diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
index 1c3b70a77d..31ac6623f7 100644
--- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
+++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
@@ -723,6 +723,95 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "activity-type-5126-2.json" + + ```json + + { + "message": "{\"accountId\": \"1234\", \"activityType\": 5126, \"agentId\": \"1234\", \"createdAt\": \"2025-01-30T07:27:16.108284Z\", \"data\": {\"accountName\": \"group\", \"bluetoothAddress\": \"\", \"computerName\": \"HOSTNAME\", \"creator\": \"N/A\", \"deviceClass\": \"00h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"TEST\", \"eventId\": \"{70f9e255-417f-4217-83a5-2a7c68c1cce5}\", \"eventTime\": \"2025-01-30T07:27:30.800+00:00\", \"eventType\": \"disconnected\", \"externalServiceId\": null, \"fullScopeDetails\": \"Group WW\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-servers\", \"gattService\": \"\", \"groupId\": \"1234\", \"groupName\": \"Global / CORP / CORP-Users / Default Group\", \"interface\": \"USB\", \"ipAddress\": \"1.2.3.4\", \"lastLoggedInUserName\": \"user\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"physicalDeviceId\": null, \"productId\": \"2CEE\", \"profileUuids\": \"N/A\", \"realUser\": null, \"ruleId\": \"-1\", \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"WW \", \"siteName\": \"CORP-Users\", \"sourceType\": \"API\", \"uid\": \"\", \"vendorId\": \"1E7D\", \"version\": \"N/A\"}, \"groupId\": \"1083054176758610128\", \"id\": \"1387019684138751044\", \"primaryDescription\": \"USB device TEST was disconnected on HOSTNAME.\", \"secondaryDescription\": \"IP address: 5.6.7.8\", \"siteId\": \"1083054176741832911\", \"updatedAt\": \"2025-01-30T07:27:14.910416Z\"}", + "event": { + "action": "Device Control Approved Event", + "category": "host", + "reason": "USB device TEST was disconnected on HOSTNAME.", + "type": [ + "allowed" + ] + }, + "@timestamp": "2025-01-30T07:27:16.108284Z", + "action": { 
+ "type": 5126 + }, + "agent": { + "id": "1234" + }, + "group": { + "id": "1083054176758610128" + }, + "host": { + "name": "HOSTNAME" + }, + "organization": { + "id": "1234" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user" + ] + }, + "rule": { + "id": "-1" + }, + "sentinelone": { + "createdAt": "2025-01-30T07:27:16.108284Z", + "data": { + "accountName": "group", + "computerName": "HOSTNAME", + "creator": "N/A", + "deviceClass": "00h", + "deviceName": "TEST", + "eventId": "{70f9e255-417f-4217-83a5-2a7c68c1cce5}", + "eventTime": "2025-01-30T07:27:30.800+00:00", + "eventType": "disconnected", + "fullScopeDetails": "Group WW", + "fullScopeDetailsPath": "Global / CORP / CORP-servers", + "group": { + "id": "1234" + }, + "groupName": "Global / CORP / CORP-Users / Default Group", + "interface": "USB", + "ipAddress": "1.2.3.4", + "lastLoggedInUserName": "user", + "lmpVersion": "N/A", + "minorClass": "N/A", + "osType": "windows", + "productId": "2CEE", + "profileUuids": "N/A", + "ruleType": "productId", + "scopeLevel": "Group", + "scopeName": "WW ", + "siteName": "CORP-Users", + "version": "N/A" + }, + "eventid": 1387019684138751044, + "secondaryDescription": "IP address: 5.6.7.8", + "siteId": 1083054176741832911, + "updatedAt": "2025-01-30T07:27:14.910416Z" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "user" + } + } + + ``` + + === "activity-type-5126.json" ```json 
@@ -2460,6 +2549,271 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "threat4.json" + + ```json + + { + "message": "{\"agentDetectionInfo\": {\"accountId\": \"1588993609183209372\", \"accountName\": \"0 - MDR - APRR\", \"agentDetectionState\": null, \"agentDomain\": \"saprr.local\", \"agentIpV4\": \"1.2.3.4,5.6.7.8,9.10.11.12\", \"agentIpV6\": \"\", \"agentLastLoggedInUpn\": null, \"agentLastLoggedInUserMail\": null, \"agentLastLoggedInUserName\": \"\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Linux\", \"agentOsRevision\": \"Debian GNU/12 (bookworm) 6.1.0-29-amd64\", \"agentRegisteredAt\": \"2025-01-29T11:05:23.759829Z\", \"agentUuid\": \"1f03f1fd-71b6-91e8-1790-ff46fbd57d08\", \"agentVersion\": \"24.2.2.20\", \"assetVersion\": \"\", \"cloudProviders\": {\"ESXI\": {}}, \"externalIp\": \"10.20.30.40\", \"groupId\": \"1592057602674298966\", \"groupName\": \"Default Group\", \"siteId\": \"1592057602649133141\", \"siteName\": \"Serveurs Linux\"}, \"agentRealtimeInfo\": {\"accountId\": \"1588993609183209372\", \"accountName\": \"0 - MDR - APRR\", \"activeThreats\": 0, \"agentComputerName\": \"slz0080.saprr.local\", \"agentDecommissionedAt\": null, \"agentDomain\": \"saprr.local\", \"agentId\": \"2138423311915892041\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"server\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Linux\", \"agentOsRevision\": \"Debian GNU/12 (bookworm) 6.1.0-29-amd64\", \"agentOsType\": \"linux\", \"agentUuid\": \"1f03f1fd-71b6-91e8-1790-ff46fbd57d08\", \"agentVersion\": \"24.2.2.20\", \"groupId\": \"1604948594358127522\", \"groupName\": \"Docker\", \"networkInterfaces\": [{\"id\": \"2147130287111486641\", \"inet\": [], \"inet6\": [], \"name\": \"veth133e4a3\", \"physical\": \"11:22:33:44:55:66\"}, {\"id\": \"2147114829782704490\", \"inet\": [], \"inet6\": [], \"name\": 
