From e588a80052623b19c162eab5ac2dc48b10624c14 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 16:14:14 +0000
Subject: [PATCH] Refresh intakes documentation
---
.../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 67 +++++
...f36d-cee0-4f06-b575-9e43af779f9f_sample.md | 84 ++++++
.../07c556c0-0675-478c-9803-e7990afe78b6.md | 162 +++++++++++
...56c0-0675-478c-9803-e7990afe78b6_sample.md | 86 ++++++
.../19cd2ed6-f90c-47f7-a46b-974354a107bb.md | 110 +++++++
...2ed6-f90c-47f7-a46b-974354a107bb_sample.md | 138 +++++++++
.../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 97 +++++++
...4095-fa08-4101-bb02-e72f870fcbd1_sample.md | 75 +++++
.../35855de3-0728-4a83-ae19-e38e167432a1.md | 24 +-
...5de3-0728-4a83-ae19-e38e167432a1_sample.md | 10 +-
.../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 192 ++++++++++++
...57d3-4689-4fae-8033-6f1f887a70f2_sample.md | 122 ++++++++
.../903ec1b8-f206-4ba5-8563-db21da09cafd.md | 273 +++++++++++++++---
...c1b8-f206-4ba5-8563-db21da09cafd_sample.md | 27 ++
.../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 128 +++++++-
...339f-5dbe-4e68-9fa0-c63661820941_sample.md | 78 ++++-
.../e8ca856f-8a58-490b-bea4-247b12b3d74b.md | 217 ++++++++------
...856f-8a58-490b-bea4-247b12b3d74b_sample.md | 52 ++--
18 files changed, 1776 insertions(+), 166 deletions(-)
diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
index 2afb5754bc..4df3984eae 100644
--- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
+++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
@@ -3091,6 +3091,72 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_device_events_was_remediated.json" + + ```json + + { + "message": "{\"time\": \"2026-04-22T08:55:20.0566356Z\", \"tenantId\": \"11111111-1111-1111-1111-111111111111\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2026-04-22T08:54:07.4544604Z\", \"properties\": {\"DeviceId\": \"abcdef0123456789abcdef0123456789abcdef01\", \"DeviceName\": \"workstation-01\", \"ReportId\": 1792872386, \"InitiatingProcessId\": 0, \"InitiatingProcessCreationTime\": null, \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": \"d476b323caa8be04324c59695c5a37acfa089851\", \"MD5\": \"8a3657a582ae4b798dff61233e589069\", \"FileName\": \"wwwroot.zip\", \"FolderPath\": \"D:\\\\Harp\", \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ThreatName\\\":\\\"Trojan:Win32/Casdet!rfn\\\",\\\"WasExecutingWhileDetected\\\":false,\\\"Action\\\":2,\\\"WasRemediated\\\":true,\\\"SignatureName\\\":\\\"Trojan:Win32/Casdet!rfn\\\",\\\"IsConcrete\\\":true,\\\"ReportSource\\\":\\\"WindowsDefender\\\"}\", \"InitiatingProcessAccountSid\": \"S-1-5-21-1111111111-2222222222-3333333333-1001\", \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": null, \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"AntivirusDetection\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": null, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": 
null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"InitiatingProcessUniqueId\": \"0\", \"Timestamp\": \"2026-04-22T08:53:50.6527771Z\", \"MachineGroup\": \"UnassignedGroup\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2026-04-22T08:53:50.652777Z", + "action": { + "name": "Publish", + "properties": { + "IsInitiatingProcessRemoteSession": "false", + "WasRemediated": true + }, + "type": "AntivirusDetection" + }, + "agent": { + "id": "abcdef0123456789abcdef0123456789abcdef01" + }, + "file": { + "directory": "D:\\Harp", + "hash": { + "md5": "8a3657a582ae4b798dff61233e589069", + "sha1": "d476b323caa8be04324c59695c5a37acfa089851" + }, + "name": "wwwroot.zip" + }, + "host": { + "id": "abcdef0123456789abcdef0123456789abcdef01", + "name": "workstation-01" + }, + "microsoft": { + "defender": { + "report": { + "id": "1792872386" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0, + "user": { + "id": 
"S-1-5-21-1111111111-2222222222-3333333333-1001" + } + }, + "related": { + "hash": [ + "8a3657a582ae4b798dff61233e589069", + "d476b323caa8be04324c59695c5a37acfa089851" + ] + } + } + + ``` + + === "test_device_file_certificate_info.json" ```json @@ -6785,6 +6851,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.UserAgentTags` | `list` | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot | |`action.properties.UserLevelAction` | `keyword` | Action taken on the email in response to matches to a mailbox policy defined by the recipient | |`action.properties.UserLevelPolicy` | `keyword` | End-user mailbox policy that triggered the action taken on the email | +|`action.properties.WasRemediated` | `boolean` | Indicates whether the threat identified was remediated | |`agent.id` | `keyword` | Unique identifier of this agent. | |`agent.version` | `keyword` | Version of the agent. | |`client.geo.city_name` | `keyword` | City name. | diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md index 9340e1421b..8f79c21200 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md 
@@ -2763,6 +2763,90 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_device_events_was_remediated" + + + ```json + { + "time": "2026-04-22T08:55:20.0566356Z", + "tenantId": "11111111-1111-1111-1111-111111111111", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2026-04-22T08:54:07.4544604Z", + "properties": { + "DeviceId": "abcdef0123456789abcdef0123456789abcdef01", + "DeviceName": "workstation-01", + "ReportId": 1792872386, + "InitiatingProcessId": 0, + "InitiatingProcessCreationTime": null, + "InitiatingProcessCommandLine": null, + "InitiatingProcessParentFileName": null, + "InitiatingProcessParentId": 0, + "InitiatingProcessParentCreationTime": null, + "InitiatingProcessSHA1": null, + "InitiatingProcessMD5": null, + "InitiatingProcessFileName": "", + "InitiatingProcessFolderPath": null, + "InitiatingProcessAccountName": null, + "InitiatingProcessAccountDomain": null, + "SHA1": "d476b323caa8be04324c59695c5a37acfa089851", + "MD5": "8a3657a582ae4b798dff61233e589069", + "FileName": "wwwroot.zip", + "FolderPath": "D:\\Harp", + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": "{\"ThreatName\":\"Trojan:Win32/Casdet!rfn\",\"WasExecutingWhileDetected\":false,\"Action\":2,\"WasRemediated\":true,\"SignatureName\":\"Trojan:Win32/Casdet!rfn\",\"IsConcrete\":true,\"ReportSource\":\"WindowsDefender\"}", + "InitiatingProcessAccountSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", + "AppGuardContainerId": null, + "InitiatingProcessSHA256": null, + "SHA256": null, + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "AntivirusDetection", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": null, + "AccountSid": null, + "RemoteDeviceName": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + 
"RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": null, + "InitiatingProcessAccountObjectId": null, + "FileSize": null, + "InitiatingProcessFileSize": null, + "InitiatingProcessVersionInfoCompanyName": null, + "InitiatingProcessVersionInfoProductName": null, + "InitiatingProcessVersionInfoProductVersion": null, + "InitiatingProcessVersionInfoInternalFileName": null, + "InitiatingProcessVersionInfoOriginalFileName": null, + "InitiatingProcessVersionInfoFileDescription": null, + "InitiatingProcessSessionId": null, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "InitiatingProcessUniqueId": "0", + "Timestamp": "2026-04-22T08:53:50.6527771Z", + "MachineGroup": "UnassignedGroup" + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_device_file_certificate_info" diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index dc49552b7b..ed330934fb 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
@@ -365,6 +365,165 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "activity-type-2012.json" + + ```json + + { + "message": "{\"accountId\": \"1111111111111111111\", \"activityType\": 2012, \"agentId\": \"2222222222222222222\", \"createdAt\": \"2026-03-25T13:56:08.271507Z\", \"data\": {\"accountName\": \"ACCOUNT\", \"computerName\": \"EXAMPLE\", \"externalServiceId\": \"app-name\", \"fileContentHash\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"fileDisplayName\": \"virus.exe\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"fullScopeDetails\": \"Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT\", \"fullScopeDetailsPath\": \"Global / ACCOUNT / SITENAME/ WORKSTATION P/P\", \"groupName\": \"WORKSTATION P/P\", \"ipAddress\": null, \"isAlert\": false, \"newStatus\": null, \"originalStatus\": \"mitigated\", \"realUser\": null, \"siteName\": \"SITENAME\", \"sourceType\": \"API\", \"threatClassification\": \"Malware\", \"threatClassificationSource\": \"Static\", \"username\": \"MDR (johndoe@example.com)\"}, \"groupId\": \"3333333333333333333\", \"id\": \"5555555555555555555\", \"primaryDescription\": \"The management user MDR (johndoe@example.com) issued a remediate command to threat virus.exe on agent EXAMPLE.\", \"secondaryDescription\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"siteId\": \"6666666666666666666\", \"threatId\": \"7777777777777777777\", \"updatedAt\": \"2026-03-25T13:56:08.271509Z\", \"userId\": \"4444444444444444444\"}", + "event": { + "action": "User Issued Remediate Command", + "category": [ + "intrusion_detection" + ], + "reason": "The management user MDR (johndoe@example.com) issued a remediate command to threat virus.exe on agent EXAMPLE.", + "type": [ + "info" + ] + }, + "@timestamp": "2026-03-25T13:56:08.271507Z", + "action": { + "type": "2012" + }, + "agent": { + "id": "2222222222222222222" + }, + 
"file": { + "hash": { + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + }, + "name": "virus.exe", + "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe" + }, + "group": { + "id": "3333333333333333333" + }, + "host": { + "name": "EXAMPLE" + }, + "organization": { + "id": "1111111111111111111" + }, + "related": { + "hash": [ + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "MDR (johndoe@example.com)" + ] + }, + "sentinelone": { + "createdAt": "2026-03-25T13:56:08.271507Z", + "data": { + "accountName": "ACCOUNT", + "computerName": "EXAMPLE", + "externalServiceId": "app-name", + "fileDisplayName": "virus.exe", + "fullScopeDetails": "Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT", + "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME/ WORKSTATION P/P", + "groupName": "WORKSTATION P/P", + "originalStatus": "mitigated", + "siteName": "SITENAME", + "threatClassification": "Malware", + "threatClassificationSource": "Static" + }, + "eventid": 5555555555555555555, + "secondaryDescription": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe", + "siteId": 6666666666666666666, + "threatId": "7777777777777777777", + "updatedAt": "2026-03-25T13:56:08.271509Z" + }, + "threat": { + "software": { + "type": "Malware" + } + }, + "user": { + "id": "4444444444444444444", + "name": "MDR (johndoe@example.com)" + } + } + + ``` + + +=== "activity-type-2030.json" + + ```json + + { + "message": "{\"accountId\": \"1111111111111111111\", \"activityType\": 2030, \"agentId\": \"2222222222222222222\", \"createdAt\": \"2026-03-25T13:56:05.063212Z\", \"data\": {\"accountName\": \"ACCOUNT\", \"computerName\": \"EXAMPLE\", \"escapedMaliciousProcessArguments\": \"\\\"\\\\\\\"H:\\\\\\\\Archive\\\\\\\\Photos\\\\\\\\1.png\\\\\\\"\\\"\", \"externalServiceId\": \"app-name\", \"fileDisplayName\": \"virus.exe\", \"filePath\": \"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\virus.exe\", \"fullScopeDetails\": \"Group 
