From a539a270ea650bef4edb9fc1807bbfa555f8cac7 Mon Sep 17 00:00:00 2001 
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Tue, 20 Jan 2026 16:15:36 +0000 Subject: [PATCH] Refresh intakes documentation --- .../041e915e-2fb6-4604-9b24-902c9daa2d3c.md | 634 +++- ...915e-2fb6-4604-9b24-902c9daa2d3c_sample.md | 190 +- .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 3110 ++++++++++++++--- ...6706-ee4a-419b-906d-f92f3a46bcdd_sample.md | 514 ++- ...f586-5354-4171-9266-f9f049c3253a_sample.md | 118 - .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 61 +- ...57d3-4689-4fae-8033-6f1f887a70f2_sample.md | 6 +- .../46ca6fc8-3d30-434c-92ff-0e1cde564161.md | 61 +- ...6fc8-3d30-434c-92ff-0e1cde564161_sample.md | 52 +- .../4760d0bc-2194-44e5-a876-85102b18d832.md | 28 +- .../4c4f3256-c3c7-415f-9515-75261514f861.md | 4 + .../700f332f-d515-4bc5-8a62-49fa5f2c9206.md | 76 +- .../acd3374a-9738-4650-9d20-bd0a22daac40.md | 10 +- .../bf8867ee-43b7-444c-9475-a7f43754ab6d.md | 529 +-- ...67ee-43b7-444c-9475-a7f43754ab6d_sample.md | 238 +- .../c10307ea-5dd1-45c6-85aa-2a6a900df99b.md | 4 + ...> c47d2c82-494e-400c-b804-d68fb7a60859.md} | 141 +- ...2c82-494e-400c-b804-d68fb7a60859_sample.md | 118 + .../caa13404-9243-493b-943e-9848cadb1f99.md | 8 +- ...3404-9243-493b-943e-9848cadb1f99_sample.md | 6 +- .../dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md | 216 +- ...4795-a6f0-4ebb-a73d-6eb8b982afcd_sample.md | 48 + .../e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md | 10 +- ...f2f1-02d0-4d1a-be89-f2b8be4baf4e_sample.md | 4 +- .../e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md | 2 - .../ec7fd978-5526-42c8-acd5-e1b4aa752a73.md | 24 - .../ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md | 4 +- .../f5f05e2a-32fc-432d-9f00-11f490ae15f4.md | 30 + ...5e2a-32fc-432d-9f00-11f490ae15f4_sample.md | 8 + 29 files changed, 4981 insertions(+), 1273 deletions(-) delete mode 100644 _shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a_sample.md rename 
_shared_content/operations_center/integrations/generated/{1ef7f586-5354-4171-9266-f9f049c3253a.md => c47d2c82-494e-400c-b804-d68fb7a60859.md} (67%) create mode 100644 _shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859_sample.md diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md index 700e9c4113..e45b319d71 100644 --- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md +++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md @@ -92,6 +92,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2025-07-02T09:30:49.657000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "attachments": [ { @@ -140,7 +145,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "acme.com" + } } } 
@@ -152,7 +160,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"subject\": \"Redacted\", \"senderEnvelope\": \"john.doe@example.com\", \"messageId\": \"11111111111111111111111111111111111111@example.com\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"accountId\": \"ANONYMIZED\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"john.doe@example.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"mimecast.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\"}", + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"subject\": \"Redacted\", \"senderEnvelope\": \"john.doe@example.com\", \"messageId\": \"11111111111111111111111111111111111111@example.com\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"accountId\": \"ANONYMIZED\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"john.doe@example.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"example.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\"}", "event": { "category": [ "email" 
@@ -164,6 +172,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2023-07-18T13:02:18.586000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "attachments": [ { @@ -213,7 +226,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } } } @@ -239,7 +255,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-09T21:27:29.343000Z", "destination": { "address": "5.6.7.8", - "ip": "5.6.7.8" + "ip": "5.6.7.8", + "user": { + "domain": "example.com" + } }, "email": { "direction": "Inbound", @@ -271,6 +290,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "5.6.7.8" ] + }, + "source": { + "user": { + "domain": "example.org" + } } } @@ -296,7 +320,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2025-06-13T08:01:04.202000Z", "destination": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } }, "email": { "from": { @@ -327,6 +354,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "1.2.3.4" ] + }, + "source": { + "user": { + "domain": "example.com" + } } } @@ -351,6 +383,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2023-07-18T13:02:18.545000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "from": { "address": [ @@ -383,7 +420,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } } } 
@@ -407,6 +447,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2024-11-06T15:10:47.558000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "from": { "address": [ @@ -425,11 +470,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "siem": { "aggregate_id": "aggregateId", "processing_id": "processingId", - "scan_results": "Restricted File Type - Found executable extension: dll" + "scan_results": "Restricted File Type - Found executable extension: dll", + "url_category": "Dangerous file extension" } }, "organization": { "id": "ANONYMIZED" + }, + "source": { + "user": { + "domain": "example.org" + } } } @@ -453,6 +504,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2024-05-14T15:14:57.146000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "direction": "Inbound", "from": { @@ -471,6 +527,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "aggregate_id": "aggregateId", "processing_id": "processingId" } + }, + "source": { + "user": { + "domain": "example.com" + } } } @@ -514,6 +575,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "organization": { "id": "ANONYMIZED" + }, + "source": { + "user": { + "domain": "example.com" + } } } @@ -561,6 +627,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "organization": { "id": "ANONYMIZED" + }, + "source": { + "user": { + "domain": "example.com" + } } } 
@@ -572,7 +643,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"anonymized\", \"action\": \"Acc\", \"timestamp\": 1760016329744, \"senderEnvelope\": \"johndoe@gmail.com\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"subject\": \"Redacted\", \"holdReason\": \"Oth\", \"totalSizeAttachments\": \"146254\", \"numberAttachments\": \"1\", \"attachments\": \"so-called \\\"TPS REPORTS\\\" we need to fill\", \"emailSize\": \"150580\", \"type\": \"process\", \"subtype\": \"Acc\"}", + "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"anonymized\", \"action\": \"Acc\", \"timestamp\": 1760016329744, \"senderEnvelope\": \"johndoe@example.com\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"subject\": \"Redacted\", \"holdReason\": \"Oth\", \"totalSizeAttachments\": \"146254\", \"numberAttachments\": \"1\", \"attachments\": \"so-called \\\"TPS REPORTS\\\" we need to fill\", \"emailSize\": \"150580\", \"type\": \"process\", \"subtype\": \"Acc\"}", "event": { "action": "Acc", "category": [ @@ -595,7 +666,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "from": { "address": [ - "johndoe@gmail.com" + "johndoe@example.com" ] }, "message_id": "11111111111111111111111111111111111111@example.com", @@ -611,6 +682,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "organization": { "id": "anonymized" + }, + "source": { + "user": { + "domain": "example.com" + } } } 
@@ -622,7 +698,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"aggregateId\": \"aggId1\", \"processingId\": \"AAA_123\", \"accountId\": \"ANONYMIZED\", \"action\": \"Acc\", \"timestamp\": 1733997069148, \"senderEnvelope\": \"johndoe@gmail.com\", \"messageId\": \"1@example.com>\", \"subject\": \"Redacted\", \"holdReason\": null, \"totalSizeAttachments\": \"183525\", \"numberAttachments\": \"0\", \"attachments\": \"\\\"~WRD0601.jpg\\\", \\\"image001.png\\\", \\\"image002.jpg\\\", \\\"image003.png\\\", \\\"image004.jpg\\\", \\\"image005.jpg\\\", \\\"image006.png\\\", \\\"image007.jpg\\\", \\\"image008.png\\\", \\\"image009.png\\\", \\\"image010.png\\\", \\\"image011.jpg\\\", \\\"image012.png\\\", \\\"image013.jpg\\\", \\\"image014.jpg\\\"\", \"emailSize\": \"204490\", \"type\": \"process\", \"subtype\": \"Acc\", \"_offset\": 292955, \"_partition\": 137}", + "message": "{\"aggregateId\": \"aggId1\", \"processingId\": \"AAA_123\", \"accountId\": \"ANONYMIZED\", \"action\": \"Acc\", \"timestamp\": 1733997069148, \"senderEnvelope\": \"johndoe@example.com\", \"messageId\": \"1@example.com>\", \"subject\": \"Redacted\", \"holdReason\": null, \"totalSizeAttachments\": \"183525\", \"numberAttachments\": \"0\", \"attachments\": \"\\\"~WRD0601.jpg\\\", \\\"image001.png\\\", \\\"image002.jpg\\\", \\\"image003.png\\\", \\\"image004.jpg\\\", \\\"image005.jpg\\\", \\\"image006.png\\\", \\\"image007.jpg\\\", \\\"image008.png\\\", \\\"image009.png\\\", \\\"image010.png\\\", \\\"image011.jpg\\\", \\\"image012.png\\\", \\\"image013.jpg\\\", \\\"image014.jpg\\\"\", \"emailSize\": \"204490\", \"type\": \"process\", \"subtype\": \"Acc\", \"_offset\": 292955, \"_partition\": 137}", "event": { "action": "Acc", "category": [ 
@@ -715,7 +791,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "from": { "address": [ - "johndoe@gmail.com" + "johndoe@example.com" ] }, "message_id": "1@example.com", @@ -730,6 +806,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "organization": { "id": "ANONYMIZED" + }, + "source": { + "user": { + "domain": "example.com" + } } } 
@@ -741,7 +822,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"ANONYMIZED\", \"timestamp\": 1715708286579, \"action\": \"Acc\", \"senderEnvelope\": \"john.doe@gmail.com\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"subject\": \"Redacted\", \"recipients\": \"admin@mcfr2.pro\", \"senderIp\": \"1.2.3.4\", \"rejectionType\": null, \"rejectionCode\": null, \"direction\": \"Inbound\", \"numberAttachments\": \"0\", \"senderHeader\": \"john.doe@gmail.com\", \"rejectionInfo\": null, \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"spamInfo\": \"[]\", \"spamProcessingDetail\": \"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\", \"virusFound\": null, \"type\": \"receipt\", \"subtype\": \"Acc\", \"_offset\": 105826, \"_partition\": 137}", + "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"ANONYMIZED\", \"timestamp\": 1715708286579, \"action\": \"Acc\", \"senderEnvelope\": \"john.doe@example.com\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"subject\": \"Redacted\", \"recipients\": \"admin@example.com\", \"senderIp\": \"1.2.3.4\", \"rejectionType\": null, \"rejectionCode\": null, \"direction\": \"Inbound\", \"numberAttachments\": \"0\", \"senderHeader\": \"john.doe@example.com\", \"rejectionInfo\": null, \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"spamInfo\": \"[]\", \"spamProcessingDetail\": \"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\", \"virusFound\": null, \"type\": \"receipt\", 