\"veth1ebd738\", \"physical\": \"AA:BB:CC:DD:EE:FF\"}, {\"id\": \"2147114829765927270\", \"inet\": [\"9.10.11.12\"], \"inet6\": [], \"name\": \"br-eecebc98dd4b\", \"physical\": \"77:88:99:00:11:22\"}, {\"id\": \"2147114829757538660\", \"inet\": [], \"inet6\": [], \"name\": \"vethcab2067\", \"physical\": \"A1:B2:C3:D4:E5:F6\"}, {\"id\": \"2145128987023664939\", \"inet\": [\"5.6.7.8\"], \"inet6\": [], \"name\": \"docker0\", \"physical\": \"1A:2B:3C:4D:5E:6F\"}, {\"id\": \"2138423311932669261\", \"inet\": [\"1.2.3.4\"], \"inet6\": [], \"name\": \"ens192\", \"physical\": \"00:11:22:33:44:55\"}], \"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": null, \"scanStartedAt\": null, \"scanStatus\": \"none\", \"siteId\": \"1592057602649133141\", \"siteName\": \"Serveurs Linux\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": \"b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c\", \"image\": \"aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112\", \"isContainerQuarantine\": false, \"labels\": [\"MAINTAINER:\\\"AxonOps \\\"\", \"com.docker.compose.config-hash:\\\"559ae0e792091b120f6f99d15da543e95d5c59e3209ed216d4077492de88ebdd\\\"\", \"com.docker.compose.container-number:\\\"1\\\"\", \"com.docker.compose.oneoff:\\\"False\\\"\", \"com.docker.compose.project:\\\"axonops\\\"\", \"com.docker.compose.project.config_files:\\\"axonops-compose.yml\\\"\", \"com.docker.compose.project.working_dir:\\\"/opt/aprr/docker-app/axonops\\\"\", \"com.docker.compose.service:\\\"axon-dash\\\"\", \"com.docker.compose.version:\\\"1.26.0\\\"\", \"org.opencontainers.image.ref.name:\\\"ubuntu\\\"\", \"org.opencontainers.image.version:\\\"22.04\\\"\"], \"name\": \"axonops_axon-dash_1\"}, \"ecsInfo\": {\"clusterName\": null, \"serviceArn\": null, \"serviceName\": null, \"taskArn\": null, \"taskAvailabilityZone\": null, \"taskDefinitionArn\": null, \"taskDefinitionFamily\": null, 
\"taskDefinitionRevision\": null, \"type\": null, \"version\": null}, \"id\": \"2147115586493991494\", \"indicators\": [{\"category\": \"Post Exploitation\", \"description\": \"A file was executed in a container that was not a part of the container image\", \"ids\": [1446], \"tactics\": []}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"isContainerQuarantine\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"nodeLabels\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 3, \"total\": 3}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2025-02-10T10:55:23.951728Z\", \"latestReport\": \"/threats/mitigation-report/2147115589035740263\", \"mitigationEndedAt\": \"2025-02-10T10:55:23.596000Z\", \"mitigationStartedAt\": \"2025-02-10T10:55:23.595000Z\", \"reportId\": \"2147115589035740263\", \"status\": \"success\"}, {\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 46, \"total\": 46}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2025-02-10T10:55:24.023572Z\", \"latestReport\": \"/threats/mitigation-report/2147115589639720178\", \"mitigationEndedAt\": \"2025-02-10T10:55:23.594000Z\", \"mitigationStartedAt\": \"2025-02-10T10:55:23.594000Z\", \"reportId\": \"2147115589639720178\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"false_positive\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": null, \"classification\": \"Malware\", \"classificationSource\": \"Static\", \"cloudFilesHashVerdict\": null, \"collectionId\": \"2145125396640532798\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2025-02-10T10:55:23.648310Z\", 
\"detectionEngines\": [{\"key\": \"application_control\", \"title\": \"Application Control\"}], \"detectionType\": \"dynamic\", \"engines\": [\"Application Control\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": null, \"fileExtensionType\": null, \"filePath\": \"/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun\", \"fileSize\": 78, \"fileVerificationType\": null, \"identifiedAt\": \"2025-02-10T10:55:23.587476Z\", \"incidentStatus\": \"resolved\", \"incidentStatusDescription\": \"Resolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": null, \"macroModules\": null, \"maliciousProcessArguments\": \"/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"marked_as_benign\", \"mitigationStatusDescription\": \"Marked as benign\", \"originatorProcess\": null, \"pendingActions\": false, \"processUser\": \"\", \"publisherName\": null, \"reachedEventsLimit\": null, \"rebootRequired\": false, \"rootProcessUpn\": null, \"sha1\": \"315e54b4903ac4923d3014b4ebb098fb966b1e09\", \"sha256\": \"2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0\", \"storyline\": \"2278a12c-b8f7-e37f-aaa6-286b028d3bf0\", \"threatId\": \"2147115586493991494\", \"threatName\": \"AppRun\", \"updatedAt\": \"2025-02-10T10:58:43.575450Z\"}, \"whiteningOptions\": [\"hash\", \"path\"]}", + "event": { + "category": [ + "malware" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "agent": { + "id": "2138423311915892041" + }, + "container": { + "id": "b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c", + "image": { + "name": 
"aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112" + }, + "name": "axonops_axon-dash_1" + }, + "file": { + "extension": "none", + "hash": { + "sha1": "315e54b4903ac4923d3014b4ebb098fb966b1e09", + "sha256": "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0" + }, + "name": "AppRun", + "path": "/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "size": 78 + }, + "host": { + "domain": "saprr.local", + "ip": [ + "1.2.3.4", + "10.20.30.40", + "5.6.7.8", + "9.10.11.12" + ], + "name": "slz0080.saprr.local", + "os": { + "family": "linux", + "version": "Linux" + } + }, + "organization": { + "id": "1588993609183209372", + "name": "0 - MDR - APRR" + }, + "related": { + "hash": [ + "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0", + "315e54b4903ac4923d3014b4ebb098fb966b1e09" + ], + "ip": [ + "1.2.3.4", + "10.20.30.40", + "5.6.7.8", + "9.10.11.12" + ] + }, + "sentinelone": { + "agentDetectionInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "agentDomain": "saprr.local", + "agentIpV4": "1.2.3.4,5.6.7.8,9.10.11.12", + "agentMitigationMode": "protect", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentRegisteredAt": "2025-01-29T11:05:23.759829Z", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "externalIp": "10.20.30.40", + "groupId": 1592057602674298966, + "groupName": "Default Group", + "siteId": 1592057602649133141, + "siteName": "Serveurs Linux" + }, + "agentRealtimeInfo": { + "activeThreats": 0, + "agentComputerName": "slz0080.saprr.local", + "agentDomain": "saprr.local", + "agentId": "2138423311915892041", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + 
"agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "groupId": 1604948594358127522, + "groupName": "Docker", + "networkInterfaces": [ + { + "id": "2147130287111486641", + "inet": [], + "inet6": [], + "name": "veth133e4a3", + "physical": "11:22:33:44:55:66" + }, + { + "id": "2147114829782704490", + "inet": [], + "inet6": [], + "name": "veth1ebd738", + "physical": "AA:BB:CC:DD:EE:FF" + }, + { + "id": "2147114829765927270", + "inet": [ + "9.10.11.12" + ], + "inet6": [], + "name": "br-eecebc98dd4b", + "physical": "77:88:99:00:11:22" + }, + { + "id": "2147114829757538660", + "inet": [], + "inet6": [], + "name": "vethcab2067", + "physical": "A1:B2:C3:D4:E5:F6" + }, + { + "id": "2145128987023664939", + "inet": [ + "5.6.7.8" + ], + "inet6": [], + "name": "docker0", + "physical": "1A:2B:3C:4D:5E:6F" + }, + { + "id": "2138423311932669261", + "inet": [ + "1.2.3.4" + ], + "inet6": [], + "name": "ens192", + "physical": "00:11:22:33:44:55" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanStatus": "none", + "siteId": 1592057602649133141, + "siteName": "Serveurs Linux", + "userActionsNeeded": [] + }, + "eventid": 2147115586493991494, + "indicators": [ + { + "category": "Post Exploitation", + "description": "A file was executed in a container that was not a part of the container image", + "ids": [ + 1446 + ], + "tactics": [] + } + ], + "mitigationStatus": [ + { + "action": "kill", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 3, + "total": 3 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:23.951728Z", + "latestReport": "/threats/mitigation-report/2147115589035740263", + "mitigationEndedAt": "2025-02-10T10:55:23.596000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.595000Z", + "reportId": "2147115589035740263", + "status": "success" + }, + { + "action": "quarantine", + 
"actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 46, + "total": 46 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:24.023572Z", + "latestReport": "/threats/mitigation-report/2147115589639720178", + "mitigationEndedAt": "2025-02-10T10:55:23.594000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.594000Z", + "reportId": "2147115589639720178", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "false_positive", + "analystVerdictDescription": "False positive", + "automaticallyResolved": false, + "classificationSource": "Static", + "collectionId": "2145125396640532798", + "detectionEngines": [ + { + "key": "application_control", + "title": "Application Control" + } + ], + "detectionType": "dynamic", + "engines": [ + "Application