Merge pull request #2223 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Feb 19, 2025
2 parents cb99354 + ebbc811 commit 57c697a
Showing 12 changed files with 1,380 additions and 0 deletions.


Expand Up @@ -473,6 +473,67 @@ In this section, you will find examples of raw logs as generated natively by the



=== "activity-type-5126-2"


```json
{
"accountId": "1234",
"activityType": 5126,
"agentId": "1234",
"createdAt": "2025-01-30T07:27:16.108284Z",
"data": {
"accountName": "group",
"bluetoothAddress": "",
"computerName": "HOSTNAME",
"creator": "N/A",
"deviceClass": "00h",
"deviceInformationServiceInfoKey": "",
"deviceInformationServiceInfoValue": "",
"deviceName": "TEST",
"eventId": "{70f9e255-417f-4217-83a5-2a7c68c1cce5}",
"eventTime": "2025-01-30T07:27:30.800+00:00",
"eventType": "disconnected",
"externalServiceId": null,
"fullScopeDetails": "Group WW",
"fullScopeDetailsPath": "Global / CORP / CORP-servers",
"gattService": "",
"groupId": "1234",
"groupName": "Global / CORP / CORP-Users / Default Group",
"interface": "USB",
"ipAddress": "1.2.3.4",
"lastLoggedInUserName": "user",
"lmpVersion": "N/A",
"manufacturerName": "",
"minorClass": "N/A",
"osType": "windows",
"physicalDeviceId": null,
"productId": "2CEE",
"profileUuids": "N/A",
"realUser": null,
"ruleId": "-1",
"ruleName": null,
"ruleScopeName": null,
"ruleType": "productId",
"scopeLevel": "Group",
"scopeName": "WW ",
"siteName": "CORP-Users",
"sourceType": "API",
"uid": "",
"vendorId": "1E7D",
"version": "N/A"
},
"groupId": "1083054176758610128",
"id": "1387019684138751044",
"primaryDescription": "USB device TEST was disconnected on HOSTNAME.",
"secondaryDescription": "IP address: 5.6.7.8",
"siteId": "1083054176741832911",
"updatedAt": "2025-01-30T07:27:14.910416Z"
}
```



=== "activity-type-5126"


Expand Down Expand Up @@ -1940,6 +2001,281 @@ In this section, you will find examples of raw logs as generated natively by the



