diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 1c3b70a77..31ac6623f 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
@@ -723,6 +723,95 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "activity-type-5126-2.json" + + ```json + + { + "message": "{\"accountId\": \"1234\", \"activityType\": 5126, \"agentId\": \"1234\", \"createdAt\": \"2025-01-30T07:27:16.108284Z\", \"data\": {\"accountName\": \"group\", \"bluetoothAddress\": \"\", \"computerName\": \"HOSTNAME\", \"creator\": \"N/A\", \"deviceClass\": \"00h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"TEST\", \"eventId\": \"{70f9e255-417f-4217-83a5-2a7c68c1cce5}\", \"eventTime\": \"2025-01-30T07:27:30.800+00:00\", \"eventType\": \"disconnected\", \"externalServiceId\": null, \"fullScopeDetails\": \"Group WW\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-servers\", \"gattService\": \"\", \"groupId\": \"1234\", \"groupName\": \"Global / CORP / CORP-Users / Default Group\", \"interface\": \"USB\", \"ipAddress\": \"1.2.3.4\", \"lastLoggedInUserName\": \"user\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"physicalDeviceId\": null, \"productId\": \"2CEE\", \"profileUuids\": \"N/A\", \"realUser\": null, \"ruleId\": \"-1\", \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"WW \", \"siteName\": \"CORP-Users\", \"sourceType\": \"API\", \"uid\": \"\", \"vendorId\": \"1E7D\", \"version\": \"N/A\"}, \"groupId\": \"1083054176758610128\", \"id\": \"1387019684138751044\", \"primaryDescription\": \"USB device TEST was disconnected on HOSTNAME.\", \"secondaryDescription\": \"IP address: 5.6.7.8\", \"siteId\": \"1083054176741832911\", \"updatedAt\": \"2025-01-30T07:27:14.910416Z\"}", + "event": { + "action": "Device Control Approved Event", + "category": "host", + "reason": "USB device TEST was disconnected on HOSTNAME.", + "type": [ + "allowed" + ] + }, + "@timestamp": "2025-01-30T07:27:16.108284Z", + "action": { 
+ "type": 5126 + }, + "agent": { + "id": "1234" + }, + "group": { + "id": "1083054176758610128" + }, + "host": { + "name": "HOSTNAME" + }, + "organization": { + "id": "1234" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user" + ] + }, + "rule": { + "id": "-1" + }, + "sentinelone": { + "createdAt": "2025-01-30T07:27:16.108284Z", + "data": { + "accountName": "group", + "computerName": "HOSTNAME", + "creator": "N/A", + "deviceClass": "00h", + "deviceName": "TEST", + "eventId": "{70f9e255-417f-4217-83a5-2a7c68c1cce5}", + "eventTime": "2025-01-30T07:27:30.800+00:00", + "eventType": "disconnected", + "fullScopeDetails": "Group WW", + "fullScopeDetailsPath": "Global / CORP / CORP-servers", + "group": { + "id": "1234" + }, + "groupName": "Global / CORP / CORP-Users / Default Group", + "interface": "USB", + "ipAddress": "1.2.3.4", + "lastLoggedInUserName": "user", + "lmpVersion": "N/A", + "minorClass": "N/A", + "osType": "windows", + "productId": "2CEE", + "profileUuids": "N/A", + "ruleType": "productId", + "scopeLevel": "Group", + "scopeName": "WW ", + "siteName": "CORP-Users", + "version": "N/A" + }, + "eventid": 1387019684138751044, + "secondaryDescription": "IP address: 5.6.7.8", + "siteId": 1083054176741832911, + "updatedAt": "2025-01-30T07:27:14.910416Z" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "user" + } + } + + ``` + + === "activity-type-5126.json" ```json 
@@ -2460,6 +2549,271 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "threat4.json" + + ```json + + { + "message": "{\"agentDetectionInfo\": {\"accountId\": \"1588993609183209372\", \"accountName\": \"0 - MDR - APRR\", \"agentDetectionState\": null, \"agentDomain\": \"saprr.local\", \"agentIpV4\": \"1.2.3.4,5.6.7.8,9.10.11.12\", \"agentIpV6\": \"\", \"agentLastLoggedInUpn\": null, \"agentLastLoggedInUserMail\": null, \"agentLastLoggedInUserName\": \"\", \"agentMitigationMode\": \"protect\", \"agentOsName\": \"Linux\", \"agentOsRevision\": \"Debian GNU/12 (bookworm) 6.1.0-29-amd64\", \"agentRegisteredAt\": \"2025-01-29T11:05:23.759829Z\", \"agentUuid\": \"1f03f1fd-71b6-91e8-1790-ff46fbd57d08\", \"agentVersion\": \"24.2.2.20\", \"assetVersion\": \"\", \"cloudProviders\": {\"ESXI\": {}}, \"externalIp\": \"10.20.30.40\", \"groupId\": \"1592057602674298966\", \"groupName\": \"Default Group\", \"siteId\": \"1592057602649133141\", \"siteName\": \"Serveurs Linux\"}, \"agentRealtimeInfo\": {\"accountId\": \"1588993609183209372\", \"accountName\": \"0 - MDR - APRR\", \"activeThreats\": 0, \"agentComputerName\": \"slz0080.saprr.local\", \"agentDecommissionedAt\": null, \"agentDomain\": \"saprr.local\", \"agentId\": \"2138423311915892041\", \"agentInfected\": false, \"agentIsActive\": true, \"agentIsDecommissioned\": false, \"agentMachineType\": \"server\", \"agentMitigationMode\": \"protect\", \"agentNetworkStatus\": \"connected\", \"agentOsName\": \"Linux\", \"agentOsRevision\": \"Debian GNU/12 (bookworm) 6.1.0-29-amd64\", \"agentOsType\": \"linux\", \"agentUuid\": \"1f03f1fd-71b6-91e8-1790-ff46fbd57d08\", \"agentVersion\": \"24.2.2.20\", \"groupId\": \"1604948594358127522\", \"groupName\": \"Docker\", \"networkInterfaces\": [{\"id\": \"2147130287111486641\", \"inet\": [], \"inet6\": [], \"name\": \"veth133e4a3\", \"physical\": \"11:22:33:44:55:66\"}, {\"id\": \"2147114829782704490\", \"inet\": [], \"inet6\": [], \"name\": 
