From 69c4eb6c567931124b30180f55f4c1b4597218dc Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 26 Jan 2024 19:40:52 +0100 Subject: [PATCH] doc: update intake documentation --- .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 74 ++++ .../23b75d0c-2026-4d3e-b916-636c27ba4931.md | 114 ++++++ .../2b13307b-7439-4973-900a-2b58303cac90.md | 27 ++ .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 380 ++++++++++++++++++ .../99da26fc-bf7b-4e5b-a76c-408472fcfebb.md | 138 +++++++ 5 files changed, 733 insertions(+) diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 96d2238658..a87ae9255f 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -314,6 +314,80 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_cloud_apps.json" + + ```json + + { + "message": "{\"time\":\"2023-09-29T11:45:09.7408937Z\",\"tenantId\":\"4b05a653-e372-418d-9bd0-ba2383d1673e\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"properties\":{\"ActionType\":\"AirInvestigationData\",\"ApplicationId\":11161,\"AccountDisplayName\":\"airinvestigation\",\"AccountObjectId\":null,\"AccountId\":\"airinvestigation\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"airinvestigation\",\"Id\":\"airinvestigation\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"Actions\":[],\"CreationTime\":\"2023-09-29T11:40:30Z\",\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"4b1820ec-39dc-45f3-abf6-5ee80df51fd2\\\",\\\"StartTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"EndTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"TimeGenerated\\\":\\\"2023-09-29T09:29:39.09Z\\\",\\\"ProcessingEndTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"Status\\\":\\\"Resolved\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"652fe57f-98e6-47df-b298-808b45a00db2\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\",\\\"InvestigationStatus\\\":\\\"FullyRemediated\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"4b05a653-e372-418d-9bd0-ba2383d1673e\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious file removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious file that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"4\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"Malicious Payload\\\"}],\\\"Recipient\\\":\\\"john.doe@example.com\\\",\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"malicous@organization.com\\\",\\\"P1Sender\\\":\\\"malicious@organization.com\\\",\\\"P1SenderDomain\\\":\\\"organization.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"malicious@organization.com\\\",\\\"P2SenderDisplayName\\\":\\\"Payroll\\\",\\\"P2SenderDomain\\\":\\\"organization.com\\\",\\\"ReceivedDate\\\":\\\"2023-09-28T22:07:30\\\",\\\"NetworkMessageId\\\":\\\"1f775e39-ff91-4872-a3e1-dd761e41a2ee\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"FileReputation\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"6\\\",\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"170d8411-e4c0-4b27-8ac4-59dbe8db8ccf\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"\\\",\\\"Urn\\\":\\\"urn:FileEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"fbeee67e-838a-4aae-9653-385094b83fb8\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;1.2.3.4;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( ((AttachmentFileHash:\\\\\\\"7H0f0FriZCDeHlHy8xXgf5pK9aSoGtQ73efHDvRa3mg=\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"FileHashThreatIndicator\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"AttachmentFileHash;ContentType\\\",\\\"ClusterByValue\\\":\\\"22222222222222222222222222222222222222222222;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:44444444444444444444444444444444\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;organization.com;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"36d28877-7954-43fb-9f8f-fe26f23bcf34\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;organization.com;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:4d298ccfc6e344df8a199c74a5466290\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"},{\\\"$id\\\":\\\"13\\\",\\\"NetworkMessageIds\\\":[\\\"5a65b4e6-c8f3-468b-8ee6-4c7f817e6bfa\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;1.2.3.4;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cb4c1a4b96883fbdb1dad10b231cfa00\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"}],\\\"LogCreationTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"MachineName\\\":\\\"DBAEUR03BG403\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\",\"EndTimeUtc\":\"2023-09-29T11:34:37Z\",\"Id\":\"8a7cc032-8634-4117-bae4-371071ce0ce5\",\"InvestigationId\":\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\",\"InvestigationName\":\"Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\",\"InvestigationType\":\"ZappedFileInvestigation\",\"LastUpdateTimeUtc\":\"2023-09-29T10:54:43Z\",\"ObjectId\":\"8a7cc032-8634-4117-bae4-371071ce0ce5\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"4b05a653-e372-418d-9bd0-ba2383d1673e\",\"RecordType\":64,\"RunningTime\":6762,\"StartTimeUtc\":\"2023-09-29T09:44:07Z\",\"Status\":\"Remediated\",\"UserId\":\"AirInvestigation\",\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\"},\"ReportId\":\"60913494_11161_8a7cc032-8634-4117-bae4-371071ce0ce5\",\"Timestamp\":\"2023-09-29T11:40:30Z\",\"Application\":\"Microsoft 