Control" + ], + "externalTicketExists": false, + "failedActions": false, + "incidentStatus": "resolved", + "incidentStatusDescription": "Resolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "isFileless": false, + "maliciousProcessArguments": "/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "mitigatedPreemptively": false, + "mitigationStatus": "marked_as_benign", + "mitigationStatusDescription": "Marked as benign", + "pendingActions": false, + "rebootRequired": false, + "storyline": "2278a12c-b8f7-e37f-aaa6-286b028d3bf0", + "threatId": "2147115586493991494", + "updatedAt": "2025-02-10T10:58:43.575450Z" + }, + "whiteningOptions": [ + "hash", + "path" + ] + }, + "threat": { + "enrichments": { + "matched": { + "occurred": "2025-02-10T10:55:23.587476Z" + } + }, + "indicator": { + "confidence": "suspicious", + "file": { + "created": "2025-02-10T10:55:23.648310Z", + "size": 78 + } + }, + "software": { + "type": "Malware" + } + } + } + + ``` + + === "user_logged_in.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md
index 2bce2d791f..0ca5652541 100644
--- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md
+++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md
@@ -473,6 +473,67 @@ In this section, you will find examples of raw logs as generated natively by the +=== "activity-type-5126-2" + + + ```json + { + "accountId": "1234", + "activityType": 5126, + "agentId": "1234", + "createdAt": "2025-01-30T07:27:16.108284Z", + "data": { + "accountName": "group", + "bluetoothAddress": "", + "computerName": "HOSTNAME", + "creator": "N/A", + "deviceClass": "00h", + "deviceInformationServiceInfoKey": "", + "deviceInformationServiceInfoValue": "", + "deviceName": "TEST", + "eventId": "{70f9e255-417f-4217-83a5-2a7c68c1cce5}", + "eventTime": "2025-01-30T07:27:30.800+00:00", + "eventType": "disconnected", + "externalServiceId": null, + "fullScopeDetails": "Group WW", + "fullScopeDetailsPath": "Global / CORP / CORP-servers", + "gattService": "", + "groupId": "1234", + "groupName": "Global / CORP / CORP-Users / Default Group", + "interface": "USB", + "ipAddress": "1.2.3.4", + "lastLoggedInUserName": "user", + "lmpVersion": "N/A", + "manufacturerName": "", + "minorClass": "N/A", + "osType": "windows", + "physicalDeviceId": null, + "productId": "2CEE", + "profileUuids": "N/A", + "realUser": null, + "ruleId": "-1", + "ruleName": null, + "ruleScopeName": null, + "ruleType": "productId", + "scopeLevel": "Group", + "scopeName": "WW ", + "siteName": "CORP-Users", + "sourceType": "API", + "uid": "", + "vendorId": "1E7D", + "version": "N/A" + }, + "groupId": "1083054176758610128", + "id": "1387019684138751044", + "primaryDescription": "USB device TEST was disconnected on HOSTNAME.", + "secondaryDescription": "IP address: 5.6.7.8", + "siteId": "1083054176741832911", + "updatedAt": "2025-01-30T07:27:14.910416Z" + } + ``` + + + === "activity-type-5126" 
@@ -1940,6 +2001,281 @@ In this section, you will find examples of raw logs as generated natively by the +=== "threat4" + + + ```json + { + "agentDetectionInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "agentDetectionState": null, + "agentDomain": "saprr.local", + "agentIpV4": "1.2.3.4,5.6.7.8,9.10.11.12", + "agentIpV6": "", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentRegisteredAt": "2025-01-29T11:05:23.759829Z", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "assetVersion": "", + "cloudProviders": { + "ESXI": {} + }, + "externalIp": "10.20.30.40", + "groupId": "1592057602674298966", + "groupName": "Default Group", + "siteId": "1592057602649133141", + "siteName": "Serveurs Linux" + }, + "agentRealtimeInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "activeThreats": 0, + "agentComputerName": "slz0080.saprr.local", + "agentDecommissionedAt": null, + "agentDomain": "saprr.local", + "agentId": "2138423311915892041", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentOsType": "linux", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "groupId": "1604948594358127522", + "groupName": "Docker", + "networkInterfaces": [ + { + "id": "2147130287111486641", + "inet": [], + "inet6": [], + "name": "veth133e4a3", + "physical": "11:22:33:44:55:66" + }, + { + "id": "2147114829782704490", + "inet": [], + "inet6": [], + "name": "veth1ebd738", + "physical": "AA:BB:CC:DD:EE:FF" + }, + { + "id": 