\"subtype\": \"Acc\", \"_offset\": 105826, \"_partition\": 137}", "event": { "action": "Acc", "category": [ @@ -754,18 +835,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2024-05-14T17:38:06.579000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "direction": "Inbound", "from": { "address": [ - "john.doe@gmail.com" + "john.doe@example.com" ] }, "message_id": "11111111111111111111111111111111111111@example.com", "subject": "Redacted", "to": { "address": [ - "admin@mcfr2.pro" + "admin@example.com" ] } }, @@ -803,7 +889,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } } } @@ -828,6 +917,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2025-06-13T08:14:13.769000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "direction": "inbound", "to": { 
@@ -892,7 +986,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"ANONYMIZED\", \"timestamp\": 1759863637459, \"action\": \"Acc\", \"senderEnvelope\": \"john.doe@example.com\", \"messageId\": \"33333333-3333-3333-3333-333333333333@example.com\", \"subject\": \"Redacted\", \"recipients\": \"jane.doe@acme.inc\", \"senderIp\": \"1.2.3.4\", \"rejectionType\": null, \"rejectionCode\": null, \"direction\": \"inbound\", \"numberAttachments\": \"0\", \"senderHeader\": \"john.doe@example.com\", \"rejectionInfo\": null, \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"spamInfo\": null, \"spamProcessingDetail\": {\"rbl\": {\"allow\": true, \"info\": \"\"}, \"greyEmail\": true, \"spf\": {\"allow\": true, \"info\": \"ALLOW\"}, \"dkim\": {\"allow\": true, \"info\": \"ALLOW\"}, \"dmarc\": {\"allow\": true, \"info\": \"ALLOW\"}, \"permittedSender\": {\"allow\": true, \"info\": \"NONE\"}, \"managedSender\": {\"allow\": true, \"info\": \"UNKNOWN\"}}, \"virusFound\": null, \"spamScore\": \"0\", \"spamDetectionLevel\": null, \"receiptErrors\": null, \"type\": \"receipt\", \"subtype\": \"Acc\"}", + "message": "{\"aggregateId\": \"aggregateId\", \"processingId\": \"processingId\", \"accountId\": \"ANONYMIZED\", \"timestamp\": 1759863637459, \"action\": \"Acc\", \"senderEnvelope\": \"john.doe@example.com\", \"messageId\": \"33333333-3333-3333-3333-333333333333@example.com\", \"subject\": \"Redacted\", \"recipients\": \"jane.doe@example.com\", \"senderIp\": \"1.2.3.4\", \"rejectionType\": null, \"rejectionCode\": null, \"direction\": \"inbound\", \"numberAttachments\": \"0\", \"senderHeader\": \"john.doe@example.com\", \"rejectionInfo\": null, \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"spamInfo\": null, \"spamProcessingDetail\": {\"rbl\": {\"allow\": true, \"info\": \"\"}, \"greyEmail\": 
true, \"spf\": {\"allow\": true, \"info\": \"ALLOW\"}, \"dkim\": {\"allow\": true, \"info\": \"ALLOW\"}, \"dmarc\": {\"allow\": true, \"info\": \"ALLOW\"}, \"permittedSender\": {\"allow\": true, \"info\": \"NONE\"}, \"managedSender\": {\"allow\": true, \"info\": \"UNKNOWN\"}}, \"virusFound\": null, \"spamScore\": \"0\", \"spamDetectionLevel\": null, \"receiptErrors\": null, \"type\": \"receipt\", \"subtype\": \"Acc\"}", "event": { "action": "Acc", "category": [ @@ -905,6 +999,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2025-10-07T19:00:37.459000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "direction": "inbound", "from": { @@ -916,7 +1015,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "subject": "Redacted", "to": { "address": [ - "jane.doe@acme.inc" + "jane.doe@example.com" ] } }, @@ -967,7 +1066,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } } } 
@@ -979,7 +1081,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"aggregateId\":\"aggregateId\",\"processingId\":\"processingId\",\"accountId\":\"ANONYMIZED\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@gmail.com\",\"messageId\":\"<11111111111111111111111111111111111111@example.com>\",\"subject\":\"Redacted\",\"recipients\":\"admin@mcfr.pro\",\"senderIp\":\"1.2.3.4\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@gmail.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://example.com/pages/billing.php],UrlBlock: [ORIGINAL:https://example.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}", + "message": "{\"aggregateId\":\"aggregateId\",\"processingId\":\"processingId\",\"accountId\":\"ANONYMIZED\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@example.com\",\"messageId\":\"<11111111111111111111111111111111111111@example.com>\",\"subject\":\"Redacted\",\"recipients\":\"admin@example.com\",\"senderIp\":\"1.2.3.4\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@example.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://example.com/pages/billing.php],UrlBlock: 
[ORIGINAL:https://example.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}", "event": { "action": "Rej", "category": [ @@ -992,18 +1094,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2025-01-07T09:35:47.621000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "direction": "Inbound", "from": { "address": [ - "john.doe@gmail.com" + "john.doe@example.com" ] }, "message_id": "11111111111111111111111111111111111111@example.com", "subject": "Redacted", "to": { "address": [ - "admin@mcfr.pro" + "admin@example.com" ] } }, @@ -1037,7 +1144,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } }, "url": { "domain": "example.com", @@ -1070,6 +1180,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2024-11-09T23:06:37.481000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, "email": { "from": { "address": [ 
@@ -1103,7 +1218,458 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.2.3.4", - "ip": "1.2.3.4" + "ip": "1.2.3.4", + "user": { + "domain": "example.org" + } + } + } + + ``` + + +=== "test_spam_process_01.json" + + ```json + + { + "message": "{\"aggregateId\":\"111111-111111111111111\",\"processingId\":\"222222222222-222222222222222_22222222222222_2222222222\",\"accountId\":\"org-12345678\",\"timestamp\":1757934457348,\"action\":\"Acc\",\"senderEnvelope\":\"j.doe@example.com\",\"messageId\":\"\",\"subject\":\"redacted\",\"recipients\":\"admin@corp.net\",\"senderIp\":\"1.2.3.4\",\"rejectionType\":null,\"rejectionCode\":null,\"direction\":\"inbound\",\"numberAttachments\":\"0\",\"senderHeader\":\"j.doe@example.com\",\"rejectionInfo\":null,\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"rbl\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"\\\"},\\\"greyEmail\\\":true,\\\"permittedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"NONE\\\"},\\\"managedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"}}\",\"virusFound\":null,\"spamScore\":\"0\",\"spamDetectionLevel\":null,\"receiptErrors\":null,\"type\":\"receipt\",\"subtype\":\"Acc\"}", + "event": { + "action": "Acc", + "category": [ + "email" + ], + "dataset": "receipt", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2025-09-15T11:07:37.348000Z", + "destination": { + "user": { + "domain": "corp.net" + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "j.doe@example.com" + ] + }, + "message_id": "j.doe@example.com", + "subject": "redacted", + "to": { + "address": [ + "admin@corp.net" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "111111-111111111111111", + "processing_id": "222222222222-222222222222222_22222222222222_2222222222", + "spam": { + "processing_detail": { + "greyEmail": true, + "managedSender": { + "allow": true, + 
"info": "UNKNOWN" + }, + "permittedSender": { + "allow": true, + "info": "NONE" + }, + "rbl": { + "allow": true, + "info": "" + } + }, + "score": 0 + }, + "subtype": "Acc" + } + }, + "organization": { + "id": "org-12345678" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } + } + } + + ``` + + +=== "test_spam_process_02.json" + + ```json + + { + "message": "{\"aggregateId\":\"1111111111111111111111\",\"processingId\":\"222222222222222222222222222222222222222222_2222222222\",\"accountId\":\"org-12345678\",\"timestamp\":1757926957543,\"action\":\"Acc\",\"senderEnvelope\":\"johndoe@example.com\",\"messageId\":\"\",\"subject\":\"redacted\",\"recipients\":\"j.doe@example.com\",\"senderIp\":\"1.2.3.4\",\"rejectionType\":null,\"rejectionCode\":null,\"direction\":\"inbound\",\"numberAttachments\":\"0\",\"senderHeader\":\"johndoe@example.com\",\"rejectionInfo\":null,\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"rbl\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"\\\"},\\\"greyEmail\\\":true,\\\"permittedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"NONE\\\"},\\\"managedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"verdict\\\":{\\\"categories\\\":[{\\\"name\\\":\\\"SPAM\\\",\\\"score\\\":12.08,\\\"risk\\\":\\\"HIGH\\\",\\\"subcategories\\\":[{\\\"name\\\":\\\"TECHNOLOGY_FEED\\\",\\\"score\\\":9.28,\\\"risk\\\":\\\"MEDIUM\\\",\\\"augmentations\\\":[]},{\\\"name\\\":\\\"HEURISTIC\\\",\\\"score\\\":2.0,\\\"risk\\\":\\\"NEGLIGIBLE\\\",\\\"augmentations\\\":[]},{\\\"name\\\":\\\"CONTENT\\\",\\\"score\\\":0.8,\\\"risk\\\":\\\"NEGLIGIBLE\\\",\\\"augmentations\\\":[{\\\"name\\\":\\\"HEADER_POORLY_STRUCTURED\\\",\\\"score\\\":0.8,\\\"risk\\\":\\\"NEGLIGIBLE\\\"}]}]}],\\\"decision\\\":\\\"SPAM\\\",\\\"description\\\":\\\"\\\",\\\"risk\\\":\\\"HIGH\\\"}}\",\"virusFound\":null,\"spamScore\":\"14\",\"spamDe
tectionLevel\":null,\"receiptErrors\":null,\"type\":\"receipt\",\"subtype\":\"Acc\"}", + "event": { + "action": "Acc", + "category": [ + "email" + ], + "dataset": "receipt", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2025-09-15T09:02:37.543000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "message_id": "j.doe@example.com", + "subject": "redacted", + "to": { + "address": [ + "j.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "1111111111111111111111", + "processing_id": "222222222222222222222222222222222222222222_2222222222", + "spam": { + "processing_detail": { + "greyEmail": true, + "managedSender": { + "allow": true, + "info": "UNKNOWN" + }, + "permittedSender": { + "allow": true, + "info": "NONE" + }, + "rbl": { + "allow": true, + "info": "" + }, + "verdict": { + "categories": [ + { + "name": "SPAM", + "risk": "HIGH", + "score": 12.08, + "subcategories": [ + { + "augmentations": [], + "name": "TECHNOLOGY_FEED", + "risk": "MEDIUM", + "score": 9.28 + }, + { + "augmentations": [], + "name": "HEURISTIC", + "risk": "NEGLIGIBLE", + "score": 2.0 + }, + { + "augmentations": [ + { + "name": "HEADER_POORLY_STRUCTURED", + "risk": "NEGLIGIBLE", + "score": 0.8 + } + ], + "name": "CONTENT", + "risk": "NEGLIGIBLE", + "score": 0.8 + } + ] + } + ], + "decision": "SPAM", + "description": "", + "risk": "HIGH" + } + }, + "score": 14 + }, + "subtype": "Acc" + } + }, + "organization": { + "id": "org-12345678" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } + } + } + + ``` + + +=== "test_spam_process_03.json" + + ```json + + { + "message": 