365\"},\"Tenant\":\"DefaultTenant\"}\n", + "event": { + "category": [ + "intrusion_detection" + ], + "dataset": "cloud_app_events", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-29T11:40:30Z", + "action": { + "properties": { + "Application": "Microsoft 365", + "ApplicationId": "11161", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": "{\"Actions\": [], \"CreationTime\": \"2023-09-29T11:40:30Z\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"4b1820ec-39dc-45f3-abf6-5ee80df51fd2\\\",\\\"StartTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"EndTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"TimeGenerated\\\":\\\"2023-09-29T09:29:39.09Z\\\",\\\"ProcessingEndTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"Status\\\":\\\"Resolved\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"652fe57f-98e6-47df-b298-808b45a00db2\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\",\\\"InvestigationStatus\\\":\\\"FullyRemediated\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"4b05a653-e372-418d-9bd0-ba2383d1673e\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious file removed after delivery\\u200b\\\",\\\"Description\\\":\\\"Emails with malicious file that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"4\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"Malicious Payload\\\"}],\\\"Recipient\\\":\\\"john.doe@example.com\\\",\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"malicous@organization.com\\\",\\\"P1Sender\\\":\\\"malicious@organization.com\\\",\\\"P1SenderDomain\\\":\\\"organization.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"malicious@organization.com\\\",\\\"P2SenderDisplayName\\\":\\\"Payroll\\\",\\\"P2SenderDomain\\\":\\\"organization.com\\\",\\\"ReceivedDate\\\":\\\"2023-09-28T22:07:30\\\",\\\"NetworkMessageId\\\":\\\"1f775e39-ff91-4872-a3e1-dd761e41a2ee\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"FileReputation\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"6\\\",\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"170d8411-e4c0-4b27-8ac4-59dbe8db8ccf\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"\\\",\\\"Urn\\\":\\\"urn:FileEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"fbeee67e-838a-4aae-9653-385094b83fb8\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;1.2.3.4;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( ((AttachmentFileHash:\\\\\\\"7H0f0FriZCDeHlHy8xXgf5pK9aSoGtQ73efHDvRa3mg=\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"FileHashThreatIndicator\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"AttachmentFileHash;ContentType\\\",\\\"ClusterByValue\\\":\\\"22222222222222222222222222222222222222222222;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:44444444444444444444444444444444\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;organization.com;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"36d28877-7954-43fb-9f8f-fe26f23bcf34\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;organization.com;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:4d298ccfc6e344df8a199c74a5466290\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"},{\\\"$id\\\":\\\"13\\\",\\\"NetworkMessageIds\\\":[\\\"5a65b4e6-c8f3-468b-8ee6-4c7f817e6bfa\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;1.2.3.4;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cb4c1a4b96883fbdb1dad10b231cfa00\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"}],\\\"LogCreationTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"MachineName\\\":\\\"DBAEUR03BG403\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"EndTimeUtc\": \"2023-09-29T11:34:37Z\", \"Id\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"InvestigationId\": \"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationName\": \"Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationType\": \"ZappedFileInvestigation\", \"LastUpdateTimeUtc\": \"2023-09-29T10:54:43Z\", \"ObjectId\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"4b05a653-e372-418d-9bd0-ba2383d1673e\", \"RecordType\": 64, \"RunningTime\": 6762, \"StartTimeUtc\": \"2023-09-29T09:44:07Z\", \"Status\": \"Remediated\", \"UserId\": \"AirInvestigation\", \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\"}" + }, + "type": "AirInvestigationData" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68" + }, + "name": "pix.png" + } + } + ] + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "airinvestigation", + "Name": "airinvestigation", + "Role": "Actor", + "Type": "Account" + } + ], + "type": "Basic" + }, + "investigation": { + "id": "urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd", + "name": "Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd", + "status": "Remediated", + "type": "ZappedFileInvestigation" + }, + "report": { + "id": "60913494_11161_8a7cc032-8634-4117-bae4-371071ce0ce5" + } + } + }, + "user": { + "full_name": "airinvestigation" + } + } + + ``` + + === "test_detection_source.