=== "threat4"


```json
{
"agentDetectionInfo": {
"accountId": "1588993609183209372",
"accountName": "0 - MDR - APRR",
"agentDetectionState": null,
"agentDomain": "saprr.local",
"agentIpV4": "1.2.3.4,5.6.7.8,9.10.11.12",
"agentIpV6": "",
"agentLastLoggedInUpn": null,
"agentLastLoggedInUserMail": null,
"agentLastLoggedInUserName": "",
"agentMitigationMode": "protect",
"agentOsName": "Linux",
"agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64",
"agentRegisteredAt": "2025-01-29T11:05:23.759829Z",
"agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08",
"agentVersion": "24.2.2.20",
"assetVersion": "",
"cloudProviders": {
"ESXI": {}
},
"externalIp": "10.20.30.40",
"groupId": "1592057602674298966",
"groupName": "Default Group",
"siteId": "1592057602649133141",
"siteName": "Serveurs Linux"
},
"agentRealtimeInfo": {
"accountId": "1588993609183209372",
"accountName": "0 - MDR - APRR",
"activeThreats": 0,
"agentComputerName": "slz0080.saprr.local",
"agentDecommissionedAt": null,
"agentDomain": "saprr.local",
"agentId": "2138423311915892041",
"agentInfected": false,
"agentIsActive": true,
"agentIsDecommissioned": false,
"agentMachineType": "server",
"agentMitigationMode": "protect",
"agentNetworkStatus": "connected",
"agentOsName": "Linux",
"agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64",
"agentOsType": "linux",
"agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08",
"agentVersion": "24.2.2.20",
"groupId": "1604948594358127522",
"groupName": "Docker",
"networkInterfaces": [
{
"id": "2147130287111486641",
"inet": [],
"inet6": [],
"name": "veth133e4a3",
"physical": "11:22:33:44:55:66"
},
{
"id": "2147114829782704490",
"inet": [],
"inet6": [],
"name": "veth1ebd738",
"physical": "AA:BB:CC:DD:EE:FF"
},
{
"id": "2147114829765927270",
"inet": [
"9.10.11.12"
],
"inet6": [],
"name": "br-eecebc98dd4b",
"physical": "77:88:99:00:11:22"
},
{
"id": "2147114829757538660",
"inet": [],
"inet6": [],
"name": "vethcab2067",
"physical": "A1:B2:C3:D4:E5:F6"
},
{
"id": "2145128987023664939",
"inet": [
"5.6.7.8"
],
"inet6": [],
"name": "docker0",
"physical": "1A:2B:3C:4D:5E:6F"
},
{
"id": "2138423311932669261",
"inet": [
"1.2.3.4"
],
"inet6": [],
"name": "ens192",
"physical": "00:11:22:33:44:55"
}
],
"operationalState": "na",
"rebootRequired": false,
"scanAbortedAt": null,
"scanFinishedAt": null,
"scanStartedAt": null,
"scanStatus": "none",
"siteId": "1592057602649133141",
"siteName": "Serveurs Linux",
"storageName": null,
"storageType": null,
"userActionsNeeded": []
},
"containerInfo": {
"id": "b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c",
"image": "aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112",
"isContainerQuarantine": false,
"labels": [
"MAINTAINER:\"AxonOps <[email protected]>\"",
"com.docker.compose.config-hash:\"559ae0e792091b120f6f99d15da543e95d5c59e3209ed216d4077492de88ebdd\"",
"com.docker.compose.container-number:\"1\"",
"com.docker.compose.oneoff:\"False\"",
"com.docker.compose.project:\"axonops\"",
"com.docker.compose.project.config_files:\"axonops-compose.yml\"",
"com.docker.compose.project.working_dir:\"/opt/aprr/docker-app/axonops\"",
"com.docker.compose.service:\"axon-dash\"",
"com.docker.compose.version:\"1.26.0\"",
"org.opencontainers.image.ref.name:\"ubuntu\"",
"org.opencontainers.image.version:\"22.04\""
],
"name": "axonops_axon-dash_1"
},
"ecsInfo": {
"clusterName": null,
"serviceArn": null,
"serviceName": null,
"taskArn": null,
"taskAvailabilityZone": null,
"taskDefinitionArn": null,
"taskDefinitionFamily": null,
"taskDefinitionRevision": null,
"type": null,
"version": null
},
"id": "2147115586493991494",
"indicators": [
{
"category": "Post Exploitation",
"description": "A file was executed in a container that was not a part of the container image",
"ids": [
1446
],
"tactics": []
}
],
"kubernetesInfo": {
"cluster": null,
"controllerKind": null,
"controllerLabels": null,
"controllerName": null,
"isContainerQuarantine": null,
"namespace": null,
"namespaceLabels": null,
"node": null,
"nodeLabels": null,
"pod": null,
"podLabels": null
},
"mitigationStatus": [
{
"action": "kill",
"actionsCounters": {
"failed": 0,
"notFound": 0,
"pendingReboot": 0,
"success": 3,
"total": 3
},
"agentSupportsReport": true,
"groupNotFound": false,
"lastUpdate": "2025-02-10T10:55:23.951728Z",
"latestReport": "/threats/mitigation-report/2147115589035740263",
"mitigationEndedAt": "2025-02-10T10:55:23.596000Z",
"mitigationStartedAt": "2025-02-10T10:55:23.595000Z",
"reportId": "2147115589035740263",
"status": "success"
},
{
"action": "quarantine",
"actionsCounters": {
"failed": 0,
"notFound": 0,
"pendingReboot": 0,
"success": 46,
"total": 46
},
"agentSupportsReport": true,
"groupNotFound": false,
"lastUpdate": "2025-02-10T10:55:24.023572Z",
"latestReport": "/threats/mitigation-report/2147115589639720178",
"mitigationEndedAt": "2025-02-10T10:55:23.594000Z",
"mitigationStartedAt": "2025-02-10T10:55:23.594000Z",
"reportId": "2147115589639720178",
"status": "success"
}
],
"threatInfo": {
"analystVerdict": "false_positive",
"analystVerdictDescription": "False positive",
"automaticallyResolved": false,
"browserType": null,
"certificateId": null,
"classification": "Malware",
"classificationSource": "Static",
"cloudFilesHashVerdict": null,
"collectionId": "2145125396640532798",
"confidenceLevel": "suspicious",
"createdAt": "2025-02-10T10:55:23.648310Z",
"detectionEngines": [
{
"key": "application_control",
"title": "Application Control"
}
],
"detectionType": "dynamic",
"engines": [
"Application Control"
],
"externalTicketExists": false,
"externalTicketId": null,
"failedActions": false,
"fileExtension": null,
"fileExtensionType": null,
"filePath": "/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun",
"fileSize": 78,
"fileVerificationType": null,
"identifiedAt": "2025-02-10T10:55:23.587476Z",
"incidentStatus": "resolved",
"incidentStatusDescription": "Resolved",
"initiatedBy": "agent_policy",
"initiatedByDescription": "Agent Policy",
"initiatingUserId": null,
"initiatingUsername": null,
"isFileless": false,
"isValidCertificate": null,
"macroModules": null,
"maliciousProcessArguments": "/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun",
"md5": null,
"mitigatedPreemptively": false,
"mitigationStatus": "marked_as_benign",
"mitigationStatusDescription": "Marked as benign",
"originatorProcess": null,
"pendingActions": false,
"processUser": "",
"publisherName": null,
"reachedEventsLimit": null,
"rebootRequired": false,
"rootProcessUpn": null,
"sha1": "315e54b4903ac4923d3014b4ebb098fb966b1e09",
"sha256": "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0",
"storyline": "2278a12c-b8f7-e37f-aaa6-286b028d3bf0",
"threatId": "2147115586493991494",
"threatName": "AppRun",
"updatedAt": "2025-02-10T10:58:43.575450Z"
},
"whiteningOptions": [
"hash",
"path"
]
}
```



=== "user_logged_in"