"{\"aggregateId\":\"11-1111111111111111111\",\"processingId\":\"2222222222222222222222222222222222222222_2222222222\",\"accountId\":\"org-12345678\",\"timestamp\":1757812871741,\"action\":\"Acc\",\"senderEnvelope\":\"johndoe@example.com\",\"messageId\":\"\",\"subject\":\"redacted\",\"recipients\":\"j.doe@example.com\",\"senderIp\":\"1.2.3.4\",\"rejectionType\":null,\"rejectionCode\":null,\"direction\":\"inbound\",\"numberAttachments\":\"0\",\"senderHeader\":\"johndoe@example.com\",\"rejectionInfo\":null,\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"rbl\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"\\\"},\\\"greyEmail\\\":true,\\\"permittedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"NONE\\\"},\\\"managedSender\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"verdict\\\":{\\\"categories\\\":[{\\\"name\\\":\\\"REQUESTED\\\",\\\"score\\\":7.5,\\\"risk\\\":\\\"MEDIUM\\\",\\\"subcategories\\\":[{\\\"name\\\":\\\"SPAM_FILTER_TESTS\\\",\\\"score\\\":7.5,\\\"risk\\\":\\\"MEDIUM\\\",\\\"augmentations\\\":[]}]}],\\\"decision\\\":\\\"REQUESTED\\\",\\\"description\\\":\\\"\\\",\\\"risk\\\":\\\"MEDIUM\\\"}}\",\"virusFound\":null,\"spamScore\":\"7\",\"spamDetectionLevel\":null,\"receiptErrors\":null,\"type\":\"receipt\",\"subtype\":\"Acc\"}", + "event": { + "action": "Acc", + "category": [ + "email" + ], + "dataset": "receipt", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2025-09-14T01:21:11.741000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "message_id": "j.doe@example.com", + "subject": "redacted", + "to": { + "address": [ + "j.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "11-1111111111111111111", + "processing_id": "2222222222222222222222222222222222222222_2222222222", + "spam": { + "processing_detail": { + 
"greyEmail": true, + "managedSender": { + "allow": true, + "info": "UNKNOWN" + }, + "permittedSender": { + "allow": true, + "info": "NONE" + }, + "rbl": { + "allow": true, + "info": "" + }, + "verdict": { + "categories": [ + { + "name": "REQUESTED", + "risk": "MEDIUM", + "score": 7.5, + "subcategories": [ + { + "augmentations": [], + "name": "SPAM_FILTER_TESTS", + "risk": "MEDIUM", + "score": 7.5 + } + ] + } + ], + "decision": "REQUESTED", + "description": "", + "risk": "MEDIUM" + } + }, + "score": 7 + }, + "subtype": "Acc" + } + }, + "organization": { + "id": "org-12345678" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "domain": "example.com" + } + } + } + + ``` + + +=== "test_url_category_01.json" + + ```json + + { + "message": "{\"processingId\":\"req-11111111111111111111111111111111\",\"aggregateId\":\"222222222222222222222222\",\"timestamp\":1757587137217,\"accountId\":\"org-12345678\",\"urlCategory\":\"Phishing & Fraud\",\"action\":\"Block\",\"url\":\"http://www.example.com\",\"subject\":\"redacted\",\"sourceIp\":\"1.2.3.4\",\"senderDomain\":\"example.com\",\"senderEnvelope\":\"j.doe@example.com\",\"route\":\"inbound\",\"recipients\":\"admin@example.com\",\"blockReason\":\"malicious\",\"messageId\":\"\",\"analysis\":\"null\",\"type\":\"url protect\",\"subtype\":\"Block\"}", + "event": { + "action": "Block", + "category": [ + "email" + ], + "dataset": "url protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2025-09-11T10:38:57.217000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, + "email": { + "from": { + "address": [ + "j.doe@example.com" + ] + }, + "message_id": "j.doe@example.com", + "subject": "redacted", + "to": { + "address": [ + "admin@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "222222222222222222222222", + "processing_id": "req-11111111111111111111111111111111", + "subtype": "Block", + 
"url_category": "Phishing & Fraud" + } + }, + "network": { + "direction": "inbound" + }, + "organization": { + "id": "org-12345678" + }, + "source": { + "user": { + "domain": "example.com" + } + }, + "url": { + "domain": "www.example.com", + "original": "http://www.example.com", + "port": 80, + "registered_domain": "example.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" + } + } + + ``` + + +=== "test_url_category_02.json" + + ```json + + { + "message": "{\"processingId\":\"req-11111111111111111111111111111111\",\"aggregateId\":\"2222222222222222222222\",\"timestamp\":1757502235455,\"accountId\":\"org-12345678\",\"urlCategory\":\"Phishing & Fraud\",\"action\":\"Block\",\"url\":\"http://www.example.com/\",\"subject\":\"redacted\",\"sourceIp\":\"1.2.3.4\",\"senderDomain\":\"example.com\",\"senderEnvelope\":\"johndoe@example.com\",\"route\":\"inbound\",\"recipients\":\"username@example.com\",\"blockReason\":\"malicious\",\"messageId\":\"\",\"analysis\":\"{\\\"Status\\\":[\\\"CustomerAll\\\",\\\"VerdictAllow\\\"],\\\"CredentialTheftEvidence\\\":[\\\"The website uses a valid certificate\\\"],\\\"CredentialTheftTags\\\":[\\\"BRAND_FOUND_IN_URL\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\",\\\"VALID_CERTIFICATE\\\"]}\",\"type\":\"url protect\",\"subtype\":\"Block\"}", + "event": { + "action": "Block", + "category": [ + "email" + ], + "dataset": "url protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2025-09-10T11:03:55.455000Z", + "destination": { + "user": { + "domain": "example.com" + } + }, + "email": { + "from": { + "address": [ + "johndoe@example.com" + ] + }, + "message_id": "j.doe@example.com", + "subject": "redacted", + "to": { + "address": [ + "username@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "2222222222222222222222", + "processing_id": "req-11111111111111111111111111111111", + "subtype": "Block", + "url_category": "Phishing & Fraud" + 
} + }, + "network": { + "direction": "inbound" + }, + "organization": { + "id": "org-12345678" + }, + "source": { + "user": { + "domain": "example.com" + } + }, + "url": { + "domain": "www.example.com", + "original": "http://www.example.com/", + "path": "/", + "port": 80, + "registered_domain": "example.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" } } 
@@ -1115,7 +1681,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"timestamp\": 1715767102752, \"accountId\": \"ANONYMIZED\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://example.net\", \"subject\": \"Redacted\", \"sourceIp\": \"1.2.3.4\", \"senderDomain\": \"gmail.com\", \"senderEnvelope\": \"janedoe@gmail.com\", \"route\": \"inbound\", \"recipients\": \"johndoe@example.pro\", \"blockReason\": \"malicious\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}", + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"timestamp\": 1715767102752, \"accountId\": \"ANONYMIZED\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://example.net\", \"subject\": \"Redacted\", \"sourceIp\": \"1.2.3.4\", \"senderDomain\": \"example.com\", \"senderEnvelope\": \"janedoe@example.com\", \"route\": \"inbound\", \"recipients\": \"johndoe@corp.net\", \"blockReason\": \"malicious\", \"messageId\": \"<11111111111111111111111111111111111111@example.com>\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}", "event": { "action": "Block", "category": [ 
@@ -1128,17 +1694,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2024-05-15T09:58:22.752000Z", + "destination": { + "user": { + "domain": "corp.net" + } + }, "email": { "from": { "address": [ - "janedoe@gmail.com" + "janedoe@example.com" ] }, "message_id": "11111111111111111111111111111111111111@example.com", "subject": "Redacted", "to": { "address": [ - "johndoe@example.pro" + "johndoe@corp.net" ] } }, @@ -1146,7 +1717,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "siem": { "aggregate_id": "aggregateId", "processing_id": "processingId", - "subtype": "Block" + "subtype": "Block", + "url_category": "Phishing & Fraud" } }, "network": { @@ -1155,6 +1727,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "organization": { "id": "ANONYMIZED" }, + "source": { + "user": { + "domain": "example.com" + } + }, "url": { "domain": "example.net", "original": "http://example.net", @@ -1179,6 +1756,7 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`destination.ip` | `ip` | IP address of the destination. | +|`destination.user.domain` | `keyword` | Name of the directory the user is a member of. | |`email.attachments` | `nested` | List of objects describing the attachments. | |`email.direction` | `keyword` | Direction of the message. | |`email.from.address` | `keyword` | The sender's email address. | 
@@ -1205,10 +1783,12 @@ The following table lists the fields that are extracted, normalized under the EC |`mimecast.siem.spam.processing_detail` | `object` | The Spam processing details for DKIM, SPF, DMARC. | |`mimecast.siem.spam.score` | `long` | The metric that measures the likelihood of the event being considered spam. | |`mimecast.siem.subtype` | `keyword` | | +|`mimecast.siem.url_category` | `keyword` | The URL category assigned by Mimecast. | |`mimecast.siem.virus_found` | `keyword` | The name of the virus found on the email, if applicable. | |`network.direction` | `keyword` | Direction of the network traffic. | |`organization.id` | `keyword` | Unique identifier for the organization. | |`source.ip` | `ip` | IP address of the source. | +|`source.user.domain` | `keyword` | Name of the directory the user is a member of. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md index 2c4ed3650a..2375e58aa8 100644 --- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md +++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md @@ -77,7 +77,7 @@ In this section, you will find examples of raw logs as generated natively by the "fileExtension": "docx", "subType": null, "senderIp": "1.2.3.4", - "senderDomain": "mimecast.com", + "senderDomain": "example.com", "timestamp": 1689685338586, "emailSize": "1648832", "md5": "68b329da9893e34099c7d8ad5cb9c940" 
@@ -308,7 +308,7 @@ In this section, you will find examples of raw logs as generated natively by the "accountId": "anonymized", "action": "Acc", "timestamp": 1760016329744, - "senderEnvelope": "johndoe@gmail.com", + "senderEnvelope": "johndoe@example.com", "messageId": "<11111111111111111111111111111111111111@example.com>", "subject": "Redacted", "holdReason": "Oth", @@ -333,7 +333,7 @@ In this section, you will find examples of raw logs as generated natively by the "accountId": "ANONYMIZED", "action": "Acc", "timestamp": 1733997069148, - "senderEnvelope": "johndoe@gmail.com", + "senderEnvelope": "johndoe@example.com", "messageId": "1@example.com>", "subject": "Redacted", "holdReason": null, @@ -360,16 +360,16 @@ In this section, you will find examples of raw logs as generated natively by the "accountId": "ANONYMIZED", "timestamp": 1715708286579, "action": "Acc", - "senderEnvelope": "john.doe@gmail.com", + "senderEnvelope": "john.doe@example.com", "messageId": "<11111111111111111111111111111111111111@example.com>", "subject": "Redacted", - "recipients": "admin@mcfr2.pro", + "recipients": "admin@example.com", "senderIp": "1.2.3.4", "rejectionType": null, "rejectionCode": null, "direction": "Inbound", "numberAttachments": "0", - "senderHeader": "john.doe@gmail.com", + "senderHeader": "john.doe@example.com", "rejectionInfo": null, "tlsVersion": "TLSv1.3", "tlsCipher": "TLS_AES_256_GCM_SHA384", @@ -434,7 +434,7 @@ In this section, you will find examples of raw logs as generated natively by the "senderEnvelope": "john.doe@example.com", "messageId": "33333333-3333-3333-3333-333333333333@example.com", "subject": "Redacted", - "recipients": "jane.doe@acme.inc", + "recipients": "jane.doe@example.com", "senderIp": "1.2.3.4", "rejectionType": null, "rejectionCode": null, 