WORKSTATION P/P in Site SITENAME of Account ACCOUNT\", \"fullScopeDetailsPath\": \"Global / ACCOUNT / SITENAME / WORKSTATION P/P\", \"groupName\": \"WORKSTATION P/P\", \"ipAddress\": null, \"newAnalystVerdict\": \"true_positive\", \"newAnalystVerdictTitle\": \"True positive\", \"oldAnalystVerdict\": \"undefined\", \"oldAnalystVerdictTitle\": \"Undefined\", \"realUser\": null, \"siteName\": \"SITENAME\", \"sourceType\": \"API\", \"threatClassification\": \"Malware\", \"threatClassificationSource\": \"Static\", \"username\": \"MDR (johndoe@example.com)\"}, \"groupId\": \"3333333333333333333\", \"id\": \"5555555555555555555\", \"primaryDescription\": \"The management user MDR (johndoe@example.com) changed the analyst verdict for virus.exe from Undefined to True positive.\", \"siteId\": \"6666666666666666666\", \"threatId\": \"7777777777777777777\", \"updatedAt\": \"2026-03-25T13:56:05.063214Z\", \"userId\": \"4444444444444444444\"}", + "event": { + "action": "Analyst Verdict Changes", + "category": [ + "intrusion_detection" + ], + "reason": "The management user MDR (johndoe@example.com) changed the analyst verdict for virus.exe from Undefined to True positive.", + "type": [ + "info" + ] + }, + "@timestamp": "2026-03-25T13:56:05.063212Z", + "action": { + "type": "2030" + }, + "agent": { + "id": "2222222222222222222" + }, + "file": { + "name": "virus.exe", + "path": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe" + }, + "group": { + "id": "3333333333333333333" + }, + "host": { + "name": "EXAMPLE" + }, + "organization": { + "id": "1111111111111111111" + }, + "related": { + "user": [ + "MDR (johndoe@example.com)" + ] + }, + "sentinelone": { + "createdAt": "2026-03-25T13:56:05.063212Z", + "data": { + "accountName": "ACCOUNT", + "computerName": "EXAMPLE", + "escapedMaliciousProcessArguments": "\"\\\"H:\\\\Archive\\\\Photos\\\\1.png\\\"\"", + "externalServiceId": "app-name", + "fileDisplayName": "virus.exe", + "fullScopeDetails": "Group WORKSTATION P/P in 
Site SITENAME of Account ACCOUNT", + "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME / WORKSTATION P/P", + "groupName": "WORKSTATION P/P", + "newAnalystVerdict": "true_positive", + "oldAnalystVerdict": "undefined", + "siteName": "SITENAME", + "threatClassification": "Malware", + "threatClassificationSource": "Static" + }, + "eventid": 5555555555555555555, + "siteId": 6666666666666666666, + "threatId": "7777777777777777777", + "updatedAt": "2026-03-25T13:56:05.063214Z" + }, + "threat": { + "software": { + "type": "Malware" + } + }, + "user": { + "id": "4444444444444444444", + "name": "MDR (johndoe@example.com)" + } + } + + ``` + + === "activity-type-25.json" ```json @@ -3957,6 +4116,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.exclusionType` | `keyword` | | |`sentinelone.data.expiration` | `keyword` | | |`sentinelone.data.externalIp` | `keyword` | | +|`sentinelone.data.externalServiceId` | `keyword` | | |`sentinelone.data.externalip` | `keyword` | | |`sentinelone.data.fileDisplayName` | `keyword` | | |`sentinelone.data.fullScopeDetails` | `keyword` | | @@ -4002,10 +4162,12 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.modulepath` | `keyword` | | |`sentinelone.data.modulesha1` | `keyword` | | |`sentinelone.data.neteventdirection` | `keyword` | | +|`sentinelone.data.newAnalystVerdict` | `keyword` | | |`sentinelone.data.newGroupId` | `keyword` | | |`sentinelone.data.newGroupName` | `keyword` | | |`sentinelone.data.newStatus` | `keyword` | | |`sentinelone.data.numberOfEvents` | `int` | | +|`sentinelone.data.oldAnalystVerdict` | `keyword` | | |`sentinelone.data.oldGroupId` | `keyword` | | |`sentinelone.data.oldGroupName` | `keyword` | | |`sentinelone.data.order` | `long` | | 
diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md index 2faf4ae1c8..648c014bf6 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md 
@@ -220,6 +220,92 @@ In this section, you will find examples of raw logs as generated natively by the +=== "activity-type-2012" + + + ```json + { + "accountId": "1111111111111111111", + "activityType": 2012, + "agentId": "2222222222222222222", + "createdAt": "2026-03-25T13:56:08.271507Z", + "data": { + "accountName": "ACCOUNT", + "computerName": "EXAMPLE", + "externalServiceId": "app-name", + "fileContentHash": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "fileDisplayName": "virus.exe", + "filePath": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe", + "fullScopeDetails": "Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT", + "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME/ WORKSTATION P/P", + "groupName": "WORKSTATION P/P", + "ipAddress": null, + "isAlert": false, + "newStatus": null, + "originalStatus": "mitigated", + "realUser": null, + "siteName": "SITENAME", + "sourceType": "API", + "threatClassification": "Malware", + "threatClassificationSource": "Static", + "username": "MDR (johndoe@example.com)" + }, + "groupId": "3333333333333333333", + "id": "5555555555555555555", + "primaryDescription": "The management user MDR (johndoe@example.com) issued a remediate command to threat virus.exe on agent EXAMPLE.", + "secondaryDescription": "\\Device\\HarddiskVolume3\\Program Files\\WindowsApps\\virus.exe", + "siteId": "6666666666666666666", + "threatId": "7777777777777777777", + "updatedAt": "2026-03-25T13:56:08.271509Z", + "userId": "4444444444444444444" + } + ``` + + + +=== "activity-type-2030" + + + ```json + { + "accountId": "1111111111111111111", + "activityType": 2030, + "agentId": "2222222222222222222", + "createdAt": "2026-03-25T13:56:05.063212Z", + "data": { + "accountName": "ACCOUNT", + "computerName": "EXAMPLE", + "escapedMaliciousProcessArguments": "\"\\\"H:\\\\Archive\\\\Photos\\\\1.png\\\"\"", + "externalServiceId": "app-name", + "fileDisplayName": "virus.exe", + "filePath": "\\Device\\HarddiskVolume3\\Program 
Files\\WindowsApps\\virus.exe", + "fullScopeDetails": "Group WORKSTATION P/P in Site SITENAME of Account ACCOUNT", + "fullScopeDetailsPath": "Global / ACCOUNT / SITENAME / WORKSTATION P/P", + "groupName": "WORKSTATION P/P", + "ipAddress": null, + "newAnalystVerdict": "true_positive", + "newAnalystVerdictTitle": "True positive", + "oldAnalystVerdict": "undefined", + "oldAnalystVerdictTitle": "Undefined", + "realUser": null, + "siteName": "SITENAME", + "sourceType": "API", + "threatClassification": "Malware", + "threatClassificationSource": "Static", + "username": "MDR (johndoe@example.com)" + }, + "groupId": "3333333333333333333", + "id": "5555555555555555555", + "primaryDescription": "The management user MDR (johndoe@example.com) changed the analyst verdict for virus.exe from Undefined to True positive.", + "siteId": "6666666666666666666", + "threatId": "7777777777777777777", + "updatedAt": "2026-03-25T13:56:05.063214Z", + "userId": "4444444444444444444" + } + ``` + + + === "activity-type-25" diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index 3caa288f8c..e6f2ae42c7 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md 
@@ -2196,6 +2196,116 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "sign-in_activity8.json" + + ```json + + { + "message": "{\"time\": \"2026-05-17T03:43:48.5122452Z\", \"resourceId\": \"/tenants/55555555-5555-5555-5555-555555555555/providers/Microsoft.aadiam\", \"operationName\": \"Sign-in activity\", \"operationVersion\": \"1.0\", \"category\": \"MicrosoftServicePrincipalSignInLogs\", \"tenantId\": \"55555555-5555-5555-5555-555555555555\", \"resultType\": \"50053\", \"resultSignature\": \"FAILURE\", \"resultDescription\": \"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\", \"durationMs\": 0, \"callerIpAddress\": \"1.1.1.1\", \"correlationId\": \"44444444-4444-4444-4444-444444444444\", \"level\": \"4\", \"location\": \"KZ\", \"properties\": {\"id\": \"66666666-6666-6666-6666-666666666666\", \"createdDateTime\": \"2026-05-17T03:42:49.402236+00:00\", \"userDisplayName\": \"\", \"userPrincipalName\": \"\", \"userId\": \"\", \"agent\": {\"agentType\": \"notAgentic\", \"agentSubjectType\": \"notAgentic\"}, \"appId\": \"22222222-2222-2222-2222-222222222222\", \"appDisplayName\": \"Office 365 Exchange Online\", \"ipAddress\": \"1.1.1.1\", \"ipAddressFromResourceProvider\": \"\", \"status\": {\"errorCode\": 50053, \"failureReason\": \"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\"}, \"clientAppUsed\": \"Unknown\", \"userAgent\": \"AGENT_NAME\", \"deviceDetail\": {\"deviceId\": \"\", \"operatingSystem\": \"\", \"browser\": \"\", \"isCompliant\": false, \"isManaged\": false, \"trustType\": \"Azure AD registered\"}, \"location\": {\"city\": \"Astana\", \"state\": \"Astana\", \"countryOrRegion\": \"KZ\", \"geoCoordinates\": {\"latitude\": 51.16667175292969, \"longitude\": 71.44999694824219}}, \"correlationId\": \"44444444-4444-4444-4444-444444444444\", \"conditionalAccessStatus\": \"notApplied\", 
\"appliedConditionalAccessPolicies\": [], \"authenticationContextClassReferences\": [], \"originalRequestId\": \"66666666-6666-6666-6666-666666666666\", \"isInteractive\": false, \"tokenIssuerName\": \"\", \"tokenIssuerType\": \"AzureAD\", \"authenticationProcessingDetails\": [{\"key\": \"Legacy TLS (TLS 1.0, 1.1, 3DES)\", \"value\": \"False\"}, {\"key\": \"Is Legacy Store Used\", \"value\": \"False\"}, {\"key\": \"Is CAE Token\", \"value\": \"False\"}], \"clientCredentialType\": \"clientAssertion\", \"processingTimeInMilliseconds\": 55, \"riskDetail\": \"none\", \"riskLevelAggregated\": \"none\", \"riskLevelDuringSignIn\": \"high\", \"riskState\": \"none\", \"riskEventTypes\": [], \"riskEventTypes_v2\": [], \"resourceDisplayName\": \"Office 365 Exchange Online\", \"resourceId\": \"22222222-2222-2222-2222-222222222222\", \"resourceTenantId\": \"55555555-5555-5555-5555-555555555555\", \"homeTenantId\": \"55555555-5555-5555-5555-555555555555\", \"tenantId\": \"55555555-5555-5555-5555-555555555555\", \"homeTenantName\": \"\", \"authenticationDetails\": [], \"authenticationRequirementPolicies\": [], \"sessionLifetimePolicies\": [], \"authenticationRequirement\": \"\", \"alternateSignInName\": \"john.doe@example.com\", \"signInIdentifier\": \"john.doe@example.com\", \"servicePrincipalName\": \"Office 365 Exchange Online\", \"signInEventTypes\": [\"servicePrincipal\"], \"servicePrincipalId\": \"11111111-1111-1111-1111-111111111111\", \"federatedCredentialId\": \"\", \"userType\": \"Member\", \"flaggedForReview\": false, \"isTenantRestricted\": false, \"autonomousSystemNumber\": 9123, \"crossTenantAccessType\": \"none\", \"privateLinkDetails\": {}, \"servicePrincipalCredentialKeyId\": \"\", \"servicePrincipalCredentialThumbprint\": \"\", \"uniqueTokenIdentifier\": \"REDACTED\", \"authenticationStrengths\": [], \"incomingTokenType\": \"none\", \"authenticationProtocol\": \"none\", \"appServicePrincipalId\": null, \"resourceServicePrincipalId\": 