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md index 58278ac7c9..156b280e05 100644 --- a/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md +++ b/_shared_content/operations_center/integrations/generated/23b75d0c-2026-4d3e-b916-636c27ba4931.md @@ -292,6 +292,120 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_log1.json" + + ```json + + { + "message": "Info: 1649655138.876 43 10.10.209.152 TCP_MISS/200 4936 GET http://formationenligne.barthelemy-avocats.com/lib/ajax/service-nologin.php?info=core_output_load_template_with_dependencies,core_output_load_template_with_dependencies,core_output_load_template_with_dependencies&cachekey=1647340070&args=%5B%7B%22index%22%3A0%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22core_message%22%2C%22template%22%3A%22message_jumpto%22%2C%22themename%22%3A%22fordson%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A1%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22tool_usertours%22%2C%22template%22%3A%22resettour%22%2C%22themename%22%3A%22fordson%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A2%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22block_recentlyaccess", + "event": { + "category": [ + "network", + "web" + ], + "kind": "event" + }, + "cisco_wsa": { + "threat": { + "category": "Not Set" + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } + + ``` + + +=== "test_log2.json" + + ```json + + { + "message": "Info: 1649655134.381 30 10.10.209.152 TCP_MISS/200 628 GET http://formationenligne.barthelemy-avocats.com/lib/ajax/service-nologin.php?info=6-method-calls&cachekey=1649643002&args=%5B%7B%22index%22%3A0%2C%22methodname%22%3A%22core_get_string%22%2C%22args%22%3A%7B%22stringid%22%3A%22cancel%22%2C%22stringparams%22%3A%5B%5D%2C%22component%22%3A%22core%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A1%2C%22methodname%22%3A%22core_get_string%22%2C%22args%22%3A%7B%22stringid%22%3A%22closebuttontitle%22%2C%22stringparams%22%3A%5B%5D%2C%22component%22%3A%22core%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A2%2C%22methodname%22%3A%22core_get_string%22%2C%22args%22%3A%7B%22stringid%22%3A%22loading%22%2C%22stringparams%22%3A%5B%5D%2C%22component%22%3A%22core%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A3%2C%22methodname%22%3A%22core_get_string%22%2C%22args%22%3A%7B%22stringid%22%3A%22savechanges%22%2C%22stringparams%22%3A%5B%5D%2", + "event": { + "category": [ + "network", + "web" + ], + "kind": "event" + }, + "cisco_wsa": { + "threat": { + "category": "Not Set" + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } + + ``` + + +=== "test_log3.json" + + ```json + + { + "message": "Info: 1649655134.394 51 10.10.209.152 TCP_MISS/200 8286 GET http://formationenligne.barthelemy-avocats.com/lib/ajax/service-nologin.php?info=7-method-calls&cachekey=1647340070&args=%5B%7B%22index%22%3A0%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22core%22%2C%22template%22%3A%22loading%22%2C%22themename%22%3A%22fordson%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A1%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22core%22%2C%22template%22%3A%22modal%22%2C%22themename%22%3A%22fordson%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A2%2C%22methodname%22%3A%22core_output_load_template_with_dependencies%22%2C%22args%22%3A%7B%22component%22%3A%22core%22%2C%22template%22%3A%22modal_backdrop%22%2C%22themename%22%3A%22fordson%22%2C%22lang%22%3A%22fr%22%7D%7D%2C%7B%22index%22%3A3%2C%22methodname%22%3A%22core_outp", + "event": { + "category": [ + "network", + "web" + ], + "kind": "event" + }, + "cisco_wsa": { + "threat": { + "category": "Not Set" + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Cisco Web Security Appliances", + "type": "proxy", + "vendor": "Cisco" + }, + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } + } + } + + ``` + + === "w3c.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md index e3f400b1e9..9e53fc989e 100644 --- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md +++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md @@ -1169,6 +1169,33 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_incident.json" + + ```json + + { + "message": " Event [1201736] [2-3] (fileName = \"ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk\", datastore = 'vim.Datastore:d6543eda-9347-4b38-b803-6f5048248ea8:datastore-2809', backingObjectId = \"\", diskMode = \"independent_nonpersistent\", split = , writeThrough = , thinProvisioned = false, eagerlyScrub = false, uuid = \"6000C299-dd5c-07cb-b868-3600b53d2781\", contentId = \"5c1d0d8547e8b15283e287f5cb18ef5e\", changeId = , parent = null, deltaDiskFormat = , digestEnabled = false, deltaGrainSize = , deltaDiskFormatVariant = , sharing = , keyId = null, cryptoIntegrityProtectionType = ), deltaDiskFormat = \"seSparseFormat\", digestEnabled = false, deltaGrainSize = 4, deltaDiskFormatVariant = , sharing = \"sharingNone\", keyId = null, cryptoIntegrityProtectionType = ), connectable = null, slotInfo = null, controllerKey = 1000, unitNumber = 3, numaNode = , capacityInKB = 104857600, capacityInBytes = 107374182400, shar", + "event": { + "kind": "event", + "category": [ + "file" + ], + "type": [ + "info" + ] + }, + "observer": { + "vendor": "VMware", + "product": "ESXi" + }, + "file": { + "name": "ds:///vmfs/volumes/63985d53-c3598817-6688-5c6f69e18ad0/HDD01-835/HDD01-835.vmdk" + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 3fd105983c..20452ebfac 