From 6d3a087cc01bc84c82862554d32d155a03519952 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Fri, 21 Feb 2025 15:54:14 +0000 Subject: [PATCH] Refresh intakes documentation --- .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 87 ++ ...6706-ee4a-419b-906d-f92f3a46bcdd_sample.md | 150 ++++ .../07c0cac8-f68f-11ea-adc1-0242ac120002.md | 85 ++ ...cac8-f68f-11ea-adc1-0242ac120002_sample.md | 9 + .../19cd2ed6-f90c-47f7-a46b-974354a107bb.md | 128 +++ ...2ed6-f90c-47f7-a46b-974354a107bb_sample.md | 791 ++++++++++++++++++ .../23d06c74-9311-4d56-b2ac-5d70c0b322fc.md | 235 ++++++ ...6c74-9311-4d56-b2ac-5d70c0b322fc_sample.md | 210 +++++ .../2ee6048e-8322-4575-8e47-1574946412b6.md | 112 +-- ...048e-8322-4575-8e47-1574946412b6_sample.md | 2 +- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 80 +- ...57d3-4689-4fae-8033-6f1f887a70f2_sample.md | 64 ++ .../8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md | 48 ++ ...94f8-d7bc-4c06-b96a-8808b3c6cade_sample.md | 8 + .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 89 ++ ...438c-f7c3-4001-9bcc-45fd108ba1be_sample.md | 43 + 16 files changed, 2087 insertions(+), 54 deletions(-) create mode 100644 _shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc.md create mode 100644 _shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc_sample.md diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 71c624c915..520f6e032f 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md 
@@ -1397,6 +1397,54 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_drive_sample3.json" + + ```json + + { + "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T17:10:20.317Z\", \"uniqueQualifier\": \"-12345678\", \"applicationName\": \"drive\", \"customerId\": \"CUSTO1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"email\": \"\", \"profileId\": \"105250506097979753968\"}, \"events\": [{\"type\": \"access\", \"name\": \"sheets_import_range\", \"parameters\": [{\"name\": \"primary_event\", \"boolValue\": true}, {\"name\": \"billable\", \"boolValue\": false}, {\"name\": \"sheets_import_range_recipient_doc\", \"value\": \"123qwerty456\"}, {\"name\": \"owner_is_shared_drive\", \"boolValue\": true}, {\"name\": \"owner_team_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"owner\", \"value\": \"johndoe\"}, {\"name\": \"doc_id\", \"value\": \"zxcv890\"}, {\"name\": \"doc_type\", \"value\": \"spreadsheet\"}, {\"name\": \"is_encrypted\", \"boolValue\": false}, {\"name\": \"doc_title\", \"value\": \"TPS report\"}, {\"name\": \"visibility\", \"value\": \"people_with_link\"}, {\"name\": \"shared_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"actor_is_collaborator_account\", \"boolValue\": false}, {\"name\": \"owner_is_team_drive\", \"boolValue\": true}, {\"name\": \"team_drive_id\", \"value\": \"asdf678\"}]}]}", + "event": { + "action": "sheets_import_range", + "category": [ + "file" + ], + "dataset": "admin#reports#activity", + "type": [ + "access" + ] + }, + "@timestamp": "2025-02-18T17:10:20.317000Z", + "cloud": { + "account": { + "id": "CUSTO1" + } + }, + "file": { + "gid": "asdf678", + "name": "TPS report", + "owner": "johndoe", + "type": "spreadsheet" + }, + "google": { + "report": { + "parameters": { + "visibility": "people_with_link" + } + } + }, + "network": { + "application": "drive" + }, + "related": { + "user": [ + "johndoe" + ] + } + } + + ``` + + === 
"test_drive_view_document.json" ```json @@ -1559,6 +1607,45 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_groups_enterprise_1.json" + + ```json + + { + "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T16:00:24.311Z\", \"uniqueQualifier\": \"-123456\", \"applicationName\": \"groups_enterprise\", \"customerId\": \"CUSTOMER1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"callerType\": \"KEY\", \"key\": \"SYSTEM\"}, \"events\": [{\"type\": \"moderator_action\", \"name\": \"remove_user\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}, {\"type\": \"moderator_action\", \"name\": \"remove_member\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}]}", + "event": { + "action": [ + "remove_member", + "remove_user" + ], + "category": [ + "iam" + ], + "dataset": "admin#reports#activity", + "type": [ + "admin" + ] + }, + "@timestamp": "2025-02-18T16:00:24.311000Z", + "cloud": { + "account": { + "id": "CUSTOMER1" + } + }, + "network": { + "application": "groups_enterprise" + }, + "user": { + "email": "john.doe@example.com", + "group": { + "id": "team@example.com" + } + } + } + + ``` + + === "test_groups_entre_sample1.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md index 169377e500..66466e2200 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md 
@@ -1718,6 +1718,96 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_drive_sample3" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2025-02-18T17:10:20.317Z", + "uniqueQualifier": "-12345678", + "applicationName": "drive", + "customerId": "CUSTO1" + }, + "etag": "\"ABCDEF123\"", + "actor": { + "email": "", + "profileId": "105250506097979753968" + }, + "events": [ + { + "type": "access", + "name": "sheets_import_range", + "parameters": [ + { + "name": "primary_event", + "boolValue": true + }, + { + "name": "billable", + "boolValue": false + }, + { + "name": "sheets_import_range_recipient_doc", + "value": "123qwerty456" + }, + { + "name": "owner_is_shared_drive", + "boolValue": true + }, + { + "name": "owner_team_drive_id", + "value": "asdf678" + }, + { + "name": "owner", + "value": "johndoe" + }, + { + "name": "doc_id", + "value": "zxcv890" + }, + { + "name": "doc_type", + "value": "spreadsheet" + }, + { + "name": "is_encrypted", + "boolValue": false + }, + { + "name": "doc_title", + "value": "TPS report" + }, + { + "name": "visibility", + "value": "people_with_link" + }, + { + "name": "shared_drive_id", + "value": "asdf678" + }, + { + "name": "actor_is_collaborator_account", + "boolValue": false + }, + { + "name": "owner_is_team_drive", + "boolValue": true + }, + { + "name": "team_drive_id", + "value": "asdf678" + } + ] + } + ] + } + ``` + + + === "test_drive_view_document" 
@@ -2212,6 +2302,66 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_groups_enterprise_1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2025-02-18T16:00:24.311Z", + "uniqueQualifier": "-123456", + "applicationName": "groups_enterprise", + "customerId": "CUSTOMER1" + }, + "etag": "\"ABCDEF123\"", + "actor": { + "callerType": "KEY", + "key": "SYSTEM" + }, + "events": [ + { + "type": "moderator_action", + "name": "remove_user", + "parameters": [ + { + "name": "member_id", + "value": "john.doe@example.com" + }, + { + "name": "group_id", + "value": "team@example.com" + }, + { + "name": "member_type", + "value": "user" + } + ] + }, + { + "type": "moderator_action", + "name": "remove_member", + "parameters": [ + { + "name": "member_id", + "value": "john.doe@example.com" + }, + { + "name": "group_id", + "value": "team@example.com" + }, + { + "name": "member_type", + "value": "user" + } + ] + } + ] + } + ``` + + + === "test_groups_entre_sample1" diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index 932fa8fc80..3dd6fcef98 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md 
@@ -91,6 +91,78 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "accept_ok_v5.json" + + ```json + + { + "message": "5 1234567890 eni-1235b8ca123456789 5.6.7.8 1.2.3.4 50188 4433 6 1 44 1739865042 1739865042 ACCEPT OK vpc-1 subnet-1 - 2 IPv4 5.6.7.8 1.2.3.4 eu-west-1 euw1-az2 - - - - ingress -", + "event": { + "category": [ + "network" + ], + "end": "2025-02-18T07:50:42Z", + "outcome": "ok", + "start": "2025-02-18T07:50:42Z" + }, + "@timestamp": "2025-02-18T07:50:42Z", + "action": { + "name": "accept", + "outcome": "ok", + "target": "network-traffic", + "type": "forward" + }, + "aws": { + "flowlogs": { + "subnet": { + "id": "subnet-1" + }, + "tcp_flags": 2, + "vpc": { + "id": "vpc-1" + } + } + }, + "cloud": { + "account": { + "id": "1234567890" + }, + "provider": "aws" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 4433 + }, + "network": { + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eni-1235b8ca123456789" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "bytes": 44, + "ip": "5.6.7.8", + "packets": 1, + "port": 50188 + } + } + + ``` + + === "accept_structured.json" ```json @@ -173,6 +245,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "target": "network-traffic", "type": "forward" }, + "aws": { + "flowlogs": { + "subnet": { + "id": "subnet-aaaaaaaa012345678" + }, + "tcp_flags": 0, + "vpc": { + "id": "vpc-abcdefab012345678" + } + } + }, "cloud": { "account": { "id": "424805057484" @@ -300,6 +383,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "subnet": { "id": "subnet-0123456789abcdefg" }, + "tcp_flags": 3, "vpc": { "id": "vpc-0123456789abcdefg" } 
@@ -518,6 +602,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.target` | `keyword` | The target of the action | |`action.type` | `keyword` | The type of the action | |`aws.flowlogs.subnet.id` | `keyword` | The ID of the subnet | +|`aws.flowlogs.tcp_flags` | `number` | TCP flags | |`aws.flowlogs.vpc.id` | `keyword` | The ID of the VPC | |`cloud.account.id` | `keyword` | The cloud account or organization id. | |`cloud.instance.id` | `keyword` | Instance ID of the host machine. | diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md index d59a3a9cc6..17f3e0997d 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md @@ -13,6 +13,15 @@ In this section, you will find examples of raw logs as generated natively by the +=== "accept_ok_v5" + + + ```json + 5 1234567890 eni-1235b8ca123456789 5.6.7.8 1.2.3.4 50188 4433 6 1 44 1739865042 1739865042 ACCEPT OK vpc-1 subnet-1 - 2 IPv4 5.6.7.8 1.2.3.4 eu-west-1 euw1-az2 - - - - ingress - + ``` + + + === "accept_structured" diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index 5e9bc6d45a..81efde898a 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md 
@@ -944,6 +944,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trustType": "Azure AD joined" }, "id": "e14254f4-4288-4c00-8689-80823c4f4cb5", + "original_transfer_method": "none", "riskDetail": "none", "riskEventTypes": [], "riskEventTypes_v2": [], 
@@ -1018,6 +1019,131 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "sign-in_activity5.json" + + ```json + + { + "message": "{\"time\": \"2025-02-17T08:38:07.5991020Z\", \"resourceId\": \"/tenants/20cab87f-7ec5-4f28-8701-dca407137de5/providers/Microsoft.aadiam\", \"operationName\": \"Sign-in activity\", \"operationVersion\": \"1.0\", \"category\": \"SignInLogs\", \"tenantId\": \"20cab87f-7ec5-4f28-8701-dca407137de5\", \"resultType\": \"0\", \"resultSignature\": \"None\", \"durationMs\": 0, \"callerIpAddress\": \"1.2.3.4\", \"correlationId\": \"15d9ac10-2532-4b45-81b4-93f8ce58524e\", \"identity\": \"DOE John\", \"Level\": 4, \"location\": \"FR\", \"properties\": {\"id\": \"f34698ee-3f03-4bcd-b846-d418728d9c7e\", \"createdDateTime\": \"2025-02-17T08:35:37.6544801+00:00\", \"userDisplayName\": \"DOE John\", \"userPrincipalName\": \"john.doe@example.com\", \"userId\": \"c5edf645-461f-4321-b013-a1079474e5c5\", \"userAdministrativeUnits\": [{\"id\": \"9c6a6fcf-f496-4cb7-a422-3fb1e120d0bb\"}], \"appId\": \"c3cea757-d288-4465-99df-1fb3f34e51cf\", \"appDisplayName\": \"Cortex xSOAR - New - Prod\", \"ipAddress\": \"1.2.3.4\", \"status\": {\"errorCode\": 0, \"additionalDetails\": \"MFA completed in Azure AD\"}, \"clientAppUsed\": \"Browser\", \"userAgent\": \"aaa\", \"deviceDetail\": {\"deviceId\": \"\", \"operatingSystem\": \"Windows10\", \"browser\": \"Chrome 132.0.0\"}, \"location\": {\"city\": \"Paris\", \"state\": \"Paris\", \"countryOrRegion\": \"FR\", \"geoCoordinates\": {\"latitude\": 48.861000061035156, \"longitude\": 2.3380000591278076}}, \"mfaDetail\": {\"authMethod\": \"Mobile app notification\", \"authDetail\": \"+XX XXXXXXX17\"}, \"correlationId\": \"15d9ac10-2532-4b45-81b4-93f8ce58524e\", \"conditionalAccessStatus\": \"success\", \"appliedConditionalAccessPolicies\": [{\"id\": \"b23443a5-06eb-40cd-b182-6af14a1bc1aa\", \"displayName\": \"CA-REST-GRANT:MFA-SENSITIVE-SECURITY-TOOLS\", \"enforcedGrantControls\": 
[\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"success\", \"conditionsSatisfied\": 3, \"conditionsNotSatisfied\": 0}, {\"id\": \"3b3756a3-0192-4590-acf2-b3de653a90cf\", \"displayName\": \"Baseline policy: Block-legacy-Auth\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"notEnabled\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 0}, {\"id\": \"264ca8bf-9721-4ab2-b80d-89314f417b27\", \"displayName\": \"ALL-MFA-AWS\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"37dc2611-6709-4abb-aeec-8dfccb4de1ba\", \"displayName\": \"Emergency_Block_OWA\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"38c842cb-4d14-4cdb-a92e-1ddfb0d41374\", \"displayName\": \"TEMP policy for FORMS\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [\"CloudAppSecurity\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"67164fa9-b9cc-4881-898e-e3f47da7cf68\", \"displayName\": \"Global-MFA-Azure_management_admins\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"439906c7-12bd-4f17-a77d-60eb590fd6fb\", \"displayName\": \"ALL-MFA-AWS-SSO\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"7d075eb5-8279-4e56-a541-b7567103b0df\", \"displayName\": \"ALL-MFA-PRIVILEGE-ROLE-ADMIN\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"d6f43ed4-c495-4b31-81b8-7896d9062146\", 
\"displayName\": \"CA-ATP-MFA-TEST\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"53311e04-c361-462b-a4d0-a204fd3c3f78\", \"displayName\": \"CA001: Require multi-factor authentication for admins\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"notEnabled\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 0}, {\"id\": \"2fdb3021-fba7-49f5-a207-7591cc46fd6b\", \"displayName\": \"EMEA-Block-Access_from_Nigeria\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"notEnabled\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 0}, {\"id\": \"fb883b4d-b5c0-4561-ab24-0ace811759c2\", \"displayName\": \"ALL-Block_BasicAuth_ActiveSync\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"92a2b557-a4e7-4d50-b740-ce514127b7c6\", \"displayName\": \"ALL-GitHub-MFA\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"96515306-385c-4a37-a4d2-ce47188912e6\", \"displayName\": \"PY incident\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"a9620f5a-c8ee-47ed-a080-98f30c143a67\", \"displayName\": \"ALL-Block-undesired-IPs\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 19, \"conditionsNotSatisfied\": 1032}, {\"id\": \"81e8dacd-2ca7-4061-932f-cfb8d13f68f7\", \"displayName\": \"MFA for Windows 365\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 
1}, {\"id\": \"c148f3e3-610f-4e27-938e-d0608171774c\", \"displayName\": \"MFA ON PAM \", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"41c73785-48f6-4c90-b3b7-672455169ad9\", \"displayName\": \"CA-REST-BLOCK:MTR-WINDOWS\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"e13c8ec0-14a9-4720-8f1c-1d36c05a3554\", \"displayName\": \"CA-REST-GRANT:MFA-USER-AZURE-ADMINS\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"4659aef3-8b9d-4740-98ec-621f4a50b22e\", \"displayName\": \"CA-REST-BLOCK:MTR-ANDROID\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"6b3b8d68-edfb-431e-a10d-39f9c08589c6\", \"displayName\": \"ALL-MFA\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 23, \"conditionsNotSatisfied\": 1032}, {\"id\": \"518a970e-8fde-4c9e-845b-c4c968180d5b\", \"displayName\": \"Global-MFA-Global_and_Exchange_Administrators\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"31bd9502-37ca-4b8c-a100-3e74e247315a\", \"displayName\": \"Office 365 - Terms of Use\", \"enforcedGrantControls\": [\"Office 365 -Danone End-User License Agreement\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"8c869f83-9ed8-4bad-903c-47a8596053ba\", \"displayName\": 
\"CA-REST-GRANT:COMPLIANT-DEVICE-APP-O365-S0-[TEST]_V3\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"331e61e1-8349-4639-ba71-72d834597879\", \"displayName\": \"CA-REST-GRANT:COMPLIANT-DEVICE-APP-TEAMS_v3\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"bcd7f7c7-72f3-44b5-bbc5-fd5f760e3999\", \"displayName\": \"CA-REST-BLOCK:FUNCTIONAL-ACCOUNT-EXTERNAL-ACCESS\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"5de0b7c0-57ea-4555-ab7a-19aa3a29c782\", \"displayName\": \"eNutrimed SSO\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"04bc46a4-788c-4fcb-8cbb-5b8add45cf0b\", \"displayName\": \"CA-REST-GRANT:COMPLIANT-DEVICE-APP-CHECKPOINT-VPN-SNRU-DANONERS\", \"enforcedGrantControls\": [\"Mfa\", \"RequireDomainJoinedDevice\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"dd794361-2afb-4388-be24-1a9662e2f4f2\", \"displayName\": \"CA-REST-GRANT:COMPLIANT-DEVICE-APP-CHECKPOINT-VPN-SNRU-PARTNERS\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"fc8da609-af0b-4444-b0f2-09926141bca5\", \"displayName\": \"CA-REST-GRANT:MFA-USER-MHR-SIGN-IN-FREQUENCY-1D\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, 
\"conditionsNotSatisfied\": 1}, {\"id\": \"d58597dc-b84c-4a26-ba21-54120ef6cddc\", \"displayName\": \"CA-REST-GRANT:NETWORK-AAD-GAA-WW-On_premises_directory_synchronization_service_account\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"0d2f51fa-cfeb-4494-a5d4-c9e9ef6d7c3a\", \"displayName\": \"CA-REST-GRANT:MFA-Users-ZTM-PRA-[TEST]\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"7584bb23-0fc0-4740-bebf-4708aed31b79\", \"displayName\": \"CA-REST-GRANT:MFA-USER-APPLICATION-ADMINS-USERS\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"d0d7e3d2-7f51-47ab-831a-16acae7cd6b5\", \"displayName\": \"CA-REST-GRANT:MFA-USER-FIDO2\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"notApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"d6abb41f-12e4-4a61-a42c-52066a73b1de\", \"displayName\": \"ALL MFA- MacOS and iOS only - User Experience Test\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"notApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"6d55d24c-27d6-4a21-9252-0e2e00d63f9f\", \"displayName\": \"TEST unmanged devices\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [\"CloudAppSecurity\"], \"result\": \"reportOnlyFailure\", \"conditionsSatisfied\": 279, \"conditionsNotSatisfied\": 0}, {\"id\": \"99fcba63-bd21-4260-bbb0-19374f9487f3\", \"displayName\": \"[TEST]Office365 - Windows & MacOS - Managed Device Access Only\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], 
\"enforcedSessionControls\": [\"AppEnforcedRestrictions\"], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"0491b4ce-820d-41d3-86ee-9cfd7f7f1073\", \"displayName\": \"[TEST]Office 365 - Managed Device Access Only\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"91e75802-bb2d-4996-8edf-a02db93a329f\", \"displayName\": \"CyberSafe Policy\", \"enforcedGrantControls\": [\"CyberSafe Policy\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"0050e56a-4b47-433d-8ecb-295cfb13dd01\", \"displayName\": \"BlockRU\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"1f6249b1-5f0a-49cb-aa1c-73b6972a8270\", \"displayName\": \"[Proposal]Russia-UnTrustedDevices-Restriction\", \"enforcedGrantControls\": [\"RequireCompliantDevice\"], \"enforcedSessionControls\": [\"CloudAppSecurity\"], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"f767746c-8599-4fa3-8b7e-ae1cb6386340\", \"displayName\": \"CA-REST-GRANT:MFA-USER-INTUNE-ADMINS\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"c49c7b87-2897-4e5b-bbfc-89d8a808dd4f\", \"displayName\": \"CA-REST-BLOCK:GENERIC-ACCOUNTS\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"175c452f-53bb-4f86-92fe-f18bcd58dbb3\", \"displayName\": \"CA-REST-GRANT:PROMPT-USERS-PASSWORDLESS-[TEST]\", 
\"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"9cd9fc24-f719-42e4-b825-c441488aaa7d\", \"displayName\": \"CA-REST-GRANT:MFA-USER-AZURE-ADMINS [TEST]\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"6041788d-cf81-406b-a577-12411635d285\", \"displayName\": \"CA-REST-BLOCK:COMPROMISE-ACCOUNTS\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"43f15136-6e81-4357-a13d-4ed60b4230ca\", \"displayName\": \"\", \"enforcedGrantControls\": [], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"37ded976-4a51-4180-8cb1-7bcf1b006db2\", \"displayName\": \"Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"6ca3423b-79e3-4461-b599-da15ad9e572f\", \"displayName\": \"CA-REST-GRANT:COMPLIANT-DEVICE-APP-DANPT-[TEST]\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"a3d88eb2-844a-47c5-8005-560cf4a98644\", \"displayName\": \"CA002 Test Windows signin MFA\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"e9409534-2050-43d5-9a61-69e548dc5502\", \"displayName\": \"CA-REST-GRANT:MFA-USER-APP-Critical-[TEST]\", \"enforcedGrantControls\": 
[\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"d88d273f-534b-4a29-8fe4-c7acd9835f4e\", \"displayName\": \"CA-REST-BLOCK:FUNCTIONAL-ACCOUNT-EXTERNAL-ACCESS [EXCEPTIONS REPORT ONLY]\", \"enforcedGrantControls\": [\"Block\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}, {\"id\": \"bc592209-9a19-40fa-acd4-053bf4d2730f\", \"displayName\": \"CA-REST-GRANT:MFA-Users-ZTM-GlobalProtect-[TEST]\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [\"SignInFrequency\"], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 0, \"conditionsNotSatisfied\": 1}, {\"id\": \"24703dc5-9b18-4765-b1d3-094106f81858\", \"displayName\": \"ALL MFA - MacOS and iOS only\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 19, \"conditionsNotSatisfied\": 1036}, {\"id\": \"f3462637-6289-4834-ab4a-a4fa0b0ef5ac\", \"displayName\": \"ALL-MFA - macOS fix\", \"enforcedGrantControls\": [\"Mfa\"], \"enforcedSessionControls\": [], \"result\": \"reportOnlyNotApplied\", \"conditionsSatisfied\": 1, \"conditionsNotSatisfied\": 2}], \"authenticationContextClassReferences\": [], \"originalRequestId\": \"f34698ee-3f03-4bcd-b846-d418728d9c7e\", \"isInteractive\": true, \"tokenIssuerName\": \"\", \"tokenIssuerType\": \"AzureAD\", \"authenticationProcessingDetails\": [{\"key\": \"Legacy TLS (TLS 1.0, 1.1, 3DES)\", \"value\": \"False\"}, {\"key\": \"Is CAE Token\", \"value\": \"False\"}], \"networkLocationDetails\": [{\"networkType\": \"trustedNamedLocation\", \"networkNames\": [\"Danone_Public_IPs (FR)\"]}], \"clientCredentialType\": \"none\", \"processingTimeInMilliseconds\": 158, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"none\", \"riskState\": 
\"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Windows Azure Active Directory\", \"resourceId\": \"5ba6ebdb-f8f0-4aa1-a23b-7fa9ed3db50c\", \"resourceTenantId\": \"20cab87f-7ec5-4f28-8701-dca407137de5\", \"homeTenantId\": \"20cab87f-7ec5-4f28-8701-dca407137de5\", \"tenantId\": \"20cab87f-7ec5-4f28-8701-dca407137de5\", \"authenticationDetails\": [{\"authenticationStepDateTime\": \"2025-02-17T08:35:37.6544801+00:00\", \"authenticationMethod\": \"Password\", \"authenticationMethodDetail\": \"Password Hash Sync\", \"succeeded\": true, \"authenticationStepRequirement\": \"Primary authentication\", \"StatusSequence\": 0, \"RequestSequence\": 1}, {\"authenticationStepDateTime\": \"2025-02-17T08:35:27+00:00\", \"authenticationMethod\": \"Mobile app notification\", \"succeeded\": false, \"authenticationStepResultDetail\": \"Authentication in progress\", \"authenticationStepRequirement\": \"Primary authentication\", \"StatusSequence\": 1739781327622, \"RequestSequence\": 1739781325380}], \"authenticationRequirementPolicies\": [{\"requirementProvider\": \"multiConditionalAccess\", \"detail\": \"Conditional Access\"}], \"sessionLifetimePolicies\": [{\"expirationRequirement\": \"rememberMultifactorAuthenticationOnTrustedDevices\", \"detail\": \"Remember MFA\"}, {\"expirationRequirement\": \"signInFrequencyPeriodicReauthentication\", \"detail\": \"Sign-in frequency (periodic re-authentication)\"}], \"authenticationRequirement\": \"multiFactorAuthentication\", \"alternateSignInName\": \"john.doe@example.com\", \"signInIdentifier\": \"john.doe@example.com\", \"servicePrincipalId\": \"\", \"userType\": \"Member\", \"flaggedForReview\": false, \"isTenantRestricted\": false, \"autonomousSystemNumber\": 16509, \"crossTenantAccessType\": \"none\", \"privateLinkDetails\": {}, \"ssoExtensionVersion\": \"\", \"uniqueTokenIdentifier\": \"aEQ2qLOsqkS86zz3OHIeAA\", \"authenticationStrengths\": [], \"incomingTokenType\": \"none\", 
\"authenticationProtocol\": \"none\", \"appServicePrincipalId\": null, \"resourceServicePrincipalId\": \"9b24f423-974c-4c96-9c87-29efac5eeb90\", \"rngcStatus\": 0, \"signInTokenProtectionStatus\": \"none\", \"tokenProtectionStatusDetails\": {\"signInSessionStatus\": \"unbound\", \"signInSessionStatusCode\": 1002}, \"originalTransferMethod\": \"none\", \"isThroughGlobalSecureAccess\": false, \"conditionalAccessAudiences\": [{\"applicationId\": \"c3cea757-d288-4465-99df-1fb3f34e51cf\", \"audienceReasons\": \"none\"}], \"sessionId\": \"d0b4d0a6-65a8-492f-aa0d-af252d1f3f75\", \"appOwnerTenantId\": \"20cab87f-7ec5-4f28-8701-dca407137de5\", \"resourceOwnerTenantId\": \"55c53d07-6186-46eb-b0b8-9940bcdc65fc\"}}", + "event": { + "action": "Sign-in activity", + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "@timestamp": "2025-02-17T08:38:07.599102Z", + "action": { + "name": "Sign-in activity", + "outcome": "success" + }, + "azuread": { + "authenticationDetails": [ + { + "RequestSequence": 1, + "StatusSequence": 0, + "authenticationMethod": "Password", + "authenticationMethodDetail": "Password Hash Sync", + "authenticationStepDateTime": "2025-02-17T08:35:37.6544801+00:00", + "authenticationStepRequirement": "Primary authentication", + "succeeded": true + }, + { + "RequestSequence": 1739781325380, + "StatusSequence": 1739781327622, + "authenticationMethod": "Mobile app notification", + "authenticationStepDateTime": "2025-02-17T08:35:27+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "Authentication in progress", + "succeeded": false + } + ], + "callerIpAddress": "1.2.3.4", + "category": "SignInLogs", + "correlationId": "15d9ac10-2532-4b45-81b4-93f8ce58524e", + "durationMs": 0, + "identity": "DOE John", + "operationName": "Sign-in activity", + "operationVersion": "1.0", + "properties": { + "appDisplayName": "Cortex xSOAR - New - Prod", + "appId": 
"c3cea757-d288-4465-99df-1fb3f34e51cf", + "authenticationProtocol": "none", + "correlationId": "15d9ac10-2532-4b45-81b4-93f8ce58524e", + "id": "f34698ee-3f03-4bcd-b846-d418728d9c7e", + "original_transfer_method": "none", + "riskDetail": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "session_id": "d0b4d0a6-65a8-492f-aa0d-af252d1f3f75", + "status": { + "additionalDetails": "MFA completed in Azure AD", + "errorCode": "0" + } + }, + "resourceId": "/tenants/20cab87f-7ec5-4f28-8701-dca407137de5/providers/Microsoft.aadiam", + "tenantId": "20cab87f-7ec5-4f28-8701-dca407137de5" + }, + "error": { + "code": "0", + "message": "MFA completed in Azure AD" + }, + "host": { + "os": { + "type": "Windows10" + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "service": { + "name": "Windows Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.861000061035156, + "lon": 2.3380000591278076 + }, + "region_name": "Paris" + }, + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example.com", + "full_name": "DOE John", + "id": "c5edf645-461f-4321-b013-a1079474e5c5" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "aaa", + "os": { + "name": "Other" + } + } + } + + ``` + + === "update_ststoken.json" ```json @@ -1402,6 +1528,7 @@ The following table lists the fields that are extracted, normalized under the EC |`azuread.properties.deviceDetail.isManaged` | `bool` | | |`azuread.properties.deviceDetail.trustType` | `keyword` | | |`azuread.properties.id` | `keyword` | | +|`azuread.properties.original_transfer_method` | `keyword` | | |`azuread.properties.requestId` | `keyword` | | |`azuread.properties.riskDetail` | `keyword` | | |`azuread.properties.riskEventType` | `keyword` | | 
@@ -1412,6 +1539,7 @@ The following table lists the fields that are extracted, normalized under the EC |`azuread.properties.riskLevelDuringSignIn` | `keyword` | riskLevelDuringSignIn | |`azuread.properties.riskReasons` | `array` | | |`azuread.properties.riskState` | `keyword` | | +|`azuread.properties.session_id` | `keyword` | | |`azuread.properties.source` | `keyword` | | |`azuread.properties.status.additionalDetails` | `keyword` | | |`azuread.properties.status.errorCode` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md index 9333524c88..ffc0b08249 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md 
@@ -1249,6 +1249,797 @@ In this section, you will find examples of raw logs as generated natively by the +=== "sign-in_activity5" + + + ```json + { + "time": "2025-02-17T08:38:07.5991020Z", + "resourceId": "/tenants/20cab87f-7ec5-4f28-8701-dca407137de5/providers/Microsoft.aadiam", + "operationName": "Sign-in activity", + "operationVersion": "1.0", + "category": "SignInLogs", + "tenantId": "20cab87f-7ec5-4f28-8701-dca407137de5", + "resultType": "0", + "resultSignature": "None", + "durationMs": 0, + "callerIpAddress": "1.2.3.4", + "correlationId": "15d9ac10-2532-4b45-81b4-93f8ce58524e", + "identity": "DOE John", + "Level": 4, + "location": "FR", + "properties": { + "id": "f34698ee-3f03-4bcd-b846-d418728d9c7e", + "createdDateTime": "2025-02-17T08:35:37.6544801+00:00", + "userDisplayName": "DOE John", + "userPrincipalName": "john.doe@example.com", + "userId": "c5edf645-461f-4321-b013-a1079474e5c5", + "userAdministrativeUnits": [ + { + "id": "9c6a6fcf-f496-4cb7-a422-3fb1e120d0bb" + } + ], + "appId": "c3cea757-d288-4465-99df-1fb3f34e51cf", + "appDisplayName": "Cortex xSOAR - New - Prod", + "ipAddress": "1.2.3.4", + "status": { + "errorCode": 0, + "additionalDetails": "MFA completed in Azure AD" + }, + "clientAppUsed": "Browser", + "userAgent": "aaa", + "deviceDetail": { + "deviceId": "", + "operatingSystem": "Windows10", + "browser": "Chrome 132.0.0" + }, + "location": { + "city": "Paris", + "state": "Paris", + "countryOrRegion": "FR", + "geoCoordinates": { + "latitude": 48.861000061035156, + "longitude": 2.3380000591278076 + } + }, + "mfaDetail": { + "authMethod": "Mobile app notification", + "authDetail": "+XX XXXXXXX17" + }, + "correlationId": "15d9ac10-2532-4b45-81b4-93f8ce58524e", + "conditionalAccessStatus": "success", + "appliedConditionalAccessPolicies": [ + { + "id": "b23443a5-06eb-40cd-b182-6af14a1bc1aa", + "displayName": "CA-REST-GRANT:MFA-SENSITIVE-SECURITY-TOOLS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + 
], + "result": "success", + "conditionsSatisfied": 3, + "conditionsNotSatisfied": 0 + }, + { + "id": "3b3756a3-0192-4590-acf2-b3de653a90cf", + "displayName": "Baseline policy: Block-legacy-Auth", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "notEnabled", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 0 + }, + { + "id": "264ca8bf-9721-4ab2-b80d-89314f417b27", + "displayName": "ALL-MFA-AWS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "37dc2611-6709-4abb-aeec-8dfccb4de1ba", + "displayName": "Emergency_Block_OWA", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "38c842cb-4d14-4cdb-a92e-1ddfb0d41374", + "displayName": "TEMP policy for FORMS", + "enforcedGrantControls": [], + "enforcedSessionControls": [ + "CloudAppSecurity" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "67164fa9-b9cc-4881-898e-e3f47da7cf68", + "displayName": "Global-MFA-Azure_management_admins", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "439906c7-12bd-4f17-a77d-60eb590fd6fb", + "displayName": "ALL-MFA-AWS-SSO", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "7d075eb5-8279-4e56-a541-b7567103b0df", + "displayName": "ALL-MFA-PRIVILEGE-ROLE-ADMIN", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "d6f43ed4-c495-4b31-81b8-7896d9062146", + "displayName": 
"CA-ATP-MFA-TEST", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "53311e04-c361-462b-a4d0-a204fd3c3f78", + "displayName": "CA001: Require multi-factor authentication for admins", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "notEnabled", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 0 + }, + { + "id": "2fdb3021-fba7-49f5-a207-7591cc46fd6b", + "displayName": "EMEA-Block-Access_from_Nigeria", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "notEnabled", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 0 + }, + { + "id": "fb883b4d-b5c0-4561-ab24-0ace811759c2", + "displayName": "ALL-Block_BasicAuth_ActiveSync", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "92a2b557-a4e7-4d50-b740-ce514127b7c6", + "displayName": "ALL-GitHub-MFA", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "96515306-385c-4a37-a4d2-ce47188912e6", + "displayName": "PY incident", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "a9620f5a-c8ee-47ed-a080-98f30c143a67", + "displayName": "ALL-Block-undesired-IPs", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 19, + "conditionsNotSatisfied": 1032 + }, + { + "id": "81e8dacd-2ca7-4061-932f-cfb8d13f68f7", + "displayName": "MFA for Windows 365", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + 
"conditionsNotSatisfied": 1 + }, + { + "id": "c148f3e3-610f-4e27-938e-d0608171774c", + "displayName": "MFA ON PAM ", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "41c73785-48f6-4c90-b3b7-672455169ad9", + "displayName": "CA-REST-BLOCK:MTR-WINDOWS", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "e13c8ec0-14a9-4720-8f1c-1d36c05a3554", + "displayName": "CA-REST-GRANT:MFA-USER-AZURE-ADMINS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "4659aef3-8b9d-4740-98ec-621f4a50b22e", + "displayName": "CA-REST-BLOCK:MTR-ANDROID", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "6b3b8d68-edfb-431e-a10d-39f9c08589c6", + "displayName": "ALL-MFA", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 23, + "conditionsNotSatisfied": 1032 + }, + { + "id": "518a970e-8fde-4c9e-845b-c4c968180d5b", + "displayName": "Global-MFA-Global_and_Exchange_Administrators", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "31bd9502-37ca-4b8c-a100-3e74e247315a", + "displayName": "Office 365 - Terms of Use", + "enforcedGrantControls": [ + "Office 365 -Danone End-User License Agreement" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": 
"8c869f83-9ed8-4bad-903c-47a8596053ba", + "displayName": "CA-REST-GRANT:COMPLIANT-DEVICE-APP-O365-S0-[TEST]_V3", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "331e61e1-8349-4639-ba71-72d834597879", + "displayName": "CA-REST-GRANT:COMPLIANT-DEVICE-APP-TEAMS_v3", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "bcd7f7c7-72f3-44b5-bbc5-fd5f760e3999", + "displayName": "CA-REST-BLOCK:FUNCTIONAL-ACCOUNT-EXTERNAL-ACCESS", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "5de0b7c0-57ea-4555-ab7a-19aa3a29c782", + "displayName": "eNutrimed SSO", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "04bc46a4-788c-4fcb-8cbb-5b8add45cf0b", + "displayName": "CA-REST-GRANT:COMPLIANT-DEVICE-APP-CHECKPOINT-VPN-SNRU-DANONERS", + "enforcedGrantControls": [ + "Mfa", + "RequireDomainJoinedDevice" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "dd794361-2afb-4388-be24-1a9662e2f4f2", + "displayName": "CA-REST-GRANT:COMPLIANT-DEVICE-APP-CHECKPOINT-VPN-SNRU-PARTNERS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "fc8da609-af0b-4444-b0f2-09926141bca5", + "displayName": "CA-REST-GRANT:MFA-USER-MHR-SIGN-IN-FREQUENCY-1D", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + 
"SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "d58597dc-b84c-4a26-ba21-54120ef6cddc", + "displayName": "CA-REST-GRANT:NETWORK-AAD-GAA-WW-On_premises_directory_synchronization_service_account", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "0d2f51fa-cfeb-4494-a5d4-c9e9ef6d7c3a", + "displayName": "CA-REST-GRANT:MFA-Users-ZTM-PRA-[TEST]", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "7584bb23-0fc0-4740-bebf-4708aed31b79", + "displayName": "CA-REST-GRANT:MFA-USER-APPLICATION-ADMINS-USERS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "d0d7e3d2-7f51-47ab-831a-16acae7cd6b5", + "displayName": "CA-REST-GRANT:MFA-USER-FIDO2", + "enforcedGrantControls": [], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "notApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "d6abb41f-12e4-4a61-a42c-52066a73b1de", + "displayName": "ALL MFA- MacOS and iOS only - User Experience Test", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "notApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "6d55d24c-27d6-4a21-9252-0e2e00d63f9f", + "displayName": "TEST unmanged devices", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [ + "CloudAppSecurity" + ], + "result": "reportOnlyFailure", + "conditionsSatisfied": 279, + "conditionsNotSatisfied": 0 + }, + { + "id": "99fcba63-bd21-4260-bbb0-19374f9487f3", + "displayName": "[TEST]Office365 - Windows & 
MacOS - Managed Device Access Only", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [ + "AppEnforcedRestrictions" + ], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "0491b4ce-820d-41d3-86ee-9cfd7f7f1073", + "displayName": "[TEST]Office 365 - Managed Device Access Only", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "91e75802-bb2d-4996-8edf-a02db93a329f", + "displayName": "CyberSafe Policy", + "enforcedGrantControls": [ + "CyberSafe Policy" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "0050e56a-4b47-433d-8ecb-295cfb13dd01", + "displayName": "BlockRU", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "1f6249b1-5f0a-49cb-aa1c-73b6972a8270", + "displayName": "[Proposal]Russia-UnTrustedDevices-Restriction", + "enforcedGrantControls": [ + "RequireCompliantDevice" + ], + "enforcedSessionControls": [ + "CloudAppSecurity" + ], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "f767746c-8599-4fa3-8b7e-ae1cb6386340", + "displayName": "CA-REST-GRANT:MFA-USER-INTUNE-ADMINS", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "c49c7b87-2897-4e5b-bbfc-89d8a808dd4f", + "displayName": "CA-REST-BLOCK:GENERIC-ACCOUNTS", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + 
}, + { + "id": "175c452f-53bb-4f86-92fe-f18bcd58dbb3", + "displayName": "CA-REST-GRANT:PROMPT-USERS-PASSWORDLESS-[TEST]", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "9cd9fc24-f719-42e4-b825-c441488aaa7d", + "displayName": "CA-REST-GRANT:MFA-USER-AZURE-ADMINS [TEST]", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "6041788d-cf81-406b-a577-12411635d285", + "displayName": "CA-REST-BLOCK:COMPROMISE-ACCOUNTS", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "43f15136-6e81-4357-a13d-4ed60b4230ca", + "displayName": "", + "enforcedGrantControls": [], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "37ded976-4a51-4180-8cb1-7bcf1b006db2", + "displayName": "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "6ca3423b-79e3-4461-b599-da15ad9e572f", + "displayName": "CA-REST-GRANT:COMPLIANT-DEVICE-APP-DANPT-[TEST]", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "a3d88eb2-844a-47c5-8005-560cf4a98644", + "displayName": "CA002 Test Windows signin MFA", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": 
"e9409534-2050-43d5-9a61-69e548dc5502", + "displayName": "CA-REST-GRANT:MFA-USER-APP-Critical-[TEST]", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "d88d273f-534b-4a29-8fe4-c7acd9835f4e", + "displayName": "CA-REST-BLOCK:FUNCTIONAL-ACCOUNT-EXTERNAL-ACCESS [EXCEPTIONS REPORT ONLY]", + "enforcedGrantControls": [ + "Block" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + }, + { + "id": "bc592209-9a19-40fa-acd4-053bf4d2730f", + "displayName": "CA-REST-GRANT:MFA-Users-ZTM-GlobalProtect-[TEST]", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [ + "SignInFrequency" + ], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 0, + "conditionsNotSatisfied": 1 + }, + { + "id": "24703dc5-9b18-4765-b1d3-094106f81858", + "displayName": "ALL MFA - MacOS and iOS only", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 19, + "conditionsNotSatisfied": 1036 + }, + { + "id": "f3462637-6289-4834-ab4a-a4fa0b0ef5ac", + "displayName": "ALL-MFA - macOS fix", + "enforcedGrantControls": [ + "Mfa" + ], + "enforcedSessionControls": [], + "result": "reportOnlyNotApplied", + "conditionsSatisfied": 1, + "conditionsNotSatisfied": 2 + } + ], + "authenticationContextClassReferences": [], + "originalRequestId": "f34698ee-3f03-4bcd-b846-d418728d9c7e", + "isInteractive": true, + "tokenIssuerName": "", + "tokenIssuerType": "AzureAD", + "authenticationProcessingDetails": [ + { + "key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", + "value": "False" + }, + { + "key": "Is CAE Token", + "value": "False" + } + ], + "networkLocationDetails": [ + { + "networkType": "trustedNamedLocation", + "networkNames": [ + "Danone_Public_IPs (FR)" + ] + } + ], + 
"clientCredentialType": "none", + "processingTimeInMilliseconds": 158, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Windows Azure Active Directory", + "resourceId": "5ba6ebdb-f8f0-4aa1-a23b-7fa9ed3db50c", + "resourceTenantId": "20cab87f-7ec5-4f28-8701-dca407137de5", + "homeTenantId": "20cab87f-7ec5-4f28-8701-dca407137de5", + "tenantId": "20cab87f-7ec5-4f28-8701-dca407137de5", + "authenticationDetails": [ + { + "authenticationStepDateTime": "2025-02-17T08:35:37.6544801+00:00", + "authenticationMethod": "Password", + "authenticationMethodDetail": "Password Hash Sync", + "succeeded": true, + "authenticationStepRequirement": "Primary authentication", + "StatusSequence": 0, + "RequestSequence": 1 + }, + { + "authenticationStepDateTime": "2025-02-17T08:35:27+00:00", + "authenticationMethod": "Mobile app notification", + "succeeded": false, + "authenticationStepResultDetail": "Authentication in progress", + "authenticationStepRequirement": "Primary authentication", + "StatusSequence": 1739781327622, + "RequestSequence": 1739781325380 + } + ], + "authenticationRequirementPolicies": [ + { + "requirementProvider": "multiConditionalAccess", + "detail": "Conditional Access" + } + ], + "sessionLifetimePolicies": [ + { + "expirationRequirement": "rememberMultifactorAuthenticationOnTrustedDevices", + "detail": "Remember MFA" + }, + { + "expirationRequirement": "signInFrequencyPeriodicReauthentication", + "detail": "Sign-in frequency (periodic re-authentication)" + } + ], + "authenticationRequirement": "multiFactorAuthentication", + "alternateSignInName": "john.doe@example.com", + "signInIdentifier": "john.doe@example.com", + "servicePrincipalId": "", + "userType": "Member", + "flaggedForReview": false, + "isTenantRestricted": false, + "autonomousSystemNumber": 16509, + "crossTenantAccessType": "none", + "privateLinkDetails": {}, + 
"ssoExtensionVersion": "", + "uniqueTokenIdentifier": "aEQ2qLOsqkS86zz3OHIeAA", + "authenticationStrengths": [], + "incomingTokenType": "none", + "authenticationProtocol": "none", + "appServicePrincipalId": null, + "resourceServicePrincipalId": "9b24f423-974c-4c96-9c87-29efac5eeb90", + "rngcStatus": 0, + "signInTokenProtectionStatus": "none", + "tokenProtectionStatusDetails": { + "signInSessionStatus": "unbound", + "signInSessionStatusCode": 1002 + }, + "originalTransferMethod": "none", + "isThroughGlobalSecureAccess": false, + "conditionalAccessAudiences": [ + { + "applicationId": "c3cea757-d288-4465-99df-1fb3f34e51cf", + "audienceReasons": "none" + } + ], + "sessionId": "d0b4d0a6-65a8-492f-aa0d-af252d1f3f75", + "appOwnerTenantId": "20cab87f-7ec5-4f28-8701-dca407137de5", + "resourceOwnerTenantId": "55c53d07-6186-46eb-b0b8-9940bcdc65fc" + } + } + ``` + + + === "update_ststoken" diff --git a/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc.md b/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc.md new file mode 100644 index 0000000000..240639296d --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc.md 
@@ -0,0 +1,235 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Office 365 account logs` | Activity logs that provide data related to user accounts in Office 365. | +| `Office 365 audit logs` | Logs that detail actions taken by users and admins within Office 365 applications. | +| `Office 365 trace logs` | Logs that help in troubleshooting and monitoring the performance of Office 365 services. | +| `Third-party application logs` | Logs from applications not developed by Microsoft that can report security-relevant events. | +| `Windows event logs` | Logs generated by Windows systems that provide crucial information about system events, errors, and security. | +| `Web application firewall logs` | Security logs related to the actions of a web application firewall protecting a web applications. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `intrusion_detection` | +| Type | `info` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. 
+ +=== "test_alert_1.json" + + ```json + + { + "message": "{\"additional_properties\":{},\"id\":\"/subscriptions/f1fa95bf-0000-0000-0000-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/13000000-0000-0000-0000-9b8460000000\",\"name\":\"13000000-0000-0000-0000-9b8460000000\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"system_data\":null,\"etag\":\"2e002c01-0000-0d00-0000-67a000000000\",\"additional_data\":{\"additional_properties\":{},\"alerts_count\":0,\"bookmarks_count\":0,\"comments_count\":0,\"alert_product_names\":[],\"tactics\":[]},\"classification\":\"FalsePositive\",\"classification_comment\":\"Not a malicious activity\",\"classification_reason\":\"IncorrectAlertLogic\",\"created_time_utc\":\"2025-02-03T13:32:12.236416+00:00\",\"description\":\"connector test\",\"incident_url\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-0000-0000-0000-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/13000000-0000-0000-0000-9b8460000000\",\"incident_number\":11,\"labels\":[{\"additional_properties\":{},\"label_name\":\"test\",\"label_type\":\"User\"}],\"last_activity_time_utc\":\"2025-02-03T13:32:11.509000+00:00\",\"last_modified_time_utc\":\"2025-02-03T13:32:12.236416+00:00\",\"owner\":{\"additional_properties\":{},\"assigned_to\":\"joe doe\",\"email\":\"joe.doe@test.com\",\"user_principal_name\":\"joe.doe@test.com\",\"object_id\":\"40f54000-0000-0000-0000-4c990e00000000\"},\"related_analytic_rule_ids\":[],\"severity\":\"Medium\",\"status\":\"New\",\"title\":\"test 11\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2025-02-03T13:32:12.236416Z", + "kind": "alert", + "reason": "connector test", + "type": [ + "info" + ], + "url": 
"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-0000-0000-0000-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/13000000-0000-0000-0000-9b8460000000" + }, + "@timestamp": "2025-02-03T13:32:12.236416Z", + "log": { + "level": "Medium" + }, + "microsoft": { + "sentinel": { + "classification": { + "comment": "Not a malicious activity", + "reason": "IncorrectAlertLogic", + "type": "FalsePositive" + }, + "incident": { + "number": "11" + }, + "status": "New", + "title": "test 11" + } + }, + "observer": { + "product": "Sentinel", + "vendor": "Microsoft" + }, + "user": { + "email": "joe.doe@test.com" + } + } + + ``` + + +=== "test_alert_2.json" + + ```json + + { + "message": "{\"additional_properties\":{},\"id\":\"/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/2f880001-0000-0000-0000-30000d1a3000\",\"name\":\"2f880001-0000-0000-0000-30000d1a3000\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"system_data\":null,\"etag\":\"2d001bf8-0000-0d00-0000-67a000000000\",\"additional_data\":{\"additional_properties\":{},\"alerts_count\":0,\"bookmarks_count\":0,\"comments_count\":0,\"alert_product_names\":[],\"tactics\":[]},\"classification\":null,\"classification_comment\":null,\"classification_reason\":null,\"created_time_utc\":\"2025-02-03T13:29:41.551768+00:00\",\"description\":\"connector 
test\",\"incident_url\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/2f884fd1-aa45-4d80-8118-30accd1a389b\",\"incident_number\":10,\"labels\":[{\"additional_properties\":{},\"label_name\":\"test\",\"label_type\":\"User\"}],\"last_activity_time_utc\":\"2025-02-03T13:29:40.831000+00:00\",\"last_modified_time_utc\":\"2025-02-03T13:29:41.551768+00:00\",\"owner\":{\"additional_properties\":{},\"assigned_to\":\"joe doe\",\"email\":\"joe.doe@test.com\",\"user_principal_name\":\"joe.doe@test.com\",\"object_id\":\"40f54fde-0000-0000-0000-4c990e00000000\"},\"related_analytic_rule_ids\":[],\"severity\":\"Medium\",\"status\":\"New\",\"title\":\"test 10\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2025-02-03T13:29:41.551768Z", + "kind": "alert", + "reason": "connector test", + "type": [ + "info" + ], + "url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/2f884fd1-aa45-4d80-8118-30accd1a389b" + }, + "@timestamp": "2025-02-03T13:29:41.551768Z", + "log": { + "level": "Medium" + }, + "microsoft": { + "sentinel": { + "incident": { + "number": "10" + }, + "status": "New", + "title": "test 10" + } + }, + "observer": { + "product": "Sentinel", + "vendor": "Microsoft" + }, + "user": { + "email": "joe.doe@test.com" + } + } + + ``` + + +=== "test_alert_without_user_1.json" + + ```json + + { + "message": 
"{\"additional_properties\":{},\"id\":\"/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a\",\"name\":\"368693b4-8888-4444-cccc-aafff2232292\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"system_data\":null,\"etag\":\"\\\"5b022666-0000-0d00-0000-ccb5cccc0000\\\"\",\"additional_data\":{\"additional_properties\":{},\"alerts_count\":0,\"bookmarks_count\":0,\"comments_count\":0,\"alert_product_names\":[],\"tactics\":[]},\"classification\":null,\"classification_comment\":null,\"classification_reason\":null,\"created_time_utc\":\"2025-02-19T11:36:38.757960+00:00\",\"description\":\":D\",\"incident_url\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/36666344-8888-bbbb-cccc-a111fff3339a\",\"incident_number\":14,\"labels\":[{\"additional_properties\":{},\"label_name\":\"test_label\",\"label_type\":\"User\"}],\"last_activity_time_utc\":\"2025-02-19T11:36:38.207000+00:00\",\"last_modified_time_utc\":\"2025-02-19T11:36:38.757960+00:00\",\"owner\":{\"additional_properties\":{},\"assigned_to\":null,\"email\":null,\"user_principal_name\":null,\"object_id\":null},\"related_analytic_rule_ids\":[],\"severity\":\"Low\",\"status\":\"Active\",\"title\":\"Test 22\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2025-02-19T11:36:38.757960Z", + "kind": "alert", + "reason": ":D", + "type": [ + "info" + ], + "url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/36666344-8888-bbbb-cccc-a111fff3339a" + 
}, + "@timestamp": "2025-02-19T11:36:38.757960Z", + "log": { + "level": "Low" + }, + "microsoft": { + "sentinel": { + "incident": { + "number": "14" + }, + "status": "Active", + "title": "Test 22" + } + }, + "observer": { + "product": "Sentinel", + "vendor": "Microsoft" + } + } + + ``` + + +=== "test_alert_without_user_2.json" + + ```json + + { + "message": "{\"additional_properties\":{},\"id\":\"/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/integration/providers/Microsoft.OperationalInsights/workspaces/Integration/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a\",\"name\":\"368693b4-8d49-4bd7-ac9c-a6f1f2232a9a\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"system_data\":null,\"etag\":\"\\\"5b02465b-0000-0d00-0000-67b5c2460000\\\"\",\"additional_data\":{\"additional_properties\":{},\"alerts_count\":0,\"bookmarks_count\":0,\"comments_count\":0,\"alert_product_names\":[],\"tactics\":[]},\"classification\":null,\"classification_comment\":null,\"classification_reason\":null,\"created_time_utc\":\"2025-02-19T11:36:38.757960+00:00\",\"description\":\":D\",\"incident_url\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/integration/providers/Microsoft.OperationalInsights/workspaces/Integration/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a\",\"incident_number\":14,\"labels\":[{\"additional_properties\":{},\"label_name\":\"tagada\",\"label_type\":\"User\"}],\"last_activity_time_utc\":\"2025-02-19T11:36:38.207000+00:00\",\"last_modified_time_utc\":\"2025-02-19T11:36:38.757960+00:00\",\"owner\":{\"additional_properties\":{},\"assigned_to\":null,\"email\":null,\"user_principal_name\":null,\"object_id\":null},\"related_analytic_rule_ids\":[],\"severity\":\"Low\",\"status\":\"Active\",\"title\":\"Test 22\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": 
"2025-02-19T11:36:38.757960Z", + "kind": "alert", + "reason": ":D", + "type": [ + "info" + ], + "url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/integration/providers/Microsoft.OperationalInsights/workspaces/Integration/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a" + }, + "@timestamp": "2025-02-19T11:36:38.757960Z", + "log": { + "level": "Low" + }, + "microsoft": { + "sentinel": { + "incident": { + "number": "14" + }, + "status": "Active", + "title": "Test 22" + } + }, + "observer": { + "product": "Sentinel", + "vendor": "Microsoft" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`event.url` | `keyword` | Event investigation URL | +|`log.level` | `keyword` | Log level of the log event. 
| +|`microsoft.sentinel.classification.comment` | `keyword` | Comment on the classification of the alert | +|`microsoft.sentinel.classification.reason` | `keyword` | Reason for the classification of the alert | +|`microsoft.sentinel.classification.type` | `keyword` | Type of the classification | +|`microsoft.sentinel.incident.number` | `keyword` | Incident number of the alert | +|`microsoft.sentinel.status` | `keyword` | Status of the alert | +|`microsoft.sentinel.title` | `keyword` | Title of the alert | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`user.email` | `keyword` | User email address. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Microsoft/microsoft-sentinel). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc_sample.md b/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc_sample.md new file mode 100644 index 0000000000..a1f0cb781e --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/23d06c74-9311-4d56-b2ac-5d70c0b322fc_sample.md 
@@ -0,0 +1,210 @@
+
+### Raw Events Samples
+
+In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
+
+
+=== "test_alert_1"
+
+
+ ```json
+ {
+ "additional_properties": {},
+ "id": "/subscriptions/f1fa95bf-0000-0000-0000-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/13000000-0000-0000-0000-9b8460000000",
+ "name": "13000000-0000-0000-0000-9b8460000000",
+ "type": "Microsoft.SecurityInsights/Incidents",
+ "system_data": null,
+ "etag": "2e002c01-0000-0d00-0000-67a000000000",
+ "additional_data": {
+ "additional_properties": {},
+ "alerts_count": 0,
+ "bookmarks_count": 0,
+ "comments_count": 0,
+ "alert_product_names": [],
+ "tactics": []
+ },
+ "classification": "FalsePositive",
+ "classification_comment": "Not a malicious activity",
+ "classification_reason": "IncorrectAlertLogic",
+ "created_time_utc": "2025-02-03T13:32:12.236416+00:00",
+ "description": "connector test",
+ "incident_url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-0000-0000-0000-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/13000000-0000-0000-0000-9b8460000000",
+ "incident_number": 11,
+ "labels": [
+ {
+ "additional_properties": {},
+ "label_name": "test",
+ "label_type": "User"
+ }
+ ],
+ "last_activity_time_utc": "2025-02-03T13:32:11.509000+00:00",
+ "last_modified_time_utc": "2025-02-03T13:32:12.236416+00:00",
+ "owner": {
+ "additional_properties": {},
+ "assigned_to": "joe doe",
+ "email": "joe.doe@test.com",
+ "user_principal_name": "joe.doe@test.com",
+ "object_id": "40f54000-0000-0000-0000-4c990e00000000"
+ },
+ "related_analytic_rule_ids": [],
+ "severity": "Medium",
+ "status": "New",
+ "title": "test 11"
+ }
+ ```
+
+
+
+=== "test_alert_2"
+
+
+ ```json
+ {
+ "additional_properties": {},
+ "id": "/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/2f880001-0000-0000-0000-30000d1a3000",
+ "name": "2f880001-0000-0000-0000-30000d1a3000",
+ "type": "Microsoft.SecurityInsights/Incidents",
+ "system_data": null,
+ "etag": "2d001bf8-0000-0d00-0000-67a000000000",
+ "additional_data": {
+ "additional_properties": {},
+ "alerts_count": 0,
+ "bookmarks_count": 0,
+ "comments_count": 0,
+ "alert_product_names": [],
+ "tactics": []
+ },
+ "classification": null,
+ "classification_comment": null,
+ "classification_reason": null,
+ "created_time_utc": "2025-02-03T13:29:41.551768+00:00",
+ "description": "connector test",
+ "incident_url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/2f884fd1-aa45-4d80-8118-30accd1a389b",
+ "incident_number": 10,
+ "labels": [
+ {
+ "additional_properties": {},
+ "label_name": "test",
+ "label_type": "User"
+ }
+ ],
+ "last_activity_time_utc": "2025-02-03T13:29:40.831000+00:00",
+ "last_modified_time_utc": "2025-02-03T13:29:41.551768+00:00",
+ "owner": {
+ "additional_properties": {},
+ "assigned_to": "joe doe",
+ "email": "joe.doe@test.com",
+ "user_principal_name": "joe.doe@test.com",
+ "object_id": "40f54fde-0000-0000-0000-4c990e00000000"
+ },
+ "related_analytic_rule_ids": [],
+ "severity": "Medium",
+ "status": "New",
+ "title": "test 10"
+ }
+ ```
+
+
+
+=== "test_alert_without_user_1"
+
+
+ ```json
+ {
+ "additional_properties": {},
+ "id": "/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a",
+ "name": "368693b4-8888-4444-cccc-aafff2232292",
+ "type": "Microsoft.SecurityInsights/Incidents",
+ "system_data": null,
+ "etag": "\"5b022666-0000-0d00-0000-ccb5cccc0000\"",
+ "additional_data": {
+ "additional_properties": {},
+ "alerts_count": 0,
+ "bookmarks_count": 0,
+ "comments_count": 0,
+ "alert_product_names": [],
+ "tactics": []
+ },
+ "classification": null,
+ "classification_comment": null,
+ "classification_reason": null,
+ "created_time_utc": "2025-02-19T11:36:38.757960+00:00",
+ "description": ":D",
+ "incident_url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/test/providers/Microsoft.OperationalInsights/workspaces/Test/providers/Microsoft.SecurityInsights/Incidents/36666344-8888-bbbb-cccc-a111fff3339a",
+ "incident_number": 14,
+ "labels": [
+ {
+ "additional_properties": {},
+ "label_name": "test_label",
+ "label_type": "User"
+ }
+ ],
+ "last_activity_time_utc": "2025-02-19T11:36:38.207000+00:00",
+ "last_modified_time_utc": "2025-02-19T11:36:38.757960+00:00",
+ "owner": {
+ "additional_properties": {},
+ "assigned_to": null,
+ "email": null,
+ "user_principal_name": null,
+ "object_id": null
+ },
+ "related_analytic_rule_ids": [],
+ "severity": "Low",
+ "status": "Active",
+ "title": "Test 22"
+ }
+ ```
+
+
+
+=== "test_alert_without_user_2"
+
+
+ ```json
+ {
+ "additional_properties": {},
+ "id": "/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/integration/providers/Microsoft.OperationalInsights/workspaces/Integration/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a",
+ "name": "368693b4-8d49-4bd7-ac9c-a6f1f2232a9a",
+ "type": "Microsoft.SecurityInsights/Incidents",
+ "system_data": null,
+ "etag": "\"5b02465b-0000-0d00-0000-67b5c2460000\"",
+ "additional_data": {
+ "additional_properties": {},
+ "alerts_count": 0,
+ "bookmarks_count": 0,
+ "comments_count": 0,
+ "alert_product_names": [],
+ "tactics": []
+ },
+ "classification": null,
+ "classification_comment": null,
+ "classification_reason": null,
+ "created_time_utc": "2025-02-19T11:36:38.757960+00:00",
+ "description": ":D",
+ "incident_url": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/f1fa95bf-631e-48e9-bbc7-910a79dc1f7b/resourceGroups/integration/providers/Microsoft.OperationalInsights/workspaces/Integration/providers/Microsoft.SecurityInsights/Incidents/368693b4-8d49-4bd7-ac9c-a6f1f2232a9a",
+ "incident_number": 14,
+ "labels": [
+ {
+ "additional_properties": {},
+ "label_name": "tagada",
+ "label_type": "User"
+ }
+ ],
+ "last_activity_time_utc": "2025-02-19T11:36:38.207000+00:00",
+ "last_modified_time_utc": "2025-02-19T11:36:38.757960+00:00",
+ "owner": {
+ "additional_properties": {},
+ "assigned_to": null,
+ "email": null,
+ "user_principal_name": null,
+ "object_id": null
+ },
+ "related_analytic_rule_ids": [],
+ "severity": "Low",
+ "status": "Active",
+ "title": "Test 22"
+ }
+ ```
+
+
+
diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md
index dc5a7142df..1a2c019b49 100644
--- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md
+++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md
@@ -33,7 +33,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-06-23T15:56:46Z"
 },
 "@timestamp": "2023-06-23T15:56:46Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -148,12 +147,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "smtp.smtpout.example.org",
+ "id": "FFFFFFFFFFFF-AAAAAAAAAAA",
 "name": "smtp.smtpout.example.org"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.2-004"
@@ -195,7 +200,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2020-05-11T16:56:56Z"
 },
 "@timestamp": "2020-05-11T16:56:56Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -259,6 +263,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "mailhost.example.es",
+ "id": "4202A33F31B0BAAB537A-FBD06D401234",
 "name": "mailhost.example.es"
 },
 "network": {
@@ -305,7 +310,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2019-08-13T15:15:45Z"
 },
 "@timestamp": "2019-08-13T15:15:45Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -389,12 +393,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "esa1.hc3033-47.iphmx.com",
+ "id": "420D4F36AAEBC0093B4F-B9E72189A021",
 "name": "esa1.hc3033-47.iphmx.com"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C300V Email Security Virtual Appliance",
 "vendor": "Cisco",
 "version": "13.0.0-252"
@@ -436,7 +446,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-03-01T19:02:03Z"
 },
 "@timestamp": "2023-03-01T19:02:03Z",
- "cef": {},
 "cisco": {
 "esa": {
 "delivery": {
@@ -493,12 +502,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "unknown",
+ "id": "254be28187994bc7a37f496ceac54edd",
 "name": "unknown"
 },
 "network": {
 "direction": "outbound"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "OutgoingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
@@ -540,7 +555,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-03-01T19:02:03Z"
 },
 "@timestamp": "2023-03-01T19:02:03Z",
- "cef": {},
 "cisco": {
 "esa": {
 "delivery": {
@@ -597,12 +611,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "unknown",
+ "id": "254be28187994bc7a37f496ceac54edd",
 "name": "unknown"
 },
 "network": {
 "direction": "outbound"
 },
 "observer": {
+ "egress": {
+ "interface": {
+ "name": "OutgoingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
@@ -644,7 +664,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-03-01T19:02:02Z"
 },
 "@timestamp": "2023-03-01T19:02:02Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -726,12 +745,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "outbound.example.com",
+ "id": "254be28187994bc7a37f496ceac54edd",
 "name": "outbound.example.com"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
@@ -773,7 +798,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-03-01T19:02:02Z"
 },
 "@timestamp": "2023-03-01T19:02:02Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -844,12 +868,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "outboun",
+ "id": "254be28187994bc7a37f496ceac54edd",
 "name": "outboun"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
@@ -886,7 +916,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-03-01T19:01:45Z"
 },
 "@timestamp": "2023-03-01T19:01:45Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -991,12 +1020,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "host": {
 "hostname": "outbound.example.com",
+ "id": "254be28187994bc7a37f496ceac54edd",
 "name": "outbound.example.com"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
@@ -1034,7 +1069,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "event": {
 "severity": 5
 },
- "cef": {},
 "cisco": {
 "esa": {
 "delivery": {
@@ -1046,6 +1080,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "email": {
 "local_id": "11111111"
 },
+ "host": {
+ "id": "254be28187994bc7a37f496ceac54edd"
+ },
 "observer": {
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
@@ -1061,7 +1098,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```json
 {
- "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=00F66XXXX-FCH2025V2LQ ESAMID=351452154 ESAICID=317589723 ESADCID=192175459 ESADLPVerdict=NOT EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Jun 13 08:02:06 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=192.168.128.137 ESAAttachmentDetails={'bob.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed'}, 'BodyScanner': {}}, 'Signature Jean Dupont.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4'}, 'BodyScanner': {}}, 'FICHE.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354'}, 'BodyScanner': {}}} ESAFriendlyFrom=Marc Dupont ESAGMVerdict=NEGATIVE startTime=Mon Jun 13 08:02:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=m.dupont@corp.fr cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Switzerland ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr>' ESAMsgSize=418081 ESAOFVerdict=POSITIVE duser=evil@corp.fr ESAHeloDomain=ov-3bd8ca.ch2.telecom.com ESAHeloIP=192.168.10.244 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'lol@evil.fr'}, 'helo': {'result': 'None', 'sender': 'postmaster@ov-3bd8ca.ch2.telecom.com'}, 'pra': {'result': 'None', 'sender': 'm.dupont@corp.fr'}} sourceHostName=ov-3bd8ca.ch2.telecom.com ESASenderGroup=SUSPECTLIST sourceAddress=192.168.1.244 msg='\\=?UTF-8?Q?N\\=c2\\=b0_CORP\\= \\=?UTF-8?Q?020?\\='",
+ "message": "CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=00F66XXXX-FCH2025V2LQ ESAMID=351452154 ESAICID=317589723 ESADCID=192175459 ESADLPVerdict=NOT EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Jun 13 08:02:06 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=5.6.7.8 ESAAttachmentDetails={'bob.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed'}, 'BodyScanner': {}}, 'Signature Jean Dupont.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4'}, 'BodyScanner': {}}, 'FICHE.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354'}, 'BodyScanner': {}}} ESAFriendlyFrom=Marc Dupont ESAGMVerdict=NEGATIVE startTime=Mon Jun 13 08:02:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=m.dupont@corp.fr cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Switzerland ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr>' ESAMsgSize=418081 ESAOFVerdict=POSITIVE duser=evil@corp.fr ESAHeloDomain=example.org ESAHeloIP=192.168.10.244 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'lol@evil.fr'}, 'helo': {'result': 'None', 'sender': 'postmaster@example.org'}, 'pra': {'result': 'None', 'sender': 'm.dupont@corp.fr'}} sourceHostName=example.org ESASenderGroup=SUSPECTLIST sourceAddress=1.2.3.4 msg='\\=?UTF-8?Q?N\\=c2\\=b0_CORP\\= \\=?UTF-8?Q?020?\\='",
 "event": {
 "action": "delivered",
 "end": "2023-06-13T08:02:06Z",
@@ -1069,7 +1106,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start": "2023-06-13T08:02:04Z"
 },
 "@timestamp": "2023-06-13T08:02:04Z",
- "cef": {},
 "cisco": {
 "esa": {
 "authentication": {
@@ -1080,7 +1116,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "verdict": "pass"
 },
 "spf": {
- "verdict": "{\"helo\":{\"result\":\"None\",\"sender\":\"postmaster@ov-3bd8ca.ch2.telecom.com\"},\"mailfrom\":{\"result\":\"Pass\",\"sender\":\"lol@evil.fr\"},\"pra\":{\"result\":\"None\",\"sender\":\"m.dupont@corp.fr\"}}"
+ "verdict": "{\"helo\":{\"result\":\"None\",\"sender\":\"postmaster@example.org\"},\"mailfrom\":{\"result\":\"Pass\",\"sender\":\"lol@evil.fr\"},\"pra\":{\"result\":\"None\",\"sender\":\"m.dupont@corp.fr\"}}"
 }
 },
 "delivery": {
@@ -1090,7 +1126,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "message_size": "418081"
 },
 "helo": {
- "domain": "ov-3bd8ca.ch2.telecom.com",
+ "domain": "example.org",
 "ip": "192.168.10.244"
 },
 "injection": {
@@ -1157,35 +1193,41 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 }
 },
 "host": {
- "hostname": "ov-3bd8ca.ch2.telecom.com",
- "name": "ov-3bd8ca.ch2.telecom.com"
+ "hostname": "example.org",
+ "id": "00F66XXXX-FCH2025V2LQ",
+ "name": "example.org"
 },
 "network": {
 "direction": "inbound"
 },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "IncomingMail"
+ }
+ },
 "type": "C390 Email Security Appliance",
 "vendor": "Cisco",
 "version": "14.2.1-015"
 },
 "related": {
 "hosts": [
- "ov-3bd8ca.ch2.telecom.com"
+ "example.org"
 ],
 "ip": [
- "192.168.1.244",
- "192.168.128.137"
+ "1.2.3.4",
+ "5.6.7.8"
 ]
 },
 "rule": {
 "name": "DEFAULT"
 },
 "server": {
- "ip": "192.168.128.137"
+ "ip": "5.6.7.8"
 },
 "source": {
- "address": "192.168.1.244",
- "ip": "192.168.1.244"
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 }
 }
@@ -1220,13 +1262,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`cisco.esa.status` | `keyword` | |
 |`cisco.esa.url` | `keyword` | the declaration of the cisco urls |
 |`cisco.esa.url_domain` | `keyword` | |
-|`destination.domain` | `keyword` | The domain name of the destination. |
-|`destination.ip` | `ip` | IP address of the destination. |
-|`destination.mac` | `keyword` | MAC address of the destination. |
-|`destination.nat.ip` | `ip` | Destination NAT ip |
-|`destination.nat.port` | `long` | Destination NAT Port |
-|`destination.port` | `long` | Port of the destination. |
-|`destination.user.id` | `keyword` | Unique identifier of the user. |
 |`email.attachments` | `array` | A list of objects describing the attachment files sent along with an email message |
 |`email.from.address` | `array` | A list of source email |
 |`email.local_id` | `keyword` | Unique identifier given by the source. |
@@ -1235,41 +1270,20 @@ The following table lists the fields that are extracted, normalized under the EC
 |`email.to.address` | `array` | A list of destination email |
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
-|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
 |`event.severity` | `long` | Numeric severity of the event. |
 |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
-|`event.timezone` | `keyword` | Event time zone. |
-|`file.inode` | `keyword` | Inode representing the file in the filesystem. |
-|`file.mtime` | `date` | Last time the file content was modified. |
-|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
-|`file.path` | `keyword` | Full path to the file, including the file name. |
-|`file.size` | `long` | File size in bytes. |
-|`file.type` | `keyword` | File type (file, dir, or symlink). |
-|`host.domain` | `keyword` | Name of the directory the group is a member of. |
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`host.id` | `keyword` | Unique host id. |
 |`host.name` | `keyword` | Name of the host. |
-|`host.network.egress.bytes` | `long` | The number of bytes sent on all network interfaces. |
-|`host.network.ingress.bytes` | `long` | The number of bytes received on all network interfaces. |
-|`http.request.method` | `keyword` | HTTP request method. |
-|`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
 |`log.syslog.facility.name` | `keyword` | Syslog text-based facility of the event. |
-|`network.protocol` | `keyword` | Application protocol name. |
 |`observer.egress.interface.name` | `keyword` | Interface name |
 |`observer.ingress.interface.name` | `keyword` | Interface name |
 |`observer.type` | `keyword` | The type of the observer the data is coming from. |
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
 |`observer.version` | `keyword` | Observer version. |
-|`process.name` | `keyword` | Process name. |
 |`rule.name` | `keyword` | Rule name |
 |`server.ip` | `ip` | IP address of the server. |
-|`service.name` | `keyword` | Name of the service. |
-|`source.domain` | `keyword` | The domain name of the source. |
 |`source.ip` | `ip` | IP address of the source. |
-|`source.mac` | `keyword` | MAC address of the source. |
-|`source.nat.ip` | `ip` | Source NAT ip |
-|`source.nat.port` | `long` | Source NAT port |
-|`source.port` | `long` | Port of the source. |
 |`url.domain` | `keyword` | Domain of the url. |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
 |`user_agent.original` | `keyword` | Unparsed user_agent string. |
diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6_sample.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6_sample.md
index 42cc8ceb93..987a4a927a 100644
--- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6_sample.md
+++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6_sample.md
@@ -81,7 +81,7 @@ In this section, you will find examples of raw logs as generated natively by the === "test_ingest_log9" ``` - CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=00F66XXXX-FCH2025V2LQ ESAMID=351452154 ESAICID=317589723 ESADCID=192175459 ESADLPVerdict=NOT EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Jun 13 08:02:06 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=192.168.128.137 ESAAttachmentDetails={'bob.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed'}, 'BodyScanner': {}}, 'Signature Jean Dupont.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4'}, 'BodyScanner': {}}, 'FICHE.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354'}, 'BodyScanner': {}}} ESAFriendlyFrom=Marc Dupont ESAGMVerdict=NEGATIVE startTime=Mon Jun 13 08:02:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=m.dupont@corp.fr cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Switzerland ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr>' ESAMsgSize=418081 ESAOFVerdict=POSITIVE duser=evil@corp.fr ESAHeloDomain=ov-3bd8ca.ch2.telecom.com ESAHeloIP=192.168.10.244 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'lol@evil.fr'}, 'helo': {'result': 'None', 'sender': 'postmaster@ov-3bd8ca.ch2.telecom.com'}, 'pra': {'result': 'None', 'sender': 'm.dupont@corp.fr'}} sourceHostName=ov-3bd8ca.ch2.telecom.com ESASenderGroup=SUSPECTLIST sourceAddress=192.168.1.244 msg='\=?UTF-8?Q?N\=c2\=b0_CORP\= \=?UTF-8?Q?020?\=' + 
CEF:0|Cisco|C390 Email Security Appliance|14.2.1-015|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=00F66XXXX-FCH2025V2LQ ESAMID=351452154 ESAICID=317589723 ESADCID=192175459 ESADLPVerdict=NOT EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Mon Jun 13 08:02:06 2023 ESADKIMVerdict=pass ESADMARCVerdict=pass dvc=5.6.7.8 ESAAttachmentDetails={'bob.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '2062932a5c017252038b001b14e1dfd09501742faeb7275da8e031eacfa963ed'}, 'BodyScanner': {}}, 'Signature Jean Dupont.png': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'a0e121e017afed94380de0658e51f4bed14f6cffc3d7f2026f5c3cafcf8273f4'}, 'BodyScanner': {}}, 'FICHE.pdf': {'AMP': {'Verdict': 'LOWRISK', 'fileHash': 'e4b2d60cea9c09a0871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354'}, 'BodyScanner': {}}} ESAFriendlyFrom=Marc Dupont ESAGMVerdict=NEGATIVE startTime=Mon Jun 13 08:02:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=m.dupont@corp.fr cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Switzerland ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<17f42d91-1908-aecb-adfd-a6e9c92e623e@corp.fr>' ESAMsgSize=418081 ESAOFVerdict=POSITIVE duser=evil@corp.fr ESAHeloDomain=example.org ESAHeloIP=192.168.10.244 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'lol@evil.fr'}, 'helo': {'result': 'None', 'sender': 'postmaster@example.org'}, 'pra': {'result': 'None', 'sender': 'm.dupont@corp.fr'}} sourceHostName=example.org ESASenderGroup=SUSPECTLIST sourceAddress=1.2.3.4 msg='\=?UTF-8?Q?N\=c2\=b0_CORP\= \=?UTF-8?Q?020?\=' ``` 
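Review bot: The redaction in this sample is inconsistent: the new line replaces the appliance and sender addresses with `dvc=5.6.7.8` and `sourceAddress=1.2.3.4`, which are routable public addresses, while `corp.fr`, `evil.fr` and the partially masked `deviceExternalId=00F66XXXX-FCH2025V2LQ` are left untouched. For a published log sample, use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and RFC 2606 names (`example.com`, `example.net`) so the corpus never points at real infrastructure, e.g. `dvc=203.0.113.10 ... sourceAddress=198.51.100.24`. The `FCH2025V2LQ` part of the device identifier looks like it may still be a real appliance serial and would be safer replaced wholesale. The verdict, hash and `cs*` fields can stay as they are, since they are what the parser sample is meant to exercise.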
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 52aac66334..fff75f5a3e 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -2490,7 +2490,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "user": [
- "JONE doe"
+ "doe"
 ]
 },
 "rule": {
@@ -2498,7 +2498,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "Ransomware Detected via Canary File"
 },
 "user": {
- "name": "JONE doe",
+ "domain": "JONE",
+ "name": "doe",
 "roles": "testgroup,testgroup1,testgroup2"
 }
 }
@@ -2556,7 +2557,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "user": [
- "NT AUTHORITY SYSTEM"
+ "SYSTEM"
 ]
 },
 "rule": {
@@ -2564,7 +2565,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "Suspicious Process Spawned by Java Application"
 },
 "user": {
- "name": "NT AUTHORITY SYSTEM"
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
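Review bot: In the `@@ -2498` hunk the sample now shows `"JONE doe"` split on whitespace into `"domain": "JONE"` and `"name": "doe"`, and in the `@@ -2490` hunk `related.user` shrinks from the full string to `"doe"`. That split is the expected ECS shape for `NT AUTHORITY SYSTEM` in the two later hunks, but if the raw field behind the first sample is a display name ("Jone Doe") rather than a `DOMAIN user` pair, the given name is being filed as a domain and any rule keyed on `related.user` or `user.name` silently loses the value it used to match; the raw `message` sits outside the hunk, so this needs checking against it. Either way this is a parser behaviour change that only surfaces through regenerated docs, and a note such as `user.name and related.user no longer carry the domain-qualified form; use user.domain` in the intake's changelog would save detection authors a surprise.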
@@ -3186,6 +3188,76 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "wineventlog6.json" + + ```json + + { + "message": "{\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"SubjectDomainName\":\"EXAMPLE\",\"ClientProcessId\":\"9380\",\"SubjectUserName\":\"JDOE$\",\"ParentProcessId\":\"4432\",\"SubjectUserSid\":\"S-1-5-18\",\"RpcCallClientLocality\":\"0\",\"FQDN\":\"jdoe.example.local\",\"ClientProcessStartKey\":\"11111111111111111\",\"TaskContent\":\"\\r\\n\\r\\n \\r\\n 2017-01-01T00:00:00\\r\\n Microsoft Office\\r\\n 16.0.0\\r\\n This task ensures that your Microsoft Office installation can check for feature updates.\\r\\n \\\\Microsoft\\\\Office\\\\Office Feature Updates\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T02:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T06:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T10:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T14:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T18:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n 2017-01-01T22:10:00\\r\\n PT1H\\r\\n true\\r\\n PT4H\\r\\n \\r\\n 1\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n \\r\\n S-1-5-22-111\\r\\n LeastPrivilege\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n true\\r\\n true\\r\\n true\\r\\n false\\r\\n true\\r\\n \\r\\n false\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n true\\r\\n false\\r\\n PT1H\\r\\n 7\\r\\n \r\n\r\n \r\n 2017-01-01T00:00:00\r\n Microsoft Office\r\n 16.0.0\r\n This task ensures that your Microsoft Office installation can check for feature updates.\r\n \\Microsoft\\Office\\Office Feature Updates\r\n \r\n \r\n \r\n 2017-01-01T02:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T06:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 
2017-01-01T10:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T14:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T18:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T22:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n S-1-5-22-111\r\n LeastPrivilege\r\n \r\n \r\n \r\n IgnoreNew\r\n true\r\n true\r\n true\r\n false\r\n true\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n true\r\n false\r\n PT1H\r\n 7\r\n \r\n\r\n \r\n 2017-01-01T00:00:00\r\n Microsoft Office\r\n 16.0.0\r\n This task ensures that your Microsoft Office installation can check for feature updates.\r\n \\Microsoft\\Office\\Office Feature Updates\r\n \r\n \r\n \r\n 2017-01-01T02:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T06:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T10:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T14:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T18:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n 2017-01-01T22:10:00\r\n PT1H\r\n true\r\n PT4H\r\n \r\n 1\r\n \r\n \r\n \r\n \r\n \r\n S-1-5-22-111\r\n LeastPrivilege\r\n \r\n \r\n \r\n IgnoreNew\r\n true\r\n true\r\n true\r\n false\r\n true\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n true\r\n false\r\n PT1H\r\n 7\r\n