Cloud Activity", + "source": "AWS" + }, + "endTime": "2024-08-05T08:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": "For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . This is the first time this AWS account has been accessed from this location.", + "subject": "AWS account accessed from a new geolocation: For account: 123456789 (company) : Unknown/123456789:john.doe@company.com logged in from an IP address 1.2.3.4 in a new location Rennes,Bretagne,France using the AWS event type AwsServiceEvent . 
This is the first time this AWS account has been accessed from this location.", + "customerCount": 0, + "isExpectedLWBehavior": false + }, + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + +=== "test_gcp_user_logged" + + + ```json + { + "alertId": 233849, + "alertName": "GCP user logged in from new source", + "startTime": "2024-08-05T11:00:00.000Z", + "alertType": "GcpUserLoggedInFromSource", + "severity": "Low", + "derivedFields": { + "category": "Anomaly", + "sub_category": "Cloud Activity", + "source": "GCP" + }, + "endTime": "2024-08-05T12:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": " john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time ", + "subject": "GCP user logged in from new source: john.doe@company.com logged in from a new source Rennes,Bretagne,France for the first time ", + "customerCount": 0, + "isExpectedLWBehavior": false + }, + "policyId": "203135697", + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + +=== "test_new_gcp_service" + + + ```json + { + "alertId": 233782, + "alertName": "New GCP service", + "startTime": "2024-08-05T07:00:00.000Z", + "alertType": "NewGcpService", + "severity": "Medium", + "derivedFields": { + "category": "Anomaly", + "sub_category": "Cloud Activity", + "source": "GCP" + }, + "endTime": "2024-08-05T08:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": "For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)", + "subject": "New GCP service: For project: project-001 (test-projects) : A new service service.apis.com was used for the first time (by user john.doe@company.com)", + "customerCount": 0, + 
"isExpectedLWBehavior": false + }, + "policyId": "203101916", + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + +=== "test_new_gcp_source" + + + ```json + { + "alertId": 233726, + "alertName": "New GCP source", + "startTime": "2024-08-05T00:00:00.000Z", + "alertType": "NewGcpSource", + "severity": "Low", + "derivedFields": { + "category": "Anomaly", + "sub_category": "Cloud Activity", + "source": "GCP" + }, + "endTime": "2024-08-05T01:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": " A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time", + "subject": "New GCP source: A user (john.doe@company.com) logged in from a new source Rennes,Bretagne,France for the first time", + "customerCount": 0, + "isExpectedLWBehavior": false + }, + "policyId": "203059776", + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + +=== "test_new_gcp_user" + + + ```json + { + "alertId": 233825, + "alertName": "New GCP user", + "startTime": "2024-08-05T10:00:00.000Z", + "alertType": "NewGcpUser", + "severity": "Info", + "derivedFields": { + "category": "Anomaly", + "sub_category": "Cloud Activity", + "source": "GCP" + }, + "endTime": "2024-08-05T11:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": " User john.doe@company.com using GCP for the first time", + "subject": "New GCP user: User john.doe@company.com using GCP for the first time", + "customerCount": 0, + "isExpectedLWBehavior": false + }, + "policyId": "203126334", + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + +=== "test_security_group_change" + + + ```json + { + "alertId": 233808, + "alertName": 
"Security Group Change", + "startTime": "2024-08-05T09:00:00.000Z", + "alertType": "SecurityGroupChange", + "severity": "Info", + "derivedFields": { + "category": "Policy", + "sub_category": "Cloud Activity", + "source": "AWS" + }, + "endTime": "2024-08-05T10:00:00.000Z", + "lastUserUpdatedTime": "", + "status": "Open", + "alertInfo": { + "description": " For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com ", + "subject": "Security Group Change: For account: 1234567890 (company) : SecurityGroup sg-012345 created/deleted/changed 5 times by user USER01:john.doe@company.com ", + "customerCount": 0, + "isExpectedLWBehavior": false + }, + "policyId": "lacework-global-2", + "evolvingAlert": false, + "tagMetadata": [], + "internetExposure": "UnknownInternetExposure", + "reachability": "UnknownReachability" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md new file mode 100644 index 0000000000..5618e9f5b2 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md 
@@ -0,0 +1,2873 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | Web logs coming from Clavister Next-Gen Firewall devices provide information about the connected client and the requested resource. | +| `DNS records` | Clavister Next-Gen Firewall provides detailed logs on handled DNS queries | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `metric` | +| Category | `authentication`, `configuration`, `database`, `network`, `session` | +| Type | `change`, `connection`, `denied`, `end`, `info`, `start` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "alg_session_closed.json" + + ```json + + { + "message": "id=200002 event=alg_session_closed message=ALG session closed [alg algmod=lw-http algsesid=111111111 ]", + "event": { + "category": [ + "session" + ], + "code": "200002", + "reason": "ALG", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + } + } + + ``` + + +=== "alg_session_open.json" + + ```json + + { + "message": "id=200001 event=alg_session_open [message=ALG session opened conndestzone=\"Zone_INTERNET\" connrecvzone=\"Zone_T0\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=TCP connsrcport=53264 conndestport=443 newconnsrcport=48703 newconndestport=443 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "session" + ], + "code": "200001", + "reason": "ALG session opened", + "type": [ + "start" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5" + }, + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 48703 + }, + "port": 53264 + } + } + + ``` + + +=== "application_end.json" + + ```json + + { + "message": "id=7200003 event=application_end [message=Application ended. Application: microsoft. 
connrecvzone=\"Zone_T0\" family=web application=microsoft risk=\"Very low\" origsent=314 conndestzone=\"Zone_INTERNET\" termsent=143 ssl_inspected=no ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58967 conndestport=443 newconnsrcport=47929 newconndestport=443 origsent=695 termsent=4.52 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "7200003", + "reason": "Application ended. Application: microsoft.", + "type": [ + "end" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 47929 + }, + "port": 58967 + } + } + + ``` + + +=== "application_identified.json" + + ```json + + { + "message": "id=7200001 event=application_identified action=allow [message=Application identified. Application: http2. application=http2 connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58732 conndestport=443 newconnsrcport=18314 newconndestport=443 origsent=414 termsent=3.09 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "7200001", + "reason": "Application identified. 
Application: http2.", + "type": [ + "end" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ] + }, + "rule": { + "name": "Nat_APPC_MICROSOFT_443" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 18314 + }, + "port": 58732 + } + } + + ``` + + +=== "application_identified_1.json" + + ```json + + { + "message": "id=7200002 event=application_identified action=close [message=Application identified. Application: windows_update. application=windows_update applicationpath=\"tcp.http.akamai.windows_update\" connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58871 conndestport=80 newconnsrcport=54739 newconndestport=80 origsent=334 termsent=52.0 connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "7200002", + "reason": "Application identified. 
Application: windows_update.", + "type": [ + "end" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 80 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ] + }, + "rule": { + "name": "Nat_APPC_MICROSOFT_443" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 54739 + }, + "port": 58871 + } + } + + ``` + + +=== "conn_close.json" + + ```json + + { + "message": "id=600002 event=conn_close action=close [message=Connection closed reason=\"\" connrecvzone=\"Zone_INTRA\" conndestzone=\"Zone_T0\" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=64650 conndestport=53 origsent=59.0 termsent=75.0 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]", + "event": { + "category": [ + "network" + ], + "code": "600002", + "reason": "Connection closed", + "type": [ + "end" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_T0", + "recvzone": "Zone_INTRA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 53 + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "Alw_GRP_NET-T11__EXA-T0_VB" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64650 + } + } + + ``` + + +=== "conn_open.json" + + ```json + + { + "message": "id=600001 event=conn_open [message=Connection opened conndestzone=\"Zone_T0\" connrecvzone=\"Zone_INTRA\" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn conn=Open connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=63182 conndestport=53 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]", + 
"event": { + "category": [ + "network" + ], + "code": "600001", + "reason": "Connection opened", + "type": [ + "start" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_T0", + "recvzone": "Zone_INTRA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 53 + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "Alw_GRP_NET-T11__EXA-T0_VB" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63182 + } + } + + ``` + + +=== "directed_broadcasts.json" + + ```json + + { + "message": "id=6000031 event=directed_broadcasts action=drop [message=Packet directed to the broadcast address of the destination network. Dropping recvzone=\"Zone_OneConnect\" ][rules rule=DirectedBroadcasts ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=78 ipproto=UDP ttl=128 fragid=27544 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC425 srcip=1.2.3.4 destip=255.255.255.255 ][udp packet srcport=137 destport=137 chksum=0xE3A9 iptotlen=58 ]", + "event": { + "category": [ + "network" + ], + "code": "6000031", + "reason": "Packet directed to the broadcast address of the destination network. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_OneConnect" + } + }, + "destination": { + "address": "255.255.255.255", + "ip": "255.255.255.255", + "port": 137 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "255.255.255.255" + ] + }, + "rule": { + "name": "DirectedBroadcasts" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 137 + } + } + + ``` + + +=== "disallowed_on_sync_iface.json" + + ```json + + { + "message": "id=1200400 event=disallowed_on_sync_iface action=drop [message=Received non-HA traffic on sync iface. 
Dropping recvzone=\"\" ][rules rule=HA_RestrictSyncIf ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=39 ]", + "event": { + "category": [ + "network" + ], + "code": "1200400", + "reason": "Received non-HA traffic on sync iface. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "39" + } + }, + "destination": { + "mac": "111111111111" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "HA_RestrictSyncIf" + }, + "source": { + "mac": "000000000000" + } + } + + ``` + + +=== "disallowed_sender.json" + + ```json + + { + "message": "id=3100001 event=disallowed_sender action=drop [message=Disallowed SNMP from 1.2.3.4, disallowed sender IP conndestzone=\"\" connrecvzone=\"Zone_INTERNET\" peer=1.2.3.4 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=55506 conndestport=161 connrecvif=AGG-VLAN_FO conndestif=core ]]", + "event": { + "category": [ + "network" + ], + "code": "3100001", + "reason": "Disallowed SNMP from 1.2.3.4, disallowed sender IP", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 161 + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 55506 + } + } + + ``` + + +=== "dns_cache_freeip4entry.json" + + ```json + + { + "message": "id=8000004 event=dns_cache_freeip4entry action=ignore [message=Removing an IP address from an FQDN object. 
fqdn=\"example.org\" removed_address=\"5.6.7.8\" ]", + "event": { + "category": [ + "database" + ], + "code": "8000004", + "reason": "Removing an IP address from an FQDN object.", + "type": [ + "change" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + } + } + + ``` + + +=== "hwaddr_change.json" + + ```json + + { + "message": "id=300008 event=hwaddr_change action=allow_processing [message=1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing. knownhw=00-11-22-33-44-55 knownip=1.2.3.4 recvzone=\"Zone_INTRA\" newhw=00-00-00-00-00-00 ][rules rule=ARPChanges ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]", + "event": { + "category": [ + "network" + ], + "code": "300008", + "reason": "1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing.", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Arp", + "knownhw": "00-11-22-33-44-55", + "knownip": "1.2.3.4", + "newhw": "00-00-00-00-00-00", + "recvzone": "Zone_INTRA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "ARPChanges" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111" + } + } + + ``` + + +=== "ike_sa_deleted.json" + + ```json + + { + "message": "id=1800906 event=ike_sa_deleted [message=IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. 
remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]", + "event": { + "category": [ + "network" + ], + "code": "1800906", + "reason": "IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8.", + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "ike_sa_failed.json" + + ```json + + { + "message": "id=1802022 event=ike_sa_failed action=no_ike_sa [message=IKE SA negotiation failed: \"Timed out\" \"\",Local IKE peer: \"1.2.3.4:500 ID (null)\", Remote IKE peer: \"5.6.7.8:500 ID (null)\", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000. spi_i=0x0000000000000000 local_peer=\"1.2.3.4:500 ID (null)\" ipsec_if=VPN_JOHN_DOE remote_peer=\"5.6.7.8:500 ID (null)\" statusmsg=\"Timed out\" reason=\"\" spi_r=0x0000000000000000 initiator=TRUE ]", + "event": { + "category": [ + "network" + ], + "code": "1802022", + "reason": "IKE SA negotiation failed: \"Timed out\" \"\",Local IKE peer: \"1.2.3.4:500 ID (null)\", Remote IKE peer: \"5.6.7.8:500 ID (null)\", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000.", + "type": [ + "denied" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + } + } + + ``` + + +=== "ike_sa_rekeyed.json" + + ```json + + { + "message": "id=1800905 event=ike_sa_rekeyed [message=IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. 
remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]", + "event": { + "category": [ + "network" + ], + "code": "1800905", + "reason": "IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8.", + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "ike_sa_statistics.json" + + ```json + + { + "message": "id=1802023 event=ike_sa_statistics [message=IKE SA negotiations: 757130 done, 17808 successful, 739322 failed done=757130 failed=739322 success=17808 ]", + "event": { + "category": [ + "network" + ], + "code": "1802023", + "kind": "metric", + "reason": "IKE SA negotiations: 757130 done, 17808 successful, 739322 failed", + "type": [ + "info" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + } + } + + ``` + + +=== "invalid_clienthello_server_name.json" + + ```json + + { + "message": "id=200275 event=invalid_clienthello_server_name [message=HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension (\"Pointer outside buffer (15)\"). 
cause=\"Pointer outside buffer (15)\" algname=DATACENTERS_EXA/71_NAT_SRV1111_ connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=6.7.8.9 connipproto=TCP connsrcport=59510 conndestport=443 newconnsrcport=31616 newconndestport=443 origsent=330 termsent=60.0 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "200275", + "reason": "HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension (\"Pointer outside buffer (15)\").", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "6.7.8.9" + }, + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "6.7.8.9" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 31616 + }, + "port": 59510 + } + } + + ``` + + +=== "invalid_http_syntax.json" + + ```json + + { + "message": "id=200144 event=invalid_http_syntax action=close [message=HTTPALG: Invalid HTTP syntax seen in request. 
reason=\"invalid HTTP method\" algname=DATACENTERS_EXA/780_INTERNET type=request connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=63745 conndestport=443 newconnsrcport=15969 newconndestport=443 origsent=196 termsent=52.0 connrecvif=IF_VLAN241_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "200144", + "reason": "HTTPALG: Invalid HTTP syntax seen in request.", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 15969 + }, + "port": 63745 + } + } + + ``` + + +=== "ip4_address_added.json" + + ```json + + { + "message": "id=6000070 event=ip4_address_added action=policy_updated [message=IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]", + "event": { + "category": [ + "configuration" + ], + "code": "6000070", + "reason": "IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter.", + "type": [ + "change" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "Nat_SRV1_FQDN-NTP_123" + } + } + + ``` + + +=== "ip4_address_removed.json" + + ```json + + { + "message": "id=6000072 event=ip4_address_removed action=policy_updated [message=IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter. 
dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]", + "event": { + "category": [ + "configuration" + ], + "code": "6000072", + "reason": "IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter.", + "type": [ + "change" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "Nat_SRV1_FQDN-NTP_123" + } + } + + ``` + + +=== "ip_reputation.json" + + ```json + + { + "message": "id=600120 event=ip_reputation action=none [message=IP address reputation query result. categories=\"none\" score=80 ip=5.6.7.8 connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=UDP connsrcport=59428 conndestport=53 newconnsrcport=15661 newconndestport=53 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "600120", + "reason": "IP address reputation query result.", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5" + }, + "port": 53 + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 15661 + }, + "port": 59428 + } + } + + ``` + + +=== "ipreputation_server_connect.json" + + ```json + + { + "message": "id=8200005 event=ipreputation_server_connect action=none [message=Connected to IP Reputation server 5.6.7.8. 
server=5.6.7.8 ]",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "code": "8200005",
+ "reason": "Connected to IP Reputation server 5.6.7.8.",
+ "type": [
+ "start"
+ ]
+ },
+ "observer": {
+ "product": "NGFW",
+ "vendor": "Clavister"
+ },
+ "related": {
+ "ip": [
+ "5.6.7.8"
+ ]
+ },
+ "server": {
+ "ip": "5.6.7.8"
+ }
+ }
+
+ ```
+
+
+=== "ipreputation_server_disconnect.json"
+
+ ```json
+
+ {
+ "message": "id=8200015 event=ipreputation_server_disconnect action=none [message=Disconnected from IP Reputation server 5.6.7.8. server=5.6.7.8 ]",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "code": "8200015",
+ "reason": "Disconnected from IP Reputation server 5.6.7.8.",
+ "type": [
+ "end"
+ ]
+ },
+ "observer": {
+ "product": "NGFW",
+ "vendor": "Clavister"
+ },
+ "related": {
+ "ip": [
+ "5.6.7.8"
+ ]
+ },
+ "server": {
+ "ip": "5.6.7.8"
+ }
+ }
+
+ ```
+
+
+=== "ipsec_sa_rekeyed.json"
+
+ ```json
+
+ {
+ "message": "id=1800908 event=ipsec_sa_rekeyed [message=IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222). 
dh_bits=3072 imsi=\"\" esp_spi_in=0x11111111 esp_spi_out=0x22222222 esp_mac=hmac-sha256-128 local_ip=1.2.3.4 esp_cipher=aes-cbc initiator=FALSE ike_spi_r=0x0011223344556677 esp_mac_keysize=0 old_spi=0x00000000 remote_ts=\"0.0.0.0/0\" esp_cipher_keysize=0 life_seconds=3600 ike_spi_i=0x0011223344556677 local_ts=\"0.0.0.0/0\" dh_group=15 remote_ip=1.2.3.4 life_kilobytes=0 ipsec_if=VPN_EXAMPLE_INTRANET ]", + "event": { + "category": [ + "network" + ], + "code": "1800908", + "reason": "IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222).", + "type": [ + "info" + ] + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "max_http_sessions_reached.json" + + ```json + + { + "message": "id=200110 event=max_http_sessions_reached action=close [message=HTTPALG: Maximum number of HTTP sessions (200) for service reached. Closing connection max_sessions=200 ]algmod=lw-http", + "event": { + "category": [ + "network" + ], + "code": "200110", + "reason": "HTTPALG: Maximum number of HTTP sessions (200) for service reached. Closing connection", + "type": [ + "info" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + } + } + + ``` + + +=== "mismatching_tcp_window_scale.json" + + ```json + + { + "message": "id=3400019 event=mismatching_tcp_window_scale action=adjust [message=Mismatching TCP window scale shift count. 
Expected 8 got not_used will use not_used connrecvzone=\"Zone_EXA\" effective=not_used new=not_used old=8 conndestzone=\"Zone_EXA\" recvzone=\"Zone_INTRANET\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=58157 conndestport=445 connrecvif=VPN_EXAMPLE conndestif=AGG-VLAN_EXA ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=48 ipproto=TCP ttl=127 fragid=9367 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x20BB srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=58157 destport=445 seqno=2939096905 ackno=0 chksum=0xC995 window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=28 tcpopt=8 mss=1380 NOP=NOP NOP=NOP sackpermit ]]", + "event": { + "category": [ + "network" + ], + "code": "3400019", + "reason": "Mismatching TCP window scale shift count. Expected 8 got not_used will use not_used", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_EXA", + "recvzone": "Zone_INTRANET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 445 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 58157 + } + } + + ``` + + +=== "no_new_conn_for_this_packet.json" + + ```json + + { + "message": "id=600012 event=no_new_conn_for_this_packet action=reject [message=State inspector would not open a new connection for this TCP packet, rejecting protocol=tcp recvzone=\"Zone_INTERNET\" ][rules rule=LogOpenFails ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=40 ipproto=TCP ttl=119 fragid=36135 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x4A8D srcip=1.2.3.4 
destip=5.6.7.8 ][tcp srcport=53255 destport=443 seqno=3259249701 ackno=1747743363 chksum=0xE0D8 window=0 urgentpointer=0 rsv=4 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=1 SYN=0 FIN=0 dataoffset=20 ]]", + "event": { + "category": [ + "network" + ], + "code": "600012", + "reason": "State inspector would not open a new connection for this TCP packet, rejecting", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 443 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "LogOpenFails" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 53255 + } + } + + ``` + + +=== "no_sender_ip.json" + + ```json + + { + "message": "id=300003 event=no_sender_ip action=drop [message=ARP query sender IP is 0.0.0.0. Dropping recvzone=\"Zone_T0\" ][rules rule=ARPQueryNoSenderIP ][ethernet hwsender=000000000000 hwdest=FFFFFFFFFFFF ipproto=Arp ][arp opcode=Request hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=000000000000 hwdest=FFFFFFFFFFFF srcip=0.0.0.0 destip=5.6.7.8 ]]", + "event": { + "category": [ + "network" + ], + "code": "300003", + "reason": "ARP query sender IP is 0.0.0.0. 
Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Arp", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "FFFFFFFFFFFF" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "0.0.0.0", + "5.6.7.8" + ] + }, + "rule": { + "name": "ARPQueryNoSenderIP" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "mac": "000000000000" + } + } + + ``` + + +=== "oneconnect_connection_attempt.json" + + ```json + + { + "message": "id=9000032 event=oneconnect_connection_attempt [message=OneConnect Client connection attempt device_id=win av_enabled=TRUE os_info=\"Microsoft Windows NT 10.0.19045.0\" oneconnect_version=3.9.9.0 ipaddr=1.2.3.4 av_updated=TRUE uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b iface=IF_OneConnect arch=X64 ]", + "event": { + "category": [ + "network" + ], + "code": "9000032", + "outcome": "failure", + "reason": "OneConnect Client connection attempt", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "oneconnect_dtls_conn_failed.json" + + ```json + + { + "message": "id=9000029 event=oneconnect_dtls_conn_failed [message=OneConnect DTLS connection failed error=\"DTLS connection negotiation aborted\" iface=IF_OneConnect ipaddr=1.2.3.4 ]", + "event": { + "category": [ + "network" + ], + "code": "9000029", + "outcome": "failure", + "reason": "OneConnect DTLS connection failed", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "oneconnect_dtls_read_error.json" + + ```json + + { + "message": "id=9000030 event=oneconnect_dtls_read_error [message=OneConnect DTLS 
packet read error errors=26 first_error=2 ipaddr=1.2.3.4 ]", + "event": { + "category": [ + "network" + ], + "code": "9000030", + "outcome": "failure", + "reason": "OneConnect DTLS packet read error", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "oneconnect_session_closed.json" + + ```json + + { + "message": "id=9000003 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=JDOE ipaddr=1.2.3.4 iface=IF_OneConnect connrecvzone=\"Zone_INTERNET\" conndestzone=\"\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=31713 conndestport=443 origsent=7.62 K termsent=7.67 K connrecvif=AGG-VLAN_FO conndestif=core ]]", + "event": { + "category": [ + "session" + ], + "code": "9000003", + "reason": "OneConnect session closed at IF_OneConnect", + "type": [ + "end" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 31713 + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "oneconnect_session_closed_1.json" + + ```json + + { + "message": "id=9000004 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=jdoe iface=IF_OneConnect ipaddr=1.2.3.4 ]", + "event": { + "category": [ + "session" + ], + "code": "9000004", + "reason": "OneConnect session closed at IF_OneConnect", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + 
"source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "oneconnect_session_created.json" + + ```json + + { + "message": "id=9000001 event=oneconnect_session_created [message=OneConnect Session created at IF_OneConnect connrecvzone=\"Zone_INTERNET\" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone=\"\" uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=5181 conndestport=443 origsent=5.79 K termsent=4.95 K connrecvif=AGG-VLAN_FO conndestif=core ]]", + "event": { + "category": [ + "session" + ], + "code": "9000001", + "reason": "OneConnect Session created at IF_OneConnect", + "type": [ + "start" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 5181 + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "oneconnect_session_disconnected.json" + + ```json + + { + "message": "id=9000005 event=oneconnect_session_disconnected [message=OneConnect session disconnected at IF_OneConnect username=JDOE iface=IF_OneConnect ipaddr=1.2.3.4 ]", + "event": { + "category": [ + "session" + ], + "code": "9000005", + "reason": "OneConnect session disconnected at IF_OneConnect", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "oneconnect_session_reconnected.json" + + ```json + + { + "message": "id=9000002 
event=oneconnect_session_reconnected [message=OneConnect Session reconnected at IF_OneConnect connrecvzone=\"Zone_INTERNET\" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone=\"\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=51249 conndestport=443 origsent=1.24 K termsent=2.86 K connrecvif=AGG-VLAN_FO conndestif=core ]]", + "event": { + "category": [ + "session" + ], + "code": "9000002", + "reason": "OneConnect Session reconnected at IF_OneConnect", + "type": [ + "start" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51249 + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "radius_auth_timeout.json" + + ```json + + { + "message": "id=3700105 event=radius_auth_timeout message=Timeout during RADIUS user authentication, contact with RADIUS server not established [userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Disallowed srcip=1.2.3.4 ]", + "event": { + "category": [ + "authentication" + ], + "code": "3700105", + "reason": "Timeout", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "request_url.json" + + ```json + + { + "message": "id=200125 event=request_url action=allow [message=HTTPALG: Requesting URL \"aaa.example.org/\". Categories: \"whitelist\". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH. 
connrecvzone=\"Zone_T0\" categories=\"whitelist\" audit=off url=\"aaa.example.org/\" domain=example.org override=no conndestzone=\"Zone_INTERNET\" algname=DATACENTERS_EXA/189_NAT_POWERSH ][alg algmod=lw-http algsesid=132209793 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=53879 conndestport=443 newconnsrcport=38330 newconndestport=443 origsent=337 termsent=52.0 connrecvif=IF_VLAN248_T0 conndestif=AGG-VLAN_FO ]]", + "event": { + "category": [ + "network" + ], + "code": "200125", + "reason": "HTTPALG: Requesting URL \"aaa.example.org/\". Categories: \"whitelist\". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH.", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_INTERNET", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 38330 + }, + "port": 53879 + } + } + + ``` + + +=== "route_exported_to_ospf_as.json" + + ```json + + { + "message": "id=1100002 event=route_exported_to_ospf_as [message=Route exported to OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.0.0.1-10.0.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]", + "event": { + "category": [ + "network" + ], + "code": "1100002", + "reason": "Route exported to OSPF AS", + "type": [ + "info" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "ExportRoute-VPN-OneConnect" + } + } + + ``` + + +=== "route_unexported_from_ospf_as.json" + + ```json + + { + "message": "id=1100003 
event=route_unexported_from_ospf_as [message=Route unexported from OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.1.0.1-10.1.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]", + "event": { + "category": [ + "network" + ], + "code": "1100003", + "reason": "Route unexported from OSPF AS", + "type": [ + "info" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "ExportRoute-VPN-OneConnect" + } + } + + ``` + + +=== "ruleset_drop_packet.json" + + ```json + + { + "message": "id=6000051 event=ruleset_drop_packet action=drop [message=Packet dropped by rule-set. Dropping recvzone=\"Zone_INTRA\" ][rules rule=Default_Rule ][ethernet hwsender=0000000000000 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=123 fragid=4107 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x21D8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=57168 destport=9100 seqno=389322187 ackno=0 chksum=0xF5CB window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]", + "event": { + "category": [ + "network" + ], + "code": "6000051", + "reason": "Packet dropped by rule-set. 
Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTRA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 9100 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "Default_Rule" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "0000000000000", + "port": 57168 + } + } + + ``` + + +=== "sesmgr_session_created.json" + + ```json + + { + "message": "id=4900001 event=sesmgr_session_created action=none [message=Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]", + "event": { + "category": [ + "session" + ], + "code": "4900001", + "reason": "Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon.", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "user": [ + "jdoe1.2.3.4:54912" + ] + }, + "user": { + "name": "jdoe1.2.3.4:54912" + } + } + + ``` + + +=== "sesmgr_session_removed.json" + + ```json + + { + "message": "id=4900003 event=sesmgr_session_removed action=none [message=Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]", + "event": { + "category": [ + "session" + ], + "code": "4900003", + "reason": "Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. 
Type: Netcon.", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "user": [ + "jdoe1.2.3.4:54912" + ] + }, + "user": { + "name": "jdoe1.2.3.4:54912" + } + } + + ``` + + +=== "ssl_error.json" + + ```json + + { + "message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=341 client_ip=1.2.3.4 error_message=\"record layer length error\" ]", + "event": { + "category": [ + "network" + ], + "code": "8800100", + "outcome": "failure", + "reason": "Detected SSL Error. Closing down SSL connection", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "nat": { + "ip": "1.2.3.4" + } + } + } + + ``` + + +=== "ssl_error_1.json" + + ```json + + { + "message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=352 client_ip=1.2.3.4 error_message=\"Bad ECC Peer Key\" ]", + "event": { + "category": [ + "network" + ], + "code": "8800100", + "outcome": "failure", + "reason": "Detected SSL Error. Closing down SSL connection", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "nat": { + "ip": "1.2.3.4" + } + } + } + + ``` + + +=== "ssl_error_2.json" + + ```json + + { + "message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=501 client_ip=1.2.3.4 error_message=\"can't match cipher suite\" ]", + "event": { + "category": [ + "network" + ], + "code": "8800100", + "outcome": "failure", + "reason": "Detected SSL Error. 
Closing down SSL connection", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "nat": { + "ip": "1.2.3.4" + } + } + } + + ``` + + +=== "tcp_flag_set.json" + + ```json + + { + "message": "id=3300004 event=tcp_flag_set action=strip_flag [message=The TCP URG flag is set. Stripping recvzone=\"Zone_T0\" bad_flag=URG ][rules rule=TCPUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=41 ipproto=TCP ttl=128 fragid=11924 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF2B9 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=64358 destport=1521 seqno=279418381 ackno=3379362693 chksum=0x4428 window=1026 urgentpointer=1 rsv=8 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=0 SYN=0 FIN=0 dataoffset=20 ]]", + "event": { + "category": [ + "network" + ], + "code": "3300004", + "reason": "The TCP URG flag is set. Stripping", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_T0" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 1521 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TCPUrg" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 64358 + } + } + + ``` + + +=== "tcp_flags_set.json" + + ```json + + { + "message": "id=3300008 event=tcp_flags_set action=drop [message=The TCP SYN and URG flags are set. 
Dropping recvzone=\"Zone_INTERNET\" good_flag=SYN bad_flag=URG ][rules rule=TCPSynUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=47 fragid=22760 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC1C8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=9751 destport=65023 seqno=3200649084 ackno=0 chksum=0x43A5 window=0 urgentpointer=20148 rsv=15 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=1 SYN=1 FIN=1 dataoffset=40 tcpopt=20 mss=1400 sackpermit tsopt=S:0xa349f6f7 R:0x0 NOP=NOP wsopt shift=6 ]]", + "event": { + "category": [ + "network" + ], + "code": "3300008", + "reason": "The TCP SYN and URG flags are set. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 65023 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TCPSynUrg" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 9751 + } + } + + ``` + + +=== "tcp_mss_above_log_level.json" + + ```json + + { + "message": "id=3400005 event=tcp_mss_above_log_level action=log [message=TCP MSS 8960 higher than log level. 
TCPMSSLogLevel=7000 recvzone=\"Zone_EXA\" mss=8960 mssloglevel=7000 tcpopt=2 ][rules rule=TCPMSSLogLevel ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=64 fragid=15048 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x94B srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=50512 destport=2051 seqno=4048667863 ackno=0 chksum=0x3CBC window=26880 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=40 tcpopt=20 mss=8960 sackpermit tsopt=S:0xcb0fe1f R:0x0 NOP=NOP wsopt shift=8 ]]", + "event": { + "category": [ + "network" + ], + "code": "3400005", + "reason": "TCP MSS 8960 higher than log level.", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_EXA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 2051 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TCPMSSLogLevel" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 50512 + } + } + + ``` + + +=== "tcp_option_strip.json" + + ```json + + { + "message": "id=3400007 event=tcp_option_strip action=strip [message=Packet has a type 254 TCP option. 
Stripping it tcpopt=254 recvzone=\"Zone_INTERNET\" ][rules rule=TCPOPT_OTHER ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=64 ipproto=TCP ttl=111 fragid=52547 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x5CE srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=22 destport=23753 seqno=2894526312 ackno=2184314881 chksum=0xDC3B window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=44 tcpopt=24 mss=1460 sackpermit tsopt=S:0x327b23c6 R:0x327b23c6 opt=254 len=4 END=END ]]", + "event": { + "category": [ + "network" + ], + "code": "3400007", + "reason": "Packet has a type 254 TCP option. Stripping it", + "type": [ + "info" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 23753 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TCPOPT_OTHER" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 22 + } + } + + ``` + + +=== "tcp_syn_data.json" + + ```json + + { + "message": "id=3300029 event=tcp_syn_data action=drop [message=SYN packet contains data. 
Dropping recvzone=\"Zone_INTERNET\" ][rules rule=TCP_SYN_Data ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=54 fragid=12818 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xD49 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=37751 destport=443 seqno=294625335 ackno=0 chksum=0x639C window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=20 ]]", + "event": { + "category": [ + "network" + ], + "code": "3300029", + "reason": "SYN packet contains data. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 443 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TCP_SYN_Data" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 37751 + } + } + + ``` + + +=== "ttl_low.json" + + ```json + + { + "message": "id=7000014 event=ttl_low action=drop [message=Received packet with too low TTL of 1. Min TTL is 3. Dropping ttlmin=3 ttl=1 recvzone=\"Zone_OneConnect\" ][rules rule=TTLOnLowMulticast ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=UDP ttl=1 fragid=13147 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x9A66 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=5353 destport=5353 chksum=0xC116 iptotlen=40 ]", + "event": { + "category": [ + "network" + ], + "code": "7000014", + "reason": "Received packet with too low TTL of 1. Min TTL is 3. 
Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "recvzone": "Zone_OneConnect" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 5353 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "TTLOnLowMulticast" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 5353 + } + } + + ``` + + +=== "unable_to_find_iface_to_stub_net.json" + + ```json + + { + "message": "id=2400400 event=unable_to_find_iface_to_stub_net [message=Internal error: Unable to find my interface attached to stub network 10.0.0.1/27 stub=10.0.0.1/27 ][rules rule=ospfarea ]", + "event": { + "category": [ + "network" + ], + "code": "2400400", + "outcome": "failure", + "reason": "Internal error: Unable to find my interface attached to stub network 10.0.0.1/27", + "type": [ + "info" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "ospfarea" + } + } + + ``` + + +=== "unexpected_tcp_flags.json" + + ```json + + { + "message": "id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags \"SYN ECE CWR\" from originator during state FIN_RCVD. 
Dropping connrecvzone=\"Zone_EXA\" flags=\"SYN ECE CWR\" state=FIN_RCVD endpoint=originator conndestzone=\"Zone_T0\" recvzone=\"Zone_EXA\" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=55080 conndestport=88 origsent=2.08 K termsent=2.09 K connrecvif=IF_VLAN1_T0 conndestif=IF_VLAN2_T0 ]][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=128 fragid=11369 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xEE34 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=55080 destport=88 seqno=2465177740 ackno=0 chksum=0x632F window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]", + "event": { + "category": [ + "network" + ], + "code": "3300010", + "reason": "Unexpected tcp flags \"SYN ECE CWR\" from originator during state FIN_RCVD. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_T0", + "ipproto": "Ip4", + "recvzone": "Zone_EXA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 88 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "LogStateViolations" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111", + "port": 55080 + } + } + + ``` + + +=== "unexpected_tcp_flags_1.json" + + ```json + + { + "message": "id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags SYN from originator during state FIN_RCVD. 
Dropping connrecvzone=\"Zone_EXA\" flags=SYN state=FIN_RCVD endpoint=originator conndestzone=\"Zone_EXA\" recvzone=\"Zone_EXA\" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=61799 conndestport=58080 origsent=144 termsent=40.0 connrecvif=VPN_EXAMPLE_INTRANET conndestif=AGG-VLAN_EXAMPLE ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=127 fragid=24895 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xA2D6 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=61799 destport=58080 seqno=2709173819 ackno=0 chksum=0x10C2 window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1380 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]", + "event": { + "category": [ + "network" + ], + "code": "3300010", + "reason": "Unexpected tcp flags SYN from originator during state FIN_RCVD. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "destzone": "Zone_EXA", + "recvzone": "Zone_EXA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 58080 + }, + "network": { + "transport": "tcp" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "LogStateViolations" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 61799 + } + } + + ``` + + +=== "unhandled_local.json" + + ```json + + { + "message": "id=6000060 event=unhandled_local action=drop [message=Allowed but unhandled packet to the firewall. 
Dropping recvzone=\"Zone_INTERNET\" ][rules rule=LocalUndelivered ][ethernet hwsender=1111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=71 ipproto=UDP ttl=250 fragid=54321 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF3B4 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=55506 destport=161 chksum=0x0 iptotlen=51 ]", + "event": { + "category": [ + "network" + ], + "code": "6000060", + "reason": "Allowed but unhandled packet to the firewall. Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Ip4", + "recvzone": "Zone_INTERNET" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000", + "port": 161 + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "LocalUndelivered" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "1111111111111", + "port": 55506 + } + } + + ``` + + +=== "unknown_vlantag.json" + + ```json + + { + "message": "id=6000040 event=unknown_vlantag action=drop [message=Received VLAN packet with unknown type0x8100 and VLAN ID 271. Dropping vlanid=271 type=0x8100 recvzone=\"\" ][rules rule=UnknownVLANTags ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=Vlan ]", + "event": { + "category": [ + "network" + ], + "code": "6000040", + "reason": "Received VLAN packet with unknown type0x8100 and VLAN ID 271. 
Dropping", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Vlan" + } + }, + "destination": { + "mac": "111111111111" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "rule": { + "name": "UnknownVLANTags" + }, + "source": { + "mac": "000000000000" + } + } + + ``` + + +=== "unsolicited_reply_drop.json" + + ```json + + { + "message": "id=300001 event=unsolicited_reply_drop [message=Unsolicited ARP reply received and dropped recvzone=\"Zone_INTRA\" ][rules rule=UnsolicitedARPReplies ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]", + "event": { + "category": [ + "network" + ], + "code": "300001", + "reason": "Unsolicited ARP reply received and dropped", + "type": [ + "denied" + ] + }, + "clavister": { + "ngfw": { + "ipproto": "Arp", + "recvzone": "Zone_INTRA" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "000000000000" + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "UnsolicitedARPReplies" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "111111111111" + } + } + + ``` + + +=== "user_disconnected.json" + + ```json + + { + "message": "id=9000011 event=user_disconnected [message=User JDOE is forcibly disconnected. Client: 1.2.3.4 username=JDOE client_ip=4.3.2.1 ipaddr=1.2.3.4 ]", + "event": { + "category": [ + "authentication" + ], + "code": "9000011", + "reason": "User JDOE is forcibly disconnected. 
Client: 1.2.3.4", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "user_login.json" + + ```json + + { + "message": "id=3700102 event=user_login [message=User logged in. Idle timeout: 1800, Session timeout: 0 groups=\"GROUP1,GROUP2\" idle_timeout=1800 session_timeout=0 ][userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Login srcip=1.2.3.4 ]", + "event": { + "category": [ + "authentication" + ], + "code": "3700102", + "reason": "User logged in. Idle timeout: 1800, Session timeout: 0", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "user_logout.json" + + ```json + + { + "message": "id=3700110 event=user_logout message=User logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]", + "event": { + "category": [ + "authentication" + ], + "code": "3700110", + "reason": "User", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "user_timeout.json" + + ```json + + { + "message": "id=3700020 event=user_timeout action=user_removed message=User timeout expired, user is automatically logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]", + "event": { + "category": [ + "authentication" + ], + "code": "3700020", + 
"reason": "User", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "wcf_connecting.json" + + ```json + + { + "message": "id=200122 event=wcf_connecting action=connecting [message=HTTPALG:Connecting to web content server 5.6.7.8 server=5.6.7.8 ]algmod=http", + "event": { + "category": [ + "network" + ], + "code": "200122", + "reason": "HTTPALG:Connecting to web content server 5.6.7.8", + "type": [ + "connection" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8" + } + } + + ``` + + +=== "wcf_server_connected.json" + + ```json + + { + "message": "id=200123 event=wcf_server_connected action=none [message=HTTPALG: Web content server 5.6.7.8 connected server=5.6.7.8 ]algmod=http", + "event": { + "category": [ + "network" + ], + "code": "200123", + "reason": "HTTPALG: Web content server 5.6.7.8 connected", + "type": [ + "start" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8" + } + } + + ``` + + +=== "wcf_server_disconnected.json" + + ```json + + { + "message": "id=200134 event=wcf_server_disconnected action=none [message=HTTPALG: Web content server 164.132.83.85 disconnected server=164.132.83.85 ]algmod=http", + "event": { + "category": [ + "network" + ], + "code": "200134", + "reason": "HTTPALG: Web content server 164.132.83.85 disconnected", + "type": [ + "end" + ] + }, + "observer": { + "product": "NGFW", + "vendor": "Clavister" + }, + "related": { + "ip": [ + "164.132.83.85" + ] + }, + "server": { + "ip": "164.132.83.85" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, 
normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`clavister.ngfw.destzone` | `keyword` | Destination zone | +|`clavister.ngfw.ipproto` | `keyword` | Data link layer protocol | +|`clavister.ngfw.knownhw` | `keyword` | Known hardware | +|`clavister.ngfw.knownip` | `keyword` | Known IP | +|`clavister.ngfw.newhw` | `keyword` | New hardware | +|`clavister.ngfw.recvzone` | `keyword` | Receive zone | +|`client.ip` | `ip` | IP address of the client. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.mac` | `keyword` | MAC address of the destination. | +|`destination.nat.ip` | `ip` | Destination NAT ip | +|`destination.nat.port` | `long` | Destination NAT Port | +|`destination.port` | `long` | Port of the destination. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.code` | `keyword` | Identification code for this event. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`rule.name` | `keyword` | Rule name | +|`server.ip` | `ip` | IP address of the server. | +|`source.ip` | `ip` | IP address of the source. | +|`source.mac` | `keyword` | MAC address of the source. 
| +|`source.nat.ip` | `ip` | Source NAT ip | +|`source.nat.port` | `long` | Source NAT port | +|`source.port` | `long` | Port of the source. | +|`user.name` | `keyword` | Short name or login of the user. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Clavister/clavister-ngfw). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed_sample.md b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed_sample.md new file mode 100644 index 0000000000..c0318bb8c1 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed_sample.md 
@@ -0,0 +1,526 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "alg_session_closed" + + ``` + id=200002 event=alg_session_closed message=ALG session closed [alg algmod=lw-http algsesid=111111111 ] + ``` + + + +=== "alg_session_open" + + ``` + id=200001 event=alg_session_open [message=ALG session opened conndestzone="Zone_INTERNET" connrecvzone="Zone_T0" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=TCP connsrcport=53264 conndestport=443 newconnsrcport=48703 newconndestport=443 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "application_end" + + ``` + id=7200003 event=application_end [message=Application ended. Application: microsoft. connrecvzone="Zone_T0" family=web application=microsoft risk="Very low" origsent=314 conndestzone="Zone_INTERNET" termsent=143 ssl_inspected=no ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58967 conndestport=443 newconnsrcport=47929 newconndestport=443 origsent=695 termsent=4.52 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "application_identified" + + ``` + id=7200001 event=application_identified action=allow [message=Application identified. Application: http2. 
application=http2 connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58732 conndestport=443 newconnsrcport=18314 newconndestport=443 origsent=414 termsent=3.09 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "application_identified_1" + + ``` + id=7200002 event=application_identified action=close [message=Application identified. Application: windows_update. application=windows_update applicationpath="tcp.http.akamai.windows_update" connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58871 conndestport=80 newconnsrcport=54739 newconndestport=80 origsent=334 termsent=52.0 connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "conn_close" + + ``` + id=600002 event=conn_close action=close [message=Connection closed reason="" connrecvzone="Zone_INTRA" conndestzone="Zone_T0" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=64650 conndestport=53 origsent=59.0 termsent=75.0 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]] + ``` + + + +=== "conn_open" + + ``` + id=600001 event=conn_open [message=Connection opened conndestzone="Zone_T0" connrecvzone="Zone_INTRA" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn conn=Open connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=63182 conndestport=53 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]] + ``` + + + +=== "directed_broadcasts" + + ``` + id=6000031 event=directed_broadcasts action=drop [message=Packet directed to the broadcast address of the destination network. 
Dropping recvzone="Zone_OneConnect" ][rules rule=DirectedBroadcasts ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=78 ipproto=UDP ttl=128 fragid=27544 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC425 srcip=1.2.3.4 destip=255.255.255.255 ][udp packet srcport=137 destport=137 chksum=0xE3A9 iptotlen=58 ] + ``` + + + +=== "disallowed_on_sync_iface" + + ``` + id=1200400 event=disallowed_on_sync_iface action=drop [message=Received non-HA traffic on sync iface. Dropping recvzone="" ][rules rule=HA_RestrictSyncIf ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=39 ] + ``` + + + +=== "disallowed_sender" + + ``` + id=3100001 event=disallowed_sender action=drop [message=Disallowed SNMP from 1.2.3.4, disallowed sender IP conndestzone="" connrecvzone="Zone_INTERNET" peer=1.2.3.4 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=55506 conndestport=161 connrecvif=AGG-VLAN_FO conndestif=core ]] + ``` + + + +=== "dns_cache_freeip4entry" + + ``` + id=8000004 event=dns_cache_freeip4entry action=ignore [message=Removing an IP address from an FQDN object. fqdn="example.org" removed_address="5.6.7.8" ] + ``` + + + +=== "hwaddr_change" + + ``` + id=300008 event=hwaddr_change action=allow_processing [message=1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing. 
knownhw=00-11-22-33-44-55 knownip=1.2.3.4 recvzone="Zone_INTRA" newhw=00-00-00-00-00-00 ][rules rule=ARPChanges ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]] + ``` + + + +=== "ike_sa_deleted" + + ``` + id=1800906 event=ike_sa_deleted [message=IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ] + ``` + + + +=== "ike_sa_failed" + + ``` + id=1802022 event=ike_sa_failed action=no_ike_sa [message=IKE SA negotiation failed: "Timed out" "",Local IKE peer: "1.2.3.4:500 ID (null)", Remote IKE peer: "5.6.7.8:500 ID (null)", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000. spi_i=0x0000000000000000 local_peer="1.2.3.4:500 ID (null)" ipsec_if=VPN_JOHN_DOE remote_peer="5.6.7.8:500 ID (null)" statusmsg="Timed out" reason="" spi_r=0x0000000000000000 initiator=TRUE ] + ``` + + + +=== "ike_sa_rekeyed" + + ``` + id=1800905 event=ike_sa_rekeyed [message=IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. 
remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ] + ``` + + + +=== "ike_sa_statistics" + + ``` + id=1802023 event=ike_sa_statistics [message=IKE SA negotiations: 757130 done, 17808 successful, 739322 failed done=757130 failed=739322 success=17808 ] + ``` + + + +=== "invalid_clienthello_server_name" + + ``` + id=200275 event=invalid_clienthello_server_name [message=HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension ("Pointer outside buffer (15)"). cause="Pointer outside buffer (15)" algname=DATACENTERS_EXA/71_NAT_SRV1111_ connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=6.7.8.9 connipproto=TCP connsrcport=59510 conndestport=443 newconnsrcport=31616 newconndestport=443 origsent=330 termsent=60.0 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "invalid_http_syntax" + + ``` + id=200144 event=invalid_http_syntax action=close [message=HTTPALG: Invalid HTTP syntax seen in request. reason="invalid HTTP method" algname=DATACENTERS_EXA/780_INTERNET type=request connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=63745 conndestport=443 newconnsrcport=15969 newconndestport=443 origsent=196 termsent=52.0 connrecvif=IF_VLAN241_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "ip4_address_added" + + ``` + id=6000070 event=ip4_address_added action=policy_updated [message=IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter. 
dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ] + ``` + + + +=== "ip4_address_removed" + + ``` + id=6000072 event=ip4_address_removed action=policy_updated [message=IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ] + ``` + + + +=== "ip_reputation" + + ``` + id=600120 event=ip_reputation action=none [message=IP address reputation query result. categories="none" score=80 ip=5.6.7.8 connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=UDP connsrcport=59428 conndestport=53 newconnsrcport=15661 newconndestport=53 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "ipreputation_server_connect" + + ``` + id=8200005 event=ipreputation_server_connect action=none [message=Connected to IP Reputation server 5.6.7.8. server=5.6.7.8 ] + ``` + + + +=== "ipreputation_server_disconnect" + + ``` + id=8200015 event=ipreputation_server_disconnect action=none [message=Disconnected from IP Reputation server 5.6.7.8. server=5.6.7.8 ] + ``` + + + +=== "ipsec_sa_rekeyed" + + ``` + id=1800908 event=ipsec_sa_rekeyed [message=IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222). dh_bits=3072 imsi="" esp_spi_in=0x11111111 esp_spi_out=0x22222222 esp_mac=hmac-sha256-128 local_ip=1.2.3.4 esp_cipher=aes-cbc initiator=FALSE ike_spi_r=0x0011223344556677 esp_mac_keysize=0 old_spi=0x00000000 remote_ts="0.0.0.0/0" esp_cipher_keysize=0 life_seconds=3600 ike_spi_i=0x0011223344556677 local_ts="0.0.0.0/0" dh_group=15 remote_ip=1.2.3.4 life_kilobytes=0 ipsec_if=VPN_EXAMPLE_INTRANET ] + ``` + + + +=== "max_http_sessions_reached" + + ``` + id=200110 event=max_http_sessions_reached action=close [message=HTTPALG: Maximum number of HTTP sessions (200) for service reached. 
Closing connection max_sessions=200 ]algmod=lw-http + ``` + + + +=== "mismatching_tcp_window_scale" + + ``` + id=3400019 event=mismatching_tcp_window_scale action=adjust [message=Mismatching TCP window scale shift count. Expected 8 got not_used will use not_used connrecvzone="Zone_EXA" effective=not_used new=not_used old=8 conndestzone="Zone_EXA" recvzone="Zone_INTRANET" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=58157 conndestport=445 connrecvif=VPN_EXAMPLE conndestif=AGG-VLAN_EXA ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=48 ipproto=TCP ttl=127 fragid=9367 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x20BB srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=58157 destport=445 seqno=2939096905 ackno=0 chksum=0xC995 window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=28 tcpopt=8 mss=1380 NOP=NOP NOP=NOP sackpermit ]] + ``` + + + +=== "no_new_conn_for_this_packet" + + ``` + id=600012 event=no_new_conn_for_this_packet action=reject [message=State inspector would not open a new connection for this TCP packet, rejecting protocol=tcp recvzone="Zone_INTERNET" ][rules rule=LogOpenFails ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=40 ipproto=TCP ttl=119 fragid=36135 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x4A8D srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=53255 destport=443 seqno=3259249701 ackno=1747743363 chksum=0xE0D8 window=0 urgentpointer=0 rsv=4 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=1 SYN=0 FIN=0 dataoffset=20 ]] + ``` + + + +=== "no_sender_ip" + + ``` + id=300003 event=no_sender_ip action=drop [message=ARP query sender IP is 0.0.0.0. 
Dropping recvzone="Zone_T0" ][rules rule=ARPQueryNoSenderIP ][ethernet hwsender=000000000000 hwdest=FFFFFFFFFFFF ipproto=Arp ][arp opcode=Request hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=000000000000 hwdest=FFFFFFFFFFFF srcip=0.0.0.0 destip=5.6.7.8 ]] + ``` + + + +=== "oneconnect_connection_attempt" + + ``` + id=9000032 event=oneconnect_connection_attempt [message=OneConnect Client connection attempt device_id=win av_enabled=TRUE os_info="Microsoft Windows NT 10.0.19045.0" oneconnect_version=3.9.9.0 ipaddr=1.2.3.4 av_updated=TRUE uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b iface=IF_OneConnect arch=X64 ] + ``` + + + +=== "oneconnect_dtls_conn_failed" + + ``` + id=9000029 event=oneconnect_dtls_conn_failed [message=OneConnect DTLS connection failed error="DTLS connection negotiation aborted" iface=IF_OneConnect ipaddr=1.2.3.4 ] + ``` + + + +=== "oneconnect_dtls_read_error" + + ``` + id=9000030 event=oneconnect_dtls_read_error [message=OneConnect DTLS packet read error errors=26 first_error=2 ipaddr=1.2.3.4 ] + ``` + + + +=== "oneconnect_session_closed" + + ``` + id=9000003 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=JDOE ipaddr=1.2.3.4 iface=IF_OneConnect connrecvzone="Zone_INTERNET" conndestzone="" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=31713 conndestport=443 origsent=7.62 K termsent=7.67 K connrecvif=AGG-VLAN_FO conndestif=core ]] + ``` + + + +=== "oneconnect_session_closed_1" + + ``` + id=9000004 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=jdoe iface=IF_OneConnect ipaddr=1.2.3.4 ] + ``` + + + +=== "oneconnect_session_created" + + ``` + id=9000001 event=oneconnect_session_created [message=OneConnect Session created at IF_OneConnect connrecvzone="Zone_INTERNET" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 
conndestzone="" uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=5181 conndestport=443 origsent=5.79 K termsent=4.95 K connrecvif=AGG-VLAN_FO conndestif=core ]] + ``` + + + +=== "oneconnect_session_disconnected" + + ``` + id=9000005 event=oneconnect_session_disconnected [message=OneConnect session disconnected at IF_OneConnect username=JDOE iface=IF_OneConnect ipaddr=1.2.3.4 ] + ``` + + + +=== "oneconnect_session_reconnected" + + ``` + id=9000002 event=oneconnect_session_reconnected [message=OneConnect Session reconnected at IF_OneConnect connrecvzone="Zone_INTERNET" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone="" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=51249 conndestport=443 origsent=1.24 K termsent=2.86 K connrecvif=AGG-VLAN_FO conndestif=core ]] + ``` + + + +=== "radius_auth_timeout" + + ``` + id=3700105 event=radius_auth_timeout message=Timeout during RADIUS user authentication, contact with RADIUS server not established [userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Disallowed srcip=1.2.3.4 ] + ``` + + + +=== "request_url" + + ``` + id=200125 event=request_url action=allow [message=HTTPALG: Requesting URL "aaa.example.org/". Categories: "whitelist". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH. 
connrecvzone="Zone_T0" categories="whitelist" audit=off url="aaa.example.org/" domain=example.org override=no conndestzone="Zone_INTERNET" algname=DATACENTERS_EXA/189_NAT_POWERSH ][alg algmod=lw-http algsesid=132209793 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=53879 conndestport=443 newconnsrcport=38330 newconndestport=443 origsent=337 termsent=52.0 connrecvif=IF_VLAN248_T0 conndestif=AGG-VLAN_FO ]] + ``` + + + +=== "route_exported_to_ospf_as" + + ``` + id=1100002 event=route_exported_to_ospf_as [message=Route exported to OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.0.0.1-10.0.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]] + ``` + + + +=== "route_unexported_from_ospf_as" + + ``` + id=1100003 event=route_unexported_from_ospf_as [message=Route unexported from OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.1.0.1-10.1.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]] + ``` + + + +=== "ruleset_drop_packet" + + ``` + id=6000051 event=ruleset_drop_packet action=drop [message=Packet dropped by rule-set. 
Dropping recvzone="Zone_INTRA" ][rules rule=Default_Rule ][ethernet hwsender=0000000000000 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=123 fragid=4107 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x21D8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=57168 destport=9100 seqno=389322187 ackno=0 chksum=0xF5CB window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]] + ``` + + + +=== "sesmgr_session_created" + + ``` + id=4900001 event=sesmgr_session_created action=none [message=Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ] + ``` + + + +=== "sesmgr_session_removed" + + ``` + id=4900003 event=sesmgr_session_removed action=none [message=Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ] + ``` + + + +=== "ssl_error" + + ``` + id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=341 client_ip=1.2.3.4 error_message="record layer length error" ] + ``` + + + +=== "ssl_error_1" + + ``` + id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=352 client_ip=1.2.3.4 error_message="Bad ECC Peer Key" ] + ``` + + + +=== "ssl_error_2" + + ``` + id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=501 client_ip=1.2.3.4 error_message="can't match cipher suite" ] + ``` + + + +=== "tcp_flag_set" + + ``` + id=3300004 event=tcp_flag_set action=strip_flag [message=The TCP URG flag is set. 
Stripping recvzone="Zone_T0" bad_flag=URG ][rules rule=TCPUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=41 ipproto=TCP ttl=128 fragid=11924 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF2B9 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=64358 destport=1521 seqno=279418381 ackno=3379362693 chksum=0x4428 window=1026 urgentpointer=1 rsv=8 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=0 SYN=0 FIN=0 dataoffset=20 ]] + ``` + + + +=== "tcp_flags_set" + + ``` + id=3300008 event=tcp_flags_set action=drop [message=The TCP SYN and URG flags are set. Dropping recvzone="Zone_INTERNET" good_flag=SYN bad_flag=URG ][rules rule=TCPSynUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=47 fragid=22760 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC1C8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=9751 destport=65023 seqno=3200649084 ackno=0 chksum=0x43A5 window=0 urgentpointer=20148 rsv=15 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=1 SYN=1 FIN=1 dataoffset=40 tcpopt=20 mss=1400 sackpermit tsopt=S:0xa349f6f7 R:0x0 NOP=NOP wsopt shift=6 ]] + ``` + + + +=== "tcp_mss_above_log_level" + + ``` + id=3400005 event=tcp_mss_above_log_level action=log [message=TCP MSS 8960 higher than log level. 
TCPMSSLogLevel=7000 recvzone="Zone_EXA" mss=8960 mssloglevel=7000 tcpopt=2 ][rules rule=TCPMSSLogLevel ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=64 fragid=15048 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x94B srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=50512 destport=2051 seqno=4048667863 ackno=0 chksum=0x3CBC window=26880 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=40 tcpopt=20 mss=8960 sackpermit tsopt=S:0xcb0fe1f R:0x0 NOP=NOP wsopt shift=8 ]] + ``` + + + +=== "tcp_option_strip" + + ``` + id=3400007 event=tcp_option_strip action=strip [message=Packet has a type 254 TCP option. Stripping it tcpopt=254 recvzone="Zone_INTERNET" ][rules rule=TCPOPT_OTHER ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=64 ipproto=TCP ttl=111 fragid=52547 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x5CE srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=22 destport=23753 seqno=2894526312 ackno=2184314881 chksum=0xDC3B window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=44 tcpopt=24 mss=1460 sackpermit tsopt=S:0x327b23c6 R:0x327b23c6 opt=254 len=4 END=END ]] + ``` + + + +=== "tcp_syn_data" + + ``` + id=3300029 event=tcp_syn_data action=drop [message=SYN packet contains data. 
Dropping recvzone="Zone_INTERNET" ][rules rule=TCP_SYN_Data ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=54 fragid=12818 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xD49 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=37751 destport=443 seqno=294625335 ackno=0 chksum=0x639C window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=20 ]] + ``` + + + +=== "ttl_low" + + ``` + id=7000014 event=ttl_low action=drop [message=Received packet with too low TTL of 1. Min TTL is 3. Dropping ttlmin=3 ttl=1 recvzone="Zone_OneConnect" ][rules rule=TTLOnLowMulticast ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=UDP ttl=1 fragid=13147 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x9A66 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=5353 destport=5353 chksum=0xC116 iptotlen=40 ] + ``` + + + +=== "unable_to_find_iface_to_stub_net" + + ``` + id=2400400 event=unable_to_find_iface_to_stub_net [message=Internal error: Unable to find my interface attached to stub network 10.0.0.1/27 stub=10.0.0.1/27 ][rules rule=ospfarea ] + ``` + + + +=== "unexpected_tcp_flags" + + ``` + id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags "SYN ECE CWR" from originator during state FIN_RCVD. 
Dropping connrecvzone="Zone_EXA" flags="SYN ECE CWR" state=FIN_RCVD endpoint=originator conndestzone="Zone_T0" recvzone="Zone_EXA" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=55080 conndestport=88 origsent=2.08 K termsent=2.09 K connrecvif=IF_VLAN1_T0 conndestif=IF_VLAN2_T0 ]][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=128 fragid=11369 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xEE34 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=55080 destport=88 seqno=2465177740 ackno=0 chksum=0x632F window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]] + ``` + + + +=== "unexpected_tcp_flags_1" + + ``` + id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags SYN from originator during state FIN_RCVD. 
Dropping connrecvzone="Zone_EXA" flags=SYN state=FIN_RCVD endpoint=originator conndestzone="Zone_EXA" recvzone="Zone_EXA" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=61799 conndestport=58080 origsent=144 termsent=40.0 connrecvif=VPN_EXAMPLE_INTRANET conndestif=AGG-VLAN_EXAMPLE ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=127 fragid=24895 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xA2D6 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=61799 destport=58080 seqno=2709173819 ackno=0 chksum=0x10C2 window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1380 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]] + ``` + + + +=== "unhandled_local" + + ``` + id=6000060 event=unhandled_local action=drop [message=Allowed but unhandled packet to the firewall. Dropping recvzone="Zone_INTERNET" ][rules rule=LocalUndelivered ][ethernet hwsender=1111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=71 ipproto=UDP ttl=250 fragid=54321 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF3B4 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=55506 destport=161 chksum=0x0 iptotlen=51 ] + ``` + + + +=== "unknown_vlantag" + + ``` + id=6000040 event=unknown_vlantag action=drop [message=Received VLAN packet with unknown type0x8100 and VLAN ID 271. 
Dropping vlanid=271 type=0x8100 recvzone="" ][rules rule=UnknownVLANTags ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=Vlan ] + ``` + + + +=== "unsolicited_reply_drop" + + ``` + id=300001 event=unsolicited_reply_drop [message=Unsolicited ARP reply received and dropped recvzone="Zone_INTRA" ][rules rule=UnsolicitedARPReplies ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]] + ``` + + + +=== "user_disconnected" + + ``` + id=9000011 event=user_disconnected [message=User JDOE is forcibly disconnected. Client: 1.2.3.4 username=JDOE client_ip=4.3.2.1 ipaddr=1.2.3.4 ] + ``` + + + +=== "user_login" + + ``` + id=3700102 event=user_login [message=User logged in. Idle timeout: 1800, Session timeout: 0 groups="GROUP1,GROUP2" idle_timeout=1800 session_timeout=0 ][userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Login srcip=1.2.3.4 ] + ``` + + + +=== "user_logout" + + ``` + id=3700110 event=user_logout message=User logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ] + ``` + + + +=== "user_timeout" + + ``` + id=3700020 event=user_timeout action=user_removed message=User timeout expired, user is automatically logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ] + ``` + + + +=== "wcf_connecting" + + ``` + id=200122 event=wcf_connecting action=connecting [message=HTTPALG:Connecting to web content server 5.6.7.8 server=5.6.7.8 ]algmod=http + ``` + + + +=== "wcf_server_connected" + + ``` + id=200123 event=wcf_server_connected action=none [message=HTTPALG: Web content server 5.6.7.8 connected server=5.6.7.8 ]algmod=http + ``` + + + +=== "wcf_server_disconnected" + + ``` + 
id=200134 event=wcf_server_disconnected action=none [message=HTTPALG: Web content server 164.132.83.85 disconnected server=164.132.83.85 ]algmod=http + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md index 43157371cb..4684354d0c 100644 --- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md @@ -96,6 +96,56 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "access_extended.json" + + ```json + + { + "message": "24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "access" + ] + }, + "action": { + "name": "GET", + "outcome": "success", + "properties": { + "timestamp": "31/Jul/2024:16:41:52 +0200" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 5771, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "24.202.202.247" + ] + }, + "source": { + "address": "24.202.202.247", + "ip": "24.202.202.247" + }, + "url": { + "original": "/test/integration/abcdefgh123456.js", + "path": "/test/integration/abcdefgh123456.js" + } + } + + ``` + + === "common_log_format.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md index 5a84e8b40a..ea514ace69 100644 
--- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md @@ -12,6 +12,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "access_extended" + + ``` + 24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] "GET /test/integration/abcdefgh123456.js HTTP/1.1" 200 5771 "https://www.website.fr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384 + ``` + + + === "common_log_format" ``` diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 99043dfd48..212dd5fd91 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md @@ -50,14 +50,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "destination": { "port": 0 }, - "host": { - "name": "hostexample" - }, "log": { "hostname": "hostexample", "logger": "userid" }, "observer": { + "name": "hostexample", "product": "PAN-OS", "serial_number": "016401002222" }, @@ -114,14 +112,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "destination": { "port": 0 }, - "host": { - "name": "hostname_example" - }, "log": { "hostname": "hostname_example", "logger": "userid" }, "observer": { + "name": "hostname_example", "product": "PAN-OS", "serial_number": "01640103000" }, 
@@ -401,6 +397,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "version": "2.0" }, "paloalto": { + "DirectionOfAttack": "client to server", "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", "PanOSSourceLocation": "1.1.1.1-1.1.1.1", "URLCategory": "any", @@ -472,9 +469,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "userdest" } }, - "host": { - "name": "FWPA01" - }, "log": { "hostname": "FWPA01", "logger": "traffic" @@ -486,6 +480,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "tcp" }, "observer": { + "name": "FWPA01", "product": "PAN-OS", "serial_number": "001701003551" }, @@ -570,9 +565,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "destuser" } }, - "host": { - "name": "FWPA01" - }, "log": { "hostname": "FWPA01", "logger": "traffic" @@ -584,6 +576,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "tcp" }, "observer": { + "name": "FWPA01", "product": "PAN-OS", "serial_number": "001701003551" }, @@ -966,9 +959,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "packets": 0, "port": 0 }, - "host": { - "name": "PA" - }, "log": { "hostname": "PA", "logger": "traffic" @@ -980,6 +970,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "icmp" }, "observer": { + "name": "PA", "product": "PAN-OS", "serial_number": "1801017000" }, @@ -1100,6 +1091,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "5.6.7.8", + "domain": "www.example.org", "geo": { "country_iso_code": "NL" }, 
@@ -1110,14 +1102,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 443 }, - "host": { - "name": "DN-EUWEST-F2" - }, - "http": { - "request": { - "method": "unknown" - } - }, "log": { "hostname": "DN-EUWEST-F2", "level": "Informational", @@ -1137,6 +1121,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "alias": "INSIDE" } }, + "name": "DN-EUWEST-F2", "product": "PAN-OS", "serial_number": "000011111112222" }, @@ -1145,6 +1130,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DGHierarchyLevel2": "117", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", "Threat_ContentType": "url", "URLCategory": "computer-and-internet-info", "VirtualLocation": "vsys1" @@ -1173,6 +1159,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 51501 }, + "threat": { + "indicator": { + "name": "www.example.org" + } + }, "url": { "domain": "www.example.org", "registered_domain": "example.org", @@ -1209,6 +1200,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "5.6.7.8", + "domain": "www.example.com", "geo": { "country_iso_code": "US" }, @@ -1219,9 +1211,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 80 }, - "host": { - "name": "ZR-EUWS-1" - }, "http": { "request": { "method": "get" @@ -1246,6 +1235,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "alias": "ZR-EUWS-1" } }, + "name": "ZR-EUWS-1", "product": "PAN-OS", "serial_number": "no-serial" }, 
@@ -1255,6 +1245,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DGHierarchyLevel2": "525", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", "Threat_ContentType": "url", "URLCategory": "computer-and-internet-info", "VirtualLocation": "vsys1" @@ -1290,6 +1281,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "jdoe@example.org" } }, + "threat": { + "indicator": { + "name": "www.example.com/connecttest.txt" + } + }, "url": { "domain": "www.example.com", "path": "connecttest.txt", @@ -1425,15 +1421,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "auth-success", "type": "auth" }, - "host": { - "name": "fw1" - }, "log": { "hostname": "fw1", "level": "informational", "logger": "system" }, "observer": { + "name": "fw1", "product": "PAN-OS", "serial_number": "11111114444" }, @@ -1500,9 +1494,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "packets": 1, "port": 80 }, - "host": { - "name": "PP" - }, "log": { "hostname": "PP", "logger": "traffic" @@ -1514,6 +1505,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "tcp" }, "observer": { + "name": "PP", "product": "PAN-OS", "serial_number": "1801016000" }, 
@@ -1706,6 +1698,70 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_dns_response.json" + + ```json + + { + "message": "{\"VendorName\":\"test networks\",\"DeviceSN\":\"7FD26D6XXXXXXXX\",\"TimeReceived\":\"2024-07-08T09:01:10.502737Z\",\"LogType\":\"DNS\",\"Subtype\":\"realtime_dns_telemetry_response\",\"SubType\":\"realtime_dns_telemetry_response\",\"TimeGenerated\":\"2024-07-08T09:01:10.000000Z\",\"RecordType\":\"a\",\"DNSResolverIP\":\"1.2.3.4\",\"ThreatID\":0,\"DNSCategory\":\"benign\",\"ThreatName\":null,\"SourceAddress\":\"5.6.7.8\",\"FromZone\":\"trust\",\"Action\":\"Allow\",\"DNSResponse\":[\"8.9.1.2\"],\"ToZone\":null,\"DestinationUser\":null}", + "event": { + "action": "Allow", + "category": [ + "network" + ], + "dataset": "dns", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-08T09:01:10Z", + "action": { + "name": "Allow", + "outcome": "success", + "type": "realtime_dns_telemetry_response" + }, + "dns": { + "question": { + "type": "a" + }, + "resolved_ip": [ + "8.9.1.2" + ] + }, + "log": { + "logger": "dns" + }, + "observer": { + "ingress": { + "interface": { + "alias": "trust" + } + }, + "product": "PAN-OS", + "serial_number": "7FD26D6XXXXXXXX" + }, + "paloalto": { + "Threat_ContentType": "realtime_dns_telemetry_response", + "dns": { + "category": "benign" + } + }, + "related": { + "ip": [ + "5.6.7.8", + "8.9.1.2" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + } + } + + ``` + + === "test_file_alert_json.json" ```json @@ -1744,9 +1800,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "file": { "name": "some_file_name" }, - "host": { - "name": "GP cloud service" - }, "log": { "hostname": "GP cloud service", "level": "Low", 
@@ -1766,6 +1819,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "alias": "trust" } }, + "name": "GP cloud service", "product": "PAN-OS", "serial_number": "no-serial" }, @@ -1774,6 +1828,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DGHierarchyLevel2": "467", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", + "DirectionOfAttack": "server to client", "Threat_ContentType": "file", "URLCategory": "computer-and-internet-info", "VirtualLocation": "vsys1" 
@@ -1802,139 +1857,603 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 53514, "user": { - "name": "john.doe@example.com" + "name": "john.doe@example.com" + } + }, + "user": { + "domain": "john.doe", + "email": "john.doe@example.com", + "name": "example.com" + } + } + + ``` + + +=== "test_globalprotect.json" + + ```json + + { + "message": "1,2024/01/12 11:41:42,015451000023232323,GLOBALPROTECT,0,2562,2024/01/12 11:41:42,vsys1,gateway-switch-to-ssl,tunnel,,SSLVPN,test.fr\\JDOE,FR,2023-01724,1.2.3.4,0.0.0.0,1.2.3.4,0.0.0.0,662f0b44-e024-4a70,PF000000,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,CD78_VPN_GP_GATEWAY,5555555555555555555,0x8000000000000000,2024-01-12T11:41:43.895+02:00,,,,,,0,0,0,0,,test-01-01,1", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-12T09:41:43.895000Z", + "action": { + "name": "gateway-switch-to-ssl", + "outcome": "success", + "type": "0" + }, + "host": { + "name": "2023-01724", + "os": { + "version": "Microsoft Windows 10 Enterprise , 64-bit" + } + }, + "log": { + "logger": "globalprotect" + }, + "network": { + "type": "SSLVPN" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "PF000000" + }, + "paloalto": { + "EventID": "gateway-switch-to-ssl", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "tunnel" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "FR" + }, + "ip": "1.2.3.4", + "user": { + "domain": "test.fr", + "name": "JDOE" + } + }, + "user": { + "domain": "test.fr", + "name": "JDOE" + }, + "user_agent": { + "os": { + "name": "Windows", + "version": "Microsoft Windows 10 Enterprise , 64-bit" + } + } + } + + ``` + + +=== "test_installed_package_json.json" + + ```json + + { + "message": 
"{\"LogTime\":\"2023-02-16T15:49:04.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:48:57.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Installed contents package: panupv2-all-contents-8676-7858.tgz\",\"SequenceNo\":7200776623254143152,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:48:57.395000Z\"}\n", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "contents", + "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:48:57Z", + "action": { + "type": "general" + }, + "file": { + "name": "panupv2-all-contents-8676-7858.tgz" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } + + ``` + + +=== "test_ldap_brute_force.json" + + ```json + + { + "message": "1,2024/08/03 12:16:42,012001002253,THREAT,vulnerability,2561,2024/08/03 12:17:45,5.6.7.8,1.2.3.4,0.0.0.0,0.0.0.0,IN_VPN-AZURE-ALSID,,paloaltonetwork\\\\username,ldap,vsys1,VPN,LAN,tunnel.3,ethernet1/4,default,2024/08/03 12:17:45,110079,1,62074,389,0,0,0x80002000,tcp,alert,,LDAP: User Login Brute Force 
Attempt(40005),any,high,client-to-server,7395125856205392467,0x8000000000000000,192.168.0.0-192.168.255.255,172.16.0.0-172.31.255.255,,,1210225322167894624,,,0,,,,,,,,0,24,315,0,0,,hostname_example,,,,,0,,0,,N/A,brute-force,AppThreat-8877-8886,0x0,0,4294967295,,,2c146dd4-d96a-455f-96fc-7f3e2c37c70d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-03T12:17:45.360+02:00,,,,auth-service,business-systems,client-server,2,\\\"has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,untunneled,no,no,", + "event": { + "action": "alert", + "category": [ + "vulnerability" + ], + "code": "40005", + "dataset": "threat", + "outcome": "success", + "reason": "LDAP: User Login Brute Force Attempt", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-03T10:17:45.360000Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "vulnerability" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 389, + "user": { + "domain": "paloaltonetwork", + "name": "username" + } + }, + "log": { + "hostname": "hostname_example", + "level": "high", + "logger": "threat" + }, + "network": { + "application": "ldap", + "transport": "tcp" + }, + "observer": { + "name": "hostname_example", + "product": "PAN-OS", + "serial_number": "012001002253" + }, + "paloalto": { + "DGHierarchyLevel1": "24", + "DGHierarchyLevel2": "315", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", + "threat": { + "id": "40005", + "name": "LDAP: User Login Brute Force Attempt", + "type": "vulnerability exploit detection" + } + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "username" + ] + }, + "rule": { + "name": "IN_VPN-AZURE-ALSID", + "uuid": "2c146dd4-d96a-455f-96fc-7f3e2c37c70d" + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 62074 + } + } + + ``` + + 
+=== "test_new_file_type.json" + + ```json + + { + "message": "{\"TimeReceived\":\"2024-07-08T08:33:33.000000Z\",\"DeviceSN\":\"007954000XXXXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"file\",\"SubType\":\"file\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:30:04.000000Z\",\"SourceAddress\":\"4.3.2.1\",\"DestinationAddress\":\"5.2.1.8\",\"NATSource\":\"2.2.1.6\",\"NATDestination\":\"5.2.1.8\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"DTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/1.111\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":6111111,\"RepeatCount\":1,\"SourcePort\":42222,\"DestinationPort\":80,\"NATSourcePort\":22408,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"FileName\":\"test_file.bin\",\"URLCategory\":\"business-and-economy\",\"VendorSeverity\":\"Low\",\"DirectionOfAttack\":\"server to 
client\",\"SequenceNo\":73503956876,\"SourceLocation\":\"1.2.0.0-1.2.255.255\",\"DestinationLocation\":\"US\",\"PacketID\":0,\"FileHash\":null,\"ReportID\":0,\"DGHierarchyLevel1\":999,\"DGHierarchyLevel2\":1111,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST-F2\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStartTime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ContentVersion\":\"581116536\",\"SigFlags\":0,\"RuleUUID\":\"6935060f-6443-4257-91f8\",\"HTTP2Connection\":0,\"DynamicUserGroup\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":\"1.0.0\",\"SourceDeviceHost\":\"Test-device\",\"SourceDeviceMac\":\"11.22.33.44.55.66\",\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:30:04.855000Z\",\"ReasonForDataFilteringAction\":null,\"Justification\":null,\"NSSAINetworkSliceType\":null}", + "event": { + "action": "alert", + "category": [ + "file" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-08T15:30:04Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "file" + }, + "destination": { + "address": "5.2.1.8", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.2.1.8", + "nat": { + "ip": "5.2.1.8", + 
"port": 80 + }, + "port": 80 + }, + "file": { + "name": "test_file.bin" + }, + "host": { + "mac": "11.22.33.44.55.66", + "name": "Test-device", + "os": { + "version": "1.0.0" + } + }, + "log": { + "hostname": "DN-TEST-F2", + "level": "Low", + "logger": "threat" + }, + "network": { + "application": "web-browsing" + }, + "observer": { + "egress": { + "interface": { + "alias": "Untrust" + } + }, + "ingress": { + "interface": { + "alias": "DTT" + } + }, + "name": "DN-TEST-F2", + "product": "PAN-OS", + "serial_number": "007954000XXXXXX" + }, + "paloalto": { + "DGHierarchyLevel1": "999", + "DGHierarchyLevel2": "1111", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "server to client", + "Threat_ContentType": "file", + "URLCategory": "business-and-economy", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "2.2.1.6", + "4.3.2.1", + "5.2.1.8" + ] + }, + "rule": { + "name": "Guest_Mobile_Internet Access", + "uuid": "6935060f-6443-4257-91f8" + }, + "source": { + "address": "4.3.2.1", + "ip": "4.3.2.1", + "nat": { + "ip": "2.2.1.6", + "port": 22408 + }, + "port": 42222 + } + } + + ``` + + +=== "test_new_globalprotect.json" + + ```json + + { + "message": "{\"TimeReceived\":\"2024-07-08T09:01:14.000000Z\",\"DeviceSN\":\"00795700000000\",\"LogType\":\"GLOBALPROTECT\",\"Subtype\":\"globalprotect\",\"LogSubtype\":\"globalprotect\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T09:01:14.000000Z\",\"VirtualSystem\":\"vsys1\",\"EventIDValue\":\"gateway-logout\",\"Stage\":\"logout\",\"AuthMethod\":null,\"TunnelType\":null,\"SourceUserName\":\"joe.doe@test.com\",\"SourceRegion\":\"1.0.0.0-1.255.255.255\",\"EndpointDeviceName\":\"LNL-test\",\"PublicIPv4\":\"1.5.7.3\",\"PublicIPv6\":\"\",\"PrivateIPv4\":\"1.2.3.4\",\"PrivateIPv6\":\"\",\"HostID\":\"e4f14dfd-bd3c-40e5-9c4e\",\"EndpointSN\":\"5CD4153333\",\"GlobalProtectClientVersion\":\"0.0.-1\",\"EndpointOSType\":\"Windows\",\"EndpointOSVersion\":\"Microsoft Windows 11 Enterprise , 
64-bit\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"QuarantineReason\":null,\"ConnectionError\":null,\"Description\":\"client logout\",\"EventStatus\":\"success\",\"GlobalProtectGatewayLocation\":null,\"LoginDuration\":3625,\"ConnectionMethod\":null,\"ConnectionErrorID\":0,\"Portal\":\"Internal_test\",\"SequenceNo\":7359635570821640000,\"TimeGeneratedHighResolution\":\"2024-07-08T09:01:14.449000Z\",\"GatewaySelectionType\":\"\",\"SSLResponseTime\":-1,\"GatewayPriority\":null,\"AttemptedGateways\":null,\"Gateway\":null,\"DGHierarchyLevel1\":556,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DG-test\",\"VirtualSystemID\":1}", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "reason": "client logout", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-08T09:01:14Z", + "action": { + "type": "globalprotect" + }, + "host": { + "name": "LNL-test" + }, + "log": { + "hostname": "DG-test", + "logger": "globalprotect" + }, + "observer": { + "name": "DG-test", + "product": "PAN-OS", + "serial_number": "00795700000000", + "version": "0.0.-1" + }, + "paloalto": { + "DGHierarchyLevel1": "556", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "globalprotect", + "VirtualSystemID": "1", + "connection": { + "stage": "logout" + }, + "source": { + "private": { + "ip": "1.2.3.4" + }, + "region": "1.0.0.0-1.255.255.255" + } + }, + "related": { + "ip": [ + "1.5.7.3" + ], + "user": [ + "joe.doe@test.com" + ] + }, + "source": { + "address": "1.5.7.3", + "ip": "1.5.7.3", + "user": { + "name": "joe.doe@test.com" } - }, - "user": { - "domain": "john.doe", - "email": "john.doe@example.com", - "name": "example.com" } } ``` -=== "test_globalprotect.json" +=== "test_new_threat_type.json" ```json { - "message": "1,2024/01/12 11:41:42,015451000023232323,GLOBALPROTECT,0,2562,2024/01/12 
11:41:42,vsys1,gateway-switch-to-ssl,tunnel,,SSLVPN,test.fr\\JDOE,FR,2023-01724,1.2.3.4,0.0.0.0,1.2.3.4,0.0.0.0,662f0b44-e024-4a70,PF000000,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,CD78_VPN_GP_GATEWAY,5555555555555555555,0x8000000000000000,2024-01-12T11:41:43.895+02:00,,,,,,0,0,0,0,,test-01-01,1", + "message": "{\"TimeReceived\":\"2024-07-08T08:55:38.000000Z\",\"DeviceSN\":\"007954000370000\",\"LogType\":\"THREAT\",\"Subtype\":\"vulnerability\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:52:09.000000Z\",\"SourceAddress\":\"1.2.1.3\",\"DestinationAddress\":\"2.2.1.4\",\"NATSource\":\"\",\"NATDestination\":\"\",\"Rule\":\"Public_TTT_Mgmt\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssh\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"TTT\",\"InboundInterface\":\"ethernet1/8\",\"OutboundInterface\":\"ethernet1/4.124\",\"LogSetting\":\"test_setting\",\"SessionID\":72837,\"RepeatCount\":1,\"SourcePort\":52000,\"DestinationPort\":21,\"NATSourcePort\":0,\"NATDestinationPort\":0,\"Protocol\":\"tcp\",\"Action\":\"reset-both\",\"FileName\":null,\"ThreatID\":\"SSH User Authentication Brute Force Attempt(40015)\",\"VendorSeverity\":\"High\",\"DirectionOfAttack\":\"client to 
server\",\"SequenceNo\":7350395687601,\"SourceLocation\":\"1.0.0.0-1.255.255.255\",\"DestinationLocation\":\"ID\",\"PacketID\":12103464791027,\"FileHash\":null,\"ApplianceOrCloud\":null,\"URLCounter\":0,\"FileType\":null,\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":0,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"brute-force\",\"ContentVersion\":\"581116536\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"496a138d-6515-4043-b7c7\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:52:09.934000Z\",\"NSSAINetworkSliceType\":null}", "event": { + "action": "reset-both", "category": [ - "session" + "vulnerability" ], - "dataset": "globalprotect", + "dataset": "threat", "outcome": "success", "type": [ "info" ] }, - "@timestamp": "2024-01-12T09:41:43.895000Z", + "@timestamp": "2024-07-08T15:52:09Z", "action": { - "name": 
"gateway-switch-to-ssl", + "name": "reset-both", "outcome": "success", - "type": "0" + "type": "vulnerability" }, - "host": { - "name": "2023-01724", - "os": { - "version": "Microsoft Windows 10 Enterprise , 64-bit" - } + "destination": { + "address": "2.2.1.4", + "geo": { + "country_iso_code": "ID" + }, + "ip": "2.2.1.4", + "nat": { + "port": 0 + }, + "port": 21 }, "log": { - "logger": "globalprotect" + "hostname": "DN-TEST", + "level": "High", + "logger": "threat" }, "network": { - "type": "SSLVPN" + "application": "ssh" }, "observer": { + "egress": { + "interface": { + "alias": "TTT" + } + }, + "ingress": { + "interface": { + "alias": "Trust" + } + }, + "name": "DN-TEST", "product": "PAN-OS", - "serial_number": "PF000000" + "serial_number": "007954000370000" }, "paloalto": { - "EventID": "gateway-switch-to-ssl", - "Threat_ContentType": "0", + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", + "Threat_ContentType": "vulnerability", "VirtualLocation": "vsys1", - "connection": { - "stage": "tunnel" + "threat": { + "category": "brute-force", + "id": "SSH User Authentication Brute Force Attempt(40015)" } }, "related": { "ip": [ - "1.2.3.4" - ], - "user": [ - "JDOE" + "1.2.1.3", + "2.2.1.4" ] }, - "source": { - "address": "1.2.3.4", - "geo": { - "country_iso_code": "FR" - }, - "ip": "1.2.3.4", - "user": { - "domain": "test.fr", - "name": "JDOE" - } - }, - "user": { - "domain": "test.fr", - "name": "JDOE" + "rule": { + "name": "Public_TTT_Mgmt", + "uuid": "496a138d-6515-4043-b7c7" }, - "user_agent": { - "os": { - "name": "Windows", - "version": "Microsoft Windows 10 Enterprise , 64-bit" - } + "source": { + "address": "1.2.1.3", + "ip": "1.2.1.3", + "port": 52000 } } ``` -=== "test_installed_package_json.json" +=== "test_new_url_type.json" ```json { - "message": 
"{\"LogTime\":\"2023-02-16T15:49:04.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:48:57.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Installed contents package: panupv2-all-contents-8676-7858.tgz\",\"SequenceNo\":7200776623254143152,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:48:57.395000Z\"}\n", + "message": "{\"TimeReceived\":\"2024-07-08T06:17:04.000000Z\",\"DeviceSN\":\"00795400037XXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"url\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T13:13:27.000000Z\",\"SourceAddress\":\"19.16.1.6\",\"DestinationAddress\":\"17.25.11.9\",\"NATSource\":\"210.210.140.61\",\"NATDestination\":\"17.25.11.9\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssl\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"TTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/6.997\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Test_setting\",\"SessionID\":816808,\"RepeatCount\":1,\"SourcePort\":35000,\"DestinationPort\":443,\"NATSourcePort\":28500,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"URL\":\"test.gstatic.com/\",\"URLCategory\":\"computer-and-internet-info\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"client to 
server\",\"SequenceNo\":73503956876009,\"SourceLocation\":\"19.18.0.0-19.18.255.255\",\"DestinationLocation\":\"US\",\"ContentType\":null,\"PacketID\":0,\"URLCounter\":0,\"UserAgent\":null,\"X-Forwarded-For\":null,\"Referer\":null,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"HTTPMethod\":\"unknown\",\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"InlineMLVerdict\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":0,\"HTTPHeaders\":null,\"URLCategoryList\":\"computer-and-internet-info,low-risk\",\"RuleUUID\":\"6935060f-6443-4257\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-07-08T13:13:27.233000Z\",\"NSSAINetworkSliceType\":null}", "event": { + "action": "alert", "category": [ - "host" + "network" ], - "dataset": "system", - "module": "contents", - "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz", + "dataset": "threat", + "outcome": "success", "type": [ "info" ] }, - "@timestamp": "2023-02-16T15:48:57Z", + "@timestamp": 
"2024-07-08T13:13:27Z", "action": { - "type": "general" - }, - "file": { - "name": "panupv2-all-contents-8676-7858.tgz" + "name": "alert", + "outcome": "success", + "type": "url" }, - "host": { - "name": "PA-VM" + "destination": { + "address": "17.25.11.9", + "domain": "test.gstatic.com", + "geo": { + "country_iso_code": "US" + }, + "ip": "17.25.11.9", + "nat": { + "ip": "17.25.11.9", + "port": 443 + }, + "port": 443 }, "log": { + "hostname": "DN-TEST", "level": "Informational", - "logger": "system" + "logger": "threat" + }, + "network": { + "application": "ssl" }, "observer": { - "product": "PAN-OS" + "egress": { + "interface": { + "alias": "Untrust" + } + }, + "ingress": { + "interface": { + "alias": "TTT" + } + }, + "name": "DN-TEST", + "product": "PAN-OS", + "serial_number": "00795400037XXXX" }, "paloalto": { - "DGHierarchyLevel1": "0", - "DGHierarchyLevel2": "0", + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", - "Threat_ContentType": "general" + "DirectionOfAttack": "client to server", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "test.gstatic.com" + ], + "ip": [ + "17.25.11.9", + "19.16.1.6", + "210.210.140.61" + ] + }, + "rule": { + "name": "Guest_Mobile_Internet Access", + "uuid": "6935060f-6443-4257" + }, + "source": { + "address": "19.16.1.6", + "ip": "19.16.1.6", + "nat": { + "ip": "210.210.140.61", + "port": 28500 + }, + "port": 35000 + }, + "threat": { + "indicator": { + "name": "test.gstatic.com/" + } + }, + "url": { + "domain": "test.gstatic.com", + "registered_domain": "gstatic.com", + "subdomain": "test", + "top_level_domain": "com" } } 
@@ -2110,15 +2629,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "test-event",
 "type": "vpn"
 },
- "host": {
- "name": "test-1"
- },
 "log": {
 "hostname": "test-1",
 "level": "informational",
 "logger": "system"
 },
 "observer": {
+ "name": "test-1",
 "product": "PAN-OS",
 "serial_number": "016201000000"
 },
@@ -2712,9 +3229,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "network"
 ],
+ "code": "9999",
 "dataset": "threat",
 "outcome": "success",
- "reason": "(9999)",
 "type": [
 "info"
 ]
@@ -2727,6 +3244,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "destination": {
 "address": "5.6.7.8",
+ "domain": "test.fr",
 "ip": "5.6.7.8",
 "nat": {
 "ip": "0.0.0.0",
@@ -2734,9 +3252,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "port": 2222
 },
- "host": {
- "name": "TEST-01"
- },
 "log": {
 "hostname": "TEST-01",
 "level": "informational",
@@ -2747,6 +3262,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "transport": "tcp"
 },
 "observer": {
+ "name": "TEST-01",
 "product": "PAN-OS",
 "serial_number": "016201000000"
 },
@@ -2756,7 +3272,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "DGHierarchyLevel3": "0",
 "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
- "VirtualLocation": "vsys1"
+ "VirtualLocation": "vsys1",
+ "threat": {
+ "id": "9999",
+ "type": "URL filtering log"
+ }
 },
 "related": {
 "hosts": [
@@ -2796,6 +3316,95 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
+=== "test_threat_02.json"
+
+ ```json
+
+ {
+ "message": "1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,\"login.esp\",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,",
+ "event": {
+ "action": "reset-both",
+ "category": [
+ "vulnerability"
+ ],
+ "code": "95187",
+ "dataset": "threat",
+ "outcome": "success",
+ "reason": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-08-12T13:57:04.614000Z",
+ "action": {
+ "name": "reset-both",
+ "outcome": "success",
+ "type": "vulnerability"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "nat": {
+ "ip": "5.6.7.8",
+ "port": 20077
+ },
+ "port": 443
+ },
+ "file": {
+ "name": "login.esp",
+ "path": "login.esp"
+ },
+ "log": {
+ "hostname": "site1-FW01",
+ "level": "critical",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "web-browsing",
+ "transport": "tcp"
+ },
+ "observer": {
+ "name": "site1-FW01",
+ "product": "PAN-OS",
+ "serial_number": "012345678910"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "320",
+ "DGHierarchyLevel2": "90",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "vulnerability",
+ "VirtualLocation": "vsys1",
+ "threat": {
+ "id": "95187",
+ "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
+ "type": "custom threat"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "rule": {
+ "name": "Access_Portal-GW_GP",
+ "uuid": "abcdefgh-1234-5678-abcd-01234567890"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "1.2.3.4",
+ "port": 56731
+ },
+ "port": 56731
+ }
+ }
+
+ ```
+
+
 === "test_timestamp_palo.json"
 ```json
@@ -2817,15 +3426,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "general",
 "type": "general"
 },
- "host": {
- "name": "test-01"
- },
 "log": {
 "hostname": "test-01",
 "level": "informational",
 "logger": "system"
 },
 "observer": {
+ "name": "test-01",
 "product": "PAN-OS",
 "serial_number": "026701002348"
 },
@@ -2878,9 +3485,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "port": 443
 },
- "host": {
- "name": "PA-VM"
- },
 "log": {
 "hostname": "PA-VM",
 "logger": "traffic"
@@ -2901,6 +3505,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alias": "untrusted"
 }
 },
+ "name": "PA-VM",
 "product": "PAN-OS",
 "serial_number": "007954000351998"
 },
@@ -2970,9 +3575,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "port": 443
 },
- "host": {
- "name": "PA-VM"
- },
 "log": {
 "hostname": "PA-VM",
 "logger": "traffic"
@@ -2993,6 +3595,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alias": "untrusted"
 }
 },
+ "name": "PA-VM",
 "product": "PAN-OS",
 "serial_number": "007954000351998"
 },
@@ -3205,14 +3808,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "destination": {
 "port": 0
 },
- "host": {
- "name": "test-01"
- },
 "log": {
 "hostname": "test-01",
 "logger": "userid"
 },
 "observer": {
+ "name": "test-01",
 "product": "PAN-OS",
 "serial_number": "01545100000000"
 },
@@ -3374,9 +3975,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "network"
 ],
+ "code": "9999",
 "dataset": "threat",
 "outcome": "success",
- "reason": "(9999)",
 "type": [
 "info"
 ]
@@ -3389,6 +3990,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "destination": {
 "address": "192.168.0.1",
+ "domain": "www.sekoia.io",
 "ip": "192.168.0.1",
 "nat": {
 "ip": "0.0.0.0",
@@ -3396,9 +3998,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "port": 80
 },
- "host": {
- "name": "FW"
- },
 "http": {
 "request": {
 "method": "get"
@@ -3415,6 +4014,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "transport": "tcp"
 },
 "observer": {
+ "name": "FW",
 "product": "PAN-OS",
 "serial_number": "016401004874"
 },
@@ -3425,7 +4025,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
 "VirtualLocation": "vsys",
- "VirtualSystemName": "VSYS"
+ "VirtualSystemName": "VSYS",
+ "threat": {
+ "id": "9999",
+ "type": "URL filtering log"
+ }
 },
 "related": {
 "hosts": [
@@ -3525,15 +4129,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "observer": {
 "egress": {
 "interface": {
- "alias": "ethernet4Zone-test4",
- "id": "unknown",
- "name": "unknown"
+ "alias": "ethernet4Zone-test4"
 }
 },
 "ingress": {
 "interface": {
 "alias": "datacenter",
- "id": "unknown",
 "name": "n"
 }
 },
@@ -3543,6 +4144,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "version": "2.0"
 },
 "paloalto": {
+ "DirectionOfAttack": "server to client",
 "PanOSContainerNameSpace": "pns_default",
 "PanOSDestinationDeviceCategory": "X-Phone",
 "PanOSDestinationDeviceHost": "pan-622",
@@ -3612,9 +4214,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "category": [
 "vulnerability"
 ],
+ "code": "34805",
 "dataset": "threat",
 "outcome": "success",
- "reason": "PDF Exploit Evasion Found(34805)",
+ "reason": "PDF Exploit Evasion Found",
 "type": [
 "info"
 ]
@@ -3638,9 +4241,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "EXAMPLE.PDF",
 "path": "EXAMPLE.PDF"
 },
- "host": {
- "name": "FW"
- },
 "log": {
 "hostname": "FW",
 "level": "informational",
@@ -3651,6 +4251,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "transport": "tcp"
 },
 "observer": {
+ "name": "FW",
 "product": "PAN-OS",
 "serial_number": "001701000000"
 },
@@ -3660,7 +4261,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "DGHierarchyLevel3": "0",
 "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys"
+ "VirtualLocation": "vsys",
+ "threat": {
+ "id": "34805",
+ "name": "PDF Exploit Evasion Found",
+ "type": "vulnerability exploit detection"
+ }
 },
 "related": {
 "ip": [
@@ -3925,7 +4531,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "traffic",
 "duration": 56,
- "reason": "unknown",
 "severity": 3,
 "start": "2021-02-27T20:16:17Z",
 "timezone": "UTC",
@@ -3978,15 +4583,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "observer": {
 "egress": {
 "interface": {
- "alias": "ethernet4Zone-test1",
- "id": "unknown",
- "name": "unknown"
+ "alias": "ethernet4Zone-test1"
 }
 },
 "ingress": {
 "interface": {
 "alias": "untrust",
- "id": "unknown",
 "name": "n"
 }
 },
@@ -4096,9 +4698,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "packets": 7,
 "port": 443
 },
- "host": {
- "name": "PA2314-CD"
- },
 "log": {
 "hostname": "PA2314-CD",
 "logger": "traffic"
@@ -4110,6 +4709,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "transport": "tcp"
 },
 "observer": {
+ "name": "PA2314-CD",
 "product": "PAN-OS",
 "serial_number": "026701002040"
 },
@@ -4179,9 +4779,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "packets": 0,
 "port": 53
 },
- "host": {
- "name": "PA-1"
- },
 "log": {
 "hostname": "PA-1",
 "logger": "traffic"
@@ -4193,6 +4790,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "transport": "udp"
 },
 "observer": {
+ "name": "PA-1",
 "product": "PAN-OS",
 "serial_number": "1801017000"
 },
@@ -4305,6 +4903,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "version": "2.0"
 },
 "paloalto": {
+ "DirectionOfAttack": "server to client",
 "PanOSContainerName": "pan-dp-77754f4",
 "PanOSContainerNameSpace": "pns_default",
 "PanOSDestinationDeviceCategory": "L-Phone",
@@ -4482,9 +5081,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "file": {
 "name": "mp3.exe"
 },
- "host": {
- "name": "MyDevice"
- },
 "log": {
 "hostname": "MyDevice",
 "level": "Informational",
@@ -4504,6 +5100,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alias": "Trust"
 }
 },
+ "name": "MyDevice",
 "product": "PAN-OS",
 "serial_number": "111111111111"
 },
@@ -4512,6 +5109,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "DGHierarchyLevel2": "738",
 "DGHierarchyLevel3": "0",
 "DGHierarchyLevel4": "0",
+ "DirectionOfAttack": "server to client",
 "Threat_ContentType": "wildfire",
 "VirtualLocation": "vsys1",
 "endpoint": {
@@ -4582,11 +5180,14 @@ The following table lists the fields that are extracted, normalized under the EC
 |`destination.port` | `long` | Port of the destination. |
 |`destination.user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`destination.user.name` | `keyword` | Short name or login of the user. |
+|`dns.question.type` | `keyword` | The type of record being queried. |
+|`dns.resolved_ip` | `ip` | Array containing all IPs seen in answers.data |
 |`email.from.address` | `keyword` | Email address from |
 |`email.subject` | `keyword` | Subject |
 |`email.to.address` | `keyword` | Email address to |
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.code` | `keyword` | Identification code for this event. |
 |`event.dataset` | `keyword` | Name of the dataset. |
 |`event.duration` | `long` | Duration of the event in nanoseconds. |
 |`event.module` | `keyword` | Name of the module this data is coming from. |
@@ -4622,18 +5223,26 @@ The following table lists the fields that are extracted, normalized under the EC
 |`observer.ingress.interface.alias` | `keyword` | Interface alias |
 |`observer.ingress.interface.id` | `keyword` | Interface ID |
 |`observer.ingress.interface.name` | `keyword` | Interface name |
+|`observer.name` | `keyword` | Custom name of the observer. |
 |`observer.product` | `keyword` | The product name of the observer. |
 |`observer.serial_number` | `keyword` | Observer serial number. |
 |`observer.type` | `keyword` | The type of the observer the data is coming from. |
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
 |`observer.version` | `keyword` | Observer version. |
 |`paloalto` | `dict` | Root of paloalto custom fields |
+|`paloalto.DirectionOfAttack` | `keyword` | Attack direction |
 |`paloalto.Threat_ContentType` | `keyword` | Type associated with the threat |
 |`paloalto.authentication.method` | `keyword` | The authentication method for the GlobalProtect connection |
 |`paloalto.connection.method` | `keyword` | Identifies how the GlobalProtect app connected to the the Gateway |
 |`paloalto.connection.stage` | `keyword` | The stage of the GlobalProtect connection |
+|`paloalto.dns.category` | `keyword` | Classify DNS requests in terms of security or relevance |
 |`paloalto.endpoint.serial_number` | `keyword` | Unique device identifier |
+|`paloalto.source.private.ip` | `keyword` | Private IP address |
+|`paloalto.source.region` | `keyword` | IP address range |
+|`paloalto.threat.category` | `keyword` | Threat Category |
 |`paloalto.threat.id` | `keyword` | The identifier of the threat |
+|`paloalto.threat.name` | `keyword` | The name of the threat |
+|`paloalto.threat.type` | `keyword` | The type of the threat |
 |`rule.name` | `keyword` | Rule name |
 |`rule.uuid` | `keyword` | Rule UUID |
 |`source.bytes` | `long` | Bytes sent from the source to the destination. |
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
index db40769711..4ca1bda5f4 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
@@ -444,6 +444,36 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_dns_response"
+
+
+ ```json
+ {
+ "VendorName": "test networks",
+ "DeviceSN": "7FD26D6XXXXXXXX",
+ "TimeReceived": "2024-07-08T09:01:10.502737Z",
+ "LogType": "DNS",
+ "Subtype": "realtime_dns_telemetry_response",
+ "SubType": "realtime_dns_telemetry_response",
+ "TimeGenerated": "2024-07-08T09:01:10.000000Z",
+ "RecordType": "a",
+ "DNSResolverIP": "1.2.3.4",
+ "ThreatID": 0,
+ "DNSCategory": "benign",
+ "ThreatName": null,
+ "SourceAddress": "5.6.7.8",
+ "FromZone": "trust",
+ "Action": "Allow",
+ "DNSResponse": [
+ "8.9.1.2"
+ ],
+ "ToZone": null,
+ "DestinationUser": null
+ }
+ ```
+
+
+
 === "test_file_alert_json"
@@ -583,6 +613,377 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_ldap_brute_force"
+
+
+ ```json
+ 1,2024/08/03 12:16:42,012001002253,THREAT,vulnerability,2561,2024/08/03 12:17:45,5.6.7.8,1.2.3.4,0.0.0.0,0.0.0.0,IN_VPN-AZURE-ALSID,,paloaltonetwork\\username,ldap,vsys1,VPN,LAN,tunnel.3,ethernet1/4,default,2024/08/03 12:17:45,110079,1,62074,389,0,0,0x80002000,tcp,alert,,LDAP: User Login Brute Force Attempt(40005),any,high,client-to-server,7395125856205392467,0x8000000000000000,192.168.0.0-192.168.255.255,172.16.0.0-172.31.255.255,,,1210225322167894624,,,0,,,,,,,,0,24,315,0,0,,hostname_example,,,,,0,,0,,N/A,brute-force,AppThreat-8877-8886,0x0,0,4294967295,,,2c146dd4-d96a-455f-96fc-7f3e2c37c70d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-03T12:17:45.360+02:00,,,,auth-service,business-systems,client-server,2,\"has-known-vulnerability,tunnel-other-application,pervasive-use\",,untunneled,no,no,
+ ```
+
+
+
+=== "test_new_file_type"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-07-08T08:33:33.000000Z",
+ "DeviceSN": "007954000XXXXXX",
+ "LogType": "THREAT",
+ "Subtype": "file",
+ "SubType": "file",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-07-08T15:30:04.000000Z",
+ "SourceAddress": "4.3.2.1",
+ "DestinationAddress": "5.2.1.8",
+ "NATSource": "2.2.1.6",
+ "NATDestination": "5.2.1.8",
+ "Rule": "Guest_Mobile_Internet Access",
+ "SourceUser": null,
+ "DestinationUser": null,
+ "Application": "web-browsing",
+ "VirtualLocation": "vsys1",
+ "FromZone": "DTT",
+ "ToZone": "Untrust",
+ "InboundInterface": "ethernet1/1.111",
+ "OutboundInterface": "ethernet1/1",
+ "LogSetting": "Panorama_CDL",
+ "SessionID": 6111111,
+ "RepeatCount": 1,
+ "SourcePort": 42222,
+ "DestinationPort": 80,
+ "NATSourcePort": 22408,
+ "NATDestinationPort": 80,
+ "Protocol": "tcp",
+ "Action": "alert",
+ "FileName": "test_file.bin",
+ "URLCategory": "business-and-economy",
+ "VendorSeverity": "Low",
+ "DirectionOfAttack": "server to client",
+ "SequenceNo": 73503956876,
+ "SourceLocation": "1.2.0.0-1.2.255.255",
+ "DestinationLocation": "US",
+ "PacketID": 0,
+ "FileHash": null,
+ "ReportID": 0,
+ "DGHierarchyLevel1": 999,
+ "DGHierarchyLevel2": 1111,
+ "DGHierarchyLevel3": 0,
+ "DGHierarchyLevel4": 0,
+ "VirtualSystemName": "",
+ "DeviceName": "DN-TEST-F2",
+ "SourceUUID": null,
+ "DestinationUUID": null,
+ "IMSI": 0,
+ "IMEI": null,
+ "ParentSessionID": 0,
+ "ParentStartTime": "1970-01-01T00:00:00.000000Z",
+ "Tunnel": "N/A",
+ "ContentVersion": "581116536",
+ "SigFlags": 0,
+ "RuleUUID": "6935060f-6443-4257-91f8",
+ "HTTP2Connection": 0,
+ "DynamicUserGroup": null,
+ "X-Forwarded-ForIP": null,
+ "SourceDeviceCategory": null,
+ "SourceDeviceProfile": null,
+ "SourceDeviceModel": null,
+ "SourceDeviceVendor": null,
+ "SourceDeviceOSFamily": null,
+ "SourceDeviceOSVersion": "1.0.0",
+ "SourceDeviceHost": "Test-device",
+ "SourceDeviceMac": "11.22.33.44.55.66",
+ "DestinationDeviceCategory": null,
+ "DestinationDeviceProfile": null,
+ "DestinationDeviceModel": null,
+ "DestinationDeviceVendor": null,
+ "DestinationDeviceOSFamily": null,
+ "DestinationDeviceOSVersion": null,
+ "DestinationDeviceHost": null,
+ "DestinationDeviceMac": null,
+ "ContainerID": null,
+ "ContainerNameSpace": null,
+ "ContainerName": null,
+ "SourceEDL": null,
+ "DestinationEDL": null,
+ "HostID": null,
+ "EndpointSerialNumber": null,
+ "DomainEDL": null,
+ "SourceDynamicAddressGroup": null,
+ "DestinationDynamicAddressGroup": null,
+ "PartialHash": 0,
+ "TimeGeneratedHighResolution": "2024-07-08T15:30:04.855000Z",
+ "ReasonForDataFilteringAction": null,
+ "Justification": null,
+ "NSSAINetworkSliceType": null
+ }
+ ```
+
+
+
+=== "test_new_globalprotect"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-07-08T09:01:14.000000Z",
+ "DeviceSN": "00795700000000",
+ "LogType": "GLOBALPROTECT",
+ "Subtype": "globalprotect",
+ "LogSubtype": "globalprotect",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-07-08T09:01:14.000000Z",
+ "VirtualSystem": "vsys1",
+ "EventIDValue": "gateway-logout",
+ "Stage": "logout",
+ "AuthMethod": null,
+ "TunnelType": null,
+ "SourceUserName": "joe.doe@test.com",
+ "SourceRegion": "1.0.0.0-1.255.255.255",
+ "EndpointDeviceName": "LNL-test",
+ "PublicIPv4": "1.5.7.3",
+ "PublicIPv6": "",
+ "PrivateIPv4": "1.2.3.4",
+ "PrivateIPv6": "",
+ "HostID": "e4f14dfd-bd3c-40e5-9c4e",
+ "EndpointSN": "5CD4153333",
+ "GlobalProtectClientVersion": "0.0.-1",
+ "EndpointOSType": "Windows",
+ "EndpointOSVersion": "Microsoft Windows 11 Enterprise , 64-bit",
+ "RepeatCount": 1,
+ "CountOfRepeats": 1,
+ "QuarantineReason": null,
+ "ConnectionError": null,
+ "Description": "client logout",
+ "EventStatus": "success",
+ "GlobalProtectGatewayLocation": null,
+ "LoginDuration": 3625,
+ "ConnectionMethod": null,
+ "ConnectionErrorID": 0,
+ "Portal": "Internal_test",
+ "SequenceNo": 7359635570821640000,
+ "TimeGeneratedHighResolution": "2024-07-08T09:01:14.449000Z",
+ "GatewaySelectionType": "",
+ "SSLResponseTime": -1,
+ "GatewayPriority": null,
+ "AttemptedGateways": null,
+ "Gateway": null,
+ "DGHierarchyLevel1": 556,
+ "DGHierarchyLevel2": 0,
+ "DGHierarchyLevel3": 0,
+ "DGHierarchyLevel4": 0,
+ "VirtualSystemName": "",
+ "DeviceName": "DG-test",
+ "VirtualSystemID": 1
+ }
+ ```
+
+
+
+=== "test_new_threat_type"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-07-08T08:55:38.000000Z",
+ "DeviceSN": "007954000370000",
+ "LogType": "THREAT",
+ "Subtype": "vulnerability",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-07-08T15:52:09.000000Z",
+ "SourceAddress": "1.2.1.3",
+ "DestinationAddress": "2.2.1.4",
+ "NATSource": "",
+ "NATDestination": "",
+ "Rule": "Public_TTT_Mgmt",
+ "SourceUser": null,
+ "DestinationUser": null,
+ "Application": "ssh",
+ "VirtualLocation": "vsys1",
+ "FromZone": "Trust",
+ "ToZone": "TTT",
+ "InboundInterface": "ethernet1/8",
+ "OutboundInterface": "ethernet1/4.124",
+ "LogSetting": "test_setting",
+ "SessionID": 72837,
+ "RepeatCount": 1,
+ "SourcePort": 52000,
+ "DestinationPort": 21,
+ "NATSourcePort": 0,
+ "NATDestinationPort": 0,
+ "Protocol": "tcp",
+ "Action": "reset-both",
+ "FileName": null,
+ "ThreatID": "SSH User Authentication Brute Force Attempt(40015)",
+ "VendorSeverity": "High",
+ "DirectionOfAttack": "client to server",
+ "SequenceNo": 7350395687601,
+ "SourceLocation": "1.0.0.0-1.255.255.255",
+ "DestinationLocation": "ID",
+ "PacketID": 12103464791027,
+ "FileHash": null,
+ "ApplianceOrCloud": null,
+ "URLCounter": 0,
+ "FileType": null,
+ "SenderEmail": null,
+ "EmailSubject": null,
+ "RecipientEmail": null,
+ "ReportID": 0,
+ "DGHierarchyLevel1": 997,
+ "DGHierarchyLevel2": 1169,
+ "DGHierarchyLevel3": 0,
+ "DGHierarchyLevel4": 0,
+ "VirtualSystemName": "",
+ "DeviceName": "DN-TEST",
+ "SourceUUID": null,
+ "DestinationUUID": null,
+ "IMSI": 0,
+ "IMEI": null,
+ "ParentSessionID": 0,
+ "ParentStarttime": "1970-01-01T00:00:00.000000Z",
+ "Tunnel": "N/A",
+ "ThreatCategory": "brute-force",
+ "ContentVersion": "581116536",
+ "SigFlags": "0x0",
+ "RuleUUID": "496a138d-6515-4043-b7c7",
+ "HTTP2Connection": 0,
+ "DynamicUserGroupName": null,
+ "X-Forwarded-ForIP": null,
+ "SourceDeviceCategory": null,
+ "SourceDeviceProfile": null,
+ "SourceDeviceModel": null,
+ "SourceDeviceVendor": null,
+ "SourceDeviceOSFamily": null,
+ "SourceDeviceOSVersion": null,
+ "SourceDeviceHost": null,
+ "SourceDeviceMac": null,
+ "DestinationDeviceCategory": null,
+ "DestinationDeviceProfile": null,
+ "DestinationDeviceModel": null,
+ "DestinationDeviceVendor": null,
+ "DestinationDeviceOSFamily": null,
+ "DestinationDeviceOSVersion": null,
+ "DestinationDeviceHost": null,
+ "DestinationDeviceMac": null,
+ "ContainerID": null,
+ "ContainerNameSpace": null,
+ "ContainerName": null,
+ "SourceEDL": null,
+ "DestinationEDL": null,
+ "HostID": null,
+ "EndpointSerialNumber": null,
+ "DomainEDL": null,
+ "SourceDynamicAddressGroup": null,
+ "DestinationDynamicAddressGroup": null,
+ "PartialHash": 0,
+ "TimeGeneratedHighResolution": "2024-07-08T15:52:09.934000Z",
+ "NSSAINetworkSliceType": null
+ }
+ ```
+
+
+
+=== "test_new_url_type"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-07-08T06:17:04.000000Z",
+ "DeviceSN": "00795400037XXXX",
+ "LogType": "THREAT",
+ "Subtype": "url",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-07-08T13:13:27.000000Z",
+ "SourceAddress": "19.16.1.6",
+ "DestinationAddress": "17.25.11.9",
+ "NATSource": "210.210.140.61",
+ "NATDestination": "17.25.11.9",
+ "Rule": "Guest_Mobile_Internet Access",
+ "SourceUser": null,
+ "DestinationUser": null,
+ "Application": "ssl",
+ "VirtualLocation": "vsys1",
+ "FromZone": "TTT",
+ "ToZone": "Untrust",
+ "InboundInterface": "ethernet1/6.997",
+ "OutboundInterface": "ethernet1/1",
+ "LogSetting": "Test_setting",
+ "SessionID": 816808,
+ "RepeatCount": 1,
+ "SourcePort": 35000,
+ "DestinationPort": 443,
+ "NATSourcePort": 28500,
+ "NATDestinationPort": 443,
+ "Protocol": "tcp",
+ "Action": "alert",
+ "URL": "test.gstatic.com/",
+ "URLCategory": "computer-and-internet-info",
+ "VendorSeverity": "Informational",
+ "DirectionOfAttack": "client to server",
+ "SequenceNo": 73503956876009,
+ "SourceLocation": "19.18.0.0-19.18.255.255",
+ "DestinationLocation": "US",
+ "ContentType": null,
+ "PacketID": 0,
+ "URLCounter": 0,
+ "UserAgent": null,
+ "X-Forwarded-For": null,
+ "Referer": null,
+ "DGHierarchyLevel1": 997,
+ "DGHierarchyLevel2": 1169,
+ "DGHierarchyLevel3": 0,
+ "DGHierarchyLevel4": 0,
+ "VirtualSystemName": "",
+ "DeviceName": "DN-TEST",
+ "SourceUUID": null,
+ "DestinationUUID": null,
+ "HTTPMethod": "unknown",
+ "IMSI": 0,
+ "IMEI": null,
+ "ParentSessionID": 0,
+ "ParentStarttime": "1970-01-01T00:00:00.000000Z",
+ "Tunnel": "N/A",
+ "InlineMLVerdict": "unknown",
+ "ContentVersion": "0",
+ "SigFlags": 0,
+ "HTTPHeaders": null,
+ "URLCategoryList": "computer-and-internet-info,low-risk",
+ "RuleUUID": "6935060f-6443-4257",
+ "HTTP2Connection": 0,
+ "DynamicUserGroupName": null,
+ "X-Forwarded-ForIP": null,
+ "SourceDeviceCategory": null,
+ "SourceDeviceProfile": null,
+ "SourceDeviceModel": null,
+ "SourceDeviceVendor": null,
+ "SourceDeviceOSFamily": null,
+ "SourceDeviceOSVersion": null,
+ "SourceDeviceHost": null,
+ "SourceDeviceMac": null,
+ "DestinationDeviceCategory": null,
+ "DestinationDeviceProfile": null,
+ "DestinationDeviceModel": null,
+ "DestinationDeviceVendor": null,
+ "DestinationDeviceOSFamily": null,
+ "DestinationDeviceOSVersion": null,
+ "DestinationDeviceHost": null,
+ "DestinationDeviceMac": null,
+ "ContainerID": null,
+ "ContainerNameSpace": null,
+ "ContainerName": null,
+ "SourceEDL": null,
+ "DestinationEDL": null,
+ "HostID": null,
+ "EndpointSerialNumber": null,
+ "SourceDynamicAddressGroup": null,
+ "DestinationDynamicAddressGroup": null,
+ "TimeGeneratedHighResolution": "2024-07-08T13:13:27.233000Z",
+ "NSSAINetworkSliceType": null
+ }
+ ```
+
+
+
 === "test_ntp_sync_json"
@@ -1066,6 +1467,15 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_threat_02"
+
+
+ ```json
+ 1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,"login.esp",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no,
+ ```
+
+
+
 === "test_timestamp_palo"
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
index 8af1c56fc1..38ffaae9a9 100644
--- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
@@ -1399,6 +1399,85 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_5156.json" + + ```json + + { + "message": "{\"EventTime\":\"2024-08-05 11:38:06\",\"Hostname\":\"hostname.test.com\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":5156,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"Version\":1,\"Task\":12810,\"OpcodeValue\":0,\"RecordNumber\":3909688690,\"ProcessID\":4,\"ThreadID\":6140,\"Channel\":\"Security\",\"Message\":\"The Windows Filtering Platform has permitted a connection.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t832\\r\\n\\tApplication Name:\\t\\\\device\\\\harddisk\\\\windows\\\\system32\\\\test.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tDirection:\\t\\tInbound\\r\\n\\tSource Address:\\t\\t1.2.3.4\\r\\n\\tSource Port:\\t\\t1\\r\\n\\tDestination Address:\\t5.6.7.8\\r\\n\\tDestination Port:\\t\\t2\\r\\n\\tProtocol:\\t\\t6\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t0\\r\\n\\tLayer Name:\\t\\tReceive/Accept\\r\\n\\tLayer Run-Time ID:\\t44\",\"Category\":\"Filtering Platform Connection\",\"Opcode\":\"Info\",\"Application\":\"\\\\device\\\\harddisk\\\\windows\\\\system32\\\\test.exe\",\"Direction\":\"%%14592\",\"SourceAddress\":\"1.2.3.4\",\"SourcePort\":\"1\",\"DestAddress\":\"5.6.7.8\",\"DestPort\":\"2\",\"Protocol\":\"6\",\"FilterRTID\":\"0\",\"LayerName\":\"%%14610\",\"LayerRTID\":\"44\",\"RemoteUserID\":\"S-1-0-0\",\"RemoteMachineID\":\"S-1-0-0\",\"EventReceivedTime\":\"2024-08-05 11:38:47\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}", + "event": { + "code": "5156", + "message": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t832\r\n\tApplication Name:\t\\device\\harddisk\\windows\\system32\\test.exe\r\n\r\nNetwork 
Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t1.2.3.4\r\n\tSource Port:\t\t1\r\n\tDestination Address:\t5.6.7.8\r\n\tDestination Port:\t\t2\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t0\r\n\tLayer Name:\t\tReceive/Accept\r\n\tLayer Run-Time ID:\t44", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 5156, + "name": "The Windows Filtering Platform has allowed a connection", + "outcome": "success", + "properties": { + "Application": "\\device\\harddisk\\windows\\system32\\test.exe", + "Category": "Filtering Platform Connection", + "DestinationPort": "2", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Task": 12810 + }, + "record_id": 3909688690, + "target": "network-traffic", + "type": "Security" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 2 + }, + "host": { + "hostname": "hostname.test.com", + "name": "hostname.test.com" + }, + "log": { + "hostname": "hostname.test.com", + "level": "info" + }, + "network": { + "transport": "6" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 4, + "name": "test.exe", + "pid": 4, + "thread": { + "id": 6140 + } + }, + "related": { + "hosts": [ + "hostname.test.com" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 1 + } + } + + ``` + + === "Event_5408_event_message_is_json.json" ```json 
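Review bot: In the normalized `process` object of Event_5156.json, `process.id`/`process.pid` are `4` (NXLog's `ProcessID`, i.e. the process that logged the event) while `process.name` is `test.exe` taken from the `Application` field, so the two halves describe different processes; the event body itself carries `Process ID: 832` for the application. Either map `process.pid` from that value or leave the pid out, as the later hunks in this same file already do when they drop the placeholder `"pid": 4`. `network.transport` is set to `"6"`, but ECS expects the protocol name there (`tcp`) and keeps the IANA number in `network.iana_number`. Source, destination and `related.ip` are consistent with the message.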
@@ -1763,6 +1842,93 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Process_4688_new.json" + + ```json + + { + "message": "{\"EventTime\":\"2024-08-05 17:56:15\",\"Hostname\":\"Hostname.test.com\",\"Keywords\":-921436483760000000,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":4688,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{54849625-5478-4994}\",\"Version\":2,\"Task\":13312,\"OpcodeValue\":0,\"RecordNumber\":255073557,\"ProcessID\":4,\"ThreadID\":22092,\"Channel\":\"Security\",\"Message\":\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tSE-1-1-1\\r\\n\\tAccount Name:\\t\\tJOEDOE$\\r\\n\\tAccount Domain:\\t\\tTEST\\r\\n\\tLogon ID:\\t\\t0x388\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tSE-0-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x5878\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\Sys\\\\test.exe\\r\\n\\tToken Elevation Type:\\t%%1936\\r\\n\\tMandatory Label:\\t\\tSE-1-1-14\\r\\n\\tCreator Process ID:\\t0x4534\\r\\n\\tCreator Process Name:\\tC:\\\\Program Files (x86)\\\\TEST\\\\TEST Client\\\\TEST.exe\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance always program using Run as administrator.\",\"Category\":\"Process Creation\",\"Opcode\":\"Info\",\"SubjectUserSid\":\"SE-1-5-1\",\"SubjectUserName\":\"JOEDOE$\",\"SubjectDomainName\":\"TEST\",\"SubjectLogonId\":\"0x3e7\",\"NewProcessId\":\"0x5878\",\"NewProcessName\":\"C:\\\\Windows\\\\Sys\\\\TEST.exe\",\"TokenElevationType\":\"%%1936\",\"TargetUserSid\":\"SE-1-0-0\",\"TargetUserName\":\"-\",\"TargetDomainName\":\"-\",\"TargetLogonId\":\"0x0\",\"ParentProcessName\":\"C:\\\\Program Files (x86)\\\\TEST\\\\TEST 
Client\\\\TEST.exe\",\"MandatoryLabel\":\"SE-1-16-16384\",\"EventReceivedTime\":\"2024-08-05 17:56:17\",\"SourceModuleName\":\"sourcemoduletest\",\"SourceModuleType\":\"testlog\"}\n", + "event": { + "code": "4688", + "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tSE-1-1-1\r\n\tAccount Name:\t\tJOEDOE$\r\n\tAccount Domain:\t\tTEST\r\n\tLogon ID:\t\t0x388\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tSE-0-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x5878\r\n\tNew Process Name:\tC:\\Windows\\Sys\\test.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tSE-1-1-14\r\n\tCreator Process ID:\t0x4534\r\n\tCreator Process Name:\tC:\\Program Files (x86)\\TEST\\TEST Client\\TEST.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance always program using Run as administrator.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4688, + "name": "A new process has been created", + "outcome": "success", + "properties": { + "Category": "Process Creation", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-921436483760000000", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "JOEDOE$", + "SubjectUserSid": "SE-1-5-1", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "SE-1-0-0", + "Task": 13312 + }, + "record_id": 255073557, + "type": "Security" + }, + "host": { + "hostname": "Hostname.test.com", + "name": "Hostname.test.com" + }, + "log": { + "hostname": "Hostname.test.com", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": 
"C:\\Windows\\Sys\\TEST.exe", + "id": 22648, + "name": "TEST.exe", + "parent": { + "command_line": "C:\\Program Files (x86)\\TEST\\TEST Client\\TEST.exe", + "executable": "C:\\Program Files (x86)\\TEST\\TEST Client\\TEST.exe", + "name": "TEST.exe", + "pid": 17716, + "working_directory": "C:\\Program Files (x86)\\TEST\\TEST Client\\" + }, + "pid": 22648, + "thread": { + "id": 22092 + }, + "working_directory": "C:\\Windows\\Sys\\" + }, + "related": { + "hosts": [ + "Hostname.test.com" + ], + "user": [ + "JOEDOE$" + ] + }, + "user": { + "domain": "TEST", + "id": "SE-1-5-1", + "name": "JOEDOE$", + "target": { + "id": "SE-1-0-0" + } + } + } + + ``` + + === "ad_fs_auditing.json" ```json @@ -3462,7 +3628,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 11260, "name": "WMIC.exe", "parent": { - "pid": 4 + "pid": 10792 }, "pid": 11260, "thread": { @@ -4366,7 +4532,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Windows\\System32\\svchost.exe", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "pid": 4, "working_directory": "C:\\Windows\\System32\\" }, "pid": 3648, @@ -4894,6 +5059,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "family": "windows", "platform": "windows" }, + "process": { + "name": "python.exe" + }, "related": { "hosts": [ "WORKSTATION5" @@ -4966,6 +5134,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "process": { "id": 4, + "name": "nxlog.exe", "pid": 4, "thread": { "id": 148 
@@ -5207,7 +5376,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", - "pid": 4, "working_directory": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" }, "pid": 3920, @@ -5293,7 +5461,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 4, "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\" }, "pid": 5004, @@ -7347,9 +7514,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "executable": "C:\\Windows\\System32\\qwinsta.exe", "id": 12980, "name": "qwinsta.exe", - "parent": { - "pid": 4 - }, "pid": 12980, "thread": { "id": 92 @@ -7421,7 +7585,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4380, "name": "conhost.exe", "parent": { - "pid": 4 + "pid": 516 }, "pid": 4380, "thread": { diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md index 12f07bd4b9..ecf947c738 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md 
@@ -742,6 +742,49 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_5156" + + ``` + { + "EventTime": "2024-08-05 11:38:06", + "Hostname": "hostname.test.com", + "Keywords": -9214364837600034816, + "EventType": "AUDIT_SUCCESS", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 5156, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Version": 1, + "Task": 12810, + "OpcodeValue": 0, + "RecordNumber": 3909688690, + "ProcessID": 4, + "ThreadID": 6140, + "Channel": "Security", + "Message": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t832\r\n\tApplication Name:\t\\device\\harddisk\\windows\\system32\\test.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t1.2.3.4\r\n\tSource Port:\t\t1\r\n\tDestination Address:\t5.6.7.8\r\n\tDestination Port:\t\t2\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t0\r\n\tLayer Name:\t\tReceive/Accept\r\n\tLayer Run-Time ID:\t44", + "Category": "Filtering Platform Connection", + "Opcode": "Info", + "Application": "\\device\\harddisk\\windows\\system32\\test.exe", + "Direction": "%%14592", + "SourceAddress": "1.2.3.4", + "SourcePort": "1", + "DestAddress": "5.6.7.8", + "DestPort": "2", + "Protocol": "6", + "FilterRTID": "0", + "LayerName": "%%14610", + "LayerRTID": "44", + "RemoteUserID": "S-1-0-0", + "RemoteMachineID": "S-1-0-0", + "EventReceivedTime": "2024-08-05 11:38:47", + "SourceModuleName": "eventlog", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "Event_5408_event_message_is_json" ``` 
@@ -968,6 +1011,50 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Process_4688_new" + + ``` + { + "EventTime": "2024-08-05 17:56:15", + "Hostname": "Hostname.test.com", + "Keywords": -921436483760000000, + "EventType": "AUDIT_SUCCESS", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 4688, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProviderGuid": "{54849625-5478-4994}", + "Version": 2, + "Task": 13312, + "OpcodeValue": 0, + "RecordNumber": 255073557, + "ProcessID": 4, + "ThreadID": 22092, + "Channel": "Security", + "Message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tSE-1-1-1\r\n\tAccount Name:\t\tJOEDOE$\r\n\tAccount Domain:\t\tTEST\r\n\tLogon ID:\t\t0x388\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tSE-0-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x5878\r\n\tNew Process Name:\tC:\\Windows\\Sys\\test.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tSE-1-1-14\r\n\tCreator Process ID:\t0x4534\r\n\tCreator Process Name:\tC:\\Program Files (x86)\\TEST\\TEST Client\\TEST.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance always program using Run as administrator.", + "Category": "Process Creation", + "Opcode": "Info", + "SubjectUserSid": "SE-1-5-1", + "SubjectUserName": "JOEDOE$", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "NewProcessId": "0x5878", + "NewProcessName": "C:\\Windows\\Sys\\TEST.exe", + "TokenElevationType": "%%1936", + "TargetUserSid": "SE-1-0-0", + "TargetUserName": "-", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "ParentProcessName": "C:\\Program Files (x86)\\TEST\\TEST Client\\TEST.exe", + "MandatoryLabel": "SE-1-16-16384", + "EventReceivedTime": "2024-08-05 17:56:17", + "SourceModuleName": "sourcemoduletest", + "SourceModuleType": 
"testlog" + } + ``` + + + === "ad_fs_auditing" ``` diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 100b07da0d..3c39998c3c 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md 
@@ -1534,6 +1534,198 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_vpn_1.json" + + ```json + + { + "message": "01580002:5: /VPN/APM_VPN_prod:Common:870db929: discard ACL: /VPN/ACL_DENY:0 packet: tcp 1.2.3.4:59407 -> 5.6.7.8:443", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "name": "discard" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "/VPN/ACL_DENY" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 59407 + } + } + + ``` + + +=== "test_vpn_2.json" + + ```json + + { + "message": "01580002:5: /VPN/APM_VPN_prod:Common:0f47932d: allow ACL: /VPN/ACL_EAP_users:59 packet: tcp 1.2.3.4:50992 -> 5.6.7.8:135", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "name": "allow" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 135 + }, + "network": { + "transport": "tcp" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "/VPN/ACL_EAP_users" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50992 + } + } + + ``` + + +=== "test_vpn_3.json" + + ```json + + { + "message": "01580002:5: /VPN/APM_VPN_prod:Common:5f56a46c: discard ACL: /VPN/ACL_DENY:0 packet: tcp 1.2.3.4:63694 -> 5.6.7.8:443", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "name": "discard" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "network": { + "transport": "tcp" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": 
"/VPN/ACL_DENY" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63694 + } + } + + ``` + + +=== "test_vpn_4.json" + + ```json + + { + "message": "01580002:5: /VPN/APM_VPN_prod:Common:0f47932d: allow ACL: /VPN/ACL_EAP_users:60 packet: tcp 1.2.3.4:50997 -> 5.6.7.8:88", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "name": "allow" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 88 + }, + "network": { + "transport": "tcp" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "/VPN/ACL_EAP_users" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50997 + } + } + + ``` + + === "test_wget.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md index dc4d1db2e8..1c4ff1f993 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md 
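Review bot: `event.type` is `["info"]` for all four test_vpn samples even though `action.name` distinguishes `discard` from `allow` (test_vpn_1 and test_vpn_3 are dropped packets); ECS has `denied` and `allowed` for exactly this distinction, and the Forcepoint sample later in this diff already emits `denied` for a blocked transaction. Mapping `discard` → `denied` and `allow` → `allowed` would let detection rules filter on outcome without parsing the action string. The rule index that follows the ACL name in the message (`/VPN/ACL_DENY:0`, `/VPN/ACL_EAP_users:59`) is dropped; if it is useful for tuning, `rule.id` is the natural place for it.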
@@ -227,6 +227,38 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_vpn_1"
+
+ ```
+ 01580002:5: /VPN/APM_VPN_prod:Common:870db929: discard ACL: /VPN/ACL_DENY:0 packet: tcp 1.2.3.4:59407 -> 5.6.7.8:443
+ ```
+
+
+
+=== "test_vpn_2"
+
+ ```
+ 01580002:5: /VPN/APM_VPN_prod:Common:0f47932d: allow ACL: /VPN/ACL_EAP_users:59 packet: tcp 1.2.3.4:50992 -> 5.6.7.8:135
+ ```
+
+
+
+=== "test_vpn_3"
+
+ ```
+ 01580002:5: /VPN/APM_VPN_prod:Common:5f56a46c: discard ACL: /VPN/ACL_DENY:0 packet: tcp 1.2.3.4:63694 -> 5.6.7.8:443
+ ```
+
+
+
+=== "test_vpn_4"
+
+ ```
+ 01580002:5: /VPN/APM_VPN_prod:Common:0f47932d: allow ACL: /VPN/ACL_EAP_users:60 packet: tcp 1.2.3.4:50997 -> 5.6.7.8:88
+ ```
+
+
+
 === "test_wget"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md
index dc4d1db2e8..1c4ff1f993 100644
--- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md
+++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md
@@ -1,88 +0,0 @@ - -### Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Network device logs` | Pradeo watch network traffic | -| `Process monitoring` | Pradeo analyze running processes | -| `Process use of network` | Pradeo watch network traffic | - - - - - - - - -### Transformed Events Samples after Ingestion - -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. - -=== "match_threats.json" - - ```json - - { - "message": "Nov 15 08:51:42 subdomain.pradeo.net mtd-pradeosecuritysystems[6030]: {\"USER\":\"test_user\",\"SECTION\":\"MTD\\/Apps\",\"ACTION\":\"app_checking\",\"DESCRIPTION\":\"\",\"ITEM\":{\"APPLICATION_ID\":\"55936212\",\"APP_PKG_NAME\":\"com.an_app\",\"APP_VERSION\":\"4.394.10003\",\"APP_SHA1_SIG\":\"a92675ab3dafb37399c47a75ceac8effc4cb401d\"},\"ACTION_VALUES\":{\"ALLOWED\":\"true\",\"ACTION\":\"automatic\",\"POLICY\":\"Green\",\"MATCH_THREATS\":[\"cat_phone_cache_send\",\"cat_phone_device_info_send\",\"cat_phone_hardware_send\",\"cat_user_contact_info_send\",\"match_encrypt_with_key_downloaded_from_network\",\"match_exec_command_downloaded_from_network\",\"match_hide_app_icon_from_launcher\",\"match_priority\",\"match_rootkit\",\"match_rootkit_warning\",\"match_sms\"]}}\n", - "action": { - "name": "app_checking", - "type": "automatic" - }, - "package": { - "checksum": "a92675ab3dafb37399c47a75ceac8effc4cb401d", - "name": "com.an_app", - "version": "4.394.10003" - }, - 
"pradeo": { - "allowed": "true", - "match_threats": [ - "cat_phone_cache_send", - "cat_phone_device_info_send", - "cat_phone_hardware_send", - "cat_user_contact_info_send", - "match_encrypt_with_key_downloaded_from_network", - "match_exec_command_downloaded_from_network", - "match_hide_app_icon_from_launcher", - "match_priority", - "match_rootkit", - "match_rootkit_warning", - "match_sms" - ], - "policy": "Green" - }, - "related": { - "user": [ - "test_user" - ] - }, - "user": { - "name": "test_user" - } - } - - ``` - - - - - -### Extracted Fields - -The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. - -| Name | Type | Description | -| ---- | ---- | ---------------------------| -|`package.checksum` | `keyword` | Checksum of the installed package for verification. | -|`package.name` | `keyword` | Package name | -|`package.version` | `keyword` | Package version | -|`pradeo.allowed` | `keyword` | Indicates if the application is allowed (green/orange) or denied (red) | -|`pradeo.match_threats` | `keyword` | List of items detected in the application with a moderate/high alert associated. | -|`pradeo.policy` | `keyword` | Name of the policy used to classify the application. | -|`user.name` | `keyword` | Short name or login of the user. | - - - -For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Pradeo/pradeo). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_sample.md b/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_sample.md deleted file mode 100644 index 59acf57503..0000000000 
--- a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_sample.md +++ /dev/null @@ -1,15 +0,0 @@ - -### Raw Events Samples - -In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. - - -=== "match_threats" - - ``` - Nov 15 08:51:42 subdomain.pradeo.net mtd-pradeosecuritysystems[6030]: {"USER":"test_user","SECTION":"MTD\/Apps","ACTION":"app_checking","DESCRIPTION":"","ITEM":{"APPLICATION_ID":"55936212","APP_PKG_NAME":"com.an_app","APP_VERSION":"4.394.10003","APP_SHA1_SIG":"a92675ab3dafb37399c47a75ceac8effc4cb401d"},"ACTION_VALUES":{"ALLOWED":"true","ACTION":"automatic","POLICY":"Green","MATCH_THREATS":["cat_phone_cache_send","cat_phone_device_info_send","cat_phone_hardware_send","cat_user_contact_info_send","match_encrypt_with_key_downloaded_from_network","match_exec_command_downloaded_from_network","match_hide_app_icon_from_launcher","match_priority","match_rootkit","match_rootkit_warning","match_sms"]}} - - ``` - - - diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md index 1c2b9d8e7b..a0060dafb9 100644 --- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md +++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md 
@@ -131,6 +131,116 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_transaction_blocked_category.json" + + ```json + + { + "message": " 0|Forcepoint|Security|8.5.5|220|Transaction blocked|7| act=blocked app=https dvc=9.8.7.6 dst=5.6.7.8 dhost=dangerous.xyz dpt=443 src=192.168.1.1 spt=52242 suser=LDAP://intranet.corp OU\\=Users_CC,OU\\=RC,OU\\=France,DC\n\\=intranet,DC\\=corp/DUPONT Jean loginID=USERXXX destinationTranslatedPort=0 rt=1721658958000 in=0 out=0 requestMethod=CONNECT requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0 reason=- cs1Label=Policy cs1=Super Adm** cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1025 cn2Label=ScanDuration cn2=3 request=https://dangerous.xyz:443 logRecordSource=OnPrem\n", + "event": { + "action": "Transaction blocked", + "category": [ + "network" + ], + "code": "1025", + "reason": "Category blocked", + "severity": 7, + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-22T14:35:58Z", + "destination": { + "address": "dangerous.xyz", + "domain": "dangerous.xyz", + "ip": "5.6.7.8", + "port": 443, + "registered_domain": "dangerous.xyz", + "top_level_domain": "xyz" + }, + "forcepoint": { + "cef": { + "version": "0" + }, + "webgateway": { + "category": "0", + "log": { + "source": "OnPrem" + }, + "policies": [ + "Super Adm**" + ] + } + }, + "host": { + "ip": "9.8.7.6" + }, + "http": { + "request": { + "method": "CONNECT" + } + }, + "network": { + "protocol": "https" + }, + "observer": { + "product": "Secure Web Gateway", + "vendor": "Forcepoint", + "version": "8.5.5" + }, + "related": { + "hosts": [ + "dangerous.xyz" + ], + "ip": [ + "192.168.1.1", + "5.6.7.8", + "9.8.7.6" + ], + "user": [ + "DUPONT Jean" + ] + }, + "rule": { + "category": "Compromised Websites", + "id": "220", + "ruleset": "Security" + }, + "source": { + "address": "192.168.1.1", + "ip": 
"192.168.1.1", + "port": 52242 + }, + "url": { + "domain": "dangerous.xyz", + "original": "https://dangerous.xyz:443", + "port": 443, + "registered_domain": "dangerous.xyz", + "scheme": "https", + "top_level_domain": "xyz" + }, + "user": { + "domain": "corp/DUPONT Jean", + "id": "USERXXX", + "name": "DUPONT Jean" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "126.0.0" + } + } + + ``` + + === "test_transaction_permitted.json" ```json @@ -231,7 +341,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "user": { - "domain": "OU\\=MyOrg,OU\\=Users,DC\\=Domain,DC\\=LOCAL", + "domain": "Domain", "id": "n_nini", "name": "User 1" }, diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472_sample.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472_sample.md index 4934a989fd..885ff945bb 100644 --- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472_sample.md +++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472_sample.md 
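Review bot: `user.domain` in test_transaction_blocked_category.json comes out as `"corp/DUPONT Jean"`, which embeds the user's display name; the `suser` value wraps across a newline in the raw message (`DC\n\\=intranet,DC\\=corp/DUPONT Jean`) and the extraction appears to take everything after the last `DC\\=` without stopping at the `/` separator. The second hunk in this file reduces the other sample's domain to `"Domain"` for the same field, so the intended output here is presumably `"corp"` (or the joined `intranet.corp`). `user.name` and `related.user` are already right, so only the domain split needs adjusting; keeping a fixture with the line break in the DN is worthwhile since it appears to be what the gateway emits.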
@@ -12,6 +12,16 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_transaction_blocked_category"
+
+ ```
+ 0|Forcepoint|Security|8.5.5|220|Transaction blocked|7| act=blocked app=https dvc=9.8.7.6 dst=5.6.7.8 dhost=dangerous.xyz dpt=443 src=192.168.1.1 spt=52242 suser=LDAP://intranet.corp OU\=Users_CC,OU\=RC,OU\=France,DC
+ \=intranet,DC\=corp/DUPONT Jean loginID=USERXXX destinationTranslatedPort=0 rt=1721658958000 in=0 out=0 requestMethod=CONNECT requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0 reason=- cs1Label=Policy cs1=Super Adm** cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1025 cn2Label=ScanDuration cn2=3 request=https://dangerous.xyz:443 logRecordSource=OnPrem
+
+ ```
+
+
+
 === "test_transaction_permitted"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md
index eb0b004d79..d9df5af0d7 100644
--- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md
+++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md
@@ -133,6 +133,83 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_full_rrsig.json" + + ```json + + { + "message": "client 1.2.3.4#63572 (first.example.com.): answer: first.example.com. IN A (5.6.7.8) -> NOERROR 108 CNAME www.example.com.edgekey.net. 108 RRSIG CNAME 13 3 300 20240823013134 20240820003134 23300 example.com. ZXhhbXBsZTEyMy0xMjM= 32 CNAME example.akamaiedge.net. 20 A 9.10.11.12", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63572 + }, + "dns": { + "answers": [ + { + "data": "www.example.com.edgekey.net.", + "ttl": 108, + "type": "CNAME" + }, + { + "data": "example.akamaiedge.net.", + "ttl": 32, + "type": "CNAME" + }, + { + "data": "9.10.11.12", + "ttl": 20, + "type": "A" + }, + { + "data": "HTTPS", + "ttl": 108, + "type": "RSSIG" + } + ], + "question": { + "class": "IN", + "name": "first.example.com.", + "registered_domain": "example.com", + "subdomain": "first", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "first.example.com." + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8" + } + } + + ``` + + === "dns_guardian_answer1.json" ```json @@ -560,7 +637,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "dns_https_record.json" +=== "dns_https_rrsig_record.json" ```json 
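Review bot: The fourth entry in `dns.answers` does not match the raw message it is parsed from: the log carries `108 RRSIG CNAME 13 3 300 20240823013134 20240820003134 23300 example.com. ZXhhbXBsZTEyMy0xMjM=`, but the fixture pins `"type": "RSSIG"` (misspelled) and `"data": "HTTPS"`, a value that occurs nowhere in this message and looks like it was carried over from the HTTPS sample renamed in the next hunk. Because these generated fixtures are the parser's expected output, committing them as-is locks in a record type that no detection rule or ECS consumer will ever match (`dns.answers.type` should be the real RR type, `RRSIG`) and a `data` field that misrepresents what was signed. I would expect the entry to read `"data": "CNAME 13 3 300 20240823013134 20240820003134 23300 example.com. ZXhhbXBsZTEyMy0xMjM=", "ttl": 108, "type": "RRSIG"` — or the signature omitted from `answers` if RRSIGs are intentionally not modelled — with the fix made in the parser and the fixture regenerated rather than hand-edited. It is also worth confirming that the `A` answer `9.10.11.12` is meant to stay out of `related.ip`, which here holds only the client and server addresses.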
@@ -627,6 +704,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_https_wo_ipv6.json" + + ```json + + { + "message": "client 1.2.3.4#50426 (example.com.): answer: example.com. IN TYPE65 (1.2.3.4) -> NOERROR 238 HTTPS 1 . alpn=h3,h2 ipv4hint=5.6.7.8,9.10.11.12", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50426 + }, + "dns": { + "answers": [ + { + "data": "alpn=h3,h2 ipv4hint=5.6.7.8,9.10.11.12", + "ttl": 238, + "type": "HTTPS" + } + ], + "question": { + "class": "IN", + "name": "example.com.", + "registered_domain": "example.com", + "top_level_domain": "com", + "type": "TYPE65" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "example.com." + ], + "ip": [ + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.4" + } + } + + ``` + + === "dns_named_query.json" ```json @@ -976,6 +1113,50 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_received_notify.json" + + ```json + + { + "message": "client @0x7ee2b158 1.2.3.4#50426: received notify for zone 'example.org'", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50426 + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.org" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + === "dns_refused.json" ```json 
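Review bot: The NOTIFY sample is normalised as if it were a query against a response-policy zone: `dns.type` is pinned to `"query"` and the zone from `received notify for zone 'example.org'` is stored in `efficientip.rpz.domain`, although the line is a zone-change notification, not a lookup, and nothing in it marks `example.org` as an RPZ. Any rule that keys on `efficientip.rpz.domain` to surface RPZ hits will now also fire on routine NOTIFY traffic for every zone the server is secondary for, and consumers that read `dns.type: query` as a client lookup will count these as resolutions from `1.2.3.4`. I would leave `dns.type` unset for this event (or document the chosen value in the integration text) and place the zone under a neutral field such as `dns.question.name` or a dedicated `efficientip.zone`, reserving `efficientip.rpz.domain` for lines that actually reference an RPZ, which is presumably what the existing `test_rpz_notify.json` fixture covers. The same mapping appears in the `dns_view_received_notify.json` sample added in the following hunk.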
@@ -1094,6 +1275,50 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_view_received_notify.json" + + ```json + + { + "message": "client @0xc3709158 1.2.3.4#57618: view outside: received notify for zone 'rpz.example.org'", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57618 + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "rpz.example.org" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + === "test_rpz_notify.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md index 179114150b..3b25becbcf 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md @@ -20,6 +20,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "dns_full_rrsig" + + ``` + client 1.2.3.4#63572 (first.example.com.): answer: first.example.com. IN A (5.6.7.8) -> NOERROR 108 CNAME www.example.com.edgekey.net. 108 RRSIG CNAME 13 3 300 20240823013134 20240820003134 23300 example.com. ZXhhbXBsZTEyMy0xMjM= 32 CNAME example.akamaiedge.net. 20 A 9.10.11.12 + ``` + + + === "dns_guardian_answer1" ``` 
@@ -84,7 +92,7 @@ In this section, you will find examples of raw logs as generated natively by the
-=== "dns_https_record"
+=== "dns_https_rrsig_record"
```
26914:client 1.2.3.4#52283 (cdnjs.cloudflare.com.): answer: cdnjs.cloudflare.com. IN TYPE65 (5.6.7.8) -> NOERROR 205 HTTPS 1 . alpn=h3,h2 ipv4hint=104.17.24.14,104.17.25.14 ipv6hint=2606:4700::6811:180e,2606:4700::6811:190e 205 RRSIG HTTPS 13
@@ -92,6 +100,14 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "dns_https_wo_ipv6"
+
+ ```
+ client 1.2.3.4#50426 (example.com.): answer: example.com. IN TYPE65 (1.2.3.4) -> NOERROR 238 HTTPS 1 . alpn=h3,h2 ipv4hint=5.6.7.8,9.10.11.12
+ ```
+
+
+
=== "dns_named_query"
```
@@ -140,6 +156,14 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "dns_received_notify"
+
+ ```
+ client @0x7ee2b158 1.2.3.4#50426: received notify for zone 'example.org'
+ ```
+
+
+
=== "dns_refused"
```
@@ -156,6 +180,14 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "dns_view_received_notify"
+
+ ```
+ client @0xc3709158 1.2.3.4#57618: view outside: received notify for zone 'rpz.example.org'
+ ```
+
+
+
=== "test_rpz_notify"
```