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -6920,6 +6920,386 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_event_1117.json" + + ```json + + { + "message": "{\"EventTime\":\"2023-07-27 12:58:38\",\"Hostname\":\"local.example.org\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":1117,\"SourceName\":\"Microsoft-Windows-Windows Defender\",\"ProviderGuid\":\"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":11190,\"ActivityID\":\"{0E8E4EFB-F7EC-487F-BE78-82B11D0D3DB7}\",\"ProcessID\":12848,\"ThreadID\":11792,\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Product Name\":\"Microsoft Defender Antivirus\",\"Product Version\":\"4.18.23050.9\",\"Detection ID\":\"{FEEEC80B-1F6D-4B88-81F9-19C54AF3F889}\",\"Detection Time\":\"2023-07-27T10:58:19.035Z\",\"Threat ID\":\"2147780199\",\"Threat Name\":\"Trojan:Script/Sabsik.FL.A!ml\",\"Severity ID\":\"5\",\"Severity Name\":\"Severe\",\"Category ID\":\"8\",\"Category Name\":\"Trojan\",\"FWLink\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Sabsik.FL.A!ml&threatid=2147780199&enterprise=0\",\"Status Code\":\"3\",\"State\":\"2\",\"Source ID\":\"2\",\"Source Name\":\"System\",\"Process Name\":\"C:\\\\Program Files\\\\Cybereason ActiveProbe\\\\minionhost.exe\",\"Detection User\":\"NT AUTHORITY\\\\SYSTEM\",\"Path\":\"file:_C:\\\\Users\\\\john-doe\\\\AppData\\\\Local\\\\Microsoft\\\\Edge\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_221f56\",\"Origin ID\":\"1\",\"Origin Name\":\"Local machine\",\"Execution ID\":\"1\",\"Execution Name\":\"Suspended\",\"Type ID\":\"8\",\"Type Name\":\"FastPath\",\"Pre Execution Status\":\"0\",\"Action ID\":\"2\",\"Action Name\":\"Quarantine\",\"Error Code\":\"0x00000000\",\"Error Description\":\"The operation completed successfully. \",\"Post Clean Status\":\"0\",\"Additional Actions ID\":\"0\",\"Additional Actions String\":\"No additional actions required\",\"Remediation User\":\"NT AUTHORITY\\\\SYSTEM\",\"Security intelligence Version\":\"AV: 1.393.1459.0, AS: 1.393.1459.0, NIS: 1.393.1459.0\",\"Engine Version\":\"AM: 1.1.23060.1005, NIS: 1.1.23060.1005\",\"EventReceivedTime\":\"2023-07-27 13:03:23\",\"SourceModuleName\":\"in\",\"SourceModuleType\":\"im_msvistalog\"}\n", + "event": { + "code": "1117", + "provider": "Microsoft-Windows-Windows Defender" + }, + "action": { + "id": 1117, + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "AdditionalActionsID": "0", + "AdditionalActionsString": "No additional actions required", + "DetectionUser": "NT AUTHORITY\\SYSTEM", + "Domain": "NT AUTHORITY", + "ErrorCode": "0x00000000", + "EventType": "INFO", + "Execution Name": "Suspended", + "Keywords": "-9223372036854775808", + "OpcodeValue": 0, + "Path": "file:_C:\\Users\\john-doe\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_221f56", + "ProcessName": "C:\\Program Files\\Cybereason ActiveProbe\\minionhost.exe", + "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Windows Defender", + "Task": 0, + "ThreatName": "Trojan:Script/Sabsik.FL.A!ml" + }, + "record_id": 11190, + "type": "Microsoft-Windows-Windows Defender/Operational" + }, + "host": { + "hostname": "local.example.org", + "name": "local.example.org" + }, + "log": { + "hostname": "local.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 12848, + "pid": 12848, + "thread": { + "id": 11792 + } + }, + "related": { + "hosts": [ + "local.example.org" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + } + } + + ``` + + +=== "test_event_15.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2023-08-07 17:51:40\",\n \"Hostname\": \"local\",\n \"Keywords\": -9223372035555775808,\n \"EventType\": \"INFO\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 15,\n \"SourceName\": \"Microsoft-Windows-Sysmon\",\n \"ProviderGuid\": \"{5775585F-C22A-43E0-BF4C-06F5698FFBD9}\",\n \"Version\": 2,\n \"Task\": 15,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 17754983,\n \"ProcessID\": 5832,\n \"ThreadID\": 7824,\n \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"Domain\": \"AUTORITE NT\",\n \"AccountName\": \"Syst\u00e8me\",\n \"UserID\": \"S-1-5-55\",\n \"AccountType\": \"User\",\n \"Message\": \"File stream created:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-07 15:51:40.638\\r\\nProcessGuid: {94e23bda-9743-7777-7d01-00000000e700}\\r\\nProcessId: 14740\\r\\nImage: C:\\\\Program Files (x86)\\\\Nuance\\\\PDF Professional 8\\\\PdfPro8Hook.exe\\r\\nTargetFilename: C:\\\\ProgramData\\\\TEMP\\r\\nCreationUtcTime: 2022-08-18 14:36:59.395\\r\\nHash: Unknown\\r\\nContents: -\\r\\nUser: myuser\",\n \"Category\": \"File stream created (rule: FileCreateStreamHash)\",\n \"Opcode\": \"Informations\",\n \"RuleName\": \"-\",\n \"UtcTime\": \"2023-08-07 15:51:40.638\",\n \"ProcessGuid\": \"{94e23bda-9743-64d0-7d01-00000000e700}\",\n \"Image\": \"C:\\\\Program Files (x86)\\\\Nuance\\\\PDF Professional 8\\\\PdfPro8Hook.exe\",\n \"TargetFilename\": \"C:\\\\ProgramData\\\\TEMP\",\n \"CreationUtcTime\": \"2022-08-18 14:36:59.395\",\n \"Hash\": \"Unknown\",\n \"Contents\": \"-\",\n \"User\": \"myuser\",\n \"EventReceivedTime\": \"2023-08-07 17:51:42\",\n \"SourceModuleName\": \"evtx_win\",\n \"SourceModuleType\": \"im_msvistalog\"\n}\n", + "event": { + "code": "15", + "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2023-08-07 