\"11111111-1111-1111-1111-111111111111\", \"signInTokenProtectionStatus\": \"none\", \"tokenProtectionStatusDetails\": {\"signInSessionStatus\": \"none\", \"signInSessionStatusCode\": 0}, \"originalTransferMethod\": \"none\", \"isThroughGlobalSecureAccess\": false, \"globalSecureAccessIpAddress\": \"\", \"conditionalAccessAudiences\": [], \"sessionId\": \"\", \"appOwnerTenantId\": \"33333333-3333-3333-3333-333333333333\", \"resourceOwnerTenantId\": \"33333333-3333-3333-3333-333333333333\", \"sourceAppClientId\": \"\", \"redirectUrl\": \"\"}}", + "event": { + "action": "Sign-in activity", + "category": [ + "authentication" + ], + "outcome": "failure", + "reason": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.", + "type": [ + "start" + ] + }, + "@timestamp": "2026-05-17T03:43:48.512245Z", + "action": { + "name": "Sign-in activity", + "outcome": "failure" + }, + "azuread": { + "authenticationDetails": [], + "callerIpAddress": "1.1.1.1", + "category": "MicrosoftServicePrincipalSignInLogs", + "correlationId": "44444444-4444-4444-4444-444444444444", + "durationMs": 0, + "operationName": "Sign-in activity", + "operationVersion": "1.0", + "properties": { + "appDisplayName": "Office 365 Exchange Online", + "appId": "22222222-2222-2222-2222-222222222222", + "authenticationProtocol": "none", + "conditionalAccessStatus": "notApplied", + "correlationId": "44444444-4444-4444-4444-444444444444", + "deviceDetail": { + "isCompliant": false, + "isManaged": false, + "trustType": "Azure AD registered" + }, + "id": "66666666-6666-6666-6666-666666666666", + "incomingTokenType": "none", + "original_transfer_method": "none", + "resourceId": "22222222-2222-2222-2222-222222222222", + "resourceOwnerTenantId": "33333333-3333-3333-3333-333333333333", + "riskDetail": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "high", + "riskState": "none", + "servicePrincipalId": 
"11111111-1111-1111-1111-111111111111", + "servicePrincipalName": "Office 365 Exchange Online", + "status": { + "errorCode": "50053", + "failureReason": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password." + }, + "tokenIssuerType": "AzureAD", + "uniqueTokenIdentifier": "REDACTED", + "userType": "Member" + }, + "resourceId": "/tenants/55555555-5555-5555-5555-555555555555/providers/Microsoft.aadiam", + "resultDescription": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.", + "resultSignature": "FAILURE", + "tenantId": "55555555-5555-5555-5555-555555555555" + }, + "error": { + "code": "50053", + "message": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password." + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "service": { + "name": "Office 365 Exchange Online", + "type": "ldap" + }, + "source": { + "address": "1.1.1.1", + "geo": { + "city_name": "Astana", + "location": { + "lat": 51.16667175292969, + "lon": 71.44999694824219 + }, + "region_name": "Astana" + }, + "ip": "1.1.1.1" + }, + "user": { + "email": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "AGENT_NAME", + "os": { + "name": "Other" + } + } + } + + ``` + + === "update_ststoken.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md index ef683ef9eb..0fbc2347b9 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md 
@@ -2873,6 +2873,144 @@ In this section, you will find examples of raw logs as generated natively by the +=== "sign-in_activity8" + + + ```json + { + "time": "2026-05-17T03:43:48.5122452Z", + "resourceId": "/tenants/55555555-5555-5555-5555-555555555555/providers/Microsoft.aadiam", + "operationName": "Sign-in activity", + "operationVersion": "1.0", + "category": "MicrosoftServicePrincipalSignInLogs", + "tenantId": "55555555-5555-5555-5555-555555555555", + "resultType": "50053", + "resultSignature": "FAILURE", + "resultDescription": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.", + "durationMs": 0, + "callerIpAddress": "1.1.1.1", + "correlationId": "44444444-4444-4444-4444-444444444444", + "level": "4", + "location": "KZ", + "properties": { + "id": "66666666-6666-6666-6666-666666666666", + "createdDateTime": "2026-05-17T03:42:49.402236+00:00", + "userDisplayName": "", + "userPrincipalName": "", + "userId": "", + "agent": { + "agentType": "notAgentic", + "agentSubjectType": "notAgentic" + }, + "appId": "22222222-2222-2222-2222-222222222222", + "appDisplayName": "Office 365 Exchange Online", + "ipAddress": "1.1.1.1", + "ipAddressFromResourceProvider": "", + "status": { + "errorCode": 50053, + "failureReason": "The account is locked, you've tried to sign in too many times with an incorrect user ID or password." 
+ }, + "clientAppUsed": "Unknown", + "userAgent": "AGENT_NAME", + "deviceDetail": { + "deviceId": "", + "operatingSystem": "", + "browser": "", + "isCompliant": false, + "isManaged": false, + "trustType": "Azure AD registered" + }, + "location": { + "city": "Astana", + "state": "Astana", + "countryOrRegion": "KZ", + "geoCoordinates": { + "latitude": 51.16667175292969, + "longitude": 71.44999694824219 + } + }, + "correlationId": "44444444-4444-4444-4444-444444444444", + "conditionalAccessStatus": "notApplied", + "appliedConditionalAccessPolicies": [], + "authenticationContextClassReferences": [], + "originalRequestId": "66666666-6666-6666-6666-666666666666", + "isInteractive": false, + "tokenIssuerName": "", + "tokenIssuerType": "AzureAD", + "authenticationProcessingDetails": [ + { + "key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", + "value": "False" + }, + { + "key": "Is Legacy Store Used", + "value": "False" + }, + { + "key": "Is CAE Token", + "value": "False" + } + ], + "clientCredentialType": "clientAssertion", + "processingTimeInMilliseconds": 55, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "high", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Office 365 Exchange Online", + "resourceId": "22222222-2222-2222-2222-222222222222", + "resourceTenantId": "55555555-5555-5555-5555-555555555555", + "homeTenantId": "55555555-5555-5555-5555-555555555555", + "tenantId": "55555555-5555-5555-5555-555555555555", + "homeTenantName": "", + "authenticationDetails": [], + "authenticationRequirementPolicies": [], + "sessionLifetimePolicies": [], + "authenticationRequirement": "", + "alternateSignInName": "john.doe@example.com", + "signInIdentifier": "john.doe@example.com", + "servicePrincipalName": "Office 365 Exchange Online", + "signInEventTypes": [ + "servicePrincipal" + ], + "servicePrincipalId": "11111111-1111-1111-1111-111111111111", + "federatedCredentialId": "", + "userType": "Member", + 
"flaggedForReview": false, + "isTenantRestricted": false, + "autonomousSystemNumber": 9123, + "crossTenantAccessType": "none", + "privateLinkDetails": {}, + "servicePrincipalCredentialKeyId": "", + "servicePrincipalCredentialThumbprint": "", + "uniqueTokenIdentifier": "REDACTED", + "authenticationStrengths": [], + "incomingTokenType": "none", + "authenticationProtocol": "none", + "appServicePrincipalId": null, + "resourceServicePrincipalId": "11111111-1111-1111-1111-111111111111", + "signInTokenProtectionStatus": "none", + "tokenProtectionStatusDetails": { + "signInSessionStatus": "none", + "signInSessionStatusCode": 0 + }, + "originalTransferMethod": "none", + "isThroughGlobalSecureAccess": false, + "globalSecureAccessIpAddress": "", + "conditionalAccessAudiences": [], + "sessionId": "", + "appOwnerTenantId": "33333333-3333-3333-3333-333333333333", + "resourceOwnerTenantId": "33333333-3333-3333-3333-333333333333", + "sourceAppClientId": "", + "redirectUrl": "" + } + } + ``` + + + === "update_ststoken" diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index b859950350..995d1c38b2 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md 
@@ -1749,6 +1749,102 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "windows_ntlm.json" + + ```json + + { + "message": "{\"action\":{\"properties\":{\"AvFlags\":\"0x6\",\"AvFlagsStr\":\"MIC Provided, Target unverified\",\"ChannelBindingStatus\":\"Supported\",\"ClientIP\":\"192.0.2.68\",\"ClientNetworkName\":\"Null\",\"DomainName\":\"example\",\"Keywords\":\"0x8000000000000000\",\"Mic Status\":\"Protected\",\"NegotiatedFlags\":\"0xE2888215\",\"NtlmVersion\":\"NTLMv2\",\"ProcessName\":\"svchost\",\"ProcessPID\":\"0x758\",\"ProviderGuid\":\"{AC43300D-5FCC-4800-8E99-1BD3F85F0320}\",\"RemoteClientMachine\":\"SERVER01\",\"ServiceBinding\":\"HOSTNAME.example.com\",\"SessionKeyStatus\":\"Present\",\"Severity\":\"WARNING\",\"SourceName\":\"Microsoft-Windows-NTLM\",\"Status\":\"0xC000015B\",\"StatusMsg\":\"A user has requested a type of logon (e.g., interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.\",\"TargetDomain\":\"RPCSS/host02.example.com\",\"TargetMachine\":\"example.com\",\"Username\":\"testuser\"},\"id\":4023},\"event\":{\"provider\":\"Microsoft-Windows-NTLM\",\"code\":4023},\"agent\":{\"id\":\"927d2332e633af996810d527e758d1a6cf19c049130f44c6fe6a7cf805882e46\",\"version\":\"v1.9.1+5107dad0124d33e6131b4b7e372893087aca50d3\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"HOSTNAME\",\"ip\":[\"fe80::216b:582d:261d:ca03\",\"198.51.100.128\"]},\"process\":{\"hash\":{\"md5\":\"85d4d595fe7dc3ed6213adf32b83dc73\",\"sha1\":\"b09abc0b6e7de15151057b4ac75a9051fa9fdea9\",\"sha256\":\"0d8420567f868b7df9d89567dbf8f86f1a7df51fc8719d28cb904b0b066d20f2\"},\"thread\":{\"id\":35748},\"executable\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"name\":\"lsass.exe\",\"pid\":1548},\"sekoiaio\":{\"process\":{\"guid\":\"692339c1-152c-5d2f-9458-e4ee11934f81\"}},\"@timestamp\":\"2026-05-11T08:23:36.6425808Z\"}", + "event": { + "code": "4023", + "provider": 
"Microsoft-Windows-NTLM" + }, + "@timestamp": "2026-05-11T08:23:36.642580Z", + "action": { + "id": 4023, + "properties": { + "AvFlags": "0x6", + "AvFlagsStr": "MIC Provided, Target unverified", + "ChannelBindingStatus": "Supported", + "ClientIP": "192.0.2.68", + "ClientNetworkName": "Null", + "DomainName": "example", + "Keywords": "0x8000000000000000", + "Mic Status": "Protected", + "NegotiatedFlags": "0xE2888215", + "NtlmVersion": "NTLMv2", + "ProcessName": "svchost", + "ProcessPID": "0x758", + "ProviderGuid": "{AC43300D-5FCC-4800-8E99-1BD3F85F0320}", + "RemoteClientMachine": "SERVER01", + "ServiceBinding": "HOSTNAME.example.com", + "SessionKeyStatus": "Present", + "Severity": "WARNING", + "SourceName": "Microsoft-Windows-NTLM", + "Status": "0xC000015B", + "StatusMsg": "A user has requested a type of logon (e.g., interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.", + "TargetDomain": "RPCSS/host02.example.com", + "TargetMachine": "example.com", + "Username": "testuser" + } + }, + "agent": { + "id": "927d2332e633af996810d527e758d1a6cf19c049130f44c6fe6a7cf805882e46", + "version": "v1.9.1+5107dad0124d33e6131b4b7e372893087aca50d3" + }, + "host": { + "hostname": "hostname", + "ip": [ + "198.51.100.128", + "fe80::216b:582d:261d:ca03" + ], + "name": "hostname", + "os": { + "type": "windows" + } + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "hash": { + "md5": "85d4d595fe7dc3ed6213adf32b83dc73", + "sha1": "b09abc0b6e7de15151057b4ac75a9051fa9fdea9", + "sha256": "0d8420567f868b7df9d89567dbf8f86f1a7df51fc8719d28cb904b0b066d20f2" + }, + "name": "lsass.exe", + "pid": 1548, + "thread": { + "id": 35748 + } + }, + "related": { + "hash": [ + "0d8420567f868b7df9d89567dbf8f86f1a7df51fc8719d28cb904b0b066d20f2", + "85d4d595fe7dc3ed6213adf32b83dc73", + "b09abc0b6e7de15151057b4ac75a9051fa9fdea9" + ], + "hosts": [ + "hostname" + ], + "ip": [ + "192.0.2.68", + "198.51.100.128", 