@@ -493,16 +493,16 @@ In this section, you will find examples of raw logs as generated natively by the "accountId": "ANONYMIZED", "timestamp": 1736242547621, "action": "Rej", - "senderEnvelope": "john.doe@gmail.com", + "senderEnvelope": "john.doe@example.com", "messageId": "<11111111111111111111111111111111111111@example.com>", "subject": "Redacted", - "recipients": "admin@mcfr.pro", + "recipients": "admin@example.com", "senderIp": "1.2.3.4", "rejectionType": "Malicious QRCode Detection", "rejectionCode": "554", "direction": "Inbound", "numberAttachments": "2", - "senderHeader": "john.doe@gmail.com", + "senderHeader": "john.doe@example.com", "rejectionInfo": "[Type: [Phishing & Fraud],Url: [https://example.com/pages/billing.php],UrlBlock: [ORIGINAL:https://example.com/pages/billin]", "tlsVersion": "TLSv1.3", "tlsCipher": "TLS_AES_256_GCM_SHA384", 
@@ -547,6 +547,170 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_spam_process_01" + + + ```json + { + "aggregateId": "111111-111111111111111", + "processingId": "222222222222-222222222222222_22222222222222_2222222222", + "accountId": "org-12345678", + "timestamp": 1757934457348, + "action": "Acc", + "senderEnvelope": "j.doe@example.com", + "messageId": "", + "subject": "redacted", + "recipients": "admin@corp.net", + "senderIp": "1.2.3.4", + "rejectionType": null, + "rejectionCode": null, + "direction": "inbound", + "numberAttachments": "0", + "senderHeader": "j.doe@example.com", + "rejectionInfo": null, + "tlsVersion": "TLSv1.3", + "tlsCipher": "TLS_AES_256_GCM_SHA384", + "spamInfo": null, + "spamProcessingDetail": "{\"rbl\":{\"allow\":true,\"info\":\"\"},\"greyEmail\":true,\"permittedSender\":{\"allow\":true,\"info\":\"NONE\"},\"managedSender\":{\"allow\":true,\"info\":\"UNKNOWN\"}}", + "virusFound": null, + "spamScore": "0", + "spamDetectionLevel": null, + "receiptErrors": null, + "type": "receipt", + "subtype": "Acc" + } + ``` + + + +=== "test_spam_process_02" + + + ```json + { + "aggregateId": "1111111111111111111111", + "processingId": "222222222222222222222222222222222222222222_2222222222", + "accountId": "org-12345678", + "timestamp": 1757926957543, + "action": "Acc", + "senderEnvelope": "johndoe@example.com", + "messageId": "", + "subject": "redacted", + "recipients": "j.doe@example.com", + "senderIp": "1.2.3.4", + "rejectionType": null, + "rejectionCode": null, + "direction": "inbound", + "numberAttachments": "0", + "senderHeader": "johndoe@example.com", + "rejectionInfo": null, + "tlsVersion": "TLSv1.3", + "tlsCipher": "TLS_AES_256_GCM_SHA384", + "spamInfo": null, + "spamProcessingDetail": 
"{\"rbl\":{\"allow\":true,\"info\":\"\"},\"greyEmail\":true,\"permittedSender\":{\"allow\":true,\"info\":\"NONE\"},\"managedSender\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"verdict\":{\"categories\":[{\"name\":\"SPAM\",\"score\":12.08,\"risk\":\"HIGH\",\"subcategories\":[{\"name\":\"TECHNOLOGY_FEED\",\"score\":9.28,\"risk\":\"MEDIUM\",\"augmentations\":[]},{\"name\":\"HEURISTIC\",\"score\":2.0,\"risk\":\"NEGLIGIBLE\",\"augmentations\":[]},{\"name\":\"CONTENT\",\"score\":0.8,\"risk\":\"NEGLIGIBLE\",\"augmentations\":[{\"name\":\"HEADER_POORLY_STRUCTURED\",\"score\":0.8,\"risk\":\"NEGLIGIBLE\"}]}]}],\"decision\":\"SPAM\",\"description\":\"\",\"risk\":\"HIGH\"}}", + "virusFound": null, + "spamScore": "14", + "spamDetectionLevel": null, + "receiptErrors": null, + "type": "receipt", + "subtype": "Acc" + } + ``` + + + +=== "test_spam_process_03" + + + ```json + { + "aggregateId": "11-1111111111111111111", + "processingId": "2222222222222222222222222222222222222222_2222222222", + "accountId": "org-12345678", + "timestamp": 1757812871741, + "action": "Acc", + "senderEnvelope": "johndoe@example.com", + "messageId": "", + "subject": "redacted", + "recipients": "j.doe@example.com", + "senderIp": "1.2.3.4", + "rejectionType": null, + "rejectionCode": null, + "direction": "inbound", + "numberAttachments": "0", + "senderHeader": "johndoe@example.com", + "rejectionInfo": null, + "tlsVersion": "TLSv1.3", + "tlsCipher": "TLS_AES_256_GCM_SHA384", + "spamInfo": null, + "spamProcessingDetail": "{\"rbl\":{\"allow\":true,\"info\":\"\"},\"greyEmail\":true,\"permittedSender\":{\"allow\":true,\"info\":\"NONE\"},\"managedSender\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"verdict\":{\"categories\":[{\"name\":\"REQUESTED\",\"score\":7.5,\"risk\":\"MEDIUM\",\"subcategories\":[{\"name\":\"SPAM_FILTER_TESTS\",\"score\":7.5,\"risk\":\"MEDIUM\",\"augmentations\":[]}]}],\"decision\":\"REQUESTED\",\"description\":\"\",\"risk\":\"MEDIUM\"}}", + "virusFound": null, + "spamScore": "7", + 
"spamDetectionLevel": null, + "receiptErrors": null, + "type": "receipt", + "subtype": "Acc" + } + ``` + + + +=== "test_url_category_01" + + + ```json + { + "processingId": "req-11111111111111111111111111111111", + "aggregateId": "222222222222222222222222", + "timestamp": 1757587137217, + "accountId": "org-12345678", + "urlCategory": "Phishing & Fraud", + "action": "Block", + "url": "http://www.example.com", + "subject": "redacted", + "sourceIp": "1.2.3.4", + "senderDomain": "example.com", + "senderEnvelope": "j.doe@example.com", + "route": "inbound", + "recipients": "admin@example.com", + "blockReason": "malicious", + "messageId": "", + "analysis": "null", + "type": "url protect", + "subtype": "Block" + } + ``` + + + +=== "test_url_category_02" + + + ```json + { + "processingId": "req-11111111111111111111111111111111", + "aggregateId": "2222222222222222222222", + "timestamp": 1757502235455, + "accountId": "org-12345678", + "urlCategory": "Phishing & Fraud", + "action": "Block", + "url": "http://www.example.com/", + "subject": "redacted", + "sourceIp": "1.2.3.4", + "senderDomain": "example.com", + "senderEnvelope": "johndoe@example.com", + "route": "inbound", + "recipients": "username@example.com", + "blockReason": "malicious", + "messageId": "", + "analysis": "{\"Status\":[\"CustomerAll\",\"VerdictAllow\"],\"CredentialTheftEvidence\":[\"The website uses a valid certificate\"],\"CredentialTheftTags\":[\"BRAND_FOUND_IN_URL\",\"NO_IMAGES_PASSED_FILTERING\",\"REDIRECTION\",\"REMOTE_RESOURCES\",\"VALID_CERTIFICATE\"]}", + "type": "url protect", + "subtype": "Block" + } + ``` + + + === "test_url_protect_blocked" 
@@ -561,10 +725,10 @@ In this section, you will find examples of raw logs as generated natively by the "url": "http://example.net", "subject": "Redacted", "sourceIp": "1.2.3.4", - "senderDomain": "gmail.com", - "senderEnvelope": "janedoe@gmail.com", + "senderDomain": "example.com", + "senderEnvelope": "janedoe@example.com", "route": "inbound", - "recipients": "johndoe@example.pro", + "recipients": "johndoe@corp.net", "blockReason": "malicious", "messageId": "<11111111111111111111111111111111111111@example.com>", "analysis": "{\"CredentialTheftEvidence\":[\"The website uses an unencrypted connection\"],\"CredentialTheftTags\":[\"NO_CERTIFICATE\",\"NO_IMAGES_PASSED_FILTERING\",\"REDIRECTION\",\"REMOTE_RESOURCES\"]}", diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index d071d00eab..dc4feaa831 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md 
@@ -32,7 +32,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"192.0.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is 
Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", "event": { "action": "MONITOR_MODE_ACCESS_DENY_EVENT", "dataset": "admin#reports#activity", @@ -43,7 +43,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-07T14:23:22.470000Z", "cloud": { "account": { - "id": "C02i38lll" + "id": "ANONYMIZED" } }, "google": { @@ -59,6 +59,43 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "MONITOR_MODE_ACCESS_DENY_EVENT", "type": "CONTEXT_AWARE_ACCESS_USER_EVENT" } + ], + "parameters_all": [ + { + "multiValue": [ + "is admin-approved IOS", + "is admin-approved android", + "Is Corporate Device" + ], + "name": "CAA_ACCESS_LEVEL_APPLIED" + }, + { + "multiValue": [ + "is admin-approved android", + "Crowdstrike Compliant Device", + "is admin-approved IOS", + "Is Corporate Device" + ], + "name": "CAA_ACCESS_LEVEL_UNSATISFIED" + }, + { + "name": "CAA_APPLICATION", + "value": "GMAIL" + }, + { + "multiValue": [ + "GMAIL" + ], + "name": "BLOCKED_API_ACCESS" + }, + { + "name": "CAA_DEVICE_ID", + "value": "UNKNOWN" + }, + { + "name": "CAA_DEVICE_STATE", + "value": "No Device Signals" + } ] } }, 
@@ -67,20 +104,100 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "9.3.2.1" + "192.0.2.1" ], "user": [ "john.doe" ] }, "source": { - "address": "9.3.2.1", - "ip": "9.3.2.1" + "address": "192.0.2.1", + "ip": "192.0.2.1" }, "user": { "domain": "test.com", "email": "john.doe@test.com", - "id": "117564289545555555555", + "id": "user1", + "name": "john.doe" + } + } + + ``` + + +=== "test_admin_data_source.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-12-01T11:00:20.545Z\",\"uniqueQualifier\":\"-2222222222222222222\",\"applicationName\":\"admin\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"Abc/Def\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@example.com\",\"profileId\":\"111111111111111111111\"},\"ipAddress\":\"1.2.3.4\",\"networkInfo\":{\"ipAsn\":[3215],\"regionCode\":\"FR\",\"subdivisionCode\":\"FR-IDF\"},\"events\":[{\"type\":\"SECURITY_INVESTIGATION\",\"name\":\"SECURITY_INVESTIGATION_CONTENT_ACCESS\",\"parameters\":[{\"name\":\"INVESTIGATION_DATA_SOURCE\",\"value\":\"GMAIL\"},{\"name\":\"INVESTIGATION_CONTENT_ACCESS_ENTITY_ID\",\"value\":\"( jane.doe@example.net)\"},{\"name\":\"INVESTIGATION_CONTENT_ACCESS_JUSTIFICATION\",\"value\":\"https://test.atlassian.net/jira/servicedesk/projects/ALRT/queues/custom/125/ALRT-1\"},{\"name\":\"INVESTIGATION_CONTENT_ACCESS_DEVICE\",\"value\":\"REDACTED\"}]}]}", + "event": { + "action": "SECURITY_INVESTIGATION_CONTENT_ACCESS", + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "type": [] + }, + "@timestamp": "2025-12-01T11:00:20.545000Z", + "cloud": { + "account": { + "id": "ANONYMIZED" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@example.com" + }, + "events": [ + { + "name": "SECURITY_INVESTIGATION_CONTENT_ACCESS", + "type": "SECURITY_INVESTIGATION" + } + ], + "parameters_all": [ + { + "name": "INVESTIGATION_DATA_SOURCE", + "value": "GMAIL" + 
}, + { + "name": "INVESTIGATION_CONTENT_ACCESS_ENTITY_ID", + "value": "( jane.doe@example.net)" + }, + { + "name": "INVESTIGATION_CONTENT_ACCESS_JUSTIFICATION", + "value": "https://test.atlassian.net/jira/servicedesk/projects/ALRT/queues/custom/125/ALRT-1" + }, + { + "name": "INVESTIGATION_CONTENT_ACCESS_DEVICE", + "value": "REDACTED" + } + ], + "rule": { + "data_source": "GMAIL" + } + } + }, + "network": { + "application": "admin" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "id": "111111111111111111111", "name": "john.doe" } } 
@@ -93,7 +210,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"FE80:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}", "event": { "action": "ALERT_CENTER_VIEW", "category": [ @@ -107,7 +224,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-12T14:50:56.780000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { @@ -120,6 +237,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "ALERT_CENTER_VIEW", "type": "ALERT_CENTER" } + ], + "parameters_all": [ + { + "name": "ALERT_ID", + "value": "445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de" + } ] } }, 
