From b3fbc4e6c5de0680d74e3b41b657291a1e0170ac Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 13:51:06 +0100 Subject: [PATCH 1/6] fix: fix broken links and anchor warnings, bumping mkdocs to 1.6 so that we can use absolute links in markdown --- _shared_content/automate/actions.md | 84 +- _shared_content/automate/build-playbooks.md | 2 +- .../automate/navigate-playbooks.md | 6 +- .../automate/playbooks-on-premises.md | 34 +- .../develop/rest_api/quickstart.md | 9 +- .../integration/connector_configuration.md | 4 +- .../integration/detection_section.md | 2 +- .../integration/forwarder_configuration.md | 8 +- .../integration/intake_configuration.md | 2 +- .../intelligence_center/consume/feeds.md | 2 +- .../consume/intelligence.md | 59 +- .../intelligence_center/consume/telemetry.md | 2 +- .../intelligence_center/integrations/api.md | 4 +- .../intelligence_center/integrations/misp.md | 2 +- .../integrations/splunk.md | 18 +- .../00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md | 2 +- .../021e9def-5a55-4369-941e-af269b45bef1.md | 2 +- .../02a74ceb-a9b0-467c-97d1-588319e39d71.md | 2 +- .../033cd098-b21b-4c9b-85c4-c8174c307e48.md | 2 +- .../041e915e-2fb6-4604-9b24-902c9daa2d3c.md | 2 +- .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 47 +- ...6706-ee4a-419b-906d-f92f3a46bcdd_sample.md | 29 + .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 363 ++++++-- ...f36d-cee0-4f06-b575-9e43af779f9f_sample.md | 251 ++++++ .../0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md | 2 +- .../064f7e8b-ce5f-474d-802e-e88fe2193365.md | 2 +- .../07c0cac8-f68f-11ea-adc1-0242ac120002.md | 2 +- .../07c556c0-0675-478c-9803-e7990afe78b6.md | 2 +- .../09754cc4-e247-4712-9a76-25529ba11b8b.md | 2 +- .../0ba58f32-7dba-4084-ab17-90c0be6b1f10.md | 2 +- .../0de050fb-3f56-4c7a-a9b6-76bf5298a617.md | 2 +- .../10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md | 4 +- .../162064f0-c594-455e-ac24-2d7129137688.md | 430 --------- ...64f0-c594-455e-ac24-2d7129137688_sample.md | 269 ------ .../16676d72-463e-4b8a-b13a-f8dd48cddc8c.md | 2 +- .../19cd2ed6-f90c-47f7-a46b-974354a107bb.md | 2 +- .../1d172ee6-cdc0-4713-9cfd-43f7d9595777.md | 2 +- .../1df44c62-33d3-41d4-8176-f1fa13589eea.md | 2 +- .../20876735-c423-4bbc-9d19-67edc91fb063.md | 2 +- .../2259adc3-9d93-4150-9c1c-46804e636084.md | 2 +- .../22f2afd2-c858-443d-8e06-7b335e439c29.md | 2 +- .../23813540-b658-48dd-b030-e9b92168bbf4.md | 2 +- .../23b75d0c-2026-4d3e-b916-636c27ba4931.md | 2 +- .../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 2 +- .../255764ef-eaf6-4964-958e-81b9418e6584.md | 2 +- .../270777d7-0c5a-42fb-b901-b7fadfb0ba48.md | 2 +- .../2815eaab-2425-4eff-8038-3f7d5a3b8b11.md | 2 +- .../2886cd2d-f686-4e7d-9976-250cba2eaf5b.md | 2 +- .../2b13307b-7439-4973-900a-2b58303cac90.md | 2 +- .../2e9d87ed-6606-445a-90d1-9c7695b28335.md | 2 +- .../2ee6048e-8322-4575-8e47-1574946412b6.md | 2 +- .../2f28e4f9-a4f3-40a6-9909-b69f3df32535.md | 2 +- .../2ffff1fd-fed7-4a24-927a-d619f2bb584a.md | 2 +- .../325369ba-8515-45b4-b750-5db882ea1266.md | 2 +- .../331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md | 2 +- .../340e3bc7-2b76-48e4-9833-e971451b2979.md | 2 +- .../35855de3-0728-4a83-ae19-e38e167432a1.md | 2 +- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 108 ++- ...57d3-4689-4fae-8033-6f1f887a70f2_sample.md | 80 ++ .../3cedbe29-02f8-42bf-9ec2-0158186c2827.md | 2 +- .../3e060900-4004-4754-a597-d2944a601930.md | 2 +- .../3f330d19-fdea-48ac-96bd-91a447bb26bd.md | 2 +- .../3f99cdd8-aeca-4860-a846-6f2a794583e1.md | 2 +- .../40bac399-2d8e-40e3-af3b-f73a622c9687.md | 2 +- .../40deb162-6bb1-4635-9c99-5c2de7e1d340.md | 2 +- .../419bd705-fa61-496c-94fa-28d6c1f2e2a8.md | 2 +- .../41e3ca4e-a714-41aa-ad69-684a0b3835fc.md | 2 +- .../44439212-c2d8-4645-ad60-8fd5e39140b3.md | 2 +- .../44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md | 2 +- .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 2 +- .../469bd3ae-61c9-4c39-9703-7452882e70da.md | 2 +- .../46ca6fc8-3d30-434c-92ff-0e1cde564161.md | 2 +- .../46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md | 2 +- .../46e45417-187b-45bb-bf81-30df7b1963a0.md | 2 +- .../46fe3905-9e38-4fb2-be09-44d31626b694.md | 2 +- .../4760d0bc-2194-44e5-a876-85102b18d832.md | 2 +- .../4a3bb630-951a-40d9-be5e-5c712b37248e.md | 2 +- .../4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md | 2 +- .../515ed00f-bf70-4fce-96cc-0ca31abd5d24.md | 2 +- .../547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md | 2 +- .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 2 +- .../57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md | 2 +- .../5803f97d-b324-4452-b861-0253b15de650.md | 2 +- .../588a448b-c08d-4139-a746-b2b9f366e34b.md | 2 +- .../591feb54-1d1f-4453-b780-b225c59e9f99.md | 2 +- .../59991ced-c2a0-4fb0-91f3-49e3993c16f5.md | 2 +- .../5a8ef52f-d143-4735-8546-98539fc07725.md | 2 +- .../5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md | 2 +- .../5d9e261a-944c-4a76-8c61-6794fd44d9a8.md | 2 +- .../60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md | 2 +- .../622999fe-d383-4d41-9f2d-eed5013fe463.md | 2 +- .../63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md | 2 +- .../64d118f0-84a5-4f46-ab05-7776bd6d0eed.md | 2 +- .../6967b0ca-f27e-480a-b124-fa4ab0b9d889.md | 2 +- .../69b52166-b804-4f47-860f-2d3fd0b46987.md | 2 +- .../6b8cb346-6605-4240-ac15-3828627ba899.md | 2 +- .../6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md | 2 +- .../6dbdd199-77ae-4705-a5de-5c2722fa020e.md | 2 +- .../700f332f-d515-4bc5-8a62-49fa5f2c9206.md | 2 +- .../70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md | 2 +- .../76d767ed-5431-4db1-b893-a48b6903d871.md | 2 +- .../79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md | 2 +- .../7954ae6f-eafa-404d-8e15-4b99a12b754c.md | 2 +- .../7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md | 2 +- .../7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md | 2 +- .../7b75d498-4a65-4d44-aa81-31090d723a60.md | 84 +- ...d498-4a65-4d44-aa81-31090d723a60_sample.md | 8 + .../80b8382e-0667-4469-bbc9-74be1e0ca1c1.md | 2 +- .../80de6ccb-7246-40de-bcbb-bc830118c1f9.md | 2 +- .../838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md | 2 +- .../8461aabe-6eba-4044-ad7f-a0c39a2b2279.md | 2 +- .../8510051d-c7cf-4b0c-a398-031afe91faa0.md | 2 +- .../864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md | 2 +- .../890207d2-4878-440d-9079-3dd25d472e0a.md | 2 +- .../89346697-b64b-45d4-a456-72fd8a2be5d8.md | 2 +- .../8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md | 2 +- .../8d024a2b-3627-4909-818d-26e1e3b2409c.md | 2 +- .../8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md | 2 +- .../8f472113-ba5b-45b9-9a2c-944834396333.md | 2 +- .../90179796-f949-490c-8729-8cbc9c65be55.md | 2 +- .../903ec1b8-f206-4ba5-8563-db21da09cafd.md | 262 +++++- ...c1b8-f206-4ba5-8563-db21da09cafd_sample.md | 36 + .../9044ba46-2b5d-4ebd-878a-51d62e84c8df.md | 2 +- .../915a119c-2ec8-4482-a3c6-4d4cae62b671.md | 2 +- .../916c13a8-c109-49f0-94db-d6a2300f5580.md | 2 +- .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 81 +- ...438c-f7c3-4001-9bcc-45fd108ba1be_sample.md | 37 + .../954a6488-6394-4385-8427-621541e881d5.md | 2 +- .../98fa7079-41ae-4033-a93f-bbd70d114188.md | 112 ++- ...7079-41ae-4033-a93f-bbd70d114188_sample.md | 177 ++++ .../995d7daf-4e4a-42ec-b90d-9af2f7be7019.md | 2 +- .../99da26fc-bf7b-4e5b-a76c-408472fcfebb.md | 109 ++- ...26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md | 104 +++ .../9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md | 2 +- .../9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md | 2 +- .../9f89b634-0531-437b-b060-a9d9f2d270db.md | 2 +- .../a0716ffd-5f9e-4b97-add4-30f1870e3d03.md | 2 +- .../a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md | 2 +- .../a14b1141-2d61-414b-bf79-da99b487b1af.md | 23 +- .../a199fbde-508e-4cb9-ae37-842703494be0.md | 2 +- .../a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md | 2 +- .../a2915a14-d1e9-4397-86fc-8f8b2c617466.md | 2 +- .../a406a8c1-e1e0-4fe9-835b-3607d01150e6.md | 2 +- .../a9c959ac-78ec-47a4-924e-8156a77cebf5.md | 41 +- ...59ac-78ec-47a4-924e-8156a77cebf5_sample.md | 96 ++ .../ab25af2e-4916-40ba-955c-34d2301c1f51.md | 2 +- .../acd3374a-9738-4650-9d20-bd0a22daac40.md | 2 +- .../ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md | 2 +- .../aeb7d407-db57-44b2-90b6-7df6738d5d7f.md | 2 +- .../b1545bb3-6f55-4ba4-ac80-d649040a127c.md | 2 +- .../b23668b2-5716-4432-9af7-bc4f81ad6df3.md | 2 +- .../b28db14b-e3a7-463e-8659-9bf0e577944f.md | 2 +- .../b2d961ae-0f7e-400b-879a-f97be24cc02d.md | 2 +- .../ba40ab72-1456-11ee-be56-0242ac120002.md | 2 +- .../bae128bb-98c6-45f7-9763-aad3451821e5.md | 2 +- .../bba2bed2-d925-440f-a0ce-dbcae04eaf26.md | 2 +- .../bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md | 2 +- .../bf8867ee-43b7-444c-9475-a7f43754ab6d.md | 2 +- .../c10307ea-5dd1-45c6-85aa-2a6a900df99b.md | 2 +- .../c20528c1-621e-4959-83ba-652eca2e8ed0.md | 2 +- .../c2faea65-1eb3-4f3f-b895-c8769a749d45.md | 2 +- .../c3888137-b34e-4526-ab61-836b2d45a742.md | 2 +- .../c6a43439-7b9d-4678-804b-ebda6756db60.md | 2 +- .../caa13404-9243-493b-943e-9848cadb1f99.md | 753 +++++++++++++++- ...3404-9243-493b-943e-9848cadb1f99_sample.md | 340 +++++++- .../ccf942fe-c839-42be-a081-5c3f946e80f5.md | 2 +- .../cf5c916e-fa26-11ed-a844-f7f4d7348199.md | 2 +- .../d0383e87-e054-4a21-8a2c-6a89635d8615.md | 2 +- .../d11df984-840d-4c29-a6dc-b9195c3a24e3.md | 232 +++++ ...f984-840d-4c29-a6dc-b9195c3a24e3_sample.md | 30 + .../d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md | 2 +- .../d2725f97-0c7b-4942-a847-983f38efb8ff.md | 175 +++- ...5f97-0c7b-4942-a847-983f38efb8ff_sample.md | 82 ++ .../d3a813ac-f9b5-451c-a602-a5994544d9ed.md | 2 +- .../d626fec3-473a-44b3-9e3d-587fdd99a421.md | 2 +- .../d6d15297-e977-4584-9bb3-f0290b99f014.md | 2 +- .../d6f69e04-6ab7-40c0-9723-84060aeb5529.md | 2 +- .../d719e8b5-85a1-4dad-bf71-46155af56570.md | 2 +- .../d9f337a4-1303-47d4-b15f-1f83807ff3cc.md | 2 +- .../da3555f9-8213-41b8-8659-4cb814431e29.md | 2 +- .../dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md | 2 +- .../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 2 +- .../dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md | 2 +- .../de9ca004-991e-4f5c-89c5-e075f3fb3216.md | 2 +- .../e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md | 2 +- .../e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md | 2 +- .../e6bb2404-8fc8-4124-a785-c1276277b5d7.md | 68 +- .../e8ca856f-8a58-490b-bea4-247b12b3d74b.md | 2 +- .../e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md | 2 +- .../ea265b9d-fb48-4e92-9c26-dcfbf937b630.md | 2 +- .../eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md | 2 +- .../ee0b3023-524c-40f6-baf5-b69c7b679887.md | 2 +- .../ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md | 2 +- .../ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md | 2 +- .../f0a10c21-37d1-419f-8671-77903dc8de69.md | 2 +- .../f0f95532-9928-4cde-a399-ddd992d48472.md | 2 +- .../f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md | 2 +- .../f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md | 2 +- .../f95fea50-533c-4897-9272-2f8361e63644.md | 2 +- .../fc03f783-5039-415e-915a-a4b010d9a872.md | 2 +- .../fc99c983-3e6c-448c-97e6-7e0948e12415.md | 2 +- .../ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md | 2 +- .../ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md | 2 +- docs/getting_started/best_practices.md | 48 +- .../get_troubleshooting_tips.md | 2 +- docs/getting_started/invite_users.md | 25 +- docs/getting_started/sso/azure.md | 2 +- docs/getting_started/sso/okta.md | 2 +- docs/getting_started/sso/openid_connect.md | 2 +- .../categories/applicative/azure_files.md | 2 +- .../applicative/github_audit_logs.md | 21 +- .../categories/applicative/salesforce.md | 2 +- .../applicative/sekoiaio_forwarder_logs.md | 8 +- .../applicative/systancia_cleanroom.md | 5 +- .../categories/applicative/veeam_backup.md | 2 +- .../categories/email/message_trace.md | 3 +- docs/integration/categories/email/o365.md | 2 +- docs/integration/categories/email/postfix.md | 2 +- .../categories/email/proofpoint_pod.md | 2 +- .../categories/email/proofpoint_tap.md | 4 +- docs/integration/categories/email/vade.md | 2 +- .../endpoint/checkpoint_harmony_mobile.md | 2 +- .../categories/endpoint/crowdstrike_falcon.md | 2 +- .../endpoint/crowdstrike_falcon_telemetry.md | 2 +- .../categories/endpoint/cybereason_malop.md | 8 +- .../endpoint/cybereason_malop_activity.md | 2 +- .../categories/endpoint/eset_protect.md | 3 +- .../endpoint/google_kubernetes_engine.md | 4 +- docs/integration/categories/endpoint/ibm_i.md | 2 +- .../endpoint/kaspersky_endpoint_security.md | 3 - .../endpoint/log_insight_windows.md | 2 +- .../endpoint/panda_security_aether.md | 2 +- .../categories/endpoint/sentinelone.md | 8 +- .../endpoint/sentinelone_cloudfunnel2.0.md | 6 +- .../categories/endpoint/sophos_edr.md | 4 +- .../categories/endpoint/stormshield_ses.md | 10 +- .../integration/categories/endpoint/tanium.md | 2 +- .../categories/endpoint/tehtris_edr.md | 4 +- .../categories/endpoint/trellix_edr.md | 5 +- .../endpoint/trend_micro_apex_one.md | 2 +- .../categories/endpoint/vmware_esxi.md | 2 +- .../categories/endpoint/vmware_vcenter.md | 2 +- .../categories/endpoint/windows.md | 10 +- .../categories/endpoint/winlogbeat.md | 2 +- .../endpoint/withsecure_elements.md | 2 +- docs/integration/categories/generic/cef.md | 2 +- docs/integration/categories/iam/alsid.md | 2 +- .../categories/iam/azure_key_vault.md | 2 +- .../iam/jumpcloud_directory_insights.md | 2 +- .../iam/manageengine_adauditplus.md | 3 +- .../categories/iam/okta_system_log.md | 2 +- docs/integration/categories/iam/openldap.md | 2 +- .../integration/categories/iam/rsa_securid.md | 2 +- .../categories/network/aws_flow_logs.md | 4 +- .../network/azure_application_gateway.md | 5 +- .../categories/network/cato_sase.md | 4 +- docs/integration/categories/network/dhcpd.md | 3 - .../network/efficientip_solidserver_ddi.md | 10 +- .../categories/network/ekinops_oneos.md | 2 +- .../network/forcepoint_web_gateway.md | 5 +- .../categories/network/juniper_switches.md | 2 +- .../network/microsoft_always_on_vpn.md | 2 +- .../categories/network/netfilter.md | 2 +- .../integration/categories/network/openssh.md | 2 +- .../integration/categories/network/openvpn.md | 2 +- .../categories/network/opnsense.md | 2 +- docs/integration/categories/network/pulse.md | 5 +- .../categories/network/sesameit_jizo.md | 8 +- docs/integration/categories/network/squid.md | 2 +- .../categories/network/umbrella_dns.md | 2 +- .../integration/categories/network/unbound.md | 2 +- .../network_security/aws_cloudfront.md | 2 +- .../network_security/aws_cloudtrail.md | 2 +- .../network_security/aws_guardduty.md | 2 +- .../categories/network_security/aws_waf.md | 2 +- .../network_security/azure_front_door.md | 2 +- .../network_security/clavister_ng_fw.md | 2 +- .../categories/network_security/fortiproxy.md | 3 - .../network_security/gatewatcher_aioniq.md | 3 - .../skyhigh_secure_web_gateway.md | 4 +- .../network_security/sonicwall_fw.md | 2 +- .../network_security/sonicwall_sma.md | 2 +- .../categories/network_security/sophos_fw.md | 2 +- .../stormshield_network_security.md | 2 +- .../network_security/trellix_epo.md | 3 +- .../categories/network_security/trellix_nx.md | 2 +- .../trend_micro_deep_security.md | 2 +- .../categories/network_security/ubika_waap.md | 2 +- .../network_security/varonis_data_security.md | 5 +- .../categories/network_security/vectra.md | 2 +- .../network_security/watchguard_firebox.md | 2 +- .../network_security/zscaler_zia.md | 2 +- docs/integration/categories/overview.md | 2 +- .../develop_integration/automation/action.md | 12 +- .../develop_integration/automation/trigger.md | 3 - .../develop_integration/overview.md | 22 +- .../bug_and_improvement_requests.md | 6 +- docs/integration/index.md | 8 +- .../ingestion_methods/cloud_saas/overview.md | 4 +- .../ingestion_methods/https/logstash.md | 8 +- docs/integration/ingestion_methods/index.md | 16 +- .../syslog/sekoiaio_forwarder.md | 42 +- docs/xdr/FAQ/Alerts_qa.md | 12 +- docs/xdr/features/collect/assets.md | 2 +- docs/xdr/features/collect/intakes.md | 18 +- .../detect/built_in_detection_rules.md | 2 +- docs/xdr/features/detect/iocdetection.md | 26 +- docs/xdr/features/detect/rules_catalog.md | 62 +- .../interconnect_sekoia_with_xsoar.md | 12 +- docs/xdr/features/investigate/alerts.md | 2 +- docs/xdr/features/investigate/cases.md | 10 +- docs/xdr/features/investigate/events.md | 2 +- .../xdr/features/investigate/query_builder.md | 14 +- docs/xdr/features/report/dashboards.md | 24 +- docs/xdr/index.md | 4 +- .../playbook/Add_UserAgent_in_comment.md | 10 +- .../playbook/ExtractIP_from_Url_country.md | 10 +- .../Get_events_information_from_alert.md | 2 +- mkdocs.yml | 6 +- plugins/intakes_by_uuid.py | 34 +- poetry.lock | 823 +++++++++--------- pyproject.toml | 2 +- .../update_mkdocs/templates/intake.md.jinja | 2 +- 323 files changed, 4633 insertions(+), 1914 deletions(-) delete mode 100644 _shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md delete mode 100644 _shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688_sample.md create mode 100644 _shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3.md create mode 100644 _shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3_sample.md diff --git a/_shared_content/automate/actions.md b/_shared_content/automate/actions.md index a713928379..f3803e07e5 100644 --- a/_shared_content/automate/actions.md +++ b/_shared_content/automate/actions.md @@ -8,7 +8,7 @@ An `Action` helps you execute specific tasks depending on your needs. There are - Extract data: [data collection enrichers](#data-collection) - Connect and use [third-party applications](#third-party-applications) - Set up [notifications](#notifications) -- Use [helpers](#Helpers) to build your own actions +- Use [helpers](#helpers) to build your own actions The Actions Library lists all available actions in playbooks with their detailed configuration. @@ -18,11 +18,11 @@ The Actions Library lists all available actions in playbooks with their detailed | Name | Description | | --- | --- | -| [Get Event Field Common Values](/integration/action_library/generic/sekoia-io/#get-event-field-common-values) | Retrieve the most common values of an ECS field based on the time window | -| [List Assets](/integration/action_library/generic/sekoia-io/#list-assets) | Retrieve detailed information about assets based on a filter | -| [Search Alerts](/integration/action_library/generic/sekoia-io/#search-alerts) | Retrieve detailed information about alerts (such as the urgency, name of the rule, etc… except events) based on a filter. | -| [Get Alert](/integration/action_library/generic/sekoia-io/#get-alert) | Retrieve detailed alert information such as the urgency, name of the rule, pattern, etc… except events. | -| [Get Events](/integration/action_library/generic/sekoia-io/#get-events) | Retrieve events based on a search. This action is equivalent to a search on the event page and takes into consideration 3 parameters: a query with filters (`source.ip=xx.xxx.xx`), and earliest time/latest time: two dates to determine the date range of the search. | +| [Get Event Field Common Values](/integration/action_library/sekoia-io.md#get-event-field-common-values) | Retrieve the most common values of an ECS field based on the time window | +| [List Assets](/integration/action_library/sekoia-io.md#list-assets) | Retrieve detailed information about assets based on a filter | +| [Search Alerts](/integration/action_library/sekoia-io.md#search-alerts) | Retrieve detailed information about alerts (such as the urgency, name of the rule, etc… except events) based on a filter. | +| [Get Alert](/integration/action_library/sekoia-io.md#get-alert) | Retrieve detailed alert information such as the urgency, name of the rule, pattern, etc… except events. | +| [Get Events](/integration/action_library/sekoia-io.md#get-events) | Retrieve events based on a search. This action is equivalent to a search on the event page and takes into consideration 3 parameters: a query with filters (`source.ip=xx.xxx.xx`), and earliest time/latest time: two dates to determine the date range of the search. | !!!note `Get Events` can be used to retrieve events from an alert. Events associated to an alert contain the key `alert_short_ids` with the value of the ID of the alert. @@ -31,15 +31,15 @@ The Actions Library lists all available actions in playbooks with their detailed | Name | Description | | --- | --- | -| [Create an asset](/integration/action_library/generic/sekoia-io/#create-asset) | Create an asset | -| [Delete an asset](/integration/action_library/generic/sekoia-io/#delete-an-asset) | Delete an asset | -| [Add attribute to asset](/integration/action_library/generic/sekoia-io/#add-attribute-to-asset) | Add attribute to asset | -| [Add key to asset](/integration/action_library/generic/sekoia-io/#add-key-to-asset) | Add key to asset | -| [Edit alert](/integration/action_library/generic/sekoia-io/#edit-alert) | Edit an alert details such as the urgency or the alert category | -| [Comment alert](/integration/action_library/generic/sekoia-io/#comment-alert) | Add a comment to the alert | -| [Update alert status](/integration/action_library/generic/sekoia-io/#update-alert-status) | Change the status of an alert | -| [Push Events to Intake](/integration/action_library/generic/sekoia-io/#push-events-to-intake) | Push one or more events to an Intake | -| [Attach Alerts to Case](/integration/action_library/generic/sekoia-io/#attach-alerts-to-case) | Attach one or more alerts to a case. | +| [Create an asset](/integration/action_library/sekoia-io.md#create-asset) | Create an asset | +| [Delete an asset](/integration/action_library/sekoia-io.md#delete-an-asset) | Delete an asset | +| [Add attribute to asset](/integration/action_library/sekoia-io.md#add-attribute-to-asset) | Add attribute to asset | +| [Add key to asset](/integration/action_library/sekoia-io.md#add-key-to-asset) | Add key to asset | +| [Edit alert](/integration/action_library/sekoia-io.md#edit-alert) | Edit an alert details such as the urgency or the alert category | +| [Comment alert](/integration/action_library/sekoia-io.md#comment-alert) | Add a comment to the alert | +| [Update alert status](/integration/action_library/sekoia-io.md#update-alert-status) | Change the status of an alert | +| [Push Events to Intake](/integration/action_library/sekoia-io.md#push-events-to-intake) | Push one or more events to an Intake | +| [Attach Alerts to Case](/integration/action_library/sekoia-io.md#attach-alerts-to-case) | Attach one or more alerts to a case. | #### How to update an alert status @@ -58,53 +58,53 @@ To update an alert status, you need to copy the `status_uuid` corresponding to t To get notified, you can rely on these tools: -- [Mandrill](/integration/action_library/applicative/mandrill.md): Send Message -- [Mattermost](/integration/action_library/applicative/mattermost.md): Post message / Post Sekoia.io alert -- [Pagerduty](/integration/action_library/applicative/pagerduty.md): Trigger Alert -- [The Hive](/integration/action_library/collaboration_tools/the-hive.md): Create an alert in the Hive +- [Mandrill](/integration/action_library/mandrill.md): Send Message +- [Mattermost](/integration/action_library/mattermost.md): Post message / Post Sekoia.io alert +- [Pagerduty](/integration/action_library/pagerduty.md): Trigger Alert +- [The Hive](/integration/action_library/the-hive.md): Create an alert in the Hive - ... ## Data collection If you have an account in one of the listed tools below, you can easily extract data from there and import it to Sekoia.io. This is made possible with an API key. -- [BinaryEdge](/integration/action_library/threat_intelligence/binaryedge-s-api.md) -- [Censys](/integration/action_library/threat_intelligence/censys.md) -- [GLIMPS](/integration/action_library/threat_intelligence/glimps.md) -- [IKnowWhatYouDownloaded](/integration/action_library/threat_intelligence/iknowwhatyoudownload.md) -- [Onyphe](/integration/action_library/threat_intelligence/onyphe.md) -- [Public Suffix](/integration/action_library/threat_intelligence/public-suffix.md) -- [RiskIQ](/integration/action_library/threat_intelligence/riskiq.md) -- [Shodan](/integration/action_library/threat_intelligence/shodan.md) -- [VirusTotal](/integration/action_library/threat_intelligence/virustotal.md) -- [Whois](/integration/action_library/threat_intelligence/whois.md) +- [BinaryEdge](/integration/action_library/binaryedge-s-api.md) +- [Censys](/integration/action_library/censys.md) +- [GLIMPS](/integration/action_library/glimps.md) +- [IKnowWhatYouDownloaded](/integration/action_library/iknowwhatyoudownload.md) +- [Onyphe](/integration/action_library/onyphe.md) +- [Public Suffix](/integration/action_library/public-suffix.md) +- [RiskIQ](/integration/action_library/riskiq.md) +- [Shodan](/integration/action_library/shodan.md) +- [VirusTotal](/integration/action_library/virustotal.md) +- [Whois](/integration/action_library/whois.md) - ... ## Helpers | Name | Description | | --- | --- | -| [fileutils](/integration/action_library/generic/fileutils.md) | Extract data from XML or JSON files | -| [http](/integration/action_library/generic/http.md) | Request HTTP resources (download file, request URL) | -| [STIX](/integration/action_library/threat_intelligence/stix.md) | Add source, add tags, create relationships, cryptolaemus to STIX, CVE to STIX, filter bundle, JSON objects to observables, VirusTotal LiveHunt to observables, MISP to STIX, observables to contextualized indicators, observables to indicators, remove orphan objects, STIX to MISP, string to observables | +| [fileutils](/integration/action_library/fileutils.md) | Extract data from XML or JSON files | +| [http](/integration/action_library/http.md) | Request HTTP resources (download file, request URL) | +| [STIX](/integration/action_library/stix.md) | Add source, add tags, create relationships, cryptolaemus to STIX, CVE to STIX, filter bundle, JSON objects to observables, VirusTotal LiveHunt to observables, MISP to STIX, observables to contextualized indicators, observables to indicators, remove orphan objects, STIX to MISP, string to observables | These helpers need their associated trigger to function properly: | Name | Description | | --- | --- | -| [MISP](/integration/action_library/threat_intelligence/misp.md) | Gather, store, share and correlate threat intelligence. Convert from MISP to STIX, publish MISP event | -| [MWDB](/integration/action_library/threat_intelligence/mwdb.md) | Convert a MWDB config to a bundle of observables | -| [Triage](/integration/action_library/threat_intelligence/triage.md) | Triage raw results to observables | +| [MISP](/integration/action_library/misp.md) | Gather, store, share and correlate threat intelligence. Convert from MISP to STIX, publish MISP event | +| [MWDB](/integration/action_library/mwdb.md) | Convert a MWDB config to a bundle of observables | +| [Triage](/integration/action_library/triage.md) | Triage raw results to observables | ## Third-party applications -- [Microsoft Entra ID (Azure AD) ](/integration/action_library/iam/microsoft-entra-id.md) -- [Microsoft Remote Server](/integration/action_library/applicative/microsoft-remote-server.md) -- [Fortigate Firewalls](/integration/action_library/network/fortigate-firewalls.md) -- [HarfangLab](/integration/action_library/endpoint/harfanglab.md) -- [Panda Security](/integration/action_library/endpoint/panda-security.md) -- [Sentinel One](/integration/action_library/endpoint/sentinelone.md) -- [ServiceNow](/integration/action_library/collaboration_tools/servicenow.md) +- [Microsoft Entra ID (Azure AD) ](/integration/action_library/microsoft-entra-id.md) +- [Microsoft Remote Server](/integration/action_library/microsoft-remote-server.md) +- [Fortigate Firewalls](/integration/action_library/fortigate-firewalls.md) +- [HarfangLab](/integration/action_library/harfanglab.md) +- [Panda Security](/integration/action_library/panda-security.md) +- [Sentinel One](/integration/action_library/sentinelone.md) +- [ServiceNow](/integration/action_library/servicenow.md) - ... More actions are available in the Actions Library. To learn how to set up an action, please refer to its documentation. diff --git a/_shared_content/automate/build-playbooks.md b/_shared_content/automate/build-playbooks.md index 4e4cf60cf3..a5ea77bbaf 100644 --- a/_shared_content/automate/build-playbooks.md +++ b/_shared_content/automate/build-playbooks.md @@ -60,7 +60,7 @@ To create a playbook from scratch, you will need to create an empty playbook, go Please refer to the documentation for each of these types to learn how to use them efficiently. -You can refer to our [playbook templates](https://github.com/SEKOIA-IO/Community/tree/main/playbooks/templates) and [use cases](/xdr/usecases/playbook/synchronize_alerts/) for inspiration. +You can refer to our [playbook templates](https://github.com/SEKOIA-IO/Community/tree/main/playbooks/templates) and [use cases](/xdr/usecases/playbook/synchronize_alerts.md) for inspiration. ## Meta-playbook creation diff --git a/_shared_content/automate/navigate-playbooks.md b/_shared_content/automate/navigate-playbooks.md index 68ce17fda6..d591809daa 100644 --- a/_shared_content/automate/navigate-playbooks.md +++ b/_shared_content/automate/navigate-playbooks.md @@ -53,7 +53,7 @@ The workflow view is composed of three main sections: #### Actions library -Accessible in a side panel that appears when clicking on the `+` on the left of the screen, this library provides you with a set of [triggers](https://docs.sekoia.io/xdr/features/automate/triggers/), [actions](https://docs.sekoia.io/xdr/features/automate/actions/) and [operators](https://docs.sekoia.io/xdr/features/automate/operators/) to help automate your workflow. +Accessible in a side panel that appears when clicking on the `+` on the left of the screen, this library provides you with a set of [triggers](/xdr/features/automate/triggers.md), [actions](/xdr/features/automate/actions.md) and [operators](/xdr/features/automate/operators.md) to help automate your workflow. These actions are regrouped in apps and services that are interconnected with Sekoia.io. @@ -65,7 +65,7 @@ To find actions in the listing, you can either: To add these actions to your graph, click on the dots next to the action name and drag it to the graph area. Dropping actions into this area will form a **block**. !!! note - Configuration for each of these blocks is detailed in the [Library section](https://docs.sekoia.io/xdr/features/automate/library/aws/) of this documentation. + Configuration for each of these blocks is detailed in the [Library section](/xdr/features/automate/library/aws.md) of this documentation. #### Graph area @@ -229,7 +229,7 @@ This tab includes filters for sorting by Status. Additionally, 'Meta-Playbooks' #### Run results -Run results are accessible either from the tab `Runs` in the playbook or in the panel that details a [playbook's details](#details-panel). +Run results are accessible either from the tab `Runs` in the playbook or in the panel that details a [playbook's details](#playbook-details). This panel contains the following information: diff --git a/_shared_content/automate/playbooks-on-premises.md b/_shared_content/automate/playbooks-on-premises.md index a44f8803a5..6c7ff45e86 100644 --- a/_shared_content/automate/playbooks-on-premises.md +++ b/_shared_content/automate/playbooks-on-premises.md @@ -1,12 +1,12 @@ # Playbooks On-premises -Our clients may find it necessary to execute Playbook actions within a local network that remains isolated from external internet access or rejects inbound connections. To meet this particular need, we enable users to select actions they want to perform on their local network directly from the Playbooks' user interface. +Our clients may find it necessary to execute Playbook actions within a local network that remains isolated from external internet access or rejects inbound connections. To meet this particular need, we enable users to select actions they want to perform on their local network directly from the Playbooks' user interface. -Clients must undertake a short installation process to harness the full potential of this security-enhancing feature. This involves installing our [dedicated agent](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/) and Docker onto a Linux machine within their local network. The meticulous setup ensures that Playbook actions can be executed with the utmost reliability and security, maintaining the integrity of the local network environment. +Clients must undertake a short installation process to harness the full potential of this security-enhancing feature. This involves installing our [dedicated agent](/integration/categories/endpoint/sekoiaio.md) and Docker onto a Linux machine within their local network. The meticulous setup ensures that Playbook actions can be executed with the utmost reliability and security, maintaining the integrity of the local network environment. Below, we provide detailed instructions on how to accomplish the installation process. -!!! warning +!!! warning The Playbook runner supports only action, not trigger, execution on-premises. !!! INFO @@ -36,15 +36,15 @@ Playbooks On-prem rely on `docker` to execute actions. For instructions on how t #### podman -In certain Linux distributions, such as RHEL and CentOS, podman may come pre-installed, potentially preventing `docker`from working correctly. +In certain Linux distributions, such as RHEL and CentOS, podman may come pre-installed, potentially preventing `docker`from working correctly. Plus, podman can also inadvertently intercept and execute docker commands if the `podman-docker` package is installed. -Because of this, the playbook runner agent **requires the presence of both the Docker client and the Docker engine**. +Because of this, the playbook runner agent **requires the presence of both the Docker client and the Docker engine**. To uninstall `podman` and resolve any compatibility issues, follow the instructions below: -1. Remove packages +1. Remove packages ``` sudo yum remove buildah skopeo podman containers-common atomic-registries docker container-tools ``` @@ -54,7 +54,7 @@ To uninstall `podman` and resolve any compatibility issues, follow the instructi sudo rm -rf /etc/containers/* /var/lib/containers/* /etc/docker /etc/subuid* /etc/subgid* ``` -3. Delete any associated container storage +3. Delete any associated container storage ``` cd ~ && rm -rf /.local/share/containers/ ``` @@ -66,7 +66,7 @@ To ensure a bug-free installation, the Sekoia Endpoint Agent must be able to com - To pull module images: - ghcr.io - githubusercontent.com - + - To send execution results and store files: - sekoia.io - app.sekoia.io @@ -74,7 +74,7 @@ To ensure a bug-free installation, the Sekoia Endpoint Agent must be able to com - minio-symphony.prod.sekoia.io - ... -### Testing the prerequisites +### Testing the prerequisites We've prepared a Docker image to facilitate the validation process and ensure the environment is properly configured for agent installation. @@ -103,14 +103,14 @@ Checking connectivity with the object storage ... OK * Proxy information: `-e https_proxy={proxy_url}` -## Playbook runners +## Playbook runners -A playbook runner is a local relay that launches playbook actions on a local network. -It can be used with any action in Sekoia.io playbooks. +A playbook runner is a local relay that launches playbook actions on a local network. +It can be used with any action in Sekoia.io playbooks. ### Create a playbook runner -To create a playbook runner, follow these steps: +To create a playbook runner, follow these steps: 1. On the playbooks listing page, select the `Playbook runners` button in the upper-right corner ![create playbook runner](/assets/playbooks/create_runner.png){: style="max-width:100%"} @@ -129,18 +129,18 @@ Your newly created playbook runner should now appear in the list. It will also b ![playbook runner instructions](/assets/playbooks/playbook_runner_action_on_premise.png){: align="right", width="280"} -Playbook runners can be used in any action in the playbook catalog. You can add them in the configuration panel that is shown when selecting an action in the playbook. +Playbook runners can be used in any action in the playbook catalog. You can add them in the configuration panel that is shown when selecting an action in the playbook. -To use a playbook runner for a specific action, follow these steps: +To use a playbook runner for a specific action, follow these steps: 1. Go to a playbook and select the action that should be executed on-premises 2. Open the configuration sidebar for this action and change "How to execute this action" to "On-premises" 3. In the "Which playbook runner" section, select the runner you want to use to execute this action -4. After selecting the playbook runner and completing the configuration, save the playbook +4. After selecting the playbook runner and completing the configuration, save the playbook ## Proxy support -The playbook runner can use a proxy server when executing actions if needed. +The playbook runner can use a proxy server when executing actions if needed. If you want to enable this feature, edit the configuration file at `/etc/endpoint-agent/config.yaml` and add the following line: diff --git a/_shared_content/develop/rest_api/quickstart.md b/_shared_content/develop/rest_api/quickstart.md index b6c68f2be4..3cfe707387 100644 --- a/_shared_content/develop/rest_api/quickstart.md +++ b/_shared_content/develop/rest_api/quickstart.md @@ -30,20 +30,13 @@ Authentication is done by Bearer Token which means that in all requests, the hea curl -XGET -H "Authorization: Bearer YOUR_API_KEY" https://api.sekoia.io/v1/sic/conf/rules-catalog/rules ``` -To create an API key, follow our guide [here](https://docs.sekoia.io/getting_started/manage_api_keys/). +To create an API key, follow our guide [here](/getting_started/manage_api_keys.md). The roles needed for your key will depend on what you want to achieve. If you plan to only get information from Sekoia.io, read only permissions will be enough. If you want to perform actions on Sekoia.io, you will also need to add write permissions. Our documentation provides information on each endpoint and specifies the required permissions. ## Documentation organization -### Guides - -The documentation offers a few guides: - -* A small page on [filtering](/xdr/develop/guides/filtering/) -* A guide on [how to create automation modules](/xdr/develop/guides/automation/overview/) - ### APIs Our API documentation is divided according to the different functionalities the platform offers: diff --git a/_shared_content/integration/connector_configuration.md b/_shared_content/integration/connector_configuration.md index c7274cef57..1178d77868 100644 --- a/_shared_content/integration/connector_configuration.md +++ b/_shared_content/integration/connector_configuration.md @@ -9,7 +9,7 @@ This section will assist you in pulling remote logs from Sekoia and sending them 5. Choose a trigger from the list by searching for the name of the product, and click `Create`. 6. A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon. 7. On the right panel, click on the `Configuration` tab. -8. Select an existing Trigger Configuration (from the [account menu](/xdr/features/automate/manage-accounts/)) or create a new one by clicking on `+ Create new configuration`. -9. Configure the Trigger based on the Actions Library (for instance, see [here](/integration/action_library/cloud_providers/aws/) for AWS modules), then click `Save`. +8. Select an existing Trigger Configuration (from the [account menu](/xdr/features/automate/manage-accounts.md)) or create a new one by clicking on `+ Create new configuration`. +9. Configure the Trigger based on the Actions Library (for instance, see [here](/integration/action_library/aws.md) for AWS modules), then click `Save`. 10. Click on `Save` at the top right of the playbook page. 11. Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page. diff --git a/_shared_content/integration/detection_section.md b/_shared_content/integration/detection_section.md index 51450919ee..14dd941314 100644 --- a/_shared_content/integration/detection_section.md +++ b/_shared_content/integration/detection_section.md @@ -1,3 +1,3 @@ ## Detection section -The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create [custom detection rules](/xdr/features/detect/rules_catalog/#create-custom-rules), perform hunting activities, or pivot in the [events page](/xdr/features/investigate/events). \ No newline at end of file +The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create [custom detection rules](/xdr/features/detect/rules_catalog.md#create-custom-rules), perform hunting activities, or pivot in the [events page](/xdr/features/investigate/events.md). \ No newline at end of file diff --git a/_shared_content/integration/forwarder_configuration.md b/_shared_content/integration/forwarder_configuration.md index 9699a63f07..705d5d5476 100644 --- a/_shared_content/integration/forwarder_configuration.md +++ b/_shared_content/integration/forwarder_configuration.md @@ -10,11 +10,11 @@ and after <%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE ``` -To achieve this you can: +To achieve this you can: -- Use the [Sekoia.io forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) which is the official supported way to collect data using the syslog protocol in Sekoia.io. In charge of centralizing data coming from many equipments/sources and forwarding them to Sekoia.io with the apporpriated format, it is a prepackaged option. You only have to provide your intake key as parameter. -- Use your own [Syslog service](/integration/ingestion_methods/syslog/syslog_service/) instance. Maybe you already have an intance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component in order to respect the expected Sekoia.io format. +- Use the [Sekoia.io forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) which is the official supported way to collect data using the syslog protocol in Sekoia.io. In charge of centralizing data coming from many equipments/sources and forwarding them to Sekoia.io with the apporpriated format, it is a prepackaged option. You only have to provide your intake key as parameter. +- Use your own [Syslog service](/integration/ingestion_methods/syslog/syslog_service.md) instance. Maybe you already have an intance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component in order to respect the expected Sekoia.io format. -!!! warning +!!! warning Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support. \ No newline at end of file diff --git a/_shared_content/integration/intake_configuration.md b/_shared_content/integration/intake_configuration.md index 40df58e55d..b0ad301f44 100644 --- a/_shared_content/integration/intake_configuration.md +++ b/_shared_content/integration/intake_configuration.md @@ -10,4 +10,4 @@ This section will guide you through creating the intake object in Sekoia, which 6. You will be redirected to the Intake listing page, where you will find a new line with the name you gave to the Intake. !!! Note - For more details on how to use the Intake page and to find the Intake key you just created, refer to [this documentation](https://docs.sekoia.io/xdr/features/automate/manage-accounts/). + For more details on how to use the Intake page and to find the Intake key you just created, refer to [this documentation](/xdr/features/automate/manage-accounts.md). diff --git a/_shared_content/intelligence_center/consume/feeds.md b/_shared_content/intelligence_center/consume/feeds.md index 5e52606e96..3808854c08 100644 --- a/_shared_content/intelligence_center/consume/feeds.md +++ b/_shared_content/intelligence_center/consume/feeds.md @@ -47,7 +47,7 @@ The special feed ID to use is `d6092c37-d8d7-45c3-8aff-c4dc26030608`. ### Create new feed -There are two ways to create a feed: either from the TIP interface or by using the API and the [feeds](../../../develop/rest_api/intelligence/#tag/Outgoing-Feeds/operation/post_feeds_resource) endpoint. +There are two ways to create a feed: either from the TIP interface or by using the `POST /api/v2/inthreat/feeds` API endpoint. To create a new feed: diff --git a/_shared_content/intelligence_center/consume/intelligence.md b/_shared_content/intelligence_center/consume/intelligence.md index b668b221c2..5104f35a42 100644 --- a/_shared_content/intelligence_center/consume/intelligence.md +++ b/_shared_content/intelligence_center/consume/intelligence.md @@ -2,20 +2,20 @@ ## Introduction -Looking for a Threat actor? A specific Malware? A report on a topic of interest? Or a URL that looks suspicious? The Intelligence page possesses a search engine with complex filtering capabilities to navigate through millions of data. This threat knowledge base is updated on a daily basis by Sekoia.io analysts to make sure all kinds of threats are covered. +Looking for a Threat actor? A specific Malware? A report on a topic of interest? Or a URL that looks suspicious? The Intelligence page possesses a search engine with complex filtering capabilities to navigate through millions of data. This threat knowledge base is updated on a daily basis by Sekoia.io analysts to make sure all kinds of threats are covered. ## How to search ### Search bars -The two ways to find what you need in the knowledge base is to: +The two ways to find what you need in the knowledge base is to: -1. Use the search bar embedded in the menu. It’s accessible from any page of the app and enables a quick search in the database. +1. Use the search bar embedded in the menu. It’s accessible from any page of the app and enables a quick search in the database. 2. Click `Intelligence` from the app menu and use the main search bar to browse the knowledge you need. ![Intelligence-search](/assets/intelligence_center/intelligence%20search.png){: style="max-width:100%"} -You can search for **multiple items at the same time**. To skip a line and paste multiple items, press `Shift-Enter` and paste your content. +You can search for **multiple items at the same time**. To skip a line and paste multiple items, press `Shift-Enter` and paste your content. !!! tip @@ -24,13 +24,13 @@ You can search for **multiple items at the same time**. To skip a line and paste ### Tabs -After you’ve typed your search and clicked on `enter`, two or three tabs appear under the search bar: one for **objects**, one for **observables** and one for **unknown observables**. +After you’ve typed your search and clicked on `enter`, two or three tabs appear under the search bar: one for **objects**, one for **observables** and one for **unknown observables**. -You can refer to [this page](/_shared_content/intelligence_center/data_model.md) to understand what objects and observables are and how our data model works. +You can refer to [this page](/cti/features/data_model.md) to understand what objects and observables are and how our data model works. -Each tab has a counter that informs users about the **number of items** in the database for each category. +Each tab has a counter that informs users about the **number of items** in the database for each category. -For instance, if you search for `Google`, you will find numerous objects (reports, Intrusion sets, Indicators…) but only two observables. +For instance, if you search for `Google`, you will find numerous objects (reports, Intrusion sets, Indicators…) but only two observables. !!! tip Always check all tabs to be sure to get all information needed on a topic. Observables may not be harmful but they can be helpful in an investigation. @@ -39,9 +39,9 @@ For instance, if you search for `Google`, you will find numerous objects (report ### How the search engine works -When searching for a term or multiple terms, Sekoia.io will list objects with fields that match the term(s). +When searching for a term or multiple terms, Sekoia.io will list objects with fields that match the term(s). -The following fields are taken into consideration by the search engine: +The following fields are taken into consideration by the search engine: - Name - Description @@ -55,16 +55,16 @@ By default, search results are sorted by **pertinence**, but you can choose to d !!! Tip When the search contains multiple words, it can be useful to see the results matching exactly what has been entered. Putting the search between quotes (`" "`) will search for objects containing the exact term in one of their fields. -!!! Note +!!! Note The search bar is **tokenized**. It means that if the user searches for `FLINT 2022-05` it will look for `FLINT`, `2022` and `05` and then apply scoring depending on the attribute the value was found in and the number of times it was found. - + To get only the item where the name starts with `FLINT 2022-05`, this dork search can be performed: `name:^"FLINT 2022-05"` #### Search for specific sectors -In the STIX format, a Sector is an **Identity object** that represents a broad business sector or industry. Sectors are used to contextualize threat actors, campaigns, and other CTI entities based on their targeting of specific sectors. For example, a Sector object could represent the Finance sector, Healthcare sector, or Government sector. +In the STIX format, a Sector is an **Identity object** that represents a broad business sector or industry. Sectors are used to contextualize threat actors, campaigns, and other CTI entities based on their targeting of specific sectors. For example, a Sector object could represent the Finance sector, Healthcare sector, or Government sector. -The table below lists all sectors present in Sekoia.io as well as their sub-types: +The table below lists all sectors present in Sekoia.io as well as their sub-types: | **Sector** | **Subtypes** | |-----------------------------|-----------------------------------------------| @@ -140,23 +140,23 @@ The table below lists all sectors present in Sekoia.io as well as their sub-type !!! Note Note that **Media** is a subtype of Entertainement. -!!!tip +!!!tip Select the object type `Identity` in the filter `By object type` on top of the Intelligence table to refine your search and list only Identity objects. #### Search for a country -In STIX format, a Country is a **Location** object that represents a geographical region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. Countries are used to contextualize threat actors, campaigns, and other CTI entities based on their geographic targeting. +In STIX format, a Country is a **Location** object that represents a geographical region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. Countries are used to contextualize threat actors, campaigns, and other CTI entities based on their geographic targeting. -There are two ways to look for Intelligence related to a specific country: +There are two ways to look for Intelligence related to a specific country: -- Search for the country’s name in English -- Use the location’s country code (2 letters) following the **[ISO 3166-1](https://www.iso.org/obp/ui/#iso:pub:PUB500001:en)** referential. For instance, FR for France, AE for United Arab Emirates, NG for Nigeria... +- Search for the country’s name in English +- Use the location’s country code (2 letters) following the **[ISO 3166-1](https://www.iso.org/obp/ui/#iso:pub:PUB500001:en)** referential. For instance, FR for France, AE for United Arab Emirates, NG for Nigeria... ### Table Columns -Search results are listed in a table with multiple columns. These columns can be shown or hidden in the filters panel, and users can change their order by dragging them using the `:` icon. +Search results are listed in a table with multiple columns. These columns can be shown or hidden in the filters panel, and users can change their order by dragging them using the `:` icon. -By default, these columns are: +By default, these columns are: | Column | Description | | --- | --- | @@ -174,7 +174,7 @@ To show or hide these columns, click on the icon on the top right of the table a ### Pagination -Depending on your screen size, you can change the pagination of this data table. It is set to 25 results per page by default, but you can increase or decrease this number to 10, 15, 50 or 100. +Depending on your screen size, you can change the pagination of this data table. It is set to 25 results per page by default, but you can increase or decrease this number to 10, 15, 50 or 100. ### Revoked objects @@ -182,9 +182,9 @@ When an object name is red in the table, it means that the object has been revok ### Filters for objects -To filter results in the Intelligence table, multiple filters are available to users. When a filter is selected, a tag is added on top of the table. +To filter results in the Intelligence table, multiple filters are available to users. When a filter is selected, a tag is added on top of the table. -This table lists all filters for objects in the Intelligence page. +This table lists all filters for objects in the Intelligence page. | Filter | Description | | --- | --- | @@ -206,7 +206,7 @@ To remove a filter, just click on the `cross` inside the tag. To remove all filt When searching for observables, Sekoia.io will investigate the field `x_inthreat_short_display`, a custom attribute that is equal to the main value of the observable (`value` for IP, `name` for organizations, ...). -If the search is a hash, the search engine will consider the number of characters and look for the right hashes. +If the search is a hash, the search engine will consider the number of characters and look for the right hashes. | Type of Hash | Characters | | --- | --- | @@ -220,9 +220,9 @@ If the search is an IP CIDR, the search engine will look for the IPs contained i ### Known and unknown observables -If you paste a list of observables in the search bar, chances are Sekoia.io will recognize some of them, but some may be unknown. +If you paste a list of observables in the search bar, chances are Sekoia.io will recognize some of them, but some may be unknown. -To differentiate between the two, a tab with `Known` and `Unknown` helps understand which observables are in the database and which ones are not. +To differentiate between the two, a tab with `Known` and `Unknown` helps understand which observables are in the database and which ones are not. ### Filters @@ -234,13 +234,12 @@ To differentiate between the two, a tab with `Known` and `Unknown` helps underst ### Bulk actions -When you have a list of observables in your search results, you can select two or more of them by ticking the checkbox on the left of the value. Once selected, you can copy their values using the `copy` button that appears on top of the table. +When you have a list of observables in your search results, you can select two or more of them by ticking the checkbox on the left of the value. Once selected, you can copy their values using the `copy` button that appears on top of the table. -### Tags on observables +### Tags on observables The validity of observables is determined by our analysts and indicated by a specific date (valid from, valid until). You can locate this date in the .json file associated with the observable, as well as on the observable's detailed page. When an observable is accompanied by a **blue tag**, it means that the observable is currently valid. On the other hand, if an observable is marked with an **orange tag**, it means that the validity date has passed, rendering the observable invalid. - diff --git a/_shared_content/intelligence_center/consume/telemetry.md b/_shared_content/intelligence_center/consume/telemetry.md index 06ba3c8c0f..f5ff656df9 100644 --- a/_shared_content/intelligence_center/consume/telemetry.md +++ b/_shared_content/intelligence_center/consume/telemetry.md @@ -87,7 +87,7 @@ The telemetry data provides a valuable resource to scrutinize the observable's h In this case, the telemetry heatmap serves as a dynamic timeline, allowing security analysts to efficiently assess the observable's credibility. -Since you can import external IOCs to the platform by using the [IOC collections](/xdr/features/detect/ioccollections) feature, it's possible to generate a `telemetry report` to help verify the viability of the imported IOCs. +Since you can import external IOCs to the platform by using the [IOC collections](/xdr/features/detect/ioccollections.md) feature, it's possible to generate a `telemetry report` to help verify the viability of the imported IOCs. !!! Warning The generated telemetry report contains the associated observable telemetry, not the threat telemetry. This telemetry is calculated based on the occurence of a value, not a threat ID. diff --git a/_shared_content/intelligence_center/integrations/api.md b/_shared_content/intelligence_center/integrations/api.md index a85c11480f..a1e6b483fc 100644 --- a/_shared_content/intelligence_center/integrations/api.md +++ b/_shared_content/intelligence_center/integrations/api.md @@ -37,7 +37,7 @@ The easiest way to create feed configurations is to use the Intelligence Center ![Sekoia.io Intelligence Center Feeds](/assets/intelligence_center/feeds.png){: style="width: 100%; max-width: 100%"} -If you would prefer creating the feed with the API, you can use the [feeds](/cti/develop/rest_api/intelligence/#operation/post_feeds_resource) endpoint. +If you would prefer creating the feed with the API, you can use the `POST v2/inthreat/feeds` endpoint. The result should contain the feed `id` that may be used to consume the feed. @@ -169,7 +169,7 @@ For relationships, use the `GET v2/inthreat/relationships/{relationship_id}` end ## Looking for an IOC -It is possible to look for a specific indicator of compromise in the Intelligence Center and get its context with the `GET v2/inthreat/indicators/context` endpoint (see [documentation](/cti/develop/rest_api/intelligence/#tag/Indicators/operation/get_indicator_context_resource)). +It is possible to look for a specific indicator of compromise in the Intelligence Center and get its context with the `GET v2/inthreat/indicators/context` endpoint. ```python diff --git a/_shared_content/intelligence_center/integrations/misp.md b/_shared_content/intelligence_center/integrations/misp.md index ac1075d1c7..79f3f12f39 100644 --- a/_shared_content/intelligence_center/integrations/misp.md +++ b/_shared_content/intelligence_center/integrations/misp.md @@ -4,7 +4,7 @@ The default feed is available as a MISP feed. It can be added to an existing MISP instance by following [MISP's documentation](https://www.circl.lu/doc/misp/managing-feeds/). -To fetch Sekoia.io’s MISP feed, you’ll have to generate an API key with the `INTHREAT_READ_OBJECTS` permission. Please read the “[Generate API keys](../../../../getting_started/manage_api_keys)“ page to understand how to create a new API key with the proper permissions. +To fetch Sekoia.io’s MISP feed, you’ll have to generate an API key with the `INTHREAT_READ_OBJECTS` permission. Please read the “[Generate API keys](/getting_started/manage_api_keys.md)“ page to understand how to create a new API key with the proper permissions. The following field values are required for the feed to work properly: diff --git a/_shared_content/intelligence_center/integrations/splunk.md b/_shared_content/intelligence_center/integrations/splunk.md index de143c2692..a5e1bb737e 100644 --- a/_shared_content/intelligence_center/integrations/splunk.md +++ b/_shared_content/intelligence_center/integrations/splunk.md @@ -1,12 +1,12 @@ # External Integrations: Splunk Sekoia is providing an application for Splunk to detect threats in your logs based on Sekoia.io CTI feed. - + ## Prerequisites - An operational Splunk instance with administrator privileges (**Enterprise** for OnPrem or **Cloud** for the SaaS version) - An active Sekoia.io license with access to the CTI -- An access to Sekoia.io User Center with the role that contains the permission to [create an API key](https://docs.sekoia.io/getting_started/manage_api_keys/) (e.g. Built-in [Analyst Role](https://docs.sekoia.io/getting_started/roles/#functionality-of-built-in-roles) or create a custom role with [ic_viewer permissions](https://docs.sekoia.io/getting_started/roles/#legacy-roles) +- An access to Sekoia.io User Center with the role that contains the permission to [create an API key](/getting_started/manage_api_keys.md) (e.g. Built-in [Analyst Role](/getting_started/roles.md#functionality-of-built-in-roles) or create a custom role with [ic_viewer permissions](/getting_started/roles.md#legacy-roles) !!!note This following guide is for Splunk solutions (**Enterprise** (OnPrem) or Splunk **Cloud** (Cloud)). @@ -18,7 +18,7 @@ Sekoia is providing an application for Splunk to detect threats in your logs bas !!!note For Cloud version, only the next step is required - + 2. Enter your login and password of your Splunk Enterprise instance ![Splunk-Login](/assets/intelligence_center/Splunk/Splunk-Login.png){: style="width: 60%; max-width: 60%"} @@ -26,10 +26,10 @@ Sekoia is providing an application for Splunk to detect threats in your logs bas 1. Go to Application Setup Page by clicking on `Apps` > `Find more Apps` ![Splunk_Applications_access](/assets/intelligence_center/Splunk/Splunk_Applications_access.png){: style="width: 40%; max-width: 40%"} - + 2. Search for `Sekoia.io` application and install it ![Splunk-Sekoia_in_App](/assets/intelligence_center/Splunk/Splunk-Sekoia_in_App.png) - + 3. Configure your Sekoia application for Splunk by completing fields ![Splunk-Sekoia_API_key_in_Sekoia_application](/assets/intelligence_center/Splunk/Splunk-Sekoia_API_key_in_Sekoia_application.png) @@ -63,11 +63,11 @@ In the following section, here are the Sekoia IOC types available in Splunk: ` (`` is to be replaced by the **Sekoia IOCs types** listed [above](#sourcetype)). When installing Sekoia application for Splunk, a message will be displayed requesting to configure the lookup table. @@ -119,4 +119,4 @@ Search in the Internal logs for errors. Please consult [Splunk documentation](ht [https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/InstallSplunk](https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/InstallSplunk) -[https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/NavigatingSplunk](https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/NavigatingSplunk) +[https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/NavigatingSplunk](https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchTutorial/NavigatingSplunk) diff --git a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md index c7511a24b0..8052deffd3 100644 --- a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md +++ b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "gke_container_runtime2.json" diff --git a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md index 0cb5b1af08..bce1fca6ea 100644 --- a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md +++ b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md @@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "auth-action-changed-login-id-to.json" diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 2ab2186c72..58e8a7b9ea 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_aaatm.json" diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md index a9490b2ac0..83f07be6cb 100644 --- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "amsi_detected_harmful_content.json" diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md index 086d07efa1..98aba189bf 100644 --- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md +++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_journal.json" diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index ad6946d884..8dc3e4606b 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_admin_sample1.json" @@ -987,6 +987,51 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_vault_service.