\"veth1ebd738\", \"physical\": \"AA:BB:CC:DD:EE:FF\"}, {\"id\": \"2147114829765927270\", \"inet\": [\"9.10.11.12\"], \"inet6\": [], \"name\": \"br-eecebc98dd4b\", \"physical\": \"77:88:99:00:11:22\"}, {\"id\": \"2147114829757538660\", \"inet\": [], \"inet6\": [], \"name\": \"vethcab2067\", \"physical\": \"A1:B2:C3:D4:E5:F6\"}, {\"id\": \"2145128987023664939\", \"inet\": [\"5.6.7.8\"], \"inet6\": [], \"name\": \"docker0\", \"physical\": \"1A:2B:3C:4D:5E:6F\"}, {\"id\": \"2138423311932669261\", \"inet\": [\"1.2.3.4\"], \"inet6\": [], \"name\": \"ens192\", \"physical\": \"00:11:22:33:44:55\"}], \"operationalState\": \"na\", \"rebootRequired\": false, \"scanAbortedAt\": null, \"scanFinishedAt\": null, \"scanStartedAt\": null, \"scanStatus\": \"none\", \"siteId\": \"1592057602649133141\", \"siteName\": \"Serveurs Linux\", \"storageName\": null, \"storageType\": null, \"userActionsNeeded\": []}, \"containerInfo\": {\"id\": \"b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c\", \"image\": \"aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112\", \"isContainerQuarantine\": false, \"labels\": [\"MAINTAINER:\\\"AxonOps \\\"\", \"com.docker.compose.config-hash:\\\"559ae0e792091b120f6f99d15da543e95d5c59e3209ed216d4077492de88ebdd\\\"\", \"com.docker.compose.container-number:\\\"1\\\"\", \"com.docker.compose.oneoff:\\\"False\\\"\", \"com.docker.compose.project:\\\"axonops\\\"\", \"com.docker.compose.project.config_files:\\\"axonops-compose.yml\\\"\", \"com.docker.compose.project.working_dir:\\\"/opt/aprr/docker-app/axonops\\\"\", \"com.docker.compose.service:\\\"axon-dash\\\"\", \"com.docker.compose.version:\\\"1.26.0\\\"\", \"org.opencontainers.image.ref.name:\\\"ubuntu\\\"\", \"org.opencontainers.image.version:\\\"22.04\\\"\"], \"name\": \"axonops_axon-dash_1\"}, \"ecsInfo\": {\"clusterName\": null, \"serviceArn\": null, \"serviceName\": null, \"taskArn\": null, \"taskAvailabilityZone\": null, \"taskDefinitionArn\": null, \"taskDefinitionFamily\": null, 
\"taskDefinitionRevision\": null, \"type\": null, \"version\": null}, \"id\": \"2147115586493991494\", \"indicators\": [{\"category\": \"Post Exploitation\", \"description\": \"A file was executed in a container that was not a part of the container image\", \"ids\": [1446], \"tactics\": []}], \"kubernetesInfo\": {\"cluster\": null, \"controllerKind\": null, \"controllerLabels\": null, \"controllerName\": null, \"isContainerQuarantine\": null, \"namespace\": null, \"namespaceLabels\": null, \"node\": null, \"nodeLabels\": null, \"pod\": null, \"podLabels\": null}, \"mitigationStatus\": [{\"action\": \"kill\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 3, \"total\": 3}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2025-02-10T10:55:23.951728Z\", \"latestReport\": \"/threats/mitigation-report/2147115589035740263\", \"mitigationEndedAt\": \"2025-02-10T10:55:23.596000Z\", \"mitigationStartedAt\": \"2025-02-10T10:55:23.595000Z\", \"reportId\": \"2147115589035740263\", \"status\": \"success\"}, {\"action\": \"quarantine\", \"actionsCounters\": {\"failed\": 0, \"notFound\": 0, \"pendingReboot\": 0, \"success\": 46, \"total\": 46}, \"agentSupportsReport\": true, \"groupNotFound\": false, \"lastUpdate\": \"2025-02-10T10:55:24.023572Z\", \"latestReport\": \"/threats/mitigation-report/2147115589639720178\", \"mitigationEndedAt\": \"2025-02-10T10:55:23.594000Z\", \"mitigationStartedAt\": \"2025-02-10T10:55:23.594000Z\", \"reportId\": \"2147115589639720178\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"false_positive\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": null, \"classification\": \"Malware\", \"classificationSource\": \"Static\", \"cloudFilesHashVerdict\": null, \"collectionId\": \"2145125396640532798\", \"confidenceLevel\": \"suspicious\", \"createdAt\": \"2025-02-10T10:55:23.648310Z\", 
\"detectionEngines\": [{\"key\": \"application_control\", \"title\": \"Application Control\"}], \"detectionType\": \"dynamic\", \"engines\": [\"Application Control\"], \"externalTicketExists\": false, \"externalTicketId\": null, \"failedActions\": false, \"fileExtension\": null, \"fileExtensionType\": null, \"filePath\": \"/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun\", \"fileSize\": 78, \"fileVerificationType\": null, \"identifiedAt\": \"2025-02-10T10:55:23.587476Z\", \"incidentStatus\": \"resolved\", \"incidentStatusDescription\": \"Resolved\", \"initiatedBy\": \"agent_policy\", \"initiatedByDescription\": \"Agent Policy\", \"initiatingUserId\": null, \"initiatingUsername\": null, \"isFileless\": false, \"isValidCertificate\": null, \"macroModules\": null, \"maliciousProcessArguments\": \"/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun\", \"md5\": null, \"mitigatedPreemptively\": false, \"mitigationStatus\": \"marked_as_benign\", \"mitigationStatusDescription\": \"Marked as benign\", \"originatorProcess\": null, \"pendingActions\": false, \"processUser\": \"\", \"publisherName\": null, \"reachedEventsLimit\": null, \"rebootRequired\": false, \"rootProcessUpn\": null, \"sha1\": \"315e54b4903ac4923d3014b4ebb098fb966b1e09\", \"sha256\": \"2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0\", \"storyline\": \"2278a12c-b8f7-e37f-aaa6-286b028d3bf0\", \"threatId\": \"2147115586493991494\", \"threatName\": \"AppRun\", \"updatedAt\": \"2025-02-10T10:58:43.575450Z\"}, \"whiteningOptions\": [\"hash\", \"path\"]}", + "event": { + "category": [ + "malware" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "agent": { + "id": "2138423311915892041" + }, + "container": { + "id": "b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c", + "image": { + "name": 
"aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112" + }, + "name": "axonops_axon-dash_1" + }, + "file": { + "extension": "none", + "hash": { + "sha1": "315e54b4903ac4923d3014b4ebb098fb966b1e09", + "sha256": "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0" + }, + "name": "AppRun", + "path": "/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "size": 78 + }, + "host": { + "domain": "saprr.local", + "ip": [ + "1.2.3.4", + "10.20.30.40", + "5.6.7.8", + "9.10.11.12" + ], + "name": "slz0080.saprr.local", + "os": { + "family": "linux", + "version": "Linux" + } + }, + "organization": { + "id": "1588993609183209372", + "name": "0 - MDR - APRR" + }, + "related": { + "hash": [ + "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0", + "315e54b4903ac4923d3014b4ebb098fb966b1e09" + ], + "ip": [ + "1.2.3.4", + "10.20.30.40", + "5.6.7.8", + "9.10.11.12" + ] + }, + "sentinelone": { + "agentDetectionInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "agentDomain": "saprr.local", + "agentIpV4": "1.2.3.4,5.6.7.8,9.10.11.12", + "agentMitigationMode": "protect", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentRegisteredAt": "2025-01-29T11:05:23.759829Z", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "externalIp": "10.20.30.40", + "groupId": 1592057602674298966, + "groupName": "Default Group", + "siteId": 1592057602649133141, + "siteName": "Serveurs Linux" + }, + "agentRealtimeInfo": { + "activeThreats": 0, + "agentComputerName": "slz0080.saprr.local", + "agentDomain": "saprr.local", + "agentId": "2138423311915892041", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + 
"agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "groupId": 1604948594358127522, + "groupName": "Docker", + "networkInterfaces": [ + { + "id": "2147130287111486641", + "inet": [], + "inet6": [], + "name": "veth133e4a3", + "physical": "11:22:33:44:55:66" + }, + { + "id": "2147114829782704490", + "inet": [], + "inet6": [], + "name": "veth1ebd738", + "physical": "AA:BB:CC:DD:EE:FF" + }, + { + "id": "2147114829765927270", + "inet": [ + "9.10.11.12" + ], + "inet6": [], + "name": "br-eecebc98dd4b", + "physical": "77:88:99:00:11:22" + }, + { + "id": "2147114829757538660", + "inet": [], + "inet6": [], + "name": "vethcab2067", + "physical": "A1:B2:C3:D4:E5:F6" + }, + { + "id": "2145128987023664939", + "inet": [ + "5.6.7.8" + ], + "inet6": [], + "name": "docker0", + "physical": "1A:2B:3C:4D:5E:6F" + }, + { + "id": "2138423311932669261", + "inet": [ + "1.2.3.4" + ], + "inet6": [], + "name": "ens192", + "physical": "00:11:22:33:44:55" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanStatus": "none", + "siteId": 1592057602649133141, + "siteName": "Serveurs Linux", + "userActionsNeeded": [] + }, + "eventid": 2147115586493991494, + "indicators": [ + { + "category": "Post Exploitation", + "description": "A file was executed in a container that was not a part of the container image", + "ids": [ + 1446 + ], + "tactics": [] + } + ], + "mitigationStatus": [ + { + "action": "kill", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 3, + "total": 3 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:23.951728Z", + "latestReport": "/threats/mitigation-report/2147115589035740263", + "mitigationEndedAt": "2025-02-10T10:55:23.596000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.595000Z", + "reportId": "2147115589035740263", + "status": "success" + }, + { + "action": "quarantine", + 
"actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 46, + "total": 46 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:24.023572Z", + "latestReport": "/threats/mitigation-report/2147115589639720178", + "mitigationEndedAt": "2025-02-10T10:55:23.594000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.594000Z", + "reportId": "2147115589639720178", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "false_positive", + "analystVerdictDescription": "False positive", + "automaticallyResolved": false, + "classificationSource": "Static", + "collectionId": "2145125396640532798", + "detectionEngines": [ + { + "key": "application_control", + "title": "Application Control" + } + ], + "detectionType": "dynamic", + "engines": [ + "Application Control" + ], + "externalTicketExists": false, + "failedActions": false, + "incidentStatus": "resolved", + "incidentStatusDescription": "Resolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "isFileless": false, + "maliciousProcessArguments": "/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "mitigatedPreemptively": false, + "mitigationStatus": "marked_as_benign", + "mitigationStatusDescription": "Marked as benign", + "pendingActions": false, + "rebootRequired": false, + "storyline": "2278a12c-b8f7-e37f-aaa6-286b028d3bf0", + "threatId": "2147115586493991494", + "updatedAt": "2025-02-10T10:58:43.575450Z" + }, + "whiteningOptions": [ + "hash", + "path" + ] + }, + "threat": { + "enrichments": { + "matched": { + "occurred": "2025-02-10T10:55:23.587476Z" + } + }, + "indicator": { + "confidence": "suspicious", + "file": { + "created": "2025-02-10T10:55:23.648310Z", + "size": 78 + } + }, + "software": { + "type": "Malware" + } + } + } + + ``` + + === "user_logged_in.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md index 2bce2d791..0ca565254 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md 
@@ -473,6 +473,67 @@ In this section, you will find examples of raw logs as generated natively by the +=== "activity-type-5126-2" + + + ```json + { + "accountId": "1234", + "activityType": 5126, + "agentId": "1234", + "createdAt": "2025-01-30T07:27:16.108284Z", + "data": { + "accountName": "group", + "bluetoothAddress": "", + "computerName": "HOSTNAME", + "creator": "N/A", + "deviceClass": "00h", + "deviceInformationServiceInfoKey": "", + "deviceInformationServiceInfoValue": "", + "deviceName": "TEST", + "eventId": "{70f9e255-417f-4217-83a5-2a7c68c1cce5}", + "eventTime": "2025-01-30T07:27:30.800+00:00", + "eventType": "disconnected", + "externalServiceId": null, + "fullScopeDetails": "Group WW", + "fullScopeDetailsPath": "Global / CORP / CORP-servers", + "gattService": "", + "groupId": "1234", + "groupName": "Global / CORP / CORP-Users / Default Group", + "interface": "USB", + "ipAddress": "1.2.3.4", + "lastLoggedInUserName": "user", + "lmpVersion": "N/A", + "manufacturerName": "", + "minorClass": "N/A", + "osType": "windows", + "physicalDeviceId": null, + "productId": "2CEE", + "profileUuids": "N/A", + "realUser": null, + "ruleId": "-1", + "ruleName": null, + "ruleScopeName": null, + "ruleType": "productId", + "scopeLevel": "Group", + "scopeName": "WW ", + "siteName": "CORP-Users", + "sourceType": "API", + "uid": "", + "vendorId": "1E7D", + "version": "N/A" + }, + "groupId": "1083054176758610128", + "id": "1387019684138751044", + "primaryDescription": "USB device TEST was disconnected on HOSTNAME.", + "secondaryDescription": "IP address: 5.6.7.8", + "siteId": "1083054176741832911", + "updatedAt": "2025-01-30T07:27:14.910416Z" + } + ``` + + + === "activity-type-5126" 