+ "fe80::216b:582d:261d:ca03" + ] + }, + "sekoiaio": { + "process": { + "guid": "692339c1-152c-5d2f-9458-e4ee11934f81" + } + }, + "source": { + "address": "192.0.2.68", + "ip": "192.0.2.68" + } + } + + ``` + + @@ -1792,6 +1888,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sekoiaio.client.name` | `keyword` | Name of the client | |`sekoiaio.server.name` | `keyword` | Name of the server | |`sekoiaio.server.os.type` | `keyword` | OS type of the server | +|`source.ip` | `ip` | IP address of the source. | |`tags` | `keyword` | List of keywords used to tag each event. | |`user.target.domain` | `keyword` | Name of the directory the user is a member of. | |`user.target.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md index 029aa41930..d606e3bfbc 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1_sample.md 
@@ -1324,3 +1324,78 @@ In this section, you will find examples of raw logs as generated natively by the +=== "windows_ntlm" + + + ```json + { + "action": { + "properties": { + "AvFlags": "0x6", + "AvFlagsStr": "MIC Provided, Target unverified", + "ChannelBindingStatus": "Supported", + "ClientIP": "192.0.2.68", + "ClientNetworkName": "Null", + "DomainName": "example", + "Keywords": "0x8000000000000000", + "Mic Status": "Protected", + "NegotiatedFlags": "0xE2888215", + "NtlmVersion": "NTLMv2", + "ProcessName": "svchost", + "ProcessPID": "0x758", + "ProviderGuid": "{AC43300D-5FCC-4800-8E99-1BD3F85F0320}", + "RemoteClientMachine": "SERVER01", + "ServiceBinding": "HOSTNAME.example.com", + "SessionKeyStatus": "Present", + "Severity": "WARNING", + "SourceName": "Microsoft-Windows-NTLM", + "Status": "0xC000015B", + "StatusMsg": "A user has requested a type of logon (e.g., interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.", + "TargetDomain": "RPCSS/host02.example.com", + "TargetMachine": "example.com", + "Username": "testuser" + }, + "id": 4023 + }, + "event": { + "provider": "Microsoft-Windows-NTLM", + "code": 4023 + }, + "agent": { + "id": "927d2332e633af996810d527e758d1a6cf19c049130f44c6fe6a7cf805882e46", + "version": "v1.9.1+5107dad0124d33e6131b4b7e372893087aca50d3" + }, + "host": { + "os": { + "type": "windows" + }, + "hostname": "HOSTNAME", + "ip": [ + "fe80::216b:582d:261d:ca03", + "198.51.100.128" + ] + }, + "process": { + "hash": { + "md5": "85d4d595fe7dc3ed6213adf32b83dc73", + "sha1": "b09abc0b6e7de15151057b4ac75a9051fa9fdea9", + "sha256": "0d8420567f868b7df9d89567dbf8f86f1a7df51fc8719d28cb904b0b066d20f2" + }, + "thread": { + "id": 35748 + }, + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 1548 + }, + "sekoiaio": { + "process": { + "guid": "692339c1-152c-5d2f-9458-e4ee11934f81" + } + }, + "@timestamp": "2026-05-11T08:23:36.6425808Z" + } + ``` 
+ + + diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md index 7f85a5909a..72590dc267 100644 --- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md +++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md @@ -243,6 +243,26 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_miscellaneous_7.json" + + ```json + + { + "message": "conn=91520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=", + "event": { + "action": "search result", + "category": [ + "network" + ], + "type": [ + "info" + ] + } + } + + ``` + + === "test_mod_1.json" ```json @@ -300,7 +320,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "\" conn=6521 op=3 SRCH base=\"\"ou=people,ou=IN,o=example\"\" scope=2 deref=0 filter=\"\"(&(exampleRole=example_admin)(uid=mhs))\"\"\"", + "message": "\" conn=6521 op=3 SRCH base=\"\"ou=people,ou=IN,o=internal,dc=test\"\" scope=2 deref=0 filter=\"\"(&(exampleRole=example_admin)(uid=mhs))\"\"\"", "event": { "action": "srch", "category": [ @@ -311,7 +331,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "domain": "people.IN.example" + "domain": "people.IN.internal.test" } } diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1_sample.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1_sample.md index 6b8066f3a3..b52a4adfb7 100644 --- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1_sample.md +++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1_sample.md 
@@ -76,6 +76,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_miscellaneous_7" + + ``` + conn=91520 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= + ``` + + + === "test_mod_1" ``` @@ -95,7 +103,7 @@ In this section, you will find examples of raw logs as generated natively by the === "test_search_1" ``` - " conn=6521 op=3 SRCH base=""ou=people,ou=IN,o=example"" scope=2 deref=0 filter=""(&(exampleRole=example_admin)(uid=mhs))""" + " conn=6521 op=3 SRCH base=""ou=people,ou=IN,o=internal,dc=test"" scope=2 deref=0 filter=""(&(exampleRole=example_admin)(uid=mhs))""" ``` diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 83f629b7da..0258e39ea1 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md 
@@ -2780,6 +2780,115 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "network7.json" + + ```json + + { + "message": "{\"@event_create_date\": \"2026-03-27T12:54:52.265072Z\", \"@timestamp\": \"2026-03-27T12:50:09.925801+00:00\", \"conn_type\": 0, \"connection_closed_time\": \"2026-03-27T12:54:52.713756Z\", \"connection_start_time\": \"2026-03-27T12:54:52.265072Z\", \"connection_successful\": true, \"connection_unique_id\": \"11111111-1111-1111-1111-111111111111\", \"daddr\": \"1.2.3.4\", \"daddr_geoip\": {\"as_org\": \"ANONYMIZED\", \"country_code\": \"US\", \"country_name\": \"United States\"}, \"direction\": \"out\", \"dnames\": [\"one.example.org\", \"two.example.org\", \"three.example.org\", \"four.example.org\"], \"dport\": 80, \"event_id\": 8194, \"groups\": [], \"image_name\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"incoming_bytes\": 37995, \"initiated\": true, \"is_ipv6\": false, \"kind\": \"complete\", \"log_type\": \"network\", \"outgoing_bytes\": 300, \"pid\": 18952, \"process_unique_id\": \"33333333-3333-3333-3333-333333333333\", \"saddr\": \"2.2.2.2\", \"saddr_geoip\": {}, \"sport\": 64083, \"timestamp\": \"2026-03-27T12:54:52.265072Z\", \"username\": \"NT AUTHORITY\\\\NETWORK SERVICE\", \"tenant\": \"REDACTED\", \"agent\": {\"additional_info\": {}, \"agentid\": \"22222222-2222-2222-2222-222222222222\", \"dnsdomainname\": \"example.net\", \"domainname\": \"EXAMPLE\", \"hostname\": \"HOSTNAME\", \"ipaddress\": \"2.2.2.2\", \"osproducttype\": \"Windows 11 Pro\", \"ostype\": \"windows\", \"osversion\": \"10.0.26100\", \"producttype\": \"workstation\", \"version\": \"5.5.25\"}}", + "event": { + "category": [ + "network" + ], + "code": "8194", + "dataset": "network", + "type": [ + "connection" + ] + }, + "@timestamp": "2026-03-27T12:54:52.265072Z", + "agent": { + "id": "22222222-2222-2222-2222-222222222222", + "name": "harfanglab" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + 
"port": 80 + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "one.example.org", + "name": "4.3.2.1.in-addr.arpa", + "type": "PTR" + }, + { + "class": "IN", + "data": "two.example.org", + "name": "4.3.2.1.in-addr.arpa", + "type": "PTR" + }, + { + "class": "IN", + "data": "three.example.org", + "name": "4.3.2.1.in-addr.arpa", + "type": "PTR" + }, + { + "class": "IN", + "data": "four.example.org", + "name": "4.3.2.1.in-addr.arpa", + "type": "PTR" + } + ] + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "HOSTNAME", + "ip": [ + "2.2.2.2" + ], + "name": "HOSTNAME", + "os": { + "full": "Windows 11 Pro", + "type": "windows", + "version": "10.0.26100" + } + }, + "log": { + "hostname": "HOSTNAME" + }, + "network": { + "direction": "outbound" + }, + "organization": { + "id": "REDACTED" + }, + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "pid": 18952 + }, + "related": { + "hosts": [ + "HOSTNAME" + ], + "ip": [ + "1.2.3.4", + "2.2.2.2" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 64083 + }, + "user": { + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" + } + } + + ``` + + === "powershell.json" ```json 
@@ -2837,6 +2946,86 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "powershell_2.json" + + ```json + + { + "message": "{\"@event_create_date\": \"2026-04-22T09:30:38.636093Z\", \"@timestamp\": \"2026-04-22T09:30:44.133930+00:00\", \"groups\": [{\"id\": \"33333333-3333-3333-3333-333333333333\", \"name\": \"Poste utilisateur\"}], \"hashes\": {\"md5\": \"68b329da9893e34099c7d8ad5cb9c940\", \"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"}, \"incomplete\": false, \"log_type\": \"powershell\", \"pid\": 65724, \"process_image_path\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"process_unique_id\": \"44444444-4444-4444-4444-444444444444\", \"script_block\": \"REDACTED\", \"script_path\": \"C:\\\\Users\\\\JohnDoe\\\\AppData\\\\Local\\\\Temp\\\\ps-script-11111111-1111-1111-1111-111111111111.ps1\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"signature_info\": {\"root_info\": {\"display_name\": \"\", \"issuer_name\": \"\", \"not_after\": \"1970-01-01T00:00:00Z\", \"not_before\": \"1970-01-01T00:00:00Z\"}, \"signed_authenticode\": false, \"signed_catalog\": false, \"signer_info\": {\"display_name\": \"\", \"issuer_name\": \"\", \"not_after\": \"1970-01-01T00:00:00Z\", \"not_before\": \"1970-01-01T00:00:00Z\"}}, \"signed\": false, \"tenant\": \"TENANT\", \"agent\": {\"additional_info\": {}, \"agentid\": \"22222222-2222-2222-2222-222222222222\", \"domainname\": \"WORKGROUP\", \"hostname\": \"EXAMPLE\", \"ipaddress\": \"1.1.1.1\", \"osproducttype\": \"Windows 11 Pro\", \"ostype\": \"windows\", \"osversion\": \"10.0.26200\", \"producttype\": \"workstation\", \"version\": \"5.6.44\"}}", + "event": { + "dataset": "powershell" + }, + "@timestamp": "2026-04-22T09:30:38.636093Z", + "action": { + "properties": { + "Path": 
"C:\\Users\\JohnDoe\\AppData\\Local\\Temp\\ps-script-11111111-1111-1111-1111-111111111111.ps1", + "ScriptBlockText": "REDACTED" + } + }, + "agent": { + "id": "22222222-2222-2222-2222-222222222222", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } + }, + "harfanglab": { + "groups": [ + "{\"id\":\"33333333-3333-3333-3333-333333333333\",\"name\":\"Poste utilisateur\"}" + ], + "signature": { + "signed_authenticode": false, + "signed_catalog": false + } + }, + "host": { + "domain": "WORKGROUP", + "hostname": "EXAMPLE", + "ip": [ + "1.1.1.1" + ], + "name": "EXAMPLE", + "os": { + "full": "Windows 11 Pro", + "type": "windows", + "version": "10.0.26200" + } + }, + "log": { + "hostname": "EXAMPLE" + }, + "organization": { + "id": "TENANT" + }, + "process": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 65724 + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "hosts": [ + "EXAMPLE" + ], + "ip": [ + "1.1.1.1" + ] + }, + "user": { + "roles": "Posteutilisateur" + } + } + + ``` + + === "process-event.json" ```json @@ -5841,6 +6030,7 @@ The following table lists the fields that are extracted, normalized under the EC |`dll.hash.sha256` | `keyword` | SHA256 hash. | |`dll.name` | `keyword` | Name of the library. | |`dll.path` | `keyword` | Full file path of the library. | +|`dns.answers` | `object` | Array of DNS answers. | |`dns.question.name` | `keyword` | The name being queried. | |`dns.question.type` | `keyword` | The type of record being queried. | |`dns.resolved_ip` | `ip` | Array containing all IPs seen in answers.data | 
@@ -5899,6 +6089,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed |
 |`harfanglab.process.powershell.script_path` | `keyword` | The powershell script path |
 |`harfanglab.rule_level` | `keyword` | Rule level |
+|`harfanglab.signature.signed_authenticode` | `boolean` | |
+|`harfanglab.signature.signed_catalog` | `boolean` | |