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", + "event": { + "action": "view_cross_matter_litigation_hold_report", + "dataset": "admin#reports#activity", + "type": [ + "access" + ] + }, + "@timestamp": "2024-10-24T12:15:09.887000Z", + "cloud": { + "account": { + "id": "C020000000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.cloud" + } + } + }, + "network": { + "application": "vault" + }, + "related": { + "user": [ + "joe.done" + ] + }, + "user": { + "domain": "test.cloud", + "email": "joe.done@test.cloud", + "id": "10055276727227777777777", + "name": "joe.done" + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md index 87d34bd726..7b964ab560 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md @@ -1302,3 +1302,32 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_vault_service" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-10-24T12:15:09.887Z", + "uniqueQualifier": "38392508037850000000", + "applicationName": "vault", + "customerId": "C020000000" + }, + "etag": "\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\"", + "actor": { + "callerType": "USER", + "email": "joe.done@test.cloud", + "profileId": "10055276727227777777777" + }, + "events": [ + { + "type": "user_action", + "name": "view_cross_matter_litigation_hold_report" + } + ] + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 2f00c14e9b..4dacb4fa88 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -43,7 +43,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_additional_fields_error1.json" @@ -597,6 +597,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "type": "Run" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "report": { "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" } @@ -757,6 +763,61 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_deivce_events_2.json" + + ```json + + { + "message": "{\"time\": \"2024-10-22T15:10:29.9681180Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:20.5220737Z\", \"properties\": {\"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 65306, \"InitiatingProcessId\": 417271, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:08.62407Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:08.851712Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:08.851712Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0" + }, + "type": "ScriptContent" + }, + "file": { + "hash": { + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + }, + "host": { + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "65306" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + } + } + + ``` + + === "test_detection_source.json" ```json @@ -856,22 +917,35 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", "parent": { - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" - } + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" }, "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], "ip": [ "1.2.3.4", "5.6.7.8" @@ -1600,11 +1674,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "process": { - "parent": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" - } + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" } } } @@ -1688,32 +1760,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "subject_name": "OsVendor" }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", "hash": { - "md5": "17bd5d291205f95eb9ede9e75d5641d7", - "sha1": "81ea1283c9c328fef3ea93e92dc827f1280b32aa", - "sha256": "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf" + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" }, - "name": "MpCmdRun.exe", + "name": "MsMpEng.exe", "parent": { - "command_line": "\"MsMpEng.exe\"", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "name": "MsMpEng.exe", - "pid": 5456, - "start": "2023-01-03T08:51:29.269279Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "name": "services.exe", + "pid": 1032, + "start": "2023-01-03T08:51:26.740241Z" }, "pid": 37788, - "start": "2023-01-04T14:15:10.355033Z" + "start": "2023-01-04T14:15:10.355033Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "related": { "hash": [ "17bd5d291205f95eb9ede9e75d5641d7", + "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e", + "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "5d5608654828cf052ba013b3c37cbb61", "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf", "81ea1283c9c328fef3ea93e92dc827f1280b32aa" ], @@ -1730,6 +1803,91 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_device_process_events_2.json" + + ```json + + { + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "process" + ], + "dataset": "device_process_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:44.594155Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0", + "LogonId": "0" + }, + "type": "ProcessCreated" + }, + "file": { + "directory": "/usr/bin/ps", + "hash": { + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "name": "ps", + "size": 144632 + }, + "host": { + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "67417" + } + } + }, + "process": { + "args": [ + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" + ], + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "parent": { + "pid": 0 + }, + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "user": { + "domain": "computer", + "name": "root" + } + }, + "related": { + "hash": [ + "098f6bcd4621d373cade4e832627b4f6", + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" + ], + "user": [ + "root" + ] + }, + "user": { + "domain": "computer", + "name": "root" + } + } + + ``` + + === "test_device_registry_events.json" ```json @@ -1816,6 +1974,61 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_devices_events_script_content.json" + + ```json + + { + "message": "{\"time\": \"2024-10-22T15:10:32.7309209Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:55.6358865Z\", \"properties\": {\"DeviceId\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 67420, \"InitiatingProcessId\": 423638, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:47.165481Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:47.246794Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:47.246794Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0" + }, + "type": "ScriptContent" + }, + "file": { + "hash": { + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + }, + "host": { + "id": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "67420" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 423638, + "start": "2024-10-22T15:09:47.165481Z" + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + } + } + + ``` + + === "test_email_attachment_info.json" ```json @@ -2888,20 +3101,35 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", "parent": { - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" - } + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ] } } @@ -2964,32 +3192,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "subject_name": "Unknown" }, "command_line": "grep -F smtpd_tls_protocols\\commandtest", - "executable": "/usr/bin/grep", + "executable": "/usr/test/platform-python3.6", "hash": { - "md5": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", - "sha1": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", - "sha256": "8def33333333643356354032379388263138839b9503f269f82e978413d669a0" + "md5": "eeeee2999444ddaaaaa08598b06eafe7", + "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6", + "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565" }, - "name": "grep", + "name": "platform-python3.6", "parent": { - "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", - "executable": "/usr/test/platform-python3.6", "name": "platform-python3.6", - "pid": 408996, - "start": "2024-09-24T14:18:11.850000Z", - "user": { - "domain": "testdomain", - "name": "testaccount" - }, - "working_directory": "/usr/test" + "pid": 408229, + "start": "2024-09-24T14:17:34.790000Z" }, "pid": 408996, - "start": "2024-09-24T14:18:11.864114Z" + "start": "2024-09-24T14:18:11.864114Z", + "user": { + "domain": "testdomain", + "name": "testaccount" + }, + "working_directory": "/usr/test" }, "related": { "hash": [ + "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565", "8def33333333643356354032379388263138839b9503f269f82e978413d669a0", - "ff000000000aaaaaaaaaffb100000c0fb25ccccc6" + "eeeee2999444ddaaaaa08598b06eafe7", + "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", + "ff77777000aaaaaaaaaffb100000c0fb25ccccc6" ], "user": [ "testaccount" @@ -3237,6 +3466,7 @@ The following table lists the fields that are extracted, normalized under the EC |`microsoft.defender.observer.interface.networks` | `keyword` | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | |`microsoft.defender.observer.interface.status` | `keyword` | Operational status of the network adapter. For the possible values, refer to this enumeration | |`microsoft.defender.observer.interface.type` | `keyword` | Network adapter type. For the possible values, refer to this enumeration | +|`microsoft.defender.operation.properties` | `object` | Additional properties of the operation | |`microsoft.defender.report.id` | `keyword` | Unique identifier for the event | |`microsoft.defender.threat.category` | `keyword` | Type of threat indicator or breach activity identified by the alert | |`microsoft.defender.threat.detection` | `keyword` | Methods used to detect malware, phishing, or other threats found in the email | @@ -3254,16 +3484,9 @@ The following table lists the fields that are extracted, normalized under the EC |`process.hash.sha1` | `keyword` | SHA1 hash. | |`process.hash.sha256` | `keyword` | SHA256 hash. | |`process.name` | `keyword` | Process name. | -|`process.parent.command_line` | `wildcard` | Full command line that started the process. | -|`process.parent.executable` | `keyword` | Absolute path to the process executable. | |`process.parent.name` | `keyword` | Process name. | |`process.parent.pid` | `long` | Process id. | |`process.parent.start` | `date` | The time the process started. | -|`process.parent.user.domain` | `keyword` | Domain of the account that ran the parent process responsible for the event | -|`process.parent.user.email` | `keyword` | User principal name (UPN) of the account that ran the parent process responsible for the event | -|`process.parent.user.id` | `keyword` | Security Identifier (SID) of the account that ran the parent process responsible for the event | -|`process.parent.user.name` | `keyword` | User name of the account that ran the parent process responsible for the event | -|`process.parent.working_directory` | `keyword` | The working directory of the process. | |`process.pid` | `long` | Process id. | |`process.start` | `date` | The time the process started. | |`process.user.domain` | `keyword` | Domain of the account that ran the process responsible for the event | diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md index ae3acc2e27..ec7685a3fc 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md @@ -748,6 +748,89 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_deivce_events_2" + + + ```json + { + "time": "2024-10-22T15:10:29.9681180Z", + "tenantId": "793abec2-9e48-4d04-b341-59b054c49348", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2024-10-22T15:09:20.5220737Z", + "properties": { + "DeviceId": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "DeviceName": "computer.intranet.example", + "ReportId": 65306, + "InitiatingProcessId": 417271, + "InitiatingProcessCreationTime": "2024-10-22T15:09:08.62407Z", + "InitiatingProcessCommandLine": null, + "InitiatingProcessParentFileName": null, + "InitiatingProcessParentId": 0, + "InitiatingProcessParentCreationTime": null, + "InitiatingProcessSHA1": null, + "InitiatingProcessMD5": null, + "InitiatingProcessFileName": null, + "InitiatingProcessFolderPath": null, + "InitiatingProcessAccountName": null, + "InitiatingProcessAccountDomain": null, + "SHA1": null, + "MD5": null, + "FileName": null, + "FolderPath": null, + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": "{\"ScriptContent\":\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\"log4j,LOG4J,spring-core\\\" --filter-command \\\"java,javaw\\\" --manifest-path \\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\"log4j,LOG4J,spring-core\\\" --filter-command \\\"java,javaw\\\" --manifest-path \\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\n\\nfrom genericpath import isdir\\nimport os\\nimport re\\nimport sys\\nimport json\\nfrom datetime import datetime as dt\\nimport zipfile\\nimport string\\nimport argparse\\nimport traceback\\nimport functools\\nimport itertools\\nimport subprocess as sb\\n\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\nMANIFEST_OLD_PATH = \\\"META-INF/MANIFEST.MF\\\"\\n\\ndef take(n, l):\\n for i, item in enumerate(l):\\n if i > n:\\n break\\n yield item\\n\\nclass Jar:\\n def __init__(self, path):\\n self.path = path\\n self._manifest = {}\\n self._dirlist = []\\n\\n def _parse_manifest(self, lines):\\n version_indication = \\\"version=\\\"\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\n\\n if len(version_lines) > 0:\\n version = version_lines[0][len(version_indication):]\\n yield 'Version', version.strip()\\n\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\n for line in lines:\\n if any(line.startswith(field_name) for field_name in field_names):\\n key, value = line.split(':')\\n yield key.strip(), value.strip()\\n\\n def _open(self):\\n if not zipfile.is_zipfile(self.path):\\n raise ValueError(\\\"path is not a zip file: {}\\\".format(self.path))\\n return zipfile.ZipFile(self.path)\\n\\n def _read_dirlist(self):\\n with self._open() as zf:\\n filenames = dict(p for p in zf.namelist())\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\n\\n\\n\\n def _get_manifest_path(self, zf):\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\n if path in zf.namelist():\\n return path\\n\\n def _read_manifest(self, throw_on_error=False):\\n try:\\n with self._open() as zf:\\n manifest_path = self._get_manifest_path(zf)\\n if not manifest_path:\\n # Not found manifest file\\n return {}\\n\\n manifest_info = zf.getinfo(manifest_path)\\n if manifest_info.file_size > MAX_FILE_SIZE:\\n raise IOError(\\\"manifest file is too big\\\")\\n\\n with zf.open(manifest_path) as f:\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\n manifest = self._parse_manifest(manifest_lines)\\n return dict((k, v) for k, v in manifest\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\n except:\\n sys.stderr.write(\\\"error while reading manifest of '{}': {}\\\\n\\\".format(self.path, traceback.format_exc()))\\n\\n if throw_on_error:\\n raise\\n\\n return {}\\n\\n def manifest(self, throw_on_error=False):\\n if not self._manifest:\\n self._manifest = self._read_manifest(throw_on_error)\\n return self._\"}", + "InitiatingProcessAccountSid": null, + "AppGuardContainerId": null, + "InitiatingProcessSHA256": null, + "SHA256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "ScriptContent", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": 0, + "AccountSid": null, + "RemoteDeviceName": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + "RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": null, + "InitiatingProcessAccountObjectId": null, + "FileSize": null, + "InitiatingProcessFileSize": null, + "InitiatingProcessVersionInfoCompanyName": null, + "InitiatingProcessVersionInfoProductName": null, + "InitiatingProcessVersionInfoProductVersion": null, + "InitiatingProcessVersionInfoInternalFileName": null, + "InitiatingProcessVersionInfoOriginalFileName": null, + "InitiatingProcessVersionInfoFileDescription": null, + "InitiatingProcessSessionId": null, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-10-22T15:09:08.851712Z", + "MachineGroup": "Linux Servers - remediate threats automatically" + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_detection_source" @@ -1469,6 +1552,91 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_device_process_events_2" + + + ```json + { + "time": "2024-10-22T15:10:39.1954172Z", + "tenantId": "793abec2-9e48-4d04-b341-59b054c49348", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceProcessEvents", + "_TimeReceivedBySvc": "2024-10-22T15:10:13.8421815Z", + "properties": { + "InitiatingProcessSHA1": null, + "InitiatingProcessFileSize": null, + "InitiatingProcessMD5": null, + "InitiatingProcessFileName": "", + "InitiatingProcessParentFileName": "", + "InitiatingProcessFolderPath": null, + "InitiatingProcessCommandLine": "", + "SHA1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "FileSize": 144632, + "MD5": "098f6bcd4621d373cade4e832627b4f6", + "FolderPath": "/usr/bin/ps", + "ProcessCommandLine": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "FileName": "ps", + "ProcessId": 423627, + "InitiatingProcessId": 423627, + "ProcessCreationTime": "2024-10-22T15:09:44.594155Z", + "DeviceName": "computer.intranet.example", + "DeviceId": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "InitiatingProcessCreationTime": "2024-10-22T15:09:44.59Z", + "InitiatingProcessAccountName": "root", + "InitiatingProcessAccountDomain": "computer", + "InitiatingProcessAccountSid": null, + "InitiatingProcessSignatureStatus": "Unknown", + "InitiatingProcessSignerType": "Unknown", + "InitiatingProcessParentId": 0, + "ReportId": 67417, + "InitiatingProcessParentCreationTime": null, + "InitiatingProcessTokenElevation": "None", + "InitiatingProcessIntegrityLevel": null, + "AccountDomain": "computer", + "AccountName": "root", + "ProcessTokenElevation": "None", + "ProcessIntegrityLevel": null, + "AccountSid": null, + "AppGuardContainerId": null, + "SHA256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "InitiatingProcessSHA256": null, + "InitiatingProcessLogonId": 0, + "LogonId": 0, + "InitiatingProcessAccountUpn": null, + "InitiatingProcessAccountObjectId": null, + "AccountUpn": null, + "AccountObjectId": null, + "AdditionalFields": "{\"InitiatingProcessPosixEffectiveUser\":{\"Name\":\"root\",\"DomainName\":\"computer\",\"LogonId\":0,\"PosixUserId\":0,\"PrimaryPosixGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591}},\"InitiatingProcessPosixEffectiveGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591},\"InitiatingProcessPosixProcessGroupId\":423627,\"InitiatingProcessPosixSessionId\":180264,\"InitiatingProcessCurrentWorkingDirectory\":\"/opt/microsoft/mdatp/sbin\",\"InitiatingProcessPosixRealUser\":{\"Name\":\"root\",\"DomainName\":\"computer\",\"LogonId\":0,\"PosixUserId\":0,\"PrimaryPosixGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591}},\"ProcessPosixEffectiveUser\":{\"Name\":\"root\",\"DomainName\":\"computer\",\"LogonId\":0,\"PosixUserId\":0,\"PrimaryPosixGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591}},\"ProcessPosixEffectiveGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591},\"ProcessPosixProcessGroupId\":423627,\"ProcessPosixSessionId\":180264,\"ProcessCurrentWorkingDirectory\":\"/opt/microsoft/mdatp/sbin\",\"ProcessPosixFilePermissions\":[\"OthersExecute\",\"OthersRead\",\"GroupExecute\",\"GroupRead\",\"UserExecute\",\"UserWrite\",\"UserRead\",\"UserAll\"],\"ProcessPosixFileUserOwner\":{\"Name\":\"root\",\"DomainName\":\"computer\",\"LogonId\":0,\"PosixUserId\":0,\"PrimaryPosixGroup\":{\"Name\":\"mdatp\",\"PosixGroupId\":591}},\"ProcessPosixFileGroupOwner\":{\"Name\":\"root\",\"PosixGroupId\":0}}", + "InitiatingProcessVersionInfoCompanyName": null, + "InitiatingProcessVersionInfoProductName": null, + "InitiatingProcessVersionInfoProductVersion": null, + "InitiatingProcessVersionInfoInternalFileName": null, + "InitiatingProcessVersionInfoOriginalFileName": null, + "InitiatingProcessVersionInfoFileDescription": null, + "ProcessVersionInfoCompanyName": null, + "ProcessVersionInfoProductName": null, + "ProcessVersionInfoProductVersion": null, + "ProcessVersionInfoInternalFileName": null, + "ProcessVersionInfoOriginalFileName": null, + "ProcessVersionInfoFileDescription": null, + "InitiatingProcessSessionId": null, + "CreatedProcessSessionId": null, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "ActionType": "ProcessCreated", + "Timestamp": "2024-10-22T15:09:44.594155Z", + "MachineGroup": "Linux Servers - remediate threats automatically" + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_device_registry_events" @@ -1525,6 +1693,89 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_devices_events_script_content" + + + ```json + { + "time": "2024-10-22T15:10:32.7309209Z", + "tenantId": "793abec2-9e48-4d04-b341-59b054c49348", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2024-10-22T15:09:55.6358865Z", + "properties": { + "DeviceId": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "DeviceName": "computer.intranet.example", + "ReportId": 67420, + "InitiatingProcessId": 423638, + "InitiatingProcessCreationTime": "2024-10-22T15:09:47.165481Z", + "InitiatingProcessCommandLine": null, + "InitiatingProcessParentFileName": null, + "InitiatingProcessParentId": 0, + "InitiatingProcessParentCreationTime": null, + "InitiatingProcessSHA1": null, + "InitiatingProcessMD5": null, + "InitiatingProcessFileName": null, + "InitiatingProcessFolderPath": null, + "InitiatingProcessAccountName": null, + "InitiatingProcessAccountDomain": null, + "SHA1": null, + "MD5": null, + "FileName": null, + "FolderPath": null, + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": "{\"ScriptContent\":\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\"log4j,LOG4J,spring-core\\\" --filter-command \\\"java,javaw\\\" --manifest-path \\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\"log4j,LOG4J,spring-core\\\" --filter-command \\\"java,javaw\\\" --manifest-path \\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\n\\nfrom genericpath import isdir\\nimport os\\nimport re\\nimport sys\\nimport json\\nfrom datetime import datetime as dt\\nimport zipfile\\nimport string\\nimport argparse\\nimport traceback\\nimport functools\\nimport itertools\\nimport subprocess as sb\\n\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\nMANIFEST_OLD_PATH = \\\"META-INF/MANIFEST.MF\\\"\\n\\ndef take(n, l):\\n for i, item in enumerate(l):\\n if i > n:\\n break\\n yield item\\n\\nclass Jar:\\n def __init__(self, path):\\n self.path = path\\n self._manifest = {}\\n self._dirlist = []\\n\\n def _parse_manifest(self, lines):\\n version_indication = \\\"version=\\\"\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\n\\n if len(version_lines) > 0:\\n version = version_lines[0][len(version_indication):]\\n yield 'Version', version.strip()\\n\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\n for line in lines:\\n if any(line.startswith(field_name) for field_name in field_names):\\n key, value = line.split(':')\\n yield key.strip(), value.strip()\\n\\n def _open(self):\\n if not zipfile.is_zipfile(self.path):\\n raise ValueError(\\\"path is not a zip file: {}\\\".format(self.path))\\n return zipfile.ZipFile(self.path)\\n\\n def _read_dirlist(self):\\n with self._open() as zf:\\n filenames = dict(p for p in zf.namelist())\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\n\\n\\n\\n def _get_manifest_path(self, zf):\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\n if path in zf.namelist():\\n return path\\n\\n def _read_manifest(self, throw_on_error=False):\\n try:\\n with self._open() as zf:\\n manifest_path = self._get_manifest_path(zf)\\n if not manifest_path:\\n # Not found manifest file\\n return {}\\n\\n manifest_info = zf.getinfo(manifest_path)\\n if manifest_info.file_size > MAX_FILE_SIZE:\\n raise IOError(\\\"manifest file is too big\\\")\\n\\n with zf.open(manifest_path) as f:\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\n manifest = self._parse_manifest(manifest_lines)\\n return dict((k, v) for k, v in manifest\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\n except:\\n sys.stderr.write(\\\"error while reading manifest of '{}': {}\\\\n\\\".format(self.path, traceback.format_exc()))\\n\\n if throw_on_error:\\n raise\\n\\n return {}\\n\\n def manifest(self, throw_on_error=False):\\n if not self._manifest:\\n self._manifest = self._read_manifest(throw_on_error)\\n return self._\"}", + "InitiatingProcessAccountSid": null, + "AppGuardContainerId": null, + "InitiatingProcessSHA256": null, + "SHA256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "ScriptContent", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": 0, + "AccountSid": null, + "RemoteDeviceName": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + "RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": null, + "InitiatingProcessAccountObjectId": null, + "FileSize": null, + "InitiatingProcessFileSize": null, + "InitiatingProcessVersionInfoCompanyName": null, + "InitiatingProcessVersionInfoProductName": null, + "InitiatingProcessVersionInfoProductVersion": null, + "InitiatingProcessVersionInfoInternalFileName": null, + "InitiatingProcessVersionInfoOriginalFileName": null, + "InitiatingProcessVersionInfoFileDescription": null, + "InitiatingProcessSessionId": null, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-10-22T15:09:47.246794Z", + "MachineGroup": "Linux Servers - remediate threats automatically" + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_email_attachment_info" diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md index c5baf2fdfa..fd59ce12eb 100644 --- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md @@ -21,7 +21,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "connections_logs.json" diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md index 3e6a97fc33..d6b1939c78 100644 --- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md +++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "attack_discovery_detection_event.json" diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index fbb532cebf..932fa8fc80 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "accept.json" diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 1a4e8638b4..1c3b70a77d 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "activities.json" diff --git a/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md index e495a9142c..196e053a4f 100644 --- a/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md +++ b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_audit_events.json" diff --git a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md index ada69810ce..9e39cd40a8 100644 --- a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md +++ b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "http.json" diff --git a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md index c43b82f61c..509cba5b75 100644 --- a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md +++ b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "malop_connection.json" diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index 614e049ea4..4f19add9e6 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "telemetry_event.json" @@ -1165,6 +1165,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "111111111111111" }, "crowdstrike": { + "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { @@ -2395,6 +2396,7 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`agent.id` | `keyword` | Unique identifier of this agent. | |`agent.version` | `keyword` | Version of the agent. | +|`crowdstrike.base_filename` | `keyword` | Base Filename | |`crowdstrike.customer_id` | `keyword` | Customer ID (cid) | |`crowdstrike.gateway_ip` | `ip` | Gateway IP | |`crowdstrike.gateway_mac` | `keyword` | Gateway MAC | diff --git a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md deleted file mode 100644 index 6efe761e6e..0000000000 --- a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md +++ /dev/null @@ -1,430 +0,0 @@ - -### Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Authentication logs` | PAM authentication mechanism | -| `Process command-line parameters` | Common Linux processes (cron, ssh, sudo) | -| `Process use of network` | SSH and PAM daemon | - - - - - - - - -### Transformed Events Samples after Ingestion - -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. - -=== "auth_conversation_failed.json" - - ```json - - { - "message": "{ \"time\" : \"2019-07-02T13:45:50.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"err\",\"EventTime\" : \"2019-07-02T13:45:50+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): conversation failed\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:45:50Z\"},\"category\" : \"authpriv\",\"level\" : \"err\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "failure" - }, - "@timestamp": "2019-07-02T13:45:50Z", - "action": { - "name": "sudo:auth", - "outcome": "failure", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:auth): conversation failed" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "error" - }, - "os": { - "family": "linux", - "platform": "linux" - } - } - - ``` - - -=== "auth_no_identity.json" - - ```json - - { - "message": "{ \"time\" : \"2019-07-02T13:46:32.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"crit\",\"EventTime\" : \"2019-07-02T13:46:32+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): auth could not identify password for [omsagent]\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:32Z\"},\"category\" : \"authpriv\",\"level\" : \"crit\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "failure" - }, - "@timestamp": "2019-07-02T13:46:32Z", - "action": { - "name": "sudo:auth", - "outcome": "failure", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:auth): auth could not identify password for [omsagent]" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "critical" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "omsagent" - ] - }, - "user": { - "name": "omsagent" - } - } - - ``` - - -=== "cron_command1.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:50:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"21188\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD (/usr/lib64/sa/sa1 1 1)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:50:01Z", - "azure_linux": { - "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "/usr/lib64/sa/sa1 1 1", - "executable": "/usr/lib64/sa/sa1", - "parent": { - "pid": 21188 - } - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "cron_command2.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:29:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"16373\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:29:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD ([ -f /etc/krb5.keytab ] && [ \\\\( ! -f /etc/opt/omi/creds/omi.keytab \\\\) -o \\\\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\\\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:29:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:29:01Z", - "azure_linux": { - "message": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "[ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true", - "parent": { - "pid": 16373 - } - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "disconnected.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:50:51.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sshd\",\"pid\" : \"14020\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:51+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"Received disconnect from 185.122.161.248 port 39070:11: disconnected by user\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:51Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:50:51Z", - "azure_linux": { - "message": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "pid": 14020 - }, - "related": { - "ip": [ - "185.122.161.248" - ] - }, - "source": { - "address": "185.122.161.248", - "ip": "185.122.161.248", - "port": 39070 - } - } - - ``` - - -=== "omsagent_command.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:48:18.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-06-27T14:48:18+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:18Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:18Z", - "action": { - "outcome": "success" - }, - "azure_linux": { - "message": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", - "executable": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", - "working_directory": "/opt/microsoft/omsconfig/Scripts/2.6x-2.7x" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "omsagent_command2.json" - - ```json - - { - "message": "{ \"time\" : \"2019-07-02T13:46:15.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-07-02T13:46:15+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:15Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-07-02T13:46:15Z", - "action": { - "outcome": "success" - }, - "azure_linux": { - "message": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log", - "executable": "/bin/test", - "working_directory": "/" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "session_closed.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session closed for user root\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:28Z", - "action": { - "name": "sudo:session", - "outcome": "success", - "type": "close" - }, - "azure_linux": { - "message": "pam_unix(sudo:session): session closed for user root" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "session_opened.json" - - ```json - - { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session opened for user root by (uid=0)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:28Z", - "action": { - "name": "sudo:session", - "outcome": "success", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:session): session opened for user root by (uid=0)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } - - ``` - - -=== "systemd_session.json" - - ```json - - { - "message": "{ \"time\" : \"2019-07-02T14:15:01.0000000Z\",\"resourceId\": \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"systemd\",\"Ignore\" : \"syslog\",\"Facility\" : \"daemon\",\"Severity\" : \"info\",\"EventTime\" : \"2019-07-02T14:15:01+0000\",\"SendingHost\": \"localhost\",\"Msg\" : \"Started Session 13124 of user omsagent.\",\"hostname\": \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T14:15:01Z\"},\"category\" : \"daemon\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-07-02T14:15:01Z", - "action": { - "name": "systemd:session", - "outcome": "success", - "type": "open" - }, - "azure_linux": { - "message": "Started Session 13124 of user omsagent." - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "omsagent" - ] - }, - "user": { - "name": "omsagent" - } - } - - ``` - - - - - -### Extracted Fields - -The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. - -| Name | Type | Description | -| ---- | ---- | ---------------------------| -|`@timestamp` | `date` | Date/time when the event originated. | -|`azure_linux.message` | `keyword` | The linux message | -|`log.level` | `keyword` | Log level of the log event. | -|`process.command_line` | `wildcard` | Full command line that started the process. | -|`process.executable` | `keyword` | Absolute path to the process executable. | -|`process.parent.pid` | `long` | Process id. | -|`process.pid` | `long` | Process id. | -|`process.working_directory` | `keyword` | The working directory of the process. | -|`source.domain` | `keyword` | The domain name of the source. | -|`source.ip` | `ip` | IP address of the source. | -|`source.port` | `long` | Port of the source. | -|`user.name` | `keyword` | Short name or login of the user. | - - - -For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Azure/azure-linux). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688_sample.md b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688_sample.md deleted file mode 100644 index 367fd6e1c6..0000000000 --- a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688_sample.md +++ /dev/null @@ -1,269 +0,0 @@ - -### Raw Events Samples - -In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. - - -=== "auth_conversation_failed" - - - ```json - { - "time": "2019-07-02T13:45:50.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "err", - "EventTime": "2019-07-02T13:45:50+0000", - "SendingHost": "localhost", - "Msg": "pam_unix(sudo:auth): conversation failed", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-07-02T13:45:50Z" - }, - "category": "authpriv", - "level": "err", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "auth_no_identity" - - - ```json - { - "time": "2019-07-02T13:46:32.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "crit", - "EventTime": "2019-07-02T13:46:32+0000", - "SendingHost": "localhost", - "Msg": "pam_unix(sudo:auth): auth could not identify password for [omsagent]", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-07-02T13:46:32Z" - }, - "category": "authpriv", - "level": "crit", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "cron_command1" - - - ```json - { - "time": "2019-06-27T14:50:01.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "CROND", - "pid": "21188", - "Ignore": "syslog", - "Facility": "cron", - "Severity": "info", - "EventTime": "2019-06-27T14:50:01+0000", - "SendingHost": "localhost", - "Msg": "(root) CMD (/usr/lib64/sa/sa1 1 1)", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:50:01Z" - }, - "category": "cron", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "cron_command2" - - - ```json - { - "time": "2019-06-27T14:29:01.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "CROND", - "pid": "16373", - "Ignore": "syslog", - "Facility": "cron", - "Severity": "info", - "EventTime": "2019-06-27T14:29:01+0000", - "SendingHost": "localhost", - "Msg": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:29:01Z" - }, - "category": "cron", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "disconnected" - - - ```json - { - "time": "2019-06-27T14:50:51.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sshd", - "pid": "14020", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "info", - "EventTime": "2019-06-27T14:50:51+0000", - "SendingHost": "localhost", - "Msg": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:50:51Z" - }, - "category": "authpriv", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "omsagent_command" - - - ```json - { - "time": "2019-06-27T14:48:18.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "notice", - "EventTime": "2019-06-27T14:48:18+0000", - "SendingHost": "localhost", - "Msg": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:48:18Z" - }, - "category": "authpriv", - "level": "notice", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "omsagent_command2" - - - ```json - { - "time": "2019-07-02T13:46:15.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "notice", - "EventTime": "2019-07-02T13:46:15+0000", - "SendingHost": "localhost", - "Msg": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-07-02T13:46:15Z" - }, - "category": "authpriv", - "level": "notice", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "session_closed" - - - ```json - { - "time": "2019-06-27T14:48:28.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "info", - "EventTime": "2019-06-27T14:48:28+0000", - "SendingHost": "localhost", - "Msg": "pam_unix(sudo:session): session closed for user root", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:48:28Z" - }, - "category": "authpriv", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "session_opened" - - - ```json - { - "time": "2019-06-27T14:48:28.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "sudo", - "Ignore": "syslog", - "Facility": "authpriv", - "Severity": "info", - "EventTime": "2019-06-27T14:48:28+0000", - "SendingHost": "localhost", - "Msg": "pam_unix(sudo:session): session opened for user root by (uid=0)", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-06-27T14:48:28Z" - }, - "category": "authpriv", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - -=== "systemd_session" - - - ```json - { - "time": "2019-07-02T14:15:01.0000000Z", - "resourceId": "/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop", - "properties": { - "ident": "systemd", - "Ignore": "syslog", - "Facility": "daemon", - "Severity": "info", - "EventTime": "2019-07-02T14:15:01+0000", - "SendingHost": "localhost", - "Msg": "Started Session 13124 of user omsagent.", - "hostname": "LinuxRedhatDesktop", - "FluentdIngestTimestamp": "2019-07-02T14:15:01Z" - }, - "category": "daemon", - "level": "info", - "operationName": "LinuxSyslogEvent" - } - ``` - - - diff --git a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md index e965b436bb..779ee9073a 100644 --- a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md +++ b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "403.json" diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index bf6f51db78..84e1fe2e65 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "add_domain.json" diff --git a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md index 4b911c47b2..2219d98cfd 100644 --- a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md +++ b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md @@ -22,7 +22,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "cisco_esa_cef.json" diff --git a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md index ea5896cfbe..1855886ec6 100644 --- a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md +++ b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md index a0dbc0aa21..c1b8a78bb8 100644 --- a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md +++ b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_audit_admin_event.json" diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md index f3cba3c92f..b164ab5893 100644 --- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md +++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "attack.json" diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md index 4e80f00d88..4f810ff57e 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "auth_activity_audit.json" diff --git a/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md b/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md index 97ac9ab826..9eb204e9bf 100644 --- a/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md +++ b/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md @@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "file_opened.json" diff --git a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md index aa6412b3ff..e3e40af11b 100644 --- a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md +++ b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event1.json" diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index 23103d60b4..b7b6ce8c3b 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md @@ -30,7 +30,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "agent_log.json" diff --git a/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md b/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md index a638705a23..eca3619746 100644 --- a/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md +++ b/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_error.json" diff --git a/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md b/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md index 60c0612196..922a00f3c8 100644 --- a/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md +++ b/_shared_content/operations_center/integrations/generated/270777d7-0c5a-42fb-b901-b7fadfb0ba48.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "app-ctrl.json" diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md index 3df5c748bd..e9f6702a4e 100644 --- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md +++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11.md @@ -25,7 +25,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "Event_4719.json" diff --git a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md index 50243211e8..2887e1e9de 100644 --- a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md +++ b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md index 7051890eb7..806b333ea2 100644 --- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md +++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md @@ -31,7 +31,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "AUTH_CONNECTION_disconnected.json" diff --git a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md index 0348bae27d..0602219e33 100644 --- a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md +++ b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_bounced.json" diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md index de3d50124e..03bc4d75f8 100644 --- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md +++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_attachments_details.json" diff --git a/_shared_content/operations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md b/_shared_content/operations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md index 7a74f9805c..bcae5a2922 100644 --- a/_shared_content/operations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md +++ b/_shared_content/operations_center/integrations/generated/2f28e4f9-a4f3-40a6-9909-b69f3df32535.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "beacon_event.json" diff --git a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md index 7a7a85e8e0..0570c56bcc 100644 --- a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md +++ b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_alert_1.json" diff --git a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md index f0bfeb2b95..0967c7b489 100644 --- a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md +++ b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "denied_connection.json" diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md index 0f5dbe160f..f12c090350 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md +++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md @@ -30,7 +30,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "alert.json" diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 2421455e6a..09d78268e8 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "continue.json" diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md index 66e68bf6e7..7d0acfe367 100644 --- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md +++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_accept.json" diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 2c70e20aba..4e1878af87 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -39,7 +39,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "agentlog.json" @@ -722,6 +722,112 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "authentication_2.json" + + ```json + + { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": \"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": \"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2024-11-05T11:10:19.543000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "NTLM", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp", + "LogonType": "3", + "ProcessId": "0x0", + "SubjectLogonId": "0x0", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "EXAMPLE", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "TargetUserName": "johndoe", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "VirtualAccount": "%%1843", + "WorkstationName": "WORKSTATION_NAME" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "EXAMPLE", + "name": "EXAMPLE", + "os": { + "full": "Windows Server 2022 Datacenter", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "EXAMPLE" + }, + "organization": { + "id": "11111111111111111111" + }, + "related": { + "hosts": [ + "EXAMPLE" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "NtLmSsp" + } + }, + "client": { + "name": "WORKSTATION_NAME", + "os": { + "type": "windows" + } + }, + "server": { + "name": "EXAMPLE", + "os": { + "type": "windows" + } + } + }, + "server": { + "domain": "EXAMPLE" + }, + "user": { + "id": "S-1-0-0", + "target": { + "domain": "EXAMPLE", + "id": "S-1-5-21-11111111111-111111111111-11111111-111", + "name": "johndoe" + } + } + } + + ``` + + === "connectionlog.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md index 4df8241f9a..a74c24adfc 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md @@ -738,6 +738,86 @@ In this section, you will find examples of raw logs as generated natively by the +=== "authentication_2" + + + ```json + { + "event_data": { + "RestrictedAdminMode": "-", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetOutboundUserName": "-", + "ElevatedToken": "%%1843", + "VirtualAccount": "%%1843", + "ProcessId": "0x0", + "AuthenticationPackageName": "NTLM", + "LogonProcessName": "NtLmSsp", + "IpPort": "-", + "WorkstationName": "WORKSTATION_NAME", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "IpAddress": "-", + "TargetLinkedLogonId": "0x0", + "SubjectDomainName": "-", + "TargetOutboundDomainName": "-", + "ImpersonationLevel": "%%1833", + "SubjectLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "LogonType": "3", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "LmPackageName": "NTLM V2", + "TargetUserName": "johndoe", + "TransmittedServices": "-", + "TargetDomainName": "EXAMPLE", + "ProcessName": "-", + "KeyLength": "128" + }, + "groups": [], + "type": "wineventlog", + "computer_name": "example.local", + "destination": "syslog", + "record_number": 177355019, + "@Version": "1", + "log_name": "Security", + "@event_create_date": "2024-11-05T11:10:19.543Z", + "level": "log_always", + "timestamp": "2024-11-05T11:10:20.274688148Z", + "process_id": 704, + "user_data": {}, + "log_type": "eventlog", + "keywords": [ + "AuditSuccess", + "ReservedKeyword63" + ], + "user": { + "domain": "", + "identifier": "", + "name": "", + "type": "unknown" + }, + "tenant": "11111111111111111111", + "thread_id": 9168, + "agent": { + "dnsdomainname": "example.local", + "osproducttype": "Windows Server 2022 Datacenter", + "domain": null, + "osversion": "10.0.20348", + "ostype": "windows", + "distroid": null, + "domainname": "EXAMPLE", + "additional_info": {}, + "version": "4.1.6", + "hostname": "EXAMPLE", + "agentid": "555555555-9999-9999-9999-3e333333cccc" + }, + "event_id": 4624, + "provider_guid": "555555555-9999-9999-9999-3e333333cccc", + "source_name": "Microsoft-Windows-Security-Auditing" + } + ``` + + + === "connectionlog" diff --git a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md index d4f8565446..0349ddaeaf 100644 --- a/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md +++ b/_shared_content/operations_center/integrations/generated/3cedbe29-02f8-42bf-9ec2-0158186c2827.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "admin-initiator.json" diff --git a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md index 4347b82ee9..063ef5728a 100644 --- a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md +++ b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event_accesskey_apicall.json" diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md index 7b346bee09..9dfe74a51f 100644 --- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md +++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event_application_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md b/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md index edc48d5da1..051429b3ab 100644 --- a/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md +++ b/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "connect.json" diff --git a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md index 9005fec225..60c54071bb 100644 --- a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md +++ b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "mcafee_access_log_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index 3d2f093a22..75fc710646 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "commandscript.json" diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md index fa3dcc4928..edc0df111f 100644 --- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md +++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_activity_logs.json" diff --git a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md index f4c44ba0b6..82b547bda5 100644 --- a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md +++ b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "activity_log_archive_creation.json" diff --git a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md index 275b9fbe3b..d3fad8edd2 100644 --- a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md +++ b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "2sv_disable.json" diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md index 6a049492d4..1d00516dd9 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "alert_certificate.json" diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index a55c7471a3..1c8c7a3be3 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_106001.json" diff --git a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md index 097d0419db..137597c577 100644 --- a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md +++ b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "cato_sase_antimalware_events.json" diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index 3dad5fda80..4e25c06e05 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_click_permitted.json" diff --git a/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md index 3e05cd4fc6..a4f3e5ffba 100644 --- a/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md +++ b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event.json" diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index b7bda8c6c2..1cae34497f 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "Block1.json" diff --git a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md index 402f2642b3..97f6254b7c 100644 --- a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md +++ b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event.json" diff --git a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md index 3f73bda531..1e8b84e7e5 100644 --- a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md +++ b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_conf_events_1.json" diff --git a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md index 77147fa35d..e0ab3b7203 100644 --- a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md +++ b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event_user_exec_in_pod.json" diff --git a/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md index de8b80aad3..35268be10c 100644 --- a/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md +++ b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "accept_with_port.json" diff --git a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md index 3610d52910..fa98073eda 100644 --- a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md +++ b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "flow_logs_gke.json" diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md index e158d4f22e..bf1df69521 100644 --- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md +++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_admin_log.json" diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 63d95a0342..79dab108cc 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -21,7 +21,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "Configuration_changed.CEF.json" diff --git a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md index 8ed58fee42..4144d0185f 100644 --- a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md +++ b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event_1.json" diff --git a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md index d0b071a296..03d9f2fe44 100644 --- a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md +++ b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event_01.json" diff --git a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md index 7b953b1238..b9bb77ee4d 100644 --- a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md +++ b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_access.json" diff --git a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md index acaa7e89b4..b928779ed9 100644 --- a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md +++ b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_arp_src_ip.json" diff --git a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md index f1855bfff0..b68b3675d4 100644 --- a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md +++ b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md @@ -39,7 +39,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "tanium_file_open.json" diff --git a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md index 3b52e78f77..2505a6b1e0 100644 --- a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md +++ b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "1.json" diff --git a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md index 0d95f50dcd..13979b4aca 100644 --- a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md +++ b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md @@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test-umbrella-ip.json" diff --git a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md index 22eb0b2607..0329cc2c5a 100644 --- a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md +++ b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "domain.json" diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md index 0cbeca7da1..9bf5107432 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "encrypt.json" diff --git a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md index c703ec1d49..51244a437d 100644 --- a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md +++ b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md index 9999c6beda..411f1b78ca 100644 --- a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md +++ b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "sample.json" diff --git a/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md index 5618e9f5b2..40961355cf 100644 --- a/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md +++ b/_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "alg_session_closed.json" diff --git a/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md index 9702d2d7c6..80ed128678 100644 --- a/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md +++ b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_accesslog_1.json" diff --git a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md index 409d140e1b..6a0b016bad 100644 --- a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md +++ b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_accesslog.json" diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index 85b2c44a32..a53c2a6c83 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "cron.json" diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md index d5477ff794..6f165b698e 100644 --- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "access_combined.json" diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index e9c00bfc3b..e12f5dc9d0 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_access_event.json" diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md index 79fee844c5..3cf74d65ac 100644 --- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md +++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_lineproto_down.json" diff --git a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md index 5a4672e794..8ff1902db6 100644 --- a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md +++ b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "storage_delete.json" diff --git a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md index 8983c2d95a..bbf045ed4c 100644 --- a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md +++ b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_gateway_create.json" diff --git a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md index 20483a6a71..af230e2ad4 100644 --- a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md +++ b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "alarm1.json" diff --git a/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md b/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md index 5368c137f8..abd6ca16c0 100644 --- a/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md +++ b/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "dns.json" diff --git a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md index 0a860b452d..b065c3c3f7 100644 --- a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md +++ b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "host_checker_policy_failed.json" diff --git a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md index 6e1bfedf2a..b4eaa5bbbd 100644 --- a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md +++ b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_dns.json" diff --git a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md index 09e070e281..b87d50185d 100644 --- a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md +++ b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_email_event.json" @@ -112,6 +112,77 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_intrusion.json" + + ```json + + { + "message": "0|Varonis Inc.|DatAdvantage|8.6.32|5011|User locked out|3|rt=Oct 14 2024 11:33:57 cat=Alert cs2=Lockout: Multiple account lock-out events cs2Label=RuleName cn1=136 cn1Label=RuleID end=Oct 14 2024 11:33:51 duser=COMPANY.LOCAL\\John Doe dhost=Host filePath=COMPANY.LOCAL/Company/arborescence/John DOE fname=John DOE act=User locked out dvchost= dvc= outcome=Success msg= cs3= cs3Label=AttachmentName cs4=http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345 cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt=5 cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=Oct 14 2024 11:29:48 DescriptionRule=Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users. DescriptionAlert= RuleStoryline= Path=COMPANY.LOCAL/Company/arborescence/John DOE ActingObjectSAM=doe_j ActingObjectDomaineName=COMPANY.LOCAL AlertCategory=Intrusion AffectedObjectSAM=doe_j AffectedObjectDomain=COMPANY.LOCAL DestinationDip= DestinationDeviceName=", + "event": { + "action": "User locked out", + "category": [ + "intrusion_detection" + ], + "dataset": "Alert", + "end": "2024-10-14T11:33:51Z", + "kind": "alert", + "severity": 3, + "type": [ + "info" + ], + "url": "http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345" + }, + "@timestamp": "2024-10-14T11:29:48Z", + "destination": { + "user": { + "domain": "COMPANY.LOCAL", + "name": "doe_j" + } + }, + "file": { + "name": "John DOE", + "path": "COMPANY.LOCAL/Company/arborescence/John DOE" + }, + "host": { + "name": "Host" + }, + "observer": { + "product": "DatAdvantage", + "vendor": "Varonis Inc.", + "version": "8.6.32" + }, + "related": { + "user": [ + "John Doe", + "doe_j" + ] + }, + "rule": { + "description": "Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users.", + "id": "136", + "name": "Lockout: Multiple account lock-out events" + }, + "source": { + "user": { + "domain": "COMPANY.LOCAL", + "name": "doe_j" + } + }, + "user": { + "domain": "COMPANY.LOCAL", + "name": "John Doe" + }, + "varonis": { + "datalert": { + "num_events": 5, + "outcome": "Success" + } + } + } + + ``` + + === "test_network_alert.json" ```json @@ -139,7 +210,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "rule": { "description": "SomeRule", "id": "666", - "name": "Some rule description" + "name": "SomeRule" }, "varonis": { "datalert": { @@ -164,6 +235,9 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.user.domain` | `keyword` | Name of the directory the user is a member of. | +|`destination.user.name` | `keyword` | Short name or login of the user. | |`email.attachments` | `nested` | List of objects describing the attachments. | |`email.delivery_timestamp` | `date` | Date and time when message was delivered. | |`email.from.address` | `keyword` | The sender's email address. | @@ -188,13 +262,19 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.name` | `keyword` | Rule name | |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | +|`source.user.domain` | `keyword` | Name of the directory the user is a member of. | +|`source.user.name` | `keyword` | Short name or login of the user. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | +|`varonis.datalert.description` | `keyword` | The description of the triggered alert. | +|`varonis.datalert.destination.device` | `keyword` | The destination device name. | |`varonis.datalert.file.old_permission` | `keyword` | The permissions before the change. Data is not collected for all event types. | |`varonis.datalert.file.permission` | `keyword` | The permissions after the change. Data is not collected for all event types. | |`varonis.datalert.file.permissions_change` | `keyword` | The specified changes in permissions. Data is not collected for all event types. | |`varonis.datalert.id` | `keyword` | The ID of the triggered alert within DatAlert. | |`varonis.datalert.num_events` | `number` | The number of events which triggered the alert. | |`varonis.datalert.outcome` | `keyword` | Whether the event which triggered the alert succeeded or failed. | +|`varonis.datalert.rule.storyline` | `keyword` | The rule storyline of the triggered alert. | diff --git a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60_sample.md b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60_sample.md index d278055ac0..d68d2bf8d8 100644 --- a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60_sample.md +++ b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60_sample.md @@ -12,6 +12,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_intrusion" + + ``` + 0|Varonis Inc.|DatAdvantage|8.6.32|5011|User locked out|3|rt=Oct 14 2024 11:33:57 cat=Alert cs2=Lockout: Multiple account lock-out events cs2Label=RuleName cn1=136 cn1Label=RuleID end=Oct 14 2024 11:33:51 duser=COMPANY.LOCAL\John Doe dhost=Host filePath=COMPANY.LOCAL/Company/arborescence/John DOE fname=John DOE act=User locked out dvchost= dvc= outcome=Success msg= cs3= cs3Label=AttachmentName cs4=http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345 cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt=5 cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=Oct 14 2024 11:29:48 DescriptionRule=Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users. DescriptionAlert= RuleStoryline= Path=COMPANY.LOCAL/Company/arborescence/John DOE ActingObjectSAM=doe_j ActingObjectDomaineName=COMPANY.LOCAL AlertCategory=Intrusion AffectedObjectSAM=doe_j AffectedObjectDomain=COMPANY.LOCAL DestinationDip= DestinationDeviceName= + ``` + + + === "test_network_alert" ``` diff --git a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md index b03037f3ab..6537e3447f 100644 --- a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md +++ b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "access_accept_event.json" diff --git a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md index fd3c76928c..6b0049199f 100644 --- a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md +++ b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_block_user.json" diff --git a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md index 87d7983dff..7fe0fd7dea 100644 --- a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md +++ b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md index 205f3bec3f..369a8e8e7c 100644 --- a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md +++ b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "messagetrace.json" diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md index 8695c64480..fd2f84807f 100644 --- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md +++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_ingest_ipv4_carp_logs.json" diff --git a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md index 4e095dfce4..87d24cf2f9 100644 --- a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md +++ b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "query_log.json" diff --git a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md index 63afcd76dd..25d95e9e0c 100644 --- a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md +++ b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_alert_failed_auth.json" diff --git a/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md index 3eb572d38f..ee7d1034b9 100644 --- a/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md +++ b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_consolidated_network_port_scan.json" diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md index ecb78487e2..33840f93d2 100644 --- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md +++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_conf_events.json" diff --git a/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md index 21f3cedc2f..95a8744ec6 100644 --- a/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md +++ b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md index 80010f5bf5..8d2f0b0756 100644 --- a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md +++ b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_antivirus_alert.json" diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md index 4f98f8c835..a878d06419 100644 --- a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md +++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "breach_reported_event.json" diff --git a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md index 68410ee73e..3a39cac16a 100644 --- a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md +++ b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "DNS_Tunnel.json" diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 212dd5fd91..56f4ce7963 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "User_id_1_csv.json" @@ -1437,7 +1437,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", "EventID": "auth-success", - "Threat_ContentType": "auth" + "Threat_ContentType": "auth", + "authetification": { + "profile": "GP" + }, + "server": { + "profile": "LDAP" + }, + "vsys": "vsys123" }, "related": { "ip": [ @@ -1762,6 +1769,254 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_event_reason.json" + + ```json + + { + "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "User-ID server monitor test05(vsystest) Access denied", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-25T14:04:52.574000Z", + "action": { + "name": "connect-server-monitor-failure", + "type": "userid" + }, + "host": { + "name": "test05" + }, + "log": { + "hostname": "FFFFF01", + "level": "high", + "logger": "system" + }, + "observer": { + "name": "FFFFF01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "connect-server-monitor-failure", + "Threat_ContentType": "userid", + "vsys": "vsystest" + } + } + + ``` + + +=== "test_event_reason1.json" + + ```json + + { + "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-25T14:10:48.575000Z", + "action": { + "name": "connect-ldap-sever", + "type": "userid" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "log": { + "hostname": "FFFFFF01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FFFFFF01", + "product": "PAN-OS", + "serial_number": "024101010000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "connect-ldap-sever", + "Threat_ContentType": "userid" + }, + "related": { + "ip": [ + "0.0.1.1", + "5.6.7.8" + ] + }, + "source": { + "address": "0.0.1.1", + "ip": "0.0.1.1" + } + } + + ``` + + +=== "test_event_reason2.json" + + ```json + + { + "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8", + "type": [ + "start" + ] + }, + "@timestamp": "2024-10-22T06:54:17.012000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "log": { + "hostname": "FWPAN01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FFFF" + }, + "server": { + "profile": "SERVER_TEST" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "joe1595" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "joe1595" + } + } + + ``` + + +=== "test_event_reason3.json" + + ```json + + { + "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-10-22T07:29:30.605000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.4", + "ip": "1.7.4.4" + }, + "log": { + "hostname": "FFFF01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FFFF01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FFFF" + }, + "server": { + "profile": "server-test" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.2.7", + "1.7.4.4" + ], + "user": [ + "joe979" + ] + }, + "source": { + "address": "1.2.2.7", + "ip": "1.2.2.7" + }, + "user": { + "name": "joe979" + } + } + + ``` + + === "test_file_alert_json.json" ```json @@ -5233,16 +5488,19 @@ The following table lists the fields that are extracted, normalized under the EC |`paloalto.DirectionOfAttack` | `keyword` | Attack direction | |`paloalto.Threat_ContentType` | `keyword` | Type associated with the threat | |`paloalto.authentication.method` | `keyword` | The authentication method for the GlobalProtect connection | +|`paloalto.authetification.profile` | `keyword` | The authentication profile | |`paloalto.connection.method` | `keyword` | Identifies how the GlobalProtect app connected to the the Gateway | |`paloalto.connection.stage` | `keyword` | The stage of the GlobalProtect connection | |`paloalto.dns.category` | `keyword` | Classify DNS requests in terms of security or relevance | |`paloalto.endpoint.serial_number` | `keyword` | Unique device identifier | +|`paloalto.server.profile` | `keyword` | The server profile | |`paloalto.source.private.ip` | `keyword` | Private IP address | |`paloalto.source.region` | `keyword` | IP address range | |`paloalto.threat.category` | `keyword` | Threat Category | |`paloalto.threat.id` | `keyword` | The identifier of the threat | |`paloalto.threat.name` | `keyword` | The name of the threat | |`paloalto.threat.type` | `keyword` | The type of the threat | +|`paloalto.vsys` | `keyword` | The virtual system | |`rule.name` | `keyword` | Rule name | |`rule.uuid` | `keyword` | Rule UUID | |`source.bytes` | `long` | Bytes sent from the source to the destination. | diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md index 4ca1bda5f4..11d6261441 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md @@ -474,6 +474,42 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_event_reason" + + + ```json + 1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,"User-ID server monitor test05(vsystest) Access denied",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00 + ``` + + + +=== "test_event_reason1" + + + ```json + 1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00 + ``` + + + +=== "test_event_reason2" + + + ```json + 1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0 + ``` + + + +=== "test_event_reason3" + + + ```json + 1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00 + ``` + + + === "test_file_alert_json" diff --git a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md index c96eff10a7..0dbd9ed589 100644 --- a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md +++ b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "ack.json" diff --git a/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md index 3d0dc0e26e..94d48d795c 100644 --- a/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md +++ b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "action_log.json" diff --git a/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md index 6f58723739..fb5e199071 100644 --- a/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md +++ b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_sample.json" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 37f2642a8d..b6d8df0b01 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -30,7 +30,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "Event_1117.json" @@ -2713,6 +2713,77 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "defender_1120.json" + + ```json + + { + "message": "{\"EventTime\": \"2024-08-13 00:27:56\",\"Hostname\": \"host\",\"Keywords\": -9223372036854775808,\"EventType\": \"INFO\",\"SeverityValue\": 2,\"Severity\": \"INFO\",\"EventID\": 1120,\"SourceName\": \"Microsoft-Windows-Windows Defender\",\"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\": 0,\"Task\": 0,\"OpcodeValue\": 0,\"RecordNumber\": 6255,\"ActivityID\": \"{12345678-ABCD-1234-EF01-123456ABCDEF}\",\"ProcessID\": 5864,\"ThreadID\": 11064,\"Channel\": \"Microsoft-Windows-Windows Defender/Operational\",\"Domain\": \"NT AUTHORITY\",\"AccountName\": \"SYSTEM\",\"UserID\": \"S-1-2-3\",\"AccountType\": \"User\",\"Product Name\": \"Microsoft Defender Antivirus\",\"Product Version\": \"4.18.24060.7\",\"Threat resource path\": \"C:\\\\Users\\\\JOHNDOE\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_010213\",\"Hashes\": \"SHA1:ea2d464a69fd953a98decd2f9c0189d682c54169;\",\"EventReceivedTime\": \"2024-08-13 00:51:17\",\"SourceModuleName\": \"in\",\"SourceModuleType\": \"im_msvistalog\"}", + "event": { + "code": "1120", + "provider": "Microsoft-Windows-Windows Defender" + }, + "action": { + "id": 1120, + "name": "Microsoft Defender Antivirus deduced the hashes for a threat resource.", + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "INFO", + "Keywords": "-9223372036854775808", + "OpcodeValue": 0, + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Windows Defender", + "Task": 0 + }, + "record_id": 6255, + "type": "Microsoft-Windows-Windows Defender/Operational" + }, + "host": { + "hostname": "host", + "name": "host" + }, + "log": { + "hostname": "host", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "hash": { + "sha1": "ea2d464a69fd953a98decd2f9c0189d682c54169" + }, + "id": 5864, + "pid": 5864, + "thread": { + "id": 11064 + } + }, + "related": { + "hash": [ + "ea2d464a69fd953a98decd2f9c0189d682c54169" + ], + "hosts": [ + "host" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-2-3", + "name": "SYSTEM" + } + } + + ``` + + === "defender_1151.json" ```json @@ -3269,6 +3340,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "family": "windows", "platform": "windows" }, + "package": { + "description": "LAN Manager package", + "name": "NTLM", + "version": "V2" + }, "process": { "id": 744, "pid": 744, @@ -8058,6 +8134,9 @@ The following table lists the fields that are extracted, normalized under the EC |`log.level` | `keyword` | Log level of the log event. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | +|`package.description` | `keyword` | Description of the package. | +|`package.name` | `keyword` | Package name | +|`package.version` | `keyword` | Package version | |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.executable` | `keyword` | Absolute path to the process executable. | |`process.hash.imphash` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md index 80c396ed19..eda91ef2d8 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md @@ -1449,6 +1449,43 @@ In this section, you will find examples of raw logs as generated natively by the +=== "defender_1120" + + ``` + { + "EventTime": "2024-08-13 00:27:56", + "Hostname": "host", + "Keywords": -9223372036854775808, + "EventType": "INFO", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 1120, + "SourceName": "Microsoft-Windows-Windows Defender", + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Version": 0, + "Task": 0, + "OpcodeValue": 0, + "RecordNumber": 6255, + "ActivityID": "{12345678-ABCD-1234-EF01-123456ABCDEF}", + "ProcessID": 5864, + "ThreadID": 11064, + "Channel": "Microsoft-Windows-Windows Defender/Operational", + "Domain": "NT AUTHORITY", + "AccountName": "SYSTEM", + "UserID": "S-1-2-3", + "AccountType": "User", + "Product Name": "Microsoft Defender Antivirus", + "Product Version": "4.18.24060.7", + "Threat resource path": "C:\\Users\\JOHNDOE\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_010213", + "Hashes": "SHA1:ea2d464a69fd953a98decd2f9c0189d682c54169;", + "EventReceivedTime": "2024-08-13 00:51:17", + "SourceModuleName": "in", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "defender_1151" ``` diff --git a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md index 234b8b327d..84369f639c 100644 --- a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md +++ b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "affectedhost_event.json" diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index 17047fb24b..c01b893b79 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_aianalyst.json" @@ -107,6 +107,88 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_aianalyst_2.json" + + ```json + + { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}", + "event": { + "category": "threat", + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-27T10:02:28.884000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 93.67343783378601, + "attackPhases": [ + 3 + ], + "breachDevices": [ + { + "did": 3820, + "hostname": "SaaS::Zoom: john.doe@example.com", + "identifier": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "sid": -9, + "subnet": null + } + ], + "category": "critical", + "children": [ + "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b" + ], + "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "externalTriggered": false, + "groupCategory": "critical", + "groupScore": 21.063004966718992, + "groupingIds": [ + "3d2a2fc6" + ], + "mitreTactics": [ + "privilege-escalation" + ], + "periods": [ + { + "end": 1730023230000, + "start": 1730023230000 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use", + "pbid": 46769, + "threatScore": 63.0, + "timestamp": 1730023232000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "3820" + }, + "host": { + "id": "3820" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "user": { + "email": "john.doe@example.com" + } + } + + ``` + + === "test_aianalyst_without_log_type.json" ```json @@ -175,18 +257,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "2635" }, "host": { - "hostname": "SaaS::AzureActiveDirectory: test@test.fr", - "id": "2635", - "name": "SaaS::AzureActiveDirectory: test@test.fr" + "id": "2635" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" }, - "related": { - "hosts": [ - "SaaS::AzureActiveDirectory: test@test.fr" - ] + "user": { + "email": "test@test.fr" } } @@ -353,15 +431,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "host": { - "id": "16", - "ip": [] + "id": "16" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" - }, - "related": { - "ip": [] } } @@ -585,15 +659,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "host": { - "id": "16", - "ip": [] + "id": "16" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" - }, - "related": { - "ip": [] } } @@ -716,16 +786,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "host": { - "id": "6", - "ip": [] + "id": "6" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" }, - "related": { - "ip": [] - }, "service": { "name": "Slack" }, diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md index a5000939fd..60e0556f48 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188_sample.md @@ -198,6 +198,183 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_aianalyst_2" + + + ```json + { + "summariser": "SaasHijackSummary", + "acknowledged": false, + "pinned": false, + "createdAt": 1730023348884, + "attackPhases": [ + 3 + ], + "mitreTactics": [ + "privilege-escalation" + ], + "title": "Possible Hijack of Zoom Account", + "id": "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "children": [ + "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b" + ], + "category": "critical", + "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "groupCategory": "critical", + "groupScore": 21.063004966718992, + "groupPreviousGroups": [], + "activityId": "da39a3ee", + "groupingIds": [ + "3d2a2fc6" + ], + "groupByActivity": false, + "userTriggered": false, + "externalTriggered": false, + "aiaScore": 93.67343783378601, + "summary": "The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\n\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\n\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\n\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.", + "periods": [ + { + "start": 1730023230000, + "end": 1730023230000 + } + ], + "sender": null, + "breachDevices": [ + { + "identifier": "SaaS::Zoom: john.doe@example.com", + "hostname": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "subnet": null, + "did": 3820, + "sid": -9 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use", + "pbid": 46769, + "threatScore": 63.0, + "timestamp": 1730023232000 + } + ], + "details": [ + [ + { + "header": "SaaS User Details", + "contents": [ + { + "key": "SaaS account", + "type": "device", + "values": [ + { + "identifier": "SaaS::Zoom: john.doe@example.com", + "hostname": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "subnet": null, + "did": 3820, + "sid": -9 + } + ] + }, + { + "key": "Actor", + "type": "string", + "values": [ + "john.doe@example.com" + ] + } + ] + } + ], + [ + { + "header": "Agent Carrying out Suspicious Activity", + "contents": [ + { + "key": "Source IP", + "type": "externalHost", + "values": [ + { + "hostname": "1.2.3.4", + "ip": "1.2.3.4" + } + ] + }, + { + "key": "ASN", + "type": "string", + "values": [ + "AS2119 Telenor Norge AS" + ] + }, + { + "key": "City", + "type": "string", + "values": [ + "Stockholm" + ] + }, + { + "key": "Country", + "type": "string", + "values": [ + "Sweden" + ] + } + ] + }, + { + "header": "Summary of Activity", + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "start": 1730023230000, + "end": 1730023230000 + } + ] + }, + { + "key": "Suspicious properties", + "type": "string", + "values": [ + "Unusual time for activity", + "Unusual external source for activity" + ] + } + ] + }, + { + "header": "Activity Details", + "contents": [ + { + "key": "Event", + "type": "string", + "values": [ + "Sign in" + ] + }, + { + "key": "Number of events", + "type": "integer", + "values": [ + 1 + ] + } + ] + } + ] + ], + "log_type": "aianalyst/incidentevents" + } + ``` + + + === "test_aianalyst_without_log_type" diff --git a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md index ddbb2a1c08..96a18b3c3a 100644 --- a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md +++ b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_dhcp_lease.json" diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md index 0e2b90c4c5..2ebca2d308 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md @@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "ioc_view_no_pwd_set.json" @@ -1008,6 +1008,113 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "ioc_view_query7.json" + + ```json + + { + "message": "{\n \"upload_size\": 1406,\n \"profile_path\": \"%%XXXX\",\n \"record_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx\",\n \"ioc_severity\": 4,\n \"handler_verdicts_case_descriptions\": {\n \"default\": \"{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"}\"\n },\n \"user_parameters\": \"%%XXXX\",\n \"folded\": 0,\n \"meta_mac_address\": \"c5:1a:64:c1:65:3a\",\n \"endpoint_id\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"handler_verdict_suppression_mdr\": false,\n \"meta_public_ip_country_code\": \"FR\",\n \"schema_version\": \"24\",\n \"subject_logon_id\": \"0x3e7\",\n \"ioc_detection_mitre_attack\": \"[]\",\n \"handler_verdicts_entities\": \"[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}]\",\n \"user_workstations\": \"%%XXXX\",\n \"meta_licence\": \"MTR\",\n \"ioc_detection_experiment_level\": 0,\n \"privilege_list\": \"-\",\n \"ioc_created_at\": \"2024-10-22T14:41:22.595Z\",\n \"ingestion_timestamp\": \"2024-10-22T14:41:09.572Z\",\n \"home_directory\": \"%%XXXX\",\n \"ioc_detection_attack\": \"Suspicious Activity\",\n \"numerics\": false,\n \"eventid\": 4738,\n \"meta_public_ip\": \"1.2.3.4\",\n \"counter\": 0,\n \"detection_id_dedup\": \"detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"password_last_set\": \"%%1794\",\n \"meta_hostname\": \"XXXX-XXXXXXXX\",\n \"ioc_detection_references\": \"[\\\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\\\"]\",\n \"ioc_worker_name\": \"Security Event Service\",\n \"ioc_detection_type\": \"Threat\",\n \"ioc_detection_category\": \"Threat\",\n \"ioc_unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"epoch\": 1729607690,\n \"meta_ip_mask\": \"255.255.252.0\",\n \"ioc_worker_id\": \"security-event-service\",\n \"handler_verdict_suppression_xdr\": false,\n \"unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"ioc_log_type\": \"summary\",\n \"query_source\": \"xdr_only\",\n \"host_identifier\": \"hostIdentifier-xxxxxxxxxxxxxxx\",\n \"partition_bucket\": \"87\",\n \"home_path\": \"%%XXXX\",\n \"meta_public_ip_country\": \"France\",\n \"meta_boot_time\": 1729607865,\n \"subject_username\": \"XXXX-XXXXXXXX$\",\n \"handler_verdicts_detection_descriptions\": {\n \"default\": \"{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}\"\n },\n \"meta_os_name\": \"Microsoft Windows 11 Professionnel\",\n \"osquery_action\": \"added\",\n \"script_path\": \"%%XXXX\",\n \"account_expires\": \"%%1794\",\n \"meta_query_pack_version\": \"1.21.26\",\n \"subject_domain\": \"ACOSS\",\n \"handler_verdict_suppression\": false,\n \"calendar_time\": \"2024-10-22T14:40:48.000Z\",\n \"meta_eid\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"meta_public_ip_longitude\": 2.3387,\n \"ioc_detection_id\": \"WIN-EVENT-4738\",\n \"meta_os_platform\": \"windows\",\n \"meta_username\": \"\",\n \"detection_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx_detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"handler_verdict_escalation\": false,\n \"query_name\": \"windows_event_user_account_changed\",\n \"provider_name\": \"Microsoft-Windows-Security-Auditing\",\n \"meta_os_type\": \"\",\n \"meta_os_version\": \"10.0.22631\",\n \"sam_account_name\": \"TestUser\",\n \"meta_public_ip_latitude\": 48.8582,\n \"source\": \"Security\",\n \"ioc_detection_licenses\": \"[\\\"MTR\\\",\\\"XDR\\\"]\",\n \"user_principal_name\": \"-\",\n \"description\": \"A User Account was changed\",\n \"meta_aggressive_activity\": \"False\",\n \"meta_ip_address\": \"1.2.3.1\",\n \"handler_verdicts\": \"{\\\"default\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"hostIdentifier-xxxxxxxxxxxxxxx111-xxxx-xxxxx-xxxxxx111111\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"},{\\\"description\\\":\\\"rule to normalize osquery detections\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"normalize_osquery_detections\\\"},{\\\"description\\\":\\\"Update the description in handler verdicts to add detection id\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"add_detection_id\\\"},{\\\"description\\\":\\\"Correlate Osquery detections on customer ID and host ID\\\",\\\"kb\\\":\\\"correlation\\\",\\\"name\\\":\\\"osquery_correlation_id\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}},\\\"entities\\\":[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[\\\"osquery_correlation_id\\\"],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\",\\\"normalize_osquery_detections\\\",\\\"add_detection_id\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"mdr\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"\\\",\\\"significance_id\\\":\\\"\\\"}},\\\"entities\\\":[],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"xdr\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"id\\\":\\\"\\\",\\\"correlationIds\\\":null},\\\"mutations\\\":{},\\\"matched_rules\\\":[],\\\"labels\\\":[],\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[],\\\"suppression\\\":[]},\\\"escalation\\\":false,\\\"suppression\\\":false}}\",\n \"ingest_date\": \"2024-10-22\",\n \"target_domain\": \"XXXX-XXXXXXXX\",\n \"uac\": \"-\",\n \"meta_endpoint_type\": \"computer\",\n \"meta_domain_controller\": \"False\",\n \"customer_id\": \"111-xxxx-xxxxx-xxxxxx111111\",\n \"ioc_detection_description\": \"Windows Event User Account Changed.\",\n \"message_identifier\": \"fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d\",\n \"ioc_attack_type\": \"Security Event Service Detections\",\n \"target_username\": \"TestUser\",\n \"display_name\": \"%%XXXX\",\n \"allowed_to_delegate_to\": \"-\",\n \"ioc_detection_weight\": 4\n}", + "event": { + "code": "WIN-EVENT-4738", + "ingested": "2024-10-22T14:41:09.572000Z", + "reason": "A User Account was changed", + "severity": 4 + }, + "@timestamp": "2024-10-22T14:40:48Z", + "destination": { + "address": "XXXX-XXXXXXXX", + "domain": "XXXX-XXXXXXXX" + }, + "host": { + "domain": "ACOSS", + "id": "hostIdentifier-xxxxxxxxxxxxxxx", + "name": "XXXX-XXXXXXXX", + "os": { + "full": "Microsoft Windows 11 Professionnel", + "name": "windows", + "version": "10.0.22631" + } + }, + "process": { + "name": "Security Event Service" + }, + "related": { + "hosts": [ + "XXXX-XXXXXXXX" + ], + "ip": [ + "1.2.3.1", + "1.2.3.4" + ] + }, + "sophos": { + "threat_center": { + "aggressive_activity": "False", + "detection_id_dedup": "detectionIdDedup-xxxxxxxxxxxxxxx", + "endpoint": { + "type": "computer" + }, + "event": { + "id": 4738 + }, + "id": "xxxxxxxx-xxxxxx-xxxxxx-xxxxxx", + "ioc": { + "attack_type": "Security Event Service Detections", + "detection": { + "attack": "Suspicious Activity", + "category": "Threat", + "licences": [ + "MTR", + "XDR" + ], + "type": "Threat", + "weight": "4" + }, + "log_type": "summary", + "unix_time": "2024-10-22T14:40:48.000000Z" + }, + "message": { + "id": "fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d" + }, + "query": { + "action": "added", + "name": "windows_event_user_account_changed", + "pack_version": "1.21.26", + "source": "xdr_only" + }, + "record_identifier": "xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx", + "worker": { + "id": "security-event-service" + } + } + }, + "source": { + "address": "1.2.3.1", + "bytes": 1406, + "geo": { + "country_iso_code": "FR", + "country_name": "France" + }, + "ip": "1.2.3.1", + "mac": "c5:1a:64:c1:65:3a", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "target": { + "name": "TestUser" + } + }, + "vulnerability": { + "description": "Windows Event User Account Changed.", + "reference": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738" + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md index 79ea1520dd..766592310c 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb_sample.md @@ -691,3 +691,107 @@ In this section, you will find examples of raw logs as generated natively by the +=== "ioc_view_query7" + + + ```json + { + "upload_size": 1406, + "profile_path": "%%XXXX", + "record_identifier": "xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx", + "ioc_severity": 4, + "handler_verdicts_case_descriptions": { + "default": "{\"correlated_reason_id\":\"\",\"created_reason_id\":\"\"}" + }, + "user_parameters": "%%XXXX", + "folded": 0, + "meta_mac_address": "c5:1a:64:c1:65:3a", + "endpoint_id": "xxxxxxxx-xxxxxx-xxxxxx-xxxxxx", + "handler_verdict_suppression_mdr": false, + "meta_public_ip_country_code": "FR", + "schema_version": "24", + "subject_logon_id": "0x3e7", + "ioc_detection_mitre_attack": "[]", + "handler_verdicts_entities": "[{\"attributes\":{\"domain_controller\":\"False\",\"endpoint_type\":\"computer\",\"hostname\":\"XXXX-XXXXXXXX\",\"id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"os_platform\":\"windows\",\"os_type\":\"\"},\"id\":\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"device\"},{\"attributes\":{\"address\":\"1.2.3.4\",\"external\":true,\"id\":\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\",\"type\":\"ipv4\"},\"id\":\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"ip_address\"},{\"attributes\":{\"address\":\"1.2.3.1\",\"external\":false,\"id\":\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\",\"type\":\"ipv4\"},\"id\":\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"ip_address\"}]", + "user_workstations": "%%XXXX", + "meta_licence": "MTR", + "ioc_detection_experiment_level": 0, + "privilege_list": "-", + "ioc_created_at": "2024-10-22T14:41:22.595Z", + "ingestion_timestamp": "2024-10-22T14:41:09.572Z", + "home_directory": "%%XXXX", + "ioc_detection_attack": "Suspicious Activity", + "numerics": false, + "eventid": 4738, + "meta_public_ip": "1.2.3.4", + "counter": 0, + "detection_id_dedup": "detectionIdDedup-xxxxxxxxxxxxxxx", + "password_last_set": "%%1794", + "meta_hostname": "XXXX-XXXXXXXX", + "ioc_detection_references": "[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\"]", + "ioc_worker_name": "Security Event Service", + "ioc_detection_type": "Threat", + "ioc_detection_category": "Threat", + "ioc_unix_time": "2024-10-22T14:40:48.000Z", + "epoch": 1729607690, + "meta_ip_mask": "255.255.252.0", + "ioc_worker_id": "security-event-service", + "handler_verdict_suppression_xdr": false, + "unix_time": "2024-10-22T14:40:48.000Z", + "ioc_log_type": "summary", + "query_source": "xdr_only", + "host_identifier": "hostIdentifier-xxxxxxxxxxxxxxx", + "partition_bucket": "87", + "home_path": "%%XXXX", + "meta_public_ip_country": "France", + "meta_boot_time": 1729607865, + "subject_username": "XXXX-XXXXXXXX$", + "handler_verdicts_detection_descriptions": { + "default": "{\"created_reason_id\":\"WIN-EVENT-4738\",\"significance_id\":\"WIN-EVENT-4738\"}" + }, + "meta_os_name": "Microsoft Windows 11 Professionnel", + "osquery_action": "added", + "script_path": "%%XXXX", + "account_expires": "%%1794", + "meta_query_pack_version": "1.21.26", + "subject_domain": "ACOSS", + "handler_verdict_suppression": false, + "calendar_time": "2024-10-22T14:40:48.000Z", + "meta_eid": "xxxxxxxx-xxxxxx-xxxxxx-xxxxxx", + "meta_public_ip_longitude": 2.3387, + "ioc_detection_id": "WIN-EVENT-4738", + "meta_os_platform": "windows", + "meta_username": "", + "detection_identifier": "xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx_detectionIdDedup-xxxxxxxxxxxxxxx", + "handler_verdict_escalation": false, + "query_name": "windows_event_user_account_changed", + "provider_name": "Microsoft-Windows-Security-Auditing", + "meta_os_type": "", + "meta_os_version": "10.0.22631", + "sam_account_name": "TestUser", + "meta_public_ip_latitude": 48.8582, + "source": "Security", + "ioc_detection_licenses": "[\"MTR\",\"XDR\"]", + "user_principal_name": "-", + "description": "A User Account was changed", + "meta_aggressive_activity": "False", + "meta_ip_address": "1.2.3.1", + "handler_verdicts": "{\"default\":{\"correlation\":{\"correlate\":false,\"correlationIds\":null,\"id\":\"hostIdentifier-xxxxxxxxxxxxxxx111-xxxx-xxxxx-xxxxxx111111\"},\"escalation\":false,\"labels\":[],\"matched_rules\":[{\"description\":\"Define the mutation data structure for subsequent mutation rules to reference\",\"kb\":\"mutation\",\"name\":\"define_mutation_structure\"},{\"description\":\"rule to normalize osquery detections\",\"kb\":\"mutation\",\"name\":\"normalize_osquery_detections\"},{\"description\":\"Update the description in handler verdicts to add detection id\",\"kb\":\"mutation\",\"name\":\"add_detection_id\"},{\"description\":\"Correlate Osquery detections on customer ID and host ID\",\"kb\":\"correlation\",\"name\":\"osquery_correlation_id\"}],\"mutations\":{\"descriptions\":{\"case_descriptions\":{\"correlated_reason_id\":\"\",\"created_reason_id\":\"\"},\"detection_descriptions\":{\"created_reason_id\":\"WIN-EVENT-4738\",\"significance_id\":\"WIN-EVENT-4738\"}},\"entities\":[{\"attributes\":{\"domain_controller\":\"False\",\"endpoint_type\":\"computer\",\"hostname\":\"XXXX-XXXXXXXX\",\"id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"os_platform\":\"windows\",\"os_type\":\"\"},\"id\":\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"device\"},{\"attributes\":{\"address\":\"1.2.3.4\",\"external\":true,\"id\":\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\",\"type\":\"ipv4\"},\"id\":\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"ip_address\"},{\"attributes\":{\"address\":\"1.2.3.1\",\"external\":false,\"id\":\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\",\"type\":\"ipv4\"},\"id\":\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\",\"integration_id\":\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\"source_system\":\"osquery\",\"type\":\"ip_address\"}],\"labels\":[]},\"rule_hits\":[],\"rule_hits_summary\":{\"correlation\":[\"osquery_correlation_id\"],\"escalation\":[],\"mutation\":[\"define_mutation_structure\",\"normalize_osquery_detections\",\"add_detection_id\"],\"suppression\":[]},\"suppression\":false},\"mdr\":{\"correlation\":{\"correlate\":false,\"correlationIds\":null,\"id\":\"\"},\"escalation\":false,\"labels\":[],\"matched_rules\":[{\"description\":\"Define the mutation data structure for subsequent mutation rules to reference\",\"kb\":\"mutation\",\"name\":\"define_mutation_structure\"}],\"mutations\":{\"descriptions\":{\"case_descriptions\":{\"correlated_reason_id\":\"\",\"created_reason_id\":\"\"},\"detection_descriptions\":{\"created_reason_id\":\"\",\"significance_id\":\"\"}},\"entities\":[],\"labels\":[]},\"rule_hits\":[],\"rule_hits_summary\":{\"correlation\":[],\"escalation\":[],\"mutation\":[\"define_mutation_structure\"],\"suppression\":[]},\"suppression\":false},\"xdr\":{\"correlation\":{\"correlate\":false,\"id\":\"\",\"correlationIds\":null},\"mutations\":{},\"matched_rules\":[],\"labels\":[],\"rule_hits\":[],\"rule_hits_summary\":{\"correlation\":[],\"escalation\":[],\"mutation\":[],\"suppression\":[]},\"escalation\":false,\"suppression\":false}}", + "ingest_date": "2024-10-22", + "target_domain": "XXXX-XXXXXXXX", + "uac": "-", + "meta_endpoint_type": "computer", + "meta_domain_controller": "False", + "customer_id": "111-xxxx-xxxxx-xxxxxx111111", + "ioc_detection_description": "Windows Event User Account Changed.", + "message_identifier": "fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d", + "ioc_attack_type": "Security Event Service Detections", + "target_username": "TestUser", + "display_name": "%%XXXX", + "allowed_to_delegate_to": "-", + "ioc_detection_weight": 4 + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md index 3fc165585b..869de04119 100644 --- a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md +++ b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "alerts_1.json" diff --git a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md index 59567022a7..b9a9fff22d 100644 --- a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md +++ b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_auth_failed_login.json" diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md index 0c6957640c..02b4aef948 100644 --- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md +++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_file_suspect_detail.json" diff --git a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md index d4def80186..9a71abec02 100644 --- a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md +++ b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md index c4fc60b8bd..4ca65845e0 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "connect.json" diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 6dd7432c8a..3e3fb5f9e2 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_afm_1.json" @@ -325,7 +325,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { @@ -373,7 +374,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { @@ -421,7 +423,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { @@ -468,7 +471,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { @@ -526,6 +530,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "name": "johndoe" } @@ -560,6 +567,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "name": "johndoe" } @@ -594,6 +604,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "domain": "EXAMPLE.ORG", "name": "johndoe" diff --git a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md index a082513b87..f9d7060625 100644 --- a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md +++ b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "query_log.json" diff --git a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md index 07c8f5b593..d0e813e9b7 100644 --- a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md +++ b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "admin_login.json" diff --git a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md index b81e9a24d1..63cec6bbcb 100644 --- a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md +++ b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "network_log.json" diff --git a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md index 1c01863696..75828d4f62 100644 --- a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md +++ b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_exchange_added_mailbox.json" diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md index 5261fe52a8..06d47b1885 100644 --- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_account_change_1.json" @@ -1163,6 +1163,45 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_network_activity_7.json" + + ```json + + { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "end": "2024-11-13T20:24:18Z", + "kind": "event", + "severity": 1, + "start": "2024-11-13T20:23:47Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-13T20:23:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "euw3-az1", + "provider": "AWS", + "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Network Activity", + "class_uid": 4001 + } + } + + ``` + + === "test_process_activity_1.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md index bf8e0c146e..54b92259fa 100644 --- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md @@ -2095,6 +2095,102 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_network_activity_7" + + + ```json + { + "metadata": { + "product": { + "version": "5", + "name": "Amazon VPC", + "feature": { + "name": "Flowlogs" + }, + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "security_control", + "datetime" + ], + "version": "1.1.0" + }, + "cloud": { + "account": { + "uid": "111111111111" + }, + "region": "eu-west-3", + "zone": "euw3-az1", + "provider": "AWS" + }, + "src_endpoint": { + "port": null, + "svc_name": "-", + "ip": "-", + "intermediate_ips": null, + "interface_uid": "eni-11111111111111111", + "vpc_uid": "vpc-11111111111111111", + "instance_uid": "-", + "subnet_uid": "subnet-11111111111111111" + }, + "dst_endpoint": { + "port": null, + "svc_name": "-", + "ip": "-", + "intermediate_ips": null, + "interface_uid": null, + "vpc_uid": null, + "instance_uid": null, + "subnet_uid": null + }, + "connection_info": { + "protocol_num": null, + "tcp_flags": null, + "protocol_ver": "-", + "boundary_id": 99, + "boundary": null, + "direction_id": 99, + "direction": "-" + }, + "traffic": null, + "time": 1731529427000, + "time_dt": 1731529427000, + "start_time_dt": 1731529427000, + "end_time_dt": 1731529458000, + "status_code": "NODATA", + "severity_id": 1, + "severity": "Informational", + "class_name": "Network Activity", + "class_uid": 4001, + "category_name": "Network Activity", + "category_uid": 4, + "activity_name": "Unknown", + "activity_id": 0, + "action": "-", + "action_id": 99, + "disposition": "-", + "type_uid": 400100, + "type_name": "Network Activity: Unknown", + "accountid": null, + "region": null, + "asl_version": null, + "unmapped": [ + [ + "sublocation_id", + "-" + ], + [ + "sublocation_type", + "-" + ] + ], + "observables": null + } + ``` + + + === "test_process_activity_1" diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index 0c0776c80f..3c408d7e12 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "combined.json" diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md index c4988d7403..a1c9609cec 100644 --- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md +++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_alert.json" diff --git a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md index be6f6bff0f..a75478e841 100644 --- a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md +++ b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event_certificate_create.json" diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md index 4ad0602d22..2e3c0ec14e 100644 --- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_ignoring_request.json" diff --git a/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md index cc40eefe0d..cb8ffa042e 100644 --- a/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md +++ b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_network_1_1.json" diff --git a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md index 7335e69047..ef4bcdbbb4 100644 --- a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md +++ b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "ipfix.json" diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md index 4cca3b952f..f9c664d9e6 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "accepted_google_authenticator.json" diff --git a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md index 56e7e664d0..875dab7d62 100644 --- a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md +++ b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "AgentAntiMalware.json" diff --git a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md index 911bd6eb9e..9d0eca7ee1 100644 --- a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "epo_event.json" diff --git a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md index 43afe36c68..530ee883d8 100644 --- a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md +++ b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "domain_match.json" diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md index 1bced097f4..29ea902baa 100644 --- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md +++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "codebreaker.json" diff --git a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md index 45a6615bb6..ff4f2dc58f 100644 --- a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md +++ b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "dns_type_1.json" diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md index 8a7c6bfc2e..9c31b276c3 100644 --- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "vectra_account_scoring.json" diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md index be558f7f25..878f041e5d 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md @@ -37,7 +37,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "auth.json" diff --git a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md index 6621644430..8ef5ad1739 100644 --- a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md +++ b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "ActorType1.json" diff --git a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md index ad634bd338..a7b2888260 100644 --- a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md +++ b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_corp_audit_log_1.json" diff --git a/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md b/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md index 5cff811124..9b64544d08 100644 --- a/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md +++ b/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "accept.json" diff --git a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md index 79d5d445b9..17b40483ef 100644 --- a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md +++ b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index a52162c2ea..804eb216e9 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "ad.json" @@ -370,6 +370,179 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "automated_investigation_and_response_1.json" + + ```json + + { + "message": "{\n \"CreationTime\":\"2024-10-31T16:24:41\",\n \"Id\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"Operation\":\"AirInvestigationData\",\n \"OrganizationId\":\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\",\n \"RecordType\":64,\n \"UserKey\":\"AirInvestigation\",\n \"UserType\":4,\n \"Version\":1,\n \"Workload\":\"AirInvestigation\",\n \"ObjectId\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"UserId\":\"AirInvestigation\",\n \"Actions\":[\n \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:a17bc80a136cbf4f5d4e82f43a9a3d1d\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"RelatedAlertIds\\\":[\\\"fff21c13-c681-7398-1200-08dcf8958252\\\"],\\\"StartTimeUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"TimestampUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"\n ],\n \"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"TestProvider\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"EndTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"TimeGenerated\\\":\\\"2024-10-30T03:52:49.16Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"UrlReputation\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"fff21c13-c681-7398-1200-08dcf8958252\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"bb0ac18c-5081-41e0-8656-f256ba9298d0\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"InvestigationStatus\\\":\\\"Running\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fafff21c13-c681-7398-1200-08dcf8958252\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Url\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":2,\\\"Urn\\\":\\\"urn:UrlEntity:289101bb3aa22cd0464dcd3ffa7116a8\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"4\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Name\\\":\\\"returnLabel_314378736750.pdf\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"6\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":null}],\\\"Recipient\\\":\\\"test.to@ixina.com\\\",\\\"Urls\\\":[\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv\\\",\\\"http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg\\\",\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"https://fr.shein.com/\\\",\\\"https://fr.shein.com/robot\\\",\\\"https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1\\\",\\\"https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1SenderDomain\\\":\\\"gmail.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P2SenderDisplayName\\\":\\\"Fanny Barriol\\\",\\\"P2SenderDomain\\\":\\\"gmail.com\\\",\\\"ReceivedDate\\\":\\\"2024-10-29T21:12:56\\\",\\\"NetworkMessageId\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"UrlReputation\\\"],\\\"Language\\\":\\\"fr\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:79be71f3203d9db81f0076352eca662e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"7\\\",\\\"MailboxPrimaryAddress\\\":\\\"test.to@ixina.com\\\",\\\"Upn\\\":\\\"test.to@ixina.com\\\",\\\"AadId\\\":\\\"2011d28b-3a87-4359-b2a0-7d14f0a83828\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:f182c190672d0194477f316c5f0367e5\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;1.2.3.4;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:0b159e7db54d59b4165e81fb02f6c656\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;gmail.com;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:5e820543f7cce922d13fcc25a0ca2204\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a42bb73f2f36d917364f11fe67f0c39b\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;gmail.com;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a5f65badbcbc2e3c6409625436363a29\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\n \"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"EndTimeUtc\":\"2024-10-31T15:26:49\",\n \"InvestigationId\":\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationType\":\"ZappedUrlInvestigation\",\n \"LastUpdateTimeUtc\":\"2024-10-31T12:59:19\",\n \"RunningTime\":9022,\n \"StartTimeUtc\":\"2024-10-31T12:58:22\",\n \"Status\":\"Pending Action\"\n }", + "event": { + "action": "AirInvestigationData", + "code": "64", + "end": "2024-10-31T15:26:49Z", + "kind": "event", + "outcome": "success", + "start": "2024-10-31T12:58:22Z" + }, + "@timestamp": "2024-10-31T16:24:41Z", + "action": { + "id": 64, + "name": "AirInvestigationData", + "outcome": "success", + "target": "user" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D" + }, + "name": "returnLabel_314378736750.pdf" + } + } + ], + "from": { + "address": [ + "test.sender@gmail.com" + ] + }, + "to": { + "address": [ + "test.to@ixina.com" + ] + } + }, + "host": { + "name": "MachineNameTest" + }, + "log": { + "level": "Informational" + }, + "office365": { + "audit": { + "object_id": "c3ebef20-fb63-4d14-b3c1-7bfb5937903a" + }, + "investigation": { + "alert": { + "category": "ThreatManagement", + "correlation_key": "bb0ac18c-5081-41e0-8656-f256ba9298d0", + "is_incident": false, + "provider": { + "name": "TestProvider", + "status": "InProgress" + }, + "severity": "Informational", + "source_type": "System", + "type": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88" + }, + "delivery": { + "action": [ + "Blocked" + ] + }, + "email": { + "sender": { + "domains": [ + "gmail.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "subjects": [ + "Fwd: Votre \u00e9tiquette de retour de SHEIN" + ], + "urls": [ + "http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png", + "https://fr.shein.com/", + "https://fr.shein.com/robot", + "https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1", + "https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8", + "https://play.google.com/store/apps/details?id=com.zzkko&hl=en", + "https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg", + "https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv" + ] + }, + "emails": [ + { + "message_ids": [ + "24b8430c-484d-4ee0-e12b-08dcee99416a", + "2e99f39a-c998-4d94-2085-08dce9cd0b7d", + "0ac4ee3c-7c79-408e-76c2-08dcf4106b65", + "fd400540-8a8d-42ae-d1f9-08dced20c42f", + "31cfca73-f309-4e21-cbc4-08dceed074cf", + "0491b33a-15fc-4503-9dd1-08dced818f57", + "4b620244-917b-4a04-7416-08dcf50af378", + "1abed68d-3b03-46bd-45e2-08dcf43fb625", + "abb4c4a5-7049-4047-5a68-08dcec201c1f", + "92bba720-15bc-4f09-49f2-08dcf8d738a4", + "3d511617-b717-416c-89cf-08dcf90a51c7", + "c3ad4b6b-0fd9-4510-4481-08dcf9043502", + "37b236bd-ad39-41c0-3984-08dcf85e6b44", + "a1d9684c-9982-4f80-880c-08dcf775c1a9" + ] + }, + { + "message_ids": [ + "37b236bd-ad39-41c0-3984-08dcf85e6b44" + ] + }, + { + "delivery": { + "action": "Blocked", + "location": "Quarantine", + "original_location": "Inbox" + }, + "direction": "Inbound", + "language": "fr", + "message_ids": [ + "37b236bd-ad39-41c0-3984-08dcf85e6b44" + ] + } + ], + "id": "urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "status": "Pending Action", + "threats": [ + "['ZapPhish', 'HighConfPhish']" + ], + "type": "ZappedUrlInvestigation" + }, + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx" + }, + "related": { + "user": [ + "AirInvestigation" + ] + }, + "rule": { + "name": "Email messages containing malicious URL removed after delivery\u200b" + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" + } + } + + ``` + + === "automated_investigation_and_response_with_additional_fields.json" ```json @@ -454,6 +627,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "http://1.2.3.7" ] }, + "emails": [], "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", "status": "Remediated", @@ -494,7 +668,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:48971b6852ea31ff93989b88b832bca5\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"ggravier@ixina.com\\\",\\\"Upn\\\":\\\"ggravier@ixina.com\\\",\\\"AadId\\\":\\\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (SenderIp:\\\\\\\"40.107.244.101\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"wdezd.ersdz.meradebo.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}", + "message": "{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:12345a6789bc01de23456f789ab0\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:012345a6789bcd0e1f23a4b5cd678ef9\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"user@mailbox.com\\\",\\\"Upn\\\":\\\"user@mailbox.com\\\",\\\"AadId\\\":\\\"0123ac45-6c7d-e89f-a0123b45c6d7\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:1a2b3456c7defabc8901d2e3fa456789\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0123a4567b8c9de0fa123bcde4f5a6b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:01a2bc345678de901f2a34b567cdef89\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"test.integration.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;test.integration.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}", "event": { "action": "AirInvestigationData", "code": "64", @@ -514,24 +688,24 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "attachments": [], "from": { "address": [ - "support.33@wdezd.ersdz.meradebo.com" + "sender@test.integration.com" ] }, "to": { "address": [ - "ggravier@ixina.com" + "user@mailbox.com" ] } }, "host": { - "name": "AM7EUR03BG406" + "name": "MACHINE01" }, "log": { "level": "Informational" }, "office365": { "audit": { - "object_id": "8217bd67-1368-4213-b6be-498cdbff1542" + "object_id": "1234ab56-7890-1234-c5de-678fabcd9012" }, "investigation": { "alert": { @@ -554,22 +728,55 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": { "sender": { "domains": [ - "wdezd.ersdz.meradebo.com" + "test.integration.com" ], "ip": [ - "40.107.244.101" + "1.2.3.4" ] }, "subjects": [ - "\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b" + "Subject of the mail" ], "urls": [ - "https://zpr.io/TUZAu6VrAvQT", - "https://zupimages.net/up/24/35/1itk.png" + "https://test.io/TUZAu6VrAvQT", + "https://website.net/up/24/35/image.png" ] }, - "id": "urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", - "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "emails": [ + { + "message_ids": [ + "01a2bcd3-efab-4c56-7890-12defa3bc4d", + "0123a456-b789-0cd1-e23f-45abcd6ef78", + "ab12cde3-f456-789a-01bc-23defa4bc5d", + "01a2b345-67c8-9012-345d-67efabc8d90e", + "01a234b5-6789-012c-3d4e-56fabcd7ef8", + "a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6", + "0a1b23c4-567d-8901-2345-67efabc8d90a", + "0123a4b5-678c-9d0e-1f23-45abcde6fa78", + "0a1b234c-5678-90d1-2efa-34bcdef5a6b7", + "0123a4bc-5d6e-78f9-0123-45abcde67890" + ] + }, + { + "message_ids": [ + "ab12cde3-f456-789a-01bc-23defa4bc5d" + ] + }, + { + "delivery": { + "action": "DeliveredAsSpam", + "location": "JunkFolder", + "original_location": "Inbox" + }, + "direction": "Inbound", + "language": "en", + "message_ids": [ + "ab12cde3-f456-789a-01bc-23defa4bc5d" + ] + } + ], + "id": "urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9", "status": "Pending Action", "threats": [ "['ZapPhish', 'NormalPhish']" @@ -583,7 +790,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "organization": { - "id": "275ae857-f201-4a2e-8f43-d48391c56871" + "id": "123abc456-d789-0e1f-2a34-b56789c01234" }, "related": { "user": [ @@ -692,6 +899,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "https://example.org" ] }, + "emails": [ + { + "delivery": { + "action": "Blocked", + "location": "Quarantine", + "original_location": "Inbox" + }, + "direction": "Inbound", + "language": "en", + "message_ids": [ + "3fe5777d-1fb7-4f34-bb1e-035e4df1f96f" + ] + } + ], "id": "urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", "name": "Mail with malicious file is zapped - urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", "status": "Investigation Started", @@ -812,6 +1033,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "target": "user" }, "office365": { + "context": { + "client": { + "id": "clientappidxxxx-xxx-xxx-xxxx" + } + }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { @@ -1051,6 +1283,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { @@ -1319,6 +1557,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "subject": "HI" }, "office365": { + "context": { + "client": { + "id": "037fd006-a72b-49ae-4bb0-08dba30c8729" + } + }, "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507" }, @@ -1807,7 +2050,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME" }, "context": { - "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847" + "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847", + "client": { + "id": "00000002-0000-0ff1-ce00-000000000000" + } }, "exchange_admin": { "parameters": [ @@ -2340,6 +2586,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "service": { "name": "ThreatIntelligence" }, + "url": { + "domain": "malicious.domain.com", + "original": "https://malicious.domain.com", + "port": 443, + "registered_domain": "domain.com", + "scheme": "https", + "subdomain": "malicious", + "top_level_domain": "com" + }, "user": { "email": "human@example.org", "id": "ThreatIntel", @@ -2350,6 +2605,179 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "operation_properties_01.json" + + ```json + + { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T10:34:13Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "john.doe@mail.fr", + "user@email.fr", + "asmithee@mailbox.fr", + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(Exists(ItemClass))}", + "RuleId": -123, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3-4", + "name": "john.doe@mail.fr" + } + } + + ``` + + +=== "operation_properties_02.json" + + ```json + + { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-23T12:26:18Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}", + "RuleId": 4561233110666051585, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3", + "name": "john.doe@mail.fr" + } + } + + ``` + + === "power_bi.json" ```json @@ -2883,6 +3311,182 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "security_compliance_alert_7.json" + + ```json + + { + "message": "{\"CreationTime\":\"2024-10-24T09:10:38\",\"Id\":\"9b1762d6-2667-4c2d-ad8f-5faa9b9dbad8\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"AlertId\":\"6c88ef80-67f0-4a32-b1c9-4696ba48a3e4\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MalwareFamily\\\",\\\"at\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"md\\\":\\\"2024-10-24T07:08:32.0000000Z\\\",\\\"sip\\\":null,\\\"ms\\\":\\\" [TEST] Click on this!!!\\\",\\\"imsgid\\\":\\\"\\\",\\\"ttdt\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"ttr\\\":\\\"Success_MessageQuarantined\\\",\\\"dm\\\":\\\"UrlReputation\\\",\\\"eid\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\\\",\\\"aii\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d\\\",\\\"thn\\\":\\\"Phish, Malicious\\\",\\\"ts\\\":\\\"2024-10-24T09:06:19.0000000Z\\\",\\\"te\\\":\\\"2024-10-24T09:08:19.0000000Z\\\",\\\"fvs\\\":\\\"Filters\\\",\\\"tpt\\\":\\\"HostedContentFilterPolicy\\\",\\\"tpid\\\":\\\"f0749efa-70b1-4420-94f7-9527b4f7f677\\\",\\\"tid\\\":\\\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\\\",\\\"tht\\\":\\\"Phish, Malicious\\\",\\\"trc\\\":\\\"test.user@example.com\\\",\\\"tsd\\\":\\\"evil@bad.com\\\",\\\"zu\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"pud\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"tdc\\\":\\\"1\\\",\\\"cpid\\\":null,\\\"lon\\\":\\\"Protection\\\"}\",\"EntityType\":\"MalwareFamily\",\"Name\":\"Email messages containing malicious URL removed after delivery\u200b\",\"PolicyId\":\"55087523-49bd-4bbd-b269-cda496a06d05\",\"Severity\":\"Informational\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}\n", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-24T09:10:38Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "from": { + "address": [ + "evil@bad.com" + ] + }, + "message_id": "AFIA3GCDITNgUgIKlOF5n5oH.1.1729763630549.mail.evil@bad.com", + "subject": " [TEST] Click on this!!!", + "to": { + "address": [ + "test.user@example.com" + ] + } + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email messages containing malicious URL removed after delivery\u200b", + "entity_type": "MalwareFamily", + "id": "6c88ef80-67f0-4a32-b1c9-4696ba48a3e4", + "severity": "Informational", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "3995fc59-1c0e-4812-b0f1-5308a209ef5e" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "55087523-49bd-4bbd-b269-cda496a06d05" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "url": { + "domain": "clickonthis.example.com", + "original": "//clickonthis.example.com/api/phishing", + "path": "/api/phishing", + "registered_domain": "example.com", + "subdomain": "clickonthis", + "top_level_domain": "com" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + +=== "security_compliance_alert_malicious_url.json" + + ```json + + { + "message": "{\"CreationTime\":\"2024-10-07T20:29:25\",\"Id\":\"33c6081c-a402-49a3-828e-8e6df08c5e90\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b76bf78d-7696-4b17-bbda-e9995c266879\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"AlertId\":\"657fb16a-ee7f-4939-a218-33ba3c72805e\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MaliciousUrl\\\",\\\"aii\\\":\\\"d6c7276b-3a65-43c7-9e25-525f7e289543\\\",\\\"eid\\\":\\\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\\\",\\\"curlh\\\":\\\"12815939189066485645\\\",\\\"tid\\\":\\\"b76bf78d-7696-4b17-bbda-e9995c266879\\\",\\\"ts\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"te\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"trc\\\":\\\"test.user@example.org\\\",\\\"tdc\\\":\\\"1\\\",\\\"at\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"dm\\\":\\\"MDO Safe Links\\\",\\\"ot\\\":\\\"Allowed\\\",\\\"od\\\":\\\"User clicked on a URL which was identified as potentially malicious at a later time.\\\",\\\"md\\\":\\\"2024-10-07T20:29:25.5945545Z\\\",\\\"lon\\\":\\\"MaliciousUrlClick\\\"}\",\"EntityType\":\"MaliciousUrl\",\"Name\":\"A potentially malicious URL click was detected\",\"PolicyId\":\"471d921d-e417-41c4-be33-ad67040f3ece\",\"Severity\":\"High\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-07T20:29:25Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "to": { + "address": [ + "test.user@example.org" + ] + } + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "A potentially malicious URL click was detected", + "entity_type": "MaliciousUrl", + "id": "657fb16a-ee7f-4939-a218-33ba3c72805e", + "severity": "High", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "b76bf78d-7696-4b17-bbda-e9995c266879" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "471d921d-e417-41c4-be33-ad67040f3ece" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "url": { + "domain": "test-d7a3.evil.net", + "original": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh", + "path": "/", + "port": 443, + "query": "param=SGVsbG8gV29ybGQh", + "registered_domain": "evil.net", + "scheme": "https", + "subdomain": "test-d7a3", + "top_level_domain": "net" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + === "source_log.json" ```json @@ -2962,7 +3566,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "email": "user@test.io", "id": "i:0h.f|membership|xxxxxx@test.com", - "name": "user@test.io" + "name": "user@test.io", + "target": { + "name": "user@test.io" + } }, "user_agent": { "device": { @@ -2981,6 +3588,117 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "targetusername.json" + + ```json + + { + "message": "{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}", + "event": { + "action": "AddedToSecureLink", + "category": [ + "file" + ], + "code": "14", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-29T07:41:53Z", + "action": { + "id": 14, + "name": "AddedToSecureLink", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://compagny-my.sharepoint.com/personal/usrename", + "SourceFileName": "filename.pdf", + "SourceRelativeUrl": "Documents/filename.pdf", + "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/filename.pdf", + "extension": "pdf", + "name": "filename.pdf" + }, + "office365": { + "audit": { + "object_id": "https://compagny-my.sharepoint.com/personal/docname.pdf" + }, + "context": { + "aad_session_id": "000-000-000-000", + "client": { + "id": "000-000-000-000", + "name": "Microsoft Teams" + }, + "correlation": { + "id": "000-000-000-000" + } + }, + "record_type": 14, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "000-000-000-000" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user.name@compagny.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "compagny-my.sharepoint.com", + "full": "https://compagny-my.sharepoint.com/personal/docname.pdf", + "original": "https://compagny-my.sharepoint.com/personal/docname.pdf", + "path": "/personal/docname.pdf", + "port": 443, + "registered_domain": "sharepoint.com", + "scheme": "https", + "subdomain": "compagny-my", + "top_level_domain": "com" + }, + "user": { + "email": "user.name@compagny.com", + "id": "userkey@live.com", + "name": "user.name@compagny.com", + "target": { + "name": "target_user_name_value" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "130.0.0" + } + } + + ``` + + === "teams_message_has_link.json" ```json @@ -4031,12 +4749,14 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.investigation.email.sender.ip` | `array` | Email sender IP`s | |`office365.investigation.email.subjects` | `array` | A list of email subjects | |`office365.investigation.email.urls` | `array` | Email urls | +|`office365.investigation.emails` | `array` | Several infos about emails | |`office365.investigation.id` | `keyword` | Investigation id | |`office365.investigation.name` | `keyword` | Investigation name | |`office365.investigation.status` | `keyword` | Investigation status | |`office365.investigation.threats` | `array` | A list of threats | |`office365.investigation.type` | `keyword` | Investigation type | |`office365.logon_error` | `keyword` | Logon error detailed reason | +|`office365.operation.properties` | `object` | A list of objects describing the operation | |`office365.record_type` | `long` | The type of the operation | |`office365.result_status` | `keyword` | Indicates whether the action was successful or not | |`office365.scope.code` | `long` | The origin (saas or on-premise) of the event | @@ -4073,6 +4793,7 @@ The following table lists the fields that are extracted, normalized under the EC |`user.email` | `keyword` | User email address. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | +|`user.target.name` | `keyword` | Short name or login of the user. | |`user_agent.name` | `keyword` | Name of the user agent. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | |`user_agent.version` | `keyword` | Version of the user agent. | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index 619e0ad07e..9547f1ebb2 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md @@ -297,6 +297,40 @@ In this section, you will find examples of raw logs as generated natively by the +=== "automated_investigation_and_response_1" + + + ```json + { + "CreationTime": "2024-10-31T16:24:41", + "Id": "c3ebef20-fb63-4d14-b3c1-7bfb5937903a", + "Operation": "AirInvestigationData", + "OrganizationId": "xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx", + "RecordType": 64, + "UserKey": "AirInvestigation", + "UserType": 4, + "Version": 1, + "Workload": "AirInvestigation", + "ObjectId": "c3ebef20-fb63-4d14-b3c1-7bfb5937903a", + "UserId": "AirInvestigation", + "Actions": [ + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:a17bc80a136cbf4f5d4e82f43a9a3d1d\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"24b8430c-484d-4ee0-e12b-08dcee99416a\",\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\",\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\",\"fd400540-8a8d-42ae-d1f9-08dced20c42f\",\"31cfca73-f309-4e21-cbc4-08dceed074cf\",\"0491b33a-15fc-4503-9dd1-08dced818f57\",\"4b620244-917b-4a04-7416-08dcf50af378\",\"1abed68d-3b03-46bd-45e2-08dcf43fb625\",\"abb4c4a5-7049-4047-5a68-08dcec201c1f\",\"92bba720-15bc-4f09-49f2-08dcf8d738a4\",\"3d511617-b717-416c-89cf-08dcf90a51c7\",\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\",\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"a1d9684c-9982-4f80-880c-08dcf775c1a9\"],\"CountByThreatType\":{\"HighConfPhish\":5,\"Phish\":0,\"Malware\":0,\"Spam\":0,\"MaliciousUrl\":15},\"CountByProtectionStatus\":{\"Delivered\":10,\"Blocked\":4,\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"Inbox\":10,\"Quarantine\":4,\"DeletedFolder\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:54.2957192Z\",\"MailCount\":15,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:54.2957192Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:54 PM\",\"Urn\":\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:56\"}],\"RelatedAlertIds\":[\"fff21c13-c681-7398-1200-08dcf8958252\"],\"StartTimeUtc\":\"2024-10-31T13:33:19\",\"LastUpdateTimeUtc\":\"2024-10-31T15:28:45.1030022Z\",\"TimestampUtc\":\"2024-10-31T13:33:19\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-10-31T15:28:45.1030022Z\",\"MachineName\":\"MachineNameTest\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}" + ], + "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"TestProvider\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2024-10-30T03:47:24Z\",\"EndTimeUtc\":\"2024-10-30T03:47:24Z\",\"TimeGenerated\":\"2024-10-30T03:52:49.16Z\",\"ProcessingEndTime\":\"2024-10-31T15:28:45.1030022Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"UrlReputation\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"fff21c13-c681-7398-1200-08dcf8958252\",\"SystemAlertId\":null,\"CorrelationKey\":\"bb0ac18c-5081-41e0-8656-f256ba9298d0\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fafff21c13-c681-7398-1200-08dcf8958252\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"Url\":\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\",\"Type\":\"url\",\"ClickCount\":0,\"EmailCount\":2,\"Urn\":\"urn:UrlEntity:289101bb3aa22cd0464dcd3ffa7116a8\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T12:58:53\"},{\"$id\":\"4\",\"Files\":[{\"$id\":\"5\",\"Name\":\"returnLabel_314378736750.pdf\",\"FileHashes\":[{\"$id\":\"6\",\"Algorithm\":\"SHA256\",\"Value\":\"F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D\",\"Type\":\"filehash\"}],\"Type\":\"file\",\"MalwareFamily\":null}],\"Recipient\":\"test.to@ixina.com\",\"Urls\":[\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7\",\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA\",\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf\",\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2\",\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv\",\"http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png\",\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg\",\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg\",\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\",\"https://fr.shein.com/\",\"https://fr.shein.com/robot\",\"https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1\",\"https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8\"],\"Threats\":[\"ZapPhish\",\"HighConfPhish\"],\"Sender\":\"test.sender@gmail.com\",\"P1Sender\":\"test.sender@gmail.com\",\"P1SenderDomain\":\"gmail.com\",\"SenderIP\":\"1.2.3.4\",\"P2Sender\":\"test.sender@gmail.com\",\"P2SenderDisplayName\":\"Fanny Barriol\",\"P2SenderDomain\":\"gmail.com\",\"ReceivedDate\":\"2024-10-29T21:12:56\",\"NetworkMessageId\":\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"InternetMessageId\":\"\",\"Subject\":\"Fwd: Votre \u00e9tiquette de retour de SHEIN\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Blocked\",\"ThreatDetectionMethods\":[\"UrlReputation\"],\"Language\":\"fr\",\"DeliveryLocation\":\"Quarantine\",\"OriginalDeliveryLocation\":\"Inbox\",\"PhishConfidenceLevel\":\"High\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved to quarantine]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:79be71f3203d9db81f0076352eca662e\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T12:58:53\"},{\"$id\":\"7\",\"MailboxPrimaryAddress\":\"test.to@ixina.com\",\"Upn\":\"test.to@ixina.com\",\"AadId\":\"2011d28b-3a87-4359-b2a0-7d14f0a83828\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:f182c190672d0194477f316c5f0367e5\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T12:58:53\"},{\"$id\":\"8\",\"NetworkMessageIds\":[\"37b236bd-ad39-41c0-3984-08dcf85e6b44\"],\"CountByThreatType\":{\"HighConfPhish\":1,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Blocked\":1},\"CountByDeliveryLocation\":{\"Quarantine\":1},\"Query\":\"( (( (BodyFingerprintBin1:\\\"2929356879\\\") ) AND ( (SenderIp:\\\"1.2.3.4\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:45.0302157Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:45.0302157Z\",\"ClusterGroup\":\"BodyFingerprintBin1,SenderIp\",\"Type\":\"mailCluster\",\"ClusterBy\":\"BodyFingerprintBin1;SenderIp;ContentType\",\"ClusterByValue\":\"2929356879;1.2.3.4;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:45 PM\",\"Urn\":\"urn:MailClusterEntity:0b159e7db54d59b4165e81fb02f6c656\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:52\"},{\"$id\":\"9\",\"NetworkMessageIds\":[\"37b236bd-ad39-41c0-3984-08dcf85e6b44\"],\"CountByThreatType\":{\"HighConfPhish\":1,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Blocked\":1},\"CountByDeliveryLocation\":{\"Quarantine\":1},\"Query\":\"( (( (Subject:\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\") ) AND ( (P2SenderDomain:\\\"gmail.com\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:45.0302157Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:45.0302157Z\",\"ClusterGroup\":\"Subject,P2SenderDomain,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;P2SenderDomain;AntispamDirection;ContentType\",\"ClusterByValue\":\"Fwd: Votre \u00e9tiquette de retour de SHEIN;gmail.com;1;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:45 PM\",\"Urn\":\"urn:MailClusterEntity:5e820543f7cce922d13fcc25a0ca2204\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:52\"},{\"$id\":\"10\",\"NetworkMessageIds\":[\"37b236bd-ad39-41c0-3984-08dcf85e6b44\"],\"CountByThreatType\":{\"HighConfPhish\":1,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Blocked\":1},\"CountByDeliveryLocation\":{\"Quarantine\":1},\"Query\":\"( (( (Subject:\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\") ) AND ( (SenderIp:\\\"1.2.3.4\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:45.0302157Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:45.0302157Z\",\"ClusterGroup\":\"Subject,SenderIp,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;SenderIp;AntispamDirection;ContentType\",\"ClusterByValue\":\"Fwd: Votre \u00e9tiquette de retour de SHEIN;1.2.3.4;1;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:45 PM\",\"Urn\":\"urn:MailClusterEntity:a42bb73f2f36d917364f11fe67f0c39b\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:52\"},{\"$id\":\"11\",\"NetworkMessageIds\":[\"37b236bd-ad39-41c0-3984-08dcf85e6b44\"],\"CountByThreatType\":{\"HighConfPhish\":1,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Blocked\":1},\"CountByDeliveryLocation\":{\"Quarantine\":1},\"Query\":\"( (( (BodyFingerprintBin1:\\\"2929356879\\\") ) AND ( (P2SenderDomain:\\\"gmail.com\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:45.0302157Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:45.0302157Z\",\"ClusterGroup\":\"BodyFingerprintBin1,P2SenderDomain\",\"Type\":\"mailCluster\",\"ClusterBy\":\"BodyFingerprintBin1;P2SenderDomain;ContentType\",\"ClusterByValue\":\"2929356879;gmail.com;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:45 PM\",\"Urn\":\"urn:MailClusterEntity:a5f65badbcbc2e3c6409625436363a29\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:52\"},{\"$id\":\"12\",\"NetworkMessageIds\":[\"24b8430c-484d-4ee0-e12b-08dcee99416a\",\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\",\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\",\"fd400540-8a8d-42ae-d1f9-08dced20c42f\",\"31cfca73-f309-4e21-cbc4-08dceed074cf\",\"0491b33a-15fc-4503-9dd1-08dced818f57\",\"4b620244-917b-4a04-7416-08dcf50af378\",\"1abed68d-3b03-46bd-45e2-08dcf43fb625\",\"abb4c4a5-7049-4047-5a68-08dcec201c1f\",\"92bba720-15bc-4f09-49f2-08dcf8d738a4\",\"3d511617-b717-416c-89cf-08dcf90a51c7\",\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\",\"37b236bd-ad39-41c0-3984-08dcf85e6b44\",\"a1d9684c-9982-4f80-880c-08dcf775c1a9\"],\"CountByThreatType\":{\"HighConfPhish\":5,\"Phish\":0,\"Malware\":0,\"Spam\":0,\"MaliciousUrl\":15},\"CountByProtectionStatus\":{\"Delivered\":10,\"Blocked\":4,\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"Inbox\":10,\"Quarantine\":4,\"DeletedFolder\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-10-31T13:31:54.2957192Z\",\"MailCount\":15,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-10-11T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-10-31T13:31:54.2957192Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\",\"QueryStartTime\":\"10/11/2024 12:00:00 AM\",\"QueryTime\":\"10/31/2024 1:31:54 PM\",\"Urn\":\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\",\"Source\":\"TestProvider\",\"FirstSeen\":\"2024-10-31T13:31:56\"}],\"LogCreationTime\":\"2024-10-31T15:28:45.1030022Z\",\"MachineName\":\"MachineNameTest\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", + "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "EndTimeUtc": "2024-10-31T15:26:49", + "InvestigationId": "urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "InvestigationType": "ZappedUrlInvestigation", + "LastUpdateTimeUtc": "2024-10-31T12:59:19", + "RunningTime": 9022, + "StartTimeUtc": "2024-10-31T12:58:22", + "Status": "Pending Action" + } + ``` + + + === "automated_investigation_and_response_with_additional_fields" @@ -337,25 +371,25 @@ In this section, you will find examples of raw logs as generated natively by the ```json { "CreationTime": "2024-09-02T03:33:37", - "Id": "8217bd67-1368-4213-b6be-498cdbff1542", + "Id": "1234ab56-7890-1234-c5de-678fabcd9012", "Operation": "AirInvestigationData", - "OrganizationId": "275ae857-f201-4a2e-8f43-d48391c56871", + "OrganizationId": "123abc456-d789-0e1f-2a34-b56789c01234", "RecordType": 64, "UserKey": "AirInvestigation", "UserType": 4, "Version": 1, "Workload": "AirInvestigation", - "ObjectId": "8217bd67-1368-4213-b6be-498cdbff1542", + "ObjectId": "1234ab56-7890-1234-c5de-678fabcd9012", "UserId": "AirInvestigation", "Actions": [ - "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:48971b6852ea31ff93989b88b832bca5\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"Recipient\":\"ggravier@ixina.com\",\"Urls\":[\"https://zpr.io/TUZAu6VrAvQT\",\"https://zupimages.net/up/24/35/1itk.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P1Sender\":\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\",\"P1SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"SenderIP\":\"40.107.244.101\",\"P2Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P2SenderDisplayName\":\"Tractor Supply\",\"P2SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"InternetMessageId\":\"\",\"Subject\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"}],\"RelatedAlertIds\":[\"76572799-59c1-0221-8c00-08dccafd4a30\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}", - "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\",\"2019a522-c814-4cd0-b23d-08dccaf8cc37\",\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"02c4a467-76c0-4491-737f-08dccaf8d47c\",\"26c865c1-2187-469c-5c0c-08dccaf8dca1\",\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\",\"5f3c47d0-051b-4439-8235-08dccaf8d27a\",\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\",\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\",\"1106f7ec-3c1f-45f6-2640-08dccaf90045\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://zpr.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://zpr.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://zpr.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"RelatedAlertIds\":[\"76572799-59c1-0221-8c00-08dccafd4a30\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}" + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:12345a6789bc01de23456f789ab0\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"Recipient\":\"user@mailbox.com\",\"Urls\":[\"https://test.io/TUZAu6VrAvQT\",\"https://website.net/up/24/35/image.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"sender@test.integration.com\",\"P1Sender\":\"p1sender@test.integration.com\",\"P1SenderDomain\":\"test.integration.com\",\"SenderIP\":\"1.2.3.4\",\"P2Sender\":\"sender@test.integration.com\",\"P2SenderDisplayName\":\"P2 name\",\"P2SenderDomain\":\"test.integration.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"InternetMessageId\":\"\",\"Subject\":\"Subject of the mail\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"}],\"RelatedAlertIds\":[\"01234567-89a0-1234-5b67-89cdefa0b12\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"MACHINE01\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}", + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:012345a6789bcd0e1f23a4b5cd678ef9\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"01a2bcd3-efab-4c56-7890-12defa3bc4d\",\"0123a456-b789-0cd1-e23f-45abcd6ef78\",\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"01a2b345-67c8-9012-345d-67efabc8d90e\",\"01a234b5-6789-012c-3d4e-56fabcd7ef8\",\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\",\"0a1b23c4-567d-8901-2345-67efabc8d90a\",\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\",\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\",\"0123a4bc-5d6e-78f9-0123-45abcde67890\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://test.