@@ -128,20 +251,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "2222:0:333:1111:7777:5555:6666:ddd" + "fe80:0:333:1111:7777:5555:6666:ddd" ], "user": [ "test" ] }, "source": { - "address": "2222:0:333:1111:7777:5555:6666:ddd", - "ip": "2222:0:333:1111:7777:5555:6666:ddd" + "address": "fe80:0:333:1111:7777:5555:6666:ddd", + "ip": "fe80:0:333:1111:7777:5555:6666:ddd" }, "user": { "domain": "test.com", "email": "test@test.com", - "id": "10125127140", + "id": "user1", "name": "test" } } 
@@ -154,7 +277,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 
day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"FE80:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 
week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}", "event": { "action": [ "ALLOW_STRONG_AUTHENTICATION", @@ -177,7 +300,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-12T14:41:33.804000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { 
@@ -214,6 +337,88 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "type": "SECURITY_SETTINGS" } + ], + "parameters_all": [ + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "true" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "true" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "DISABLE_USERS_TO_TRUST_DEVICE" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "1 week" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "1 day" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "ALLOWED_TWO_STEP_VERIFICATION_METHOD", + "value": "NO_TELEPHONY" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + }, + { + "name": "OLD_VALUE", + "value": "INHERIT_FROM_PARENT" + }, + { + "name": "NEW_VALUE", + "value": "2019-10-31" + }, + { + "name": "ORG_UNIT_NAME", + "value": "IT" + } ] } }, @@ -222,20 +427,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "2222:0:333:1111:7777:5555:6666:ddd" + "fe80:0:333:1111:7777:5555:6666:ddd" ], "user": [ "test" ] }, "source": { - "address": "2222:0:333:1111:7777:5555:6666:ddd", - "ip": "2222:0:333:1111:7777:5555:6666:ddd" + "address": "fe80:0:333:1111:7777:5555:6666:ddd", + "ip": "fe80:0:333:1111:7777:5555:6666:ddd" }, "user": { "domain": "test.com", "email": "test@test.com", - "id": "10125127141", + "id": "user1", "name": "test" } } 
@@ -248,7 +453,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"jane.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jane.doe@test.com\"},{\"name\":\"event_title\",\"value\":\"title 
test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}", "event": { "action": "change_event", "category": [ @@ -262,19 +467,65 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-13T10:25:01.859000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "joe.done@test.com" + "email": "jane.doe@test.com" }, "events": [ { "name": "change_event", "type": "event_change" } + ], + "parameters_all": [ + { + "name": "event_id", + "value": "6qr2cujo0lkfln" + }, + { + "name": "organizer_calendar_id", + "value": "jane.doe@test.com" + }, + { + "name": "calendar_id", + "value": "jane.doe@test.com" + }, + { + "name": "event_title", + "value": "title test" + }, + { + "boolValue": false, + "name": "is_recurring" + }, + { + "name": "recurring", + "value": "no" + }, + { + "name": "client_side_encrypted", + "value": "no" + }, + { + "intValue": "63846009000", + "name": "start_time" + }, + { + "intValue": "63846010800", + "name": "end_time" + }, + { + "name": "api_kind", + "value": "caldav" + }, + { + "name": "user_agent", + "value": "macOS/12.5" + } ] } }, @@ -286,7 +537,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "joe.done" + "jane.doe" ] }, "source": { @@ -295,9 +546,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "test.com", - "email": "joe.done@test.com", - "id": "1126768166", - "name": "joe.done" + "email": "jane.doe@test.com", + "id": "user1", + "name": "jane.doe" } } 
@@ -309,7 +560,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"user1\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"192.0.2.1\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"john.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jane.doe@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"john.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jane.doe@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jane.doe@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}", "event": { "action": [ "add_event_guest", 
@@ -327,18 +578,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-13T10:36:57.929000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "destination": { "user": { - "email": "jone.done@test.com" + "email": "jane.doe@test.com" } }, "google": { "report": { "actor": { - "email": "joe.doe@test.com" + "email": "john.doe@test.com" }, "events": [ { @@ -349,6 +600,84 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "add_event_guest", "type": "event_change" } + ], + "parameters_all": [ + { + "name": "event_id", + "value": "fksdqs5mv613b" + }, + { + "name": "organizer_calendar_id", + "value": "john.doe@test.com" + }, + { + "name": "calendar_id", + "value": "jane.doe@test.com" + }, + { + "name": "event_title", + "value": "Test title" + }, + { + "boolValue": false, + "name": "is_recurring" + }, + { + "name": "recurring", + "value": "no" + }, + { + "name": "client_side_encrypted", + "value": "no" + }, + { + "intValue": "63846450000", + "name": "start_time" + }, + { + "intValue": "63846453600", + "name": "end_time" + }, + { + "name": "user_agent", + "value": "Calendly" + }, + { + "name": "event_id", + "value": "fksdqs5mv613b" + }, + { + "name": "organizer_calendar_id", + "value": "john.doe@test.com" + }, + { + "name": "calendar_id", + "value": "jane.doe@test.com" + }, + { + "name": "event_title", + "value": "Test title" + }, + { + "boolValue": false, + "name": "is_recurring" + }, + { + "name": "recurring", + "value": "no" + }, + { + "name": "client_side_encrypted", + "value": "no" + }, + { + "name": "event_guest", + "value": "jane.doe@test.com" + }, + { + "name": "user_agent", + "value": "Calendly" + } ] } }, 
@@ -357,21 +686,21 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "ffff:2222:333:11:aa:2222:111:11" + "192.0.2.1" ], "user": [ - "joe.doe" + "john.doe" ] }, "source": { - "address": "ffff:2222:333:11:aa:2222:111:11", - "ip": "ffff:2222:333:11:aa:2222:111:11" + "address": "192.0.2.1", + "ip": "192.0.2.1" }, "user": { "domain": "test.com", - "email": "joe.doe@test.com", - "id": "1158856535600", - "name": "joe.doe" + "email": "john.doe@test.com", + "id": "user1", + "name": "john.doe" } } 
@@ -383,7 +712,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"jane.doe@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}", "event": { "action": "message_posted", "category": [ 
@@ -397,13 +726,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-08T10:37:56.354000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "joe.done@test.com" + "email": "jane.doe@test.com" }, "chat": { "message": { @@ -418,6 +747,32 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "message_posted", "type": "user_action" } + ], + "parameters_all": [ + { + "name": "room_id", + "value": "AAAAAAAAAA" + }, + { + "name": "actor", + "value": "jane.doe@test.com" + }, + { + "name": "message_id", + "value": "spaces/AAAApr7T222/messages/oODWFIV2CtA" + }, + { + "name": "retention_state", + "value": "PERMANENT" + }, + { + "name": "room_name", + "value": "Group Chat (AAAAAAAAAA)" + }, + { + "name": "dlp_scan_status", + "value": "DLP_NOT_APPLICABLE" + } ] } }, @@ -426,14 +781,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "joe.done" + "jane.doe" ] }, "user": { "domain": "test.com", - "email": "joe.done@test.com", - "id": "1160802395241", - "name": "joe.done" + "email": "jane.doe@test.com", + "id": "user1", + "name": "jane.doe" } } 
@@ -445,7 +800,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"jane.doe@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}", "event": { "action": "room_created", "category": [ @@ -459,13 +814,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-12T10:01:16.430000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "joe.done@test.com" + "email": "jane.doe@test.com" }, "chat": { "room": { 
@@ -477,6 +832,24 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "room_created", "type": "user_action" } + ], + "parameters_all": [ + { + "name": "room_id", + "value": "AAAAAAAAA" + }, + { + "name": "actor", + "value": "jane.doe@test.com" + }, + { + "name": "external_room", + "value": "DISABLED" + }, + { + "name": "room_name", + "value": "Group Chat (AAAAAAAAA)" + } ] } }, @@ -485,14 +858,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "joe.done" + "jane.doe" ] }, "user": { "domain": "test.com", - "email": "joe.done@test.com", - "id": "1070981817756", - "name": "joe.done" + "email": "jane.doe@test.com", + "id": "user1", + "name": "jane.doe" } } 
@@ -504,7 +877,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:11:54.000Z\",\"uniqueQualifier\":\"8333377333333333333\",\"applicationName\":\"chrome\",\"customerId\":\"C01000364\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhI/FB6vZhPRe0T5Zqobg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506090000000000000\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_ADD_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172800000000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_USER_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNNN00AA\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"47777777-cccc-7777-7777-f16211400000000\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:11:54.000Z\",\"uniqueQualifier\":\"8333377333333333333\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhI/FB6vZhPRe0T5Zqobg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_ADD_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172800000000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_USER_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"47777777-cccc-7777-7777-f16211400000000\"}]}]}", "event": { "action": "CHROME_OS_ADD_USER", "category": [ 
@@ -519,7 +892,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-15T09:11:54Z", "cloud": { "account": { - "id": "C01000364" + "id": "ANONYMIZED" } }, "device": { @@ -532,11 +905,41 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROME_OS_ADD_USER", "type": "CHROME_OS_ADD_REMOVE_USER_TYPE" } + ], + "parameters_all": [ + { + "intValue": "172800000000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_AFFILIATED_USER_ADDED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "47777777-cccc-7777-7777-f16211400000000" + } ] } }, "host": { - "name": "S5NNNN00AA", + "name": "example.com", "os": { "full": "ChromeOS 16002.51.0" } @@ -544,9 +947,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "network": { "application": "chrome" }, + "related": { + "user": [ + "redacted" + ] + }, "user": { - "email": "a@test.fr", - "id": "105250506090000000000000" + "id": "user1", + "name": "redacted" } } 