"2147114829765927270", + "inet": [ + "9.10.11.12" + ], + "inet6": [], + "name": "br-eecebc98dd4b", + "physical": "77:88:99:00:11:22" + }, + { + "id": "2147114829757538660", + "inet": [], + "inet6": [], + "name": "vethcab2067", + "physical": "A1:B2:C3:D4:E5:F6" + }, + { + "id": "2145128987023664939", + "inet": [ + "5.6.7.8" + ], + "inet6": [], + "name": "docker0", + "physical": "1A:2B:3C:4D:5E:6F" + }, + { + "id": "2138423311932669261", + "inet": [ + "1.2.3.4" + ], + "inet6": [], + "name": "ens192", + "physical": "00:11:22:33:44:55" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": null, + "scanStartedAt": null, + "scanStatus": "none", + "siteId": "1592057602649133141", + "siteName": "Serveurs Linux", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": "b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c", + "image": "aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112", + "isContainerQuarantine": false, + "labels": [ + "MAINTAINER:\"AxonOps \"", + "com.docker.compose.config-hash:\"559ae0e792091b120f6f99d15da543e95d5c59e3209ed216d4077492de88ebdd\"", + "com.docker.compose.container-number:\"1\"", + "com.docker.compose.oneoff:\"False\"", + "com.docker.compose.project:\"axonops\"", + "com.docker.compose.project.config_files:\"axonops-compose.yml\"", + "com.docker.compose.project.working_dir:\"/opt/aprr/docker-app/axonops\"", + "com.docker.compose.service:\"axon-dash\"", + "com.docker.compose.version:\"1.26.0\"", + "org.opencontainers.image.ref.name:\"ubuntu\"", + "org.opencontainers.image.version:\"22.04\"" + ], + "name": "axonops_axon-dash_1" + }, + "ecsInfo": { + "clusterName": null, + "serviceArn": null, + "serviceName": null, + "taskArn": null, + "taskAvailabilityZone": null, + "taskDefinitionArn": null, + "taskDefinitionFamily": null, + "taskDefinitionRevision": null, + "type": null, + "version": null + }, + "id": "2147115586493991494", 
+ "indicators": [ + { + "category": "Post Exploitation", + "description": "A file was executed in a container that was not a part of the container image", + "ids": [ + 1446 + ], + "tactics": [] + } + ], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "isContainerQuarantine": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "nodeLabels": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "kill", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 3, + "total": 3 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:23.951728Z", + "latestReport": "/threats/mitigation-report/2147115589035740263", + "mitigationEndedAt": "2025-02-10T10:55:23.596000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.595000Z", + "reportId": "2147115589035740263", + "status": "success" + }, + { + "action": "quarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 46, + "total": 46 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:24.023572Z", + "latestReport": "/threats/mitigation-report/2147115589639720178", + "mitigationEndedAt": "2025-02-10T10:55:23.594000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.594000Z", + "reportId": "2147115589639720178", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "false_positive", + "analystVerdictDescription": "False positive", + "automaticallyResolved": false, + "browserType": null, + "certificateId": null, + "classification": "Malware", + "classificationSource": "Static", + "cloudFilesHashVerdict": null, + "collectionId": "2145125396640532798", + "confidenceLevel": "suspicious", + "createdAt": "2025-02-10T10:55:23.648310Z", + "detectionEngines": [ + { + "key": "application_control", + "title": "Application Control" + } + ], + 
"detectionType": "dynamic", + "engines": [ + "Application Control" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": null, + "fileExtensionType": null, + "filePath": "/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "fileSize": 78, + "fileVerificationType": null, + "identifiedAt": "2025-02-10T10:55:23.587476Z", + "incidentStatus": "resolved", + "incidentStatusDescription": "Resolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": null, + "macroModules": null, + "maliciousProcessArguments": "/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "marked_as_benign", + "mitigationStatusDescription": "Marked as benign", + "originatorProcess": null, + "pendingActions": false, + "processUser": "", + "publisherName": null, + "reachedEventsLimit": null, + "rebootRequired": false, + "rootProcessUpn": null, + "sha1": "315e54b4903ac4923d3014b4ebb098fb966b1e09", + "sha256": "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0", + "storyline": "2278a12c-b8f7-e37f-aaa6-286b028d3bf0", + "threatId": "2147115586493991494", + "threatName": "AppRun", + "updatedAt": "2025-02-10T10:58:43.575450Z" + }, + "whiteningOptions": [ + "hash", + "path" + ] + } + ``` + + + === "user_logged_in" diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index b6ae3d87be..b496d72d59 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