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://test.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://test.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"RelatedAlertIds\":[\"01234567-89a0-1234-5b67-89cdefa0b12\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"MACHINE01\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}" ], - "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"EndTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"TimeGenerated\":\"2024-09-02T03:16:43.91Z\",\"ProcessingEndTime\":\"2024-09-02T03:33:31.8137435Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"URLList\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"76572799-59c1-0221-8c00-08dccafd4a30\",\"SystemAlertId\":null,\"CorrelationKey\":\"8a5bf71a-d9e4-422e-8bdb-33272de66983\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationStatus\":\"Pending\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"Recipient\":\"ggravier@ixina.com\",\"Urls\":[\"https://zpr.io/TUZAu6VrAvQT\",\"https://zupimages.net/up/24/35/1itk.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P1Sender\":\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\",\"P1SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"SenderIP\":\"40.107.244.101\",\"P2Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P2SenderDisplayName\":\"Tractor Supply\",\"P2SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"InternetMessageId\":\"\",\"Subject\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"4\",\"MailboxPrimaryAddress\":\"ggravier@ixina.com\",\"Upn\":\"ggravier@ixina.com\",\"AadId\":\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"5\",\"Url\":\"https://zpr.io/TUZAu6VrAvQT\",\"Type\":\"url\",\"ClickCount\":0,\"EmailCount\":12,\"Urn\":\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"6\",\"NetworkMessageIds\":[\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\") ) AND ( (SenderIp:\\\"40.107.244.101\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,SenderIp,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;SenderIp;AntispamDirection;ContentType\",\"ClusterByValue\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"7\",\"NetworkMessageIds\":[\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\",\"2019a522-c814-4cd0-b23d-08dccaf8cc37\",\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"02c4a467-76c0-4491-737f-08dccaf8d47c\",\"26c865c1-2187-469c-5c0c-08dccaf8dca1\",\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\",\"5f3c47d0-051b-4439-8235-08dccaf8d27a\",\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\",\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\",\"1106f7ec-3c1f-45f6-2640-08dccaf90045\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://zpr.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://zpr.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://zpr.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"8\",\"NetworkMessageIds\":[\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\") ) AND ( (P2SenderDomain:\\\"wdezd.ersdz.meradebo.com\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,P2SenderDomain,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;P2SenderDomain;AntispamDirection;ContentType\",\"ClusterByValue\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", - "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"EndTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"TimeGenerated\":\"2024-09-02T03:16:43.91Z\",\"ProcessingEndTime\":\"2024-09-02T03:33:31.8137435Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"URLList\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"01234567-89a0-1234-5b67-89cdefa0b12\",\"SystemAlertId\":null,\"CorrelationKey\":\"8a5bf71a-d9e4-422e-8bdb-33272de66983\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationStatus\":\"Pending\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa01234567-89a0-1234-5b67-89cdefa0b12\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"Recipient\":\"user@mailbox.com\",\"Urls\":[\"https://test.io/TUZAu6VrAvQT\",\"https://website.net/up/24/35/image.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"sender@test.integration.com\",\"P1Sender\":\"p1sender@test.integration.com\",\"P1SenderDomain\":\"test.integration.com\",\"SenderIP\":\"1.2.3.4\",\"P2Sender\":\"sender@test.integration.com\",\"P2SenderDisplayName\":\"P2 name\",\"P2SenderDomain\":\"test.integration.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"InternetMessageId\":\"\",\"Subject\":\"Subject of the mail\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"4\",\"MailboxPrimaryAddress\":\"user@mailbox.com\",\"Upn\":\"user@mailbox.com\",\"AadId\":\"0123ac45-6c7d-e89f-a0123b45c6d7\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:1a2b3456c7defabc8901d2e3fa456789\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"5\",\"Url\":\"https://test.io/TUZAu6VrAvQT\",\"Type\":\"url\",\"ClickCount\":0,\"EmailCount\":12,\"Urn\":\"urn:UrlEntity:0123a4567b8c9de0fa123bcde4f5a6b\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"6\",\"NetworkMessageIds\":[\"ab12cde3-f456-789a-01bc-23defa4bc5d\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"Subject of the mail\\\") ) AND ( (SenderIp:\\\"1.2.3.4\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,SenderIp,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;SenderIp;AntispamDirection;ContentType\",\"ClusterByValue\":\"Subject of the mail;1.2.3.4;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:01a2bc345678de901f2a34b567cdef89\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"7\",\"NetworkMessageIds\":[\"01a2bcd3-efab-4c56-7890-12defa3bc4d\",\"0123a456-b789-0cd1-e23f-45abcd6ef78\",\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"01a2b345-67c8-9012-345d-67efabc8d90e\",\"01a234b5-6789-012c-3d4e-56fabcd7ef8\",\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\",\"0a1b23c4-567d-8901-2345-67efabc8d90a\",\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\",\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\",\"0123a4bc-5d6e-78f9-0123-45abcde67890\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://test.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://test.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://test.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"8\",\"NetworkMessageIds\":[\"ab12cde3-f456-789a-01bc-23defa4bc5d\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"Subject of the mail\\\") ) AND ( (P2SenderDomain:\\\"test.integration.com\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ab12cde3-f456-789a-01bc-23defa4bc5d\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,P2SenderDomain,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;P2SenderDomain;AntispamDirection;ContentType\",\"ClusterByValue\":\"Subject of the mail;test.integration.com;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"MACHINE01\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", + "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9", "EndTimeUtc": "2024-09-02T03:33:31", - "InvestigationId": "urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", - "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "InvestigationId": "urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9", + "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9", "InvestigationType": "ZappedUrlInvestigation", "LastUpdateTimeUtc": "2024-09-02T03:28:24", "RunningTime": 771, @@ -1422,6 +1456,159 @@ In this section, you will find examples of raw logs as generated natively by the +=== "operation_properties_01" + + + ```json + { + "AppAccessContext": {}, + "CreationTime": "2024-10-28T10:34:13", + "Id": "xxxx-xxx-xxx-xxxx", + "Operation": "UpdateInboxRules", + "OrganizationId": "xxxx-xxx-xxx-xxxx", + "RecordType": 2, + "ResultStatus": "Succeeded", + "UserKey": "xxxx-xxx-xxx-xxxx", + "UserType": 0, + "Version": 1, + "Workload": "Exchange", + "ClientIP": "1.2.3.4", + "UserId": "john.doe@mail.fr", + "ClientIPAddress": "1.2.3.4", + "ClientInfoString": "Client=xxxx-xxx-xxx-xxxx", + "ClientProcessName": "PROCESS.EXE", + "ClientRequestId": "{xxxx-xxx-xxx-xxxx}", + "ClientVersion": "16.0.17328.20550", + "ExternalAccess": false, + "InternalLogonType": 0, + "LogonType": 2, + "LogonUserSid": "S-1-2-3-4", + "MailboxGuid": "xxxx-xxx-xxx-xxxx", + "MailboxOwnerMasterAccountSid": "S-1-2-3", + "MailboxOwnerSid": "S-1-2-3-4-5", + "MailboxOwnerUPN": "owner@mail.fr", + "OperationProperties": [ + { + "Name": "RuleOperation", + "Value": "ModifyMailboxRule" + }, + { + "Name": "RuleId", + "Value": "-123" + }, + { + "Name": "RuleState", + "Value": "Enabled" + }, + { + "Name": "RuleCondition", + "Value": "{(Exists(ItemClass))}" + }, + { + "Name": "RuleName" + }, + { + "Name": "RuleProvider", + "Value": "RuleOrganizer" + }, + { + "Name": "RuleActions", + "Value": "[{\"ActionType\":\"Forward\",\"Recipients\":[\"john.doe@mail.fr\",\"user@email.fr\",\"asmithee@mailbox.fr\",\"user.name@mail.fr\"],\"ForwardFlags\":\"None\"}]" + } + ], + "OrganizationName": "organization.com", + "OriginatingServer": "Origin Server\r\n", + "SessionId": "xxxx-xxx-xxx-xxxx", + "Item": { + "Id": "ID12345", + "ImmutableId": "ErrorDuringIdConversion", + "ParentFolder": { + "Id": "ID12345", + "Name": "Bo\u00eete de r\u00e9ception", + "Path": "\\Bo\u00eete de r\u00e9ception" + } + } + } + ``` + + + +=== "operation_properties_02" + + + ```json + { + "AppAccessContext": {}, + "CreationTime": "2024-10-23T12:26:18", + "Id": "xxxx-xxx-xxx-xxxx", + "Operation": "UpdateInboxRules", + "OrganizationId": "xxxx-xxx-xxx-xxxx", + "RecordType": 2, + "ResultStatus": "Succeeded", + "UserKey": "123456", + "UserType": 0, + "Version": 1, + "Workload": "Exchange", + "ClientIP": "1.2.3.4", + "UserId": "john.doe@mail.fr", + "ClientIPAddress": "1.2.3.4", + "ClientInfoString": "Client=xxxx-xxx-xxx-xxxx", + "ClientProcessName": "PROCESS.EXE", + "ClientRequestId": "{xxxx-xxx-xxx-xxxx}", + "ClientVersion": "16.0.16731.20456", + "ExternalAccess": false, + "InternalLogonType": 0, + "LogonType": 0, + "LogonUserSid": "S-1-2-3", + "MailboxGuid": "xxxx-xxx-xxx-xxxx", + "MailboxOwnerSid": "S-1-2-3", + "MailboxOwnerUPN": "john.doe@mail.fr", + "OperationProperties": [ + { + "Name": "RuleOperation", + "Value": "ModifyMailboxRule" + }, + { + "Name": "RuleId", + "Value": "4561233110666051585" + }, + { + "Name": "RuleState", + "Value": "Enabled" + }, + { + "Name": "RuleCondition", + "Value": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}" + }, + { + "Name": "RuleName" + }, + { + "Name": "RuleProvider", + "Value": "RuleOrganizer" + }, + { + "Name": "RuleActions", + "Value": "[{\"ActionType\":\"Forward\",\"Recipients\":[\"user.name@mail.fr\"],\"ForwardFlags\":\"None\"}]" + } + ], + "OrganizationName": "organization.name.com", + "OriginatingServer": "Origin Server\r\n", + "SessionId": "xxxx-xxx-xxx-xxxx", + "Item": { + "Id": "xxxx-xxx-xxx-xxxx", + "ImmutableId": "ErrorDuringIdConversion", + "ParentFolder": { + "Id": "xxxx-xxx-xxx-xxxx", + "Name": "Bo\u00eete de r\u00e9ception", + "Path": "\\Bo\u00eete de r\u00e9ception" + } + } + } + ``` + + + === "power_bi" @@ -1760,6 +1947,84 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_compliance_alert_7" + + + ```json + { + "CreationTime": "2024-10-24T09:10:38", + "Id": "9b1762d6-2667-4c2d-ad8f-5faa9b9dbad8", + "Operation": "AlertEntityGenerated", + "OrganizationId": "3995fc59-1c0e-4812-b0f1-5308a209ef5e", + "RecordType": 40, + "ResultStatus": "Succeeded", + "UserKey": "SecurityComplianceAlerts", + "UserType": 4, + "Version": 1, + "Workload": "SecurityComplianceCenter", + "ObjectId": "32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1", + "UserId": "SecurityComplianceAlerts", + "AlertEntityId": "32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1", + "AlertId": "6c88ef80-67f0-4a32-b1c9-4696ba48a3e4", + "AlertLinks": [ + { + "AlertLinkHref": "" + } + ], + "AlertType": "System", + "Category": "ThreatManagement", + "Comments": "New alert", + "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-10-24T09:07:19.0000000Z\",\"md\":\"2024-10-24T07:08:32.0000000Z\",\"sip\":null,\"ms\":\" [TEST] Click on this!!!\",\"imsgid\":\"\",\"ttdt\":\"2024-10-24T09:07:19.0000000Z\",\"ttr\":\"Success_MessageQuarantined\",\"dm\":\"UrlReputation\",\"eid\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"aii\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d\",\"thn\":\"Phish, Malicious\",\"ts\":\"2024-10-24T09:06:19.0000000Z\",\"te\":\"2024-10-24T09:08:19.0000000Z\",\"fvs\":\"Filters\",\"tpt\":\"HostedContentFilterPolicy\",\"tpid\":\"f0749efa-70b1-4420-94f7-9527b4f7f677\",\"tid\":\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\",\"tht\":\"Phish, Malicious\",\"trc\":\"test.user@example.com\",\"tsd\":\"evil@bad.com\",\"zu\":\"clickonthis.example.com/api/phishing\",\"pud\":\"clickonthis.example.com/api/phishing\",\"tdc\":\"1\",\"cpid\":null,\"lon\":\"Protection\"}", + "EntityType": "MalwareFamily", + "Name": "Email messages containing malicious URL removed after delivery\u200b", + "PolicyId": "55087523-49bd-4bbd-b269-cda496a06d05", + "Severity": "Informational", + "Source": "Office 365 Security & Compliance", + "Status": "Active" + } + ``` + + + +=== "security_compliance_alert_malicious_url" + + + ```json + { + "CreationTime": "2024-10-07T20:29:25", + "Id": "33c6081c-a402-49a3-828e-8e6df08c5e90", + "Operation": "AlertEntityGenerated", + "OrganizationId": "b76bf78d-7696-4b17-bbda-e9995c266879", + "RecordType": 40, + "ResultStatus": "Succeeded", + "UserKey": "SecurityComplianceAlerts", + "UserType": 4, + "Version": 1, + "Workload": "SecurityComplianceCenter", + "ObjectId": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh", + "UserId": "SecurityComplianceAlerts", + "AlertEntityId": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh", + "AlertId": "657fb16a-ee7f-4939-a218-33ba3c72805e", + "AlertLinks": [ + { + "AlertLinkHref": "" + } + ], + "AlertType": "System", + "Category": "ThreatManagement", + "Comments": "New alert", + "Data": "{\"etype\":\"MaliciousUrl\",\"aii\":\"d6c7276b-3a65-43c7-9e25-525f7e289543\",\"eid\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"curlh\":\"12815939189066485645\",\"tid\":\"b76bf78d-7696-4b17-bbda-e9995c266879\",\"ts\":\"2024-10-07T20:07:11.0000000Z\",\"te\":\"2024-10-07T20:07:11.0000000Z\",\"trc\":\"test.user@example.org\",\"tdc\":\"1\",\"at\":\"2024-10-07T20:07:11.0000000Z\",\"dm\":\"MDO Safe Links\",\"ot\":\"Allowed\",\"od\":\"User clicked on a URL which was identified as potentially malicious at a later time.\",\"md\":\"2024-10-07T20:29:25.5945545Z\",\"lon\":\"MaliciousUrlClick\"}", + "EntityType": "MaliciousUrl", + "Name": "A potentially malicious URL click was detected", + "PolicyId": "471d921d-e417-41c4-be33-ad67040f3ece", + "Severity": "High", + "Source": "Office 365 Security & Compliance", + "Status": "Active" + } + ``` + + + === "source_log" @@ -1808,6 +2073,63 @@ In this section, you will find examples of raw logs as generated natively by the +=== "targetusername" + + + ```json + { + "AppAccessContext": { + "AADSessionId": "000-000-000-000", + "ClientAppId": "000-000-000-000", + "ClientAppName": "Microsoft Teams", + "CorrelationId": "000-000-000-000", + "UniqueTokenId": "xxxxxx" + }, + "CreationTime": "2024-10-29T07:41:53", + "Id": "000-000-000-000", + "Operation": "AddedToSecureLink", + "OrganizationId": "000-000-000-000", + "RecordType": 14, + "UserKey": "userkey@live.com", + "UserType": 0, + "Version": 1, + "Workload": "OneDrive", + "ClientIP": "1.2.3.4", + "UserId": "user.name@compagny.com", + "ApplicationId": "000-000-000-000", + "AuthenticationType": "OAuth", + "BrowserName": "Edge", + "BrowserVersion": "130.0.0.0", + "CorrelationId": "000-000-000-000", + "EventSource": "SharePoint", + "GeoLocation": "EUR", + "IsManagedDevice": true, + "ItemType": "File", + "ListId": "000-000-000-000", + "ListItemUniqueId": "000-000-000-000", + "Platform": "WinDesktop", + "Site": "000-000-000-000", + "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49", + "WebId": "000-000-000-000", + "DeviceDisplayName": "000-000-000-000", + "EventData": "EditFalse", + "SourceFileExtension": "pdf", + "TargetUserOrGroupType": "Member", + "UniqueSharingId": "000-000-000-000", + "TargetUserOrGroupName": "target_user_name_value", + "SiteUrl": "https://compagny-my.sharepoint.com/personal/usrename", + "SourceRelativeUrl": "Documents/filename.pdf", + "SourceFileName": "filename.pdf", + "ApplicationDisplayName": "Microsoft Teams", + "ObjectId": "https://compagny-my.sharepoint.com/personal/docname.pdf", + "AssociatedAdminUnits": [ + "000-000-000-000" + ] + } + ``` + + + === "teams_message_has_link" diff --git a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md index 259e992662..996bc6cef9 100644 --- a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md +++ b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "searchlight_alerts.json" diff --git a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md index 9f8100d9fb..a77c40d80a 100644 --- a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md +++ b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "allowed.json" diff --git a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md index 683b354e86..6075bd4448 100644 --- a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md +++ b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_detection.json" diff --git a/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3.md b/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3.md new file mode 100644 index 0000000000..f8102933fa --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3.md @@ -0,0 +1,232 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | None | +| `Network device logs` | None | +| `File monitoring` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `` | +| Type | `denied`, `info`, `start` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. + +=== "antimalware_1.json" + + ```json + + { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500", + "event": { + "action": "blocked", + "category": [ + "malware" + ], + "module": "av", + "severity": 9, + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-15T09:06:52Z", + "host": { + "ip": "10.0.0.4", + "name": "desktop-jdo.example.org" + }, + "observer": { + "product": "GravityZone", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "organization": { + "id": "8646b1be9aae4aefb3b23147" + }, + "related": { + "ip": [ + "10.0.0.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "id": "S-1-5-21-1111111111-222222222-3333333333-500", + "name": "jdoe" + } + }, + "threat": { + "indicator": { + "file": { + "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp", + "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp" + }, + "name": "EICAR-Test-File (not a virus)", + "type": "file" + } + } + } + + ``` + + +=== "antimalware_2.json" + + ```json + + { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500", + "event": { + "action": "blocked", + "category": [ + "malware" + ], + "module": "av", + "severity": 9, + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-15T09:06:53Z", + "host": { + "ip": "10.0.0.4", + "name": "desktop-jdo.example.org" + }, + "observer": { + "product": "GravityZone", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "organization": { + "id": "8646b1be9aae4aefb3b23147" + }, + "related": { + "ip": [ + "10.0.0.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "id": "S-1-5-21-1111111111-222222222-3333333333-500", + "name": "jdoe" + } + }, + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" + }, + "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp", + "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp" + }, + "name": "EICAR-Test-File (not a virus)", + "type": "file" + } + } + } + + ``` + + +=== "login_1.json" + + ```json + + { + "message": "CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4", + "event": { + "category": [ + "authentication" + ], + "severity": 3, + "type": [ + "start" + ] + }, + "host": { + "name": "1.2.3.4" + }, + "observer": { + "product": "GZ", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "related": { + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "name": "jdoe" + } + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`bitdefender.gravityzone.exploit.type` | `keyword` | Exploit type detected by Bitdefender GravityZone. | +|`destination.user.name` | `keyword` | Short name or login of the user. | +|`email.sender.address` | `keyword` | Address of the message sender. | +|`email.subject` | `keyword` | The subject of the email message. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.module` | `keyword` | Name of the module this data is coming from. | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`host.id` | `keyword` | Unique host id. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.name` | `keyword` | Name of the host. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`observer.version` | `keyword` | Observer version. | +|`organization.id` | `keyword` | Unique identifier for the organization. | +|`process.parent.name` | `keyword` | Process name. | +|`process.parent.path` | `keyword` | Path of the parent process. | +|`rule.name` | `keyword` | Rule name | +|`source.ip` | `ip` | IP address of the source. | +|`source.user.id` | `keyword` | Unique identifier of the user. | +|`source.user.name` | `keyword` | Short name or login of the user. | +|`threat.indicator.file.hash.sha256` | `keyword` | SHA256 hash. | +|`threat.indicator.file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`threat.indicator.file.path` | `keyword` | Full path to the file, including the file name. | +|`threat.indicator.type` | `keyword` | Type of indicator | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Bitdefender/gravityzone). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3_sample.md b/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3_sample.md new file mode 100644 index 0000000000..6ccb617ffe --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/d11df984-840d-4c29-a6dc-b9195c3a24e3_sample.md @@ -0,0 +1,30 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "antimalware_1" + + ``` + CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500 + ``` + + + +=== "antimalware_2" + + ``` + CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500 + ``` + + + +=== "login_1" + + ``` + CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4 + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md index 9d527c3cea..1bbdf202f1 100644 --- a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md +++ b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_network.json" diff --git a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md index ff22e5d06a..4c62a726c9 100644 --- a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md +++ b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "salesforce_apex_execution.json" @@ -62,6 +62,72 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "salesforce_apex_rest_api.json" + + ```json + + { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "event": { + "category": [ + "network" + ], + "dataset": "ApexRestApi", + "type": [ + "info" + ] + }, + "@timestamp": "2034-02-21T02:48:31.272150Z", + "http": { + "request": { + "method": "POST" + }, + "response": { + "mime_type": "application/json", + "status_code": 200 + } + }, + "organization": { + "id": "11111111111111111" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "login": { + "key": "xxxxxxxxxxxxxx" + }, + "request": { + "id": "5-Acr8biM2uu2UsrkBY5B-", + "status": "S" + }, + "session": { + "key": { + "id": "session-key12323" + } + }, + "user": { + "type": "Standard" + }, + "user_agent": 12024001 + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "path": "/requests" + }, + "user": { + "id": "user123123123123" + } + } + + ``` + + === "salesforce_api_event.json" ```json @@ -235,6 +301,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -309,7 +378,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "query": "queryParam1=val1&queryParam2=val2" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { "device": { @@ -375,6 +445,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -430,7 +503,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "initiated_logout": true, "type": "admin" - } + }, + "user_agent": 0 }, "source": { "address": "1.2.3.4", @@ -444,19 +518,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "path": "/sObject/0064100000JXITSAA5/view" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { - "device": { - "name": "Other" - }, "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", - "os": { - "name": "Windows", - "version": "10" - }, - "version": "93.0.4577" + "version": "93.0.4577.82" } } @@ -493,6 +560,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "address": "192.168.0.1", "ip": "192.168.0.1" }, + "url": { + "domain": "login.salesforce.com", + "original": "https://login.salesforce.com", + "port": 443, + "registered_domain": "salesforce.com", + "scheme": "https", + "subdomain": "login", + "top_level_domain": "com" + }, "user": { "email": "john.doe@example.com" } @@ -501,6 +577,78 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "salesforce_login_event_1.json" + + ```json + + { + "message": "{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "Login", + "type": [ + "start" + ] + }, + "@timestamp": "2034-02-21T02:43:24.464103Z", + "organization": { + "id": "ORG_ID_TEST" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "api": { + "version": "9998.0" + }, + "login": { + "key": "xxxxxxxxxxxxx", + "status": "LOGIN_NO_ERROR", + "sub_type": "oauthclientcredentials" + }, + "request": { + "id": "request_id_test" + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "TLSv1.3" + }, + "url": { + "original": "test.my.salesforce.com", + "path": "/services/oauth2/token" + }, + "user": { + "email": "user.integration@test.com", + "id": "USER_ID_TEST" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.28.0", + "os": { + "name": "Other" + }, + "version": "2.28" + } + } + + ``` + + === "salesforce_report_event.json" ```json @@ -588,6 +736,7 @@ The following table lists the fields that are extracted, normalized under the EC |`salesforce.session.key.id` | `keyword` | Salesforce session key id | |`salesforce.user.initiated_logout` | `boolean` | Salesforce user initiated logout | |`salesforce.user.type` | `keyword` | Salesforce user type | +|`salesforce.user_agent` | `number` | Salesforce user agent | |`source.geo.country_name` | `keyword` | Country name. | |`source.geo.region_name` | `keyword` | Region name. | |`source.ip` | `ip` | IP address of the source. | diff --git a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff_sample.md b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff_sample.md index ae7b3ddcbe..e1ca2acfb5 100644 --- a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff_sample.md +++ b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff_sample.md @@ -23,6 +23,47 @@ In this section, you will find examples of raw logs as generated natively by the +=== "salesforce_apex_rest_api" + + + ```json + { + "EVENT_TYPE": "ApexRestApi", + "TIMESTAMP": "20241029112721.500", + "REQUEST_ID": "5-Acr8biM2uu2UsrkBY5B-", + "ORGANIZATION_ID": "11111111111111111", + "USER_ID": "user123123123123", + "RUN_TIME": "462", + "CPU_TIME": "211", + "URI": "/requests", + "SESSION_KEY": "session-key12323", + "LOGIN_KEY": "xxxxxxxxxxxxxx", + "USER_TYPE": "Standard", + "REQUEST_STATUS": "S", + "DB_TOTAL_TIME": "181052355", + "METHOD": "POST", + "MEDIA_TYPE": "application/json", + "STATUS_CODE": "200", + "USER_AGENT": "12024001", + "ROWS_PROCESSED": "0", + "NUMBER_FIELDS": "", + "DB_BLOCKS": "22201502", + "DB_CPU_TIME": "143", + "REQUEST_SIZE": "", + "RESPONSE_SIZE": "", + "ENTITY_NAME": "", + "CONNECTED_APP_ID": "", + "CLIENT_NAME": "", + "EXCEPTION_MESSAGE": "", + "TIMESTAMP_DERIVED": "2024-10-29T11:27:21.500Z", + "USER_ID_DERIVED": "user123123123123QAC", + "CLIENT_IP": "1.2.3.4", + "URI_ID_DERIVED": "" + } + ``` + + + === "salesforce_api_event" @@ -229,6 +270,47 @@ In this section, you will find examples of raw logs as generated natively by the +=== "salesforce_login_event_1" + + + ```json + { + "EVENT_TYPE": "Login", + "TIMESTAMP": "20241026044641.024", + "REQUEST_ID": "request_id_test", + "ORGANIZATION_ID": "ORG_ID_TEST", + "USER_ID": "USER_ID_TEST", + "RUN_TIME": "47", + "CPU_TIME": "12", + "URI": "/services/oauth2/token", + "SESSION_KEY": "", + "LOGIN_KEY": "xxxxxxxxxxxxx", + "USER_TYPE": "Standard", + "REQUEST_STATUS": "", + "DB_TOTAL_TIME": "29963703", + "LOGIN_TYPE": "i", + "BROWSER_TYPE": "python-requests/2.28.0", + "API_TYPE": "", + "API_VERSION": "9998.0", + "USER_NAME": "user.integration@test.com", + "TLS_PROTOCOL": "TLSv1.3", + "CIPHER_SUITE": "TLS_AES_256_GCM_SHA384", + "LOGIN_URL": "test.my.salesforce.com", + "AUTHENTICATION_METHOD_REFERENCE": "", + "LOGIN_SUB_TYPE": "oauthclientcredentials", + "AUTHENTICATION_SERVICE_ID": "", + "TIMESTAMP_DERIVED": "2024-10-26T04:46:41.024Z", + "USER_ID_DERIVED": "USER_ID_TEST_IA4", + "CLIENT_IP": "1.2.3.4", + "URI_ID_DERIVED": "", + "LOGIN_STATUS": "LOGIN_NO_ERROR", + "SOURCE_IP": "1.2.3.4", + "FORWARDED_FOR_IP": "" + } + ``` + + + === "salesforce_report_event" diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md index d191dedcbd..31c840bc0b 100644 --- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md +++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "7602ff70-7e5f-42e9-86b2-36803df39183.json" diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md index 2908dbc0b2..3a3d99ea0b 100644 --- a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md +++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "elff_event.json" diff --git a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md index 0a980e80a2..ea3ef40b3f 100644 --- a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md +++ b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_auth_fail.json" diff --git a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md index d358cfa6aa..60cf6e0938 100644 --- a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md +++ b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "admin_services_service_modify.json" diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index dd358d27bc..db1a351f24 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "auth_was_rejected.json" diff --git a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md index 7449005ee9..bb6f6a2829 100644 --- a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md +++ b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "access.json" diff --git a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md index dc4276507d..831db65a85 100644 --- a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md +++ b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "input.json" diff --git a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md index cff8f2639e..76fcd8f0d0 100644 --- a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md +++ b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md @@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "event_01.json" diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index f1ec00ae5e..bc773913a3 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event_audit1.json" diff --git a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md index 59692757f7..e5d92395e1 100644 --- a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md +++ b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "connexion1.json" diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md index f3dae76d68..29c1cf2c7c 100644 --- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md +++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_audit_log_deleted_inline_policy.json" diff --git a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md index 07ea0bc3be..3c72863601 100644 --- a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md +++ b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_maillog.json" diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index 6df3aa073d..32c45a3c7c 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "action_overdict.json" diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md index 8474d24372..73cb50d886 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_auth_via_idp.json" @@ -91,7 +91,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "john.doe@example.org" + "system@okta.com" ] }, "source": { @@ -117,10 +117,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "org" }, "user": { - "email": "john.doe@example.org", - "full_name": "John Doe", - "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "email": "system@okta.com", + "full_name": "Okta System", + "id": "2pHxMaUZr2yoej9R2Lsf4", + "name": "system@okta.com", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -225,7 +231,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": "john.doe@example.org", "full_name": "John Doe", "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -329,7 +341,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": "john.doe@example.org", "full_name": "John Doe", "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -433,7 +451,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": "john.doe@example.org", "full_name": "John Doe", "id": "fWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "fWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -596,7 +620,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": "john.doe@example.org", "full_name": "John Doe", "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -701,8 +731,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "email": "john.doe@example.org", "full_name": "John Doe", - "id": "0ua42fzx6ndP18frF697", - "name": "john.doe@example.org" + "id": "00u42g1huy7jGFsKX697", + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "0ua42fzx6ndP18frF697", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { @@ -801,7 +837,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email": "john.doe@example.org", "full_name": "John Doe", "id": "eWiaLPtSTpjyy1BIwNFXg", - "name": "john.doe@example.org" + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } }, "user_agent": { "device": { diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index 9dcec8b0a4..11aa0b6b24 100644 --- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "client_connection_0.json" diff --git a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md index e27924e9d3..16cab4fe18 100644 --- a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md +++ b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "AUD_It.json" diff --git a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md index 052fad5478..b50409079d 100644 --- a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md +++ b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "User_id_1_csv.json" diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md index 87989c720e..0e7dc6978d 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "anvil.json" diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index e8d5842094..9ab6ad9d38 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md @@ -30,7 +30,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_app_control_detection_alert.json" diff --git a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md index edff737c84..435e2847cd 100644 --- a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md +++ b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "account_modification.json" diff --git a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md index 4a9135ef80..209b07b966 100644 --- a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md +++ b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "CountsofSecurityEvents.json" diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md index 993b39f9fc..c80b20edaf 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md @@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "CEF.json" diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md index a0060dafb9..769a6a5999 100644 --- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md +++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_transaction_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md index f9f280d3a9..5a76924222 100644 --- a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md +++ b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_blocked_file.json" diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index c235987812..bac669e9c4 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_type_1000.json" diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md index db8f85cd53..ab05a36e03 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "dns_format_error.json" diff --git a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md index cf48a096bd..508f31855c 100644 --- a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md +++ b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "cpc1126_1.json" diff --git a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md index 6c18e52fd2..23b41d54c9 100644 --- a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md +++ b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "get_record.json" diff --git a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md index f59c772718..9aa956b115 100644 --- a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md +++ b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "access.json" diff --git a/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md index 147d0ebcc3..1a748d65ef 100644 --- a/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md +++ b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. === "test_event_1.json" diff --git a/docs/getting_started/best_practices.md b/docs/getting_started/best_practices.md index 86569c09d6..9a560f60af 100644 --- a/docs/getting_started/best_practices.md +++ b/docs/getting_started/best_practices.md @@ -4,15 +4,15 @@ In the current cybersecurity landscape, organizations face significant challenge ### Rules Configuration -Our extensive catalog of over 900 rules, each [associated with a TTP from the MITRE ATT&CK framework](https://docs.sekoia.io/xdr/features/detect/built_in_detection_rules/), is categorized by four levels of effort. This enables targeted and effective defense against threats. The normalization of events via [intake formats](https://github.com/SEKOIA-IO/intake-formats/blob/main/doc/structured_event.md) and the use of [ECS taxonomy](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) allows for technology-agnostic integration, facilitating the production of detection rules based on the [SIGMA models](https://docs.sekoia.io/xdr/features/detect/sigma/), our specific [anomaly detection engine](https://docs.sekoia.io/xdr/features/detect/anomaly/) and even the [IOC Detection](https://docs.sekoia.io/xdr/features/detect/iocdetection/) & [Collections](https://docs.sekoia.io/xdr/features/detect/ioccollections/). +Our extensive catalog of over 900 rules, each [associated with a TTP from the MITRE ATT&CK framework](/xdr/features/detect/built_in_detection_rules.md), is categorized by four levels of effort. This enables targeted and effective defense against threats. The normalization of events via [intake formats](https://github.com/SEKOIA-IO/intake-formats/blob/main/doc/structured_event.md) and the use of [ECS taxonomy](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) allows for technology-agnostic integration, facilitating the production of detection rules based on the [SIGMA models](/xdr/features/detect/sigma.md), our specific [anomaly detection engine](/xdr/features/detect/anomaly.md) and even the [IOC Detection](/xdr/features/detect/iocdetection.md) & [Collections](/xdr/features/detect/ioccollections.md). **Recommendations:** -- **Activate all [effort level](https://docs.sekoia.io/xdr/features/detect/rules_catalog/#effort-level) 1 and 2 rules** during the initial setup of your community. +- **Activate all [effort level](/xdr/features/detect/rules_catalog.md#effort-level) 1 and 2 rules** during the initial setup of your community. -- **Configure the Rules Settings** to [enable new rules](https://docs.sekoia.io/xdr/features/detect/rules_catalog/#automatically) up to the Intermediate level. +- **Configure the Rules Settings** to [enable new rules](/xdr/features/detect/rules_catalog.md#automatically) up to the Intermediate level. -- **Fine-tune detection rules** after each false positive alert through the [available options](https://docs.sekoia.io/xdr/features/detect/rules_catalog/#limiting-the-scope-of-a-rule), primarily using alert filters. +- **Fine-tune detection rules** after each false positive alert through the [available options](/xdr/features/detect/rules_catalog.md#limiting-the-scope-of-a-rule), primarily using alert filters. - **Activate a new wave of higher effort level rules** after the initial RUN period, representing: @@ -33,10 +33,10 @@ To ensure comprehensive and effective coverage, it is crucial to configure your - **2 company wide Network Based Intake** (e.g., Loadbalancer/Reverse-Proxy, Proxy, DNS). They help monitor internal network traffic and detect anomalies such as lateral movements by attackers and suspicious communications. - **1 company wide Email Security Based Intake** (e.g., Office, ProofPoint, Vade) **with security options enabled**. This helps identify phishing attacks, malware transmitted via email, and other email-related threats. - **1 Identity and Access Management Based Intake** for **on-premise** environments (e.g., Active Directory, Okta, Wallix) **and 1 for cloud** environments if applicable (e.g., Azure Entra ID, Cloudflare Access Requests, Google Workspace). This helps detect suspicious activities related to user access, such as unauthorized login attempts and privilege changes, and ensures security oversight across both on-premise and cloud environments. -- **Activity Logs**: Ensure that [Sekoia.io activity logs](https://docs.sekoia.io/integration/integrations/application/sekoiaio_activity_logs/) are activated. This allows monitoring actions and changes within the Sekoia.io platform itself, ensuring complete transparency and traceability. -- **No intake should have zero events received** in the past 7 days. An intake without events can indicate a configuration or data collection issue, compromising threat detection capability. Ensure that notifications are configured to alert in the case of [an event drop for an intake](https://docs.sekoia.io/getting_started/notifications-Examples/#intakes). +- **Activity Logs**: Ensure that [Sekoia.io activity logs](/integration/categories/applicative/sekoiaio_activity_logs.md) are activated. This allows monitoring actions and changes within the Sekoia.io platform itself, ensuring complete transparency and traceability. +- **No intake should have zero events received** in the past 7 days. An intake without events can indicate a configuration or data collection issue, compromising threat detection capability. Ensure that notifications are configured to alert in the case of [an event drop for an intake](/getting_started/notifications-Examples.md#intakes). -- **Use the [Sekoia.io Forwarder](https://docs.sekoia.io/integration/ingestion_methods/syslog/sekoiaio_forwarder/)** each time you need to forward On Premise events via syslog protocol to Sekoia.io SOC Platform to ease discriminate logs before adding them the relevant Intake Key. It also is the only log forwarder that our Support team will be able to provide you with assistance. +- **Use the [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md)** each time you need to forward On Premise events via syslog protocol to Sekoia.io SOC Platform to ease discriminate logs before adding them the relevant Intake Key. It also is the only log forwarder that our Support team will be able to provide you with assistance. ### Events Quality @@ -66,27 +66,27 @@ Playbooks complement operational optimization by automating various types of man - **Keep the number of playbook executions per day low**: Aim for less than 60 executions per playbook per day, aligning with the number of raised alerts. Each playbook should have a specific objective to meet a particular need. - **Design playbooks with simplicity in mind**: On average, each playbook should be composed of less than 15 modules, including: - - **1 [Trigger](https://docs.sekoia.io/xdr/features/automate/triggers/)** such as the “Manual trigger” or “Alert created” trigger **with a filter condition** to start the playbook only for relevant cases. - - **Some [Operator](https://docs.sekoia.io/xdr/features/automate/operators/) modules** like "[Condition](https://docs.sekoia.io/xdr/features/automate/operators/#condition)" and "[Foreach](https://docs.sekoia.io/xdr/features/automate/operators/#foreach)" to halt the playbook execution if new information gathered during the process indicates that the playbook is unnecessary in the current context. - - **A majority of [Action](https://docs.sekoia.io/xdr/features/automate/actions/) modules** making it easily understandable for new team members and maintainable over time. To give you more details on the top 10 most used playbook Actions, here is a list: - - 1. [Read JSON File](https://docs.sekoia.io/xdr/features/automate/library/fileutils/#read-json-file) - 2. [Comment Alert](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#comment-alert) - 3. [Get Alert](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#get-alert) - 4. [Request URL](https://docs.sekoia.io/xdr/features/automate/library/http/#request-url) - 5. [Update Alert Status](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#update-alert-status) - 6. [Get Events](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#get-events) - 7. [VirusTotal Scan URL](https://docs.sekoia.io/xdr/features/automate/library/virustotal/#scan-url) - 8. [Get Event Field Common Values](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#get-event-field-common-values) - 9. [Edit Alert](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#edit-alert) - 10. [VirusTotal Scan Hash](https://docs.sekoia.io/xdr/features/automate/library/virustotal/#scan-hash) - -For instance, the following [playbook template](https://docs.sekoia.io/xdr/features/automate/build-playbooks/#templates) composed of 9 modules (1 Trigger, 1 Operator, 7 Actions) answers the need of adding a domain in a blocklist (IOC Collection). + - **1 [Trigger](/xdr/features/automate/triggers.md)** such as the “Manual trigger” or “Alert created” trigger **with a filter condition** to start the playbook only for relevant cases. + - **Some [Operator](/xdr/features/automate/operators.md) modules** like "[Condition](https://docs.sekoia.io/xdr/features/automate/operators/#condition)" and "[Foreach](/xdr/features/automate/operators.md#foreach)" to halt the playbook execution if new information gathered during the process indicates that the playbook is unnecessary in the current context. + - **A majority of [Action](/xdr/features/automate/actions.md) modules** making it easily understandable for new team members and maintainable over time. To give you more details on the top 10 most used playbook Actions, here is a list: + + 1. [Read JSON File](/xdr/features/automate/library/fileutils.md#read-json-file) + 2. [Comment Alert](/xdr/features/automate/library/sekoia-io.md#comment-alert) + 3. [Get Alert](/xdr/features/automate/library/sekoia-io.md#get-alert) + 4. [Request URL](/xdr/features/automate/library/http.md#request-url) + 5. [Update Alert Status](/xdr/features/automate/library/sekoia-io.md#update-alert-status) + 6. [Get Events](/xdr/features/automate/library/sekoia-io.md#get-events) + 7. [VirusTotal Scan URL](/xdr/features/automate/library/virustotal.md#scan-url) + 8. [Get Event Field Common Values](/xdr/features/automate/library/sekoia-io.md#get-event-field-common-values) + 9. [Edit Alert](/xdr/features/automate/library/sekoia-io.md#edit-alert) + 10. [VirusTotal Scan Hash](/xdr/features/automate/library/virustotal.md#scan-hash) + +For instance, the following [playbook template](/xdr/features/automate/build-playbooks.md#templates) composed of 9 modules (1 Trigger, 1 Operator, 7 Actions) answers the need of adding a domain in a blocklist (IOC Collection). ![playbook_example](/assets/getting_started/playbook_example.png){: style="max-width:100%"} - **Ensure the duration of each Action** within playbooks is less than 10 seconds to reduce the chance of a timeout with most third-party tools you interact with. -- **Track the overall [duration of playbook executions](https://docs.sekoia.io/xdr/features/automate/navigate-playbooks/#playbook-runs)** for each playbook to complete its execution in less than 1 minute. +- **Track the overall [duration of playbook executions](/xdr/features/automate/navigate-playbooks.md)** for each playbook to complete its execution in less than 1 minute. - **Ensure no playbook is having an issue** that is visible with the status "Trigger crashed" and "Configuration issues". - **Keep a low number of "Ready to start" playbooks**, for instance less than 2, to avoid activation issue after a long period of configuration due to confict with recent evolutions of your community. diff --git a/docs/getting_started/get_troubleshooting_tips.md b/docs/getting_started/get_troubleshooting_tips.md index 8f27d435c1..9685027bfb 100644 --- a/docs/getting_started/get_troubleshooting_tips.md +++ b/docs/getting_started/get_troubleshooting_tips.md @@ -12,7 +12,7 @@ If Sekoia.io can't maintain WebSocket connections on the browser, the web applic **Step 1: Contact your network administrator** -Contact your network administrator to make sure they support WebSocket connections. Also ask it to review login attempts to the following URL: [app.sekoia.io/live](app.sekoia.io/live) +Contact your network administrator to make sure they support WebSocket connections. Also ask it to review login attempts to the following URL: [app.sekoia.io/live](wss://app.sekoia.io/live) **Step 2: Collect and send us network logs** diff --git a/docs/getting_started/invite_users.md b/docs/getting_started/invite_users.md index 63324f490d..23eb58c3fd 100644 --- a/docs/getting_started/invite_users.md +++ b/docs/getting_started/invite_users.md @@ -1,23 +1,23 @@ # Invite users to join your workspace -To invite users to a workspace or a community, you need to send them an invitation to join you on Sekoia.io. You can invite as many users as needed as soon as you are an Administrator of the workspace/community. +To invite users to a workspace or a community, you need to send them an invitation to join you on Sekoia.io. You can invite as many users as needed as soon as you are an Administrator of the workspace/community. -However, depending on the [type of community](concepts.md) you are in, the invitation process can differ. +However, depending on the [type of community](concepts.md) you are in, the invitation process can differ. -In this documentation, you will learn how to add news users to a workspace or a community. +In this documentation, you will learn how to add news users to a workspace or a community. ## Add new users to a workspace -To invite new users to a workspace, follow these steps: +To invite new users to a workspace, follow these steps: -1. Navigate to the `Settings` page from the menu +1. Navigate to the `Settings` page from the menu 2. On the `Users` page, click the `Add new users` button -3. Enter the email addresses of the users you want to invite, separating each with a comma +3. Enter the email addresses of the users you want to invite, separating each with a comma 4. Select the communities you want to add them to -5. Assign roles to your guests. You can either select the default ones or create custom roles based on chosen permissions. Check this documentation to learn how to [create custom roles](docs/getting_started/roles.md). +5. Assign roles to your guests. You can either select the default ones or create custom roles based on chosen permissions. Check this documentation to learn how to [create custom roles](/getting_started/roles.md). -These steps are the same whether you want to invite new users to a workspace or to a community. -In case it's a multi-tenant workspace, the invited user will only have access to the selected community, not the whole workspace. +These steps are the same whether you want to invite new users to a workspace or to a community. +In case it's a multi-tenant workspace, the invited user will only have access to the selected community, not the whole workspace. !!! note A welcome email with a password set link is sent only to new users on Sekoia.io (excluding existing members in other communities). @@ -25,10 +25,3 @@ In case it's a multi-tenant workspace, the invited user will only have access to ## Automatic creation of users with SSO Okta As mentioned on [this page](sso/openid_connect.md): Workspace admins who have enabled SSO with Okta can configure an option to automatically create new users accounts in their workspace. When a user logs-in for the first time, their account will be automatically created. You can set the default role for newly created users, and you can choose the default role among all the roles available in your community. - - - - - - - diff --git a/docs/getting_started/sso/azure.md b/docs/getting_started/sso/azure.md index 838c5468c8..d9c59da872 100644 --- a/docs/getting_started/sso/azure.md +++ b/docs/getting_started/sso/azure.md @@ -5,7 +5,7 @@ In order to configure Azure with Sekoia.io, the following steps must be done: 1. Verify that the user that will connect have a complete profile. To authenticate, the profile must have the following information: email address, first name, last name and full name 2. Create a new application on Azure 3. Connect to Sekoia.io, add a new domain that belongs to your community and wait for its validation -4. Configure OpenID Connect in Sekoia.io (see associated documentation [Single Sign-On With OpenID Connect](/getting_started/sso/openid_connect)) +4. Configure OpenID Connect in Sekoia.io (see associated documentation [Single Sign-On With OpenID Connect](/getting_started/sso/openid_connect.md)) ## Create a Microsoft Entra ID (Azure AD) app registration diff --git a/docs/getting_started/sso/okta.md b/docs/getting_started/sso/okta.md index 61bdfe6c36..bc0ac4a4f2 100644 --- a/docs/getting_started/sso/okta.md +++ b/docs/getting_started/sso/okta.md @@ -4,7 +4,7 @@ In order to configure Okta with Sekoia.io, the following steps must be done: 1. Create a new application in your Okta admin console 2. Connect to Sekoia.io and add a new domain that belongs to your community and wait for its validation. -3. Configure OpenID Connect in Sekoia.io. (see associated documentation [Single Sign-On With OpenID Connect](/getting_started/sso/openid_connect)) +3. Configure OpenID Connect in Sekoia.io. (see associated documentation [Single Sign-On With OpenID Connect](/getting_started/sso/openid_connect.md)) ## Create a new application in Okta diff --git a/docs/getting_started/sso/openid_connect.md b/docs/getting_started/sso/openid_connect.md index ebb0f44935..3caaee2636 100644 --- a/docs/getting_started/sso/openid_connect.md +++ b/docs/getting_started/sso/openid_connect.md @@ -38,7 +38,7 @@ You can choose to enable the automatic creation of users' accounts in your commu By using this feature, when a user logs-in for the first time, their account will be automatically created. You can set the default role for newly created users, and you can choose the default role among all the roles available in your community. -If you don't enable "just-in-time" account creation, you will have to manually create user accounts. You can learn more about how to create user accounts in the article [Invite users](invite_users.md)". +If you don't enable "just-in-time" account creation, you will have to manually create user accounts. You can learn more about how to create user accounts in the article [Invite users](/getting_started/invite_users.md)". ## Login method diff --git a/docs/integration/categories/applicative/azure_files.md b/docs/integration/categories/applicative/azure_files.md index 063f4f4f29..fcb760e2e5 100644 --- a/docs/integration/categories/applicative/azure_files.md +++ b/docs/integration/categories/applicative/azure_files.md @@ -58,7 +58,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/feature/automate/library/microsoft-azure/#consume-eventhub-messages) +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/features/automate/library/microsoft-azure.md#consume-eventhub-messages) 2. Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/applicative/github_audit_logs.md b/docs/integration/categories/applicative/github_audit_logs.md index b7bd3a7c24..e716e9fe50 100644 --- a/docs/integration/categories/applicative/github_audit_logs.md +++ b/docs/integration/categories/applicative/github_audit_logs.md @@ -21,7 +21,7 @@ This setup guide describes how to forward audit logs from Github to Sekoia.io. - Your organization must use GitHub Entreprise Cloud to [get access to audit log API](https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api) - You must be Administrator of the organization. There are two options on how to configure connector: * [With Github API Key](#creating-the-github-api-key) - * [With Github PEM file](#creating-the-github-pem-file) + * [With Github PEM file](#create-the-github-pem-file) ### Creating the Github API key @@ -38,7 +38,7 @@ To create an API key on [Github](https://github.com/): ![Personal tokens](/assets/instructions/github_audit_logs/personal_tokens.png) ![Generate new token](/assets/instructions/github_audit_logs/generate_new_token.png) - + ![Generate new token](/assets/instructions/github_audit_logs/generate_new_token.png) 3. Validate the configuration and save the token for the configuration of the connector. @@ -51,32 +51,32 @@ To create an API key on [Github](https://github.com/): ![Users organizations](/assets/instructions/github_audit_logs/users_organizations.png) 2. Select organization you want to create PEM file for: - + ![Select organization](/assets/instructions/github_audit_logs/select_organization.png) 3. Scroll to `Developer settings` and select `Github apps`: - + ![Org developer settings](/assets/instructions/github_audit_logs/github_apps.png) 4. Click on edit `Github app`: - + ![Edit Github app](/assets/instructions/github_audit_logs/edit_github_app.png) * Make sure you have all necessary rights (#1) * After that click on edit (#2) - + 5. Go to `General` section: - + ![General](/assets/instructions/github_audit_logs/general_section.png) 6. Scroll to `Private keys` section and click on `Generate a private key`: - + ![Private keys](/assets/instructions/github_audit_logs/generate_private_key.png) 7. Follow all necessary instructions and save PEM file for the configuration of the connector. 8. Scroll up and copy `App ID` for the configuration of the connector. - + ![App ID](/assets/instructions/github_audit_logs/app_id.png) 9. As a result you should have `App ID` and `PEM file` for the configuration of the connector. @@ -89,7 +89,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new audit logs from Github](/integration/action_library/collaboration_tools/github) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new audit logs from Github](/integration/action_library/github.md) trigger 2. Set up the module configuration with the Github organization and the APIkey. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events @@ -100,4 +100,3 @@ To start to pull events, you have to: {!_shared_content/operations_center/detection/generated/suggested_rules_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md!} - diff --git a/docs/integration/categories/applicative/salesforce.md b/docs/integration/categories/applicative/salesforce.md index 0011ea100d..bfd745b8c0 100644 --- a/docs/integration/categories/applicative/salesforce.md +++ b/docs/integration/categories/applicative/salesforce.md @@ -60,7 +60,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Salesforce](/integration/action_library/applicative/salesforce) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Salesforce](/integration/action_library/salesforce.md) trigger 2. Set up the module configuration with the consumer key and consumer secret. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/applicative/sekoiaio_forwarder_logs.md b/docs/integration/categories/applicative/sekoiaio_forwarder_logs.md index d11927d257..b17b75e360 100644 --- a/docs/integration/categories/applicative/sekoiaio_forwarder_logs.md +++ b/docs/integration/categories/applicative/sekoiaio_forwarder_logs.md @@ -16,11 +16,11 @@ Sekoia.io forwarder logs collect all statictics coming from Sekoia forwarder ins ## Configure -To monitor forwarder health, create a new intake `Sekoia.io forwarer logs` in your community. Once the intake is enabled, please follow [this documentation](/integration/ingestion_methods/syslog/sekoiaio_forwarder/#monitor-your-concentrator) in order to activate metrics on the forwarder side. You can find also details about the generated metrics +To monitor forwarder health, create a new intake `Sekoia.io forwarer logs` in your community. Once the intake is enabled, please follow [this documentation](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md#monitor-your-concentrator) in order to activate metrics on the forwarder side. You can find also details about the generated metrics -{!_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671fc_sample.md!} +{!_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671_sample.md!} {!_shared_content/integration/detection_section.md!} -{!_shared_content/operations_center/detection/generated/suggested_rules_915a119c-2ec8-4482-a3c6-4d4cae62b671fc_do_not_edit_manually.md!} -{!_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671fc.md!} +{!_shared_content/operations_center/detection/generated/suggested_rules_915a119c-2ec8-4482-a3c6-4d4cae62b671_do_not_edit_manually.md!} +{!_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md!} diff --git a/docs/integration/categories/applicative/systancia_cleanroom.md b/docs/integration/categories/applicative/systancia_cleanroom.md index c968707be7..297cf80792 100644 --- a/docs/integration/categories/applicative/systancia_cleanroom.md +++ b/docs/integration/categories/applicative/systancia_cleanroom.md @@ -22,12 +22,12 @@ This setup guide will show you how to forward your Systancia Cleanroom logs to S ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. ### Systancia Cleanroom 1. In the Systancia Clearoom system console, go to `Logger settings` - + ![logger_settings.png](/assets/integration/application/systancia-cleanroom/logger_settings.png) 2. In the `Logger setting` panel: @@ -49,4 +49,3 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n {!_shared_content/operations_center/detection/generated/suggested_rules_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md!} - diff --git a/docs/integration/categories/applicative/veeam_backup.md b/docs/integration/categories/applicative/veeam_backup.md index d841538d4e..86e2125f3e 100644 --- a/docs/integration/categories/applicative/veeam_backup.md +++ b/docs/integration/categories/applicative/veeam_backup.md @@ -54,7 +54,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_sample.md!} diff --git a/docs/integration/categories/email/message_trace.md b/docs/integration/categories/email/message_trace.md index 345defd1f4..e73906dbd2 100644 --- a/docs/integration/categories/email/message_trace.md +++ b/docs/integration/categories/email/message_trace.md @@ -21,7 +21,7 @@ According to [docs.microsoft.com](https://docs.microsoft.com/en-us/microsoft-365 - Microsoft Defender for Office 365 plan 1 and plan 2 - Microsoft 365 Defender -In Sekoia.io XDR, [create a new intake key](/xdr/features/collect/intakes/#create-an-intake-from-our-integrations-catalog) using the "Message Trace" format. +In Sekoia.io XDR, [create a new intake key](/xdr/features/collect/intakes.md#create-an-intake-from-our-integrations-catalog) using the "Message Trace" format. ## Configure OAuth @@ -144,4 +144,3 @@ If your user cannot access the MessageTrace API, please visit the [Azure Sign-in {!_shared_content/operations_center/detection/generated/suggested_rules_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md!} - diff --git a/docs/integration/categories/email/o365.md b/docs/integration/categories/email/o365.md index ed967efecb..abf65130db 100644 --- a/docs/integration/categories/email/o365.md +++ b/docs/integration/categories/email/o365.md @@ -112,7 +112,7 @@ Go to your Sekoia.io [playbooks page](https://app.sekoia.io/operations/playbooks #### Alternative mode If you are unable or you don't want to collect Office 365 logs through the management API, -Sekoia.io also supports Office 365 log collection through Azure EventHub. Follow [this guide](/integration/categories/endpoint/azure_windows) for more details on this solution. +Sekoia.io also supports Office 365 log collection through Azure EventHub. Follow [this guide](/integration/categories/endpoint/azure_windows.md) for more details on this solution. ### Collect Microsoft Defender for Office365 events diff --git a/docs/integration/categories/email/postfix.md b/docs/integration/categories/email/postfix.md index c5cdb6289d..4ec624ae27 100644 --- a/docs/integration/categories/email/postfix.md +++ b/docs/integration/categories/email/postfix.md @@ -17,7 +17,7 @@ As of now, the main solution to collect Postfix logs leverages the Rsyslog recip ### Rsyslog -Please refer to the documentation of Postfix to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please refer to the documentation of Postfix to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd_sample.md!} diff --git a/docs/integration/categories/email/proofpoint_pod.md b/docs/integration/categories/email/proofpoint_pod.md index 31b828f493..0157d843b2 100644 --- a/docs/integration/categories/email/proofpoint_pod.md +++ b/docs/integration/categories/email/proofpoint_pod.md @@ -34,7 +34,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Pull events -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint PoD connector](/integration/action_library/applicative/proofpoint/#get-proofpoint-pod-events). +Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint PoD connector](/integration/action_library/proofpoint.md#get-proofpoint-pod-events). Set up the trigger configuration with the api key, the cluster id and the intake key. Customize others parameters if needed. diff --git a/docs/integration/categories/email/proofpoint_tap.md b/docs/integration/categories/email/proofpoint_tap.md index 4929d5cb26..d95a789316 100644 --- a/docs/integration/categories/email/proofpoint_tap.md +++ b/docs/integration/categories/email/proofpoint_tap.md @@ -7,7 +7,7 @@ type: intake Proofpoint Targeted Attack Protection (TAP) helps detect, mitigate, and block advanced threats that target people through email. - **Vendor**: Proofpoint -- **Supported environment**: Cloud +- **Supported environment**: Cloud - **Detection based on**: Telemetry - **Supported application or feature**: Email gateway @@ -31,7 +31,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Pull events -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint TAP connector](/integration/action_library/applicative/proofpoint/#get-proofpoint-tap-events). +Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [ProofPoint TAP connector](/integration/action_library/proofpoint.md#get-proofpoint-tap-events). Set up the trigger configuration with the service principal, the secret and the intake key. Customize others parameters if needed. diff --git a/docs/integration/categories/email/vade.md b/docs/integration/categories/email/vade.md index 8d45f702dc..90e448f65d 100644 --- a/docs/integration/categories/email/vade.md +++ b/docs/integration/categories/email/vade.md @@ -36,7 +36,7 @@ Lastly, you must add the Sekoia's action `Push Events to intake` to the graph an - the Sekoia.io `api_key` generated within the user center - the `base_url` (`https://intake.sekoia.io`) - the `events_path` to push on Intake (your logs, you will probably fill it with `{{ node.0['emails_path'] }}`) -- the `intake_key` of the intake you have previously created (documentation can be found [here](/xdr/features/collect/intakes)) +- the `intake_key` of the intake you have previously created (documentation can be found [here](/xdr/features/collect/intakes.md)) {!_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_sample.md!} diff --git a/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md b/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md index 7b235fa6ae..0071cc8df1 100644 --- a/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md +++ b/docs/integration/categories/endpoint/checkpoint_harmony_mobile.md @@ -41,7 +41,7 @@ To create the intake, go to the [intake page](https://app.sekoia.io/operations/i To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Check Point Harmony Mobile](/integration/action_library/network/check-point) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Check Point Harmony Mobile](/integration/action_library/check-point.md) trigger 2. Set up the module configuration with the Client ID, Client Secret and Authentication URL. 3. Set up the trigger configuration with the intake key 4. Start the playbook and enjoy your events diff --git a/docs/integration/categories/endpoint/crowdstrike_falcon.md b/docs/integration/categories/endpoint/crowdstrike_falcon.md index 18b2cd25c1..08413571cd 100644 --- a/docs/integration/categories/endpoint/crowdstrike_falcon.md +++ b/docs/integration/categories/endpoint/crowdstrike_falcon.md @@ -58,7 +58,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch CrowdStrike Falcon Events](/integration/action_library/endpoint/crowdstrike-falcon) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch CrowdStrike Falcon Events](/integration/action_library/crowdstrike-falcon.md) trigger 2. Set up the module configuration with the base URL of the API (e.g. https://api.eu-1.crowdstrike.com), your client id and your client secret. Set up the trigger configuration with the intake key. 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md b/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md index 2b8e287c29..e2358fb1a2 100644 --- a/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md +++ b/docs/integration/categories/endpoint/crowdstrike_falcon_telemetry.md @@ -47,7 +47,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from CrowdStrike Data replication](/integration/action_library/endpoint/crowdstrike) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from CrowdStrike Data replication](/integration/action_library/crowdstrike.md) trigger 2. Set up the module configuration with your client id, the client secret and the region. Set up the trigger configuration with the intake key and the queue name. 