@@ -1940,6 +2001,281 @@ In this section, you will find examples of raw logs as generated natively by the +=== "threat4" + + + ```json + { + "agentDetectionInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "agentDetectionState": null, + "agentDomain": "saprr.local", + "agentIpV4": "1.2.3.4,5.6.7.8,9.10.11.12", + "agentIpV6": "", + "agentLastLoggedInUpn": null, + "agentLastLoggedInUserMail": null, + "agentLastLoggedInUserName": "", + "agentMitigationMode": "protect", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentRegisteredAt": "2025-01-29T11:05:23.759829Z", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "assetVersion": "", + "cloudProviders": { + "ESXI": {} + }, + "externalIp": "10.20.30.40", + "groupId": "1592057602674298966", + "groupName": "Default Group", + "siteId": "1592057602649133141", + "siteName": "Serveurs Linux" + }, + "agentRealtimeInfo": { + "accountId": "1588993609183209372", + "accountName": "0 - MDR - APRR", + "activeThreats": 0, + "agentComputerName": "slz0080.saprr.local", + "agentDecommissionedAt": null, + "agentDomain": "saprr.local", + "agentId": "2138423311915892041", + "agentInfected": false, + "agentIsActive": true, + "agentIsDecommissioned": false, + "agentMachineType": "server", + "agentMitigationMode": "protect", + "agentNetworkStatus": "connected", + "agentOsName": "Linux", + "agentOsRevision": "Debian GNU/12 (bookworm) 6.1.0-29-amd64", + "agentOsType": "linux", + "agentUuid": "1f03f1fd-71b6-91e8-1790-ff46fbd57d08", + "agentVersion": "24.2.2.20", + "groupId": "1604948594358127522", + "groupName": "Docker", + "networkInterfaces": [ + { + "id": "2147130287111486641", + "inet": [], + "inet6": [], + "name": "veth133e4a3", + "physical": "11:22:33:44:55:66" + }, + { + "id": "2147114829782704490", + "inet": [], + "inet6": [], + "name": "veth1ebd738", + "physical": "AA:BB:CC:DD:EE:FF" + }, + { + "id": 
"2147114829765927270", + "inet": [ + "9.10.11.12" + ], + "inet6": [], + "name": "br-eecebc98dd4b", + "physical": "77:88:99:00:11:22" + }, + { + "id": "2147114829757538660", + "inet": [], + "inet6": [], + "name": "vethcab2067", + "physical": "A1:B2:C3:D4:E5:F6" + }, + { + "id": "2145128987023664939", + "inet": [ + "5.6.7.8" + ], + "inet6": [], + "name": "docker0", + "physical": "1A:2B:3C:4D:5E:6F" + }, + { + "id": "2138423311932669261", + "inet": [ + "1.2.3.4" + ], + "inet6": [], + "name": "ens192", + "physical": "00:11:22:33:44:55" + } + ], + "operationalState": "na", + "rebootRequired": false, + "scanAbortedAt": null, + "scanFinishedAt": null, + "scanStartedAt": null, + "scanStatus": "none", + "siteId": "1592057602649133141", + "siteName": "Serveurs Linux", + "storageName": null, + "storageType": null, + "userActionsNeeded": [] + }, + "containerInfo": { + "id": "b4fe7878d50485166dd5b29c43fe64df7e82b31c19701d7fa4be25d925d4656c", + "image": "aprr.jfrog.io/soc-docker-infra-stable/axon-dash:1.0.112", + "isContainerQuarantine": false, + "labels": [ + "MAINTAINER:\"AxonOps \"", + "com.docker.compose.config-hash:\"559ae0e792091b120f6f99d15da543e95d5c59e3209ed216d4077492de88ebdd\"", + "com.docker.compose.container-number:\"1\"", + "com.docker.compose.oneoff:\"False\"", + "com.docker.compose.project:\"axonops\"", + "com.docker.compose.project.config_files:\"axonops-compose.yml\"", + "com.docker.compose.project.working_dir:\"/opt/aprr/docker-app/axonops\"", + "com.docker.compose.service:\"axon-dash\"", + "com.docker.compose.version:\"1.26.0\"", + "org.opencontainers.image.ref.name:\"ubuntu\"", + "org.opencontainers.image.version:\"22.04\"" + ], + "name": "axonops_axon-dash_1" + }, + "ecsInfo": { + "clusterName": null, + "serviceArn": null, + "serviceName": null, + "taskArn": null, + "taskAvailabilityZone": null, + "taskDefinitionArn": null, + "taskDefinitionFamily": null, + "taskDefinitionRevision": null, + "type": null, + "version": null + }, + "id": "2147115586493991494", 
+ "indicators": [ + { + "category": "Post Exploitation", + "description": "A file was executed in a container that was not a part of the container image", + "ids": [ + 1446 + ], + "tactics": [] + } + ], + "kubernetesInfo": { + "cluster": null, + "controllerKind": null, + "controllerLabels": null, + "controllerName": null, + "isContainerQuarantine": null, + "namespace": null, + "namespaceLabels": null, + "node": null, + "nodeLabels": null, + "pod": null, + "podLabels": null + }, + "mitigationStatus": [ + { + "action": "kill", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 3, + "total": 3 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:23.951728Z", + "latestReport": "/threats/mitigation-report/2147115589035740263", + "mitigationEndedAt": "2025-02-10T10:55:23.596000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.595000Z", + "reportId": "2147115589035740263", + "status": "success" + }, + { + "action": "quarantine", + "actionsCounters": { + "failed": 0, + "notFound": 0, + "pendingReboot": 0, + "success": 46, + "total": 46 + }, + "agentSupportsReport": true, + "groupNotFound": false, + "lastUpdate": "2025-02-10T10:55:24.023572Z", + "latestReport": "/threats/mitigation-report/2147115589639720178", + "mitigationEndedAt": "2025-02-10T10:55:23.594000Z", + "mitigationStartedAt": "2025-02-10T10:55:23.594000Z", + "reportId": "2147115589639720178", + "status": "success" + } + ], + "threatInfo": { + "analystVerdict": "false_positive", + "analystVerdictDescription": "False positive", + "automaticallyResolved": false, + "browserType": null, + "certificateId": null, + "classification": "Malware", + "classificationSource": "Static", + "cloudFilesHashVerdict": null, + "collectionId": "2145125396640532798", + "confidenceLevel": "suspicious", + "createdAt": "2025-02-10T10:55:23.648310Z", + "detectionEngines": [ + { + "key": "application_control", + "title": "Application Control" + } + ], + 