@@ -2056,6 +2056,84 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_dns_response_complicated.json" + + ```json + + { + "message": "{\"VendorName\": \"palo alto networks\", \"DeviceSN\": \"xxxxxxxxxxxxx\", \"TimeReceived\": \"2025-02-11T10:51:15.456002Z\", \"LogType\": \"DNS\", \"Subtype\": \"realtime_dns_telemetry_response\", \"SubType\": \"realtime_dns_telemetry_response\", \"TimeGenerated\": \"2025-02-11T10:51:15.000000Z\", \"RecordType\": \"cname,cname,cname,a,a,a,a,a,a,a,a\", \"DNSResolverIP\": \"1.2.3.4\", \"ThreatID\": 0, \"DNSCategory\": \"benign\", \"ThreatName\": null, \"SourceAddress\": \"5.6.7.8\", \"FromZone\": \"RN-USDAA-1\", \"Action\": \"Allow\", \"DNSResponse\": [\"sub1.example.com.\", \"sub2.example.com.\", \"example2.net.\", \"9.10.11.9\", \"12.13.14.11\", \"9.10.11.11\", \"12.13.14.15\", \"9.10.11.12\", \"12.13.14.10\", \"9.10.11.14\", \"9.10.11.4\"], \"ToZone\": null, \"DestinationUser\": null}", + "event": { + "action": "Allow", + "category": [ + "network" + ], + "dataset": "dns", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2025-02-11T10:51:15Z", + "action": { + "name": "Allow", + "outcome": "success", + "type": "realtime_dns_telemetry_response" + }, + "dns": { + "question": { + "type": "cname,cname,cname,a,a,a,a,a,a,a,a" + }, + "resolved_ip": [ + "12.13.14.10", + "12.13.14.11", + "12.13.14.15", + "9.10.11.11", + "9.10.11.12", + "9.10.11.14", + "9.10.11.4", + "9.10.11.9" + ] + }, + "log": { + "logger": "dns" + }, + "observer": { + "ingress": { + "interface": { + "alias": "RN-USDAA-1" + } + }, + "product": "PAN-OS", + "serial_number": "xxxxxxxxxxxxx" + }, + "paloalto": { + "Threat_ContentType": "realtime_dns_telemetry_response", + "dns": { + "category": "benign" + } + }, + "related": { + "ip": [ + "12.13.14.10", + "12.13.14.11", + "12.13.14.15", + "5.6.7.8", + "9.10.11.11", + "9.10.11.12", + "9.10.11.14", + "9.10.11.4", + "9.10.11.9" + ] + }, + "source": { + "address": 
"5.6.7.8", + "ip": "5.6.7.8" + } + } + + ``` + + === "test_event_reason.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md index d7aeb4221e..114623f0aa 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md @@ -582,6 +582,46 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_dns_response_complicated" + + + ```json + { + "VendorName": "palo alto networks", + "DeviceSN": "xxxxxxxxxxxxx", + "TimeReceived": "2025-02-11T10:51:15.456002Z", + "LogType": "DNS", + "Subtype": "realtime_dns_telemetry_response", + "SubType": "realtime_dns_telemetry_response", + "TimeGenerated": "2025-02-11T10:51:15.000000Z", + "RecordType": "cname,cname,cname,a,a,a,a,a,a,a,a", + "DNSResolverIP": "1.2.3.4", + "ThreatID": 0, + "DNSCategory": "benign", + "ThreatName": null, + "SourceAddress": "5.6.7.8", + "FromZone": "RN-USDAA-1", + "Action": "Allow", + "DNSResponse": [ + "sub1.example.com.", + "sub2.example.com.", + "example2.net.", + "9.10.11.9", + "12.13.14.11", + "9.10.11.11", + "12.13.14.15", + "9.10.11.12", + "12.13.14.10", + "9.10.11.14", + "9.10.11.4" + ], + "ToZone": null, + "DestinationUser": null + } + ``` + + + === "test_event_reason" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 326896f0b2..712189675c 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -1662,6 +1662,78 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_551.json" + + ```json + + { + "message": "{\"EventTime\": \"2025-02-13 09:59:16\", \"Hostname\": \"dc2.intranet.example\", \"Keywords\": 580964351930793992, \"EventType\": \"ERROR\", \"SeverityValue\": 4, \"Severity\": \"ERROR\", \"EventID\": 551, \"SourceName\": \"Microsoft-Windows-SMBServer\", \"ProviderGuid\": \"{023B183D-B1C2-4875-82FD-E2EBC8966A98}\", \"Version\": 2, \"Task\": 551, \"OpcodeValue\": 0, \"RecordNumber\": 246121596, \"ProcessID\": 4, \"ThreadID\": 1696, \"Channel\": \"Microsoft-Windows-SMBServer/Security\", \"Domain\": \"NT AUTHORITY\", \"AccountName\": \"SYSTEM\", \"UserID\": \"JOHNDOE\", \"AccountType\": \"User\", \"Message\": \"SMB Session Authentication Failure\\r\\n\\r\\nClient Name: \\\\\\\\1.2.3.4\\r\\nClient Address: 1.2.3.4:41760\\r\\nUser Name: \\r\\nSession ID: 0x123456789\\r\\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\\r\\nSPN: session setup failed before the SPN could be queried\\r\\nSPN Validation Policy: SPN optional / no validation\\r\\n\\r\\nGuidance:\\r\\n\\r\\nYou should expect this error when attempting to connect to shares using incorrect credentials.\\r\\n\\r\\nThis error does not always indicate a problem with authorization, but mainly authentication. 
It is more common with non-Windows clients.\\r\\n\\r\\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled\", \"Opcode\": \"Info\", \"EventReceivedTime\": \"2025-02-13 09:59:17\", \"SourceModuleName\": \"eventlog\", \"SourceModuleType\": \"im_msvistalog\"}", + "event": { + "code": "551", + "message": "SMB Session Authentication Failure\r\n\r\nClient Name: \\\\1.2.3.4\r\nClient Address: 1.2.3.4:41760\r\nUser Name: \r\nSession ID: 0x123456789\r\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\r\nSPN: session setup failed before the SPN could be queried\r\nSPN Validation Policy: SPN optional / no validation\r\n\r\nGuidance:\r\n\r\nYou should expect this error when attempting to connect to shares using incorrect credentials.\r\n\r\nThis error does not always indicate a problem with authorization, but mainly authentication. 