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/endpoint/cybereason_malop.md b/docs/integration/categories/endpoint/cybereason_malop.md index e7494bd34b..a16414955b 100644 --- a/docs/integration/categories/endpoint/cybereason_malop.md +++ b/docs/integration/categories/endpoint/cybereason_malop.md @@ -12,7 +12,7 @@ Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Thro !!! warning If your tenant uses an allowlist to authorize connections, please ensure that Sekoia.io's IPs are allowed. - See our [FAQ](/xdr/FAQ) to get our IPs. + See our [FAQ](/xdr/FAQ.md) to get our IPs. ## Configure @@ -21,7 +21,7 @@ This setup guide will lead you into forwarding all MalOp activities to Sekoia.io ### Prerequisites -To forward events produced by Cybereason to Sekoia.io, you will need your Cybereason username and password. +To forward events produced by Cybereason to Sekoia.io, you will need your Cybereason username and password. !!! warning Please ensure the user has, at least, `Analyst L2` rights granted. @@ -33,9 +33,9 @@ Keep aside the intake key. ### Pull events -To start pulling events, you have to: +To start pulling events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from Cybereason](/integration/action_library/endpoint/cybereason.md) module. +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from Cybereason](/integration/action_library/cybereason.md) module. 2. Set up the module configuration with your Cybereason username and password. 3. Set up the trigger configuration with your intake key 4. Start the playbook and enjoy your [events](https://app.sekoia.io/operations/events). diff --git a/docs/integration/categories/endpoint/cybereason_malop_activity.md b/docs/integration/categories/endpoint/cybereason_malop_activity.md index 0e1ecf860d..46b9567a4d 100644 --- a/docs/integration/categories/endpoint/cybereason_malop_activity.md +++ b/docs/integration/categories/endpoint/cybereason_malop_activity.md @@ -29,7 +29,7 @@ Keep aside the intake key. ### Setup the Syslog collector -Check the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to install and set up the syslog collector. +Check the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to install and set up the syslog collector. Once the setup has completed, write down the IP address and port. This information will be used in the next step. diff --git a/docs/integration/categories/endpoint/eset_protect.md b/docs/integration/categories/endpoint/eset_protect.md index 3777332fcd..7ff07acd3a 100644 --- a/docs/integration/categories/endpoint/eset_protect.md +++ b/docs/integration/categories/endpoint/eset_protect.md @@ -74,7 +74,7 @@ To enable Syslog server in ESET Protect on On-Prem : ![Syslog configuration](/assets/instructions/eset_protect/enable_syslog_2.png) !!! warning - Important note - For ESET Protect Cloud, you will required a secured syslog forwarder. Please read our article [how to secure data collection to the syslog forwarder](intergration/ingestion_methods/syslog/secured_forwarded.md) + Important note - For ESET Protect Cloud, you will required a secured syslog forwarder. Please read our article [how to secure data collection to the syslog forwarder](/integration/ingestion_methods/syslog/secured_forwarding.md) To enable Syslog server in ESET Protect on Cloud: @@ -113,4 +113,3 @@ To enable Syslog server in ESET Protect on Cloud: - [Export logs to Syslog server from ESET PROTECT (8.x–10.x)](https://techcenter.eset.nl/en-US/kb/articles/export-logs-to-syslog-server-from-eset-protect-8x-10x) - [Collect logs from ESET PROTECT with Elastic Agent](https://docs.elastic.co/integrations/eset_protect#to-collect-data-from-eset-protect-via-syslog-follow-the-below-steps) - [Support: Export logs to Syslog server from ESET PROTECT On-Prem](https://support.eset.com/en/kb8022-export-logs-to-syslog-server-from-eset-protect) - diff --git a/docs/integration/categories/endpoint/google_kubernetes_engine.md b/docs/integration/categories/endpoint/google_kubernetes_engine.md index 16c0b0caf7..310b6770f6 100644 --- a/docs/integration/categories/endpoint/google_kubernetes_engine.md +++ b/docs/integration/categories/endpoint/google_kubernetes_engine.md @@ -10,12 +10,12 @@ type: intake There are different types of logs produced by GKE: -**Auditd logs**: Most important logs from a security point of view. We recommend that you use [Auditbeat](/integration/categories/endpoint/auditbeat_linux) to collect Auditd logs. +**Auditd logs**: Most important logs from a security point of view. We recommend that you use [Auditbeat](/integration/categories/endpoint/auditbeat_linux.md) to collect Auditd logs. **Flow Logs**: From [Google VPC FLow Logs documentation](https://cloud.google.com/vpc/docs/using-flow-logs): > VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization. -Please read the [dedicated documentation](/integration/categories/network/google_vpc_flow_logs). +Please read the [dedicated documentation](/integration/categories/network/google_vpc_flow_logs.md). (*Intake type: Google VPC Flow Logs*) **Activity logs** (*Intake type: Google Cloud Audit log*): diff --git a/docs/integration/categories/endpoint/ibm_i.md b/docs/integration/categories/endpoint/ibm_i.md index c5354ecd2f..5d55ddbec9 100644 --- a/docs/integration/categories/endpoint/ibm_i.md +++ b/docs/integration/categories/endpoint/ibm_i.md @@ -70,7 +70,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Send logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872_sample.md!} diff --git a/docs/integration/categories/endpoint/kaspersky_endpoint_security.md b/docs/integration/categories/endpoint/kaspersky_endpoint_security.md index 926abca593..1f7452a107 100644 --- a/docs/integration/categories/endpoint/kaspersky_endpoint_security.md +++ b/docs/integration/categories/endpoint/kaspersky_endpoint_security.md @@ -15,9 +15,6 @@ type: intake ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![kaspersky_endpoint_security_architecture](/assets/integration/kaspersky_endpoint_security_architecture.png) ## Specification diff --git a/docs/integration/categories/endpoint/log_insight_windows.md b/docs/integration/categories/endpoint/log_insight_windows.md index fcae49711b..0c0bf99512 100644 --- a/docs/integration/categories/endpoint/log_insight_windows.md +++ b/docs/integration/categories/endpoint/log_insight_windows.md @@ -25,7 +25,7 @@ As of now, the main solution to collect Windows logs with Log Insight leverages ### Rsyslog -Please refer to the documentation of Linux to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please refer to the documentation of Linux to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_sample.md!} diff --git a/docs/integration/categories/endpoint/panda_security_aether.md b/docs/integration/categories/endpoint/panda_security_aether.md index 227a4dc1f8..659806155c 100644 --- a/docs/integration/categories/endpoint/panda_security_aether.md +++ b/docs/integration/categories/endpoint/panda_security_aether.md @@ -34,7 +34,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Pull events -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Panda Security trigger](/integration/action_library/endpoint/panda-security/#fetch-security-events). You can use the existing template to fasten and ease the creation of your playbook. +Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Panda Security trigger](/integration/action_library/panda-security.md#fetch-security-events). You can use the existing template to fasten and ease the creation of your playbook. Set up the module configuration with an access ID, the password of the access ID (`access_secret`), your WatchGuard Cloud account ID (`account_id`), the API Key (`api_key`). Set the `base_url` with the domain part of the API Url (e.g: for the API URL `https://api.usa.cloud.watchguard.com/rest/`, the `base_url` is `https://api.usa.cloud.watchguard.com`). diff --git a/docs/integration/categories/endpoint/sentinelone.md b/docs/integration/categories/endpoint/sentinelone.md index b56f8ca251..c27ac9f13c 100644 --- a/docs/integration/categories/endpoint/sentinelone.md +++ b/docs/integration/categories/endpoint/sentinelone.md @@ -23,7 +23,7 @@ Depending on the context of the log, additional content could be available, such - File information !!! Tip - For advanced log collection, we suggest you use the SentinelOne Cloud Funnel 2.0 option, as described in the [SentinelOne Cloud Funnel 2.0 integration](/integration/categories/endpoint/sentinelone_cloudfunnel2.0). + For advanced log collection, we suggest you use the SentinelOne Cloud Funnel 2.0 option, as described in the [SentinelOne Cloud Funnel 2.0 integration](/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md). ## Configure @@ -41,7 +41,7 @@ This setup guide will show you how to pull events produced by SentinelOne EDR on 4. Select `Create User` and copy the generated API token. !!! note - A `Service User` with the `Site Admin` or `IR Team` role can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](/xdr/features/automate/library/sentinelone). A user with the `Site Viewer` role can view activity events and threats but cannot take action. + A `Service User` with the `Site Admin` or `IR Team` role can mitigate threats from [Sekoia.io](https://app.sekoia.io/) using [SentinelOne playbook actions](/xdr/features/automate/library/sentinelone.md). A user with the `Site Viewer` role can view activity events and threats but cannot take action. ## Create a SentinelOne intake @@ -52,11 +52,11 @@ In the [Sekoia.io Operation Center](https://app.sekoia.io/operations/intakes): 3. Click `Create` under the relevant object (SentinelOne EDR or SentinelOne Cloud Funnel). 4. Enter the `Name` of your intake that will be displayed, select the related `Entity` from the dropdown, and then select `Automatically`: -![SentinelOne EDR Intake creation](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone-configure-intake.png){: style="max-width:60%"} +![SentinelOne EDR Intake creation](/assets/integration/endpoint/sentinelone/sentinelone-configure-intake.png){: style="max-width:60%"} 5. Enter the previously downloaded SentinelOne `API token` and the related `URL Domain`: -![SentinelOne EDR secret](/assets/operation_center/integration_catalog/endpoint/sentinelone/sentinelone_edr_api.png){: style="max-width:60%"} +![SentinelOne EDR secret](/assets/integration/endpoint/sentinelone/sentinelone_edr_api.png){: style="max-width:60%"} {!_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md!} diff --git a/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md b/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md index 0335f8744e..d8fc7dd57a 100644 --- a/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md +++ b/docs/integration/categories/endpoint/sentinelone_cloudfunnel2.0.md @@ -17,7 +17,7 @@ SentinelOne Deep Visibility logs provides in-depth logs that are useful for dete No additional installation or configuration on the agents is needed. !!! warning - Alerts and Events logs from the SentinelOne console are not available with CloudFunnel. To collect events to be able to have information on access to the console, one must configure the SentinelOne log collection from API as documented [here](/integration/categories/endpoint/sentinelone). + Alerts and Events logs from the SentinelOne console are not available with CloudFunnel. To collect events to be able to have information on access to the console, one must configure the SentinelOne log collection from API as documented [here](/integration/categories/endpoint/sentinelone.md). Please find bellow a short list of activities that are available for security supervision thanks to SentinelOne Deep Visibility logs: @@ -70,7 +70,7 @@ To enable SentinelOne's AWS account to perform necessary operations such as list By following these steps, you can set up the AWS S3 bucket to seamlessly handle SentinelOne Deep Visibility telemetry data. -{!_shared_content/operations_center/integrations/aws_create_s3_notification.md!} +{!_shared_content/operations_center/integrations/aws_create_s3_sqs_notification.md!} ### Setup SentinelOne Cloud Funnel 2.0 @@ -95,7 +95,7 @@ In the [Sekoia.io Operations Center](https://app.sekoia.io/operations/intakes): To start pulling events, follow these steps: 1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) -2. Create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/cloud_providers/aws#fetch-new-logs-on-s3) +2. Create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) 3. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name 4. Set up the trigger configuration with the name of the SQS queue and the intake key (from the intake previously created) 5. Start the playbook and enjoy your events diff --git a/docs/integration/categories/endpoint/sophos_edr.md b/docs/integration/categories/endpoint/sophos_edr.md index 3937e0229a..75b7cd45f8 100644 --- a/docs/integration/categories/endpoint/sophos_edr.md +++ b/docs/integration/categories/endpoint/sophos_edr.md @@ -10,7 +10,7 @@ This EDR reduces the attack surface and prevent attacks from running with an ant This setup guide shows how to forward events produced by Sophos EDR to Sekoia.io. - **Vendor**: Sophos -- **Supported environment**: Cloud +- **Supported environment**: Cloud - **Detection based on**: Telemetry - **Supported application or feature**: File monitoring, Process monitoring @@ -39,7 +39,7 @@ In the Sophos Central Admin console: 1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). 2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. 3. Give it a name and a description and click on `Next`. -4. In `Choose a trigger`, select the [Get Sophos events](/integration/action_library/endpoint/sophos/#get-sophos-events). +4. In `Choose a trigger`, select the [Get Sophos events](/integration/action_library/sophos.md). 5. Click on the `Get Sophos events` module on the right sidebar and in the `Module Configuration` section, select `Create new configuration`. 6. Write a `name` and paste the `client_id` and `client_secret` from the Sophos console and click on `Save`. diff --git a/docs/integration/categories/endpoint/stormshield_ses.md b/docs/integration/categories/endpoint/stormshield_ses.md index 5928713958..87ce192f73 100644 --- a/docs/integration/categories/endpoint/stormshield_ses.md +++ b/docs/integration/categories/endpoint/stormshield_ses.md @@ -25,9 +25,9 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n 2. Go to `Backoffice > Agent handlers` 3. Select an Agent handler group or create a new one 4. On the Agent handler group, in the `Syslog servers`, click `+ Add a server` - ![Agent handlers](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_01.png){: style="max-width:100%"} + ![Agent handlers](/assets/integration/endpoint/stormshield/stormshield_ses_01.png){: style="max-width:100%"} 5. In the syslog server configuration: - + 1. Set the address of the syslog destination to `intake.sekoia.io` 2. Select `TCP/TLS` as the protocol 3. Define the syslog destination port to 10514 @@ -35,7 +35,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n 5. Select `Non-Transparent-Framing` as transfert-type 6. In the `Structured data` input, add `[SEKOIA@53288 intake_key=""]` with our intake key as replacement of the placeholder 7. Save the configuration - ![Configuration](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_02.png){: style="max-width:100%"} + ![Configuration](/assets/integration/endpoint/stormshield/stormshield_ses_02.png){: style="max-width:100%"} ## Troubleshooting @@ -45,12 +45,12 @@ The Sekoia.io syslog endpoint is secured with a [Letsencrypt](https://letsencryp According to our SES Agent handler installation, it may be necessary to install `ISRG ROOT X1` certificate in our **trusted root certification authorities certificate store**: -On the SES Agent handler machines: +On the SES Agent handler machines: 1. Download the `ISRG ROOT X1` certificate: 2. Rename the downloaded certificate by suffixing it with the extension`.crt` 3. Import the certificate in the trusted root certification authorities certificate store of the machine - ![Certificate store](/assets/operation_center/integration_catalog/endpoint/stormshield/stormshield_ses_03.png){: style="max-width:100%"} + ![Certificate store](/assets/integration/endpoint/stormshield/stormshield_ses_03.png){: style="max-width:100%"} {!_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_sample.md!} diff --git a/docs/integration/categories/endpoint/tanium.md b/docs/integration/categories/endpoint/tanium.md index b8902b6ed7..1b30a66fa0 100644 --- a/docs/integration/categories/endpoint/tanium.md +++ b/docs/integration/categories/endpoint/tanium.md @@ -13,7 +13,7 @@ Tanium solutions manage and protect networks and endpoints. ## Configure -Tanium logs can be collected under the rsyslog format and then forward to Sekoia.io. Refer to the official documentation of Tanium to forward your logs under rsyslog format and consult the [Rsyslog Transport](/integration/ingestion_methods/rsyslog) documentation to forward these logs to Sekoia.io. +Tanium logs can be collected under the rsyslog format and then forward to Sekoia.io. Refer to the official documentation of Tanium to forward your logs under rsyslog format and consult the [Rsyslog Transport](/integration/ingestion_methods/rsyslog.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5_sample.md!} diff --git a/docs/integration/categories/endpoint/tehtris_edr.md b/docs/integration/categories/endpoint/tehtris_edr.md index 13df9ed0be..29ab56d259 100644 --- a/docs/integration/categories/endpoint/tehtris_edr.md +++ b/docs/integration/categories/endpoint/tehtris_edr.md @@ -9,7 +9,7 @@ TEHTRIS EDR is a security product to monitor, detect and mitigate threats on end This setup guide shows how to forward events produced by TEHTRIS EDR to Sekoia.io. - **Vendor**: TEHTRIS -- **Supported environment**: On Cloud +- **Supported environment**: On Cloud - **Detection based on**: Telemetry / Alert - **Supported application or feature**: File monitoring, Process monitoring and Anti-virus @@ -36,7 +36,7 @@ To create the intake, go to the [intake page](https://app.sekoia.io/operations/i To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from TEHTRIS](/integration/action_library/endpoint/tehtris/#fetch-new-events-from-tehtris) module +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new events from TEHTRIS](/integration/action_library/tehtris.md#fetch-new-events-from-tehtris) module 2. Set up the module configuration with your API key and your tenant ID (most of time, your tenant ID is the subdomain of your TEHTRIS instance; eg: `https://{tenant_id}.tehtris.net`) diff --git a/docs/integration/categories/endpoint/trellix_edr.md b/docs/integration/categories/endpoint/trellix_edr.md index be57bc2b68..0c52e22d10 100644 --- a/docs/integration/categories/endpoint/trellix_edr.md +++ b/docs/integration/categories/endpoint/trellix_edr.md @@ -10,7 +10,7 @@ type: intake - **Supported application or feature**: Trellix has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks. - + ## Configure @@ -30,7 +30,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/endpoint/trellix) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/trellix.md) trigger 2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events @@ -41,4 +41,3 @@ To start to pull events, you have to: {!_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md!} - diff --git a/docs/integration/categories/endpoint/trend_micro_apex_one.md b/docs/integration/categories/endpoint/trend_micro_apex_one.md index 13eb61b45b..856f9d01d5 100644 --- a/docs/integration/categories/endpoint/trend_micro_apex_one.md +++ b/docs/integration/categories/endpoint/trend_micro_apex_one.md @@ -80,7 +80,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365_sample.md!} diff --git a/docs/integration/categories/endpoint/vmware_esxi.md b/docs/integration/categories/endpoint/vmware_esxi.md index 1318b640e6..2c5025be9c 100644 --- a/docs/integration/categories/endpoint/vmware_esxi.md +++ b/docs/integration/categories/endpoint/vmware_esxi.md @@ -31,7 +31,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90_sample.md!} diff --git a/docs/integration/categories/endpoint/vmware_vcenter.md b/docs/integration/categories/endpoint/vmware_vcenter.md index 02180fcda7..71a5cd5eb3 100644 --- a/docs/integration/categories/endpoint/vmware_vcenter.md +++ b/docs/integration/categories/endpoint/vmware_vcenter.md @@ -35,7 +35,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. Create a new configuration file: diff --git a/docs/integration/categories/endpoint/windows.md b/docs/integration/categories/endpoint/windows.md index 928e971b68..e6e6228c6e 100644 --- a/docs/integration/categories/endpoint/windows.md +++ b/docs/integration/categories/endpoint/windows.md @@ -210,11 +210,11 @@ Restart-Service nxlog ### Configure the concentrator to forward events to Sekoia.io Please read the dedicated documentation for each concentrator: -* [Rsyslog](/integration/ingestion_methods/syslog/overview) -* [Logstash](/integration/ingestion_methods/logstash) -* [Syslog-ng](/integration/ingestion_methods/syslog-ng) -* [Graylog](/integration/ingestion_methods/https/graylog) -* [Sekoia.io docker concentrator](/integration/ingestion_methods/syslog/sekoiaio_forwarder) +* [Rsyslog](/integration/ingestion_methods/syslog/overview.md) +* [Logstash](/integration/ingestion_methods/logstash.md) +* [Syslog-ng](/integration/ingestion_methods/syslog-ng.md) +* [Graylog](/integration/ingestion_methods/https/graylog.md) +* [Sekoia.io docker concentrator](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) !!! Note While Sekoia.io docker concentrator is highly recommended, you are free to use the one that you are most comfortable with. diff --git a/docs/integration/categories/endpoint/winlogbeat.md b/docs/integration/categories/endpoint/winlogbeat.md index b63793ec5c..27ffc42e30 100644 --- a/docs/integration/categories/endpoint/winlogbeat.md +++ b/docs/integration/categories/endpoint/winlogbeat.md @@ -153,7 +153,7 @@ PS C:\Program Files\Winlogbeat> Start-Service winlogbeat ### Forward logs to Sekoia.io -Please consult our [guide](/integration/ingestion_methods/https/logstash) to configure logs forwarding from Logstash to Sekoia.io. +Please consult our [guide](/integration/ingestion_methods/https/logstash.md) to configure logs forwarding from Logstash to Sekoia.io. {!_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b_sample.md!} diff --git a/docs/integration/categories/endpoint/withsecure_elements.md b/docs/integration/categories/endpoint/withsecure_elements.md index f311c54ef5..1f4c7bbe06 100644 --- a/docs/integration/categories/endpoint/withsecure_elements.md +++ b/docs/integration/categories/endpoint/withsecure_elements.md @@ -36,7 +36,7 @@ In the WithSecure Elements Central Admin console: 1. Go to the [Playbook page](https://app.sekoia.io/operations/playbooks). 2. Click on `+ PLAYBOOK` and choose `Create a playbook from scratch`. 3. Give it a name such as `Collect WithSecure Elements events` and a description and click on `Next`. -4. In `Choose a trigger`, select the [Fetch security events](/integration/action_library/endpoint/withsecure). +4. In `Choose a trigger`, select the [Fetch security events](/integration/action_library/withsecure.md). 5. Click on the `Fetch security events` trigger and, on the right sidebar, create a new `Module Configuration`. Give it a name such as `My Organisation WithSecure` and enter your API Client credentials `Client ID`/`Secret` 6. In the Trigger Configuration section, Click on `Create new configuration`. 8. Write a `name`, paste the `intake_key` associated to your `WithSecure Elements` intake and click on `Save`. diff --git a/docs/integration/categories/generic/cef.md b/docs/integration/categories/generic/cef.md index 315887ff2b..7e7d433288 100644 --- a/docs/integration/categories/generic/cef.md +++ b/docs/integration/categories/generic/cef.md @@ -15,7 +15,7 @@ As of now, the main solution to collect CEF logs leverages the Rsyslog recipe. P ### Rsyslog -Please refer to the documentation of your vendor to forward events to your rsyslog server. The reader is also invited to consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please refer to the documentation of your vendor to forward events to your rsyslog server. The reader is also invited to consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777_sample.md!} diff --git a/docs/integration/categories/iam/alsid.md b/docs/integration/categories/iam/alsid.md index 477bcc94da..9b3d4dc116 100644 --- a/docs/integration/categories/iam/alsid.md +++ b/docs/integration/categories/iam/alsid.md @@ -20,7 +20,7 @@ As of now, the main solution to collect Alsid logs leverages the Rsyslog recipe. ### Rsyslog -Please refer to the documentation of Alsid to forward events to your rsyslog server. The reader is also invited to consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please refer to the documentation of Alsid to forward events to your rsyslog server. The reader is also invited to consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/integration/detection_section.md!} diff --git a/docs/integration/categories/iam/azure_key_vault.md b/docs/integration/categories/iam/azure_key_vault.md index e4a6a5b6d1..1666feafa7 100644 --- a/docs/integration/categories/iam/azure_key_vault.md +++ b/docs/integration/categories/iam/azure_key_vault.md @@ -38,7 +38,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Azure Key Vault](/integration/action_library/cloud_providers/microsoft-azure/#beta-collect-azure-blob-storage-events) +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Azure Key Vault](/integration/action_library/microsoft-azure.md) 2. Set up the trigger configuration with `account_key`, `account_name` and the `container_name`. 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/iam/jumpcloud_directory_insights.md b/docs/integration/categories/iam/jumpcloud_directory_insights.md index a9ebc4a913..f01973e1f9 100644 --- a/docs/integration/categories/iam/jumpcloud_directory_insights.md +++ b/docs/integration/categories/iam/jumpcloud_directory_insights.md @@ -33,7 +33,7 @@ Jumpcloud Directory Insights provides activity records related to your organizat To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Jumpcloud Directory Insights Connector](/integration/action_library/iam/jumpcloud-directory-insights) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Jumpcloud Directory Insights Connector](/integration/action_library/jumpcloud-directory-insights.md) trigger 2. Set up the module configuration with your API Key. Set up the trigger configuration with the intake key and select the event types you want to collect (`all` by default, refer to the [Jumpcloud Directory Insights service list](https://docs.jumpcloud.com/api/insights/directory/1.0/index.html#section/Using-the-Directory-Insights-API/JSON-POST-Request-Body) for other possible values). 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/iam/manageengine_adauditplus.md b/docs/integration/categories/iam/manageengine_adauditplus.md index 35cb986783..6c064b9e72 100644 --- a/docs/integration/categories/iam/manageengine_adauditplus.md +++ b/docs/integration/categories/iam/manageengine_adauditplus.md @@ -43,7 +43,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. @@ -57,4 +57,3 @@ Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sek {!_shared_content/operations_center/detection/generated/suggested_rules_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md!} - diff --git a/docs/integration/categories/iam/okta_system_log.md b/docs/integration/categories/iam/okta_system_log.md index 550c64dfa2..a5e5c32bdf 100644 --- a/docs/integration/categories/iam/okta_system_log.md +++ b/docs/integration/categories/iam/okta_system_log.md @@ -26,7 +26,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new system logs from OKTA](/integration/action_library/iam/okta) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new system logs from OKTA](/integration/action_library/okta.md) trigger 2. Set up the module configuration with your API Key and the base url of your Okta instance. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/iam/openldap.md b/docs/integration/categories/iam/openldap.md index 6bdbe84d20..da0cd15228 100644 --- a/docs/integration/categories/iam/openldap.md +++ b/docs/integration/categories/iam/openldap.md @@ -39,7 +39,7 @@ Below is a couple of suggestions you can follow to configure your system to coll ``` ### Forward logs to SEKOIA.IO -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/integration/detection_section.md!} diff --git a/docs/integration/categories/iam/rsa_securid.md b/docs/integration/categories/iam/rsa_securid.md index 9c71e898e7..584fd46e28 100644 --- a/docs/integration/categories/iam/rsa_securid.md +++ b/docs/integration/categories/iam/rsa_securid.md @@ -37,7 +37,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Sekoia Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Sekoia Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. diff --git a/docs/integration/categories/network/aws_flow_logs.md b/docs/integration/categories/network/aws_flow_logs.md index c5e285fed7..26971649b9 100644 --- a/docs/integration/categories/network/aws_flow_logs.md +++ b/docs/integration/categories/network/aws_flow_logs.md @@ -44,8 +44,8 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: 1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with: - - the [AWS Fetch new Flowlogs on S3 connector](/integration/action_library/cloud_providers/aws/#fetch-new-flowlogs-on-s3) for plain text files (gzipped included) - - the [AWS Fetch new FlowLogs Parquet records on S3 connector](/integration/action_library/cloud_providers/aws/#fetch-new-flowlogs-parquet-records-on-s3) for parquet files + - the [AWS Fetch new Flowlogs on S3 connector](/integration/action_library/aws.md) for plain text files (gzipped included) + - the [AWS Fetch new FlowLogs Parquet records on S3 connector](/integration/action_library/aws.md) for parquet files 2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created. 3. Start the playbook and enjoy your events. diff --git a/docs/integration/categories/network/azure_application_gateway.md b/docs/integration/categories/network/azure_application_gateway.md index 1df40adb83..a499b54275 100644 --- a/docs/integration/categories/network/azure_application_gateway.md +++ b/docs/integration/categories/network/azure_application_gateway.md @@ -24,7 +24,7 @@ Azure Application Gateway is a web traffic load balancer that manages traffic to ## Step-by-Step Configuration Procedure ### How to setup Event Hub - + {!_shared_content/operations_center/integrations/event_hub.md!} ### Enable Application Gateway diagnostics logs @@ -47,7 +47,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/feature/automate/library/microsoft-azure/#consume-eventhub-messages) +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/xdr/features/automate/library/microsoft-azure.md#consume-eventhub-messages) 2. Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. 3. Start the playbook and enjoy your events @@ -62,4 +62,3 @@ To start to pull events, you have to: ## Further Readings - [Diagnostic logs for Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics) - [Send Azure Monitor activity log data](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-azure-storage) - diff --git a/docs/integration/categories/network/cato_sase.md b/docs/integration/categories/network/cato_sase.md index 7ce21f9dc0..c28c7b71b9 100644 --- a/docs/integration/categories/network/cato_sase.md +++ b/docs/integration/categories/network/cato_sase.md @@ -21,7 +21,7 @@ This setup guide will show you how to provide an integration between Cato SASE e 1. Log in to your Cato Management Application 2. Click on the `Administration` section then click on `API & Integrations` - ![Administration](/assets/integration/cloud_and_saas/cato/administration.png){: style="max-width:100%"} + ![Administration](/assets/integration/cloud_and_saas/cato/administration.png){: style="max-width:100%"} 3. Select the tab `Events Integration` 4. Click on `Enable integration with Cato events` ![Administration](/assets/integration/cloud_and_saas/cato/enable_eventsfeed.png){: style="max-width:100%"} @@ -49,7 +49,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Cato SASE](/integration/action_library/network/cato-networks) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Cato SASE](/integration/action_library/cato-networks.md) trigger 2. Set up the module configuration with the Api Key and Account Id. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/network/dhcpd.md b/docs/integration/categories/network/dhcpd.md index 11e48330a4..72638df789 100644 --- a/docs/integration/categories/network/dhcpd.md +++ b/docs/integration/categories/network/dhcpd.md @@ -15,9 +15,6 @@ ISC DHCP offers a complete open-source solution for implementing DHCP servers. ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![isc_dhcp_architecture](/assets/integration/isc_dhcp_architecture.png) !!! Alternative diff --git a/docs/integration/categories/network/efficientip_solidserver_ddi.md b/docs/integration/categories/network/efficientip_solidserver_ddi.md index 72ed0f6f71..ee60f10caf 100644 --- a/docs/integration/categories/network/efficientip_solidserver_ddi.md +++ b/docs/integration/categories/network/efficientip_solidserver_ddi.md @@ -40,22 +40,22 @@ An internal syslog concentrator is required to collect and forward events to Sek 1. Log in SOLIDServer console 2. On the left panel, click `Administration` - ![Adminstation](/assets/operation_center/integration_catalog/network/efficientip_solidserver/01 - administration.png) + ![Adminstation](/assets/integration/network/efficientip_solidserver/01 - administration.png) 3. In the `monitoring` section, click `Configuration` - ![Configuration](/assets/operation_center/integration_catalog/network/efficientip_solidserver/02 - configuration.png) + ![Configuration](/assets/integration/network/efficientip_solidserver/02 - configuration.png) 4. In the menu, click `+ Add` - ![syslog](/assets/operation_center/integration_catalog/network/efficientip_solidserver/03 - syslog.png) + ![syslog](/assets/integration/network/efficientip_solidserver/03 - syslog.png) 5. In the `Services` drop-dwon, select the following services: - `named` 6. In the `Target server`, fill the ip address and the port of the log concentrator. - ![target](/assets/operation_center/integration_catalog/network/efficientip_solidserver/04 - target.png) + ![target](/assets/integration/network/efficientip_solidserver/04 - target.png) 7. Click `OK` @@ -67,7 +67,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md!} diff --git a/docs/integration/categories/network/ekinops_oneos.md b/docs/integration/categories/network/ekinops_oneos.md index 43a83cd311..c996bf27cc 100644 --- a/docs/integration/categories/network/ekinops_oneos.md +++ b/docs/integration/categories/network/ekinops_oneos.md @@ -48,7 +48,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832_sample.md!} diff --git a/docs/integration/categories/network/forcepoint_web_gateway.md b/docs/integration/categories/network/forcepoint_web_gateway.md index 0c1c51b358..f9ceae855b 100644 --- a/docs/integration/categories/network/forcepoint_web_gateway.md +++ b/docs/integration/categories/network/forcepoint_web_gateway.md @@ -18,9 +18,6 @@ Forcepoint Secure Web Gateway (SWG) is a proxy, installed on the endpoint, apply ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![forcepoint_swg_architecture](/assets/integration/forcepoint_swg_architecture.png) !!! Alternative @@ -63,7 +60,7 @@ In this guide, you will configure the gateway to forward events to syslog. This #### Detailed Procedure: 1. **Internal Syslog Concentrator Requirement:** - - An internal syslog concentrator is required to collect and forward events to Sekoia.io. We highly recommend using the [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder/). + - An internal syslog concentrator is required to collect and forward events to Sekoia.io. We highly recommend using the [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md). 2. **Enable SIEM Integration:** - Log on to the Web Security module of the Forcepoint Security Manager and navigate to `Settings > General > SIEM Integration`. diff --git a/docs/integration/categories/network/juniper_switches.md b/docs/integration/categories/network/juniper_switches.md index 2335d35764..63274eae0b 100644 --- a/docs/integration/categories/network/juniper_switches.md +++ b/docs/integration/categories/network/juniper_switches.md @@ -85,7 +85,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c_sample.md!} diff --git a/docs/integration/categories/network/microsoft_always_on_vpn.md b/docs/integration/categories/network/microsoft_always_on_vpn.md index 8e5adc8698..9007443e67 100644 --- a/docs/integration/categories/network/microsoft_always_on_vpn.md +++ b/docs/integration/categories/network/microsoft_always_on_vpn.md @@ -73,7 +73,7 @@ Restart the NXLog service through the Services tool as Administrator or use Powe ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. ### Enjoy your events Go to the [events page](https://app.sekoia.io/operations/events) to watch your incoming events. diff --git a/docs/integration/categories/network/netfilter.md b/docs/integration/categories/network/netfilter.md index 62a1b61d37..4616efe8a7 100644 --- a/docs/integration/categories/network/netfilter.md +++ b/docs/integration/categories/network/netfilter.md @@ -32,7 +32,7 @@ As of now, the main solution to send Netfilter events to Sekoia.io is to use a R ### Rsyslog -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io ### Configure Netfilter using Iptables The first step is to configure Netfilter to log the awaited diff --git a/docs/integration/categories/network/openssh.md b/docs/integration/categories/network/openssh.md index 8f6193a0f3..0b77a5ca2f 100644 --- a/docs/integration/categories/network/openssh.md +++ b/docs/integration/categories/network/openssh.md @@ -18,7 +18,7 @@ As of now, the main solution to collect OpenSSH logs leverages the Rsyslog recip ### Rsyslog -Please refer to the documentation of OpenSSH to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please refer to the documentation of OpenSSH to forward events to your rsyslog server. The reader can consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f_sample.md!} diff --git a/docs/integration/categories/network/openvpn.md b/docs/integration/categories/network/openvpn.md index f495f40696..5a0d24287b 100644 --- a/docs/integration/categories/network/openvpn.md +++ b/docs/integration/categories/network/openvpn.md @@ -67,7 +67,7 @@ This setup guide will show you how to forward your OpenVPN logs to Sekoia.io by ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. ### Create the intake diff --git a/docs/integration/categories/network/opnsense.md b/docs/integration/categories/network/opnsense.md index ff3d94b5b1..2b3e9018f8 100644 --- a/docs/integration/categories/network/opnsense.md +++ b/docs/integration/categories/network/opnsense.md @@ -45,7 +45,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. diff --git a/docs/integration/categories/network/pulse.md b/docs/integration/categories/network/pulse.md index 4470a2977b..a0dd52d292 100644 --- a/docs/integration/categories/network/pulse.md +++ b/docs/integration/categories/network/pulse.md @@ -15,9 +15,6 @@ Pulse Connect Secure is an SSL VPN solution for remote and mobile users. ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![pulse_connect_secure_architecture](/assets/integration/pulse_connect_secure_architecture.png) !!! Alternative @@ -66,7 +63,7 @@ This setup guide will show you how to forward your Pulse Connect Secure logs to - Please refer to the documentation of Pulse Secure Connect to forward events to your syslog concentrator. 3. **Forward Logs to Sekoia.io:** - - The reader can consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. + - The reader can consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. ### Instruction on Sekoia diff --git a/docs/integration/categories/network/sesameit_jizo.md b/docs/integration/categories/network/sesameit_jizo.md index bed4965872..5037fbee95 100644 --- a/docs/integration/categories/network/sesameit_jizo.md +++ b/docs/integration/categories/network/sesameit_jizo.md @@ -40,12 +40,12 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. -{!_shared_content/operations_center/integrations/generated/ 46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_sample.md!} +{!_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_sample.md!} {!_shared_content/integration/detection_section.md!} -{!_shared_content/operations_center/detection/generated/suggested_rules_ 46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md!} -{!_shared_content/operations_center/integrations/generated/ 46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md!} +{!_shared_content/operations_center/detection/generated/suggested_rules_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.md!} +{!_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md!} diff --git a/docs/integration/categories/network/squid.md b/docs/integration/categories/network/squid.md index 15bcf362c1..e19d042099 100644 --- a/docs/integration/categories/network/squid.md +++ b/docs/integration/categories/network/squid.md @@ -16,7 +16,7 @@ As of now, the main solution to collect Squid logs leverages the Rsyslog recipe. ### Rsyslog -In this Section, we detail how to configure Squid’s logging output for Sekoia.io by means of the Rsyslog transport. We hereby focus on the configuration of Squid and invite the reader to the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +In this Section, we detail how to configure Squid’s logging output for Sekoia.io by means of the Rsyslog transport. We hereby focus on the configuration of Squid and invite the reader to the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. To configure Squid logging, you can create a new configuration `99-sekoiaio.conf` file in the `/etc/squid/conf.d/` directory of your server. With most of Squid configurations (including Debian, Red Hat Entreprise Linux, etc.), this file will automatically be used. diff --git a/docs/integration/categories/network/umbrella_dns.md b/docs/integration/categories/network/umbrella_dns.md index a4e4908964..dcbf84fc14 100644 --- a/docs/integration/categories/network/umbrella_dns.md +++ b/docs/integration/categories/network/umbrella_dns.md @@ -34,7 +34,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/cloud_providers/aws/#fetch-new-logs-on-s3) +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) 2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/network/unbound.md b/docs/integration/categories/network/unbound.md index f832896048..e52ad5a2a6 100644 --- a/docs/integration/categories/network/unbound.md +++ b/docs/integration/categories/network/unbound.md @@ -16,7 +16,7 @@ Unbound is a validating, recursive, and caching DNS resolver product from NLnet This setup guide will show you how to forward logs produced by your Unbound server to Sekoia.io by means of an rsyslog transport channel. ### Configure the Rsyslog server -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8_sample.md!} diff --git a/docs/integration/categories/network_security/aws_cloudfront.md b/docs/integration/categories/network_security/aws_cloudfront.md index 34dc56c936..1e873ba711 100644 --- a/docs/integration/categories/network_security/aws_cloudfront.md +++ b/docs/integration/categories/network_security/aws_cloudfront.md @@ -44,7 +44,7 @@ To turn on standard logging for a CloudFront distribution, follow these steps: To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudFront logs on S3](/integration/action_library/cloud_providers/aws#fetch-new-logs-on-s3). +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudFront logs on S3](/integration/action_library/aws.md). 2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created. 3. Start the playbook and enjoy your events. diff --git a/docs/integration/categories/network_security/aws_cloudtrail.md b/docs/integration/categories/network_security/aws_cloudtrail.md index ad4dcb36f4..1fff69a905 100644 --- a/docs/integration/categories/network_security/aws_cloudtrail.md +++ b/docs/integration/categories/network_security/aws_cloudtrail.md @@ -35,7 +35,7 @@ Activate the logging on the trail through the switch button (On/Off) located at ### Pull events -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudTrail records on S3 connector](/integration/action_library/cloud_providers/aws#fetch-new-cloudtrail-records-on-s3). +Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Fetch new CloudTrail records on S3 connector](/integration/action_library/aws.md). Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key, and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key from the previously created intake. diff --git a/docs/integration/categories/network_security/aws_guardduty.md b/docs/integration/categories/network_security/aws_guardduty.md index e86a824e77..d9f8de0c9e 100644 --- a/docs/integration/categories/network_security/aws_guardduty.md +++ b/docs/integration/categories/network_security/aws_guardduty.md @@ -32,7 +32,7 @@ You have to: To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/cloud_providers/aws#fetch-new-logs-on-s3) +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) 2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue as well as the intake key from the intake previously created 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/network_security/aws_waf.md b/docs/integration/categories/network_security/aws_waf.md index 383e254693..44bff17f7d 100644 --- a/docs/integration/categories/network_security/aws_waf.md +++ b/docs/integration/categories/network_security/aws_waf.md @@ -35,7 +35,7 @@ To forward events produced by AWS WAF to S3, you have to: To start to pull events, you have to: -1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/cloud_providers/aws#fetch-new-logs-on-s3) +1. Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [AWS Fetch new logs on S3 connector](/integration/action_library/aws.md) 2. Set up the module configuration with the [AWS Access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), the secret key and the region name. Set up the trigger configuration with the name of the SQS queue and the intake key, from the intake previously created 3. Start the playbook and enjoy your events diff --git a/docs/integration/categories/network_security/azure_front_door.md b/docs/integration/categories/network_security/azure_front_door.md index bf4f52fc26..f19c62e418 100644 --- a/docs/integration/categories/network_security/azure_front_door.md +++ b/docs/integration/categories/network_security/azure_front_door.md @@ -31,7 +31,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Pull events -Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/integration/action_library/cloud_providers/microsoft-azure#consume-eventhub-messages). +Go to the [playbook page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Consume Eventhub messages](/integration/action_library/microsoft-azure.md#consume-eventhub-messages). Set up the trigger configuration with the EventHub's `Connection string-primary key`, the hub name, the consumer group, the storage's `Connection string-primary key` and the container name. diff --git a/docs/integration/categories/network_security/clavister_ng_fw.md b/docs/integration/categories/network_security/clavister_ng_fw.md index 3751fabe39..6d7520b28b 100644 --- a/docs/integration/categories/network_security/clavister_ng_fw.md +++ b/docs/integration/categories/network_security/clavister_ng_fw.md @@ -80,7 +80,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/64d118f0-84a5-4f46-ab05-7776bd6d0eed_sample.md!} diff --git a/docs/integration/categories/network_security/fortiproxy.md b/docs/integration/categories/network_security/fortiproxy.md index 40c84ab678..7d086a5c92 100644 --- a/docs/integration/categories/network_security/fortiproxy.md +++ b/docs/integration/categories/network_security/fortiproxy.md @@ -19,9 +19,6 @@ In this documentation, we will explain one way to collect and send FortiProxy lo ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![fortinet_fortiproxy_architecture](/assets/integration/fortinet_fortiproxy_architecture.png) !!! Alternative diff --git a/docs/integration/categories/network_security/gatewatcher_aioniq.md b/docs/integration/categories/network_security/gatewatcher_aioniq.md index 7493f325f4..8819886db7 100644 --- a/docs/integration/categories/network_security/gatewatcher_aioniq.md +++ b/docs/integration/categories/network_security/gatewatcher_aioniq.md @@ -15,9 +15,6 @@ Gatewatcher AionIQ is a detection and response platform for your network that id ## High-Level Architecture Diagram - **Type of integration**: Outbound (PUSH to Sekoia.io) -- **Schema** - -![gatewatcher_aioniq_architecture](/assets/integration/gatewatcher_aioniq_architecture.png) ## Specification diff --git a/docs/integration/categories/network_security/skyhigh_secure_web_gateway.md b/docs/integration/categories/network_security/skyhigh_secure_web_gateway.md index 45d2dcbf62..68d01c6565 100644 --- a/docs/integration/categories/network_security/skyhigh_secure_web_gateway.md +++ b/docs/integration/categories/network_security/skyhigh_secure_web_gateway.md @@ -43,7 +43,7 @@ To forward your logs to your log concentrator, in our MWG console: ``` if $programname == 'mwg' and $syslogfacility-text == 'daemon' and $syslogseverity-text == 'info' then @@: ``` - Replace the `` placeholder with the ip address of our log concentrator and `` by the listening port on the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) for the Skyhigh raw events. + Replace the `` placeholder with the ip address of our log concentrator and `` by the listening port on the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) for the Skyhigh raw events. !!!Note The double at characters without spaces (@@) indicates that syslog messages are transferred to a host using the TCP protocol. To use the UDP protocol, use single at character (@). @@ -51,7 +51,7 @@ To forward your logs to your log concentrator, in our MWG console: ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687_sample.md!} diff --git a/docs/integration/categories/network_security/sonicwall_fw.md b/docs/integration/categories/network_security/sonicwall_fw.md index fd472f3b76..30e5d22f6d 100644 --- a/docs/integration/categories/network_security/sonicwall_fw.md +++ b/docs/integration/categories/network_security/sonicwall_fw.md @@ -39,7 +39,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887_sample.md!} diff --git a/docs/integration/categories/network_security/sonicwall_sma.md b/docs/integration/categories/network_security/sonicwall_sma.md index e5db9c6373..00a00ab26a 100644 --- a/docs/integration/categories/network_security/sonicwall_sma.md +++ b/docs/integration/categories/network_security/sonicwall_sma.md @@ -37,7 +37,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463_sample.md!} diff --git a/docs/integration/categories/network_security/sophos_fw.md b/docs/integration/categories/network_security/sophos_fw.md index aed2832d9b..e9aafe3512 100644 --- a/docs/integration/categories/network_security/sophos_fw.md +++ b/docs/integration/categories/network_security/sophos_fw.md @@ -36,7 +36,7 @@ You can configure a syslog server in Sophos Firewall by following the instructio ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266_sample.md!} diff --git a/docs/integration/categories/network_security/stormshield_network_security.md b/docs/integration/categories/network_security/stormshield_network_security.md index e9f6628404..80803f366f 100644 --- a/docs/integration/categories/network_security/stormshield_network_security.md +++ b/docs/integration/categories/network_security/stormshield_network_security.md @@ -19,7 +19,7 @@ In this documentation we will explain how to collect and send Stormshield Networ ### Instruction on Sekoia #### Create your intake -Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes). +Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes.md). 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Stormshield Network Security`. 2. Copy the associated Intake key diff --git a/docs/integration/categories/network_security/trellix_epo.md b/docs/integration/categories/network_security/trellix_epo.md index aa4ba04855..124dda2689 100644 --- a/docs/integration/categories/network_security/trellix_epo.md +++ b/docs/integration/categories/network_security/trellix_epo.md @@ -38,7 +38,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n To start to pull events, you have to: -1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/endpoint/trellix) trigger +1. Go to the [playbooks page](https://app.sekoia.io/operations/playbooks) and create a new playbook with the [Trellix](/integration/action_library/trellix.md) trigger 2. Set up the module configuration with the Client Id and Client Secret. Set up the trigger configuration with the intake key 3. Start the playbook and enjoy your events @@ -49,4 +49,3 @@ To start to pull events, you have to: {!_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md!} - diff --git a/docs/integration/categories/network_security/trellix_nx.md b/docs/integration/categories/network_security/trellix_nx.md index 30d90828a6..e006ecb0a2 100644 --- a/docs/integration/categories/network_security/trellix_nx.md +++ b/docs/integration/categories/network_security/trellix_nx.md @@ -40,7 +40,7 @@ You should have: Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trellix Network Security. ### Configure the Rsyslog server -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5_sample.md!} diff --git a/docs/integration/categories/network_security/trend_micro_deep_security.md b/docs/integration/categories/network_security/trend_micro_deep_security.md index 7b51033c3c..e2313d6382 100644 --- a/docs/integration/categories/network_security/trend_micro_deep_security.md +++ b/docs/integration/categories/network_security/trend_micro_deep_security.md @@ -62,7 +62,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d_sample.md!} diff --git a/docs/integration/categories/network_security/ubika_waap.md b/docs/integration/categories/network_security/ubika_waap.md index 50c42ae2d9..5f6bbf7fe9 100644 --- a/docs/integration/categories/network_security/ubika_waap.md +++ b/docs/integration/categories/network_security/ubika_waap.md @@ -38,7 +38,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e_sample.md!} diff --git a/docs/integration/categories/network_security/varonis_data_security.md b/docs/integration/categories/network_security/varonis_data_security.md index 9527dd6246..09dfcf4a63 100644 --- a/docs/integration/categories/network_security/varonis_data_security.md +++ b/docs/integration/categories/network_security/varonis_data_security.md @@ -51,9 +51,9 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. -Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to [this documentation](/integration/ingestion_methods/syslog/sekoiaio_forwarder#import-a-custom-rsyslog-configuration) in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs: +Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to [this documentation](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md#import-a-custom-rsyslog-configuration) in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs: ```bash input(type="im$PROTOCOL" port="$PORT" ruleset="remoteVaronis") @@ -84,4 +84,3 @@ action( {!_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md!} - diff --git a/docs/integration/categories/network_security/vectra.md b/docs/integration/categories/network_security/vectra.md index a446d9e53a..00d1d3b7d7 100644 --- a/docs/integration/categories/network_security/vectra.md +++ b/docs/integration/categories/network_security/vectra.md @@ -16,7 +16,7 @@ Vectra provides AI-powered incident detection and resolution support for native This setup guide will show you how to forward logs produced by your Vectra Appliance server to Sekoia.io by means of an rsyslog transport channel. ### Configure the Rsyslog server -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation to forward these logs to Sekoia.io. +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md!} diff --git a/docs/integration/categories/network_security/watchguard_firebox.md b/docs/integration/categories/network_security/watchguard_firebox.md index afe11041ef..fcdc5c365b 100644 --- a/docs/integration/categories/network_security/watchguard_firebox.md +++ b/docs/integration/categories/network_security/watchguard_firebox.md @@ -36,7 +36,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview) documentation or [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Rsyslog Transport](/integration/ingestion_methods/syslog/overview.md) documentation or [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570_sample.md!} diff --git a/docs/integration/categories/network_security/zscaler_zia.md b/docs/integration/categories/network_security/zscaler_zia.md index aa37ce9bee..4407635728 100644 --- a/docs/integration/categories/network_security/zscaler_zia.md +++ b/docs/integration/categories/network_security/zscaler_zia.md @@ -99,7 +99,7 @@ In the Zscaler ZIA console: #### Forward logs to Sekoia.io -For more information on forwarding logs to Sekoia.io, see [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) +For more information on forwarding logs to Sekoia.io, see [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md) ### Forward events with Cloud NSS Feed diff --git a/docs/integration/categories/overview.md b/docs/integration/categories/overview.md index 489452e15b..81c67af198 100644 --- a/docs/integration/categories/overview.md +++ b/docs/integration/categories/overview.md @@ -4,7 +4,7 @@ Welcome to the Intake Categories section of our documentation! This section prov ## Structure of the Intake Categories Section -The Intake Categories section is organized into several sub-categories as explained in the [Best Practices for Using Sekoia SOC Platform page](getting_started/best_practices/), each representing a different type of data source. Below is the structure of the folder: +The Intake Categories section is organized into several sub-categories as explained in the [Best Practices for Using Sekoia SOC Platform page](/getting_started/best_practices.md), each representing a different type of data source. Below is the structure of the folder: - **Applicative**: This category includes documentation on various application-level technologies like Apache HTTP Server, Salesforce, JumpCloud. - **Email**: Documentation related to email data sources can be found here. diff --git a/docs/integration/develop_integration/automation/action.md b/docs/integration/develop_integration/automation/action.md index 21711b0127..bc7679335b 100644 --- a/docs/integration/develop_integration/automation/action.md +++ b/docs/integration/develop_integration/automation/action.md @@ -1,6 +1,6 @@ # Action -An action helps to execute specific tasks (see [definition](https://docs.sekoia.io/xdr/features/automate/actions/)). It composes one of the three items of a playbook. +An action helps to execute specific tasks (see [definition](/xdr/features/automate/actions.md)). It composes one of the three items of a playbook. In a module, each action consists of 2 elements: @@ -13,25 +13,19 @@ In a module, each action consists of 2 elements: - A description of the arguments of the action (field `arguments`). This description is a [JSON schema model](https://json-schema.org/) - A description of the output of the action (field `results`). This description is a [JSON schema model](https://json-schema.org/) and may be empty if the action returns no data. - See [Azure Active Directory «Enable User» action’s manifest](../AzureActiveDirectory/action_enable_user.json) - -- A python code +- A python code ## Python code -An action is a class based on [`Action`](https://github.com/SEKOIA-IO/sekoia-automation-sdk/blob/main/sekoia_automation/action.py) from [sekoia-automation-sdk](https://github.com/SEKOIA-IO/sekoia-automation-sdk/). +An action is a class based on [`Action`](https://github.com/SEKOIA-IO/sekoia-automation-sdk/blob/main/sekoia_automation/action.py) from [sekoia-automation-sdk](https://github.com/SEKOIA-IO/sekoia-automation-sdk/). This class must implement the class properties `name` and `description`. It also must implement the method `run` that accepts the arguments and may returns a result. The arguments and the result must be declared as a [pydantic model](https://docs.pydantic.dev/), holding the same properties declared in the JSON schema model for the arguments and the result in the manifest. -(See [Azure Active Directory «Enable User» code](../AzureActiveDirectory/azure_ad/user.py)) - ## Entrypoint To expose an action of the module, the action must be declared in `main.py` at the root of the module. Import the class in `main.py` and register the class, against the module, with the unique command name of the action as second argument. - -(See [Azure Active Directory main.py](../AzureActiveDirectory/main.py)) diff --git a/docs/integration/develop_integration/automation/trigger.md b/docs/integration/develop_integration/automation/trigger.md index c0db7e94af..2bb58ba592 100644 --- a/docs/integration/develop_integration/automation/trigger.md +++ b/docs/integration/develop_integration/automation/trigger.md @@ -27,12 +27,9 @@ A Connector is a class based on [`Connector`](https://github.com/SEKOIA-IO/sekoi It must implement the method `run` and call the method `publish_events_to_intake` to forward events. -(See [OKTA system log connector](../Okta/okta_modules/system_log_trigger.py)) ## Entrypoint To expose a trigger of the module, the trigger must be declared in `main.py` at the root of the module. Import the class in `main.py` and register the class, against the module, with the unique command name of the trigger as second argument. - -(See [Okta main.py](../Okta/main.py)) diff --git a/docs/integration/develop_integration/overview.md b/docs/integration/develop_integration/overview.md index 3c0635f475..251424d62a 100644 --- a/docs/integration/develop_integration/overview.md +++ b/docs/integration/develop_integration/overview.md @@ -19,9 +19,9 @@ #### Step 1. Understand the general concepts !!! warning - For this usecase, you must already be able to forward your data into Sekoia SOC platform with an existing [ingestion methods](/integration/ingestion_methods/) + For this usecase, you must already be able to forward your data into Sekoia SOC platform with an existing [ingestion methods](/integration/ingestion_methods/index.md) -Before starting, read this [overview of intake format](../formats/overview/) to get a grasp of the general concepts. +Before starting, read this [overview of intake format](formats/overview.md) to get a grasp of the general concepts. #### Step 2. Create your custom intake @@ -29,13 +29,13 @@ To ingest a format of data, you will first create a custom format with the custo Create a custom format to describe the format of the data to extract: -- Start by creating a [custom format](../formats/create_a_format/#custom-format-creation-on-the-platform) -- Write the parser of the custom format by following this [guide](../formats/parser/) +- Start by creating a [custom format](formats/create_a_format.md#custom-format-creation-on-the-platform) +- Write the parser of the custom format by following this [guide](formats/parser.md) !!! info Additional resources to support development: - - Best practices for [Authentications](../formats/best_practices/authentications/) logs + - Best practices for [Authentications](formats/best_practices/authentications.md) logs - An E-learning module for the development of custom format is available in our training catalog, you can request an access [here](https://www.sekoia.io/en/lets-talk-about-your-training-project/) Once you are done, you will create a custom intake based using this custom format. A custom intake is an instance of your custom format. @@ -55,10 +55,10 @@ You have now successfully ingested data from a new product. If you would like to If you have created a new format and want Sekoia to manage its maintenance, you can request homologation for your custom format. Once approved, the format will be added to Sekoia's public catalog. !!! info - To homologate your custom format, you will need to contribute through our Github repository + To homologate your custom format, you will need to contribute through our Github repository - Fork the Github repository [SEKOIA-IO/intake-formats](https://github.com/SEKOIA-IO/intake-formats) -- Follow this [guide](../formats/create_a_format/#custom-format-creation-with-the-github-repository) to add the custom format in Github and request an homologation +- Follow this [guide](formats/create_a_format.md#custom-format-creation-with-the-github-repository) to add the custom format in Github and request an homologation ### Usecase 2. You want to modify an existing intake @@ -68,7 +68,7 @@ You would like to parse additional fields in an existing intake or modify the wa 2. Search for the intake you wish to modify 3. Click on the `See format` button at the top right of the card 4. Click on the `Duplicate` button at the top right of the custom parser editor -5. Modify the parser by using this [guide](../formats/parser/) +5. Modify the parser by using this [guide](formats/parser.md) Once you have finished your modifications, [create a custom intake](#step-2-create-your-custom-intake) based on this new custom format. @@ -79,17 +79,17 @@ Once you have finished your modifications, [create a custom intake](#step-2-crea #### Step 1. Understand the general concepts -Before developing a new playbook trigger or playbook action, read this [overview of automations](../automation/overview) to get a grasp of the general concepts of automations. +Before developing a new playbook trigger or playbook action, read this [overview of automations](automation/overview.md) to get a grasp of the general concepts of automations. #### Step 2. Create your automation Once you have acquired a basic understanding of automations: - Fork the Github repository [SEKOIA-IO/automation-library](https://github.com/SEKOIA-IO/automation-library) -- Follow this guide to [create your module](../automation/create_a_module/) +- Follow this guide to [create your module](automation/create_a_module.md) #### Step 3. Homologate your automation in the Sekoia catalog The last step is to homologate your automation in order to make it available in the automation library. -- Follow these [instructions](../automation/create_a_module/#homologation-request) to homologate your automation \ No newline at end of file +- Follow these [instructions](automation/create_a_module.md#homologation-request) to homologate your automation \ No newline at end of file diff --git a/docs/integration/faq/general_questions/bug_and_improvement_requests.md b/docs/integration/faq/general_questions/bug_and_improvement_requests.md index 2cdd415964..0999da09b8 100644 --- a/docs/integration/faq/general_questions/bug_and_improvement_requests.md +++ b/docs/integration/faq/general_questions/bug_and_improvement_requests.md @@ -37,10 +37,10 @@ In the context of an intake or automation, an improvement is defined by the foll In the functional category, distinguishing between a bug and an improvement request can sometimes be nuanced, particularly concerning the extraction of new fields in the context of an intake. Here is a more precise explanation: - **Bug**: A new field extraction request will be considered a bug if the field is part of the list of ECS fields present in the sections "Required Fields" or "Required Fields depending on context" of the documentation pages found in the section "How to develop a new Integration" > "Formats" > "Best Practices". For instance: - - For technologies of type Endpoints, see the [Required Fields](/integration/develop_integration/formats/best_practices/endpoints#required-fields). - - For network technologies, see the [Required Fields](/integration/develop_integration/formats/best_practices/networks#required-fields). + - For technologies of type Endpoints, see the [Required Fields](/integration/develop_integration/formats/best_practices/endpoints.md#required-fields). + - For network technologies, see the [Required Fields](/integration/develop_integration/formats/best_practices/networks.md#required-fields). - **Improvement**: A request to add a field that does not fall under the aforementioned mandatory ECS fields will be considered an improvement. This can include optional fields or new fields that enhance the functionality but are not strictly required by the ECS standard. - - Clients have the flexibility to create custom formats to meet their specific needs. Additionally, they can be supported by our Professional Services team. Furthermore, clients can request the homologation of their custom format by following the process described in our documentation: [Homologate Your Custom Format in the SEKOIA Catalog](/integration/develop_integration/overview#step-3-homologate-your-custom-format-in-the-sekoia-catalog-optional) + - Clients have the flexibility to create custom formats to meet their specific needs. Additionally, they can be supported by our Professional Services team. Furthermore, clients can request the homologation of their custom format by following the process described in our documentation: [Homologate Your Custom Format in the SEKOIA Catalog](/integration/develop_integration/overview.md#step-3-homologate-your-custom-format-in-the-sekoia-catalog-optional) Understanding whether an issue is a bug or an improvement request is crucial for effective problem resolution and enhancement planning. Should you encounter issues or have suggestions, please consult this guide and reach out to our support team if needed. diff --git a/docs/integration/index.md b/docs/integration/index.md index ef4d841617..ff4dc7b9e2 100644 --- a/docs/integration/index.md +++ b/docs/integration/index.md @@ -6,19 +6,19 @@ Welcome to the Integrations section of our documentation! This section is design ### Ingestion Methods -In this section, you'll find detailed information on the various methods (pushing on [HTTPS](/integration/ingestion_methods/https/overview/) or [Syslog](/integration/ingestion_methods/syslog/overview/), or pulling a [remote external cloud storage](/integration/ingestion_methods/cloud_saas/overview/)) you can use to ingest data into Sekoia.io SOC Platform. We provide [comprehensive guides and examples](/integration/ingestion_methods/) to help you set up