 |`harfanglab.status` | `keyword` | The status of the event |
 |`harfanglab.threat_id` | `keyword` | Id of the threat |
 |`harfanglab.threat_key` | `keyword` | The key of the threat |
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md
index a6a6cb0d74..1b62e745fa 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md
@@ -2373,6 +2373,67 @@ In this section, you will find examples of raw logs as generated natively by the +=== "network7" + + + ```json + { + "@event_create_date": "2026-03-27T12:54:52.265072Z", + "@timestamp": "2026-03-27T12:50:09.925801+00:00", + "conn_type": 0, + "connection_closed_time": "2026-03-27T12:54:52.713756Z", + "connection_start_time": "2026-03-27T12:54:52.265072Z", + "connection_successful": true, + "connection_unique_id": "11111111-1111-1111-1111-111111111111", + "daddr": "1.2.3.4", + "daddr_geoip": { + "as_org": "ANONYMIZED", + "country_code": "US", + "country_name": "United States" + }, + "direction": "out", + "dnames": [ + "one.example.org", + "two.example.org", + "three.example.org", + "four.example.org" + ], + "dport": 80, + "event_id": 8194, + "groups": [], + "image_name": "C:\\Windows\\System32\\svchost.exe", + "incoming_bytes": 37995, + "initiated": true, + "is_ipv6": false, + "kind": "complete", + "log_type": "network", + "outgoing_bytes": 300, + "pid": 18952, + "process_unique_id": "33333333-3333-3333-3333-333333333333", + "saddr": "2.2.2.2", + "saddr_geoip": {}, + "sport": 64083, + "timestamp": "2026-03-27T12:54:52.265072Z", + "username": "NT AUTHORITY\\NETWORK SERVICE", + "tenant": "REDACTED", + "agent": { + "additional_info": {}, + "agentid": "22222222-2222-2222-2222-222222222222", + "dnsdomainname": "example.net", + "domainname": "EXAMPLE", + "hostname": "HOSTNAME", + "ipaddress": "2.2.2.2", + "osproducttype": "Windows 11 Pro", + "ostype": "windows", + "osversion": "10.0.26100", + "producttype": "workstation", + "version": "5.5.25" + } + } + ``` + + + === "powershell" 
@@ -2414,6 +2475,67 @@ In this section, you will find examples of raw logs as generated natively by the +=== "powershell_2" + + + ```json + { + "@event_create_date": "2026-04-22T09:30:38.636093Z", + "@timestamp": "2026-04-22T09:30:44.133930+00:00", + "groups": [ + { + "id": "33333333-3333-3333-3333-333333333333", + "name": "Poste utilisateur" + } + ], + "hashes": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "incomplete": false, + "log_type": "powershell", + "pid": 65724, + "process_image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "process_unique_id": "44444444-4444-4444-4444-444444444444", + "script_block": "REDACTED", + "script_path": "C:\\Users\\JohnDoe\\AppData\\Local\\Temp\\ps-script-11111111-1111-1111-1111-111111111111.ps1", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "signature_info": { + "root_info": { + "display_name": "", + "issuer_name": "", + "not_after": "1970-01-01T00:00:00Z", + "not_before": "1970-01-01T00:00:00Z" + }, + "signed_authenticode": false, + "signed_catalog": false, + "signer_info": { + "display_name": "", + "issuer_name": "", + "not_after": "1970-01-01T00:00:00Z", + "not_before": "1970-01-01T00:00:00Z" + } + }, + "signed": false, + "tenant": "TENANT", + "agent": { + "additional_info": {}, + "agentid": "22222222-2222-2222-2222-222222222222", + "domainname": "WORKGROUP", + "hostname": "EXAMPLE", + "ipaddress": "1.1.1.1", + "osproducttype": "Windows 11 Pro", + "ostype": "windows", + "osversion": "10.0.26200", + "producttype": "workstation", + "version": "5.6.44" + } + } + ``` + + + === "process-event" 
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
index db9183375b..3b8180e812 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
@@ -1741,7 +1741,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "success",
- "reason": "authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.test.local', From: 1.1.1.1.",
+ "reason": "authenticated for user 'user1'",
 "type": [
 "start"
 ]
@@ -1920,9 +1920,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication request is timed out.",
+ "reason": "Authentication request is timed out",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2024-12-16T19:19:04.851000Z",
@@ -1992,9 +1992,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "User is not in allowlist.",
+ "reason": "User is not in allowlist",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-26T09:22:28.691000Z",
@@ -2056,9 +2056,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Invalid username/password.",
+ "reason": "Invalid username/password",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-11T09:34:26.348000Z",
@@ -2128,7 +2128,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication request is timed out.",
+ "reason": "Authentication request is timed out",
 "type": [
 "start"
 ]
@@ -2200,9 +2200,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication request is timed out.",
+ "reason": "Authentication request is timed out",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-26T09:12:07.623000Z",
@@ -2272,9 +2272,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Invalid username/password.",
+ "reason": "Invalid username/password",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-24T13:58:27.897000Z",
@@ -2344,9 +2344,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Invalid username/password.",
+ "reason": "Invalid username/password",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-24T13:58:27.897000Z",
@@ -2416,9 +2416,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "User is in locked users list.",
+ "reason": "User is in locked users list",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-21T07:25:51.399000Z",
@@ -2480,9 +2480,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "User is in locked users list.",
+ "reason": "User is in locked users list",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-21T07:25:51.399000Z",
@@ -2544,9 +2544,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication profile not found for the user.",
+ "reason": "Authentication profile not found for the user",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-19T06:27:10.089000Z",
@@ -2604,9 +2604,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'ESA-AUTH',",
+ "reason": "Internal error, e.g. network connection, DNS failure or remote server down",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-11T08:35:29.424000Z",
@@ -2630,7 +2630,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "DGHierarchyLevel3": "0",
 "DGHierarchyLevel4": "0",
 "EventID": "auth-fail",
- "Threat_ContentType": "auth"
+ "Threat_ContentType": "auth",
+ "authentication": {
+ "profile": "ESA-AUTH"
+ }
 },
 "related": {
 "user": [
@@ -2657,9 +2660,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Invalid username/password.",
+ "reason": "Invalid username/password",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-02-11T09:34:26.348000Z",
@@ -2729,7 +2732,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "success",
- "reason": "authenticated for user 'user1'. auth profile 'FWPA', vsys 'shared', server profile 'RADIUS_RSA', server address '1.1.1.1', auth protocol 'PAP', admin role 'superreader', From: 2.2.2.2.",
+ "reason": "authenticated for user 'user1'",
 "type": [
 "start"
 ]
@@ -2801,7 +2804,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "success",
- "reason": "authenticated for user 'jane.doe'. auth profile 'ESA-AUTH', vsys 'vsys1', server profile 'ESA', server address '1.1.1.1', auth protocol 'PAP', From: 2.2.2.2.",
+ "reason": "authenticated for user 'jane.doe'",
 "type": [
 "start"
 ]
@@ -2873,7 +2876,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "success",
- "reason": "authenticated for user 'JOHNDOE'. EAP outer identity 'JOHNDOE', inner identity 'JOHNDOE', auth profile 'AUTH PROFILE', vsys 'vsys1', server profile 'PROFILE', server address '1.1.1.1', auth protocol 'PEAP-MSCHAPv2', admin role 'Read ALL', From: 2.2.2.2.",
+ "reason": "authenticated for user 'JOHNDOE'",
 "type": [
 "start"
 ]
@@ -3667,7 +3670,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "success",
- "reason": "authenticated for user user1. auth profile FFFF, vsys shared, server profile server-test, server address 2.2.2.2, auth protocol PAP, admin role superuser, From: 1.1.1.1.",
+ "reason": "authenticated for user user1",
 "type": [
 "start"
 ]
@@ -5112,9 +5115,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication request is timed out.",
+ "reason": "Authentication request is timed out",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2024-12-16T19:19:04.851000Z",
@@ -5184,9 +5187,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "system",
 "outcome": "failure",
- "reason": "Authentication request is timed out.",
+ "reason": "Authentication request is timed out",
 "type": [
- "info"
+ "start"
 ]
 },
 "@timestamp": "2025-01-21T10:57:23.294000Z",
@@ -5244,6 +5247,141 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_system_event_16.json" + + ```json + + { + "message": "1,2026/05/13 15:33:28,ANONYMIZED,SYSTEM,auth,2817,2026/05/13 15:33:29,,auth-success,Azure-NEW,0,0,general,informational,\"SAML SSO authenticated for user 'john.doe@example.com'. auth profile 'Azure-NEW', vsys 'vsys1', server profile 'Azure-Auth-NEW', IdP entityID 'https://sts.windows.net/11111111-1111-1111-1111-111111111111/', 
From: 1.2.3.4.\",1234567890,0x8000000000000000,0,0,0,0,,REDACTED,0,0,2026-05-13T15:33:29.251+02:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "outcome": "success", + "reason": "SAML SSO authenticated for user 'john.doe@example.com'", + "type": [ + "start" + ] + }, + "@timestamp": "2026-05-13T13:33:29.251000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "log": { + "hostname": "REDACTED", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "REDACTED", + "product": "PAN-OS", + "serial_number": "ANONYMIZED" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authentication": { + "profile": "Azure-NEW" + }, + "server": { + "profile": "Azure-Auth-NEW" + }, + "vsys": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "name": "john.doe" + } + } + + ``` + + +=== "test_system_event_17.json" + + ```json + + { + "message": "1,2026/05/13 15:29:47,ANONYMIZED,SYSTEM,auth,2817,2026/05/13 15:29:48,,auth-fail,Azure-NEW,0,0,general,medium,\"failed authentication for user 'john.doe@example.com'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'Azure-NEW', vsys 'vsys1', 
From: 1.2.3.4.\",1234567890,0x8000000000000000,0,0,0,0,,REDACTED,0,0,2026-05-13T15:29:48.068+02:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "outcome": "failure", + "reason": "Internal error, e.g. network connection, DNS failure or remote server down", + "type": [ + "start" + ] + }, + "@timestamp": "2026-05-13T13:29:48.068000Z", + "action": { + "name": "auth-fail", + "type": "auth" + }, + "log": { + "hostname": "REDACTED", + "level": "medium", + "logger": "system" + }, + "observer": { + "name": "REDACTED", + "product": "PAN-OS", + "serial_number": "ANONYMIZED" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-fail", + "Threat_ContentType": "auth", + "authentication": { + "profile": "Azure-NEW" + }, + "vsys": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "name": "john.doe" + } + } + + ``` + + === "test_system_event_1_json.json" ```json @@ -6563,7 +6701,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "dataset": "system", "outcome": "success", - "reason": "authenticated for user 'admin'. From: 1.1.1.1.", + "reason": "authenticated for user 'admin'", "type": [ "info" ] @@ -6685,7 +6823,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "dataset": "system", "outcome": "success", - "reason": "Kerberos SSO authenticated for user 'johndoe'. realm 'RXX-R.XXXX', auth profile 'Auth_Seq_RAL', vsys 'shared',", + "reason": "Kerberos SSO authenticated for user 'johndoe'", "type": [ "start" ] 