15:51:40.638\r\nProcessGuid: {94e23bda-9743-7777-7d01-00000000e700}\r\nProcessId: 14740\r\nImage: C:\\Program Files (x86)\\Nuance\\PDF Professional 8\\PdfPro8Hook.exe\r\nTargetFilename: C:\\ProgramData\\TEMP\r\nCreationUtcTime: 2022-08-18 14:36:59.395\r\nHash: Unknown\r\nContents: -\r\nUser: myuser", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": "2023-08-07T15:51:40.638000Z", + "action": { + "id": 15, + "name": "FileCreateStreamHash", + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Category": "File stream created (rule: FileCreateStreamHash)", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "Hash": "Unknown", + "Image": "C:\\Program Files (x86)\\Nuance\\PDF Professional 8\\PdfPro8Hook.exe", + "Keywords": "-9223372035555775808", + "OpcodeValue": 0, + "ProcessGuid": "{94e23bda-9743-64d0-7d01-00000000e700}", + "ProviderGuid": "{5775585F-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Sysmon", + "TargetFilename": "C:\\ProgramData\\TEMP", + "Task": 15, + "User": "myuser" + }, + "record_id": 17754983, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "file": { + "created": "2022-08-18T14:36:59.395000Z", + "name": "TEMP", + "path": "C:\\ProgramData\\TEMP" + }, + "host": { + "hostname": "local", + "name": "local" + }, + "log": { + "hostname": "local", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "C:\\Program Files (x86)\\Nuance\\PDF Professional 8\\PdfPro8Hook.exe", + "id": 14740, + "name": "PdfPro8Hook.exe", + "pid": 14740, + "thread": { + "id": 7824 + }, + "working_directory": "C:\\Program Files (x86)\\Nuance\\PDF Professional 8\\" + }, + "related": { + "hosts": [ + "local" + ], + "user": [ + "myuser" + ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-55", + "name": "myuser" + } + } + + ``` + + +=== "test_event_4768.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2023-08-30 08:58:21\",\n \"Hostname\": \"ntpdom04.intra.socram.net\",\n \"Keywords\": -9218868437227405312,\n \"EventType\": \"AUDIT_FAILURE\",\n \"SeverityValue\": 4,\n \"Severity\": \"ERROR\",\n \"EventID\": 4768,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"Version\": 0,\n \"Task\": 14339,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 971339700,\n \"ProcessID\": 572,\n \"ThreadID\": 8432,\n \"Channel\": \"Security\",\n \"Message\": \"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\r\\n\\r\\nInformations sur le compte :\\r\\n\\tNom du compte :\\t\\tindsi218$\\r\\n\\tNom du domaine Kerberos fourni :\\tINTRA.SOCRAM.NET\\r\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-0-0\\r\\n\\r\\nInformations sur le service :\\r\\n\\tNom du service :\\t\\tkrbtgt/INTRA.SOCRAM.NET\\r\\n\\tID du service :\\t\\tS-1-0-0\\r\\n\\r\\nInformations sur le r\u00e9seau :\\r\\n\\tAdresse du client :\\t\\t::ffff:10.24.20.7\\r\\n\\tPort client :\\t\\t49681\\r\\n\\r\\nInformations suppl\u00e9mentaires :\\r\\n\\tOptions du ticket :\\t\\t0x40810010\\r\\n\\tCode de r\u00e9sultat :\\t\\t0x4B\\r\\n\\tType de chiffrement du ticket :\\t0xFFFFFFFF\\r\\n\\tType de pr\u00e9-authentification :\\t-\\r\\n\\r\\nInformations sur le certificat :\\r\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\tCN=INDSI218\\r\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t01\\r\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t4871F03F06CB961643295C961CA999D4AC43A0F9\\r\\n\\r\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\r\\n\\r\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\n \"Category\": \"Service d\u2019authentification Kerberos\",\n \"Opcode\": \"Informations\",\n \"TargetUserName\": \"indsi218$\",\n \"TargetDomainName\": \"INTRA.SOCRAM.NET\",\n \"TargetSid\": \"S-1-0-0\",\n \"ServiceName\": \"krbtgt/INTRA.SOCRAM.NET\",\n \"ServiceSid\": \"S-1-0-0\",\n \"TicketOptions\": \"0x40810010\",\n \"Status\": \"0x4b\",\n \"TicketEncryptionType\": \"0xffffffff\",\n \"PreAuthType\": \"-\",\n \"IpAddress\": \"::ffff:10.24.20.7\",\n \"IpPort\": \"49681\",\n \"CertIssuerName\": \"CN=INDSI218\",\n \"CertSerialNumber\": \"01\",\n \"CertThumbprint\": \"4871F03F06CB961643295C961CA999D4AC43A0F9\",\n \"EventReceivedTime\": \"2023-08-30 08:58:24\",\n \"SourceModuleName\": \"eventlog10\",\n \"SourceModuleType\": \"im_msvistalog\"\n}\n", + "event": { + "code": "4768", + "message": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\r\n\r\nInformations sur le compte :\r\n\tNom du compte :\t\tindsi218$\r\n\tNom du domaine Kerberos fourni :\tINTRA.SOCRAM.NET\r\n\tID de l\u2019utilisateur :\t\t\tS-1-0-0\r\n\r\nInformations sur le service :\r\n\tNom du service :\t\tkrbtgt/INTRA.SOCRAM.NET\r\n\tID du service :\t\tS-1-0-0\r\n\r\nInformations sur le r\u00e9seau :\r\n\tAdresse du client :\t\t::ffff:10.24.20.7\r\n\tPort client :\t\t49681\r\n\r\nInformations suppl\u00e9mentaires :\r\n\tOptions du ticket :\t\t0x40810010\r\n\tCode de r\u00e9sultat :\t\t0x4B\r\n\tType de chiffrement du ticket :\t0xFFFFFFFF\r\n\tType de pr\u00e9-authentification :\t-\r\n\r\nInformations sur le certificat :\r\n\tNom de l\u2019\u00e9metteur du certificat :\t\tCN=INDSI218\r\n\tNum\u00e9ro de s\u00e9rie du certificat :\t01\r\n\t Empreinte num\u00e9rique du certificat :\t\t4871F03F06CB961643295C961CA999D4AC43A0F9\r\n\r\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\r\n\r\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4768, + "name": "A Kerberos authentication ticket (TGT) was requested", + "outcome": "failure", + "properties": { + "Category": "Service d\u2019authentification Kerberos", + "CertIssuerName": "CN=INDSI218", + "CertSerialNumber": "01", + "CertThumbprint": "4871F03F06CB961643295C961CA999D4AC43A0F9", + "EventType": "AUDIT_FAILURE", + "IpAddress": "::ffff:10.24.20.7", + "IpPort": "49681", + "Keywords": "-9218868437227405312", + "OpcodeValue": 0, + "PreAuthType": "-", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "ServiceName": "krbtgt/INTRA.SOCRAM.NET", + "ServiceSid": "S-1-0-0", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Status": "0x4b", + "TargetDomainName": "INTRA.SOCRAM.NET", + "TargetSid": "S-1-0-0", + "TargetUserName": "indsi218$", + "Task": 14339, + "TicketEncryptionType": "0xffffffff", + "TicketOptions": "0x40810010" + }, + "record_id": 971339700, + "type": "Security" + }, + "host": { + "hostname": "ntpdom04.intra.socram.net", + "name": "ntpdom04.intra.socram.net" + }, + "log": { + "hostname": "ntpdom04.intra.socram.net", + "level": "error" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 572, + "pid": 572, + "thread": { + "id": 8432 + } + }, + "related": { + "hosts": [ + "ntpdom04.intra.socram.net" + ], + "ip": [ + "10.24.20.7" + ] + }, + "source": { + "address": "::ffff:10.24.20.7", + "ip": "10.24.20.7" + }, + "user": { + "target": { + "domain": "INTRA.SOCRAM.NET", + "name": "indsi218$" + } + } + } + + ``` + + +=== "test_event_4929.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2023-09-13 09:24:22\",\n \"Hostname\": \"hostname.example.org\",\n \"Keywords\": -9214364837600034816,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4929,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"Version\": 0,\n \"Task\": 14083,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 652068049,\n \"ActivityID\": \"{0AFF6AA6-47D0-416B-8F6B-5931182E4C30}\",\n \"ProcessID\": 592,\n \"ThreadID\": 760,\n \"Channel\": \"Security\",\n \"Message\": \"An Active Directory replica source naming context was removed.\\r\\n\\r\\nDestination DRA:\\tCN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\\r\\nSource DRA:\\t-\\r\\nSource Address:\\t6c073888-8c3b-45a2-8a4e-e57c65a214e9._msdcs.example.org\\r\\nNaming Context:\\tDC=ForestDnsZones,DC=example,DC=org\\r\\nOptions:\\t\\t16640\\r\\nStatus Code:\\t0\",\n \"Category\": \"Detailed Directory Service Replication\",\n \"Opcode\": \"Info\",\n \"DestinationDRA\": \"CN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\",\n \"SourceDRA\": \"-\",\n \"SourceAddr\": \"6c073888-8c3b-45a2-8a4e-e57c65a214e9._msdcs.example.org\",\n \"NamingContext\": \"DC=ForestDnsZones,DC=example,DC=org\",\n \"Options\": \"16640\",\n \"StatusCode\": \"0\",\n \"EventReceivedTime\": \"2023-09-13 09:38:52\",\n \"SourceModuleName\": \"SecurityLog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}\n", + "event": { + "code": "4929", + "message": "An Active Directory replica source naming context was removed.\r\n\r\nDestination DRA:\tCN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org\r\nSource DRA:\t-\r\nSource Address:\t6c073888-8c3b-45a2-8a4e-e57c65a214e9._msdcs.example.org\r\nNaming Context:\tDC=ForestDnsZones,DC=example,DC=org\r\nOptions:\t\t16640\r\nStatus Code:\t0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4929, + "name": "An Active Directory replica source naming context was removed", + "outcome": "success", + "properties": { + "Category": "Detailed Directory Service Replication", + "DestinationDRA": "CN=NTDS Settings,CN=Lyon,CN=Servers,CN=EU-WEST1,CN=Sites,CN=Configuration,DC=example,DC=org", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "NamingContext": "DC=ForestDnsZones,DC=example,DC=org", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Severity": "INFO", + "SourceDRA": "-", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Task": 14083 + }, + "record_id": 652068049, + "type": "Security" + }, + "host": { + "hostname": "hostname.example.org", + "name": "hostname.example.org" + }, + "log": { + "hostname": "hostname.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 592, + "pid": 592, + "thread": { + "id": 760 + } + }, + "related": { + "hosts": [ + "hostname.example.org" + ] + } + } + + ``` + + +=== "test_event_7.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2023-08-07 17:51:22\",\n \"Hostname\": \"local\",\n \"Keywords\": -922355554775808,\n \"EventType\": \"INFO\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 7,\n \"SourceName\": \"Microsoft-Windows-Sysmon\",\n \"ProviderGuid\": \"{77777-C22A-43E0-BF4C-06F5698FFBD9}\",\n \"Version\": 3,\n \"Task\": 7,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 13717971,\n \"ProcessID\": 4916,\n \"ThreadID\": 6372,\n \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n \"Domain\": \"AUTORITE NT\",\n \"AccountName\": \"Syst\u00e8me\",\n \"UserID\": \"S-1-5-99\",\n \"AccountType\": \"User\",\n \"Message\": \"Image loaded:\\r\\nRuleName: -\\r\\nUtcTime: 2023-08-07 15:51:22.721\\r\\nProcessGuid: {9b7ebdcf-12fa-64d1-5e12-000000009f00}\\r\\nProcessId: 15368\\r\\nImage: C:\\\\Users\\\\myuser\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\\r\\nImageLoaded: C:\\\\Users\\\\myuser\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe\\r\\nFileVersion: -\\r\\nDescription: -\\r\\nProduct: -\\r\\nCompany: -\\r\\nOriginalFileName: -\\r\\nHashes: -\\r\\nSigned: failed: Invalid hash\\r\\nSignature: -\\r\\nSignatureStatus: -\\r\\nUser: myuser\",\n \"Category\": \"Image loaded (rule: ImageLoad)\",\n \"Opcode\": \"Informations\",\n \"RuleName\": \"-\",\n \"UtcTime\": \"2023-08-07 15:51:22.721\",\n \"ProcessGuid\": \"{9b7ebdcf-12fa-64d1-5e12-000000009f00}\",\n \"Image\": \"C:\\\\Users\\\\myuser\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"ImageLoaded\": \"C:\\\\Users\\\\myuser\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe\",\n \"FileVersion\": \"-\",\n \"Description\": \"-\",\n \"Product\": \"-\",\n \"Company\": \"-\",\n \"OriginalFileName\": \"-\",\n \"Hashes\": \"-\",\n \"Signed\": \"failed: Invalid hash\",\n \"Signature\": \"-\",\n \"SignatureStatus\": \"-\",\n \"User\": \"myuser\",\n \"EventReceivedTime\": \"2023-08-07 17:51:23\",\n \"SourceModuleName\": \"evtx_win\",\n \"SourceModuleType\": \"im_msvistalog\"\n}\n", + "event": { + "code": "7", + "message": "Image loaded:\r\nRuleName: -\r\nUtcTime: 2023-08-07 15:51:22.721\r\nProcessGuid: {9b7ebdcf-12fa-64d1-5e12-000000009f00}\r\nProcessId: 15368\r\nImage: C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe\r\nImageLoaded: C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe\r\nFileVersion: -\r\nDescription: -\r\nProduct: -\r\nCompany: -\r\nOriginalFileName: -\r\nHashes: -\r\nSigned: failed: Invalid hash\r\nSignature: -\r\nSignatureStatus: -\r\nUser: myuser", + "provider": "Microsoft-Windows-Sysmon" + }, + "@timestamp": "2023-08-07T15:51:22.721000Z", + "action": { + "id": 7, + "name": "Image loaded", + "properties": { + "AccountName": "Syst\u00e8me", + "AccountType": "User", + "Category": "Image loaded (rule: ImageLoad)", + "Domain": "AUTORITE NT", + "EventType": "INFO", + "Image": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "ImageLoaded": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe", + "Keywords": "-922355554775808", + "OpcodeValue": 0, + "ProcessGuid": "{9b7ebdcf-12fa-64d1-5e12-000000009f00}", + "ProviderGuid": "{77777-C22A-43E0-BF4C-06F5698FFBD9}", + "Severity": "INFO", + "Signature": "-", + "SignatureStatus": "-", + "Signed": "failed: Invalid hash", + "SourceName": "Microsoft-Windows-Sysmon", + "Task": 7, + "User": "myuser" + }, + "record_id": 13717971, + "type": "Microsoft-Windows-Sysmon/Operational" + }, + "dll": { + "path": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe" + }, + "host": { + "hostname": "local", + "name": "local" + }, + "log": { + "hostname": "local", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", + "id": 15368, + "name": "Teams.exe", + "pid": 15368, + "thread": { + "id": 6372 + }, + "working_directory": "C:\\Users\\myuser\\AppData\\Local\\Microsoft\\Teams\\current\\" + }, + "related": { + "hosts": [ + "local" + ], + "user": [ + "myuser" + ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-99", + "name": "myuser" + } + } + + ``` + + === "working_dir.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md index a0c421bd83..21729b00ea 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md @@ -1025,6 +1025,144 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_sample.json" + + ```json + + { + "message": "{\"parent\":19024,\"sha256\":\"94256542e235681ba64a20bc50910dd745d52347a89d36be2dd4c1465901c52b\",\"upload_size\":1649,\"record_identifier\":\"cebac453bf5aa57f2fbe297628a914814378da9171ac0d7a972f7783af5bfeef\",\"ioc_severity\":5,\"path\":\"C:\\\\Windows\\\\System32\\\\getmac.exe\",\"is_process_file_signed\":\"\",\"ml_score_data\":\"\",\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"WIN-EXE-ENR-ML-SUSPICIOUS-1.star\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_data.columns.sophosPID\\\",\\\"detection.id\\\"]}}\",\"company_name\":\"\",\"pua_score\":0,\"folded\":0,\"meta_mac_address\":\"0a:cc:df:3e:cc:2c\",\"endpoint_id\":\"1e062adb-b215-4abd-aaf9-b1bb9355231e\",\"meta_public_ip_country_code\":\"FR\",\"schema_version\":\"22\",\"uid\":18,\"ioc_detection_mitre_attack\":\"[{\\\"tactic\\\":{\\\"id\\\":\\\"TA0002\\\",\\\"name\\\":\\\"Execution\\\",\\\"techniques\\\":[{\\\"id\\\":\\\"T1059\\\",\\\"name\\\":\\\"Command and Scripting Interpreter\\\"}]}}]\",\"meta_licence\":\"\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2023-09-17T20:17:27.690Z\",\"cmdline\":\"getmac /FO list \",\"ingestion_timestamp\":\"2023-09-17T20:17:04.336Z\",\"ioc_detection_attack\":\"Execution\",\"numerics\":false,\"meta_public_ip\":\"194.0.166.130\",\"counter\":946,\"detection_id_dedup\":\"89913194caf9a64bb388b1ac2037fd2d6895b875\",\"meta_hostname\":\"CER69-P21011144\",\"username\":\"Syst\u00e8me\",\"ioc_worker_name\":\"Security Event Service\",\"ioc_detection_type\":\"process\",\"sha1\":\"d4baeeb9180a4284b33fa3602d86cad7ec05e6a0\",\"ioc_detection_category\":\"Threat\",\"ioc_unix_time\":\"2023-09-17T20:11:56.000Z\",\"epoch\":1694617601,\"meta_ip_mask\":\"255.255.255.0\",\"file_size\":85504,\"ioc_worker_id\":\"security-event-service\",\"global_rep_data\":\"\",\"parent_name\":\"cmd.exe\",\"unix_time\":\"2023-09-17T20:11:56.000Z\",\"pid\":9864,\"ioc_log_type\":\"summary\",\"original_filename\":\"\",\"query_source\":\"xdr_only\",\"sophos_pid\":\"9864:133394546882672445\",\"host_identifier\":\"4C4C4544-0051-3510-8058-B3C04F503733\",\"partition_bucket\":\"87\",\"meta_public_ip_country\":\"France\",\"meta_boot_time\":1694981116,\"local_rep\":0,\"meta_os_name\":\"Microsoft