and manage your data ingestion processes efficiently. +In this section, you'll find detailed information on the various methods (pushing on [HTTPS](/integration/ingestion_methods/https/overview.md) or [Syslog](/integration/ingestion_methods/syslog/overview.md), or pulling a [remote external cloud storage](/integration/ingestion_methods/cloud_saas/overview.md)) you can use to ingest data into Sekoia.io SOC Platform. We provide [comprehensive guides and examples](/integration/ingestion_methods/index.md) to help you set up and manage your data ingestion processes efficiently. ### Intake Categories -This section offers an organized view of different [intake categories](/integration/categories/overview/), that are used for log collection and processing purposes. You'll find documentation on various types of data (endpoint, network, email...) and how to configure each one, ensuring you a smooth BUILD phase of Third party logs collection. +This section offers an organized view of different [intake categories](/integration/categories/overview.md), that are used for log collection and processing purposes. You'll find documentation on various types of data (endpoint, network, email...) and how to configure each one, ensuring you a smooth BUILD phase of Third party logs collection. ### Automation Categories -This section contains a wealth of [automation actions](/integration/action_library/overview/) to interract with Third party directly from and without leaving the Sekoia.io SOC Platform. These resources are designed to help you streamline your workflows and automate repetitive tasks, allowing you to focus on more strategic activities. +This section contains a wealth of [automation actions](/integration/action_library/overview.md) to interract with Third party directly from and without leaving the Sekoia.io SOC Platform. These resources are designed to help you streamline your workflows and automate repetitive tasks, allowing you to focus on more strategic activities. ### How to Develop A New Integration -For those looking to extend the capabilities of Sekoia.io SOC Platform, this section provides a [step-by-step guide on how to develop custom integrations](/integration/develop_integration/overview/). You'll learn about our integration framework, best practices, and how to contribute to our ecosystem. +For those looking to extend the capabilities of Sekoia.io SOC Platform, this section provides a [step-by-step guide on how to develop custom integrations](/integration/develop_integration/overview.md). You'll learn about our integration framework, best practices, and how to contribute to our ecosystem. ### FAQ Section diff --git a/docs/integration/ingestion_methods/cloud_saas/overview.md b/docs/integration/ingestion_methods/cloud_saas/overview.md index 568cb38593..147ade36e6 100644 --- a/docs/integration/ingestion_methods/cloud_saas/overview.md +++ b/docs/integration/ingestion_methods/cloud_saas/overview.md @@ -2,7 +2,7 @@ In addition to the previously documented push modes (HTTPS, Syslog, Relp), Sekoia.io also possesses the capability to ingest data using a pulling mode. -Indeed, many tools and equipment have APIs to enable direct data consumption. However, using these endpoints can be a bit tricky. Therefore, Sekoia.io has developed numerous integrations that include out-of-the-box connectors, known as triggers, responsible for collecting data. You can easily configure them in [Sekoia.io playbooks](/xdr/features/automate/) with just a few clicks. Make sure to follow the documentation associated with your integration to verify the complete procedure. +Indeed, many tools and equipment have APIs to enable direct data consumption. However, using these endpoints can be a bit tricky. Therefore, Sekoia.io has developed numerous integrations that include out-of-the-box connectors, known as triggers, responsible for collecting data. You can easily configure them in [Sekoia.io playbooks](/xdr/features/automate/index.md) with just a few clicks. Make sure to follow the documentation associated with your integration to verify the complete procedure. Sekoia.io can also retrieve logs and data from cloud platforms, including Microsoft Azure, Amazon Web Services, or Google Cloud. To consume this type of data, as a prerequisites you need to define a location to centralize data coming from your managed services on your cloud provider: @@ -11,5 +11,3 @@ Sekoia.io can also retrieve logs and data from cloud platforms, including Micros - [Google Pub/Sub](gcp.md) Finally, you have to configure the associated out-of-the-box trigger as explained in the previous section. You can find a end to end documentation for each integration in his specific page covering the configuration of these prerequisites - - diff --git a/docs/integration/ingestion_methods/https/logstash.md b/docs/integration/ingestion_methods/https/logstash.md index 1a0af370b7..055df6038d 100644 --- a/docs/integration/ingestion_methods/https/logstash.md +++ b/docs/integration/ingestion_methods/https/logstash.md @@ -6,14 +6,14 @@ To push logs, you have to configure some filters in Logstash that will add the p ## Example -In the following example, we have multiple inputs to handle logs collected via Syslog (Apache HTTP Server and NGINX logs) and via [Beats (Winlogbeat)](/integration/integrations/endpoint/winlogbeat.md) and forward them to Sekoia.io. +In the following example, we have multiple inputs to handle logs collected via Syslog (Apache HTTP Server and NGINX logs) and via [Beats (Winlogbeat)](/integration/categories/endpoint/winlogbeat.md) and forward them to Sekoia.io. In order to filter events effectively, Logstash uses tags as a key component. To ensure proper functionality, make sure to update the intake key value by editing the placeholder `CHANGE_ME_INTAKE_KEY` mentioned below. Additionally, you have the flexibility to incorporate multiple filters within the `filter` section as per your requirements. -!!! tip +!!! tip By adding additional filters, you can enhance the filtering capabilities of Logstash and customize the processing of events to suit your requirements. -!!! note +!!! note Beats agents require a specific output configuration as you need to forward the complete JSON event to Sekoia.io. ``` @@ -77,7 +77,7 @@ The above configuration will send your logs one at a time (one HTTP request per For more advanced use cases, where you want to send logs to Sekoia.io and to an Elasticsearch instance for example, a more advanced Logstash configuration is recommended to achieve higher throughput. This configuration uses multiple pipelines and pipeline-to-pipeline communications to duplicate events and format them to the expected payload format required by Sekoia.io. Events will be sent in batch mode, providing better performance. -!!! note +!!! note Beats events do not need to be duplicated into a second pipeline as the complete JSON event is sent to Sekoia.io. *pipelines.yml* diff --git a/docs/integration/ingestion_methods/index.md b/docs/integration/ingestion_methods/index.md index 9a4b41dbe9..091f4534c0 100644 --- a/docs/integration/ingestion_methods/index.md +++ b/docs/integration/ingestion_methods/index.md @@ -10,10 +10,10 @@ Sekoia.io is able to collect logs through various mechanisms, configuration on y Sekoia.io supports the following log collecting methods: -- [HTTPS](/integration/ingestion_methods/https/overview/) (`https://intake.sekoia.io`): `POST` your JSON events to Sekoia.io. -- [Syslog](/integration/ingestion_methods/syslog/overview/) over TLS (`intake.sekoia.io:10514`): forward your events with the Syslog protocol specified in RFC 5424. -- [RELP](/integration/ingestion_methods/syslog/rsyslog/#how-to-forward-logs-to-sekoiaio-using-relp) over TLS (`relp.intake.sekoia.io:11514`): forward your events with Rsyslog’s reliable protocol called RELP. -- [Cloud hosting and API polling](/integration/ingestion_methods/cloud_saas/overview/): configure Sekoia.io to regularly retrieve your logs. +- [HTTPS](/integration/ingestion_methods/https/overview.md) (`https://intake.sekoia.io`): `POST` your JSON events to Sekoia.io. +- [Syslog](/integration/ingestion_methods/syslog/overview.md) over TLS (`intake.sekoia.io:10514`): forward your events with the Syslog protocol specified in RFC 5424. +- [RELP](/integration/ingestion_methods/syslog/rsyslog.md#how-to-forward-logs-to-sekoiaio-using-relp) over TLS (`relp.intake.sekoia.io:11514`): forward your events with Rsyslog’s reliable protocol called RELP. +- [Cloud hosting and API polling](/integration/ingestion_methods/cloud_saas/overview.md): configure Sekoia.io to regularly retrieve your logs. If these solutions do not meet your needs, contact our support. @@ -30,16 +30,16 @@ and after <%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE ``` -We provide [documentation and example configurations](/integration/ingestion_methods/syslog/overview/) on how to configure your log system for Rsyslog, syslog-ng or use our [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder/), but it should be easy to configure other log collectors to forward their events to Sekoia.io. +We provide [documentation and example configurations](/integration/ingestion_methods/syslog/overview.md) on how to configure your log system for Rsyslog, syslog-ng or use our [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder.md), but it should be easy to configure other log collectors to forward their events to Sekoia.io. ## HTTPS integration -To push your events through our [HTTPS log collector](/integration/ingestion_methods/https/overview/), you have to `POST` your logs in the JSON format. To send us events, you should set `Content-Type` HTTP header to `application/json`. +To push your events through our [HTTPS log collector](/integration/ingestion_methods/https/overview.md), you have to `POST` your logs in the JSON format. To send us events, you should set `Content-Type` HTTP header to `application/json`. ## Cloud & SaaS integration -Sekoia.io is also able to retrieve logs and data from [Cloud platform](/integration/ingestion_methods/cloud_saas/overview/), such as Microsoft Azure, Amazon Web Services or Google Cloud. +Sekoia.io is also able to retrieve logs and data from [Cloud platform](/integration/ingestion_methods/cloud_saas/overview.md), such as Microsoft Azure, Amazon Web Services or Google Cloud. ## Datetime representation in the events -Sekoia.io accepts any representation of a datetime; see [Datetime representation](/xdr/FAQ/datetime/) for more details. +Sekoia.io accepts any representation of a datetime; see [Datetime representation](/xdr/FAQ/datetime.md) for more details. diff --git a/docs/integration/ingestion_methods/syslog/sekoiaio_forwarder.md b/docs/integration/ingestion_methods/syslog/sekoiaio_forwarder.md index eb23852c56..af1e8c02b9 100644 --- a/docs/integration/ingestion_methods/syslog/sekoiaio_forwarder.md +++ b/docs/integration/ingestion_methods/syslog/sekoiaio_forwarder.md @@ -25,18 +25,18 @@ Please find our English tutorial video below to see how to configure the forward | 10 000 | 4 | 8 | 1000 | MEMORY_MESSAGES=5000000 / DISK_SPACE=980g | | 50 000 | 6 | 16 | 5000 | MEMORY_MESSAGES=12000000 / DISK_SPACE=4980g | - !!! info + !!! info These data are recommendations based on standards and observed averages on Sekoia.io, so they may change depending on use cases. - + * Last version of Docker Engine. Please follow [this section](#docker-engine-installation) to install it if needed * INBOUND TCP or UDP flows opened between the systems/applications and the concentrator on the ports of your choice * OUTBOUND TCP flow opened towards: - * **FRA1** intake.sekoia.io on port 10514 - * **FRA2** fra2.app.sekoia.io on port 10514 - * **MCO1** mco1.app.sekoia.io on port 10514 - * **EUA1** app.uae1.sekoia.io on port 10514 + * **FRA1** intake.sekoia.io on port 10514 + * **FRA2** fra2.app.sekoia.io on port 10514 + * **MCO1** mco1.app.sekoia.io on port 10514 + * **EUA1** app.uae1.sekoia.io on port 10514 - !!! note + !!! note The disk choice (SSD or HDD type) has no impact on the performance of Sekoia.io Forwarder. However, SSD type would be useful when an issue arise for recovery or catchup. Please choose accordingly to your usage and cost. @@ -90,7 +90,7 @@ intakes: You are not limited to 3 entries. Feel free to adapt it to your needs. #### Debug -A debug variable is available in order to debug a specific intake, for example +A debug variable is available in order to debug a specific intake, for example ```yaml --- intakes: @@ -165,7 +165,7 @@ ports: - "20516-20566:20516-20566/udp" ``` -As specified in the Overview section, the concentrator will be run in an isolated environment. That means, by default, no flow is open between the host and the concentrator. +As specified in the Overview section, the concentrator will be run in an isolated environment. That means, by default, no flow is open between the host and the concentrator. `20516-20518:20516-20566` means that every packets coming through the TCP port form `20516` to `20566` to the host will be forwarded to the concentrator container from port `20516` to `20566`. If you want to open a UDP flow, please add a line with `/udp` at the end. @@ -187,9 +187,9 @@ Volumes are used to share files and folders between the host and the container: * `./conf:/etc/rsyslog.d` is mapped if you want to customize some rsyslog configuration (ADVANCED) * `./disk_queue:/var/spool/rsyslog` is used when the concentrator queue stores data on disk. The mapping avoids data loss if logs are stored on disk and the container is deleted. -#### Import a custom rsyslog configuration +#### Import a custom rsyslog configuration -You can add your own additional rsyslog configuration. It can be useful to deal with specific use cases which are not supported natively by the Sekoia.io concentrator. To enable it, you simply have to create a new folder called `extended_conf` and put an additional your rsyslog file into (your file must have the extension *.conf). You do not have to deal with the `intake.yaml` file. Your custom configuration will be added in addition to the intake definition and will not erase exisiting ones. +You can add your own additional rsyslog configuration. It can be useful to deal with specific use cases which are not supported natively by the Sekoia.io concentrator. To enable it, you simply have to create a new folder called `extended_conf` and put an additional your rsyslog file into (your file must have the extension *.conf). You do not have to deal with the `intake.yaml` file. Your custom configuration will be added in addition to the intake definition and will not erase exisiting ones. You can define your own method for obtaining logs using rsyslog modules, but you still need to forward events to Sekoia.io by providing a syslog-valid message with your intake key as a header, as follows: @@ -213,7 +213,7 @@ action( } ``` -Once additional configuration has been added, you simply have to mount them in the docker as following: +Once additional configuration has been added, you simply have to mount them in the docker as following: ```yaml volumes: @@ -274,7 +274,7 @@ mkdir certs && cd certs ``` === "Fedora, Red Hat, CentOS (dnf)" - + ```bash sudo dnf update sudo dnf install -y openssl @@ -328,14 +328,14 @@ tls_ca_name: server.crt The forwarder is a critical component in the architecture between your information system and the Sekoia platform. A prolonged service interruption could lead to data loss, potentially causing missed detection of an attack within your environment. -In this context, please find below the instructions to enable monitoring of your forwarder. +In this context, please find below the instructions to enable monitoring of your forwarder. This will allow health status information of the component to be transmitted to Sekoia, enabling you to set up alerts based on the values of the transmitted metrics. -### Create the forwarder logs intake +### Create the forwarder logs intake The first step is to create the intake on the Sekoia platform and save the associated intake key -For detailed information on this process, please refer to the following [documentation](/integration/categories/applicative/sekoiaio_forwarder_logs/) +For detailed information on this process, please refer to the following [documentation](/integration/categories/applicative/sekoiaio_forwarder_logs.md) ### Configuration of the intake.yml file @@ -362,7 +362,7 @@ The forwarder is configured with one input module per intake, as specified in th ![image](/assets/operation_center/ingestion_methods/sekoiaio_forwarder/forwarder_monitoring_2.png){: style="max-width:100%"} -By leveraging these metrics, you can easily define custom rules to detect specific behaviors such as service interruptions, full queues, discarded events, and more. This monitoring capability is crucial for maintaining optimal performance and ensuring the reliability of the forwarder in your system. +By leveraging these metrics, you can easily define custom rules to detect specific behaviors such as service interruptions, full queues, discarded events, and more. This monitoring capability is crucial for maintaining optimal performance and ensuring the reliability of the forwarder in your system. Below is an example of a rule pattern designed to identify if queues are full on the forwarder, which may lead to log loss. The cause of a full queue can be attributed to several factors, such as an under-provisioned machine unable to handle the load, a sudden increase in events per second (EPS), or infrastructure issues. In any case, this type of alert indicates the need for further investigation into the behavior of the forwarder to understand the root cause of the problem. @@ -489,14 +489,14 @@ sudo docker compose logs -f 1. Check that the forwarder is correctly configured - * Check the `intakes.yaml` file to see if you have declared the protocols and ports you wanted. + * Check the `intakes.yaml` file to see if you have declared the protocols and ports you wanted. * Verify if this information is taken into account by the concentrator. At start-up, the concentrator always shows the list of Intakes with the protocols and ports. ```bash sudo docker compose logs | more ``` - * Check that you correctly declared the `ports` section in the `docker-compose.yml` file. They MUST be the same as the ports declared in the `intakes.yaml` file. For instance, if you declared 4 technologies on ports `25020`, `25021`, `25022` and `25023`, the ports line the `docker-compose.yml` has to be at least `"25020-25023:25020-25023"` for TCP and `"25020-25023:25020-25023/udp"` if using UDP. + * Check that you correctly declared the `ports` section in the `docker-compose.yml` file. They MUST be the same as the ports declared in the `intakes.yaml` file. For instance, if you declared 4 technologies on ports `25020`, `25021`, `25022` and `25023`, the ports line the `docker-compose.yml` has to be at least `"25020-25023:25020-25023"` for TCP and `"25020-25023:25020-25023/udp"` if using UDP. 2. Verify that traffic is incoming from your log source, **meaning no firewall is blocking the events**. ```bash @@ -506,7 +506,7 @@ sudo docker compose logs -f `remote_ip`is the IP from which the logs should be incoming. 3. If you are sure that no firewall blocks the events but you still don't see any logs, verify on the source that you are forwarding the logs to the right IP and port using the correct protocol. - + **Example** You want to forward your firewall logs to Sekoia. You decided to use the `TCP/20524` port. @@ -682,7 +682,7 @@ Connect to the remote server where you would like to install the Sekoia.io Forwa 2. Edit the configuration files - - `sekoiaio-concentrator/intakes.yaml` by replacing the `name`, `protocol`, `port` and `intake_key` for each intake you would like to collect + - `sekoiaio-concentrator/intakes.yaml` by replacing the `name`, `protocol`, `port` and `intake_key` for each intake you would like to collect - `sekoiaio-concentrator/docker-compose.yml` by remplacing the value `"20516-20518:20516-20518"` by a relevant content according to the `sekoiaio-concentrator/intakes.yaml` previously edited 3. Start the docker diff --git a/docs/xdr/FAQ/Alerts_qa.md b/docs/xdr/FAQ/Alerts_qa.md index ce92c7764d..5e52e5e3fd 100644 --- a/docs/xdr/FAQ/Alerts_qa.md +++ b/docs/xdr/FAQ/Alerts_qa.md @@ -1,10 +1,10 @@ ## Alert date -When an alert is triggered, additional events can enrich this alert but the date of the alert will not be updated (date= 1st trigger). +When an alert is triggered, additional events can enrich this alert but the date of the alert will not be updated (date= 1st trigger). ## Bell icon in alerts page -The bell icon means that "the event is involved in an alert". +The bell icon means that "the event is involved in an alert". When a bell on an event is displayed on an alert page, the event is involved in the current alert AND in another alert. @@ -12,12 +12,12 @@ If it is involved in the current alert, the bell is not displayed. ## How an alert is triggered with a delay ? -Besides matching a rule in real time, an alert can be triggered with a delay when: +Besides matching a rule in real time, an alert can be triggered with a delay when: - An IOC is published, old events are scanned and if an event matches, the rule will automatically trigger an alert. - - Logs from the source were received by Sekoia with a delay. Common route causes: - * the log collection was interrupted, if logs are buffered loccaly on customer's side, before being sent later when the collection restarts + - Logs from the source were received by Sekoia with a delay. Common route causes: + * the log collection was interrupted, if logs are buffered loccaly on customer's side, before being sent later when the collection restarts * Reingestion of old logs !!! Note - See more informaiton on `timestamp` and `event.created`fields [here](Events_qa.md#timestampeventcreated-eventstart-eventend-meaning). + See more informaiton on `timestamp` and `event.created`fields [here](Events_qa.md). diff --git a/docs/xdr/features/collect/assets.md b/docs/xdr/features/collect/assets.md index db79af39dd..777d3b199d 100644 --- a/docs/xdr/features/collect/assets.md +++ b/docs/xdr/features/collect/assets.md @@ -40,7 +40,7 @@ For each category, there are additional sub-categories to add an optional additi The asset criticality value is a numerical indicator that represents the level of criticality or importance of each asset within the organization's IT infrastructure. It ranges from 0 to 100, where 0 indicates that the asset has no criticality or minimal importance, and 100 signifies maximum criticality, denoting assets crucial for the organization's operations. -This value contribues to the [urgency score of alerts](/xdr/features/investigate/alerts). Hence it plays a key role in computing and prioritizing alerts related to assets, ensuring that your SOC team focuses on addressing the most critical security incidents promptly. +This value contribues to the [urgency score of alerts](/xdr/features/investigate/alerts.md). Hence it plays a key role in computing and prioritizing alerts related to assets, ensuring that your SOC team focuses on addressing the most critical security incidents promptly. ### Detection Properties diff --git a/docs/xdr/features/collect/intakes.md b/docs/xdr/features/collect/intakes.md index 1eae43d06f..47df9fd311 100644 --- a/docs/xdr/features/collect/intakes.md +++ b/docs/xdr/features/collect/intakes.md @@ -112,8 +112,8 @@ To create an intake, you have to: ![intakes_creation](/assets/operation_center/intakes/modal-intake-creation.png){: style="max-width:100%"} !!! Note - The documentation about the integration of your data sources is also available in the [integrations](integrations/index.md) page. - + The documentation about the integration of your data sources is also available in the [integrations](/integration/index.md) page. +Pin ## Configure a notification to report on inactive intake An inactive intake may have devastating consequences on your security monitoring. To prevent incidents from happening, you can set up notifications to get alerted when an intake stops sending events to Sekoia.io. @@ -121,7 +121,7 @@ To set up your notification, you can: 1. Go to the Intakes listing page and click on: ![Card menu](/assets/operation_center/intakes/intakes-card-menu.png){: style="max-width:10%"} on the right side of the card and click on the `Notifications` menu 2. Specify how long the intake should be inactive before sending a notification. The duration can go from 15 min to 24 hours. -3. Select how you want to be notified. Triggered actions that are available are mentioned in the page [Turn on notifications](/getting_started/notifications-Listing_Creation). +3. Select how you want to be notified. Triggered actions that are available are mentioned in the page [Turn on notifications](/getting_started/notifications-Listing_Creation.md). !!! note You can also set up this notification from the **intake details page** or the **User Center** > Notifications by selecting the trigger `No events are received`. @@ -130,7 +130,7 @@ To set up your notification, you can: ## Create a custom intake -To learn more about how to create a custom intake, please refer to this [section.](/../../../integration/develop_integration/formats/create_a_format/) +To learn more about how to create a custom intake, please refer to this [section.](/integration/develop_integration/formats/create_a_format.md) ## Intake details page @@ -205,7 +205,7 @@ The `Connector log` tab is only available for Pull intakes. ![intakes_connector](/assets/operation_center/intakes/intakes-connector.png){: style="max-width:100%"} In this tab, you will find the latest logs of the connector. These logs help you check that the connector is functioning properly by checking the `Info` level messages. -But they also help you troubleshoot issues by checking the `Error` level messages. +But they also help you troubleshoot issues by checking the `Error` level messages. Use the filter button to filter `Error` logs. @@ -231,7 +231,7 @@ The intake menu allows you to perform different kind of actions: #### Edit entity -To modify the entity of the intake: +To modify the entity of the intake: 1. Click on `Edit entity` in the menu 2. Select a new entity in the list @@ -254,7 +254,7 @@ This menu is only available for Pull intakes. Use this menu to modify the parame #### Notifications -To create a new notification on the intake: +To create a new notification on the intake: 1. Click on `Notifications` in the menu 2. Configure the notification settings @@ -262,7 +262,7 @@ To create a new notification on the intake: #### Rename intake -To rename the intake: +To rename the intake: 1. Click on `Rename` in the menu 2. Enter the new name of the intake @@ -272,7 +272,7 @@ To rename the intake: #### Delete intake -To delete the intake: +To delete the intake: 1. Click on `Delete` in the menu 2. Confirm the deletion diff --git a/docs/xdr/features/detect/built_in_detection_rules.md b/docs/xdr/features/detect/built_in_detection_rules.md index 9501c4ac1b..340618a8aa 100644 --- a/docs/xdr/features/detect/built_in_detection_rules.md +++ b/docs/xdr/features/detect/built_in_detection_rules.md @@ -2,7 +2,7 @@ Sekoia.io provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -Please check the [dedicated FAQ page](../../../FAQ/Detection_qa/) related to detection rule strategy. +Please check the [dedicated FAQ page](../../FAQ/Detection_qa.md) related to detection rule strategy. For Windows-related rules, Sekoia.io automatically produces [this regularly updated list](built_in_detection_rules_eventids.md) of the needed EventIDs by rule but also globally as some statistics are provided. diff --git a/docs/xdr/features/detect/iocdetection.md b/docs/xdr/features/detect/iocdetection.md index d95d569374..215504bf95 100644 --- a/docs/xdr/features/detect/iocdetection.md +++ b/docs/xdr/features/detect/iocdetection.md @@ -2,11 +2,11 @@ IOC detection is a critical mechanism in detecting attacks that are trying to harm your system or have already breached it. The Sekoia SOC platform is powered by our Threat Detection & Research (TDR) team, which constantly enriches our IOC database with its state-of-the-art investigations and extensive expertise in Intelligence. -With IOC detection, you can automatically identify potential threats in your past and future events by monitoring active IOCs. +With IOC detection, you can automatically identify potential threats in your past and future events by monitoring active IOCs. ## How does IOC detection at Sekoia work? -Sekoia Threat Detection & Research (TDR) team maintains the CTI database with millions of IOCs through their investigation and dedicated expertise. +Sekoia Threat Detection & Research (TDR) team maintains the CTI database with millions of IOCs through their investigation and dedicated expertise. All this incredible work benefits Sekoia XDR clients, who can consult the number of IOCs available on the Rules catalog page in the section `Active IOCs`. ![verified iocs](/assets/operation_center/rules_catalog/verified_iocs.gif){: style="max-width:100%"} @@ -25,7 +25,7 @@ On the Alerts page, look for the Detection type of the alert. `CTI Retrohunt` al #### Would your SOC team like to scan a specific list of IOCs to perform retrohunt? That’s possible via the IOC collections. You can import a specific list of IOCs to perform retrohunting. -Please see the dedicated documentation on [IOC Collections](../ioccollections). +Please see the dedicated documentation on [IOC Collections](ioccollections.md). ## Technical dive into IOC detection @@ -55,7 +55,7 @@ The tables below list the ECS event fields that are verified by IOC detection. #### Observable type: Domain Name -| STIX path | ECS event field | +| STIX path | ECS event field | | --- | --- | | domain-name:value | client.domain
client.registered_domain
destination.domain
destination.registered_domain
dns.question.name
dns.question.registered_domain
server.domain
server.registered_domain
source.domain
source.registered_domain
tls.[*client/server*].x509.alternative_names
tls.[*client/server*].x509.subject.common_name
url.domain
url.registered_domain | @@ -75,8 +75,8 @@ The tables below list the ECS event fields that are verified by IOC detection. | file:hashes.SSDEEP | file.hash.ssdeep | | file.hash.SHA-1 | file.hash.sha1
dll.hash.sha1
email.attachments.file.hash.sha1
process.hash.sha1 | | file.hash.SHA-256 | file.hash.sha256
dll.hash.sha256
email.attachments.file.hash.sha256
process.hash.sha256 | -| file.hash.SHA-512 | file.hash.sha512
dll.hash.sha512
email.attachments.file.hash.sha512
process.hash.sha512 | -| file:mime_type | file.mime_type | +| file.hash.SHA-512 | file.hash.sha512
dll.hash.sha512
email.attachments.file.hash.sha512
process.hash.sha512 | +| file:mime_type | file.mime_type | | file:mtime | file.ctime | | file:name | file.name | | file:size | file.size | @@ -97,7 +97,7 @@ The tables below list the ECS event fields that are verified by IOC detection. | network-traffic:dst_port | destination.port | | network-traffic:dst_ref.value | destination.ip | | network-traffic:extensions.http-request-ext.request_header.User-Agent | user_agent.original | -| network-traffic:src_port | source.port | +| network-traffic:src_port | source.port | | network-traffic:src_ref.value | source.ip | #### Observable type: URL @@ -110,18 +110,18 @@ The tables below list the ECS event fields that are verified by IOC detection. | STIX path | ECS event field | | --- | --- | -| windows-registry-key:key | registry.key | +| windows-registry-key:key | registry.key | | windows-registry-key:values | registry.value | #### Observable type: X.509 Certificate | STIX path | ECS event field | | --- | --- | -| x509-certificate:issuer | x509.issuer.common_name
x509.issuer.distinguished_name | -| x509-certificate:serial_number | x509.serial_number | +| x509-certificate:issuer | x509.issuer.common_name
x509.issuer.distinguished_name | +| x509-certificate:serial_number | x509.serial_number | | x509-certificate:signature_algorithm | x509.signature_algorithm | | x509-certificate:subject | x509.subject.common_name
x509.subject.distinguished_name | -| x509-certificate:subject_public_key_algorithm | x509.public_key_algorithm | +| x509-certificate:subject_public_key_algorithm | x509.public_key_algorithm | | x509-certificate:subject_public_key_exponent | x509.public_key_exponent | -| x509-certificate:validity_not_before | x509.not_before | -| x509-certificate:validity_not_after | x509.not_after | +| x509-certificate:validity_not_before | x509.not_before | +| x509-certificate:validity_not_after | x509.not_after | diff --git a/docs/xdr/features/detect/rules_catalog.md b/docs/xdr/features/detect/rules_catalog.md index 6516e8b2f2..ce9bdd6f82 100644 --- a/docs/xdr/features/detect/rules_catalog.md +++ b/docs/xdr/features/detect/rules_catalog.md @@ -4,7 +4,7 @@ Once your event logs are collected and normalized by Sekoia.io, you probably wan All rules are applied to your event stream in real-time, so that you can detect - and respond to - threats as fast as possible. -Please check the [dedicated FAQ page](../../../FAQ/Detection_qa/) related to detection rule strategy. +Please check the [dedicated FAQ page](../../FAQ/Detection_qa.md) related to detection rule strategy. ## Rule Types @@ -20,15 +20,15 @@ The Rules Catalog page can be used to list and manage all detection rules. Many ![rules_catalog](/assets/operation_center/rules_catalog/rules-catalog-layout.png){: style="max-width:100%"} !!! tip - You can enable or disable rules one by one or all at once according to current filters. + You can enable or disable rules one by one or all at once according to current filters. ### Rules Attributes #### Available and verified rules -The Rules Catalog lists all detection rules available to your organization: -
![available_verified_rules](/assets/operation_center/rules_catalog/available_verified.png){ width=300 }
. +The Rules Catalog lists all detection rules available to your organization: +
![available_verified_rules](/assets/operation_center/rules_catalog/available_verified.png){ width=300 }
. - **Verified Rules**: rules with the following logo ![verified_logo](/assets/operation_center/rules_catalog/verified_logo.PNG) are verified. These rules are created for you by Sekoia.io's Threat & Detection Research team and already built-in. Verified rules are constantly updated to improve detection. Furthermore, they follow a specific process to test them and be certain they won't cause many false positives. This process is described in our blogpost [XDR detection engineering at scale: crafting detection rules for SecOps efficiency](https://blog.sekoia.io/xdr-detection-rules-at-scale/). This set of more than 900+ rules can be used to detect known threats, attack patterns, etc. - **Your Rules**: rules created by your team that are specific to your organization. @@ -46,7 +46,7 @@ Description of each effort level: - `Elementary`: rule requires no effort to enable rule and raises fewer alerts. Those rules are built to be effective and designed to raise as little false positives as possible - `Intermediate`: similar to `Elementary` effort but a rule could raise more alerts - `Advanced`: rule could require more effort to be enabled and could raise alerts frequently depending on the IT configuration -- `Master`: rule could require a specific configuration to be enabled and/or could raise a high number of alerts, but is designed to detect weaker signals. `Master` rules usually require an additional customization effort, depending on the IT context and configuration. They are designed for more mature organizations. +- `Master`: rule could require a specific configuration to be enabled and/or could raise a high number of alerts, but is designed to detect weaker signals. `Master` rules usually require an additional customization effort, depending on the IT context and configuration. They are designed for more mature organizations. #### Intake formats @@ -70,7 +70,7 @@ Use the associated search filter to list rules associated to specific threats. #### Tags -To have a filtered view of your rules, you can rely on filters cited before ([Available/Verified](#available-and-verified-rules), [Effort level](#effort-level), [Capabilities](#capabilities)) but also on tags associated with rules. +To have a filtered view of your rules, you can rely on filters cited before ([Available/Verified](#available-and-verified-rules), [Effort level](#effort-level), Capabilities) but also on tags associated with rules. These tags are defined by Sekoia.io analysts to help make searching for a rule easier and provide categories such as `AWS`, `CVE`, `O365` and `phishing`. @@ -82,7 +82,7 @@ To filter rules using tags, there are two ways: ![tag_selector](/assets/operation_center/rules_catalog/tag_selector1.png){: style="max-width:100%"} !!! tip - To remove filters, simply click on `Clear all filters` next to the tags' list or deselect one tag at a time by clicking on the close icon inside the tag. + To remove filters, simply click on `Clear all filters` next to the tags' list or deselect one tag at a time by clicking on the close icon inside the tag. ---- @@ -107,14 +107,14 @@ The color changes depending on the number of rules contained in one cell: ### Rule Details You can click on the name of a rule to display additional details, such as, but not limited to: -- The severity which should be used to later determine the [Alert's Urgency](../../investigate/alerts/#alert-urgency) +- The severity which should be used to later determine the [Alert's Urgency](../investigate/alerts.md#alert-urgency) - The category of created alerts - Associated Threats - Associated Data Sources - Known False Positives - The actual detection logic (the pattern) - Alert filters -- [Similarity strategy](../../investigate/alerts/#similarity-strategies) for the produced alerts +- [Similarity strategy](../investigate/alerts.md#similarity-strategies) for the produced alerts ![rule details](/assets/operation_center/rules_catalog/rule_details2.png) @@ -160,13 +160,13 @@ Rules are automatically enabled based on the configured effort level, or you can #### Manually -To ensure that activated rules comply with your security policy, you can choose which rules you want to enable. -For an MSSP Community, you can easily enable your custom and verified rules in multiple managed communities. +To ensure that activated rules comply with your security policy, you can choose which rules you want to enable. +For an MSSP Community, you can easily enable your custom and verified rules in multiple managed communities. ![Enable rules for MSSP community](/assets/operation_center/rules_catalog/enable_multi_communities.png){: style="max-width:70%"} ### Enable / Disable all rules -As seen previously, rules can be filtered by type, status, effort level and tags. To enable or disable these filtered rules, you can simply click on the button `Enable all` or `Disable all` that are displayed under the search bar. +As seen previously, rules can be filtered by type, status, effort level and tags. To enable or disable these filtered rules, you can simply click on the button `Enable all` or `Disable all` that are displayed under the search bar. ![enable-disable](/assets/operation_center/rules_catalog/rules-enable-disable.png){: style="max-width:100%"} @@ -179,12 +179,12 @@ In addition to the verified rules that are already built-in, you can create your The Rule creation form has the following sections: -#### General definition of the rule +#### General definition of the rule - The rule name is mandatory during the creation, it will be used to name the corresponding raised alerts by default. You can add an optional description below. - Select the effort level required and the threats detected with this rule if any, by selecting it from the MITRE ATT&CK or by using the search bar through keywords or the drop-down list. - For an MSSP community, first select the community you want to create your rule in. -- -Two options are available: select `All communities` or select a specific community. +- +Two options are available: select `All communities` or select a specific community. If you choose `All communities`, your rule will be available for all your communities and you can enable it later on the desired community. @@ -193,23 +193,23 @@ If you choose `All communities`, your rule will be available for all your commun #### Detection Pattern This is the detection logic itself. It varies according to the selected rule type. - -!!! note - Fields available to create a detection pattern follow the ECS standard and can be found on Events page > **Show fields and top values**. - + +!!! note + Fields available to create a detection pattern follow the ECS standard and can be found on Events page > **Show fields and top values**. + #### Security alerts In the Alert properties part, you should indicate the category and type of the alerts raised by the rule and the severity of the rule, which is used to calculate the urgency of the corresponding raised alerts in association with assets criticality for events matching assets. -##### Fields displayed in alert events - +##### Fields displayed in alert events + You can select fields that will be displayed in events present inside your raised alerts to speed up alert qualification. To search for fields you want to display, click on the select and type in your event field. This field works as an auto-complete. - + ##### Custom similarity strategy -Alerts are considered similar when some event fields have identical values. +Alerts are considered similar when some event fields have identical values. -You can select these event fields in your rule configuration. To do so, click on the select and type in your event field. You can select as many fields as needed. +You can select these event fields in your rule configuration. To do so, click on the select and type in your event field. You can select as many fields as needed. In addition to that, these event fields can be added to the `Swappable fields`. A typical example of that is `source.ip` and `destination.ip`. @@ -218,16 +218,16 @@ In addition to that, these event fields can be added to the `Swappable fields`. Fields used in the `group-by` clause of the pattern will be used as similarity strategy. !!! note - You can learn more about similarity strategies in this [section](../../investigate/alerts/#similarity-strategies). - + You can learn more about similarity strategies in this [section](../investigate/alerts.md#similarity-strategies). + ### Edit your custom rules -When the Rule Details panel is open, you can click on the `Configure` icon at the top right to edit the rule's configuration. -For Custom rule, you will be able to edit its main definition: +When the Rule Details panel is open, you can click on the `Configure` icon at the top right to edit the rule's configuration. +For Custom rule, you will be able to edit its main definition: - General definition of the rule - Detection Pattern -- Security alerts (event fields can be selected to define the similarity strategy in the section `Similarity strategy`). +- Security alerts (event fields can be selected to define the similarity strategy in the section `Similarity strategy`). For an MSSP communty, when you edit this part and your rule is multi-communities, changes will be shared with all your managed communities. @@ -237,7 +237,7 @@ For an MSSP communty, when you edit this part and your rule is multi-communities For all types of rules, You will be able to limit its applicable scope with the following filters. For an MSSP community, these filters will be applied only on the community selected: -- **Alert Filters**: are additional patterns that you can add to any rule to exclude matching events. This is useful to exclude known false positives so that your detections are always spot on. It is often easier to create Alert Filters [directly from an Alert](../../investigate/alerts/#create-an-alert-filter). +- **Alert Filters**: are additional patterns that you can add to any rule to exclude matching events. This is useful to exclude known false positives so that your detections are always spot on. It is often easier to create Alert Filters [directly from an Alert](../investigate/alerts.md#create-an-alert-filter). - **Entities**: select the entities this rule should apply to. By default, rules apply to all entities. - **Assets**: select the assets this rule should apply to. By default, rules apply to all assets @@ -259,7 +259,7 @@ To prevent known false positives from raising alerts in the future: ![notif_rules](/assets/operation_center/rules_catalog/notification_rules.png){ align=right } -We continuously update the rules catalog with new rules. +We continuously update the rules catalog with new rules. To keep posted, we introduced a dedicated trigger in the Notification Center. This new notification trigger enables the creation of notification rules that triggers when a new detection rule is added to the Rules Catalog by Sekoia.io. diff --git a/docs/xdr/features/integrations/interconnect_sekoia_with_xsoar.md b/docs/xdr/features/integrations/interconnect_sekoia_with_xsoar.md index c1cdd5b045..475d9eeabd 100644 --- a/docs/xdr/features/integrations/interconnect_sekoia_with_xsoar.md +++ b/docs/xdr/features/integrations/interconnect_sekoia_with_xsoar.md @@ -15,21 +15,21 @@ This integration serves as an extension that leverages the **SEKOIA.IO Defend (X * `IoC Collections` !!! Note - To create your API Key, follow this [documentation](../../../../getting_started/manage_api_keys/#create-an-api-key). + To create your API Key, follow this [documentation](/getting_started/manage_api_keys.md#create-an-api-key). ## Configure This section of the documentation will guide you through the steps required to configure the SEKOIA.IO DEFEND (XDR) extension. 1. In your Palo Alto Cortex XSOAR instance, navigate to the Marketplace and search for **SekoiaXDR**. -![!View of Sekoia.io XDR extension in the marketplace](../../../assets/operation_center/external_integrations/sekoia_extension_marketplace.png) +![!View of Sekoia.io XDR extension in the marketplace](/assets/operation_center/external_integrations/sekoia_extension_marketplace.png) 2. Select the **SEKOIAXDR** pack to open its description, then click the Install button to add the pack to your instance. -![!View of Sekoia.io XDR extension install button](../../../assets/operation_center/external_integrations/sekoia_installation.png) +![!View of Sekoia.io XDR extension install button](/assets/operation_center/external_integrations/sekoia_installation.png) 3. Once installed, go to Settings. You should see **SEKOIAXDR** listed. Click the Add instance button to create a new instance. -![!View of Sekoia.io XDR instance in XSOAR UI](../../../assets/operation_center/external_integrations/sekoia_pack_instance.png) +![!View of Sekoia.io XDR instance in XSOAR UI](/assets/operation_center/external_integrations/sekoia_pack_instance.png) 4. Complete the required fields in the configuration form, including the API key, and then save your configuration. -![!View of Sekoia.io XDR configuration part](../../../assets/operation_center/external_integrations/xsoar_config_part.png) +![!View of Sekoia.io XDR configuration part](/assets/operation_center/external_integrations/xsoar_config_part.png) 5. Use the Test button to validate your configuration (a successful test result should display in green). -![!View of Sekoia.io XDR test button](../../../assets/operation_center/external_integrations/xsoar_test_button.png) +![!View of Sekoia.io XDR test button](/assets/operation_center/external_integrations/xsoar_test_button.png) You can now utilize the integration. For example, you can run a command like `!sekoia-xdr-list-assets limit=5 assets_type="computer"`. diff --git a/docs/xdr/features/investigate/alerts.md b/docs/xdr/features/investigate/alerts.md index fe445111a9..8d55e87832 100644 --- a/docs/xdr/features/investigate/alerts.md +++ b/docs/xdr/features/investigate/alerts.md @@ -61,7 +61,7 @@ There are three possibilities to define the similarity strategy to use. By order Rules written by Sekoia.io and available in the Rules Catalog may define specific similarity strategies. -Similarity strategies by rule can be defined during the rule creation process. Learn more about how to do it in [this section](../../detect/rules_catalog/#custom-similarity-strategy). +Similarity strategies by rule can be defined during the rule creation process. Learn more about how to do it in [this section](../detect/rules_catalog.md#custom-similarity-strategy). #### Similarity by event diff --git a/docs/xdr/features/investigate/cases.md b/docs/xdr/features/investigate/cases.md index d405bc79ba..9f4ba56714 100644 --- a/docs/xdr/features/investigate/cases.md +++ b/docs/xdr/features/investigate/cases.md @@ -78,7 +78,7 @@ The Events tab lists the events that are associated with the case in a display s Events associated with the case are: - Events that raised an alert that was added to the case. -- Events that were [directly added to the case](../events/#adding-events-to-cases). +- Events that were [directly added to the case](events.md#adding-events-to-cases). When interacting with individual values, it is possible to: @@ -97,11 +97,11 @@ The "Search Events with this value" feature can be used to perform a search into ![search-events](/assets/operation_center/alerts/search-events.png){align=right} -The search query is automatically created from selected values. +The search query is automatically created from selected values. -To search events with a value: +To search events with a value: -- On the `case` page, go to `events` tab +- On the `case` page, go to `events` tab - Click on `Toggle value selection` button in the upper right of the logs list - Select `values` you want to search for by clicking on them in the logs list - Click on the button `Perform a search` as shown in the screenshot @@ -117,7 +117,7 @@ The Graph Investigation Tab is presenting the analyst with a graphical visualiza The following items appear on the graph: - `Observables`: these are automatically extracted from events (IP addresses, Domain Names, URLs, User Account, etc.) -- `Observable Relationships`: relationships between observables are represented by arrows linking them on the graph. Relationships are extracted from events using the [Smart Description](../../collect/intakes/#smart-descriptions) definitions +- `Observable Relationships`: relationships between observables are represented by arrows linking them on the graph. Relationships are extracted from events using the [Smart Description](../collect/intakes.md) definitions - `CTI Objects`: STIX objects from the Intelligence Center that provide additional context - `STIX relationships` between Threat Objects diff --git a/docs/xdr/features/investigate/events.md b/docs/xdr/features/investigate/events.md index e910de1c9e..c1388031c1 100644 --- a/docs/xdr/features/investigate/events.md +++ b/docs/xdr/features/investigate/events.md @@ -8,7 +8,7 @@ In this documentation, we will dive into the different parts that constitute the - The [Search bar](#search-bar) and its filtering and sharing options - The [list of events](#log-listing) and the detailed view of your parsed events - The mechanism behind [events enrichment](#events-enrichment) or how events are contextualized in Sekoia.io -- The [aggregation](#aggregation) feature and how to create an [anomaly detection rule](#Create-Anomaly-Detection-rule-from-the-aggregation-view) from your query +- The [aggregation](#aggregation) feature and how to create an [anomaly detection rule](#create-anomaly-detection-rule-from-the-aggregation-view) from your query !!! note To send your logs to Sekoia.io, please refer to this [section](https://docs.sekoia.io/integration/ingestion_methods/). diff --git a/docs/xdr/features/investigate/query_builder.md b/docs/xdr/features/investigate/query_builder.md index f3ee1b0d1f..51071a5883 100644 --- a/docs/xdr/features/investigate/query_builder.md +++ b/docs/xdr/features/investigate/query_builder.md @@ -4,7 +4,7 @@ Start exploring your data with the Query Builder. Hunt for threats, obtain analy With this form, you can aggregate data to extract new insights, helping you make informed decisions. Additionally, the Query Builder enables the visualization of data through various types of charts, enriching your reporting capabilities. -Currently, the Alerts data source is available, along with the Events source and the Cases source, with plans to introduce more sources in the future. +Currently, the Alerts data source is available, along with the Events source and the Cases source, with plans to introduce more sources in the future. ![query builder](/assets/operation_center/events/qb-run.gif){: style="max-width:100%"} @@ -62,7 +62,7 @@ Use the following operators to define your conditions in the `WHERE` clause. | > | Strictly more than | | >= | More than or equal to | -### Alert properties +### Alert properties When using the Query Builder with Alerts as a source, users can filter and manipulate queries based on the following alert properties: @@ -187,10 +187,10 @@ The Line Chart is designed to visualize data points over a continuous range, mak - In the **`X-axis`**, select the column you want to use for the time or continuous variable. This column can be of any data type. - In the **`Y-axis`**, select the column that contains the numeric values. This column must consist of numeric data. -### Options +### Options #### Breakdown by -The **Breakdown By** feature allows you to analyze your data in more depth across multiple visualization types, including Bar Charts, Column Charts, and Line Charts. +The **Breakdown By** feature allows you to analyze your data in more depth across multiple visualization types, including Bar Charts, Column Charts, and Line Charts. When you include a **Group By** clause in your query, you can break down your data by a specific attribute. This enables you to visualize how different categories or values contribute to the overall dataset. @@ -220,7 +220,7 @@ Choose a title for your query and click on the `Save` button. Your last result is also saved and will be displayed when you open your saved query. -!!! note +!!! note - Saved queries are visible to all users of your community.
- In MSSP multi-tenancy, saved queries are not visible in sub-communities. @@ -234,6 +234,6 @@ JSON Lines is a convenient format for storing structured data that may be proces See [JSON Lines documentation](https://jsonlines.org/) for more details. -## Add query to dashboard +## Add query to dashboard -Queries can be added to dashboards. To read more about this feature, check our documentation on [dashboards](/xdr/features/report/dashboards/#query-builders-widgets). +Queries can be added to dashboards. To read more about this feature, check our documentation on [dashboards](/xdr/features/report/dashboards.md#query-builders-widgets). diff --git a/docs/xdr/features/report/dashboards.md b/docs/xdr/features/report/dashboards.md index 6fde9ef8f8..b1b3107e18 100644 --- a/docs/xdr/features/report/dashboards.md +++ b/docs/xdr/features/report/dashboards.md @@ -1,6 +1,6 @@ # Dashboards -Dashboards provide a powerful and intuitive way to visualize and monitor key metrics and data in real-time. +Dashboards provide a powerful and intuitive way to visualize and monitor key metrics and data in real-time. Users can create customized views by combining various widgets, offering insights into different aspects of their operations, security posture, or other critical areas. A key aspect of dashboards is the ability to use query builders, which enable users to create custom data queries directly within the dashboard. This allows for highly tailored data analysis and visualization, empowering users to explore specific datasets and derive insights that are most relevant to their needs. @@ -11,7 +11,7 @@ With features like time range configuration, manual and automatic data refresh, Accounts on Sekoia.io come with a preconfigured dashboard that gives a synthetic view of the current community activity, either from an operational security perspective (risk level, number of alerts, etc.) or from an activity perspective (list of last posted comments, last created alerts, etc.). ## Time Range -Managing the time range for data displayed in your dashboard is essential for analyzing trends and patterns over specific periods. +Managing the time range for data displayed in your dashboard is essential for analyzing trends and patterns over specific periods. The dashboard offers flexible options for configuring the time range for each widget and the overall dashboard. **Widget-Specific Time Range** @@ -27,7 +27,7 @@ The dashboard's overall date range can be set using the range selector, which is By configuring these settings, you can ensure that your dashboard provides the most relevant and consistent view of data, tailored to the specific time periods that matter most to your analysis. ## Refreshing Data -Ensuring that the data displayed on your dashboard is up-to-date is critical for accurate monitoring and analysis. +Ensuring that the data displayed on your dashboard is up-to-date is critical for accurate monitoring and analysis. The dashboard provides several options for refreshing the data presented in the widgets. By default, the dashboard shows data that was computed during the last refresh. This means that when you first view a dashboard, the information is based on the most recent refresh that occurred. @@ -56,7 +56,7 @@ To create a new dashboard, you have to: 5. Click on `Add widget` and select a widget from the list in the right panel 6. Drag the needed widget in the workspace and edit it following your needs 7. Click on `Save` - + To access your dashboards, you have to click on the name of the dashboard in the upper left of the screen and choose a dashboard from the list. !!! note @@ -83,31 +83,31 @@ The Default Dashboard cannot be deleted. ## Add, edit and organize widgets -Dashboards can be easily customized using a variety of widgets, allowing users to tailor the interface to their specific needs. +Dashboards can be easily customized using a variety of widgets, allowing users to tailor the interface to their specific needs. -### Add widgets +### Add widgets To add widgets to your dashboard, click on the `Add New Widget` button located in the top right corner of the screen. From the panel, select the desired widgets from the available queries and presets. -### Edit widgets +### Edit widgets To edit an existing widget, click the `three dots` in the upper right corner of the widget, and then select **Edit Widget**. - If the widget is a **query visualization**, you will be redirected to the query settings page, where you can edit the query parameters as needed. - If the widget is a **preset** from the widgets' library, the editing panel will appear, allowing you to adjust options such as the time range or visualization type. -### Reorganize widgets +### Reorganize widgets To reorganize the layout of widgets on your dashboard, click the `Edit button` in the top right corner of the screen. This mode enables you to change both the position and size of each widget. You can easily drag and drop widgets to your preferred locations. Don’t forget to click `Save` to apply your changes! -### Remove widgets -To remove widgets from your dashboard, click the `three dots` and select **Delete from dashboard**. +### Remove widgets +To remove widgets from your dashboard, click the `three dots` and select **Delete from dashboard**. ## Query Builders Widgets Query builders can be inserted into dashboards to streamline data visualization and management. It allows you to easily integrate existing query builders into multiple dashboards, ensuring that any updates made to a query on the query page are automatically reflected across all dashboards where it is used. By leveraging this integration, you maintain consistency and reduce the need for manual updates, enhancing the efficiency and accuracy of your data visualizations. -The Query widget in the dashboard utilizes the visualization settings saved with the query builder on the query page. For detailed information on how visualizations are managed, refer to the [documentation of Query Builders](/xdr/features/investigate/query_builder/). +The Query widget in the dashboard utilizes the visualization settings saved with the query builder on the query page. For detailed information on how visualizations are managed, refer to the [documentation of Query Builders](/xdr/features/investigate/query_builder.md). Changes made to a query builder on the query builder page are automatically propagated to all dashboards that use that query builder. It ensures that updates are reflected without requiring manual intervention. On the query builder’s edit page, you can view a list of all dashboards utilizing the query builder. This helps track where changes will take effect. @@ -117,7 +117,7 @@ On the query builder’s edit page, you can view a list of all dashboards utiliz ## Built-in Widgets -Dashboards come equipped with a variety of built-in widgets designed to provide immediate access to critical data and insights. +Dashboards come equipped with a variety of built-in widgets designed to provide immediate access to critical data and insights. These widgets are pre-configured for common use cases, allowing users to quickly add valuable information to their dashboards without the need for custom queries or extensive configuration. The built-in widgets are organized into categories to help users easily find the tools they need: diff --git a/docs/xdr/index.md b/docs/xdr/index.md index c23fb3ecfe..407af4d5e6 100644 --- a/docs/xdr/index.md +++ b/docs/xdr/index.md @@ -11,8 +11,8 @@ It allows you to easily integrate and analyze the events produced by your applic To defend your business, you need to know what's going on. Monitoring your assets is a prerequisite for their security. Sekoia.io is able to collect logs via various mechanisms, setting it up on your end is easy! -1. Find out the supported [ingestion methods](/integration/ingestion_methods/). -2. Take a look at our pre-defined [Integrations](/integration/categories/)' list that keeps growing to suit all of your needs. +1. Find out the supported [ingestion methods](/integration/ingestion_methods/index.md). +2. Take a look at our pre-defined [Integrations](/integration/categories/index.md)' list that keeps growing to suit all of your needs. 3. Configure your [Intakes](features/collect/intakes.md) to collect your logs. 4. Organize your intakes in [Entities](features/collect/entities.md). 5. Enrich your events with your [Assets](features/collect/assets.md). diff --git a/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md b/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md index 4459285393..aa31233c0a 100644 --- a/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md +++ b/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md @@ -12,11 +12,11 @@ This use case describes how to enrich the comments of an alert with the User age * `SIC_WRITE_ALERTS_COMMENT` !!!note - To create your API Key, follow this [documentation](/getting_started/manage_api_keys/#create-an-api-key). + To create your API Key, follow this [documentation](/getting_started/manage_api_keys.md#create-an-api-key). ## Playbook configuration -Find the playbook configuration below: +Find the playbook configuration below: ![Playbook Add_UserAgent_in_comment](/assets/playbooks/library/UseCases/Add_UserAgent_in_comment.png) @@ -29,14 +29,14 @@ Find the playbook configuration below: !!!note - The query could vary according to the event types / intakes. + The query could vary according to the event types / intakes. If the events does not contain user Agent, it will not retrieve any events `Get Event Field Common Values` - **earliest_time** `{{ ((node.2.first_seen_at | iso8601_to_timestamp) - 3600000) | timestamp_to_iso8601 }}` - **fields** `user_agent.original` - - **latest_time** `now` + - **latest_time** `now` - **query** `source.ip:"{{ node.2['source'] }}" AND destination.ip:"{{ node.2['target'] }}" AND entity.uuid:"{{ node.2['entity']['uuid'] }}"` - + `Comment Alert` - **content** `{{ node.3| jsonpath("$.fields[*].common_values[*]['value']", True) }}% of time this user-agent "{{ node.3| jsonpath("$.fields[*].common_values[*]['name']", True) }}}" was seen on these events during the last 60 minutes.` diff --git a/docs/xdr/usecases/playbook/ExtractIP_from_Url_country.md b/docs/xdr/usecases/playbook/ExtractIP_from_Url_country.md index 54038e1ac0..ab798d13ed 100644 --- a/docs/xdr/usecases/playbook/ExtractIP_from_Url_country.md +++ b/docs/xdr/usecases/playbook/ExtractIP_from_Url_country.md @@ -1,6 +1,6 @@ -# Extract IP from URL & Country +# Extract IP from URL & Country -This use case describes how to extract an IP address from a URL and a country. +This use case describes how to extract an IP address from a URL and a country. ## Prerequisites @@ -10,7 +10,7 @@ This use case describes how to extract an IP address from a URL and a country. * Be an Administrator or an Analyst of the community. * Have an API Key with a role that contains at least the permission "View alerts" -> To create your API Key, follow this [documentation](/getting_started/manage_api_keys/). +> To create your API Key, follow this [documentation](/getting_started/manage_api_keys.md). ## Playbook configuration @@ -29,12 +29,12 @@ For example, we would like to extract the IP `65.74.70.888` from `url.original : Read JSON File module, **Jsonpath** = `{{ value.split()[0].split("/ManageIP/New/")[1] }}` ``` -This Jinja recipe consists in splitting the URL into 2 strings: the one preceding the string /ManageIP/New/ and the one succeeding it, which corresponds to the IP address. +This Jinja recipe consists in splitting the URL into 2 strings: the one preceding the string /ManageIP/New/ and the one succeeding it, which corresponds to the IP address. The value is set with the second string stored in the array, with the use of [1]. ``` !!!note - You can find the CODE Feature section in documentation page and in particular built-in filters existing in Jinja [here](https://jinja.palletsprojects.com/en/3.0.x/templates/#builtin-filters). + You can find the CODE Feature section in documentation page and in particular built-in filters existing in Jinja [here](https://jinja.palletsprojects.com/en/3.0.x/templates/#builtin-filters).   (split is coming from Python) ### Extract IP from Country diff --git a/docs/xdr/usecases/playbook/Get_events_information_from_alert.md b/docs/xdr/usecases/playbook/Get_events_information_from_alert.md index 496ac70e8b..9e1e54fa28 100644 --- a/docs/xdr/usecases/playbook/Get_events_information_from_alert.md +++ b/docs/xdr/usecases/playbook/Get_events_information_from_alert.md @@ -14,7 +14,7 @@ This use case describes how to get the MAC address of events associated with an * `SIC_READ_EVENT_STATS` !!! note - To create your API Key, follow this [documentation](/getting_started/manage_api_keys). + To create your API Key, follow this [documentation](/getting_started/manage_api_keys.md). ## Playbook configuration diff --git a/mkdocs.yml b/mkdocs.yml index 3216bc25e5..e8f1a1c5ff 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,10 @@ markdown_extensions: - markdown_include.include - lightgallery - pymdownx.snippets +validation: + omitted_files: ignore + links: + absolute_links: relative_to_docs nav: - Getting started: - Overview: getting_started/index.md @@ -775,7 +779,7 @@ plugins: xdr/features/collect/integrations/network/cisco/cisco_nx_os.md: integration/categories/network/cisco_nx_os.md xdr/features/collect/integrations/network/cisco/cisco_wsa.md: integration/categories/network_security/cisco_wsa.md xdr/features/collect/integrations/network/citrix_netscaler_adc.md: integration/categories/network/citrix_netscaler_adc.md - xdr/features/collect/integrations/network/clavister_ng_fw.md: integration/categories/network/clavister_ng_fw.md + xdr/features/collect/integrations/network/clavister_ng_fw.md: integration/categories/network_security/clavister_ng_fw.md xdr/features/collect/integrations/network/efficientip_solidserver_ddi.md: integration/categories/network/efficientip_solidserver_ddi.md xdr/features/collect/integrations/network/ekinops_oneos.md: integration/categories/network/ekinops_oneos.md xdr/features/collect/integrations/network/f5-big-ip.md: integration/categories/network/f5-big-ip.md diff --git a/plugins/intakes_by_uuid.py b/plugins/intakes_by_uuid.py index c37f03962f..c8a091f0e0 100644 --- a/plugins/intakes_by_uuid.py +++ b/plugins/intakes_by_uuid.py @@ -35,7 +35,10 @@ class IntakesByUUIDPlugin(mkdocs.plugins.BasePlugin): _integrations: list[dict[str, str]] = [] def on_files(self, files: Files, config: Config): - new_files = [] + new_files: list[File] = [] + source_files = [ + source_file for source_file in files if source_file.src_path.endswith(".md") + ] for source_file in files: if not source_file.src_path.endswith(".md"): @@ -45,7 +48,7 @@ def on_files(self, files: Files, config: Config): with filename.open() as f: _, metadata = get_data(f.read()) - if "uuid" not in metadata or metadata.get("type").lower() != "intake": + if "uuid" not in metadata or metadata.get("type").lower() != "intake": continue dialect_uuids = (uuid.strip() for uuid in metadata["uuid"].split(",")) @@ -68,13 +71,18 @@ def on_files(self, files: Files, config: Config): ) new_files.append(newfile) - new_files.append(File( - path="integration/categories/index.md", - src_dir="operation_center/integration_catalog/", - dest_dir=config["site_dir"], - use_directory_urls=True, - )) - files._files += new_files + new_files.append( + File( + path="integration/categories/index.md", + src_dir="operation_center/integration_catalog/", + dest_dir=config["site_dir"], + use_directory_urls=True, + ) + ) + for file in new_files: + if file.src_uri in files._src_uris: + files.remove(file) + files.append(file) def on_page_read_source(self, page, config): if page.file.src_path.startswith("operation_center/integration_catalog/uuid/"): @@ -88,6 +96,12 @@ def on_page_read_source(self, page, config): content = filename.open().read() for page in sorted(self._integrations, key=lambda x: x["name"]): - content += f"- [{page['name']}](/{page['destination']})\n" + href = ( + f"/{page['destination']}".replace( + "/integration/categories/", "" + ).rstrip("/") + + ".md" + ) + content += f"- [{page['name']}]({href})\n" return content diff --git a/poetry.lock b/poetry.lock index 7a3429454e..456e18c7c4 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,14 +1,14 @@ -# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. [[package]] name = "babel" -version = "2.14.0" +version = "2.16.0" description = "Internationalization utilities" optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "Babel-2.14.0-py3-none-any.whl", hash = "sha256:efb1a25b7118e67ce3a259bed20545c29cb68be8ad2c784c83689981b7a57287"}, - {file = "Babel-2.14.0.tar.gz", hash = "sha256:6919867db036398ba21eb5c7a0f6b28ab8cbc3ae7a73a44ebe34ae74a4e7d363"}, + {file = "babel-2.16.0-py3-none-any.whl", hash = "sha256:368b5b98b37c06b7daf6696391c3240c938b37767d4584413e8438c5c435fa8b"}, + {file = "babel-2.16.0.tar.gz", hash = "sha256:d1f3554ca26605fe173f3de0c65f750f5a42f924499bf134de6423582298e316"}, ] [package.extras] @@ -16,112 +16,127 @@ dev = ["freezegun (>=1.0,<2.0)", "pytest (>=6.0)", "pytest-cov"] [[package]] name = "certifi" -version = "2024.2.2" +version = "2024.8.30" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.6" files = [ - {file = "certifi-2024.2.2-py3-none-any.whl", hash = "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1"}, - {file = "certifi-2024.2.2.tar.gz", hash = "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f"}, + {file = "certifi-2024.8.30-py3-none-any.whl", hash = "sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8"}, + {file = "certifi-2024.8.30.tar.gz", hash = "sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9"}, ] [[package]] name = "charset-normalizer" -version = "3.3.2" +version = "3.4.0" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7.0" files = [ - {file = "charset-normalizer-3.3.2.tar.gz", hash = "sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-win32.whl", hash = "sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-win_amd64.whl", hash = "sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-win32.whl", hash = "sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-win_amd64.whl", hash = "sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-win32.whl", hash = "sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-win_amd64.whl", hash = "sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-win32.whl", hash = "sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-win_amd64.whl", hash = "sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-win32.whl", hash = "sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-win_amd64.whl", hash = "sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-win32.whl", hash = "sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-win_amd64.whl", hash = "sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d"}, - {file = "charset_normalizer-3.3.2-py3-none-any.whl", hash = "sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:4f9fc98dad6c2eaa32fc3af1417d95b5e3d08aff968df0cd320066def971f9a6"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0de7b687289d3c1b3e8660d0741874abe7888100efe14bd0f9fd7141bcbda92b"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:5ed2e36c3e9b4f21dd9422f6893dec0abf2cca553af509b10cd630f878d3eb99"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40d3ff7fc90b98c637bda91c89d51264a3dcf210cade3a2c6f838c7268d7a4ca"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1110e22af8ca26b90bd6364fe4c763329b0ebf1ee213ba32b68c73de5752323d"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:86f4e8cca779080f66ff4f191a685ced73d2f72d50216f7112185dc02b90b9b7"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f683ddc7eedd742e2889d2bfb96d69573fde1d92fcb811979cdb7165bb9c7d3"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:27623ba66c183eca01bf9ff833875b459cad267aeeb044477fedac35e19ba907"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:f606a1881d2663630ea5b8ce2efe2111740df4b687bd78b34a8131baa007f79b"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:0b309d1747110feb25d7ed6b01afdec269c647d382c857ef4663bbe6ad95a912"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:136815f06a3ae311fae551c3df1f998a1ebd01ddd424aa5603a4336997629e95"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:14215b71a762336254351b00ec720a8e85cada43b987da5a042e4ce3e82bd68e"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:79983512b108e4a164b9c8d34de3992f76d48cadc9554c9e60b43f308988aabe"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-win32.whl", hash = "sha256:c94057af19bc953643a33581844649a7fdab902624d2eb739738a30e2b3e60fc"}, + {file = "charset_normalizer-3.4.0-cp310-cp310-win_amd64.whl", hash = "sha256:55f56e2ebd4e3bc50442fbc0888c9d8c94e4e06a933804e2af3e89e2f9c1c749"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:0d99dd8ff461990f12d6e42c7347fd9ab2532fb70e9621ba520f9e8637161d7c"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c57516e58fd17d03ebe67e181a4e4e2ccab1168f8c2976c6a334d4f819fe5944"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:6dba5d19c4dfab08e58d5b36304b3f92f3bd5d42c1a3fa37b5ba5cdf6dfcbcee"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bf4475b82be41b07cc5e5ff94810e6a01f276e37c2d55571e3fe175e467a1a1c"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ce031db0408e487fd2775d745ce30a7cd2923667cf3b69d48d219f1d8f5ddeb6"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8ff4e7cdfdb1ab5698e675ca622e72d58a6fa2a8aa58195de0c0061288e6e3ea"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3710a9751938947e6327ea9f3ea6332a09bf0ba0c09cae9cb1f250bd1f1549bc"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:82357d85de703176b5587dbe6ade8ff67f9f69a41c0733cf2425378b49954de5"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:47334db71978b23ebcf3c0f9f5ee98b8d65992b65c9c4f2d34c2eaf5bcaf0594"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8ce7fd6767a1cc5a92a639b391891bf1c268b03ec7e021c7d6d902285259685c"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:f1a2f519ae173b5b6a2c9d5fa3116ce16e48b3462c8b96dfdded11055e3d6365"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:63bc5c4ae26e4bc6be6469943b8253c0fd4e4186c43ad46e713ea61a0ba49129"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:bcb4f8ea87d03bc51ad04add8ceaf9b0f085ac045ab4d74e73bbc2dc033f0236"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-win32.whl", hash = "sha256:9ae4ef0b3f6b41bad6366fb0ea4fc1d7ed051528e113a60fa2a65a9abb5b1d99"}, + {file = "charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:cee4373f4d3ad28f1ab6290684d8e2ebdb9e7a1b74fdc39e4c211995f77bec27"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:0713f3adb9d03d49d365b70b84775d0a0d18e4ab08d12bc46baa6132ba78aaf6"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:de7376c29d95d6719048c194a9cf1a1b0393fbe8488a22008610b0361d834ecf"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4a51b48f42d9358460b78725283f04bddaf44a9358197b889657deba38f329db"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b295729485b06c1a0683af02a9e42d2caa9db04a373dc38a6a58cdd1e8abddf1"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ee803480535c44e7f5ad00788526da7d85525cfefaf8acf8ab9a310000be4b03"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3d59d125ffbd6d552765510e3f31ed75ebac2c7470c7274195b9161a32350284"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8cda06946eac330cbe6598f77bb54e690b4ca93f593dee1568ad22b04f347c15"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:07afec21bbbbf8a5cc3651aa96b980afe2526e7f048fdfb7f1014d84acc8b6d8"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:6b40e8d38afe634559e398cc32b1472f376a4099c75fe6299ae607e404c033b2"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:b8dcd239c743aa2f9c22ce674a145e0a25cb1566c495928440a181ca1ccf6719"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:84450ba661fb96e9fd67629b93d2941c871ca86fc38d835d19d4225ff946a631"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:44aeb140295a2f0659e113b31cfe92c9061622cadbc9e2a2f7b8ef6b1e29ef4b"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:1db4e7fefefd0f548d73e2e2e041f9df5c59e178b4c72fbac4cc6f535cfb1565"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-win32.whl", hash = "sha256:5726cf76c982532c1863fb64d8c6dd0e4c90b6ece9feb06c9f202417a31f7dd7"}, + {file = "charset_normalizer-3.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:b197e7094f232959f8f20541ead1d9862ac5ebea1d58e9849c1bf979255dfac9"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:dd4eda173a9fcccb5f2e2bd2a9f423d180194b1bf17cf59e3269899235b2a114"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:e9e3c4c9e1ed40ea53acf11e2a386383c3304212c965773704e4603d589343ed"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:92a7e36b000bf022ef3dbb9c46bfe2d52c047d5e3f3343f43204263c5addc250"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:54b6a92d009cbe2fb11054ba694bc9e284dad30a26757b1e372a1fdddaf21920"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ffd9493de4c922f2a38c2bf62b831dcec90ac673ed1ca182fe11b4d8e9f2a64"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:35c404d74c2926d0287fbd63ed5d27eb911eb9e4a3bb2c6d294f3cfd4a9e0c23"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4796efc4faf6b53a18e3d46343535caed491776a22af773f366534056c4e1fbc"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e7fdd52961feb4c96507aa649550ec2a0d527c086d284749b2f582f2d40a2e0d"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:92db3c28b5b2a273346bebb24857fda45601aef6ae1c011c0a997106581e8a88"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ab973df98fc99ab39080bfb0eb3a925181454d7c3ac8a1e695fddfae696d9e90"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:4b67fdab07fdd3c10bb21edab3cbfe8cf5696f453afce75d815d9d7223fbe88b"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:aa41e526a5d4a9dfcfbab0716c7e8a1b215abd3f3df5a45cf18a12721d31cb5d"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ffc519621dce0c767e96b9c53f09c5d215578e10b02c285809f76509a3931482"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-win32.whl", hash = "sha256:f19c1585933c82098c2a520f8ec1227f20e339e33aca8fa6f956f6691b784e67"}, + {file = "charset_normalizer-3.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:707b82d19e65c9bd28b81dde95249b07bf9f5b90ebe1ef17d9b57473f8a64b7b"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:dbe03226baf438ac4fda9e2d0715022fd579cb641c4cf639fa40d53b2fe6f3e2"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dd9a8bd8900e65504a305bf8ae6fa9fbc66de94178c420791d0293702fce2df7"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b8831399554b92b72af5932cdbbd4ddc55c55f631bb13ff8fe4e6536a06c5c51"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a14969b8691f7998e74663b77b4c36c0337cb1df552da83d5c9004a93afdb574"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dcaf7c1524c0542ee2fc82cc8ec337f7a9f7edee2532421ab200d2b920fc97cf"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:425c5f215d0eecee9a56cdb703203dda90423247421bf0d67125add85d0c4455"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-musllinux_1_2_aarch64.whl", hash = "sha256:d5b054862739d276e09928de37c79ddeec42a6e1bfc55863be96a36ba22926f6"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-musllinux_1_2_i686.whl", hash = "sha256:f3e73a4255342d4eb26ef6df01e3962e73aa29baa3124a8e824c5d3364a65748"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-musllinux_1_2_ppc64le.whl", hash = "sha256:2f6c34da58ea9c1a9515621f4d9ac379871a8f21168ba1b5e09d74250de5ad62"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-musllinux_1_2_s390x.whl", hash = "sha256:f09cb5a7bbe1ecae6e87901a2eb23e0256bb524a79ccc53eb0b7629fbe7677c4"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-musllinux_1_2_x86_64.whl", hash = "sha256:0099d79bdfcf5c1f0c2c72f91516702ebf8b0b8ddd8905f97a8aecf49712c621"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-win32.whl", hash = "sha256:9c98230f5042f4945f957d006edccc2af1e03ed5e37ce7c373f00a5a4daa6149"}, + {file = "charset_normalizer-3.4.0-cp37-cp37m-win_amd64.whl", hash = "sha256:62f60aebecfc7f4b82e3f639a7d1433a20ec32824db2199a11ad4f5e146ef5ee"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:af73657b7a68211996527dbfeffbb0864e043d270580c5aef06dc4b659a4b578"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:cab5d0b79d987c67f3b9e9c53f54a61360422a5a0bc075f43cab5621d530c3b6"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:9289fd5dddcf57bab41d044f1756550f9e7cf0c8e373b8cdf0ce8773dc4bd417"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b493a043635eb376e50eedf7818f2f322eabbaa974e948bd8bdd29eb7ef2a51"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9fa2566ca27d67c86569e8c85297aaf413ffab85a8960500f12ea34ff98e4c41"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a8e538f46104c815be19c975572d74afb53f29650ea2025bbfaef359d2de2f7f"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6fd30dc99682dc2c603c2b315bded2799019cea829f8bf57dc6b61efde6611c8"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2006769bd1640bdf4d5641c69a3d63b71b81445473cac5ded39740a226fa88ab"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:dc15e99b2d8a656f8e666854404f1ba54765871104e50c8e9813af8a7db07f12"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:ab2e5bef076f5a235c3774b4f4028a680432cded7cad37bba0fd90d64b187d19"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:4ec9dd88a5b71abfc74e9df5ebe7921c35cbb3b641181a531ca65cdb5e8e4dea"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:43193c5cda5d612f247172016c4bb71251c784d7a4d9314677186a838ad34858"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:aa693779a8b50cd97570e5a0f343538a8dbd3e496fa5dcb87e29406ad0299654"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-win32.whl", hash = "sha256:7706f5850360ac01d80c89bcef1640683cc12ed87f42579dab6c5d3ed6888613"}, + {file = "charset_normalizer-3.4.0-cp38-cp38-win_amd64.whl", hash = "sha256:c3e446d253bd88f6377260d07c895816ebf33ffffd56c1c792b13bff9c3e1ade"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:980b4f289d1d90ca5efcf07958d3eb38ed9c0b7676bf2831a54d4f66f9c27dfa"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:f28f891ccd15c514a0981f3b9db9aa23d62fe1a99997512b0491d2ed323d229a"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a8aacce6e2e1edcb6ac625fb0f8c3a9570ccc7bfba1f63419b3769ccf6a00ed0"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bd7af3717683bea4c87acd8c0d3d5b44d56120b26fd3f8a692bdd2d5260c620a"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5ff2ed8194587faf56555927b3aa10e6fb69d931e33953943bc4f837dfee2242"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e91f541a85298cf35433bf66f3fab2a4a2cff05c127eeca4af174f6d497f0d4b"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:309a7de0a0ff3040acaebb35ec45d18db4b28232f21998851cfa709eeff49d62"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:285e96d9d53422efc0d7a17c60e59f37fbf3dfa942073f666db4ac71e8d726d0"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:5d447056e2ca60382d460a604b6302d8db69476fd2015c81e7c35417cfabe4cd"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:20587d20f557fe189b7947d8e7ec5afa110ccf72a3128d61a2a387c3313f46be"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:130272c698667a982a5d0e626851ceff662565379baf0ff2cc58067b81d4f11d"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:ab22fbd9765e6954bc0bcff24c25ff71dcbfdb185fcdaca49e81bac68fe724d3"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:7782afc9b6b42200f7362858f9e73b1f8316afb276d316336c0ec3bd73312742"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-win32.whl", hash = "sha256:2de62e8801ddfff069cd5c504ce3bc9672b23266597d4e4f50eda28846c322f2"}, + {file = "charset_normalizer-3.4.0-cp39-cp39-win_amd64.whl", hash = "sha256:95c3c157765b031331dd4db3c775e58deaee050a3042fcad72cbc4189d7c8dca"}, + {file = "charset_normalizer-3.4.0-py3-none-any.whl", hash = "sha256:fe9f97feb71aa9896b81973a7bbada8c49501dc73e58a10fcef6663af95e5079"}, + {file = "charset_normalizer-3.4.0.tar.gz", hash = "sha256:223217c3d4f82c3ac5e29032b3f1c2eb0fb591b72161f86d93f5719079dae93e"}, ] [[package]] @@ -168,24 +183,27 @@ dev = ["flake8", "markdown", "twine", "wheel"] [[package]] name = "idna" -version = "3.6" +version = "3.10" description = "Internationalized Domain Names in Applications (IDNA)" optional = false -python-versions = ">=3.5" +python-versions = ">=3.6" files = [ - {file = "idna-3.6-py3-none-any.whl", hash = "sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f"}, - {file = "idna-3.6.tar.gz", hash = "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca"}, + {file = "idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"}, + {file = "idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"}, ] +[package.extras] +all = ["flake8 (>=7.1.1)", "mypy (>=1.11.2)", "pytest (>=8.3.2)", "ruff (>=0.6.2)"] + [[package]] name = "jinja2" -version = "3.1.3" +version = "3.1.4" description = "A very fast and expressive template engine." optional = false python-versions = ">=3.7" files = [ - {file = "Jinja2-3.1.3-py3-none-any.whl", hash = "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa"}, - {file = "Jinja2-3.1.3.tar.gz", hash = "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90"}, + {file = "jinja2-3.1.4-py3-none-any.whl", hash = "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d"}, + {file = "jinja2-3.1.4.tar.gz", hash = "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369"}, ] [package.dependencies] @@ -241,71 +259,72 @@ tests = ["pytest"] [[package]] name = "markupsafe" -version = "2.1.5" +version = "3.0.2" description = "Safely add untrusted strings to HTML/XML markup." optional = false -python-versions = ">=3.7" +python-versions = ">=3.9" files = [ - {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-win32.whl", hash = "sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4"}, - {file = "MarkupSafe-2.1.5-cp310-cp310-win_amd64.whl", hash = "sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-win32.whl", hash = "sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906"}, - {file = "MarkupSafe-2.1.5-cp311-cp311-win_amd64.whl", hash = "sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-win32.whl", hash = "sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad"}, - {file = "MarkupSafe-2.1.5-cp312-cp312-win_amd64.whl", hash = "sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-win32.whl", hash = "sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371"}, - {file = "MarkupSafe-2.1.5-cp37-cp37m-win_amd64.whl", hash = "sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-win32.whl", hash = "sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff"}, - {file = "MarkupSafe-2.1.5-cp38-cp38-win_amd64.whl", hash = "sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-win32.whl", hash = "sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf"}, - {file = "MarkupSafe-2.1.5-cp39-cp39-win_amd64.whl", hash = "sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5"}, - {file = "MarkupSafe-2.1.5.tar.gz", hash = "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-win32.whl", hash = "sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"}, + {file = "MarkupSafe-3.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-win32.whl", hash = "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d"}, + {file = "MarkupSafe-3.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-win32.whl", hash = "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30"}, + {file = "MarkupSafe-3.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-win32.whl", hash = "sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1"}, + {file = "MarkupSafe-3.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-win32.whl", hash = "sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6"}, + {file = "MarkupSafe-3.0.2-cp313-cp313t-win_amd64.whl", hash = "sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-win32.whl", hash = "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f"}, + {file = "MarkupSafe-3.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a"}, + {file = "markupsafe-3.0.2.tar.gz", hash = "sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0"}, ] [[package]] @@ -321,13 +340,13 @@ files = [ [[package]] name = "mkdocs" -version = "1.5.3" +version = "1.6.1" description = "Project documentation with Markdown." optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "mkdocs-1.5.3-py3-none-any.whl", hash = "sha256:3b3a78e736b31158d64dbb2f8ba29bd46a379d0c6e324c2246c3bc3d2189cfc1"}, - {file = "mkdocs-1.5.3.tar.gz", hash = "sha256:eb7c99214dcb945313ba30426c2451b735992c73c2e10838f76d09e39ff4d0e2"}, + {file = "mkdocs-1.6.1-py3-none-any.whl", hash = "sha256:db91759624d1647f3f34aa0c3f327dd2601beae39a366d6e064c03468d35c20e"}, + {file = "mkdocs-1.6.1.tar.gz", hash = "sha256:7b432f01d928c084353ab39c57282f29f92136665bdd6abf7c1ec8d822ef86f2"}, ] [package.dependencies] @@ -335,29 +354,45 @@ click = ">=7.0" colorama = {version = ">=0.4", markers = "platform_system == \"Windows\""} ghp-import = ">=1.0" jinja2 = ">=2.11.1" -markdown = ">=3.2.1" +markdown = ">=3.3.6" markupsafe = ">=2.0.1" mergedeep = ">=1.3.4" +mkdocs-get-deps = ">=0.2.0" packaging = ">=20.5" pathspec = ">=0.11.1" -platformdirs = ">=2.2.0" pyyaml = ">=5.1" pyyaml-env-tag = ">=0.1" watchdog = ">=2.0" [package.extras] i18n = ["babel (>=2.9.0)"] -min-versions = ["babel (==2.9.0)", "click (==7.0)", "colorama (==0.4)", "ghp-import (==1.0)", "importlib-metadata (==4.3)", "jinja2 (==2.11.1)", "markdown (==3.2.1)", "markupsafe (==2.0.1)", "mergedeep (==1.3.4)", "packaging (==20.5)", "pathspec (==0.11.1)", "platformdirs (==2.2.0)", "pyyaml (==5.1)", "pyyaml-env-tag (==0.1)", "typing-extensions (==3.10)", "watchdog (==2.0)"] +min-versions = ["babel (==2.9.0)", "click (==7.0)", "colorama (==0.4)", "ghp-import (==1.0)", "importlib-metadata (==4.4)", "jinja2 (==2.11.1)", "markdown (==3.3.6)", "markupsafe (==2.0.1)", "mergedeep (==1.3.4)", "mkdocs-get-deps (==0.2.0)", "packaging (==20.5)", "pathspec (==0.11.1)", "pyyaml (==5.1)", "pyyaml-env-tag (==0.1)", "watchdog (==2.0)"] + +[[package]] +name = "mkdocs-get-deps" +version = "0.2.0" +description = "MkDocs extension that lists all dependencies according to a mkdocs.yml file" +optional = false +python-versions = ">=3.8" +files = [ + {file = "mkdocs_get_deps-0.2.0-py3-none-any.whl", hash = "sha256:2bf11d0b133e77a0dd036abeeb06dec8775e46efa526dc70667d8863eefc6134"}, + {file = "mkdocs_get_deps-0.2.0.tar.gz", hash = "sha256:162b3d129c7fad9b19abfdcb9c1458a651628e4b1dea628ac68790fb3061c60c"}, +] + +[package.dependencies] +mergedeep = ">=1.3.4" +platformdirs = ">=2.2.0" +pyyaml = ">=5.1" [[package]] name = "mkdocs-material" -version = "9.5.14" +version = "9.5.44" description = "Documentation that simply works" optional = false python-versions = ">=3.8" files = [ - {file = "mkdocs_material-9.5.14-py3-none-any.whl", hash = "sha256:a45244ac221fda46ecf8337f00ec0e5cb5348ab9ffb203ca2a0c313b0d4dbc27"}, - {file = "mkdocs_material-9.5.14.tar.gz", hash = "sha256:2a1f8e67cda2587ab93ecea9ba42d0ca61d1d7b5fad8cf690eeaeb39dcd4b9af"}, + {file = "mkdocs_material-9.5.44-py3-none-any.whl", hash = "sha256:47015f9c167d58a5ff5e682da37441fc4d66a1c79334bfc08d774763cacf69ca"}, + {file = "mkdocs_material-9.5.44.tar.gz", hash = "sha256:f3a6c968e524166b3f3ed1fb97d3ed3e0091183b0545cedf7156a2a6804c56c0"}, ] [package.dependencies] @@ -365,7 +400,7 @@ babel = ">=2.10,<3.0" colorama = ">=0.4,<1.0" jinja2 = ">=3.0,<4.0" markdown = ">=3.2,<4.0" -mkdocs = ">=1.5.3,<1.6.0" +mkdocs = ">=1.6,<2.0" mkdocs-material-extensions = ">=1.3,<2.0" paginate = ">=0.5,<1.0" pygments = ">=2.16,<3.0" @@ -391,44 +426,44 @@ files = [ [[package]] name = "mkdocs-redirects" -version = "1.2.1" -description = "A MkDocs plugin for dynamic page redirects to prevent broken links." +version = "1.2.2" +description = "A MkDocs plugin for dynamic page redirects to prevent broken links" optional = false -python-versions = ">=3.6" +python-versions = ">=3.8" files = [ - {file = "mkdocs-redirects-1.2.1.tar.gz", hash = "sha256:9420066d70e2a6bb357adf86e67023dcdca1857f97f07c7fe450f8f1fb42f861"}, - {file = "mkdocs_redirects-1.2.1-py3-none-any.whl", hash = "sha256:497089f9e0219e7389304cffefccdfa1cac5ff9509f2cb706f4c9b221726dffb"}, + {file = "mkdocs_redirects-1.2.2-py3-none-any.whl", hash = "sha256:7dbfa5647b79a3589da4401403d69494bd1f4ad03b9c15136720367e1f340ed5"}, + {file = "mkdocs_redirects-1.2.2.tar.gz", hash = "sha256:3094981b42ffab29313c2c1b8ac3969861109f58b2dd58c45fc81cd44bfa0095"}, ] [package.dependencies] mkdocs = ">=1.1.1" -[package.extras] -dev = ["autoflake", "black", "isort", "pytest", "twine (>=1.13.0)"] -release = ["twine (>=1.13.0)"] -test = ["autoflake", "black", "isort", "pytest"] - [[package]] name = "packaging" -version = "24.0" +version = "24.2" description = "Core utilities for Python packages" optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "packaging-24.0-py3-none-any.whl", hash = "sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5"}, - {file = "packaging-24.0.tar.gz", hash = "sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9"}, + {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"}, + {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"}, ] [[package]] name = "paginate" -version = "0.5.6" +version = "0.5.7" description = "Divides large result sets into pages for easier browsing" optional = false python-versions = "*" files = [ - {file = "paginate-0.5.6.tar.gz", hash = "sha256:5e6007b6a9398177a7e1648d04fdd9f8c9766a1a945bceac82f1929e8c78af2d"}, + {file = "paginate-0.5.7-py2.py3-none-any.whl", hash = "sha256:b885e2af73abcf01d9559fd5216b57ef722f8c42affbb63942377668e35c7591"}, + {file = "paginate-0.5.7.tar.gz", hash = "sha256:22bd083ab41e1a8b4f3690544afb2c60c25e5c9a63a30fa2f483f6c60c8e5945"}, ] +[package.extras] +dev = ["pytest", "tox"] +lint = ["black"] + [[package]] name = "pathspec" version = "0.12.1" @@ -442,32 +477,32 @@ files = [ [[package]] name = "platformdirs" -version = "4.2.0" -description = "A small Python package for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." +version = "4.3.6" +description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." optional = false python-versions = ">=3.8" files = [ - {file = "platformdirs-4.2.0-py3-none-any.whl", hash = "sha256:0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068"}, - {file = "platformdirs-4.2.0.tar.gz", hash = "sha256:ef0cc731df711022c174543cb70a9b5bd22e5a9337c8624ef2c2ceb8ddad8768"}, + {file = "platformdirs-4.3.6-py3-none-any.whl", hash = "sha256:73e575e1408ab8103900836b97580d5307456908a03e92031bab39e4554cc3fb"}, + {file = "platformdirs-4.3.6.tar.gz", hash = "sha256:357fb2acbc885b0419afd3ce3ed34564c13c9b95c89360cd9563f73aa5e2b907"}, ] [package.extras] -docs = ["furo (>=2023.9.10)", "proselint (>=0.13)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] -test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)"] +docs = ["furo (>=2024.8.6)", "proselint (>=0.14)", "sphinx (>=8.0.2)", "sphinx-autodoc-typehints (>=2.4)"] +test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=8.3.2)", "pytest-cov (>=5)", "pytest-mock (>=3.14)"] +type = ["mypy (>=1.11.2)"] [[package]] name = "pygments" -version = "2.17.2" +version = "2.18.0" description = "Pygments is a syntax highlighting package written in Python." optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "pygments-2.17.2-py3-none-any.whl", hash = "sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c"}, - {file = "pygments-2.17.2.tar.gz", hash = "sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367"}, + {file = "pygments-2.18.0-py3-none-any.whl", hash = "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a"}, + {file = "pygments-2.18.0.tar.gz", hash = "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199"}, ] [package.extras] -plugins = ["importlib-metadata"] windows-terminal = ["colorama (>=0.4.6)"] [[package]] @@ -504,62 +539,64 @@ six = ">=1.5" [[package]] name = "pyyaml" -version = "6.0.1" +version = "6.0.2" description = "YAML parser and emitter for Python" optional = false -python-versions = ">=3.6" +python-versions = ">=3.8" files = [ - {file = "PyYAML-6.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a"}, - {file = "PyYAML-6.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"}, - {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"}, - {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"}, - {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"}, - {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"}, - {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"}, - {file = "PyYAML-6.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"}, - {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"}, - {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"}, - {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"}, - {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"}, - {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"}, - {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"}, - {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"}, - {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"}, - {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"}, - {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"}, - {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"}, - {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"}, - {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd"}, - {file = "PyYAML-6.0.1-cp36-cp36m-win32.whl", hash = "sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585"}, - {file = "PyYAML-6.0.1-cp36-cp36m-win_amd64.whl", hash = "sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa"}, - {file = "PyYAML-6.0.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3"}, - {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c"}, - {file = "PyYAML-6.0.1-cp37-cp37m-win32.whl", hash = "sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba"}, - {file = "PyYAML-6.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867"}, - {file = "PyYAML-6.0.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"}, - {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"}, - {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"}, - {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"}, - {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"}, - {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"}, - {file = "PyYAML-6.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"}, - {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"}, - {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"}, - {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"}, - {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"}, - {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"}, + {file = "PyYAML-6.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086"}, + {file = "PyYAML-6.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b"}, + {file = "PyYAML-6.0.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed"}, + {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180"}, + {file = "PyYAML-6.0.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68"}, + {file = "PyYAML-6.0.2-cp310-cp310-win32.whl", hash = "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99"}, + {file = "PyYAML-6.0.2-cp310-cp310-win_amd64.whl", hash = "sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e"}, + {file = "PyYAML-6.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774"}, + {file = "PyYAML-6.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee"}, + {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c"}, + {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317"}, + {file = "PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85"}, + {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"}, + {file = "PyYAML-6.0.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e"}, + {file = "PyYAML-6.0.2-cp311-cp311-win32.whl", hash = "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5"}, + {file = "PyYAML-6.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44"}, + {file = "PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab"}, + {file = "PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425"}, + {file = "PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476"}, + {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48"}, + {file = "PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b"}, + {file = "PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4"}, + {file = "PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8"}, + {file = "PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba"}, + {file = "PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484"}, + {file = "PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5"}, + {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc"}, + {file = "PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652"}, + {file = "PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183"}, + {file = "PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563"}, + {file = "PyYAML-6.0.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d"}, + {file = "PyYAML-6.0.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083"}, + {file = "PyYAML-6.0.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706"}, + {file = "PyYAML-6.0.2-cp38-cp38-win32.whl", hash = "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a"}, + {file = "PyYAML-6.0.2-cp38-cp38-win_amd64.whl", hash = "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff"}, + {file = "PyYAML-6.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d"}, + {file = "PyYAML-6.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12"}, + {file = "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19"}, + {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e"}, + {file = "PyYAML-6.0.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725"}, + {file = "PyYAML-6.0.2-cp39-cp39-win32.whl", hash = "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631"}, + {file = "PyYAML-6.0.2-cp39-cp39-win_amd64.whl", hash = "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8"}, + {file = "pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"}, ] [[package]] @@ -578,115 +615,116 @@ pyyaml = "*" [[package]] name = "regex" -version = "2023.12.25" +version = "2024.11.6" description = "Alternative regular expression module, to replace re." optional = false -python-versions = ">=3.7" +python-versions = ">=3.8" files = [ - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8"}, - {file = "regex-2023.12.25-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5"}, - {file = "regex-2023.12.25-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423"}, - {file = "regex-2023.12.25-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f"}, - {file = "regex-2023.12.25-cp310-cp310-win32.whl", hash = "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630"}, - {file = "regex-2023.12.25-cp310-cp310-win_amd64.whl", hash = "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97"}, - {file = "regex-2023.12.25-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa"}, - {file = "regex-2023.12.25-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd"}, - {file = "regex-2023.12.25-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4"}, - {file = "regex-2023.12.25-cp311-cp311-win32.whl", hash = "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87"}, - {file = "regex-2023.12.25-cp311-cp311-win_amd64.whl", hash = "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d"}, - {file = "regex-2023.12.25-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3"}, - {file = "regex-2023.12.25-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf"}, - {file = "regex-2023.12.25-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d"}, - {file = "regex-2023.12.25-cp312-cp312-win32.whl", hash = "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5"}, - {file = "regex-2023.12.25-cp312-cp312-win_amd64.whl", hash = "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232"}, - {file = "regex-2023.12.25-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f"}, - {file = "regex-2023.12.25-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347"}, - {file = "regex-2023.12.25-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39"}, - {file = "regex-2023.12.25-cp37-cp37m-win32.whl", hash = "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c"}, - {file = "regex-2023.12.25-cp37-cp37m-win_amd64.whl", hash = "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64"}, - {file = "regex-2023.12.25-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988"}, - {file = "regex-2023.12.25-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756"}, - {file = "regex-2023.12.25-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2"}, - {file = "regex-2023.12.25-cp38-cp38-win32.whl", hash = "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb"}, - {file = "regex-2023.12.25-cp38-cp38-win_amd64.whl", hash = "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7"}, - {file = "regex-2023.12.25-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6"}, - {file = "regex-2023.12.25-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f"}, - {file = "regex-2023.12.25-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20"}, - {file = "regex-2023.12.25-cp39-cp39-win32.whl", hash = "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9"}, - {file = "regex-2023.12.25-cp39-cp39-win_amd64.whl", hash = "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91"}, - {file = "regex-2023.12.25.tar.gz", hash = "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5"}, + {file = "regex-2024.11.6-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:ff590880083d60acc0433f9c3f713c51f7ac6ebb9adf889c79a261ecf541aa91"}, + {file = "regex-2024.11.6-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:658f90550f38270639e83ce492f27d2c8d2cd63805c65a13a14d36ca126753f0"}, + {file = "regex-2024.11.6-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:164d8b7b3b4bcb2068b97428060b2a53be050085ef94eca7f240e7947f1b080e"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d3660c82f209655a06b587d55e723f0b813d3a7db2e32e5e7dc64ac2a9e86fde"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d22326fcdef5e08c154280b71163ced384b428343ae16a5ab2b3354aed12436e"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f1ac758ef6aebfc8943560194e9fd0fa18bcb34d89fd8bd2af18183afd8da3a2"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:997d6a487ff00807ba810e0f8332c18b4eb8d29463cfb7c820dc4b6e7562d0cf"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:02a02d2bb04fec86ad61f3ea7f49c015a0681bf76abb9857f945d26159d2968c"}, + {file = "regex-2024.11.6-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:f02f93b92358ee3f78660e43b4b0091229260c5d5c408d17d60bf26b6c900e86"}, + {file = "regex-2024.11.6-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:06eb1be98df10e81ebaded73fcd51989dcf534e3c753466e4b60c4697a003b67"}, + {file = "regex-2024.11.6-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:040df6fe1a5504eb0f04f048e6d09cd7c7110fef851d7c567a6b6e09942feb7d"}, + {file = "regex-2024.11.6-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:fdabbfc59f2c6edba2a6622c647b716e34e8e3867e0ab975412c5c2f79b82da2"}, + {file = "regex-2024.11.6-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:8447d2d39b5abe381419319f942de20b7ecd60ce86f16a23b0698f22e1b70008"}, + {file = "regex-2024.11.6-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:da8f5fc57d1933de22a9e23eec290a0d8a5927a5370d24bda9a6abe50683fe62"}, + {file = "regex-2024.11.6-cp310-cp310-win32.whl", hash = "sha256:b489578720afb782f6ccf2840920f3a32e31ba28a4b162e13900c3e6bd3f930e"}, + {file = "regex-2024.11.6-cp310-cp310-win_amd64.whl", hash = "sha256:5071b2093e793357c9d8b2929dfc13ac5f0a6c650559503bb81189d0a3814519"}, + {file = "regex-2024.11.6-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:5478c6962ad548b54a591778e93cd7c456a7a29f8eca9c49e4f9a806dcc5d638"}, + {file = "regex-2024.11.6-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:2c89a8cc122b25ce6945f0423dc1352cb9593c68abd19223eebbd4e56612c5b7"}, + {file = "regex-2024.11.6-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:94d87b689cdd831934fa3ce16cc15cd65748e6d689f5d2b8f4f4df2065c9fa20"}, + {file = "regex-2024.11.6-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1062b39a0a2b75a9c694f7a08e7183a80c63c0d62b301418ffd9c35f55aaa114"}, + {file = "regex-2024.11.6-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:167ed4852351d8a750da48712c3930b031f6efdaa0f22fa1933716bfcd6bf4a3"}, + {file = "regex-2024.11.6-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2d548dafee61f06ebdb584080621f3e0c23fff312f0de1afc776e2a2ba99a74f"}, + {file = "regex-2024.11.6-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f2a19f302cd1ce5dd01a9099aaa19cae6173306d1302a43b627f62e21cf18ac0"}, + {file = "regex-2024.11.6-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bec9931dfb61ddd8ef2ebc05646293812cb6b16b60cf7c9511a832b6f1854b55"}, + {file = "regex-2024.11.6-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:9714398225f299aa85267fd222f7142fcb5c769e73d7733344efc46f2ef5cf89"}, + {file = "regex-2024.11.6-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:202eb32e89f60fc147a41e55cb086db2a3f8cb82f9a9a88440dcfc5d37faae8d"}, + {file = "regex-2024.11.6-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:4181b814e56078e9b00427ca358ec44333765f5ca1b45597ec7446d3a1ef6e34"}, + {file = "regex-2024.11.6-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:068376da5a7e4da51968ce4c122a7cd31afaaec4fccc7856c92f63876e57b51d"}, + {file = "regex-2024.11.6-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ac10f2c4184420d881a3475fb2c6f4d95d53a8d50209a2500723d831036f7c45"}, + {file = "regex-2024.11.6-cp311-cp311-win32.whl", hash = "sha256:c36f9b6f5f8649bb251a5f3f66564438977b7ef8386a52460ae77e6070d309d9"}, + {file = "regex-2024.11.6-cp311-cp311-win_amd64.whl", hash = "sha256:02e28184be537f0e75c1f9b2f8847dc51e08e6e171c6bde130b2687e0c33cf60"}, + {file = "regex-2024.11.6-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:52fb28f528778f184f870b7cf8f225f5eef0a8f6e3778529bdd40c7b3920796a"}, + {file = "regex-2024.11.6-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:fdd6028445d2460f33136c55eeb1f601ab06d74cb3347132e1c24250187500d9"}, + {file = "regex-2024.11.6-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:805e6b60c54bf766b251e94526ebad60b7de0c70f70a4e6210ee2891acb70bf2"}, + {file = "regex-2024.11.6-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b85c2530be953a890eaffde05485238f07029600e8f098cdf1848d414a8b45e4"}, + {file = "regex-2024.11.6-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bb26437975da7dc36b7efad18aa9dd4ea569d2357ae6b783bf1118dabd9ea577"}, + {file = "regex-2024.11.6-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:abfa5080c374a76a251ba60683242bc17eeb2c9818d0d30117b4486be10c59d3"}, + {file = "regex-2024.11.6-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b7fa6606c2881c1db9479b0eaa11ed5dfa11c8d60a474ff0e095099f39d98e"}, + {file = "regex-2024.11.6-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0c32f75920cf99fe6b6c539c399a4a128452eaf1af27f39bce8909c9a3fd8cbe"}, + {file = "regex-2024.11.6-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:982e6d21414e78e1f51cf595d7f321dcd14de1f2881c5dc6a6e23bbbbd68435e"}, + {file = "regex-2024.11.6-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:a7c2155f790e2fb448faed6dd241386719802296ec588a8b9051c1f5c481bc29"}, + {file = "regex-2024.11.6-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:149f5008d286636e48cd0b1dd65018548944e495b0265b45e1bffecce1ef7f39"}, + {file = "regex-2024.11.6-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:e5364a4502efca094731680e80009632ad6624084aff9a23ce8c8c6820de3e51"}, + {file = "regex-2024.11.6-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:0a86e7eeca091c09e021db8eb72d54751e527fa47b8d5787caf96d9831bd02ad"}, + {file = "regex-2024.11.6-cp312-cp312-win32.whl", hash = "sha256:32f9a4c643baad4efa81d549c2aadefaeba12249b2adc5af541759237eee1c54"}, + {file = "regex-2024.11.6-cp312-cp312-win_amd64.whl", hash = "sha256:a93c194e2df18f7d264092dc8539b8ffb86b45b899ab976aa15d48214138e81b"}, + {file = "regex-2024.11.6-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:a6ba92c0bcdf96cbf43a12c717eae4bc98325ca3730f6b130ffa2e3c3c723d84"}, + {file = "regex-2024.11.6-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:525eab0b789891ac3be914d36893bdf972d483fe66551f79d3e27146191a37d4"}, + {file = "regex-2024.11.6-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:086a27a0b4ca227941700e0b31425e7a28ef1ae8e5e05a33826e17e47fbfdba0"}, + {file = "regex-2024.11.6-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bde01f35767c4a7899b7eb6e823b125a64de314a8ee9791367c9a34d56af18d0"}, + {file = "regex-2024.11.6-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b583904576650166b3d920d2bcce13971f6f9e9a396c673187f49811b2769dc7"}, + {file = "regex-2024.11.6-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1c4de13f06a0d54fa0d5ab1b7138bfa0d883220965a29616e3ea61b35d5f5fc7"}, + {file = "regex-2024.11.6-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3cde6e9f2580eb1665965ce9bf17ff4952f34f5b126beb509fee8f4e994f143c"}, + {file = "regex-2024.11.6-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0d7f453dca13f40a02b79636a339c5b62b670141e63efd511d3f8f73fba162b3"}, + {file = "regex-2024.11.6-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:59dfe1ed21aea057a65c6b586afd2a945de04fc7db3de0a6e3ed5397ad491b07"}, + {file = "regex-2024.11.6-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:b97c1e0bd37c5cd7902e65f410779d39eeda155800b65fc4d04cc432efa9bc6e"}, + {file = "regex-2024.11.6-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:f9d1e379028e0fc2ae3654bac3cbbef81bf3fd571272a42d56c24007979bafb6"}, + {file = "regex-2024.11.6-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:13291b39131e2d002a7940fb176e120bec5145f3aeb7621be6534e46251912c4"}, + {file = "regex-2024.11.6-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4f51f88c126370dcec4908576c5a627220da6c09d0bff31cfa89f2523843316d"}, + {file = "regex-2024.11.6-cp313-cp313-win32.whl", hash = "sha256:63b13cfd72e9601125027202cad74995ab26921d8cd935c25f09c630436348ff"}, + {file = "regex-2024.11.6-cp313-cp313-win_amd64.whl", hash = "sha256:2b3361af3198667e99927da8b84c1b010752fa4b1115ee30beaa332cabc3ef1a"}, + {file = "regex-2024.11.6-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:3a51ccc315653ba012774efca4f23d1d2a8a8f278a6072e29c7147eee7da446b"}, + {file = "regex-2024.11.6-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ad182d02e40de7459b73155deb8996bbd8e96852267879396fb274e8700190e3"}, + {file = "regex-2024.11.6-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ba9b72e5643641b7d41fa1f6d5abda2c9a263ae835b917348fc3c928182ad467"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40291b1b89ca6ad8d3f2b82782cc33807f1406cf68c8d440861da6304d8ffbbd"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:cdf58d0e516ee426a48f7b2c03a332a4114420716d55769ff7108c37a09951bf"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a36fdf2af13c2b14738f6e973aba563623cb77d753bbbd8d414d18bfaa3105dd"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d1cee317bfc014c2419a76bcc87f071405e3966da434e03e13beb45f8aced1a6"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:50153825ee016b91549962f970d6a4442fa106832e14c918acd1c8e479916c4f"}, + {file = "regex-2024.11.6-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:ea1bfda2f7162605f6e8178223576856b3d791109f15ea99a9f95c16a7636fb5"}, + {file = "regex-2024.11.6-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:df951c5f4a1b1910f1a99ff42c473ff60f8225baa1cdd3539fe2819d9543e9df"}, + {file = "regex-2024.11.6-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:072623554418a9911446278f16ecb398fb3b540147a7828c06e2011fa531e773"}, + {file = "regex-2024.11.6-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:f654882311409afb1d780b940234208a252322c24a93b442ca714d119e68086c"}, + {file = "regex-2024.11.6-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:89d75e7293d2b3e674db7d4d9b1bee7f8f3d1609428e293771d1a962617150cc"}, + {file = "regex-2024.11.6-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:f65557897fc977a44ab205ea871b690adaef6b9da6afda4790a2484b04293a5f"}, + {file = "regex-2024.11.6-cp38-cp38-win32.whl", hash = "sha256:6f44ec28b1f858c98d3036ad5d7d0bfc568bdd7a74f9c24e25f41ef1ebfd81a4"}, + {file = "regex-2024.11.6-cp38-cp38-win_amd64.whl", hash = "sha256:bb8f74f2f10dbf13a0be8de623ba4f9491faf58c24064f32b65679b021ed0001"}, + {file = "regex-2024.11.6-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5704e174f8ccab2026bd2f1ab6c510345ae8eac818b613d7d73e785f1310f839"}, + {file = "regex-2024.11.6-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:220902c3c5cc6af55d4fe19ead504de80eb91f786dc102fbd74894b1551f095e"}, + {file = "regex-2024.11.6-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:5e7e351589da0850c125f1600a4c4ba3c722efefe16b297de54300f08d734fbf"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5056b185ca113c88e18223183aa1a50e66507769c9640a6ff75859619d73957b"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2e34b51b650b23ed3354b5a07aab37034d9f923db2a40519139af34f485f77d0"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5670bce7b200273eee1840ef307bfa07cda90b38ae56e9a6ebcc9f50da9c469b"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:08986dce1339bc932923e7d1232ce9881499a0e02925f7402fb7c982515419ef"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:93c0b12d3d3bc25af4ebbf38f9ee780a487e8bf6954c115b9f015822d3bb8e48"}, + {file = "regex-2024.11.6-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:764e71f22ab3b305e7f4c21f1a97e1526a25ebdd22513e251cf376760213da13"}, + {file = "regex-2024.11.6-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:f056bf21105c2515c32372bbc057f43eb02aae2fda61052e2f7622c801f0b4e2"}, + {file = "regex-2024.11.6-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:69ab78f848845569401469da20df3e081e6b5a11cb086de3eed1d48f5ed57c95"}, + {file = "regex-2024.11.6-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:86fddba590aad9208e2fa8b43b4c098bb0ec74f15718bb6a704e3c63e2cef3e9"}, + {file = "regex-2024.11.6-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:684d7a212682996d21ca12ef3c17353c021fe9de6049e19ac8481ec35574a70f"}, + {file = "regex-2024.11.6-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:a03e02f48cd1abbd9f3b7e3586d97c8f7a9721c436f51a5245b3b9483044480b"}, + {file = "regex-2024.11.6-cp39-cp39-win32.whl", hash = "sha256:41758407fc32d5c3c5de163888068cfee69cb4c2be844e7ac517a52770f9af57"}, + {file = "regex-2024.11.6-cp39-cp39-win_amd64.whl", hash = "sha256:b2837718570f95dd41675328e111345f9b7095d821bac435aac173ac80b19983"}, + {file = "regex-2024.11.6.tar.gz", hash = "sha256:7ab159b063c52a0333c884e4679f8d7a85112ee3078fe3d9004b2dd875585519"}, ] [[package]] name = "requests" -version = "2.32.0" +version = "2.32.3" description = "Python HTTP for Humans." optional = false python-versions = ">=3.8" files = [ - {file = "requests-2.32.0-py3-none-any.whl", hash = "sha256:f2c3881dddb70d056c5bd7600a4fae312b2a300e39be6a118d30b90bd27262b5"}, - {file = "requests-2.32.0.tar.gz", hash = "sha256:fa5490319474c82ef1d2c9bc459d3652e3ae4ef4c4ebdd18a21145a47ca4b6b8"}, + {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, + {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, ] [package.dependencies] @@ -712,13 +750,13 @@ files = [ [[package]] name = "urllib3" -version = "2.2.2" +version = "2.2.3" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.8" files = [ - {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"}, - {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"}, + {file = "urllib3-2.2.3-py3-none-any.whl", hash = "sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac"}, + {file = "urllib3-2.2.3.tar.gz", hash = "sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9"}, ] [package.extras] @@ -729,40 +767,41 @@ zstd = ["zstandard (>=0.18.0)"] [[package]] name = "watchdog" -version = "4.0.0" +version = "6.0.0" description = "Filesystem events monitoring" optional = false -python-versions = ">=3.8" +python-versions = ">=3.9" files = [ - {file = "watchdog-4.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:39cb34b1f1afbf23e9562501673e7146777efe95da24fab5707b88f7fb11649b"}, - {file = "watchdog-4.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c522392acc5e962bcac3b22b9592493ffd06d1fc5d755954e6be9f4990de932b"}, - {file = "watchdog-4.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6c47bdd680009b11c9ac382163e05ca43baf4127954c5f6d0250e7d772d2b80c"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8350d4055505412a426b6ad8c521bc7d367d1637a762c70fdd93a3a0d595990b"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c17d98799f32e3f55f181f19dd2021d762eb38fdd381b4a748b9f5a36738e935"}, - {file = "watchdog-4.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4986db5e8880b0e6b7cd52ba36255d4793bf5cdc95bd6264806c233173b1ec0b"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:11e12fafb13372e18ca1bbf12d50f593e7280646687463dd47730fd4f4d5d257"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:5369136a6474678e02426bd984466343924d1df8e2fd94a9b443cb7e3aa20d19"}, - {file = "watchdog-4.0.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:76ad8484379695f3fe46228962017a7e1337e9acadafed67eb20aabb175df98b"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:45cc09cc4c3b43fb10b59ef4d07318d9a3ecdbff03abd2e36e77b6dd9f9a5c85"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:eed82cdf79cd7f0232e2fdc1ad05b06a5e102a43e331f7d041e5f0e0a34a51c4"}, - {file = "watchdog-4.0.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ba30a896166f0fee83183cec913298151b73164160d965af2e93a20bbd2ab605"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:d18d7f18a47de6863cd480734613502904611730f8def45fc52a5d97503e5101"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:2895bf0518361a9728773083908801a376743bcc37dfa252b801af8fd281b1ca"}, - {file = "watchdog-4.0.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:87e9df830022488e235dd601478c15ad73a0389628588ba0b028cb74eb72fed8"}, - {file = "watchdog-4.0.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:6e949a8a94186bced05b6508faa61b7adacc911115664ccb1923b9ad1f1ccf7b"}, - {file = "watchdog-4.0.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:6a4db54edea37d1058b08947c789a2354ee02972ed5d1e0dca9b0b820f4c7f92"}, - {file = "watchdog-4.0.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:d31481ccf4694a8416b681544c23bd271f5a123162ab603c7d7d2dd7dd901a07"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:8fec441f5adcf81dd240a5fe78e3d83767999771630b5ddfc5867827a34fa3d3"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_armv7l.whl", hash = "sha256:6a9c71a0b02985b4b0b6d14b875a6c86ddea2fdbebd0c9a720a806a8bbffc69f"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_i686.whl", hash = "sha256:557ba04c816d23ce98a06e70af6abaa0485f6d94994ec78a42b05d1c03dcbd50"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_ppc64.whl", hash = "sha256:d0f9bd1fd919134d459d8abf954f63886745f4660ef66480b9d753a7c9d40927"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:f9b2fdca47dc855516b2d66eef3c39f2672cbf7e7a42e7e67ad2cbfcd6ba107d"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_s390x.whl", hash = "sha256:73c7a935e62033bd5e8f0da33a4dcb763da2361921a69a5a95aaf6c93aa03a87"}, - {file = "watchdog-4.0.0-py3-none-manylinux2014_x86_64.whl", hash = "sha256:6a80d5cae8c265842c7419c560b9961561556c4361b297b4c431903f8c33b269"}, - {file = "watchdog-4.0.0-py3-none-win32.whl", hash = "sha256:8f9a542c979df62098ae9c58b19e03ad3df1c9d8c6895d96c0d51da17b243b1c"}, - {file = "watchdog-4.0.0-py3-none-win_amd64.whl", hash = "sha256:f970663fa4f7e80401a7b0cbeec00fa801bf0287d93d48368fc3e6fa32716245"}, - {file = "watchdog-4.0.0-py3-none-win_ia64.whl", hash = "sha256:9a03e16e55465177d416699331b0f3564138f1807ecc5f2de9d55d8f188d08c7"}, - {file = "watchdog-4.0.0.tar.gz", hash = "sha256:e3e7065cbdabe6183ab82199d7a4f6b3ba0a438c5a512a68559846ccb76a78ec"}, + {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d1cdb490583ebd691c012b3d6dae011000fe42edb7a82ece80965b42abd61f26"}, + {file = "watchdog-6.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:bc64ab3bdb6a04d69d4023b29422170b74681784ffb9463ed4870cf2f3e66112"}, + {file = "watchdog-6.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c897ac1b55c5a1461e16dae288d22bb2e412ba9807df8397a635d88f671d36c3"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6eb11feb5a0d452ee41f824e271ca311a09e250441c262ca2fd7ebcf2461a06c"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ef810fbf7b781a5a593894e4f439773830bdecb885e6880d957d5b9382a960d2"}, + {file = "watchdog-6.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:afd0fe1b2270917c5e23c2a65ce50c2a4abb63daafb0d419fde368e272a76b7c"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:bdd4e6f14b8b18c334febb9c4425a878a2ac20efd1e0b231978e7b150f92a948"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:c7c15dda13c4eb00d6fb6fc508b3c0ed88b9d5d374056b239c4ad1611125c860"}, + {file = "watchdog-6.0.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6f10cb2d5902447c7d0da897e2c6768bca89174d0c6e1e30abec5421af97a5b0"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:490ab2ef84f11129844c23fb14ecf30ef3d8a6abafd3754a6f75ca1e6654136c"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:76aae96b00ae814b181bb25b1b98076d5fc84e8a53cd8885a318b42b6d3a5134"}, + {file = "watchdog-6.0.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a175f755fc2279e0b7312c0035d52e27211a5bc39719dd529625b1930917345b"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:e6f0e77c9417e7cd62af82529b10563db3423625c5fce018430b249bf977f9e8"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:90c8e78f3b94014f7aaae121e6b909674df5b46ec24d6bebc45c44c56729af2a"}, + {file = "watchdog-6.0.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e7631a77ffb1f7d2eefa4445ebbee491c720a5661ddf6df3498ebecae5ed375c"}, + {file = "watchdog-6.0.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:c7ac31a19f4545dd92fc25d200694098f42c9a8e391bc00bdd362c5736dbf881"}, + {file = "watchdog-6.0.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:9513f27a1a582d9808cf21a07dae516f0fab1cf2d7683a742c498b93eedabb11"}, + {file = "watchdog-6.0.0-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:7a0e56874cfbc4b9b05c60c8a1926fedf56324bb08cfbc188969777940aef3aa"}, + {file = "watchdog-6.0.0-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:e6439e374fc012255b4ec786ae3c4bc838cd7309a540e5fe0952d03687d8804e"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_aarch64.whl", hash = "sha256:7607498efa04a3542ae3e05e64da8202e58159aa1fa4acddf7678d34a35d4f13"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_armv7l.whl", hash = "sha256:9041567ee8953024c83343288ccc458fd0a2d811d6a0fd68c4c22609e3490379"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_i686.whl", hash = "sha256:82dc3e3143c7e38ec49d61af98d6558288c415eac98486a5c581726e0737c00e"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_ppc64.whl", hash = "sha256:212ac9b8bf1161dc91bd09c048048a95ca3a4c4f5e5d4a7d1b1a7d5752a7f96f"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:e3df4cbb9a450c6d49318f6d14f4bbc80d763fa587ba46ec86f99f9e6876bb26"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_s390x.whl", hash = "sha256:2cce7cfc2008eb51feb6aab51251fd79b85d9894e98ba847408f662b3395ca3c"}, + {file = "watchdog-6.0.0-py3-none-manylinux2014_x86_64.whl", hash = "sha256:20ffe5b202af80ab4266dcd3e91aae72bf2da48c0d33bdb15c66658e685e94e2"}, + {file = "watchdog-6.0.0-py3-none-win32.whl", hash = "sha256:07df1fdd701c5d4c8e55ef6cf55b8f0120fe1aef7ef39a1c6fc6bc2e606d517a"}, + {file = "watchdog-6.0.0-py3-none-win_amd64.whl", hash = "sha256:cbafb470cf848d93b5d013e2ecb245d4aa1c8fd0504e863ccefa32445359d680"}, + {file = "watchdog-6.0.0-py3-none-win_ia64.whl", hash = "sha256:a1914259fa9e1454315171103c6a30961236f508b9b623eae470268bbcc6a22f"}, + {file = "watchdog-6.0.0.tar.gz", hash = "sha256:9ddf7c82fda3ae8e24decda1338ede66e1c99883db93711d8fb941eaa2d8c282"}, ] [package.extras] @@ -771,4 +810,4 @@ watchmedo = ["PyYAML (>=3.10)"] [metadata] lock-version = "2.0" python-versions = "^3.11" -content-hash = "67e7374da66e939057b27d8b65999b003b090535efa382f85dfb021407cbfcad" +content-hash = "fd3597e4332c74b7ae96f5b1d7b1dd40295f7efed8bf2055205f2353473ff069" diff --git a/pyproject.toml b/pyproject.toml index 8ffefbd733..eb9f9a0f52 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,7 +14,7 @@ modules_by_uuid = "plugins.modules_by_uuid:ModulesByUUIDPlugin" [tool.poetry.dependencies] python = "^3.11" -mkdocs = "^1.5.3" +mkdocs = "^1.6.0" mkdocs-material = "^9.1.21" mkdocs-redirects = "^1.2.1" markdown-include = "^0.8.1" diff --git a/scripts/update_mkdocs/templates/intake.md.jinja b/scripts/update_mkdocs/templates/intake.md.jinja index 8cff5b79e6..8a43ec0604 100644 --- a/scripts/update_mkdocs/templates/intake.md.jinja +++ b/scripts/update_mkdocs/templates/intake.md.jinja @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte {% if tests %} ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. {% for test in tests %} === "{{test['name']}}" From 1455d948b33c3a78fcb929b131ebe6fbfb8ea870 Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 12:22:57 +0100 Subject: [PATCH 2/6] fix: merge intake_by_uuid and modules_by_uuid plugins into a single on_page_read_source hook (as mkdocs forbids multiple on_page_read_source hooks) --- mkdocs.yml | 4 +- ...akes_by_uuid.py => integration_by_uuid.py} | 108 ++++++++++++------ plugins/modules_by_uuid.py | 72 ------------ pyproject.toml | 4 +- 4 files changed, 79 insertions(+), 109 deletions(-) rename plugins/{intakes_by_uuid.py => integration_by_uuid.py} (53%) delete mode 100644 plugins/modules_by_uuid.py diff --git a/mkdocs.yml b/mkdocs.yml index e8f1a1c5ff..1eedc055df 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -812,8 +812,8 @@ plugins: xdr/features/collect/integrations/network/watchguard_firebox.md: integration/categories/network_security/watchguard_firebox.md xdr/features/investigate/dork_language.md: xdr/features/investigate/events_query_language.md - redoc -- intakes_by_uuid -- modules_by_uuid +- integration_by_uuid +- sass repo_url: https://github.com/SEKOIA-IO/documentation site_name: Sekoia.io Documentation site_url: https://docs.sekoia.io diff --git a/plugins/intakes_by_uuid.py b/plugins/integration_by_uuid.py similarity index 53% rename from plugins/intakes_by_uuid.py rename to plugins/integration_by_uuid.py index c8a091f0e0..a6d6663251 100644 --- a/plugins/intakes_by_uuid.py +++ b/plugins/integration_by_uuid.py @@ -1,5 +1,3 @@ -import re -import string from pathlib import Path import mkdocs @@ -8,13 +6,15 @@ from mkdocs.utils.meta import get_data -class IntakesByUUIDPlugin(mkdocs.plugins.BasePlugin): - """Reading Markdown files that contains an `uuid` metadata to provide +class IntegrationByUUIDPlugin(mkdocs.plugins.BasePlugin): + """ + Reading Markdown files that contains an `uuid` metadata to provide a redirection. When such a file is identified, a new `operation_center/integration_catalog/uuid/$uuid.md` file is faked - which will redirect to it.""" + which will redirect to it. + """ template = """ @@ -34,6 +34,61 @@ class IntakesByUUIDPlugin(mkdocs.plugins.BasePlugin): _redirection_table: dict[str, str] = {} _integrations: list[dict[str, str]] = [] + def process_intake_file( + self, + source_file: File, + metadata: dict, + config: Config, + ): + new_files = [] + dialect_uuids = (uuid.strip() for uuid in metadata["uuid"].split(",")) + + for dialect_uuid in dialect_uuids: + self._redirection_table[dialect_uuid] = source_file.url + self._integrations.append( + { + "uuid": dialect_uuid, + "name": metadata.get("name"), + "destination": source_file.url, + } + ) + + newfile = File( + path=f"operation_center/integration_catalog/uuid/{dialect_uuid}.md", + src_dir="operation_center/integration_catalog/uuid", + dest_dir=config["site_dir"], + use_directory_urls=True, + ) + new_files.append(newfile) + + new_files.append( + File( + path="integration/categories/index.md", + src_dir="operation_center/integration_catalog/", + dest_dir=config["site_dir"], + use_directory_urls=True, + ) + ) + + return new_files + + def process_module_file( + self, + source_file: File, + metadata: dict, + config: Config, + ): + self._redirection_table[metadata["uuid"]] = source_file.url + + return [ + File( + path=f"integration/action_library/uuid/{metadata['uuid']}.md", + src_dir="integration/action_library/uuid", + dest_dir=config["site_dir"], + use_directory_urls=True, + ) + ] + def on_files(self, files: Files, config: Config): new_files: list[File] = [] source_files = [ @@ -48,37 +103,18 @@ def on_files(self, files: Files, config: Config): with filename.open() as f: _, metadata = get_data(f.read()) - if "uuid" not in metadata or metadata.get("type").lower() != "intake": + if "uuid" not in metadata: continue - dialect_uuids = (uuid.strip() for uuid in metadata["uuid"].split(",")) - - for dialect_uuid in dialect_uuids: - self._redirection_table[dialect_uuid] = source_file.url - self._integrations.append( - { - "uuid": dialect_uuid, - "name": metadata.get("name"), - "destination": source_file.url, - } - ) - - newfile = File( - path=f"operation_center/integration_catalog/uuid/{dialect_uuid}.md", - src_dir="operation_center/integration_catalog/uuid", - dest_dir=config["site_dir"], - use_directory_urls=True, - ) - new_files.append(newfile) + if metadata.get("type").lower() == "intake": + new_files += self.process_intake_file(source_file, metadata, config) + elif metadata.get( + "type" + ).lower() == "playbook" and source_file.url.startswith( + "integration/action_library/" + ): + new_files += self.process_module_file(source_file, metadata, config) - new_files.append( - File( - path="integration/categories/index.md", - src_dir="operation_center/integration_catalog/", - dest_dir=config["site_dir"], - use_directory_urls=True, - ) - ) for file in new_files: if file.src_uri in files._src_uris: files.remove(file) @@ -105,3 +141,9 @@ def on_page_read_source(self, page, config): content += f"- [{page['name']}]({href})\n" return content + + if page.file.src_path.startswith("integration/action_library/uuid/"): + if page.file.name in self._redirection_table: + return self.template.format( + destination=self._redirection_table[page.file.name] + ) diff --git a/plugins/modules_by_uuid.py b/plugins/modules_by_uuid.py deleted file mode 100644 index a155823c2e..0000000000 --- a/plugins/modules_by_uuid.py +++ /dev/null @@ -1,72 +0,0 @@ -import re -import string -from pathlib import Path - -import mkdocs -from mkdocs.config import Config -from mkdocs.structure.files import File, Files -from mkdocs.utils.meta import get_data - - -class ModulesByUUIDPlugin(mkdocs.plugins.BasePlugin): - """Reading Markdown files that contains an `uuid` metadata to provide - a redirection. - - When such a file is identified, a new - `integration/action_library/uuid//uuid/$uuid.md` file is faked - which will redirect to it.""" - - template = """ - - - - Redirecting... - - - - - - -Redirecting... - -""" - - _redirection_table: dict[str, str] = {} - - def on_files(self, files: Files, config: Config): - for source_file in files: - if not source_file.src_path.endswith(".md"): - continue - - filename = Path(config["docs_dir"]) / Path(source_file.src_path) - try: - with filename.open() as f: - _, metadata = get_data(f.read()) - except: - # File may have been generated by an other plugin - continue - - if ( - "uuid" not in metadata - or metadata.get("type").lower() != "playbook" - or not source_file.url.startswith("integration/action_library/") - ): - continue - - self._redirection_table[metadata["uuid"]] = source_file.url - - files._files.append( - File( - path=f"integration/action_library/uuid/{metadata['uuid']}.md", - src_dir="integration/action_library/uuid", - dest_dir=config["site_dir"], - use_directory_urls=True, - ) - ) - - def on_page_read_source(self, page, config): - if page.file.src_path.startswith("integration/action_library/uuid/"): - if page.file.name in self._redirection_table: - return self.template.format( - destination=self._redirection_table[page.file.name] - ) diff --git a/pyproject.toml b/pyproject.toml index eb9f9a0f52..6b897bf512 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -9,8 +9,8 @@ packages = [ [tool.poetry.plugins."mkdocs.plugins"] redoc = "plugins.redoc:RedocPlugin" -intakes_by_uuid = "plugins.intakes_by_uuid:IntakesByUUIDPlugin" -modules_by_uuid = "plugins.modules_by_uuid:ModulesByUUIDPlugin" +integration_by_uuid = "plugins.integration_by_uuid:IntegrationByUUIDPlugin" +sass = "plugins.sass:CompileSCSSPlugin" [tool.poetry.dependencies] python = "^3.11" From 9e027d5477d142423ac2d25ee494c9f7952d0669 Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 14:15:56 +0100 Subject: [PATCH 3/6] feat: incorporate and rewrite lightgallery-markdown extension to allow bumping python-markdown to 3.7, removing etree-related build warnings --- docs/stylesheets/openapi.css | 1 + mkdocs.yml | 12 +----- plugins/custom_lightgallery.py | 77 ++++++++++++++++++++++++++++++++++ poetry.lock | 13 +++--- pyproject.toml | 3 +- 5 files changed, 87 insertions(+), 19 deletions(-) create mode 100644 docs/stylesheets/openapi.css create mode 100644 plugins/custom_lightgallery.py diff --git a/docs/stylesheets/openapi.css b/docs/stylesheets/openapi.css new file mode 100644 index 0000000000..22c56c7754 --- /dev/null +++ b/docs/stylesheets/openapi.css @@ -0,0 +1 @@ +#openapi{position:relative;background:white}#openapi h1{display:none}#openapi .md-typeset h1,#openapi .md-content__button,#openapi .md-footer{display:none}#openapi .md-main__inner{max-width:100%;margin:0}#openapi .redoc-wrap{background:white}#openapi .redoc-wrap>div:last-of-type{background:none !important}#openapi .redoc-wrap .sc-iGgWBj.sc-gsFSXq.lbpUdJ.bOFhJE{padding:20px;border-radius:20px}#openapi .redoc-wrap .sc-ikkxIA.daqcVd{margin:0 12px;padding:0px;padding-left:24px}#openapi .redoc-wrap tr:first-of-type>.sc-dLMFU,#openapi .redoc-wrap tr.last>.sc-dLMFU,#openapi .redoc-wrap .bvNJXm{background:none;border:none}#openapi .redoc-wrap .sc-gFqAkR{visibility:hidden;display:none}#openapi .redoc-wrap .property-name{font-weight:bold;font-size:15px}#openapi .redoc-wrap .examples code{font-family:monospace;font-size:13px !important;background:none !important;color:white !important}#openapi .redoc-wrap .examples code .token.punctuation{opacity:1 !important}#openapi .redoc-wrap .examples .tabs{background:white;margin:-20px;margin-bottom:22px;overflow:hidden;display:flex;padding:0;border:none;list-style-type:none;user-select:none}#openapi .redoc-wrap .examples .tabs li{color:#2d2e83;background:white;border-top:4px solid transparent;opacity:0.6;cursor:pointer;font-weight:bold;margin:0;padding:6px 16px}#openapi .redoc-wrap .examples .tabs li:hover{opacity:1}#openapi .redoc-wrap .examples .tabs li.active{opacity:1;border-top:4px solid #12005e;background:#e2e2e9;color:#12005e;border-top-left-radius:8px;border-top-right-radius:8px}#openapi .redoc-wrap .examples .jhTHfM,#openapi .redoc-wrap .examples h3{color:#12005e;font-weight:bold;font-size:14px}#openapi .redoc-wrap .examples.mode-try-it .response-samples,#openapi .redoc-wrap .examples.mode-try-it .request-samples{display:none}#openapi .redoc-wrap .examples:not(.mode-try-it) .try-it-wrapper{display:none}#openapi .redoc-wrap .examples .try-it-wrapper button{background:#5d4ff2;color:white;height:36px;font-weight:600;font-family:'Inter', sans-serif;border-radius:8px;padding:0px 16px;float:right;cursor:pointer;transition:background 6e2ms;margin:8px 0px}#openapi .redoc-wrap .examples .try-it-wrapper button:hover{background:#3b00bd}#openapi .redoc-wrap .examples .try-it-wrapper button:active{background:#140050}#openapi .redoc-wrap .examples .try-it-wrapper button:disabled{opacity:0.4}#openapi .redoc-wrap .examples .try-it-wrapper input{padding:4px;font-size:15px;border:1px solid #12005e;border-radius:4px;margin:2px 12px}#openapi .redoc-wrap .examples .try-it-wrapper label{display:inline-block;font-size:15px;font-weight:bold;min-width:85px;color:#11171a}#openapi .redoc-wrap .examples .try-it-wrapper .ui-spinner{position:relative !important;left:50%;top:24px}#openapi .redoc-wrap .examples .try-it-wrapper .results pre,#openapi .redoc-wrap .examples .try-it-wrapper .results .output,#openapi .redoc-wrap .examples .try-it-wrapper>code.curl{background:#11171a !important;padding:14px;position:static;min-width:100%;width:100%;display:block;border-radius:8px;color:white;font-family:monospace;font-size:11px;max-height:40vh;overflow:auto}#openapi .redoc-wrap .examples .try-it-wrapper .results pre.error,#openapi .redoc-wrap .examples .try-it-wrapper .results .output.error,#openapi .redoc-wrap .examples .try-it-wrapper>code.curl.error{background:red !important}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples{margin-top:12px}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>ul{display:flex;padding:0;list-style-type:none;margin:0}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>ul>li{cursor:pointer;padding:2px 12px;border-top:4px solid transparent;margin:0px;background:transparent;border-top-left-radius:8px;border-top-right-radius:8px;font-weight:bold;color:#8182b5;transition:all 90ms ease-in-out}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>ul>li:hover{color:#12005e}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>ul>li.selected{border-top-color:#5d4ff2;background:#11171a;color:white}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>div>pre{background:#11171a !important;padding:14px;position:static;min-width:100%;width:100%;display:block;border-radius:8px;color:white;font-family:monospace;font-size:11px;max-height:40vh;overflow:auto;border-top-left-radius:0px;margin:0;white-space:break-spaces}#openapi .redoc-wrap .examples .try-it-wrapper .code-examples>div>pre:not(.selected){display:none}#openapi .redoc-wrap .region-picker{padding:16px 29px}#openapi h2::after{border-bottom:2px solid #2d2e83 !important}.ui-spinner{width:38px;height:38px;border:5px solid #d8d8e922;border-bottom-color:#5d4ff2;border-radius:50%;display:inline-block;box-sizing:border-box;animation:spinner-rotate 1s linear infinite;margin:12px;margin-left:-19px;margin-right:auto;position:absolute;left:50%;top:40vh}@keyframes spinner-rotate{0%{transform:rotate(0deg)}100%{transform:rotate(1turn)}}main>.md-grid{max-width:90vw}main .md-sidebar{display:none !important}main .gdNLsg{position:initial}main .kJndnU{position:absolute}main .kNjBFu:last-child{min-height:initial}main .menu-content{top:70px !important;border-radius:20px;width:353px;background:none}main .menu-content label:not(.active){background:none}main .menu-content>.scrollbar-container>ul{margin:0px}main div[data-role='search:results']{background:#F5F5FA;border-radius:8px}main div[role=search]{padding:5px 31px}main div[role=search] input{font-weight:normal;color:black;padding:10px 27px;font-size:110%;margin:6px -19px}main div[role=search] input::placeholder{font-weight:normal;color:black}main div[role=search] svg{position:relative;top:5px;width:18px;left:0}main ul.sc-iHmpnF{font-size:16px}main span.sc-ehixzo.CHBVM{padding:3px 6px;font-size:10px;margin-right:8px;height:18px;width:8ex}main ul.sc-iHmpnF.bQdsWB{padding:0;margin:0;font-size:10px;user-select:none}main ul.sc-iHmpnF.bQdsWB>li>ul>li>ul{margin-bottom:16px}main ul.sc-iHmpnF.bQdsWB>li>ul>li>ul>li{padding:0px;margin:0px}main ul.sc-iHmpnF.bQdsWB>li>ul>li>ul>li>label{padding:9px;margin:0px}main ul.sc-iHmpnF.bQdsWB>li>ul>li>ul>li>label .sc-eyvILC{font-size:13px;color:#21225F}main label.