@@ -558,7 +966,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:41:04.457Z\",\"uniqueQualifier\":\"-419957426935000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x77777\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiA/NR0JCBuKk9DM7\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060000000000000\"},\"events\":[{\"type\":\"CHROMEOS_LOCK_UNLOCK_TYPE\",\"name\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728984444444\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A66666666\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f100000000000000000\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:41:04.457Z\",\"uniqueQualifier\":\"-419957426935000000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiA/NR0JCBuKk9DM7\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_LOCK_UNLOCK_TYPE\",\"name\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728984444444\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOCK_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f100000000000000000\"}]}]}", "event": { "action": "CHROMEOS_AFFILIATED_LOCK_SUCCESS", "category": [ 
@@ -574,7 +982,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-15T09:41:04.457000Z", "cloud": { "account": { - "id": "C01x77777" + "id": "ANONYMIZED" } }, "device": { @@ -587,11 +995,41 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROMEOS_AFFILIATED_LOCK_SUCCESS", "type": "CHROMEOS_LOCK_UNLOCK_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1728984444444", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_AFFILIATED_LOCK_SUCCESS" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857-b741-f100000000000000000" + } ] } }, "host": { - "name": "S5NXNZ00A66666666", + "name": "example.com", "os": { "full": "ChromeOS 16002.51.0" } @@ -599,9 +1037,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "network": { "application": "chrome" }, + "related": { + "user": [ + "redacted" + ] + }, "user": { - "email": "a@test.fr", - "id": "1052505060000000000000" + "id": "user1", + "name": "redacted" } } 
@@ -613,7 +1056,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:15:35.760Z\",\"uniqueQualifier\":\"-5079400007310000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfbhIiAAGttWx4uxgdiOjzAg0/tTZpUjK2c3wFB9Uh\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"SYSTEM\"},\"events\":[{\"type\":\"DEVICE_BOOT_STATE_CHANGE_TYPE\",\"name\":\"DEVICE_BOOT_STATE_CHANGE\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071700000\"},{\"name\":\"DEVICE_NAME\",\"value\":\"M4NXCVNNNN2000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROME_OS_VERIFIED_MODE\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"\"},{\"name\":\"PREVIOUS_BOOT_MODE\",\"value\":\"UNKNOWN\"},{\"name\":\"NEW_BOOT_MODE\",\"value\":\"VERIFIED\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:15:35.760Z\",\"uniqueQualifier\":\"-5079400007310000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfbhIiAAGttWx4uxgdiOjzAg0/tTZpUjK2c3wFB9Uh\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"SYSTEM\"},\"events\":[{\"type\":\"DEVICE_BOOT_STATE_CHANGE_TYPE\",\"name\":\"DEVICE_BOOT_STATE_CHANGE\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071700000\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROME_OS_VERIFIED_MODE\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"\"},{\"name\":\"PREVIOUS_BOOT_MODE\",\"value\":\"UNKNOWN\"},{\"name\":\"NEW_BOOT_MODE\",\"value\":\"VERIFIED\"}]}]}", "event": { "action": "DEVICE_BOOT_STATE_CHANGE", "category": [ 
@@ -628,7 +1071,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-08T13:15:35.760000Z", "cloud": { "account": { - "id": "C01xxcccc" + "id": "ANONYMIZED" } }, "device": { 
@@ -644,26 +1087,56 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "DEVICE_BOOT_STATE_CHANGE", "type": "DEVICE_BOOT_STATE_CHANGE_TYPE" } - ] - } - }, - "host": { - "name": "M4NXCVNNNN2000000" - }, - "network": { - "application": "chrome" - } - } - - ``` - - + ], + "parameters_all": [ + { + "intValue": "1731071700000", + "name": "TIMESTAMP" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "EVENT_REASON", + "value": "CHROME_OS_VERIFIED_MODE" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "c4a7f0fa-e5d1-4a07-8f61-9eeeeeeeeeef" + }, + { + "name": "DEVICE_PLATFORM", + "value": "" + }, + { + "name": "PREVIOUS_BOOT_MODE", + "value": "UNKNOWN" + }, + { + "name": "NEW_BOOT_MODE", + "value": "VERIFIED" + } + ] + } + }, + "host": { + "name": "example.com" + }, + "network": { + "application": "chrome" + } + } + + ``` + + === "test_chrome_CRD_CLIENT_CONNECTED.json" ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:41.000Z\",\"uniqueQualifier\":\"-41312380982470000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9kD84uxgdiOjzAg0/ydpRq7PE6Sq81YCdl1\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"1032729143013\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_CONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_CONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17290000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_CONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPFPF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CONNECTION_TYPE\",\"value\":\"RELAY\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c214388888888\"},{\"name\":\"SESSION_ID\",\"value\":\"joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:41.000Z\",\"uniqueQualifier\":\"-41312380982470000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD84uxgdiOjzAg0/ydpRq7PE6Sq81YCdl1\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_CONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_CONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17290000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_CONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CONNECTION_TYPE\",\"value\":\"RELAY\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c214388888888\"},{\"name\":\"SESSION_ID\",\"value\":\"joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755\"}]}]}", "event": { "action": "CHROME_OS_CRD_CLIENT_CONNECTED", "category": [ @@ -678,7 +1151,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-21T13:47:41Z", "cloud": { "account": { - "id": "C01x7cccc" + "id": "ANONYMIZED" } }, "device": { @@ -687,7 +1160,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { 
@@ -695,13 +1168,51 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "CHROME_OS_CRD_CLIENT_CONNECTED_TYPE" } ], + "parameters_all": [ + { + "intValue": "17290000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_CRD_CLIENT_CONNECTED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "Admin" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "CONNECTION_TYPE", + "value": "RELAY" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.58.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "0f9e7f45-b777-4777-b777-c214388888888" + }, + { + "name": "SESSION_ID", + "value": "joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755" + } + ], "session": { "id": "joedoe@test.fr/chromoting_ftl_d2cd9895-eeee-5555-0000-00040059755" } } }, "host": { - "name": "PFPFPF7T0M", + "name": "example.com", "os": { "full": "ChromeOS 16002.58.0" } @@ -715,9 +1226,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "1032729143013", + "id": "user1", "name": "Admin" } } 
@@ -730,7 +1239,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"389668566663666666613\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/k9WnQIxoNvYgDlcL8\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103276200000043013\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1729518000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_DISCONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFFF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-7777-7777-7777-c21438884dc5\"},{\"name\":\"SESSION_ID\",\"value\":\"joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"389668566663666666613\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/k9WnQIxoNvYgDlcL8\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED_TYPE\",\"name\":\"CHROME_OS_CRD_CLIENT_DISCONNECTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1729518000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_CLIENT_DISCONNECTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-7777-7777-7777-c21438884dc5\"},{\"name\":\"SESSION_ID\",\"value\":\"joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555\"}]}]}", "event": { "action": "CHROME_OS_CRD_CLIENT_DISCONNECTED", "category": [ @@ -745,7 +1254,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-21T13:48:12Z", "cloud": { "account": { - "id": "C01xxcccc" + "id": "ANONYMIZED" } }, "device": { @@ -754,7 +1263,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { @@ -762,13 +1271,47 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "CHROME_OS_CRD_CLIENT_DISCONNECTED_TYPE" } ], + "parameters_all": [ + { + "intValue": "1729518000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_CRD_CLIENT_DISCONNECTED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "Admin" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.58.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "0f9e7f45-7777-7777-7777-c21438884dc5" + }, + { + "name": "SESSION_ID", + "value": "joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555" + } + ], "session": { "id": "joeDoe@test.fr/chromoting_ftl_dddd9999-eeee-5555-0000-55555555555" } } }, "host": { - "name": "PFFF7T0M", + "name": "example.com", "os": { "full": "ChromeOS 16002.58.0" } @@ -782,9 +1325,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "103276200000043013", + "id": "user1", "name": "Admin" } } 
@@ -797,7 +1338,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"-3822400088800088888\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWxgdiOjzAg0/ND9YlWuFYJrufwljQI\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"11122222222460000000\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_ENDED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_ENDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17292222222000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_ENDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPFTT0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c21438e84dc5\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:48:12.000Z\",\"uniqueQualifier\":\"-3822400088800088888\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWxgdiOjzAg0/ND9YlWuFYJrufwljQI\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_ENDED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_ENDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"17292222222000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_ENDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b777-4777-b777-c21438e84dc5\"}]}]}", "event": { "action": "CHROME_OS_CRD_HOST_ENDED", "category": [ 
@@ -812,7 +1353,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-21T13:48:12Z", "cloud": { "account": { - "id": "C01x7cccc" + "id": "ANONYMIZED" } }, "device": { @@ -821,18 +1362,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { "name": "CHROME_OS_CRD_HOST_ENDED", "type": "CHROME_OS_CRD_HOST_ENDED_TYPE" } + ], + "parameters_all": [ + { + "intValue": "17292222222000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_CRD_HOST_ENDED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "Admin" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.58.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "0f9e7f45-b777-4777-b777-c21438e84dc5" + } ] } }, "host": { - "name": "PFPFTT0M", + "name": "example.com", "os": { "full": "ChromeOS 16002.58.0" } @@ -846,9 +1417,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "11122222222460000000", + "id": "user1", "name": "Admin" } } 