"detectionType": "dynamic", + "engines": [ + "Application Control" + ], + "externalTicketExists": false, + "externalTicketId": null, + "failedActions": false, + "fileExtension": null, + "fileExtensionType": null, + "filePath": "/opt/aprr/docker/overlay2/a5177084b94956bf219e726894bcdc99548d6af616000a391e921c3241861c49/merged/tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "fileSize": 78, + "fileVerificationType": null, + "identifiedAt": "2025-02-10T10:55:23.587476Z", + "incidentStatus": "resolved", + "incidentStatusDescription": "Resolved", + "initiatedBy": "agent_policy", + "initiatedByDescription": "Agent Policy", + "initiatingUserId": null, + "initiatingUsername": null, + "isFileless": false, + "isValidCertificate": null, + "macroModules": null, + "maliciousProcessArguments": "/bin/sh /tmp/appimage_extracted_cc1b997abf173323efdc82ad805a6806/AppRun", + "md5": null, + "mitigatedPreemptively": false, + "mitigationStatus": "marked_as_benign", + "mitigationStatusDescription": "Marked as benign", + "originatorProcess": null, + "pendingActions": false, + "processUser": "", + "publisherName": null, + "reachedEventsLimit": null, + "rebootRequired": false, + "rootProcessUpn": null, + "sha1": "315e54b4903ac4923d3014b4ebb098fb966b1e09", + "sha256": "2f7bf3ae4ca3e725f731245ee5eb67bafbadd9d70749ef41cfe9e4ab7fdc1cd0", + "storyline": "2278a12c-b8f7-e37f-aaa6-286b028d3bf0", + "threatId": "2147115586493991494", + "threatName": "AppRun", + "updatedAt": "2025-02-10T10:58:43.575450Z" + }, + "whiteningOptions": [ + "hash", + "path" + ] + } + ``` + + + === "user_logged_in" diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index b6ae3d87b..b496d72d5 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
@@ -2056,6 +2056,84 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_dns_response_complicated.json" + + ```json + + { + "message": "{\"VendorName\": \"palo alto networks\", \"DeviceSN\": \"xxxxxxxxxxxxx\", \"TimeReceived\": \"2025-02-11T10:51:15.456002Z\", \"LogType\": \"DNS\", \"Subtype\": \"realtime_dns_telemetry_response\", \"SubType\": \"realtime_dns_telemetry_response\", \"TimeGenerated\": \"2025-02-11T10:51:15.000000Z\", \"RecordType\": \"cname,cname,cname,a,a,a,a,a,a,a,a\", \"DNSResolverIP\": \"1.2.3.4\", \"ThreatID\": 0, \"DNSCategory\": \"benign\", \"ThreatName\": null, \"SourceAddress\": \"5.6.7.8\", \"FromZone\": \"RN-USDAA-1\", \"Action\": \"Allow\", \"DNSResponse\": [\"sub1.example.com.\", \"sub2.example.com.\", \"example2.net.\", \"9.10.11.9\", \"12.13.14.11\", \"9.10.11.11\", \"12.13.14.15\", \"9.10.11.12\", \"12.13.14.10\", \"9.10.11.14\", \"9.10.11.4\"], \"ToZone\": null, \"DestinationUser\": null}", + "event": { + "action": "Allow", + "category": [ + "network" + ], + "dataset": "dns", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2025-02-11T10:51:15Z", + "action": { + "name": "Allow", + "outcome": "success", + "type": "realtime_dns_telemetry_response" + }, + "dns": { + "question": { + "type": "cname,cname,cname,a,a,a,a,a,a,a,a" + }, + "resolved_ip": [ + "12.13.14.10", + "12.13.14.11", + "12.13.14.15", + "9.10.11.11", + "9.10.11.12", + "9.10.11.14", + "9.10.11.4", + "9.10.11.9" + ] + }, + "log": { + "logger": "dns" + }, + "observer": { + "ingress": { + "interface": { + "alias": "RN-USDAA-1" + } + }, + "product": "PAN-OS", + "serial_number": "xxxxxxxxxxxxx" + }, + "paloalto": { + "Threat_ContentType": "realtime_dns_telemetry_response", + "dns": { + "category": "benign" + } + }, + "related": { + "ip": [ + "12.13.14.10", + "12.13.14.11", + "12.13.14.15", + "5.6.7.8", + "9.10.11.11", + "9.10.11.12", + "9.10.11.14", + "9.10.11.4", + "9.10.11.9" + ] + }, + "source": { + "address": 
"5.6.7.8", + "ip": "5.6.7.8" + } + } + + ``` + + === "test_event_reason.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md index d7aeb4221..114623f0a 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md @@ -582,6 +582,46 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_dns_response_complicated" + + + ```json + { + "VendorName": "palo alto networks", + "DeviceSN": "xxxxxxxxxxxxx", + "TimeReceived": "2025-02-11T10:51:15.456002Z", + "LogType": "DNS", + "Subtype": "realtime_dns_telemetry_response", + "SubType": "realtime_dns_telemetry_response", + "TimeGenerated": "2025-02-11T10:51:15.000000Z", + "RecordType": "cname,cname,cname,a,a,a,a,a,a,a,a", + "DNSResolverIP": "1.2.3.4", + "ThreatID": 0, + "DNSCategory": "benign", + "ThreatName": null, + "SourceAddress": "5.6.7.8", + "FromZone": "RN-USDAA-1", + "Action": "Allow", + "DNSResponse": [ + "sub1.example.com.", + "sub2.example.com.", + "example2.net.", + "9.10.11.9", + "12.13.14.11", + "9.10.11.11", + "12.13.14.15", + "9.10.11.12", + "12.13.14.10", + "9.10.11.14", + "9.10.11.4" + ], + "ToZone": null, + "DestinationUser": null + } + ``` + + + === "test_event_reason" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 326896f0b..712189675 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -1662,6 +1662,78 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_551.json" + + ```json + + { + "message": "{\"EventTime\": \"2025-02-13 09:59:16\", \"Hostname\": \"dc2.intranet.example\", \"Keywords\": 580964351930793992, \"EventType\": \"ERROR\", \"SeverityValue\": 4, \"Severity\": \"ERROR\", \"EventID\": 551, \"SourceName\": \"Microsoft-Windows-SMBServer\", \"ProviderGuid\": \"{023B183D-B1C2-4875-82FD-E2EBC8966A98}\", \"Version\": 2, \"Task\": 551, \"OpcodeValue\": 0, \"RecordNumber\": 246121596, \"ProcessID\": 4, \"ThreadID\": 1696, \"Channel\": \"Microsoft-Windows-SMBServer/Security\", \"Domain\": \"NT AUTHORITY\", \"AccountName\": \"SYSTEM\", \"UserID\": \"JOHNDOE\", \"AccountType\": \"User\", \"Message\": \"SMB Session Authentication Failure\\r\\n\\r\\nClient Name: \\\\\\\\1.2.3.4\\r\\nClient Address: 1.2.3.4:41760\\r\\nUser Name: \\r\\nSession ID: 0x123456789\\r\\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\\r\\nSPN: session setup failed before the SPN could be queried\\r\\nSPN Validation Policy: SPN optional / no validation\\r\\n\\r\\nGuidance:\\r\\n\\r\\nYou should expect this error when attempting to connect to shares using incorrect credentials.\\r\\n\\r\\nThis error does not always indicate a problem with authorization, but mainly authentication. 