@@ -6711,7 +6849,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", "EventID": "auth-success", - "Threat_ContentType": "auth" + "Threat_ContentType": "auth", + "authentication": { + "profile": "Auth_Seq_RAL" + }, + "vsys": "shared" }, "related": { "user": [ @@ -6726,6 +6868,65 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_username2.json" + + ```json + + { + "message": "1,2026/04/28 13:38:24,111111111111111,SYSTEM,auth,2817,2026/04/28 13:38:25,,auth-success,Auth_Seq_NAME,0,0,general,informational,\"Kerberos SSO authenticated for user 'test01@DOMAIN'. realm 'DOMAIN', auth profile 'Auth_Seq_NAME', vsys 'shared',\",1234567890123456789,0x0,0,0,0,0,,HOSTNAME,0,0,2026-04-28T13:38:25.366+02:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "outcome": "success", + "reason": "Kerberos SSO authenticated for user 'test01@DOMAIN'", + "type": [ + "start" + ] + }, + "@timestamp": "2026-04-28T11:38:25.366000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "log": { + "hostname": "HOSTNAME", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "HOSTNAME", + "product": "PAN-OS", + "serial_number": "111111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authentication": { + "profile": "Auth_Seq_NAME" + }, + "vsys": "shared" + }, + "related": { + "user": [ + "test01" + ] + }, + "user": { + "domain": "DOMAIN", + "email": "test01@DOMAIN", + "name": "test01" + } + } + + ``` + + === "test_web_authentication_json.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md index b9504492bf..bd5b21dc6b 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md @@ -1692,6 +1692,24 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_system_event_16" + + + ```json + 1,2026/05/13 15:33:28,ANONYMIZED,SYSTEM,auth,2817,2026/05/13 15:33:29,,auth-success,Azure-NEW,0,0,general,informational,"SAML SSO authenticated for user 'john.doe@example.com'. auth profile 'Azure-NEW', vsys 'vsys1', server profile 'Azure-Auth-NEW', IdP entityID 'https://sts.windows.net/11111111-1111-1111-1111-111111111111/', From: 1.2.3.4.",1234567890,0x8000000000000000,0,0,0,0,,REDACTED,0,0,2026-05-13T15:33:29.251+02:00 + ``` + + + +=== "test_system_event_17" + + + ```json + 1,2026/05/13 15:29:47,ANONYMIZED,SYSTEM,auth,2817,2026/05/13 15:29:48,,auth-fail,Azure-NEW,0,0,general,medium,"failed authentication for user 'john.doe@example.com'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile 'Azure-NEW', vsys 'vsys1', From: 1.2.3.4.",1234567890,0x8000000000000000,0,0,0,0,,REDACTED,0,0,2026-05-13T15:29:48.068+02:00 + ``` + + + === "test_system_event_1_json" 
@@ -2483,6 +2501,15 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_username2" + + + ```json + 1,2026/04/28 13:38:24,111111111111111,SYSTEM,auth,2817,2026/04/28 13:38:25,,auth-success,Auth_Seq_NAME,0,0,general,informational,"Kerberos SSO authenticated for user 'test01@DOMAIN'. realm 'DOMAIN', auth profile 'Auth_Seq_NAME', vsys 'shared',",1234567890123456789,0x0,0,0,0,0,,HOSTNAME,0,0,2026-04-28T13:38:25.366+02:00 + ``` + + + === "test_web_authentication_json" diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index da020cb26e..cf1cd8f403 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
@@ -341,7 +341,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": \"john.doe@example.org\",\"url\": \"a.et.nytimes.com\",\"vendor\": \"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"None\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"None\",\"fileclass\": \"None\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"None\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", + "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": \"john.doe@example.org\",\"url\": \"a.et.nytimes.com\",\"vendor\": 
\"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"Test dlp\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"Test dictionaries\",\"fileclass\": \"Test\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"Test2\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", "event": { "action": "allowed", "category": [ @@ -416,11 +416,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "zscaler": { "zia": { + "appclass": "General Browsing", "appname": "General Browsing", "department": "Financial%20Dept", + "dlpdictionaries": "Test dictionaries", + "dlpengine": "Test dlp", "event_id": "1111111111111111111", + "fileclass": "Test", "keyprotectiontype": "N/A", "location": "Road%20Warrior", + "pagerisk": "0", "product": "NSS", "source_type": "zscalernss-web", "threat": { @@ -428,6 +433,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "class": "threat class # 1", "name": "Threat Name 1" }, + "unscannabletype": "Test2", "url_category": "News and Media", "vendor": "Zscaler" } 
@@ -442,7 +448,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": \"john.doe@example.org\",\"url\": \"ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9ea4b61fd3501b07\",\"vendor\": \"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"None\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"None\",\"fileclass\": \"None\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"None\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", + "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": 
\"john.doe@example.org\",\"url\": \"ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9ea4b61fd3501b07\",\"vendor\": \"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"Test dlp\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"Test dictionaries\",\"fileclass\": \"Test\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"Test2\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", "event": { "action": "allowed", "category": [ @@ -519,11 +525,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "zscaler": { "zia": { + "appclass": "General Browsing", "appname": "General Browsing", "department": "Financial%20Dept", + "dlpdictionaries": "Test dictionaries", + "dlpengine": "Test dlp", "event_id": "1111111111111111111", + "fileclass": "Test", "keyprotectiontype": "N/A", "location": "Road%20Warrior", + "pagerisk": "0", "product": "NSS", "source_type": "zscalernss-web", "threat": { @@ -531,6 +542,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "class": "threat class # 1", "name": "Threat Name 1" }, + "unscannabletype": "Test2", "url_category": "News and Media", "vendor": "Zscaler" } 
@@ -545,7 +557,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" : {\"datetime\":\"2024-08-26 13:27:54\",\"reason\":\"Allowed\",\"event_id\":\"1111111111111111\",\"protocol\":\"HTTPS\",\"action\":\"Allowed\",\"transactionsize\":\"1706\",\"responsesize\":\"758\",\"requestsize\":\"948\",\"urlcategory\":\"Online Chat\",\"serverip\":\"1.2.3.4\",\"requestmethod\":\"GET\",\"refererURL\":\"exemple.url.com/\",\"useragent\":\"Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36\",\"product\":\"NSS\",\"location\":\"FR-Re\",\"ClientIP\":\"5.6.7.8\",\"status\":\"200\",\"user\":\"john.doe@mail.com\",\"url\":\"api.chat.org/bot/sendmessage\",\"vendor\":\"Zscaler\",\"hostname\":\"api.chat.org\",\"clientpublicIP\":\"5.6.7.8\",\"threatcategory\":\"None\",\"threatname\":\"None\",\"filetype\":\"None\",\"appname\":\"Random Chat\",\"pagerisk\":\"10\",\"department\":\"FR\",\"urlsupercategory\":\"Internet Communication\",\"appclass\":\"Sales and Marketing\",\"dlpengine\":\"None\",\"urlclass\":\"Business Use\",\"threatclass\":\"None\",\"dlpdictionaries\":\"None\",\"fileclass\":\"None\",\"bwthrottle\":\"NO\",\"contenttype\":\"application/json\",\"unscannabletype\":\"None\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"keyprotectiontype\":\"Software Protection\"}}", + "message": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" : {\"datetime\":\"2024-08-26 13:27:54\",\"reason\":\"Allowed\",\"event_id\":\"1111111111111111\",\"protocol\":\"HTTPS\",\"action\":\"Allowed\",\"transactionsize\":\"1706\",\"responsesize\":\"758\",\"requestsize\":\"948\",\"urlcategory\":\"Online 
Chat\",\"serverip\":\"1.2.3.4\",\"requestmethod\":\"GET\",\"refererURL\":\"exemple.url.com/\",\"useragent\":\"Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36\",\"product\":\"NSS\",\"location\":\"FR-Re\",\"ClientIP\":\"5.6.7.8\",\"status\":\"200\",\"user\":\"john.doe@mail.com\",\"url\":\"api.chat.org/bot/sendmessage\",\"vendor\":\"Zscaler\",\"hostname\":\"api.chat.org\",\"clientpublicIP\":\"5.6.7.8\",\"threatcategory\":\"None\",\"threatname\":\"None\",\"filetype\":\"None\",\"appname\":\"Random Chat\",\"pagerisk\":\"10\",\"department\":\"FR\",\"urlsupercategory\":\"Internet Communication\",\"appclass\":\"Sales and Marketing\",\"dlpengine\":\"Test dlp\",\"urlclass\":\"Business Use\",\"threatclass\":\"None\",\"dlpdictionaries\":\"Test dictionaries\",\"fileclass\":\"Test\",\"bwthrottle\":\"NO\",\"contenttype\":\"application/json\",\"unscannabletype\":\"Test2\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"keyprotectiontype\":\"Software Protection\"}}", "event": { "action": "allowed", "category": [ 
@@ -616,13 +628,117 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "zscaler": { "zia": { + "appclass": "Sales and Marketing", "appname": "Random Chat", "department": "FR", + "dlpdictionaries": "Test dictionaries", + "dlpengine": "Test dlp", "event_id": "1111111111111111", + "fileclass": "Test", "keyprotectiontype": "Software Protection", "location": "FR-Re", + "pagerisk": "10", "product": "NSS", "source_type": "zscalernss-web", + "unscannabletype": "Test2", + "url_category": "Online Chat", + "vendor": "Zscaler" + } + } + } + + ``` + + +=== "test_event_web4.json" + + ```json + + { + "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2024-08-26 13:27:54\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111\",\"protocol\": \"HTTPS\",\"action\": \"Allowed\",\"transactionsize\": \"1706\",\"responsesize\": \"758\",\"requestsize\": \"948\",\"urlcategory\": \"Online Chat\",\"serverip\": \"1.2.3.4\",\"requestmethod\": \"GET\",\"refererURL\": \"exemple.url.com/\",\"useragent\": \"Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36\",\"product\": \"NSS\",\"location\": \"FR-Re\",\"ClientIP\": \"5.6.7.8\",\"status\": \"200\",\"user\": \"john.doe@mail.com\",\"url\": \"api.chat.org/bot/sendmessage\",\"vendor\": \"Zscaler\",\"hostname\": \"api.chat.org\",\"clientpublicIP\": \"5.6.7.8\",\"threatcategory\": \"None\",\"threatname\": \"None\",\"filetype\": \"None\",\"appname\": \"Random Chat\",\"pagerisk\": \"10\",\"department\": \"FR\",\"urlsupercategory\": \"Internet Communication\",\"appclass\": \"Sales and Marketing\",\"dlpengine\": \"Test dlp\",\"urlclass\": \"Business Use\",\"threatclass\": \"None\",\"dlpdictionaries\": \"Test dictionaries\",\"fileclass\": \"Test\",\"bwthrottle\": \"NO\",\"contenttype\": \"application/json\",\"unscannabletype\": \"Test2\",\"deviceowner\": \"NA\",\"devicehostname\": \"NA\",\"keyprotectiontype\": 