Windows 10 Professionnel\",\"sha256_reputation_score\":70,\"osquery_action\":\"added\",\"lolbins_ml_results\":{\"score\":99.0,\"score_label\":\"Suspicious\",\"sha256\":\"59fef8d35f91932abd3a83ab47ba2a8ea2203a31fc79e99860ba238062ec7af2\"},\"parent_path\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"meta_query_pack_version\":\"1.18.1\",\"calendar_time\":\"2023-09-17T20:11:56.000Z\",\"meta_eid\":\"1e062adb-b215-4abd-aaf9-b1bb9355231e\",\"meta_public_ip_longitude\":2.3387,\"ioc_detection_id\":\"WIN-EXE-ENR-ML-SUSPICIOUS-1\",\"meta_os_platform\":\"windows\",\"meta_username\":\"AC75007611\",\"detection_identifier\":\"cebac453bf5aa57f2fbe297628a914814378da9171ac0d7a972f7783af5bfeef_89913194caf9a64bb388b1ac2037fd2d6895b875\",\"query_name\":\"running_processes_windows_sophos\",\"meta_os_type\":\"\",\"meta_os_version\":\"10.0.18363\",\"parent_cmdline\":\"cmd.exe /c \\\"getmac /FO list >cqfs_tmp_13084.txt.tmp & type cqfs_tmp_13084.txt.tmp >cqfs_tmp_13084.txt & del cqfs_tmp_13084.txt.tmp\\\"\",\"meta_public_ip_latitude\":48.8582,\"local_rep_data\":\"\",\"ioc_detection_licenses\":\"[\\\"MTR\\\"]\",\"parent_sophos_pid\":\"19024:133394546882288030\",\"name\":\"getmac.exe\",\"global_rep\":0,\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"10.0.0.11\",\"time\":1694981088,\"file_version\":\"\",\"ingest_date\":\"2023-09-17\",\"file_description\":\"\",\"ml_score\":0,\"sha256_reputation_band\":\"KNOWN_GOOD\",\"meta_endpoint_type\":\"computer\",\"meta_domain_controller\":\"False\",\"customer_id\":\"f7193486-a186-4197-ab40-0ddc013a0a65\",\"ioc_detection_description\":\"Identifies Lolbin processes labeled as suspicious by a machine learning model.\",\"message_identifier\":\"3225914c27b54c2a9f0e39885e4d632c67a1e188288f8ce9a9e298a2f91b4ece\",\"ioc_attack_type\":\"Security Event Service Detections\",\"product_name\":\"\",\"gid\":18,\"ioc_detection_weight\":5}\n", + "event": { + "code": "WIN-EXE-ENR-ML-SUSPICIOUS-1", + "ingested": "2023-09-17T20:17:04.336000Z", + "kind": "event", + "severity": 5 + }, + "@timestamp": "2023-09-17T20:11:56Z", + "file": { + "hash": { + "sha1": "d4baeeb9180a4284b33fa3602d86cad7ec05e6a0", + "sha256": "94256542e235681ba64a20bc50910dd745d52347a89d36be2dd4c1465901c52b" + }, + "name": "getmac.exe", + "path": "C:\\Windows\\System32\\getmac.exe", + "size": 85504 + }, + "host": { + "id": "4C4C4544-0051-3510-8058-B3C04F503733", + "name": "CER69-P21011144", + "os": { + "full": "Microsoft Windows 10 Professionnel", + "name": "windows", + "version": "10.0.18363" + } + }, + "process": { + "command_line": "getmac /FO list ", + "hash": { + "sha1": "d4baeeb9180a4284b33fa3602d86cad7ec05e6a0", + "sha256": "94256542e235681ba64a20bc50910dd745d52347a89d36be2dd4c1465901c52b" + }, + "name": "Security Event Service", + "parent": { + "command_line": "cmd.exe /c \"getmac /FO list >cqfs_tmp_13084.txt.tmp & type cqfs_tmp_13084.txt.tmp >cqfs_tmp_13084.txt & del cqfs_tmp_13084.txt.tmp\"", + "executable": "C:\\Windows\\System32\\cmd.exe", + "name": "cmd.exe" + }, + "pid": 9864 + }, + "related": { + "hash": [ + "94256542e235681ba64a20bc50910dd745d52347a89d36be2dd4c1465901c52b", + "d4baeeb9180a4284b33fa3602d86cad7ec05e6a0" + ], + "ip": [ + "10.0.0.11", + "194.0.166.130" + ], + "user": [ + "AC75007611" + ] + }, + "sophos": { + "threat_center": { + "aggressive_activity": "False", + "detection_id_dedup": "89913194caf9a64bb388b1ac2037fd2d6895b875", + "endpoint": { + "type": "computer" + }, + "global_rep": 0, + "id": "1e062adb-b215-4abd-aaf9-b1bb9355231e", + "ioc": { + "attack_type": "Security Event Service Detections", + "detection": { + "attack": "Execution", + "category": "Threat", + "licences": [ + "MTR" + ], + "sigma": { + "id": "WIN-EXE-ENR-ML-SUSPICIOUS-1.star" + }, + "type": "process", + "weight": "5" + }, + "log_type": "summary", + "unix_time": "2023-09-17T20:11:56.000000Z" + }, + "lolbins_ml_results": { + "score": "99.0", + "score_label": "Suspicious", + "sha256": "59fef8d35f91932abd3a83ab47ba2a8ea2203a31fc79e99860ba238062ec7af2" + }, + "message": { + "id": "3225914c27b54c2a9f0e39885e4d632c67a1e188288f8ce9a9e298a2f91b4ece" + }, + "ml": { + "score": "99.0" + }, + "pua": { + "score": "0" + }, + "query": { + "action": "added", + "name": "running_processes_windows_sophos", + "pack_version": "1.18.1", + "source": "xdr_only" + }, + "record_identifier": "cebac453bf5aa57f2fbe297628a914814378da9171ac0d7a972f7783af5bfeef", + "sha256": { + "reputation_band": "KNOWN_GOOD", + "reputation_score": "70" + }, + "worker": { + "id": "security-event-service" + } + } + }, + "source": { + "address": "10.0.0.11", + "bytes": 1649, + "geo": { + "country_iso_code": "FR", + "country_name": "France" + }, + "ip": "10.0.0.11", + "mac": "0a:cc:df:3e:cc:2c", + "nat": { + "ip": "194.0.166.130" + } + }, + "user": { + "name": "AC75007611" + }, + "vulnerability": { + "description": "Identifies Lolbin processes labeled as suspicious by a machine learning model." + } + } + + ``` + +