It is more common with non-Windows clients.\\r\\n\\r\\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled\", \"Opcode\": \"Info\", \"EventReceivedTime\": \"2025-02-13 09:59:17\", \"SourceModuleName\": \"eventlog\", \"SourceModuleType\": \"im_msvistalog\"}", + "event": { + "code": "551", + "message": "SMB Session Authentication Failure\r\n\r\nClient Name: \\\\1.2.3.4\r\nClient Address: 1.2.3.4:41760\r\nUser Name: \r\nSession ID: 0x123456789\r\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\r\nSPN: session setup failed before the SPN could be queried\r\nSPN Validation Policy: SPN optional / no validation\r\n\r\nGuidance:\r\n\r\nYou should expect this error when attempting to connect to shares using incorrect credentials.\r\n\r\nThis error does not always indicate a problem with authorization, but mainly authentication. 
It is more common with non-Windows clients.\r\n\r\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled",
+ "provider": "Microsoft-Windows-SMBServer"
+ },
+ "action": {
+ "id": 551,
+ "properties": {
+ "AccountName": "SYSTEM",
+ "AccountType": "User",
+ "Domain": "NT AUTHORITY",
+ "EventType": "ERROR",
+ "Keywords": "580964351930793992",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{023B183D-B1C2-4875-82FD-E2EBC8966A98}",
+ "Severity": "ERROR",
+ "SourceName": "Microsoft-Windows-SMBServer",
+ "Task": 551
+ },
+ "record_id": 246121596,
+ "type": "Microsoft-Windows-SMBServer/Security"
+ },
+ "host": {
+ "hostname": "dc2.intranet.example",
+ "name": "dc2.intranet.example"
+ },
+ "log": {
+ "hostname": "dc2.intranet.example",
+ "level": "error"
+ },
+ "os": {
+ "family": "windows",
+ "platform": "windows"
+ },
+ "process": {
+ "id": 4,
+ "pid": 4,
+ "thread": {
+ "id": 1696
+ }
+ },
+ "related": {
+ "hosts": [
+ "dc2.intranet.example"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "SYSTEM"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "JOHNDOE",
+ "name": "SYSTEM"
+ }
+ }
+
+ ```
+
+
 === "Event_56.json"
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md
index eda91ef2d..e9eaf67a1 100644
--- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md
@@ -850,6 +850,40 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "Event_551"
+
+ ```
+ {
+ "EventTime": "2025-02-13 09:59:16",
+ "Hostname": "dc2.intranet.example",
+ "Keywords": 580964351930793992,
+ "EventType": "ERROR",
+ "SeverityValue": 4,
+ "Severity": "ERROR",
+ "EventID": 551,
+ "SourceName": "Microsoft-Windows-SMBServer",
+ "ProviderGuid": "{023B183D-B1C2-4875-82FD-E2EBC8966A98}",
+ "Version": 2,
+ "Task": 551,
+ "OpcodeValue": 0,
+ "RecordNumber": 246121596,
+ "ProcessID": 4,
+ "ThreadID": 1696,
+ "Channel": "Microsoft-Windows-SMBServer/Security",
+ "Domain": "NT AUTHORITY",
+ "AccountName": "SYSTEM",
+ "UserID": "JOHNDOE",
+ "AccountType": "User",
+ "Message": "SMB Session Authentication Failure\r\n\r\nClient Name: \\\\1.2.3.4\r\nClient Address: 1.2.3.4:41760\r\nUser Name: \r\nSession ID: 0x123456789\r\nStatus: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)\r\nSPN: session setup failed before the SPN could be queried\r\nSPN Validation Policy: SPN optional / no validation\r\n\r\nGuidance:\r\n\r\nYou should expect this error when attempting to connect to shares using incorrect credentials.\r\n\r\nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.\r\n\r\nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled",
+ "Opcode": "Info",
+ "EventReceivedTime": "2025-02-13 09:59:17",
+ "SourceModuleName": "eventlog",
+ "SourceModuleType": "im_msvistalog"
+ }
+ ```
+
+
+
 === "Event_56"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md
index 8b4507e8e..d68800471 100644
--- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md
+++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md
@@ -27,6 +27,125 @@ In details, the following table denotes the type of events produced by this inte
 This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data.