\"Software Protection\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "dataset": "web", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-26T13:27:54Z", + "destination": { + "address": "api.chat.org", + "domain": "api.chat.org", + "ip": "1.2.3.4", + "registered_domain": "chat.org", + "subdomain": "api", + "top_level_domain": "org" + }, + "http": { + "request": { + "bytes": 948, + "method": "GET", + "referrer": "exemple.url.com/" + }, + "response": { + "bytes": 758, + "mime_type": "application/json" + } + }, + "network": { + "protocol": "HTTPS" + }, + "related": { + "hosts": [ + "api.chat.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "server": { + "ip": "1.2.3.4" + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "url": { + "domain": "api.chat.org", + "original": "api.chat.org/bot/sendmessage", + "path": "bot/sendmessage" + }, + "user": { + "email": "john.doe@mail.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36", + "os": { + "name": "Windows" + }, + "version": "128.0.0" + }, + "zscaler": { + "zia": { + "appclass": "Sales and Marketing", + "appname": "Random Chat", + "department": "FR", + "dlpdictionaries": "Test dictionaries", + "dlpengine": "Test dlp", + "event_id": "1111111111111111", + "fileclass": "Test", + "keyprotectiontype": "Software Protection", + "location": "FR-Re", + "pagerisk": "10", + "product": "NSS", + "source_type": "zscalernss-web", + "unscannabletype": "Test2", "url_category": "Online Chat", "vendor": "Zscaler" } 
@@ -908,15 +1024,20 @@ The following table lists the fields that are extracted, normalized under the EC |`user.email` | `keyword` | User email address. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | +|`zscaler.zia.appclass` | `keyword` | ZScaler app class | |`zscaler.zia.appname` | `keyword` | ZScaler app name | |`zscaler.zia.audit.log_type` | `keyword` | ZScaler audit log type | |`zscaler.zia.avgduration` | `keyword` | ZScaler average duration | |`zscaler.zia.category` | `keyword` | ZScaler category | |`zscaler.zia.department` | `keyword` | ZScaler department | +|`zscaler.zia.dlpdictionaries` | `keyword` | ZScaler DLP (Data Loss Prevention) dictionaries | +|`zscaler.zia.dlpengine` | `keyword` | ZScaler DLP (Data Loss Prevention) engine, i.e. a collection of one or more DLP dictionaries, combined using logical operators, which can be used in DLP policies to detect specific content in the users' traffic | |`zscaler.zia.event.outcome` | `keyword` | ZScaler event outcome | |`zscaler.zia.event_id` | `keyword` | ZScaler event ID | +|`zscaler.zia.fileclass` | `keyword` | ZScaler file class | |`zscaler.zia.keyprotectiontype` | `keyword` | ZScaler key protection type | |`zscaler.zia.location` | `keyword` | ZScaler gateway location or sub-location of the source | +|`zscaler.zia.pagerisk` | `keyword` | Web page risk index score evaluated by Suspicious Content Protection (Page Risk), to identify potentially harmful content | |`zscaler.zia.product` | `keyword` | ZScaler product | |`zscaler.zia.resource` | `keyword` | ZScaler resource | |`zscaler.zia.source_type` | `keyword` | ZScaler source type | 
@@ -927,6 +1048,7 @@ The following table lists the fields that are extracted, normalized under the EC |`zscaler.zia.tunnel.ikeversion` | `keyword` | ZScaler IKE Version of the tunnel | |`zscaler.zia.tunnel.status` | `keyword` | ZScaler status of the tunnel | |`zscaler.zia.tuntype` | `keyword` | ZScaler tunel type | +|`zscaler.zia.unscannabletype` | `keyword` | ZScaler unscannable type | |`zscaler.zia.url_category` | `keyword` | The category of the destination URL | |`zscaler.zia.vendor` | `keyword` | ZScaler vendor | diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md index ce9970e15a..4bf682a679 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md @@ -222,14 +222,14 @@ In this section, you will find examples of raw logs as generated natively by the "department": "Financial%20Dept", "urlsupercategory": "News and Media", "appclass": "General Browsing", - "dlpengine": "None", + "dlpengine": "Test dlp", "urlclass": "Bandwidth Loss", "threatclass": "threat class # 1", - "dlpdictionaries": "None", - "fileclass": "None", + "dlpdictionaries": "Test dictionaries", + "fileclass": "Test", "bwthrottle": "NO", "contenttype": "Other", - "unscannabletype": "None", + "unscannabletype": "Test2", "deviceowner": "johndoe", "devicehostname": " ", "keyprotectiontype": "N/A" 
@@ -276,14 +276,14 @@ In this section, you will find examples of raw logs as generated natively by the "department": "Financial%20Dept", "urlsupercategory": "News and Media", "appclass": "General Browsing", - "dlpengine": "None", + "dlpengine": "Test dlp", "urlclass": "Bandwidth Loss", "threatclass": "threat class # 1", - "dlpdictionaries": "None", - "fileclass": "None", + "dlpdictionaries": "Test dictionaries", + "fileclass": "Test", "bwthrottle": "NO", "contenttype": "Other", - "unscannabletype": "None", + "unscannabletype": "Test2", "deviceowner": "johndoe", "devicehostname": " ", "keyprotectiontype": "N/A" 
@@ -330,14 +330,68 @@ In this section, you will find examples of raw logs as generated natively by the "department": "FR", "urlsupercategory": "Internet Communication", "appclass": "Sales and Marketing", - "dlpengine": "None", + "dlpengine": "Test dlp", "urlclass": "Business Use", "threatclass": "None", - "dlpdictionaries": "None", - "fileclass": "None", + "dlpdictionaries": "Test dictionaries", + "fileclass": "Test", "bwthrottle": "NO", "contenttype": "application/json", - "unscannabletype": "None", + "unscannabletype": "Test2", + "deviceowner": "NA", + "devicehostname": "NA", + "keyprotectiontype": "Software Protection" + } + } + ``` + + + +=== "test_event_web4" + + + ```json + { + "sourcetype": "zscalernss-web", + "event": { + "datetime": "2024-08-26 13:27:54", + "reason": "Allowed", + "event_id": "1111111111111111", + "protocol": "HTTPS", + "action": "Allowed", + "transactionsize": "1706", + "responsesize": "758", + "requestsize": "948", + "urlcategory": "Online Chat", + "serverip": "1.2.3.4", + "requestmethod": "GET", + "refererURL": "exemple.url.com/", + "useragent": "Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36", + "product": "NSS", + "location": "FR-Re", + "ClientIP": "5.6.7.8", + "status": "200", + "user": "john.doe@mail.com", + "url": "api.chat.org/bot/sendmessage", + "vendor": "Zscaler", + "hostname": "api.chat.org", + "clientpublicIP": "5.6.7.8", + "threatcategory": "None", + "threatname": "None", + "filetype": "None", + "appname": "Random Chat", + "pagerisk": "10", + "department": "FR", + "urlsupercategory": "Internet Communication", + "appclass": "Sales and Marketing", + "dlpengine": "Test dlp", + "urlclass": "Business Use", + "threatclass": "None", + "dlpdictionaries": "Test dictionaries", + "fileclass": "Test", + "bwthrottle": "NO", + "contenttype": "application/json", + "unscannabletype": "Test2", "deviceowner": "NA", "devicehostname": "NA", 
"keyprotectiontype": "Software Protection" diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index 401a9eba07..962da78eef 100644 --- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -67,7 +67,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:09:55 client01,10.8.0.4,", + "message": "2023-10-31 15:09:55 hostname,10.8.0.4,", "event": { "category": [ "network" @@ -78,15 +78,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:09:55Z", "client": { - "address": "client01", - "domain": "client01", + "address": "hostname", + "domain": "hostname", "nat": { "ip": "10.8.0.4" } }, "related": { "hosts": [ - "client01" + "hostname" ], "ip": [ "10.8.0.4" @@ -102,7 +102,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: Learn: 10.8.0.6 -> client01/165.225.204.88:59321", + "message": "2023-10-31 15:09:59 hostname/198.51.100.1:59321 MULTI: Learn: 10.8.0.6 -> hostname/198.51.100.1:59321", "event": { "category": [ "network" @@ -113,9 +113,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:09:59Z", "client": { - "address": "client01", - "domain": "client01", - "ip": "165.225.204.88", + "address": "hostname", + "domain": "hostname", + "ip": "198.51.100.1", "nat": { "ip": "10.8.0.6" }, 
@@ -123,11 +123,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "client01" + "hostname" ], "ip": [ "10.8.0.6", - "165.225.204.88" + "198.51.100.1" ] } } @@ -140,7 +140,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: primary virtual IP for client01/165.225.204.88:59321: 10.8.0.6", + "message": "2023-10-31 15:09:59 hostname/198.51.100.1:59321 MULTI: primary virtual IP for hostname/198.51.100.1:59321: 10.8.0.6", "event": { "category": [ "network" @@ -151,9 +151,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:09:59Z", "client": { - "address": "client01", - "domain": "client01", - "ip": "165.225.204.88", + "address": "hostname", + "domain": "hostname", + "ip": "198.51.100.1", "nat": { "ip": "10.8.0.6" }, @@ -161,11 +161,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "client01" + "hostname" ], "ip": [ "10.8.0.6", - "165.225.204.88" + "198.51.100.1" ] } } @@ -178,7 +178,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:09:59 165.225.204.88:59321 [client01] Peer Connection Initiated with [AF_INET]165.225.204.88:59321", + "message": "2023-10-31 15:09:59 198.51.100.1:59321 [hostname] Peer Connection Initiated with [AF_INET]198.51.100.1:59321", "event": { "category": [ "network" 
@@ -189,17 +189,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:09:59Z", "client": { - "address": "client01", - "domain": "client01", - "ip": "165.225.204.88", + "address": "hostname", + "domain": "hostname", + "ip": "198.51.100.1", "port": 59321 }, "related": { "hosts": [ - "client01" + "hostname" ], "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } @@ -212,7 +212,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=1, CN=Easy-RSA CA", + "message": "2023-10-31 15:11:18 198.51.100.1:62586 VERIFY OK: depth=1, CN=Easy-RSA CA", "event": { "category": [ "network" @@ -224,13 +224,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:11:18Z", "client": { - "address": "165.225.204.88", - "ip": "165.225.204.88", + "address": "198.51.100.1", + "ip": "198.51.100.1", "port": 62586 }, "related": { "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } @@ -243,25 +243,25 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=0, CN=client01", + "message": "2023-10-31 15:11:18 198.51.100.1:62586 VERIFY OK: depth=0, CN=hostname", "event": { "category": [ "network" ], - "reason": "VERIFY OK: depth=0, CN=client01", + "reason": "VERIFY OK: depth=0, CN=hostname", "type": [ "info" ] }, "@timestamp": "2023-10-31T15:11:18Z", "client": { - "address": "165.225.204.88", - "ip": "165.225.204.88", + "address": "198.51.100.1", + "ip": "198.51.100.1", "port": 62586 }, "related": { "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } 
@@ -274,7 +274,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUB=1", + "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_COMP_STUB=1", "event": { "category": [ "network" @@ -286,13 +286,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:11:18Z", "client": { - "address": "165.225.204.88", - "ip": "165.225.204.88", + "address": "198.51.100.1", + "ip": "198.51.100.1", "port": 62586 }, "related": { "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } @@ -305,7 +305,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUBv2=1", + "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_COMP_STUBv2=1", "event": { "category": [ "network" @@ -317,13 +317,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:11:18Z", "client": { - "address": "165.225.204.88", - "ip": "165.225.204.88", + "address": "198.51.100.1", + "ip": "198.51.100.1", "port": 62586 }, "related": { "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } 