It is more common with non-Windows clients.\r\n\r\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled", + "provider": "Microsoft-Windows-SMBServer" + }, + "action": { + "id": 551, + "properties": { + "AccountName": "SYSTEM", + "AccountType": "User", + "Domain": "NT AUTHORITY", + "EventType": "ERROR", + "Keywords": "580964351930793992", + "OpcodeValue": 0, + "ProviderGuid": "{023B183D-B1C2-4875-82FD-E2EBC8966A98}", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-SMBServer", + "Task": 551 + }, + "record_id": 246121596, + "type": "Microsoft-Windows-SMBServer/Security" + }, + "host": { + "hostname": "dc2.intranet.example", + "name": "dc2.intranet.example" + }, + "log": { + "hostname": "dc2.intranet.example", + "level": "error" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 4, + "pid": 4, + "thread": { + "id": 1696 + } + }, + "related": { + "hosts": [ + "dc2.intranet.example" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "NT AUTHORITY", + "id": "JOHNDOE", + "name": "SYSTEM" + } + } + + ``` + + === "Event_56.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md index eda91ef2d8..e9eaf67a1a 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md 
@@ -850,6 +850,40 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_551" + + ``` + { + "EventTime": "2025-02-13 09:59:16", + "Hostname": "dc2.intranet.example", + "Keywords": 580964351930793992, + "EventType": "ERROR", + "SeverityValue": 4, + "Severity": "ERROR", + "EventID": 551, + "SourceName": "Microsoft-Windows-SMBServer", + "ProviderGuid": "{023B183D-B1C2-4875-82FD-E2EBC8966A98}", + "Version": 2, + "Task": 551, + "OpcodeValue": 0, + "RecordNumber": 246121596, + "ProcessID": 4, + "ThreadID": 1696, + "Channel": "Microsoft-Windows-SMBServer/Security", + "Domain": "NT AUTHORITY", + "AccountName": "SYSTEM", + "UserID": "JOHNDOE", + "AccountType": "User", + "Message": "SMB Session Authentication Failure\r\n\r\nClient Name: \\\\1.2.3.4\r\nClient Address: 1.2.3.4:41760\r\nUser Name: \r\nSession ID: 0x123456789\r\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\r\nSPN: session setup failed before the SPN could be queried\r\nSPN Validation Policy: SPN optional / no validation\r\n\r\nGuidance:\r\n\r\nYou should expect this error when attempting to connect to shares using incorrect credentials.\r\n\r\nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.\r\n\r\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled", + "Opcode": "Info", + "EventReceivedTime": "2025-02-13 09:59:17", + "SourceModuleName": "eventlog", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "Event_56" ``` 
diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md index 8b4507e8e1..d688004714 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md 
@@ -27,6 +27,125 @@ In details, the following table denotes the type of events produced by this inte This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. +=== "common_log_format_1.json" + + ```json + + { + "message": "1.2.3.4 - johndoe [05/02/2025 11:30:29] \"GET https://sub.example.com/1.png HTTP/1.1\" 200 - - 1000 Business Services", + "event": { + "category": [ + "network", + "web" + ] + }, + "@timestamp": "2025-05-02T11:30:29Z", + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "johndoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "sub.example.com", + "full": "https://sub.example.com/1.png", + "original": "https://sub.example.com/1.png", + "path": "/1.png", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "subdomain": "sub", + "top_level_domain": "com" + }, + "user": { + "name": "johndoe" + } + } + + ``` + + +=== "common_log_format_2.json" + + ```json + + { + "message": "5.6.7.8 - janedoe [05/02/2025 11:31:06] \"CONNECT https://example.com:443 HTTP/1.1\" 200 -", + "event": { + "category": [ + "network", + "web" + ] + }, + "@timestamp": "2025-05-02T11:31:06Z", + "destination": { + "address": "https://example.com", + "domain": "https://example.com", + "port": 443, + "registered_domain": "example.com", + 
"top_level_domain": "com" + }, + "http": { + "request": { + "method": "CONNECT" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "Squid", + "type": "proxy", + "vendor": "Squid" + }, + "related": { + "hosts": [ + "https://example.com" + ], + "ip": [ + "5.6.7.8" + ], + "user": [ + "janedoe" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "user": { + "name": "janedoe" + } + } + + ``` + + === "connect.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md index 831cf93905..eec8ff688a 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md @@ -4,6 +4,22 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "common_log_format_1" + + ``` + 1.2.3.4 - johndoe [05/02/2025 11:30:29] "GET https://sub.example.com/1.png HTTP/1.1" 200 - - 1000 Business Services + ``` + + + +=== "common_log_format_2" + + ``` + 5.6.7.8 - janedoe [05/02/2025 11:31:06] "CONNECT https://example.com:443 HTTP/1.1" 200 - + ``` + + + === "connect" ``` diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 03de6aaa13..cd8f9612da 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
@@ -3606,6 +3606,74 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "security_compliance_alert_8.json" + + ```json + + { + "message": "{\"CreationTime\": \"2025-01-31T23:11:21\", \"Id\": \"3af6fbb3-040e-4ecc-4e18-08dd424c935a\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"abcdef123\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"test@example.com\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"BIURO\", \"AlertId\": \"b69ac1d6-7546-4f1b-a15f-fca0b5a7d005\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"test@example.com\\\",\\\"tid\\\":\\\"abcdef123-ecef-4cb1-a848-794d17916b7b\\\",\\\"ts\\\":\\\"2025-01-31T23:09:52.0000000Z\\\",\\\"te\\\":\\\"2025-01-31T23:09:52.0000000Z\\\",\\\"op\\\":\\\"CompromisedAccount\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"BIURO@SEPARATOR.PL\\\",\\\"ut\\\":\\\"System\\\",\\\"ssic\\\":\\\"0\\\",\\\"lon\\\":\\\"CompromisedAccount\\\"}\", \"EntityType\": \"User\", \"Name\": \"User restricted from sending email\", \"PolicyId\": \"5bd8e1ef-44f4-4a67-b40f-48fd576ec779\", \"Severity\": \"High\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2025-01-31T23:11:21Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "User restricted from sending email", + "entity_type": "User", + "id": 