+=== "common_log_format_1.json"
+
+ ```json
+
+ {
+ "message": "1.2.3.4 - johndoe [05/02/2025 11:30:29] \"GET https://sub.example.com/1.png HTTP/1.1\" 200 - - 1000 Business Services",
+ "event": {
+ "category": [
+ "network",
+ "web"
+ ]
+ },
+ "@timestamp": "2025-05-02T11:30:29Z",
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "network": {
+ "direction": "egress"
+ },
+ "observer": {
+ "product": "Squid",
+ "type": "proxy",
+ "vendor": "Squid"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "johndoe"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "url": {
+ "domain": "sub.example.com",
+ "full": "https://sub.example.com/1.png",
+ "original": "https://sub.example.com/1.png",
+ "path": "/1.png",
+ "port": 443,
+ "registered_domain": "example.com",
+ "scheme": "https",
+ "subdomain": "sub",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "johndoe"
+ }
+ }
+
+ ```
+
+
+=== "common_log_format_2.json"
+
+ ```json
+
+ {
+ "message": "5.6.7.8 - janedoe [05/02/2025 11:31:06] \"CONNECT https://example.com:443 HTTP/1.1\" 200 -",
+ "event": {
+ "category": [
+ "network",
+ "web"
+ ]
+ },
+ "@timestamp": "2025-05-02T11:31:06Z",
+ "destination": {
+ "address": "https://example.com",
+ "domain": "https://example.com",
+ "port": 443,
+ "registered_domain": "example.com",
+ "top_level_domain": "com"
+ },
+ "http": {
+ "request": {
+ "method": "CONNECT"
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "network": {
+ "direction": "egress"
+ },
+ "observer": {
+ "product": "Squid",
+ "type": "proxy",
+ "vendor": "Squid"
+ },
+ "related": {
+ "hosts": [
+ "https://example.com"
+ ],
+ "ip": [
+ "5.6.7.8"
+ ],
+ "user": [
+ "janedoe"
+ ]
+ },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
+ },
+ "user": {
+ "name": "janedoe"
+ }
+ }
+
+ ```
+
+
 === "connect.json"
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md
index 831cf9390..eec8ff688 100644
--- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md
+++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_sample.md
@@ -4,6 +4,22 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
+=== "common_log_format_1"
+
+ ```
+ 1.2.3.4 - johndoe [05/02/2025 11:30:29] "GET https://sub.example.com/1.png HTTP/1.1" 200 - - 1000 Business Services
+ ```
+
+
+
+=== "common_log_format_2"
+
+ ```
+ 5.6.7.8 - janedoe [05/02/2025 11:31:06] "CONNECT https://example.com:443 HTTP/1.1" 200 -
+ ```
+
+
+
 === "connect"
 ```
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
index 03de6aaa1..cd8f9612d 100644
--- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
@@ -3606,6 +3606,74 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "security_compliance_alert_8.json" + + ```json + + { + "message": "{\"CreationTime\": \"2025-01-31T23:11:21\", \"Id\": \"3af6fbb3-040e-4ecc-4e18-08dd424c935a\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"abcdef123\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"test@example.com\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"BIURO\", \"AlertId\": \"b69ac1d6-7546-4f1b-a15f-fca0b5a7d005\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"test@example.com\\\",\\\"tid\\\":\\\"abcdef123-ecef-4cb1-a848-794d17916b7b\\\",\\\"ts\\\":\\\"2025-01-31T23:09:52.0000000Z\\\",\\\"te\\\":\\\"2025-01-31T23:09:52.0000000Z\\\",\\\"op\\\":\\\"CompromisedAccount\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"BIURO@SEPARATOR.PL\\\",\\\"ut\\\":\\\"System\\\",\\\"ssic\\\":\\\"0\\\",\\\"lon\\\":\\\"CompromisedAccount\\\"}\", \"EntityType\": \"User\", \"Name\": \"User restricted from sending email\", \"PolicyId\": \"5bd8e1ef-44f4-4a67-b40f-48fd576ec779\", \"Severity\": \"High\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2025-01-31T23:11:21Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "User restricted from sending email", + "entity_type": "User", + "id": 
"b69ac1d6-7546-4f1b-a15f-fca0b5a7d005",
+ "severity": "High",
+ "source": "Office 365 Security & Compliance",
+ "status": "Active"
+ },
+ "audit": {
+ "object_id": "test@example.com"
+ },
+ "record_type": 40,
+ "result_status": "Succeeded",
+ "user_type": {
+ "code": 4,
+ "name": "System"
+ }
+ },
+ "organization": {
+ "id": "abcdef123"
+ },
+ "related": {
+ "user": [
+ "SecurityComplianceAlerts"
+ ]
+ },
+ "rule": {
+ "id": "5bd8e1ef-44f4-4a67-b40f-48fd576ec779"
+ },
+ "service": {
+ "name": "SecurityComplianceCenter"
+ },
+ "user": {
+ "id": "SecurityComplianceAlerts",
+ "name": "SecurityComplianceAlerts"
+ }
+ }
+
+ ```
+
+
 === "security_compliance_alert_malicious_url.json"
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md
index bf8d6b678..4e9e4bd9e 100644
--- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md
@@ -2074,6 +2074,45 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "security_compliance_alert_8"
+
+
+ ```json
+ {
+ "CreationTime": "2025-01-31T23:11:21",
+ "Id": "3af6fbb3-040e-4ecc-4e18-08dd424c935a",
+ "Operation": "AlertEntityGenerated",
+ "OrganizationId": "abcdef123",
+ "RecordType": 40,
+ "ResultStatus": "Succeeded",
+ "UserKey": "SecurityComplianceAlerts",
+ "UserType": 4,
+ "Version": 1,
+ "Workload": "SecurityComplianceCenter",
+ "ObjectId": "test@example.com",
+ "UserId": "SecurityComplianceAlerts",
+ "AlertEntityId": "BIURO",
+ "AlertId": "b69ac1d6-7546-4f1b-a15f-fca0b5a7d005",
+ "AlertLinks": [
+ {
+ "AlertLinkHref": ""
+ }
+ ],
+ "AlertType": "System",
+ "Category": "ThreatManagement",
+ "Comments": "New alert",
+ "Data": "{\"etype\":\"User\",\"eid\":\"test@example.com\",\"tid\":\"abcdef123-ecef-4cb1-a848-794d17916b7b\",\"ts\":\"2025-01-31T23:09:52.0000000Z\",\"te\":\"2025-01-31T23:09:52.0000000Z\",\"op\":\"CompromisedAccount\",\"tdc\":\"1\",\"suid\":\"BIURO@SEPARATOR.PL\",\"ut\":\"System\",\"ssic\":\"0\",\"lon\":\"CompromisedAccount\"}",
+ "EntityType": "User",
+ "Name": "User restricted from sending email",
+ "PolicyId": "5bd8e1ef-44f4-4a67-b40f-48fd576ec779",
+ "Severity": "High",
+ "Source": "Office 365 Security & Compliance",
+ "Status": "Active"
+ }
+ ```
+
+
+
 === "security_compliance_alert_malicious_url"
diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md
index f780e0820..3d7c4c567 100644
--- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md