-depth0{padding:0px 9px;margin:8px}main label.-depth0 span.sc-eyvILC.cyMuFj{font-size:14px;font-weight:bold;color:#6D6E9C}main label.-depth1{display:flex;padding:6px;margin:0;padding-right:16px;align-items:center;padding-left:18px}main label.-depth1 span.sc-eyvILC.cyMuFj{font-size:14px;font-weight:normal;color:#21225F}main label.-depth1.active span.sc-eyvILC.cyMuFj{font-weight:bold}main .sc-kYxDKI.eoKbCJ{margin-left:0px}main ul.sc-iHmpnF.bKAJhU{display:none}main h2.copjkU{color:#2d2e83;font-size:20px;margin-top:30px;font-weight:bold}main .sc-dcJsrY.eVrqat .sc-kAyceB.XMnSL h2{font-size:28px;text-transform:uppercase}main .sc-dcJsrY.eVrqat .sc-kAyceB.XMnSL h2:after{border:none}main .sc-bpUBKd.-depth2>.sc-eyvILC{font-size:14px}main .sc-bpUBKd.-depth2.active{border-top-left-radius:8px;border-bottom-left-radius:8px;border-right:4px solid #2d2e83;background:#F5F5FA}main .sc-bpUBKd.-depth1.active{border-top-left-radius:8px;border-bottom-left-radius:8px;border-right:4px solid #2d2e83;background:#F5F5FA}main .sc-bpUBKd.-depth1:hover{border-top-left-radius:8px;border-bottom-left-radius:8px;background:#F5F5FAaa}main .bOFhJE{background-color:#e2e2e9}main .bOFhJE button.sc-iEXKAA{border-radius:8px}main .cJteCP>.react-tabs__tab-panel.react-tabs__tab-panel--selected{border-radius:8px;border-top-left-radius:0px}main .cJteCP>ul{margin:0px !important}main .cJteCP>ul>li{padding:5px 10px;display:inline-block;background-color:#11171a;cursor:pointer;text-align:center;outline:none;color:#ccc;min-width:60px;font-size:0.9em;font-weight:bold;border:none;border-top:4px solid;margin:0px !important;border-radius:0}main .cJteCP>ul>li:not([aria-selected=true]){border-top-color:transparent;background:none}main button.sc-gdyeKB{width:120px;float:left}main button.sc-gdyeKB p{margin:0px}main .sc-kzqdkY{clear:both}select{padding:6.5px 12px;margin:0px 12px;display:inline-flex;align-items:center;width:111px;cursor:pointer;background:url("data:image/svg+xml,") no-repeat #f8f9fc;background-position:calc(100% - 10px) center !important;-moz-appearance:none !important;-webkit-appearance:none !important;appearance:none !important;border:1px solid #cbcfe1;line-height:1.5;color:#21225f;border-radius:8px} diff --git a/mkdocs.yml b/mkdocs.yml index 1eedc055df..cdc58aa89a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -27,8 +27,8 @@ markdown_extensions: - pymdownx.tabbed: alternate_style: true - markdown_include.include -- lightgallery - pymdownx.snippets +- plugins.custom_lightgallery validation: omitted_files: ignore links: @@ -573,16 +573,7 @@ plugins: - search: null - redirects: redirect_maps: - 'api/automation: symphony orchestrator': xdr/develop/rest_api/playbooks.md - api/dashboards: xdr/develop/rest_api/dashboard.md - api/identity & authentication: xdr/develop/rest_api/community.md - 'api/ingest: manage and test event parsers': xdr/develop/rest_api/parser.md - 'api/intelligence center: cyber threat intelligence database': cti/develop/rest_api/intelligence.md - 'api/intelligence center: enrichment': cti/develop/rest_api/enrichments.md - 'api/operation center: alerts & case management': xdr/develop/rest_api/alert.md - 'api/operation center: asset management': xdr/develop/rest_api/assets_v2.md 'api/operation center: rules, entities, intakes, events.md': xdr/develop/rest_api/configuration.md - api/profile & permissions: xdr/develop/rest_api/community.md cti/develop/rest_api/identity_and_authentication.md: cti/develop/rest_api/community.md develop/rest_api/community.md: xdr/develop/rest_api/community.md develop/rest_api/dashboard.md: xdr/develop/rest_api/community.md @@ -813,7 +804,6 @@ plugins: xdr/features/investigate/dork_language.md: xdr/features/investigate/events_query_language.md - redoc - integration_by_uuid -- sass repo_url: https://github.com/SEKOIA-IO/documentation site_name: Sekoia.io Documentation site_url: https://docs.sekoia.io diff --git a/plugins/custom_lightgallery.py b/plugins/custom_lightgallery.py new file mode 100644 index 0000000000..f414982c79 --- /dev/null +++ b/plugins/custom_lightgallery.py @@ -0,0 +1,77 @@ +from markdown import Extension +from markdown.treeprocessors import Treeprocessor +from xml.etree.ElementTree import Element +import re + + +class ImagesTreeprocessor(Treeprocessor): + """ + Rewritten from https://github.com/g-provost/lightgallery-markdown + to be compatible with python-markdown >= 3.3.7 + + Enables lightgallery.js on image tags of the form ![!blah](img.png) + """ + + def __init__(self, md, config): + super().__init__(md) + self.re = re.compile(r"^!.*") + self.config = config + + def run(self, root): + parent_map = {c: p for p in root.iter() for c in p} + images = root.iter("img") + for image in images: + desc = image.attrib.get("alt", "") + if self.re.match(desc): + desc = desc.lstrip("!") + image.set("alt", desc) + parent = parent_map[image] + ix = list(parent).index(image) + + div_node = Element("div") + div_node.set("class", "lightgallery") + new_node = Element("a") + new_node.set("href", image.attrib["src"]) + + if self.config["show_description_in_lightgallery"]: + new_node.set("data-sub-html", desc) + + new_node.append(image) + div_node.append(new_node) + parent.insert(ix, div_node) + parent.remove(image) + + if self.config["show_description_as_inline_caption"]: + inline_caption_node = Element("p") + inline_caption_node.set( + "class", self.config["custom_inline_caption_css_class"] + ) + inline_caption_node.text = desc + parent.insert(ix + 1, inline_caption_node) + + +class LightGalleryExtension(Extension): + def __init__(self, **kwargs): + self.config = { + "show_description_in_lightgallery": [ + True, + "Adds the description as caption in lightgallery dialog. Default: True", + ], + "show_description_as_inline_caption": [ + False, + "Adds the description as inline caption below the image. Default: False", + ], + "custom_inline_caption_css_class": [ + "", + "Custom CSS classes which are applied to the inline caption paragraph. Multiple classes are separated via space. Default: empty", + ], + } + super().__init__(**kwargs) + + def extendMarkdown(self, md): + config = self.getConfigs() + md.treeprocessors.register(ImagesTreeprocessor(md, config), "lightbox", 15) + + +def makeExtension(*_, **kwargs): + return LightGalleryExtension(**kwargs) diff --git a/poetry.lock b/poetry.lock index 456e18c7c4..a6ab4c4ab2 100644 --- a/poetry.lock +++ b/poetry.lock @@ -228,16 +228,17 @@ markdown = ">=3.0" [[package]] name = "markdown" -version = "3.3.7" -description = "Python implementation of Markdown." +version = "3.7" +description = "Python implementation of John Gruber's Markdown." optional = false -python-versions = ">=3.6" +python-versions = ">=3.8" files = [ - {file = "Markdown-3.3.7-py3-none-any.whl", hash = "sha256:f5da449a6e1c989a4cea2631aa8ee67caa5a2ef855d551c88f9e309f4634c621"}, - {file = "Markdown-3.3.7.tar.gz", hash = "sha256:cbb516f16218e643d8e0a95b309f77eb118cb138d39a4f27851e6a63581db874"}, + {file = "Markdown-3.7-py3-none-any.whl", hash = "sha256:7eb6df5690b81a1d7942992c97fad2938e956e79df20cbc6186e9c3a77b1c803"}, + {file = "markdown-3.7.tar.gz", hash = "sha256:2ae2471477cfd02dbbf038d5d9bc226d40def84b4fe2986e49b59b6b472bbed2"}, ] [package.extras] +docs = ["mdx-gh-links (>=0.2)", "mkdocs (>=1.5)", "mkdocs-gen-files", "mkdocs-literate-nav", "mkdocs-nature (>=0.6)", "mkdocs-section-index", "mkdocstrings[python]"] testing = ["coverage", "pyyaml"] [[package]] @@ -810,4 +811,4 @@ watchmedo = ["PyYAML (>=3.10)"] [metadata] lock-version = "2.0" python-versions = "^3.11" -content-hash = "fd3597e4332c74b7ae96f5b1d7b1dd40295f7efed8bf2055205f2353473ff069" +content-hash = "6725c12f9a8cc36503f09769c7c2fe020bad5e59adf5e0ff18354c99b47afb01" diff --git a/pyproject.toml b/pyproject.toml index 6b897bf512..b12492b1ce 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,7 +10,6 @@ packages = [ [tool.poetry.plugins."mkdocs.plugins"] redoc = "plugins.redoc:RedocPlugin" integration_by_uuid = "plugins.integration_by_uuid:IntegrationByUUIDPlugin" -sass = "plugins.sass:CompileSCSSPlugin" [tool.poetry.dependencies] python = "^3.11" @@ -19,7 +18,7 @@ mkdocs-material = "^9.1.21" mkdocs-redirects = "^1.2.1" markdown-include = "^0.8.1" lightgallery = "^0.5" -markdown = "3.3.7" # Newer versions are not compatible with lightgallery +markdown = "^3.7" [build-system] requires = [ "poetry-core>=1.0.0",] From 8cd103a3a49c0cbb664826abcef38bb3bd52b46c Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 14:35:20 +0100 Subject: [PATCH 4/6] build: mkdocs build with --strict to early catch broken links, imgs and anchors --- .github/workflows/deploy-public-website.yaml | 2 +- .github/workflows/preview.yaml | 2 +- README.md | 9 ++++++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-public-website.yaml b/.github/workflows/deploy-public-website.yaml index 940cf23526..d806f4cdef 100644 --- a/.github/workflows/deploy-public-website.yaml +++ b/.github/workflows/deploy-public-website.yaml @@ -49,7 +49,7 @@ jobs: - name: Build site run: | - poetry run python -m mkdocs build + poetry run python -m mkdocs build --strict - name: Install Swift run: | diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml index b7b2c6b7f0..82665084ae 100644 --- a/.github/workflows/preview.yaml +++ b/.github/workflows/preview.yaml @@ -46,7 +46,7 @@ jobs: - name: Build site run: | - poetry run python -m mkdocs build + poetry run python -m mkdocs build --strict - name: Save PR number run: | diff --git a/README.md b/README.md index 21b5f49e27..03c95427a0 100644 --- a/README.md +++ b/README.md @@ -16,5 +16,12 @@ The service relies on the [MkDocs](https://www.mkdocs.org/) Python framework hel $ mkdir -p docs/stylesheets/ && sassc src/sekoiaio.scss docs/stylesheets/sekoiaio.css $ pip install poetry $ poetry install -$ poetry run mkdocs serve +$ poetry run mkdocs serve --strict ``` + +## Guidelines + +* You may use absolute links and images such as `[caption](/folder/page.md#anchor)` or `![!someimage](/folder/image.png)`, they will be interpreted as relative to the `docs/` folder. So the example link would point to `docs/folder/page.md` which must exist in the repo. `mkdocs serve --strict` will help you catching any broken link +* When you want to point to the developer documentation, please use full URLs, such as `[delete_playbook_endpoint](https://docs.sekoia.io/xdr/develop/rest_api/playbooks/#tag/Playbooks/operation/delete_playbook_resource)`, because the API documentation is rendered client-side via ReDoc out of OpenAPI specs retrieved from app.sekoia.io platform's API +* Always include the `.md` extension when linking to markdown files in the repo: `[link](/integration/example/index.md)` is okay, whereas `[link](/integration/example/)` or `[link](/integration/example/index)` won't work. +* All links to internal pages and anchors are strictly validated by the CI (via `mkdocs build --strict`) to spot any broken link. Therefore, please refrain as much as possible from using full URLs to point to internal pages, as they won't be covered by automated broken link verification. From 8407d1acf1cdc1f9b6cba248db47e2938c901eb5 Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 14:41:50 +0100 Subject: [PATCH 5/6] build: compile scss via a libsass mkdocs plugin --- README.md | 1 - plugins/sass.py | 31 +++++++++++++++++++++++++++++++ poetry.lock | 17 ++++++++++++++++- pyproject.toml | 2 ++ 4 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 plugins/sass.py diff --git a/README.md b/README.md index 03c95427a0..bda8b7e54b 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,6 @@ Once your pull request is created, a SEKOIA.IO reviewer will take responsibility The service relies on the [MkDocs](https://www.mkdocs.org/) Python framework helped by a customized [Material theme](https://squidfunk.github.io/mkdocs-material/). To serve the documentation on the port `8000` of your computer, you should create a Python virtual environment, install the few requirements detailed in `pyproject.toml` and trigger the execution of the MkDocs server: ```shell -$ mkdir -p docs/stylesheets/ && sassc src/sekoiaio.scss docs/stylesheets/sekoiaio.css $ pip install poetry $ poetry install $ poetry run mkdocs serve --strict diff --git a/plugins/sass.py b/plugins/sass.py new file mode 100644 index 0000000000..146d684555 --- /dev/null +++ b/plugins/sass.py @@ -0,0 +1,31 @@ +import glob +import logging +import os +from pathlib import Path +from mkdocs import plugins +import sass + +STYLE_DIR = (Path(__file__).parent.parent / "style").absolute() +OUT_DIR = (Path(__file__).parent.parent / "docs" / "stylesheets").absolute() + + +class CompileSCSSPlugin(plugins.BasePlugin): + def on_pre_build(self, config): + os.makedirs(OUT_DIR, exist_ok=True) + for f in glob.glob(f"{STYLE_DIR}/*.scss"): + outf = f.replace(".scss", ".css").replace( + str(STYLE_DIR), + str(OUT_DIR), + ) + logging.info(f"Compile SCSS {f} to {outf}") + with open(f) as fd: + css = sass.compile(string=fd.read(), output_style="compressed") + + # Skip writing if no change is detected + if os.path.isfile(outf): + with open(outf) as fd: + if css.strip() == fd.read().strip(): + continue + + with open(outf, "w") as fd: + fd.write(css) diff --git a/poetry.lock b/poetry.lock index a6ab4c4ab2..097900959d 100644 --- a/poetry.lock +++ b/poetry.lock @@ -212,6 +212,21 @@ MarkupSafe = ">=2.0" [package.extras] i18n = ["Babel (>=2.7)"] +[[package]] +name = "libsass" +version = "0.23.0" +description = "Sass for Python: A straightforward binding of libsass for Python." +optional = false +python-versions = ">=3.8" +files = [ + {file = "libsass-0.23.0-cp38-abi3-macosx_11_0_x86_64.whl", hash = "sha256:34cae047cbbfc4ffa832a61cbb110f3c95f5471c6170c842d3fed161e40814dc"}, + {file = "libsass-0.23.0-cp38-abi3-macosx_14_0_arm64.whl", hash = "sha256:ea97d1b45cdc2fc3590cb9d7b60f1d8915d3ce17a98c1f2d4dd47ee0d9c68ce6"}, + {file = "libsass-0.23.0-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:4a218406d605f325d234e4678bd57126a66a88841cb95bee2caeafdc6f138306"}, + {file = "libsass-0.23.0-cp38-abi3-win32.whl", hash = "sha256:31e86d92a5c7a551df844b72d83fc2b5e50abc6fbbb31e296f7bebd6489ed1b4"}, + {file = "libsass-0.23.0-cp38-abi3-win_amd64.whl", hash = "sha256:a2ec85d819f353cbe807432d7275d653710d12b08ec7ef61c124a580a8352f3c"}, + {file = "libsass-0.23.0.tar.gz", hash = "sha256:6f209955ede26684e76912caf329f4ccb57e4a043fd77fe0e7348dd9574f1880"}, +] + [[package]] name = "lightgallery" version = "0.5" @@ -811,4 +826,4 @@ watchmedo = ["PyYAML (>=3.10)"] [metadata] lock-version = "2.0" python-versions = "^3.11" -content-hash = "6725c12f9a8cc36503f09769c7c2fe020bad5e59adf5e0ff18354c99b47afb01" +content-hash = "1c86f3d92aad7a281961332545bc687241a0d24166e7faeb96fc63d6d86bf8c5" diff --git a/pyproject.toml b/pyproject.toml index b12492b1ce..293bf9c9a2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,6 +10,7 @@ packages = [ [tool.poetry.plugins."mkdocs.plugins"] redoc = "plugins.redoc:RedocPlugin" integration_by_uuid = "plugins.integration_by_uuid:IntegrationByUUIDPlugin" +sass = "plugins.sass:CompileSCSSPlugin" [tool.poetry.dependencies] python = "^3.11" @@ -19,6 +20,7 @@ mkdocs-redirects = "^1.2.1" markdown-include = "^0.8.1" lightgallery = "^0.5" markdown = "^3.7" +libsass = "^0.23.0" [build-system] requires = [ "poetry-core>=1.0.0",] From 749197dc828e7d60e04d15e4d974f393d6780818 Mon Sep 17 00:00:00 2001 From: Jerome Fellus Date: Fri, 15 Nov 2024 15:16:14 +0100 Subject: [PATCH 6/6] fix: fix broken fonts references --- docs/assets/fonts/lg.svg | 54 ++++++++++++++++++++++++++ docs/assets/fonts/lg.ttf | Bin 0 -> 4756 bytes docs/assets/fonts/lg.woff | Bin 0 -> 4832 bytes docs/assets/fonts/lg.woff2 | Bin 0 -> 2332 bytes docs/stylesheets/inter.min.css | 18 ++++----- docs/stylesheets/lightgallery.min.css | 2 +- docs/stylesheets/poppins.min.css | 8 ++-- 7 files changed, 68 insertions(+), 14 deletions(-) create mode 100644 docs/assets/fonts/lg.svg create mode 100644 docs/assets/fonts/lg.ttf create mode 100644 docs/assets/fonts/lg.woff create mode 100644 docs/assets/fonts/lg.woff2 diff --git a/docs/assets/fonts/lg.svg b/docs/assets/fonts/lg.svg new file mode 100644 index 0000000000..fe8b0756b4 --- /dev/null +++ b/docs/assets/fonts/lg.svg @@ -0,0 +1,54 @@ + + + + + + +{ + "fontFamily": "lg", + "majorVersion": 2, + "minorVersion": 0, + "fontURL": "", + "copyright": "", + "license": "", + "licenseURL": "", + "description": "Font generated by IcoMoon.", + "version": "Version 2.0", + "fontId": "lg", + "psName": "lg", + "subFamily": "Regular", + "fullName": "lg" +} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/assets/fonts/lg.ttf b/docs/assets/fonts/lg.ttf new file mode 100644 index 0000000000000000000000000000000000000000..825f4832d409eaebc9684ea59d1e599c364f721d GIT binary patch literal 4756 zcmai2O>7&-6`miGE0W8fU5cbAQR2^vq(n-Jq!mfomSx3GV=Izl*(I6Sa2(6FEGLyE z!s3eQeaD+M>X`kAD2*+4*yC-qlwLp<#@F zyEuR09Nu1xujAdexb({DXFmM1g7HU$xW~^d%%AG|eP-QYAtZMO2x*;vit#x3d(WI* zefczTx-mYA@wugylk=(9dZQTs1>@~!=U+ZYlH^B(C~X)=m*>we{I0mW2jf1-cb#*LhT3J6d_+a`1Q@}WQwDMD16as zQ3DXtL=S^zzPZ5_CKmE0@ICMbCvM=Pw>xil-_~!RyZy7<|NLxo!*xgf!u6$Nv%a}$ ztaOk5Q-dzwQ9vgKoo?QV{5|qTm59(VD0;LG8TI1K?#Kf&wYH1 zko-1d+P%5ojD0u1KT#Ty`v#)Z&uO-yRJ3MuP!=yJXYisbqF6 zpYwr-rAy^23usr&=e1YSt{Kna5~Z}zs8+urf`yY7SuoYBf&o%n@;xL%;)Em~DcQ=% z7GjT3Qv4Q)Z`1O1;X+P|cwB|e?WCVf!s3`PPZ9RTgnoME?$b2Fu9AZ+0 zqKfblEz_&nL^7GkHj3F~B9YAAlwAtzb;n};z$B6#9Z6Ph6jj;fl2v+Damk?bA{ZMb za{{g4{m1&JU`c>Gk)>DrV=>orvP*50RKc&(3W(V2TjUZ?vzy3VLZzUTl2Z9pKA7j} zufCdS{n%Oy0t$1AqzHS7@GmuX(qo!zSp3b-Qn9r(r<)pXur*WR`r?MrS9LXRxm+~u zQaOP-s=Q$!@d9iT6c^3N5b=;aDnf@gV`mpNTr4~sGh<0-MOCaT*2hw^yis2?C9^e1 zmW8~=O-L~m5Yjf_MmQ0YeKO=RQXv^$;u-9$0~rwW$EcLj5uz1VtrtM9lna+iv{bFq zN~1*V;4gw-}sdlb~+2_Rb2a3S<%r30cjDb+xRJr1`rI6f4yV<#M6cDA&s68oOC5 zHwxuiferv&1%Au5bfLRuXs=}zV_jCk%mP-Z7HYKuD;8??Dwd%&pargM=0ur1&R>KN zo$$mcG}DA;Sz)sNa5ab_?6RqEih*txhae-RbP2x~=f=_Ij3=F|P1WStGph&DR#)fd zcFT+krqZnzi(mv(T;4r5w`%g8nZ>qZcUn4$+LSiE6?~{ZY@rKH-@3K*2t6|C>LYca z;(X*~)CyhHCPXsKPG%=)KH;VU8q4XUfnZ{Ynvh9PS$ilT$vR0n(Wj?%eVR4?st$CH z&CX;)gDM@Md?wo*G-{MHMu)uvbuiA%=#s~FO;H40^{z{vwz1jSvFwabxz^^9@Vn;0 zv1=jgtNr+p8>UvKhBP=darCJH5XNQtgNdPueOEqsx2004rR3|#|1xS~ z88y*HT#zqiWB8+f)B%5rmn(4aKm)ncs8v`7rJ%e?@Tg$kE!2%PV&0q=)D-+t-KZV3 zEI5%QqImF3bCF7g4q#sU=4bpae-C$q5y*>6ZfcmN@bufddmm)BL@p$#CSb$$a>T$((Hb!RyS; ze*XFF;P7`2!t?j^DUlQ8BKhGXwBm@}G#wd^n-RQ&4$+ac2kn5*T{(*lJbX6V}u!q)bNgM)U4;PK z57@VMUwyaJ7Jgz+w=ZUO$m#Aw5y~ABZY)erg`)|%%_X&Y?VgOL>F!VV@7MS5UuLqy z8FF=XGoI)QX&**ADEGQtot`d@+VTU?45_Vs81LxvIiPmZ9ZWwKwp#s+^(H$zgH~%WJ~+6)Bh+RIs{;|n zm!=NA?zGwMnOHpYEzbEBYjcyCD)~L1GZNX;-7QI7T?aFnjyUK2eW{U-?wDh0 zaAsbz&&&>_Gke;7;)48u4~{*`2Vn%2VVQ`!QKU@{v6Di`7{E@7Try*^1&A^WkHA~z zb8Cluq^eKq`kwxom`%3DcZQ-P4y)ZFxoilOfb8p#Y`u#+8Qs?B?{#}4Zfn5f4!i6j z_trjXEOUtukBl4$g@Wxg;G@ZIL<B8|fl)OtQ6O?{~p?;Re__Nwb=nipFV!IUWQ> zD@_fC9l}-k@vGJyBl=r&%s=?tKS}4!`+OA02w6^VZe^ zVP#-+m#8W*6L)A~PimZw7*4?z97jb!hn=`w$2~Y$lPIFNbmKM-c8qvP+(nmLJOHe?N-2Bt}y#A4^dBr9c1_@%yK8bgV-&4TcyFqVR% zgkUPB!5G6nQnjo;{=8@6U&Lt<(MtaI^o1+;-p!K^-~8A|vtgd`?To`;G=A4u$)uUj zut_loVj9M!W-sD>3thZLuQa>BiC(_1uQzD|Cur>t^=B~_Yn(77IdB*1A;-u&+EYjiF@2H_w7&ISl z+_nUl;1zTeX83xz)PycK*arOfo3I17HXClZ)M5ul%rIew|0ulK zggNjpHDM?XyG$M{36STTunqWEo3Mk7k?7JQSt5&1t}L%c7Z;Wn&d;wdoQj@!B|3d_ zW&g^`@(_8FtdM20N}^7&-6`miGE0W8fU5cbAQR2^vq(n-Jq!mg3$g*RnwiU^-?2=4uIF4jnmXgYn zVasrWHUVuoK+qa(4`~_$MNzaxkkYJS^pr!9x;_Lw^bj<(P7UD5IV7!-LxJ`XlvKaj zB^}49;t^-&&3kX={mh#;v$}Y2?_NR)ih7qgjs8u-ME}il@Vifp5<=TRnHANe+M*}V z%$)^p5#!&A`o?{Ibz$y2a7@Nn@QUhPSbF6&aP5S+w}|@e2Y*%;=jTp=G!1%A)UMxU zZY%-`+!c&_MU`&wj~CCZz6{*E7-L;>_B3(2msU=KPwBvTo2aSRdZTCNUItw$U>r4S zlKgmi?#w)JtI+XjQQs}@?m4@19%J>^13nIj^ZWFt#0nj+vA<&c6SJrPBs#TY{BWV( zherb5Mabt4erw|v*~L+TF?@<%l&H}fQUHZP6L1)<;0hB9c>{e9@dD!pE_%1~ZuedN z?%BIPyZf(CHr8GD)X!X>J2vVY8{orw59n_iborhFIx*;U<6h(+kQPAkP@N1!i$jSBN|D;6^gD%qxoER zES1#alFi>94ERQa0e`z>)8eUQb}XOsfrq6_<*V~3SIze3t0*^(cDO_-Ei|gt2Sl)N z(jp6{dQ~t$YD>O{L`a;F#A78}8QDbaQABJnL+z9sy`NfFI;*xXL~$pkEp3G)>b&quwHj8)(=b~ z+0l_?whKq%V zV`ePrtf-20#rjxEme=bGret;vl4T*UaR*Wi1%$M9xDif-WS%a+! z`D0W{=?KvZtJVu3SIUJ;C0eRhX{AvjcJLR$FV3|DKY9@PLDGfz(-41I-Oo`eYF_ti zqK`FkdK1qo)oQg-s1~Z#4I+RlKy*b2AZ9fvz=Mv$&=Ta0*4|kmRe?-GAt9^zu&$OB zk~Dv}fnudvp%*J25mqd(IIZ-y&b`Z7a#!Slv52d-?M0theOd zx9|AzefzxcynnkMo`^e2G7WDV9)J4S`(wGI(;{vxI7>(PVd!DTw9q4$*KLxN%Li=| z)gU&IlCnsn;vRu6=AqAL*@t4iEuW4LP3)hgeI-YHV%yEzrdFngG&nSV?CAjzw#f7c z<3r>7ufG3IOQljv$tyVjW#q&%a-xm6AYaPH@JIc~1O5~*SK#1*2F^~SR$&>Wg7OAI zQ^CA7H-wPf)}ELlk#|Pm9}dq@~tr8p~~`enw6oIr@4E<@KXSPCpE z5FJU2a84OLpYI~Q7?v$=7L@%iyVK+JCVF}(n-&LQy74DwVM@g5bh0r` z%P`g-8+7z^Fe`U>tQKmKG#_Apz`nWr>bsq`@KbxbeKD&;PIn)UQ0|cMVqtPB98Jh= zE~(9H_hd9pcYk!?fPUb>GLs$7kgKbk@kCch`ykpux!2|D^mJ*|mXF{ZJRB2;9^-u< zA_E>u=JLs0Fd&>|3kHM(aW+y(oD_IY8WNt%=WwPChScUhjCXYT98f#y4yK<7TdjV^ zdXt@XZE!F!~^+jJ~;k3AA}K9hGin^MsaL% zh@BKd#sGFuoFy|BTYyNj@CdwRwwpWTFRHp%*Z1^K#cZ-Iz9SSJaaipZ$z?;J1Y}=_ zWb0kn!RXdLf3Mpcaa#i(ci3eQxi|MoW0^~Qcx2>YC=_g`0Uu3vBU+GXG-|a`S0>~N zIS2CG=Ct;0^}4y-rgS-2o6Qr#b42*%Il_$h<`7=HgyQzd!dCo-<0Be2+&C`cj7he3 z?EOv{FWdk-CumkPkD_tgV2%et(K@CE!*<~+{P=b2_7VMuGt58u{6OlduJo{?PH}FH zD(i{D;6O38<5a9YSW>*52S*}%wAB7co6`21JfjxXn~Vjr(fFk1+j*uh^#rH4{5TC$ zSM=;|3-t%vbMdju`}+$0_iS!S@mQx7)u)D!@9KMgBsCe)rvh$|>a|dw`?Xz>v`KC2 z>He;aSM~C-bl>83VSnqrog`1feqm)`bf?HFFcWWRVNYrc9Wk7OCpfN(fDSwHxQ=^p zu_lp3@#w~D9PAkJka&@5@_I;BL&zRh&Ls=CTQ-Oq3aJg_z1pOPRB9kOS(kh9OkKYw zSSYcySu7Ig7R(MQYN%dZ$9gW;C)bovNHNz@LdM>mATs|YpTrIO40QjdQo{Gp-PnYd zf;9hi+lI%!X503r3-aub>-Z$-6^1Aw1e9S2R5Nw1Pd561(gv~E zxiHB}854e~ubakDVr{b^d?}2jpeP}jifJ&$u#Z$Nt53e*8UHtNT12#xzdv*S>Q{a9 zrW5}cz?Y;^FwgjQ#^o;xzi+H$z|AIXQp}NAj{60F&q6G>txs7$ zw9VLVNMXzreh8DR_%0BoWu-A_Hg3GO1ef3ybQ5OydbretIq(;num$j2O<25&3QgDs z{P&x%1Ftq4Ubxg^2S&^=VTS)GywQX?@E4mfl!jddQX@M+} zg}p1wtI>t|<@s}StMjL#Ctit8o?JPwva&ox_L3E{Ojb#hERcCX^W+?v!+4&Y0`3HP z1??m`39bXEf_JDifA0K?E6dT*po<> T$r4sSXOiGKDXfAxF literal 0 HcmV?d00001 diff --git a/docs/assets/fonts/lg.woff2 b/docs/assets/fonts/lg.woff2 new file mode 100644 index 0000000000000000000000000000000000000000..2c2e289260bf80880c447749205a7024c34310f0 GIT binary patch literal 2332 zcmV+%3FG#6Pew8T0RR9100|rb3jhEB01}7*00_+h0RR9100000000000000000000 z00006U;u$65eN#LES5?OIsgGS0we=)1Rw>1N(UetsSW_<=W(-oKMAExFsmpPS1K05 zm`JkguSY3=L2BQ9_!?p4ex41!yLOc&r zDT^p(Lo)AyuQlo9HLa2 zByzBWk}@|mNkOuaW+ht7^5wbI?CAO*9J5*jr_QF)i!&HbG#?g{+ddf%B->T{L(HqH&)%|{kM!vaiGD2Wk9^HhF(ny5FXcdS-1k6z*iIF(Do?5A8 zN6jh51JpV{W!W1?#U56Yi%GK;fTGvY`Ex;vf~>k_m+$Yo&4@GKrES#US!7EAXdg}@WV@oiTL(^Q zz5b>N*1ehcK<&7u9k{NNbk=uu6mc911o~bF7|x8yhrZIszRYnSu>LIC%Br1LQcO?$ zlqFa(6>PW_L?r9e-S)L!z8Bgc*?v_;n;e6ho3*dT{UXJ4T|j-qU*+}3AMIeQ&7w5{ zJ5|2S20Gm6E^0Iu zxr&U9MVbTMbkiof$ahDt@J!1SeL`WH+c?jiwrkh2lgr#5D+-rl+M{sGr$$Hw_Cx+f z=kJFf%d{XGW{_SCvJZ+Of}@U+)$+Sk)vEc+yE0H^}yY^rPb zKw5gBJ+@ojxnubM7PPh&TqMIo3#IC;Te8~`h3$r-LPL8|_(W{Rjgah69qi%lg+&I# z{Y}a;ZV9u6p)s1ATmQceY5zSgWmdKoZ@nd<-nLX)*-RBHRuItN=IVrZV&XsZKYsOu zSxN1Vbn>2(Hfky7E!fXci_6;Kg(mtGLoF?7o6mUi>c=f5E2)&D%&F)fmbKinOn9$$ zxC>^uTf76MSjNy0n@MM~Ze9dS3+Qlr`5X5|uUmyU{PBiGNsE);c_&$DShQh71wtxI z-r$px@q$1}kB{)A4SW0Agkx0kGEsZ?f@z_b z#)f@S;pjC0A~5o=|H?>LU z-+M#fHjwR0KQyP;yg!XJM&1mc+--K4aJjcQjq#Vs=DUKfBsFdcFC_^J^IEcAABFm?~JPvLWH6GZ7lJ_ zx^5gWP>(NDJzU#Rbm7Y!t~FKGuQSXgNs?>-Pt3O0_RF&}X~pWPwacX?nq_%Rimdhj zUvwD+zpIz%Q(EMI*b93u78PI6L9s&GsxM1gAG*ZA%Uh*-<=nP{!yB_VrbFJBFgxo> z^i1nV9;1|hpkUVrLaW4^696D#ZC*S}fSu%rvH@3A<%mAobH*tzmjelomOAjHhfJB$ zPkRzQo!Q7;LKT7Qa`SdGMb*RTPMEx1AXH*eG8#_F1-iszG-bNG&kq2g2NnT_yKy6| z0TF%{ZvzAX7=Se@)3#Dt`L|Gt004j=b?yB~9>>q(zr`PK0z(0VMg;KkgbEo4~mUH~pO5l?vLTezY|&tu%iGVZ&~wX_mmvWmQm&hN7E= z!09nKV6dMN+#VwU3TO)P@uPJlMA$IX0})}EWz=IZkiZ9o`}jd3zz1Rkpn;VX0)BiW z5(*)1+eX+18{Z_p?$wA5ZEJV_rZMM0Gwg&NurFE%v|a;VzXw*^K&Ex}`ZaJ^s&9j} zk<`gWyzw8}ZZJPP7nr1my|CGh7|Mri$Q{@q89y~{IrIgCk@oMJR>L0mnF9_D0000L C#$m<) literal 0 HcmV?d00001 diff --git a/docs/stylesheets/inter.min.css b/docs/stylesheets/inter.min.css index c098cead60..17ce922301 100644 --- a/docs/stylesheets/inter.min.css +++ b/docs/stylesheets/inter.min.css @@ -2,62 +2,62 @@ font-family: 'Inter'; font-style: normal; font-weight: 100; - src: url(/assets/fonts/Inter-thin.ttf) format('opentype'); + src: url(../assets/fonts/Inter-thin.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 200; - src: url(/assets/fonts/Inter-ExtraLight.ttf) format('opentype'); + src: url(../assets/fonts/Inter-ExtraLight.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 300; - src: url(/assets/fonts/Inter-Light.ttf) format('opentype'); + src: url(../assets/fonts/Inter-Light.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 400; - src: url(/assets/fonts/Inter-Regular.ttf) format('opentype'); + src: url(../assets/fonts/Inter-Regular.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 500; - src: url(/assets/fonts/Inter-Medium.ttf) format('opentype'); + src: url(../assets/fonts/Inter-Medium.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 600; - src: url(/assets/fonts/Inter-SemiBold.ttf) format('opentype'); + src: url(../assets/fonts/Inter-SemiBold.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 700; - src: url(/assets/fonts/Inter-Bold.ttf) format('opentype'); + src: url(../assets/fonts/Inter-Bold.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 800; - src: url(/assets/fonts/Inter-ExtraBold.ttf) format('opentype'); + src: url(../assets/fonts/Inter-ExtraBold.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @font-face { font-family: 'Inter'; font-style: normal; font-weight: 900; - src: url(/assets/fonts/Inter-Black.ttf) format('opentype'); + src: url(../assets/fonts/Inter-Black.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } \ No newline at end of file diff --git a/docs/stylesheets/lightgallery.min.css b/docs/stylesheets/lightgallery.min.css index 104d68f817..e10ab3df27 100644 --- a/docs/stylesheets/lightgallery.min.css +++ b/docs/stylesheets/lightgallery.min.css @@ -1 +1 @@ -@font-face{font-family:lg;src:url(../fonts/lg.ttf?22t19m) format("truetype"),url(../fonts/lg.woff?22t19m) format("woff"),url(../fonts/lg.svg?22t19m#lg) format("svg");font-weight:400;font-style:normal;font-display:block}.lg-icon{font-family:lg!important;speak:never;font-style:normal;font-weight:400;font-variant:normal;text-transform:none;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.lg-actions .lg-next,.lg-actions .lg-prev{border-radius:2px;color:#999;cursor:pointer;display:block;font-size:22px;margin-top:-10px;padding:8px 10px 9px;position:absolute;top:50%;z-index:1080;outline:0;border:none;background-color:transparent}.lg-actions .lg-next.disabled,.lg-actions .lg-prev.disabled{pointer-events:none;opacity:.5}.lg-actions .lg-next:hover,.lg-actions .lg-prev:hover{color:#FFF}.lg-actions .lg-next{right:20px}.lg-actions .lg-next:before{content:"\e095"}.lg-actions .lg-prev{left:20px}.lg-actions .lg-prev:after{content:"\e094"}@-webkit-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-moz-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-ms-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-webkit-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@-moz-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@-ms-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}.lg-outer.lg-right-end .lg-object{-webkit-animation:lg-right-end .3s;-o-animation:lg-right-end .3s;animation:lg-right-end .3s;position:relative}.lg-outer.lg-left-end .lg-object{-webkit-animation:lg-left-end .3s;-o-animation:lg-left-end .3s;animation:lg-left-end .3s;position:relative}.lg-toolbar{z-index:1082;left:0;position:absolute;top:0;width:100%;background-color:rgba(0,0,0,.45)}.lg-toolbar .lg-icon{color:#999;cursor:pointer;float:right;font-size:24px;height:47px;line-height:27px;padding:10px 0;text-align:center;width:50px;text-decoration:none!important;outline:0;background:0 0;border:none;box-shadow:none;-webkit-transition:color .2s linear;-o-transition:color .2s linear;transition:color .2s linear}.lg-toolbar .lg-icon:hover{color:#FFF}.lg-toolbar .lg-close:after{content:"\e070"}.lg-toolbar .lg-download:after{content:"\e0f2"}.lg-sub-html{background-color:rgba(0,0,0,.45);bottom:0;color:#EEE;font-size:16px;left:0;padding:10px 40px;position:fixed;right:0;text-align:center;z-index:1080}.lg-sub-html h4{margin:0;font-size:13px;font-weight:700}.lg-sub-html p{font-size:12px;margin:5px 0 0}#lg-counter{color:#999;display:inline-block;font-size:16px;padding-left:20px;padding-top:12px;vertical-align:middle}.lg-next,.lg-prev,.lg-toolbar{opacity:1;-webkit-transition:-webkit-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;-moz-transition:-moz-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;-o-transition:-o-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;transition:transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear}.lg-hide-items .lg-prev{opacity:0;-webkit-transform:translate3d(-10px,0,0);transform:translate3d(-10px,0,0)}.lg-hide-items .lg-next{opacity:0;-webkit-transform:translate3d(10px,0,0);transform:translate3d(10px,0,0)}.lg-hide-items .lg-toolbar{opacity:0;-webkit-transform:translate3d(0,-10px,0);transform:translate3d(0,-10px,0)}body:not(.lg-from-hash) .lg-outer.lg-start-zoom .lg-object{-webkit-transform:scale3d(.5,.5,.5);transform:scale3d(.5,.5,.5);opacity:0;-webkit-transition:-webkit-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-moz-transition:-moz-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-o-transition:-o-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;transition:transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-webkit-transform-origin:50% 50%;-moz-transform-origin:50% 50%;-ms-transform-origin:50% 50%;transform-origin:50% 50%}body:not(.lg-from-hash) .lg-outer.lg-start-zoom .lg-item.lg-complete .lg-object{-webkit-transform:scale3d(1,1,1);transform:scale3d(1,1,1);opacity:1}.lg-outer .lg-thumb-outer{background-color:#0D0A0A;bottom:0;position:absolute;width:100%;z-index:1080;max-height:350px;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);-webkit-transition:-webkit-transform .25s cubic-bezier(0,0,.25,1) 0s;-moz-transition:-moz-transform .25s cubic-bezier(0,0,.25,1) 0s;-o-transition:-o-transform .25s cubic-bezier(0,0,.25,1) 0s;transition:transform .25s cubic-bezier(0,0,.25,1) 0s}.lg-outer .lg-thumb-outer.lg-grab .lg-thumb-item{cursor:-webkit-grab;cursor:-moz-grab;cursor:-o-grab;cursor:-ms-grab;cursor:grab}.lg-outer .lg-thumb-outer.lg-grabbing .lg-thumb-item{cursor:move;cursor:-webkit-grabbing;cursor:-moz-grabbing;cursor:-o-grabbing;cursor:-ms-grabbing;cursor:grabbing}.lg-outer .lg-thumb-outer.lg-dragging .lg-thumb{-webkit-transition-duration:0s!important;transition-duration:0s!important}.lg-outer.lg-thumb-open .lg-thumb-outer{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.lg-outer .lg-thumb{padding:10px 0;height:100%;margin-bottom:-5px}.lg-outer .lg-thumb-item{cursor:pointer;float:left;overflow:hidden;height:100%;border:2px solid #FFF;border-radius:4px;margin-bottom:5px}@media (min-width:1025px){.lg-outer .lg-thumb-item{-webkit-transition:border-color .25s ease;-o-transition:border-color .25s ease;transition:border-color .25s ease}}.lg-outer .lg-thumb-item.active,.lg-outer .lg-thumb-item:hover{border-color:#a90707}.lg-outer .lg-thumb-item img{width:100%;height:100%;object-fit:cover}.lg-outer.lg-has-thumb .lg-item{padding-bottom:120px}.lg-outer.lg-can-toggle .lg-item{padding-bottom:0}.lg-outer.lg-pull-caption-up .lg-sub-html{-webkit-transition:bottom .25s ease;-o-transition:bottom .25s ease;transition:bottom .25s ease}.lg-outer.lg-pull-caption-up.lg-thumb-open .lg-sub-html{bottom:100px}.lg-outer .lg-toggle-thumb{background-color:#0D0A0A;border-radius:2px 2px 0 0;color:#999;cursor:pointer;font-size:24px;height:39px;line-height:27px;padding:5px 0;position:absolute;right:20px;text-align:center;top:-39px;width:50px;outline:0;border:none}.lg-outer .lg-toggle-thumb:after{content:"\e1ff"}.lg-outer .lg-toggle-thumb:hover{color:#FFF}.lg-outer .lg-video-cont{display:inline-block;vertical-align:middle;max-width:1140px;max-height:100%;width:100%;padding:0 5px}.lg-outer .lg-video{width:100%;height:0;padding-bottom:56.25%;overflow:hidden;position:relative}.lg-outer .lg-video .lg-object{display:inline-block;position:absolute;top:0;left:0;width:100%!important;height:100%!important}.lg-outer .lg-video .lg-video-play{width:84px;height:59px;position:absolute;left:50%;top:50%;margin-left:-42px;margin-top:-30px;z-index:1080;cursor:pointer}.lg-outer .lg-has-vimeo .lg-video-play{background:url(../img/vimeo-play.png) no-repeat}.lg-outer .lg-has-vimeo:hover .lg-video-play{background:url(../img/vimeo-play.png) 0 -58px no-repeat}.lg-outer .lg-has-html5 .lg-video-play{background:url(../img/video-play.png) no-repeat;height:64px;margin-left:-32px;margin-top:-32px;width:64px;opacity:.8}.lg-outer .lg-has-html5:hover .lg-video-play{opacity:1}.lg-outer .lg-has-youtube .lg-video-play{background:url(../img/youtube-play.png) no-repeat}.lg-outer .lg-has-youtube:hover .lg-video-play{background:url(../img/youtube-play.png) 0 -60px no-repeat}.lg-outer .lg-video-object{width:100%!important;height:100%!important;position:absolute;top:0;left:0}.lg-outer .lg-has-video .lg-video-object{visibility:hidden}.lg-outer .lg-has-video.lg-video-playing .lg-object,.lg-outer .lg-has-video.lg-video-playing .lg-video-play{display:none}.lg-outer .lg-has-video.lg-video-playing .lg-video-object{visibility:visible}.lg-progress-bar{background-color:#333;height:5px;left:0;position:absolute;top:0;width:100%;z-index:1083;opacity:0;-webkit-transition:opacity 80ms ease 0s;-moz-transition:opacity 80ms ease 0s;-o-transition:opacity 80ms ease 0s;transition:opacity 80ms ease 0s}.lg-progress-bar .lg-progress{background-color:#a90707;height:5px;width:0}.lg-progress-bar.lg-start .lg-progress{width:100%}.lg-show-autoplay .lg-progress-bar{opacity:1}.lg-autoplay-button:after{content:"\e01d"}.lg-show-autoplay .lg-autoplay-button:after{content:"\e01a"}.lg-outer.lg-css3.lg-zoom-dragging .lg-item.lg-complete.lg-zoomable .lg-image,.lg-outer.lg-css3.lg-zoom-dragging .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition-duration:0s;transition-duration:0s}.lg-outer.lg-use-transition-for-zoom .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition:-webkit-transform .3s cubic-bezier(0,0,.25,1) 0s;-moz-transition:-moz-transform .3s cubic-bezier(0,0,.25,1) 0s;-o-transition:-o-transform .3s cubic-bezier(0,0,.25,1) 0s;transition:transform .3s cubic-bezier(0,0,.25,1) 0s}.lg-outer.lg-use-left-for-zoom .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;-moz-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;-o-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s}.lg-outer .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}.lg-outer .lg-item.lg-complete.lg-zoomable .lg-image{-webkit-transform:scale3d(1,1,1);transform:scale3d(1,1,1);-webkit-transition:-webkit-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-moz-transition:-moz-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-o-transition:-o-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;transition:transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-webkit-transform-origin:0 0;-moz-transform-origin:0 0;-ms-transform-origin:0 0;transform-origin:0 0;-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}#lg-zoom-in:after{content:"\e311"}#lg-actual-size{font-size:20px}#lg-actual-size:after{content:"\e033"}#lg-zoom-out{opacity:.5;pointer-events:none}#lg-zoom-out:after{content:"\e312"}.lg-zoomed #lg-zoom-out{opacity:1;pointer-events:auto}.lg-outer .lg-pager-outer{bottom:60px;left:0;position:absolute;right:0;text-align:center;z-index:1080;height:10px}.lg-outer .lg-pager-outer.lg-pager-hover .lg-pager-cont{overflow:visible}.lg-outer .lg-pager-cont{cursor:pointer;display:inline-block;overflow:hidden;position:relative;vertical-align:top;margin:0 5px}.lg-outer .lg-pager-cont:hover .lg-pager-thumb-cont{opacity:1;-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.lg-outer .lg-pager-cont.lg-pager-active .lg-pager{box-shadow:0 0 0 2px #fff inset}.lg-outer .lg-pager-thumb-cont{background-color:#fff;color:#FFF;bottom:100%;height:83px;left:0;margin-bottom:20px;margin-left:-60px;opacity:0;padding:5px;position:absolute;width:120px;border-radius:3px;-webkit-transition:opacity .15s ease 0s,-webkit-transform .15s ease 0s;-moz-transition:opacity .15s ease 0s,-moz-transform .15s ease 0s;-o-transition:opacity .15s ease 0s,-o-transform .15s ease 0s;transition:opacity .15s ease 0s,transform .15s ease 0s;-webkit-transform:translate3d(0,5px,0);transform:translate3d(0,5px,0)}.lg-outer .lg-pager-thumb-cont img{width:100%;height:100%}.lg-outer .lg-pager{background-color:rgba(255,255,255,.5);border-radius:50%;box-shadow:0 0 0 8px rgba(255,255,255,.7) inset;display:block;height:12px;-webkit-transition:box-shadow .3s ease 0s;-o-transition:box-shadow .3s ease 0s;transition:box-shadow .3s ease 0s;width:12px}.lg-outer .lg-pager:focus,.lg-outer .lg-pager:hover{box-shadow:0 0 0 8px #fff inset}.lg-outer .lg-caret{border-left:10px solid transparent;border-right:10px solid transparent;border-top:10px dashed;bottom:-10px;display:inline-block;height:0;left:50%;margin-left:-5px;position:absolute;vertical-align:middle;width:0}.lg-fullscreen:after{content:"\e20c"}.lg-fullscreen-on .lg-fullscreen:after{content:"\e20d"}.lg-outer #lg-dropdown-overlay{background-color:rgba(0,0,0,.25);bottom:0;cursor:default;left:0;position:fixed;right:0;top:0;z-index:1081;opacity:0;visibility:hidden;-webkit-transition:visibility 0s linear .18s,opacity .18s linear 0s;-o-transition:visibility 0s linear .18s,opacity .18s linear 0s;transition:visibility 0s linear .18s,opacity .18s linear 0s}.lg-outer.lg-dropdown-active #lg-dropdown-overlay,.lg-outer.lg-dropdown-active .lg-dropdown{-webkit-transition-delay:0s;transition-delay:0s;-moz-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);-ms-transform:translate3d(0,0,0);-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);opacity:1;visibility:visible}.lg-outer.lg-dropdown-active #lg-share{color:#FFF}.lg-outer .lg-dropdown{background-color:#fff;border-radius:2px;font-size:14px;list-style-type:none;margin:0;padding:10px 0;position:absolute;right:0;text-align:left;top:50px;opacity:0;visibility:hidden;-moz-transform:translate3d(0,5px,0);-o-transform:translate3d(0,5px,0);-ms-transform:translate3d(0,5px,0);-webkit-transform:translate3d(0,5px,0);transform:translate3d(0,5px,0);-webkit-transition:-webkit-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;-moz-transition:-moz-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;-o-transition:-o-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;transition:transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s}.lg-outer .lg-dropdown:after{content:"";display:block;height:0;width:0;position:absolute;border:8px solid transparent;border-bottom-color:#FFF;right:16px;top:-16px}.lg-outer .lg-dropdown>li:last-child{margin-bottom:0}.lg-outer .lg-dropdown>li:hover .lg-icon,.lg-outer .lg-dropdown>li:hover a{color:#333}.lg-outer .lg-dropdown a{color:#333;display:block;white-space:pre;padding:4px 12px;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12px}.lg-outer .lg-dropdown a:hover{background-color:rgba(0,0,0,.07)}.lg-outer .lg-dropdown .lg-dropdown-text{display:inline-block;line-height:1;margin-top:-3px;vertical-align:middle}.lg-outer .lg-dropdown .lg-icon{color:#333;display:inline-block;float:none;font-size:20px;height:auto;line-height:1;margin-right:8px;padding:0;vertical-align:middle;width:auto}.lg-outer,.lg-outer .lg,.lg-outer .lg-inner{height:100%;width:100%}.lg-outer #lg-share{position:relative}.lg-outer #lg-share:after{content:"\e80d"}.lg-outer #lg-share-facebook .lg-icon{color:#3b5998}.lg-outer #lg-share-facebook .lg-icon:after{content:"\e904"}.lg-outer #lg-share-twitter .lg-icon{color:#00aced}.lg-outer #lg-share-twitter .lg-icon:after{content:"\e907"}.lg-outer #lg-share-googleplus .lg-icon{color:#dd4b39}.lg-outer #lg-share-googleplus .lg-icon:after{content:"\e905"}.lg-outer #lg-share-pinterest .lg-icon{color:#cb2027}.lg-outer #lg-share-pinterest .lg-icon:after{content:"\e906"}.lg-outer .lg-img-rotate{position:absolute;padding:0 5px;left:0;right:0;top:0;bottom:0;-webkit-transition:-webkit-transform .3s cubic-bezier(.32,0,.67,0) 0s;-moz-transition:-moz-transform .3s cubic-bezier(.32,0,.67,0) 0s;-o-transition:-o-transform .3s cubic-bezier(.32,0,.67,0) 0s;transition:transform .3s cubic-bezier(.32,0,.67,0) 0s}.lg-rotate-left:after{content:"\e900"}.lg-rotate-right:after{content:"\e901"}.lg-icon.lg-flip-hor,.lg-icon.lg-flip-ver{font-size:26px}.lg-flip-hor:after{content:"\e902"}.lg-flip-ver:after{content:"\e903"}.lg-group:after,.lg-group:before{display:table;content:"";line-height:0}.lg-group:after{clear:both}.lg-outer{position:fixed;top:0;left:0;z-index:1050;opacity:0;outline:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-outer *{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.lg-outer.lg-visible{opacity:1}.lg-outer.lg-css3 .lg-item.lg-current,.lg-outer.lg-css3 .lg-item.lg-next-slide,.lg-outer.lg-css3 .lg-item.lg-prev-slide{-webkit-transition-duration:inherit!important;transition-duration:inherit!important;-webkit-transition-timing-function:inherit!important;transition-timing-function:inherit!important}.lg-outer.lg-css3.lg-dragging .lg-item.lg-current,.lg-outer.lg-css3.lg-dragging .lg-item.lg-next-slide,.lg-outer.lg-css3.lg-dragging .lg-item.lg-prev-slide{-webkit-transition-duration:0s!important;transition-duration:0s!important;opacity:1}.lg-outer.lg-grab img.lg-object{cursor:-webkit-grab;cursor:-moz-grab;cursor:-o-grab;cursor:-ms-grab;cursor:grab}.lg-outer.lg-grabbing img.lg-object{cursor:move;cursor:-webkit-grabbing;cursor:-moz-grabbing;cursor:-o-grabbing;cursor:-ms-grabbing;cursor:grabbing}.lg-outer .lg{position:relative;overflow:hidden;margin-left:auto;margin-right:auto;max-width:100%;max-height:100%}.lg-outer .lg-inner{position:absolute;left:0;top:0;white-space:nowrap}.lg-outer .lg-item{background:url(../img/loading.gif) center center no-repeat;display:none!important}.lg-outer.lg-css .lg-current,.lg-outer.lg-css3 .lg-current,.lg-outer.lg-css3 .lg-next-slide,.lg-outer.lg-css3 .lg-prev-slide{display:inline-block!important}.lg-outer .lg-img-wrap,.lg-outer .lg-item{display:inline-block;text-align:center;position:absolute;width:100%;height:100%}.lg-outer .lg-img-wrap:before,.lg-outer .lg-item:before{content:"";display:inline-block;height:50%;width:1px;margin-right:-1px}.lg-outer .lg-img-wrap{position:absolute;padding:0 5px;left:0;right:0;top:0;bottom:0}.lg-outer .lg-item.lg-complete{background-image:none}.lg-outer .lg-item.lg-current{z-index:1060}.lg-outer .lg-image{display:inline-block;vertical-align:middle;max-width:100%;max-height:100%;width:auto!important;height:auto!important}.lg-outer.lg-show-after-load .lg-item .lg-object,.lg-outer.lg-show-after-load .lg-item .lg-video-play{opacity:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-outer.lg-show-after-load .lg-item.lg-complete .lg-object,.lg-outer.lg-show-after-load .lg-item.lg-complete .lg-video-play{opacity:1}.lg-outer .lg-empty-html,.lg-outer.lg-hide-download #lg-download{display:none}.lg-backdrop{position:fixed;top:0;left:0;right:0;bottom:0;z-index:1040;background-color:#000;opacity:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-backdrop.in{opacity:1}.lg-css3.lg-no-trans .lg-current,.lg-css3.lg-no-trans .lg-next-slide,.lg-css3.lg-no-trans .lg-prev-slide{-webkit-transition:none 0s ease 0s!important;-moz-transition:none 0s ease 0s!important;-o-transition:none 0s ease 0s!important;transition:none 0s ease 0s!important}.lg-css3.lg-use-css3 .lg-item,.lg-css3.lg-use-left .lg-item{-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}.lg-css3.lg-fade .lg-item{opacity:0}.lg-css3.lg-fade .lg-item.lg-current{opacity:1}.lg-css3.lg-fade .lg-item.lg-current,.lg-css3.lg-fade .lg-item.lg-next-slide,.lg-css3.lg-fade .lg-item.lg-prev-slide{-webkit-transition:opacity .1s ease 0s;-moz-transition:opacity .1s ease 0s;-o-transition:opacity .1s ease 0s;transition:opacity .1s ease 0s}.lg-css3.lg-slide.lg-use-css3 .lg-item{opacity:0}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-prev-slide{-webkit-transform:translate3d(-100%,0,0);transform:translate3d(-100%,0,0)}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-next-slide{-webkit-transform:translate3d(100%,0,0);transform:translate3d(100%,0,0)}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-current{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);opacity:1}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-current,.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-next-slide,.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-prev-slide{-webkit-transition:-webkit-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-moz-transition:-moz-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-o-transition:-o-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;transition:transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s}.lg-css3.lg-slide.lg-use-left .lg-item{opacity:0;position:absolute;left:0}.lg-css3.lg-slide.lg-use-left .lg-item.lg-prev-slide{left:-100%}.lg-css3.lg-slide.lg-use-left .lg-item.lg-next-slide{left:100%}.lg-css3.lg-slide.lg-use-left .lg-item.lg-current{left:0;opacity:1}.lg-css3.lg-slide.lg-use-left .lg-item.lg-current,.lg-css3.lg-slide.lg-use-left .lg-item.lg-next-slide,.lg-css3.lg-slide.lg-use-left .lg-item.lg-prev-slide{-webkit-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-moz-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-o-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s} \ No newline at end of file +@font-face{font-family:lg;src:url(../assets/fonts/lg.ttf?22t19m) format("truetype"),url(../assets/fonts/lg.woff?22t19m) format("woff"),url(../assets/fonts/lg.svg?22t19m#lg) format("svg");font-weight:400;font-style:normal;font-display:block}.lg-icon{font-family:lg!important;speak:never;font-style:normal;font-weight:400;font-variant:normal;text-transform:none;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.lg-actions .lg-next,.lg-actions .lg-prev{border-radius:2px;color:#999;cursor:pointer;display:block;font-size:22px;margin-top:-10px;padding:8px 10px 9px;position:absolute;top:50%;z-index:1080;outline:0;border:none;background-color:transparent}.lg-actions .lg-next.disabled,.lg-actions .lg-prev.disabled{pointer-events:none;opacity:.5}.lg-actions .lg-next:hover,.lg-actions .lg-prev:hover{color:#FFF}.lg-actions .lg-next{right:20px}.lg-actions .lg-next:before{content:"\e095"}.lg-actions .lg-prev{left:20px}.lg-actions .lg-prev:after{content:"\e094"}@-webkit-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-moz-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-ms-keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@keyframes lg-right-end{0%,100%{left:0}50%{left:-30px}}@-webkit-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@-moz-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@-ms-keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}@keyframes lg-left-end{0%,100%{left:0}50%{left:30px}}.lg-outer.lg-right-end .lg-object{-webkit-animation:lg-right-end .3s;-o-animation:lg-right-end .3s;animation:lg-right-end .3s;position:relative}.lg-outer.lg-left-end .lg-object{-webkit-animation:lg-left-end .3s;-o-animation:lg-left-end .3s;animation:lg-left-end .3s;position:relative}.lg-toolbar{z-index:1082;left:0;position:absolute;top:0;width:100%;background-color:rgba(0,0,0,.45)}.lg-toolbar .lg-icon{color:#999;cursor:pointer;float:right;font-size:24px;height:47px;line-height:27px;padding:10px 0;text-align:center;width:50px;text-decoration:none!important;outline:0;background:0 0;border:none;box-shadow:none;-webkit-transition:color .2s linear;-o-transition:color .2s linear;transition:color .2s linear}.lg-toolbar .lg-icon:hover{color:#FFF}.lg-toolbar .lg-close:after{content:"\e070"}.lg-toolbar .lg-download:after{content:"\e0f2"}.lg-sub-html{background-color:rgba(0,0,0,.45);bottom:0;color:#EEE;font-size:16px;left:0;padding:10px 40px;position:fixed;right:0;text-align:center;z-index:1080}.lg-sub-html h4{margin:0;font-size:13px;font-weight:700}.lg-sub-html p{font-size:12px;margin:5px 0 0}#lg-counter{color:#999;display:inline-block;font-size:16px;padding-left:20px;padding-top:12px;vertical-align:middle}.lg-next,.lg-prev,.lg-toolbar{opacity:1;-webkit-transition:-webkit-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;-moz-transition:-moz-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;-o-transition:-o-transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear;transition:transform .35s cubic-bezier(0,0,.25,1) 0s,opacity .35s cubic-bezier(0,0,.25,1) 0s,color .2s linear}.lg-hide-items .lg-prev{opacity:0;-webkit-transform:translate3d(-10px,0,0);transform:translate3d(-10px,0,0)}.lg-hide-items .lg-next{opacity:0;-webkit-transform:translate3d(10px,0,0);transform:translate3d(10px,0,0)}.lg-hide-items .lg-toolbar{opacity:0;-webkit-transform:translate3d(0,-10px,0);transform:translate3d(0,-10px,0)}body:not(.lg-from-hash) .lg-outer.lg-start-zoom .lg-object{-webkit-transform:scale3d(.5,.5,.5);transform:scale3d(.5,.5,.5);opacity:0;-webkit-transition:-webkit-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-moz-transition:-moz-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-o-transition:-o-transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;transition:transform 250ms cubic-bezier(0,0,.25,1) 0s,opacity 250ms cubic-bezier(0,0,.25,1)!important;-webkit-transform-origin:50% 50%;-moz-transform-origin:50% 50%;-ms-transform-origin:50% 50%;transform-origin:50% 50%}body:not(.lg-from-hash) .lg-outer.lg-start-zoom .lg-item.lg-complete .lg-object{-webkit-transform:scale3d(1,1,1);transform:scale3d(1,1,1);opacity:1}.lg-outer .lg-thumb-outer{background-color:#0D0A0A;bottom:0;position:absolute;width:100%;z-index:1080;max-height:350px;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);-webkit-transition:-webkit-transform .25s cubic-bezier(0,0,.25,1) 0s;-moz-transition:-moz-transform .25s cubic-bezier(0,0,.25,1) 0s;-o-transition:-o-transform .25s cubic-bezier(0,0,.25,1) 0s;transition:transform .25s cubic-bezier(0,0,.25,1) 0s}.lg-outer .lg-thumb-outer.lg-grab .lg-thumb-item{cursor:-webkit-grab;cursor:-moz-grab;cursor:-o-grab;cursor:-ms-grab;cursor:grab}.lg-outer .lg-thumb-outer.lg-grabbing .lg-thumb-item{cursor:move;cursor:-webkit-grabbing;cursor:-moz-grabbing;cursor:-o-grabbing;cursor:-ms-grabbing;cursor:grabbing}.lg-outer .lg-thumb-outer.lg-dragging .lg-thumb{-webkit-transition-duration:0s!important;transition-duration:0s!important}.lg-outer.lg-thumb-open .lg-thumb-outer{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.lg-outer .lg-thumb{padding:10px 0;height:100%;margin-bottom:-5px}.lg-outer .lg-thumb-item{cursor:pointer;float:left;overflow:hidden;height:100%;border:2px solid #FFF;border-radius:4px;margin-bottom:5px}@media (min-width:1025px){.lg-outer .lg-thumb-item{-webkit-transition:border-color .25s ease;-o-transition:border-color .25s ease;transition:border-color .25s ease}}.lg-outer .lg-thumb-item.active,.lg-outer .lg-thumb-item:hover{border-color:#a90707}.lg-outer .lg-thumb-item img{width:100%;height:100%;object-fit:cover}.lg-outer.lg-has-thumb .lg-item{padding-bottom:120px}.lg-outer.lg-can-toggle .lg-item{padding-bottom:0}.lg-outer.lg-pull-caption-up .lg-sub-html{-webkit-transition:bottom .25s ease;-o-transition:bottom .25s ease;transition:bottom .25s ease}.lg-outer.lg-pull-caption-up.lg-thumb-open .lg-sub-html{bottom:100px}.lg-outer .lg-toggle-thumb{background-color:#0D0A0A;border-radius:2px 2px 0 0;color:#999;cursor:pointer;font-size:24px;height:39px;line-height:27px;padding:5px 0;position:absolute;right:20px;text-align:center;top:-39px;width:50px;outline:0;border:none}.lg-outer .lg-toggle-thumb:after{content:"\e1ff"}.lg-outer .lg-toggle-thumb:hover{color:#FFF}.lg-outer .lg-video-cont{display:inline-block;vertical-align:middle;max-width:1140px;max-height:100%;width:100%;padding:0 5px}.lg-outer .lg-video{width:100%;height:0;padding-bottom:56.25%;overflow:hidden;position:relative}.lg-outer .lg-video .lg-object{display:inline-block;position:absolute;top:0;left:0;width:100%!important;height:100%!important}.lg-outer .lg-video .lg-video-play{width:84px;height:59px;position:absolute;left:50%;top:50%;margin-left:-42px;margin-top:-30px;z-index:1080;cursor:pointer}.lg-outer .lg-has-vimeo .lg-video-play{background:url(../img/vimeo-play.png) no-repeat}.lg-outer .lg-has-vimeo:hover .lg-video-play{background:url(../img/vimeo-play.png) 0 -58px no-repeat}.lg-outer .lg-has-html5 .lg-video-play{background:url(../img/video-play.png) no-repeat;height:64px;margin-left:-32px;margin-top:-32px;width:64px;opacity:.8}.lg-outer .lg-has-html5:hover .lg-video-play{opacity:1}.lg-outer .lg-has-youtube .lg-video-play{background:url(../img/youtube-play.png) no-repeat}.lg-outer .lg-has-youtube:hover .lg-video-play{background:url(../img/youtube-play.png) 0 -60px no-repeat}.lg-outer .lg-video-object{width:100%!important;height:100%!important;position:absolute;top:0;left:0}.lg-outer .lg-has-video .lg-video-object{visibility:hidden}.lg-outer .lg-has-video.lg-video-playing .lg-object,.lg-outer .lg-has-video.lg-video-playing .lg-video-play{display:none}.lg-outer .lg-has-video.lg-video-playing .lg-video-object{visibility:visible}.lg-progress-bar{background-color:#333;height:5px;left:0;position:absolute;top:0;width:100%;z-index:1083;opacity:0;-webkit-transition:opacity 80ms ease 0s;-moz-transition:opacity 80ms ease 0s;-o-transition:opacity 80ms ease 0s;transition:opacity 80ms ease 0s}.lg-progress-bar .lg-progress{background-color:#a90707;height:5px;width:0}.lg-progress-bar.lg-start .lg-progress{width:100%}.lg-show-autoplay .lg-progress-bar{opacity:1}.lg-autoplay-button:after{content:"\e01d"}.lg-show-autoplay .lg-autoplay-button:after{content:"\e01a"}.lg-outer.lg-css3.lg-zoom-dragging .lg-item.lg-complete.lg-zoomable .lg-image,.lg-outer.lg-css3.lg-zoom-dragging .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition-duration:0s;transition-duration:0s}.lg-outer.lg-use-transition-for-zoom .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition:-webkit-transform .3s cubic-bezier(0,0,.25,1) 0s;-moz-transition:-moz-transform .3s cubic-bezier(0,0,.25,1) 0s;-o-transition:-o-transform .3s cubic-bezier(0,0,.25,1) 0s;transition:transform .3s cubic-bezier(0,0,.25,1) 0s}.lg-outer.lg-use-left-for-zoom .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;-moz-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;-o-transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s;transition:left .3s cubic-bezier(0,0,.25,1) 0s,top .3s cubic-bezier(0,0,.25,1) 0s}.lg-outer .lg-item.lg-complete.lg-zoomable .lg-img-wrap{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}.lg-outer .lg-item.lg-complete.lg-zoomable .lg-image{-webkit-transform:scale3d(1,1,1);transform:scale3d(1,1,1);-webkit-transition:-webkit-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-moz-transition:-moz-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-o-transition:-o-transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;transition:transform .3s cubic-bezier(0,0,.25,1) 0s,opacity .15s!important;-webkit-transform-origin:0 0;-moz-transform-origin:0 0;-ms-transform-origin:0 0;transform-origin:0 0;-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}#lg-zoom-in:after{content:"\e311"}#lg-actual-size{font-size:20px}#lg-actual-size:after{content:"\e033"}#lg-zoom-out{opacity:.5;pointer-events:none}#lg-zoom-out:after{content:"\e312"}.lg-zoomed #lg-zoom-out{opacity:1;pointer-events:auto}.lg-outer .lg-pager-outer{bottom:60px;left:0;position:absolute;right:0;text-align:center;z-index:1080;height:10px}.lg-outer .lg-pager-outer.lg-pager-hover .lg-pager-cont{overflow:visible}.lg-outer .lg-pager-cont{cursor:pointer;display:inline-block;overflow:hidden;position:relative;vertical-align:top;margin:0 5px}.lg-outer .lg-pager-cont:hover .lg-pager-thumb-cont{opacity:1;-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.lg-outer .lg-pager-cont.lg-pager-active .lg-pager{box-shadow:0 0 0 2px #fff inset}.lg-outer .lg-pager-thumb-cont{background-color:#fff;color:#FFF;bottom:100%;height:83px;left:0;margin-bottom:20px;margin-left:-60px;opacity:0;padding:5px;position:absolute;width:120px;border-radius:3px;-webkit-transition:opacity .15s ease 0s,-webkit-transform .15s ease 0s;-moz-transition:opacity .15s ease 0s,-moz-transform .15s ease 0s;-o-transition:opacity .15s ease 0s,-o-transform .15s ease 0s;transition:opacity .15s ease 0s,transform .15s ease 0s;-webkit-transform:translate3d(0,5px,0);transform:translate3d(0,5px,0)}.lg-outer .lg-pager-thumb-cont img{width:100%;height:100%}.lg-outer .lg-pager{background-color:rgba(255,255,255,.5);border-radius:50%;box-shadow:0 0 0 8px rgba(255,255,255,.7) inset;display:block;height:12px;-webkit-transition:box-shadow .3s ease 0s;-o-transition:box-shadow .3s ease 0s;transition:box-shadow .3s ease 0s;width:12px}.lg-outer .lg-pager:focus,.lg-outer .lg-pager:hover{box-shadow:0 0 0 8px #fff inset}.lg-outer .lg-caret{border-left:10px solid transparent;border-right:10px solid transparent;border-top:10px dashed;bottom:-10px;display:inline-block;height:0;left:50%;margin-left:-5px;position:absolute;vertical-align:middle;width:0}.lg-fullscreen:after{content:"\e20c"}.lg-fullscreen-on .lg-fullscreen:after{content:"\e20d"}.lg-outer #lg-dropdown-overlay{background-color:rgba(0,0,0,.25);bottom:0;cursor:default;left:0;position:fixed;right:0;top:0;z-index:1081;opacity:0;visibility:hidden;-webkit-transition:visibility 0s linear .18s,opacity .18s linear 0s;-o-transition:visibility 0s linear .18s,opacity .18s linear 0s;transition:visibility 0s linear .18s,opacity .18s linear 0s}.lg-outer.lg-dropdown-active #lg-dropdown-overlay,.lg-outer.lg-dropdown-active .lg-dropdown{-webkit-transition-delay:0s;transition-delay:0s;-moz-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);-ms-transform:translate3d(0,0,0);-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);opacity:1;visibility:visible}.lg-outer.lg-dropdown-active #lg-share{color:#FFF}.lg-outer .lg-dropdown{background-color:#fff;border-radius:2px;font-size:14px;list-style-type:none;margin:0;padding:10px 0;position:absolute;right:0;text-align:left;top:50px;opacity:0;visibility:hidden;-moz-transform:translate3d(0,5px,0);-o-transform:translate3d(0,5px,0);-ms-transform:translate3d(0,5px,0);-webkit-transform:translate3d(0,5px,0);transform:translate3d(0,5px,0);-webkit-transition:-webkit-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;-moz-transition:-moz-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;-o-transition:-o-transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s;transition:transform .18s linear 0s,visibility 0s linear .5s,opacity .18s linear 0s}.lg-outer .lg-dropdown:after{content:"";display:block;height:0;width:0;position:absolute;border:8px solid transparent;border-bottom-color:#FFF;right:16px;top:-16px}.lg-outer .lg-dropdown>li:last-child{margin-bottom:0}.lg-outer .lg-dropdown>li:hover .lg-icon,.lg-outer .lg-dropdown>li:hover a{color:#333}.lg-outer .lg-dropdown a{color:#333;display:block;white-space:pre;padding:4px 12px;font-family:"Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;font-size:12px}.lg-outer .lg-dropdown a:hover{background-color:rgba(0,0,0,.07)}.lg-outer .lg-dropdown .lg-dropdown-text{display:inline-block;line-height:1;margin-top:-3px;vertical-align:middle}.lg-outer .lg-dropdown .lg-icon{color:#333;display:inline-block;float:none;font-size:20px;height:auto;line-height:1;margin-right:8px;padding:0;vertical-align:middle;width:auto}.lg-outer,.lg-outer .lg,.lg-outer .lg-inner{height:100%;width:100%}.lg-outer #lg-share{position:relative}.lg-outer #lg-share:after{content:"\e80d"}.lg-outer #lg-share-facebook .lg-icon{color:#3b5998}.lg-outer #lg-share-facebook .lg-icon:after{content:"\e904"}.lg-outer #lg-share-twitter .lg-icon{color:#00aced}.lg-outer #lg-share-twitter .lg-icon:after{content:"\e907"}.lg-outer #lg-share-googleplus .lg-icon{color:#dd4b39}.lg-outer #lg-share-googleplus .lg-icon:after{content:"\e905"}.lg-outer #lg-share-pinterest .lg-icon{color:#cb2027}.lg-outer #lg-share-pinterest .lg-icon:after{content:"\e906"}.lg-outer .lg-img-rotate{position:absolute;padding:0 5px;left:0;right:0;top:0;bottom:0;-webkit-transition:-webkit-transform .3s cubic-bezier(.32,0,.67,0) 0s;-moz-transition:-moz-transform .3s cubic-bezier(.32,0,.67,0) 0s;-o-transition:-o-transform .3s cubic-bezier(.32,0,.67,0) 0s;transition:transform .3s cubic-bezier(.32,0,.67,0) 0s}.lg-rotate-left:after{content:"\e900"}.lg-rotate-right:after{content:"\e901"}.lg-icon.lg-flip-hor,.lg-icon.lg-flip-ver{font-size:26px}.lg-flip-hor:after{content:"\e902"}.lg-flip-ver:after{content:"\e903"}.lg-group:after,.lg-group:before{display:table;content:"";line-height:0}.lg-group:after{clear:both}.lg-outer{position:fixed;top:0;left:0;z-index:1050;opacity:0;outline:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-outer *{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.lg-outer.lg-visible{opacity:1}.lg-outer.lg-css3 .lg-item.lg-current,.lg-outer.lg-css3 .lg-item.lg-next-slide,.lg-outer.lg-css3 .lg-item.lg-prev-slide{-webkit-transition-duration:inherit!important;transition-duration:inherit!important;-webkit-transition-timing-function:inherit!important;transition-timing-function:inherit!important}.lg-outer.lg-css3.lg-dragging .lg-item.lg-current,.lg-outer.lg-css3.lg-dragging .lg-item.lg-next-slide,.lg-outer.lg-css3.lg-dragging .lg-item.lg-prev-slide{-webkit-transition-duration:0s!important;transition-duration:0s!important;opacity:1}.lg-outer.lg-grab img.lg-object{cursor:-webkit-grab;cursor:-moz-grab;cursor:-o-grab;cursor:-ms-grab;cursor:grab}.lg-outer.lg-grabbing img.lg-object{cursor:move;cursor:-webkit-grabbing;cursor:-moz-grabbing;cursor:-o-grabbing;cursor:-ms-grabbing;cursor:grabbing}.lg-outer .lg{position:relative;overflow:hidden;margin-left:auto;margin-right:auto;max-width:100%;max-height:100%}.lg-outer .lg-inner{position:absolute;left:0;top:0;white-space:nowrap}.lg-outer .lg-item{background:url(../img/loading.gif) center center no-repeat;display:none!important}.lg-outer.lg-css .lg-current,.lg-outer.lg-css3 .lg-current,.lg-outer.lg-css3 .lg-next-slide,.lg-outer.lg-css3 .lg-prev-slide{display:inline-block!important}.lg-outer .lg-img-wrap,.lg-outer .lg-item{display:inline-block;text-align:center;position:absolute;width:100%;height:100%}.lg-outer .lg-img-wrap:before,.lg-outer .lg-item:before{content:"";display:inline-block;height:50%;width:1px;margin-right:-1px}.lg-outer .lg-img-wrap{position:absolute;padding:0 5px;left:0;right:0;top:0;bottom:0}.lg-outer .lg-item.lg-complete{background-image:none}.lg-outer .lg-item.lg-current{z-index:1060}.lg-outer .lg-image{display:inline-block;vertical-align:middle;max-width:100%;max-height:100%;width:auto!important;height:auto!important}.lg-outer.lg-show-after-load .lg-item .lg-object,.lg-outer.lg-show-after-load .lg-item .lg-video-play{opacity:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-outer.lg-show-after-load .lg-item.lg-complete .lg-object,.lg-outer.lg-show-after-load .lg-item.lg-complete .lg-video-play{opacity:1}.lg-outer .lg-empty-html,.lg-outer.lg-hide-download #lg-download{display:none}.lg-backdrop{position:fixed;top:0;left:0;right:0;bottom:0;z-index:1040;background-color:#000;opacity:0;-webkit-transition:opacity .15s ease 0s;-o-transition:opacity .15s ease 0s;transition:opacity .15s ease 0s}.lg-backdrop.in{opacity:1}.lg-css3.lg-no-trans .lg-current,.lg-css3.lg-no-trans .lg-next-slide,.lg-css3.lg-no-trans .lg-prev-slide{-webkit-transition:none 0s ease 0s!important;-moz-transition:none 0s ease 0s!important;-o-transition:none 0s ease 0s!important;transition:none 0s ease 0s!important}.lg-css3.lg-use-css3 .lg-item,.lg-css3.lg-use-left .lg-item{-webkit-backface-visibility:hidden;-moz-backface-visibility:hidden;backface-visibility:hidden}.lg-css3.lg-fade .lg-item{opacity:0}.lg-css3.lg-fade .lg-item.lg-current{opacity:1}.lg-css3.lg-fade .lg-item.lg-current,.lg-css3.lg-fade .lg-item.lg-next-slide,.lg-css3.lg-fade .lg-item.lg-prev-slide{-webkit-transition:opacity .1s ease 0s;-moz-transition:opacity .1s ease 0s;-o-transition:opacity .1s ease 0s;transition:opacity .1s ease 0s}.lg-css3.lg-slide.lg-use-css3 .lg-item{opacity:0}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-prev-slide{-webkit-transform:translate3d(-100%,0,0);transform:translate3d(-100%,0,0)}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-next-slide{-webkit-transform:translate3d(100%,0,0);transform:translate3d(100%,0,0)}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-current{-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0);opacity:1}.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-current,.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-next-slide,.lg-css3.lg-slide.lg-use-css3 .lg-item.lg-prev-slide{-webkit-transition:-webkit-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-moz-transition:-moz-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-o-transition:-o-transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;transition:transform 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s}.lg-css3.lg-slide.lg-use-left .lg-item{opacity:0;position:absolute;left:0}.lg-css3.lg-slide.lg-use-left .lg-item.lg-prev-slide{left:-100%}.lg-css3.lg-slide.lg-use-left .lg-item.lg-next-slide{left:100%}.lg-css3.lg-slide.lg-use-left .lg-item.lg-current{left:0;opacity:1}.lg-css3.lg-slide.lg-use-left .lg-item.lg-current,.lg-css3.lg-slide.lg-use-left .lg-item.lg-next-slide,.lg-css3.lg-slide.lg-use-left .lg-item.lg-prev-slide{-webkit-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-moz-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;-o-transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s;transition:left 1s cubic-bezier(0,0,.25,1) 0s,opacity .1s ease 0s} \ No newline at end of file diff --git a/docs/stylesheets/poppins.min.css b/docs/stylesheets/poppins.min.css index abe859cd38..51dd2323ae 100644 --- a/docs/stylesheets/poppins.min.css +++ b/docs/stylesheets/poppins.min.css @@ -4,7 +4,7 @@ font-family: 'Poppins'; font-style: normal; font-weight: 200; - src: url(/assets/fonts/Poppins-ExtraLight.ttf) format('opentype'); + src: url(../assets/fonts/Poppins-ExtraLight.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @@ -13,7 +13,7 @@ font-family: 'Poppins'; font-style: normal; font-weight: 400; - src: url(/assets/fonts/Poppins-Regular.ttf) format('opentype'); + src: url(../assets/fonts/Poppins-Regular.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @@ -22,7 +22,7 @@ font-family: 'Poppins'; font-style: normal; font-weight: 600; - src: url(/assets/fonts/Poppins-SemiBold.ttf) format('opentype'); + src: url(../assets/fonts/Poppins-SemiBold.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } @@ -31,6 +31,6 @@ font-family: 'Poppins'; font-style: normal; font-weight: 700; - src: url(/assets/fonts/Poppins-Bold.ttf) format('opentype'); + src: url(../assets/fonts/Poppins-Bold.ttf) format('opentype'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD; } \ No newline at end of file