@@ -336,12 +336,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:10:21 SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", + "message": "2023-10-31 15:10:21 SENT CONTROL [hostname]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", "event": { "category": [ "network" ], - "reason": "SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", + "reason": "SENT CONTROL [hostname]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", "type": [ "info" ] @@ -504,7 +504,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_VER=2.6.6", + "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_VER=2.6.6", "event": { "category": [ "network" @@ -516,13 +516,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-10-31T15:11:18Z", "client": { - "address": "165.225.204.88", - "ip": "165.225.204.88", + "address": "198.51.100.1", + "ip": "198.51.100.1", "port": 62586 }, "related": { "ip": [ - "165.225.204.88" + "198.51.100.1" ] } } @@ -565,7 +565,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-10-31 15:09:55 ifconfig_pool_read(), in='client01,10.8.0.4,'", + "message": "2023-10-31 15:09:55 ifconfig_pool_read(), in='hostname,10.8.0.4,'", "event": { "category": [ "network" 
@@ -577,13 +577,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:09:55Z",
"client": {
- "address": "client01",
- "domain": "client01",
+ "address": "hostname",
+ "domain": "hostname",
"ip": "10.8.0.4"
},
"related": {
"hosts": [
- "client01"
+ "hostname"
],
"ip": [
"10.8.0.4"
@@ -844,7 +844,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PLAT=linux",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_PLAT=linux",
"event": {
"category": [
"network"
@@ -856,13 +856,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -906,12 +906,49 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```
+=== "client_information_31.json"
+
+ ```json
+
+ {
+ "message": "Tue Mar 31 22:04:38 2026 JDoe/1.2.3.4:12399 peer info: IV_VER=2.6.6",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "peer info: IV_VER=2.6.6",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2026-03-31T22:04:38Z",
+ "client": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 12399
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "JDoe"
+ ]
+ },
+ "user": {
+ "name": "JDoe"
+ }
+ }
+
+ ```
+
+
=== "client_information_4.json"
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_TCPNL=1",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_TCPNL=1",
"event": {
"category": [
"network"
@@ -923,13 +960,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -942,7 +979,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_MTU=1600",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_MTU=1600",
"event": {
"category": [
"network"
@@ -954,13 +991,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -973,7 +1010,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_NCP=2",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_NCP=2",
"event": {
"category": [
"network"
@@ -985,13 +1022,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -1004,7 +1041,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
"event": {
"category": [
"network"
@@ -1016,13 +1053,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -1035,7 +1072,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PROTO=990",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_PROTO=990",
"event": {
"category": [
"network"
@@ -1047,13 +1084,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -1066,7 +1103,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_LZO_STUB=1",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_LZO_STUB=1",
"event": {
"category": [
"network"
@@ -1078,13 +1115,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
}
}
@@ -1223,7 +1260,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "LDAP user \"xxxxxxx\" was not found.",
+ "message": "LDAP user \"JDoe\" was not found.",
"event": {
"category": [
"authentication"
@@ -1235,11 +1272,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"related": {
"user": [
- "xxxxxxx"
+ "JDoe"
]
},
"user": {
- "name": "xxxxxxx"
+ "name": "JDoe"
}
}
@@ -1251,7 +1288,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "Unable to bind as XXX",
+ "message": "Unable to bind as JDoe",
"event": {
"category": [
"authentication"
@@ -1263,11 +1300,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"related": {
"user": [
- "XXX"
+ "JDoe"
]
},
"user": {
- "name": "XXX"
+ "name": "JDoe"
}
}
@@ -1279,7 +1316,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "2023-10-31 15:11:18 165.225.204.88:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256",
+ "message": "2023-10-31 15:11:18 198.51.100.1:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256",
"event": {
"category": [
"network"
@@ -1290,13 +1327,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
- "address": "165.225.204.88",
- "ip": "165.225.204.88",
+ "address": "198.51.100.1",
+ "ip": "198.51.100.1",
"port": 62586
},
"related": {
"ip": [
- "165.225.204.88"
+ "198.51.100.1"
]
},
"tls": {
@@ -1353,7 +1390,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```json
{
- "message": "Tue Aug 12 08:26:29 2025 us=285967 192.0.2.12:65244 TLS: Username/Password authentication succeeded for username 'user-placeholder1'",
+ "message": "Tue Aug 12 08:26:29 2025 us=285967 192.0.2.12:65244 TLS: Username/Password authentication succeeded for username 'Alice'",
"event": {
"category": [
"network"
@@ -1374,11 +1411,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"192.0.2.12"
],
"user": [
- "user-placeholder1"
+ "Alice"
]
},
"user": {
- "name": "user-placeholder1"
+ "name": "Alice"
}
}
diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md
index 8b57a34fd1..496e3372b4 100644
--- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md
+++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md
@@ -15,7 +15,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_connection_0"
```
- 2023-10-31 15:09:55 client01,10.8.0.4,
+ 2023-10-31 15:09:55 hostname,10.8.0.4,
```
@@ -23,7 +23,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_connection_1"
```
- 2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: Learn: 10.8.0.6 -> client01/165.225.204.88:59321
+ 2023-10-31 15:09:59 hostname/198.51.100.1:59321 MULTI: Learn: 10.8.0.6 -> hostname/198.51.100.1:59321
```
@@ -31,7 +31,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_connection_2"
```
- 2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: primary virtual IP for client01/165.225.204.88:59321: 10.8.0.6
+ 2023-10-31 15:09:59 hostname/198.51.100.1:59321 MULTI: primary virtual IP for hostname/198.51.100.1:59321: 10.8.0.6
```
@@ -39,7 +39,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_connection_3"
```
- 2023-10-31 15:09:59 165.225.204.88:59321 [client01] Peer Connection Initiated with [AF_INET]165.225.204.88:59321
+ 2023-10-31 15:09:59 198.51.100.1:59321 [hostname] Peer Connection Initiated with [AF_INET]198.51.100.1:59321
```
@@ -47,7 +47,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_0"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=1, CN=Easy-RSA CA
+ 2023-10-31 15:11:18 198.51.100.1:62586 VERIFY OK: depth=1, CN=Easy-RSA CA
```
@@ -55,7 +55,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_1"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=0, CN=client01
+ 2023-10-31 15:11:18 198.51.100.1:62586 VERIFY OK: depth=0, CN=hostname
```
@@ -63,7 +63,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_10"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUB=1
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_COMP_STUB=1
```
@@ -71,7 +71,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_11"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUBv2=1
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_COMP_STUBv2=1
```
@@ -79,7 +79,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_12"
```
- 2023-10-31 15:10:21 SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
+ 2023-10-31 15:10:21 SENT CONTROL [hostname]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
```
@@ -143,7 +143,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_2"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_VER=2.6.6
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_VER=2.6.6
```
@@ -159,7 +159,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_21"
```
- 2023-10-31 15:09:55 ifconfig_pool_read(), in='client01,10.8.0.4,'
+ 2023-10-31 15:09:55 ifconfig_pool_read(), in='hostname,10.8.0.4,'
```
@@ -231,7 +231,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_3"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PLAT=linux
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_PLAT=linux
```
@@ -244,10 +244,18 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "client_information_31"
+
+ ```
+ Tue Mar 31 22:04:38 2026 JDoe/1.2.3.4:12399 peer info: IV_VER=2.6.6
+ ```
+
+
+
=== "client_information_4"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_TCPNL=1
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_TCPNL=1
```
@@ -255,7 +263,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_5"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_MTU=1600
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_MTU=1600
```
@@ -263,7 +271,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_6"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_NCP=2
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_NCP=2
```
@@ -271,7 +279,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_7"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
```
@@ -279,7 +287,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_8"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PROTO=990
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_PROTO=990
```
@@ -287,7 +295,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "client_information_9"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_LZO_STUB=1
+ 2023-10-31 15:11:18 198.51.100.1:62586 peer info: IV_LZO_STUB=1
```
@@ -335,7 +343,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "ldap_user_not_found"
```
- LDAP user "xxxxxxx" was not found.
+ LDAP user "JDoe" was not found.
```
@@ -343,7 +351,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "ldap_user_not_found_2"
```
- Unable to bind as XXX
+ Unable to bind as JDoe
```
@@ -351,7 +359,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "tls_information_0"
```
- 2023-10-31 15:11:18 165.225.204.88:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
+ 2023-10-31 15:11:18 198.51.100.1:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
```
@@ -367,7 +375,7 @@ In this section, you will find examples of raw logs as generated natively by the
=== "tls_information_2"
```
- Tue Aug 12 08:26:29 2025 us=285967 192.0.2.12:65244 TLS: Username/Password authentication succeeded for username 'user-placeholder1'
+ Tue Aug 12 08:26:29 2025 us=285967 192.0.2.12:65244 TLS: Username/Password authentication succeeded for username 'Alice'
```