+++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md
@@ -476,6 +476,115 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_authentication_sso_with_slashes.json" + + ```json + + { + "message": "{\n \"uuid\": \"ea4adf13-1469-4059-9d2c-7cfdb464b123\",\n \"actor\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n \"client\": {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"zone\": \"null\",\n \"device\": \"Unknown\",\n \"ipAddress\": \"1.2.3.4\",\n \"userAgent\": {\n \"os\": \"Unknown\",\n \"browser\": \"UNKNOWN\",\n \"rawUserAgent\": \"axios/0.19.2\"\n },\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n },\n \"device\": null,\n \"target\": [\n {\n \"id\": \"kdYO9RZnIHNhV6vii333b\",\n \"type\": \"AppInstance\",\n \"alternateId\": \"Architecture Website\",\n \"detailEntry\": {\n \"signOnModeType\": \"OPENID_CONNECT\"\n },\n \"displayName\": \"OpenID Connect Client\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"AppUser\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n },\n {\n \"id\": \"eWiaLPtSTpjyy1BIwNFXg\",\n \"type\": \"User\",\n \"alternateId\": \"john.doe@example.org\\\\\",\n \"detailEntry\": null,\n \"displayName\": \"John Doe\"\n }\n ],\n \"outcome\": {\n \"reason\": null,\n \"result\": \"SUCCESS\"\n },\n \"request\": {\n \"ipChain\": [\n {\n \"ip\": \"1.2.3.4\",\n \"source\": null,\n \"version\": \"V4\",\n \"geographicalContext\": {\n \"city\": \"Paris\",\n \"state\": \"Ile-de-France\",\n \"country\": \"France\",\n \"postalCode\": null,\n \"geolocation\": {\n \"lat\": 48.856944,\n \"lon\": 2.351389\n }\n }\n }\n ]\n },\n \"version\": \"0\",\n \"severity\": \"INFO\",\n \"eventType\": \"user.authentication.sso\",\n 
\"published\": \"2022-11-15T08:05:07.656Z\",\n \"transaction\": {\n \"id\": \"jI80snAs0ZMym5tvc8Jbp\",\n \"type\": \"WEB\",\n \"detail\": {}\n },\n \"displayMessage\": \"User single sign on to app\",\n \"legacyEventType\": \"app.auth.sso\",\n \"securityContext\": {\n \"isp\": \"Easttel\",\n \"asOrg\": \"Easttel\",\n \"domain\": \"example.org\",\n \"isProxy\": false,\n \"asNumber\": 3741\n },\n \"authenticationContext\": {\n \"issuer\": null,\n \"interface\": null,\n \"credentialType\": null,\n \"externalSessionId\": \"unknown\",\n \"authenticationStep\": 0,\n \"credentialProvider\": null,\n \"authenticationProvider\": null\n }\n}\n", + "event": { + "action": "user.authentication.sso", + "category": [ + "authentication" + ], + "dataset": "system-log", + "reason": "User single sign on to app", + "type": [ + "start" + ] + }, + "@timestamp": "2022-11-15T08:05:07.656000Z", + "observer": { + "vendor": "Okta" + }, + "okta": { + "system": { + "actor": { + "alternate_id": "john.doe@example.org", + "display_name": "John Doe", + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User" + }, + "outcome": { + "result": "SUCCESS" + }, + "severity": "INFO", + "target": { + "alternateId": "Architecture Website", + "displayName": "OpenID Connect Client", + "id": "kdYO9RZnIHNhV6vii333b", + "type": "AppInstance" + }, + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB" + } + } + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.org" + ] + }, + "source": { + "address": "example.org", + "as": { + "number": 3741, + "organization": { + "name": "Easttel" + } + }, + "domain": "example.org", + "geo": { + "city_name": "Paris", + "country_name": "France", + "location": { + "lat": 48.856944, + "lon": 2.351389 + }, + "region_name": "Ile-de-France" + }, + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org", + "user": { + "id": "eWiaLPtSTpjyy1BIwNFXg" + } + }, + "user": { + "email": 
"john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "axios",
+ "original": "axios/0.19.2",
+ "os": {
+ "name": "Other"
+ },
+ "version": "0.19.2"
+ }
+ }
+
+ ```
+
+
 === "test_login.json"
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md
index 54503693e..fbcf3ddbc 100644
--- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md
+++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7_sample.md
@@ -442,6 +442,121 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_authentication_sso_with_slashes" + + + ```json + { + "uuid": "ea4adf13-1469-4059-9d2c-7cfdb464b123", + "actor": { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + }, + "client": { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "zone": "null", + "device": "Unknown", + "ipAddress": "1.2.3.4", + "userAgent": { + "os": "Unknown", + "browser": "UNKNOWN", + "rawUserAgent": "axios/0.19.2" + }, + "geographicalContext": { + "city": "Paris", + "state": "Ile-de-France", + "country": "France", + "postalCode": null, + "geolocation": { + "lat": 48.856944, + "lon": 2.351389 + } + } + }, + "device": null, + "target": [ + { + "id": "kdYO9RZnIHNhV6vii333b", + "type": "AppInstance", + "alternateId": "Architecture Website", + "detailEntry": { + "signOnModeType": "OPENID_CONNECT" + }, + "displayName": "OpenID Connect Client" + }, + { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "AppUser", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + }, + { + "id": "eWiaLPtSTpjyy1BIwNFXg", + "type": "User", + "alternateId": "john.doe@example.org\\", + "detailEntry": null, + "displayName": "John Doe" + } + ], + "outcome": { + "reason": null, + "result": "SUCCESS" + }, + "request": { + "ipChain": [ + { + "ip": "1.2.3.4", + "source": null, + "version": "V4", + "geographicalContext": { + "city": "Paris", + "state": "Ile-de-France", + "country": "France", + "postalCode": null, + "geolocation": { + "lat": 48.856944, + "lon": 2.351389 + } + } + } + ] + }, + "version": "0", + "severity": "INFO", + "eventType": "user.authentication.sso", + "published": "2022-11-15T08:05:07.656Z", + "transaction": { + "id": "jI80snAs0ZMym5tvc8Jbp", + "type": "WEB", + "detail": {} + }, + "displayMessage": "User single sign on to app", + "legacyEventType": "app.auth.sso", + 
"securityContext": {
+ "isp": "Easttel",
+ "asOrg": "Easttel",
+ "domain": "example.org",
+ "isProxy": false,
+ "asNumber": 3741
+ },
+ "authenticationContext": {
+ "issuer": null,
+ "interface": null,
+ "credentialType": null,
+ "externalSessionId": "unknown",
+ "authenticationStep": 0,
+ "credentialProvider": null,
+ "authenticationProvider": null
+ }
+ }
+ ```
+
+
+
 === "test_login"