@@ -861,7 +1430,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:27.000Z\",\"uniqueQualifier\":\"6345555777799998888\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/4hGqeNXoNQepbYGE\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"333222222222222223333\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_STARTED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_STARTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1724444440000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_STARTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"PFPF7T0M\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b187-4444-7777-c23338884555\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-21T13:47:27.000Z\",\"uniqueQualifier\":\"6345555777799998888\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/4hGqeNXoNQepbYGE\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_CRD_HOST_STARTED_TYPE\",\"name\":\"CHROME_OS_CRD_HOST_STARTED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1724444440000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_CRD_HOST_STARTED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"Admin\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.58.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"0f9e7f45-b187-4444-7777-c23338884555\"}]}]}", "event": { "action": "CHROME_OS_CRD_HOST_STARTED", "category": 
[ @@ -876,7 +1445,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-21T13:47:27Z", "cloud": { "account": { - "id": "C01xxcccc" + "id": "ANONYMIZED" } }, "device": { @@ -885,18 +1454,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { "name": "CHROME_OS_CRD_HOST_STARTED", "type": "CHROME_OS_CRD_HOST_STARTED_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1724444440000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_CRD_HOST_STARTED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "Admin" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.58.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "0f9e7f45-b187-4444-7777-c23338884555" + } ] } }, "host": { - "name": "PFPF7T0M", + "name": "example.com", "os": { "full": "ChromeOS 16002.58.0" } @@ -910,9 +1509,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "333222222222222223333", + "id": "user1", "name": "Admin" } } 
@@ -925,7 +1522,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", "event": { "action": "CHROME_OS_LOGIN_EVENT", 
"category": [ @@ -941,7 +1538,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-08T13:20:40Z", "cloud": { "account": { - "id": "C01x7c000" + "id": "ANONYMIZED" } }, "device": { @@ -954,11 +1551,45 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROME_OS_LOGIN_EVENT", "type": "CHROME_OS_LOGIN_LOGOUT_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1731072040000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_KIOSK_SESSION_LOGIN" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "-" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16033.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857" + }, + { + "name": "ORG_UNIT_NAME", + "value": "test_org" + } ] } }, "host": { - "name": "S5NXNZ00A000000", + "name": "example.com", "os": { "full": "ChromeOS 16033.51.0" } @@ -970,7 +1601,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "test_org" }, "user": { - "id": "105250506097973333333333" + "id": "user1" } } 
@@ -982,7 +1613,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-05T11:58:46.000Z\",\"uniqueQualifier\":\"5756634282037777777777\",\"applicationName\":\"chrome\",\"customerId\":\"C01x777777777\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Smlh/sS5BbT29sC\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060000000000000000\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_FAILURE_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1730800000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXEFJEF007901100000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"y@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.43.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"cbc28748-a199-47c1-b483-000000000000000000\"},{\"name\":\"LOGIN_FAILURE_REASON\",\"value\":\"AUTHENTICATION_ERROR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"Microsoft\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-05T11:58:46.000Z\",\"uniqueQualifier\":\"5756634282037777777777\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Smlh/sS5BbT29sC\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_FAILURE_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1730800000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.43.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"cbc28748-a199-47c1-b483-000000000000000000\"},{\"name\":\"LOGIN_FAILURE_REASON\",\"value\":\"AUTHENTICATION_ERROR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"Microsoft\"}]}]}", "event": { "action": "CHROME_OS_LOGIN_FAILURE_EVENT", "category": [ @@ -998,7 +1629,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-05T11:58:46Z", "cloud": { "account": { - "id": "C01x777777777" + "id": "ANONYMIZED" } }, "device": { @@ -1016,11 +1647,49 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "failure": { "reason": "AUTHENTICATION_ERROR" } - } + }, + "parameters_all": [ + { + "intValue": "1730800000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_AFFILIATED_LOGIN" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16033.43.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "cbc28748-a199-47c1-b483-000000000000000000" + }, + { + "name": "LOGIN_FAILURE_REASON", + "value": "AUTHENTICATION_ERROR" + }, + { + "name": "ORG_UNIT_NAME", + "value": "Microsoft" + } + ] } }, "host": { - "name": "NXEFJEF007901100000000", + "name": "example.com", "os": { "full": "ChromeOS 16033.43.0" } @@ -1031,9 +1700,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "organization": { "name": "Microsoft" }, + "related": { + "user": [ + "redacted" + ] + }, "user": { - "email": "y@test.fr", - "id": "1052505060000000000000000" + "id": "user1", + "name": "redacted" } } 
@@ -1045,7 +1719,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:00:38.000Z\",\"uniqueQualifier\":\"-1434962671000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C0100c000\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiAAG/lzqsleRu67H0HaxvdOJ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506000000000000000000\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGOUT_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGOUT\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ0000000001A\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f0000000000000000\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:00:38.000Z\",\"uniqueQualifier\":\"-1434962671000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2SmlhIiAAG/lzqsleRu67H0HaxvdOJ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGOUT_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_AFFILIATED_LOGOUT\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f0000000000000000\"}]}]}", "event": { "action": "CHROME_OS_LOGOUT_EVENT", "category": [ 
@@ -1061,7 +1735,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-15T09:00:38Z", "cloud": { "account": { - "id": "C0100c000" + "id": "ANONYMIZED" } }, "device": { @@ -1074,11 +1748,41 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROME_OS_LOGOUT_EVENT", "type": "CHROME_OS_LOGIN_LOGOUT_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1728900000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_AFFILIATED_LOGOUT" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857-b741-f0000000000000000" + } ] } }, "host": { - "name": "S5NXNZ0000000001A", + "name": "example.com", "os": { "full": "ChromeOS 16002.51.0" } @@ -1086,9 +1790,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "network": { "application": "chrome" }, + "related": { + "user": [ + "redacted" + ] + }, "user": { - "email": "a@test.fr", - "id": "105250506000000000000000000" + "id": "user1", + "name": "redacted" } } 
@@ -1100,7 +1809,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.651Z\",\"uniqueQualifier\":\"2420143888886666888\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7cccc\"},\"etag\":\"\\\"vj4PvLCfb9AGttWx4uxgdiOjzAg0/qXWA2OAs3YpjtVNEo9y\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103333222222222223333\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_ADDED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_ADDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"122222225555\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNN000A66661A\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc7777-cccc-8888-7777-f16211111111b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"222234\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"USB2.0 FHD UVC WebCam\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x222e\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Sonix Technology Co., Ltd.\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.651Z\",\"uniqueQualifier\":\"2420143888886666888\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9AGttWx4uxgdiOjzAg0/qXWA2OAs3YpjtVNEo9y\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_ADDED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_ADDED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"122222225555\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_ADDED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc7777-cccc-8888-7777-f16211111111b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"222234\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"USB2.0 FHD UVC WebCam\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x222e\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Sonix Technology Co., Ltd.\"}]}]}", "event": { "action": "CHROMEOS_PERIPHERAL_ADDED", "category": [ @@ -1115,7 +1824,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-11T15:56:35.651000Z", "cloud": { "account": { - "id": "C01x7cccc" + "id": "ANONYMIZED" } }, "device": { 
@@ -1129,18 +1838,64 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { "name": "CHROMEOS_PERIPHERAL_ADDED", "type": "CHROMEOS_PERIPHERAL_ADDED_TYPE" } + ], + "parameters_all": [ + { + "intValue": "122222225555", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_PERIPHERAL_ADDED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.44.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc7777-cccc-8888-7777-f16211111111b" + }, + { + "name": "PRODUCT_ID", + "value": "222234" + }, + { + "name": "PRODUCT_NAME", + "value": "USB2.0 FHD UVC WebCam" + }, + { + "name": "VENDOR_ID", + "value": "0x222e" + }, + { + "name": "VENDOR_NAME", + "value": "Sonix Technology Co., Ltd." + } ] } }, "host": { - "name": "S5NNN000A66661A", + "name": "example.com", "os": { "full": "ChromeOS 16002.44.0" } @@ -1150,14 +1905,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "a" + "redacted" ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "103333222222222223333", - "name": "a" + "id": "user1", + "name": "redacted" } } 