"b69ac1d6-7546-4f1b-a15f-fca0b5a7d005", + "severity": "High", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "test@example.com" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "abcdef123" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "5bd8e1ef-44f4-4a67-b40f-48fd576ec779" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + === "security_compliance_alert_malicious_url.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index bf8d6b678b..4e9e4bd9ea 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md 
@@ -2074,6 +2074,45 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_compliance_alert_8" + + + ```json + { + "CreationTime": "2025-01-31T23:11:21", + "Id": "3af6fbb3-040e-4ecc-4e18-08dd424c935a", + "Operation": "AlertEntityGenerated", + "OrganizationId": "abcdef123", + "RecordType": 40, + "ResultStatus": "Succeeded", + "UserKey": "SecurityComplianceAlerts", + "UserType": 4, + "Version": 1, + "Workload": "SecurityComplianceCenter", + "ObjectId": "test@example.com", + "UserId": "SecurityComplianceAlerts", + "AlertEntityId": "BIURO", + "AlertId": "b69ac1d6-7546-4f1b-a15f-fca0b5a7d005", + "AlertLinks": [ + { + "AlertLinkHref": "" + } + ], + "AlertType": "System", + "Category": "ThreatManagement", + "Comments": "New alert", + "Data": "{\"etype\":\"User\",\"eid\":\"test@example.com\",\"tid\":\"abcdef123-ecef-4cb1-a848-794d17916b7b\",\"ts\":\"2025-01-31T23:09:52.0000000Z\",\"te\":\"2025-01-31T23:09:52.0000000Z\",\"op\":\"CompromisedAccount\",\"tdc\":\"1\",\"suid\":\"BIURO@SEPARATOR.PL\",\"ut\":\"System\",\"ssic\":\"0\",\"lon\":\"CompromisedAccount\"}", + "EntityType": "User", + "Name": "User restricted from sending email", + "PolicyId": "5bd8e1ef-44f4-4a67-b40f-48fd576ec779", + "Severity": "High", + "Source": "Office 365 Security & Compliance", + "Status": "Active" + } + ``` + + + === "security_compliance_alert_malicious_url" diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md index f780e08207..3d7c4c5673 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md 
@@ -476,6 +476,115 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_authentication_sso_with_slashes.json" + + ```json + + { + "message": "{\n \"uuid\": \"ea4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.sso\",\n 
\"published\": \"2022-11-15T08:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "dataset": "system-log", + "reason": "User single sign on to app", + "type": [ + "start" + ] + }, + "@timestamp": "2022-11-15T08:05:07.656000Z", + "observer": { + "vendor": "Okta" + }, + "okta": { + "system": { + "actor": { + "alternate_id": "john.doe@example.org", + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" + }, + "outcome": { + "result": "SUCCESS" + }, + "severity": "INFO", + "target": { + "alternateId": "Architecture Website", + "displayName": "OpenID Connect Client", + "id": "kdYO9RZnIHNhV6vii333b", + "type": "AppInstance" + }, + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" + } + } + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + }, + "source": { + "address": "example.org", + "as": { + "number": 3741, + "organization": { + "name": "Easttel" + } + }, + "domain": "example.org", + "geo": { + "city_name": "Paris", + "country_name": "France", + "location": { + "lat": 48.856944, + "lon": 2.351389 + }, + "region_name": "Ile-de-France" + }, + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org", + "user": { + "id": "eWiaLPtSTpjyy1BIwNFXg" + } + }, + "user": { + "email": 
"john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org", + "target": { + "email": "john.doe@example.org", + "full_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "name": "john.doe@example.org" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "axios", + "original": "axios/0.19.2", + "os": { + "name": "Other" + }, + "version": "0.19.2" + } + } + + ``` + + === "test_login.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md index 54503693ea..fbcf3ddbce 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md 
@@ -442,6 +442,121 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_authentication_sso_with_slashes" + + + ```json + { + "uuid": "ea4adf13-1469-4059-9d2c-7cfdb464b123", + "actor": { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + }, + "client": { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "zone": "null", + "device": "Unknown", + "ipAddress": "1.2.3.4", + "userAgent": { + "os": "Unknown", + "browser": "UNKNOWN", + "rawUserAgent": "axios/0.19.2" + }, + "geographicalContext": { + "city": "Paris", + "state": "Ile-de-France", + "country": "France", + "postalCode": null, + "geolocation": { + "lat": 48.856944, + "lon": 2.351389 + } + } + }, + "device": null, + "target": [ + { + "id": "kdYO9RZnIHNhV6vii333b", + "type": "AppInstance", + "alternateId": "Architecture Website", + "detailEntry": { + "signOnModeType": "OPENID_CONNECT" + }, + "displayName": "OpenID Connect Client" + }, + { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "AppUser", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + }, + { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + } + ], + "outcome": { + "reason": null, + "result": "SUCCESS" + }, + "request": { + "ipChain": [ + { + "ip": "1.2.3.4", + "source": null, + "version": "V4", + "geographicalContext": { + "city": "Paris", + "state": "Ile-de-France", + "country": "France", + "postalCode": null, + "geolocation": { + "lat": 48.856944, + "lon": 2.351389 + } + } + } + ] + }, + "version": "0", + "severity": "INFO", + "eventType": "user.authentication.sso", + "published": "2022-11-15T08:05:07.656Z", + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB", + "detail": {} + }, + "displayMessage": "User single sign on to app", + "legacyEventType": "app.auth.sso", + 
"securityContext": { + "isp": "Easttel", + "asOrg": "Easttel", + "domain": "example.org", + "isProxy": false, + "asNumber": 3741 + }, + "authenticationContext": { + "issuer": null, + "interface": null, + "credentialType": null, + "externalSessionId": "unknown", + "authenticationStep": 0, + "credentialProvider": null, + "authenticationProvider": null + } + } + ``` + + + === "test_login"