@@ -1169,7 +1922,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.351Z\",\"uniqueQualifier\":\"2649444888333333335\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c333\"},\"etag\":\"\\\"vj4PvAGttWx4uxgdiOjzAg0/DWFo8d88e_z7nQYg\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"a@test.fr\",\"profileId\":\"103272222224629143333\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_REMOVED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_REMOVED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728662555333\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NNN00066688AA\"},{\"name\":\"DEVICE_USER\",\"value\":\"a@test.fr\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-cccc-5555-7777-f1111122227b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2222\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x2222\"},{\"name\":\"VENDOR_NAME\",\"value\":\"\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-11T15:56:35.351Z\",\"uniqueQualifier\":\"2649444888333333335\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvAGttWx4uxgdiOjzAg0/DWFo8d88e_z7nQYg\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_REMOVED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_REMOVED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728662555333\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"redacted\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-cccc-5555-7777-f1111122227b\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2222\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x2222\"},{\"name\":\"VENDOR_NAME\",\"value\":\"\"}]}]}", "event": { "action": "CHROMEOS_PERIPHERAL_REMOVED", "category": [ @@ -1184,7 +1937,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-11T15:56:35.351000Z", "cloud": { "account": { - "id": "C01x7c333" + "id": "ANONYMIZED" } }, "device": { 
@@ -1196,18 +1949,64 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "a@test.fr" + "email": "redacted" }, "events": [ { "name": "CHROMEOS_PERIPHERAL_REMOVED", "type": "CHROMEOS_PERIPHERAL_REMOVED_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1728662555333", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_PERIPHERAL_REMOVED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "redacted" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.44.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-cccc-5555-7777-f1111122227b" + }, + { + "name": "PRODUCT_ID", + "value": "0x2222" + }, + { + "name": "PRODUCT_NAME", + "value": "" + }, + { + "name": "VENDOR_ID", + "value": "0x2222" + }, + { + "name": "VENDOR_NAME", + "value": "" + } ] } }, "host": { - "name": "S5NNN00066688AA", + "name": "example.com", "os": { "full": "ChromeOS 16002.44.0" } @@ -1217,14 +2016,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "a" + "redacted" ] }, "user": { - "domain": "test.fr", - "email": "a@test.fr", - "id": "103272222224629143333", - "name": "a" + "id": "user1", + "name": "redacted" } } 
@@ -1236,7 +2033,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"8215000000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x00000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"8215000000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", "event": { "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", "category": [ @@ -1251,7 +2048,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-08T13:17:42.050000Z", "cloud": { "account": { - "id": "C01x00000" + "id": "ANONYMIZED" } }, "device": { @@ -1269,11 +2066,57 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", "type": "CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE" } + ], + "parameters_all": [ + { + "intValue": "1731071860000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16033.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857" + }, + { + "name": "ORG_UNIT_NAME", + "value": "test_org" + }, + { + "name": "PRODUCT_ID", + "value": "0x2" + }, + { + "name": "PRODUCT_NAME", + "value": "2.0 root hub" + }, + { + "name": "VENDOR_ID", + "value": "0x1ddd" + }, + { + "name": "VENDOR_NAME", + "value": "Linux Foundation" + } ] } }, "host": { - "name": "S5NXNZ00A000000", + "name": "example.com", "os": { "full": "ChromeOS 16033.51.0" } @@ -1285,7 +2128,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "test_org" }, "user": { - "id": "105250506097979777777" + "id": "user1" } } 
@@ -1297,7 +2140,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:09:42.884Z\",\"uniqueQualifier\":\"436275460544100000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7ccccc\"},\"etag\":\"\\\"vj4PvLCfbtWx4uxgdiOjzAg0/175l0NK2JBeAcg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097000000000\"},\"events\":[{\"type\":\"CHROMEOS_POWERWASH_TYPE\",\"name\":\"CHROMEOS_POWERWASH_INITIATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172898338222222\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_POWERWASH_INITIATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A66821A\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f1621111111111111\"},{\"name\":\"REMOTE_REQUESTED\",\"value\":\"requested\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:09:42.884Z\",\"uniqueQualifier\":\"436275460544100000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfbtWx4uxgdiOjzAg0/175l0NK2JBeAcg\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_POWERWASH_TYPE\",\"name\":\"CHROMEOS_POWERWASH_INITIATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"172898338222222\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_POWERWASH_INITIATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b741-f1621111111111111\"},{\"name\":\"REMOTE_REQUESTED\",\"value\":\"requested\"}]}]}", "event": { "action": "CHROMEOS_POWERWASH_INITIATED", "category": [ @@ -1312,7 +2155,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-15T09:09:42.884000Z", "cloud": { "account": { - "id": "C01x7ccccc" + "id": "ANONYMIZED" } }, "device": { @@ -1325,11 +2168,45 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "CHROMEOS_POWERWASH_INITIATED", "type": "CHROMEOS_POWERWASH_TYPE" } + ], + "parameters_all": [ + { + "intValue": "172898338222222", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_POWERWASH_INITIATED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "-" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857-b741-f1621111111111111" + }, + { + "name": "REMOTE_REQUESTED", + "value": "requested" + } ] } }, "host": { - "name": "S5NXNZ00A66821A", + "name": "example.com", "os": { "full": "ChromeOS 16002.51.0" } @@ -1338,7 +2215,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "application": "chrome" }, "user": { - "id": "105250506097000000000" + "id": "user1" } } 
@@ -1350,7 +2227,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:31:16.000Z\",\"uniqueQualifier\":\"-378806042057000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x700000\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Sml/mtgJ4U_Y-rfHYQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250500000000000753968\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_REMOVE_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UNAFFILIATED_USER_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ0000000000A\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-6666-7777-7777-3333333333333\"},{\"name\":\"REMOVE_USER_REASON\",\"value\":\"LOCAL_USER_INITIATED\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-15T09:31:16.000Z\",\"uniqueQualifier\":\"-378806042057000000000000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfb9kD8ZfWJ2Sml/mtgJ4U_Y-rfHYQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROME_OS_ADD_REMOVE_USER_TYPE\",\"name\":\"CHROME_OS_REMOVE_USER\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1728900000000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UNAFFILIATED_USER_REMOVED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16002.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-6666-7777-7777-3333333333333\"},{\"name\":\"REMOVE_USER_REASON\",\"value\":\"LOCAL_USER_INITIATED\"}]}]}", "event": { "action": "CHROME_OS_REMOVE_USER", "category": [ @@ -1365,7 +2242,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-15T09:31:16Z", "cloud": { "account": { - "id": "C01x700000" + "id": "ANONYMIZED" } }, "device": { @@ -1379,24 +2256,58 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "CHROME_OS_ADD_REMOVE_USER_TYPE" } ], - "remove": { - "user": { - "reason": "LOCAL_USER_INITIATED" - } - } - } - }, - "host": { - "name": "S5NXNZ0000000000A", - "os": { - "full": "ChromeOS 16002.51.0" - } - }, - "network": { - "application": "chrome" - }, + "parameters_all": [ + { + "intValue": "1728900000000", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_UNAFFILIATED_USER_REMOVED" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "-" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-6666-7777-7777-3333333333333" + }, + { + "name": "REMOVE_USER_REASON", + "value": "LOCAL_USER_INITIATED" + } + ], + "remove": { + "user": { + "reason": "LOCAL_USER_INITIATED" + } + } + } + }, + "host": { + "name": "example.com", + "os": { + "full": "ChromeOS 16002.51.0" + } + }, + "network": { + "application": "chrome" + }, "user": { - "id": "105250500000000000753968" + "id": "user1" } } 
@@ -1408,7 +2319,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-14T09:17:57.384Z\",\"uniqueQualifier\":\"68200096415770000\",\"applicationName\":\"chrome\",\"customerId\":\"C01xxcccc\"},\"etag\":\"\\\"vj4PvLCfiAAGttWx4uxgdiOjzAg0/bTMQuHA7m4d1RjZ8u\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"1052505060979\"},\"events\":[{\"type\":\"CHROMEOS_UPDATE_TYPE\",\"name\":\"CHROMEOS_UPDATE_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"7778897477777\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UPDATE_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S50000000A668888\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CURRENT_OS_VERSION\",\"value\":\"16002.51.0\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b0000-f00000000000\"},{\"name\":\"PREVIOUS_OS_VERSION\",\"value\":\"16002.44.0\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-14T09:17:57.384Z\",\"uniqueQualifier\":\"68200096415770000\",\"applicationName\":\"chrome\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"vj4PvLCfiAAGttWx4uxgdiOjzAg0/bTMQuHA7m4d1RjZ8u\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"CHROMEOS_UPDATE_TYPE\",\"name\":\"CHROMEOS_UPDATE_SUCCESS\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"7778897477777\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_UPDATE_SUCCESS\"},{\"name\":\"DEVICE_NAME\",\"value\":\"example.com\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"CURRENT_OS_VERSION\",\"value\":\"16002.51.0\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16002.44.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857-b0000-f00000000000\"},{\"name\":\"PREVIOUS_OS_VERSION\",\"value\":\"16002.44.0\"}]}]}", "event": { "action": "CHROMEOS_UPDATE_SUCCESS", "category": [ @@ -1423,7 +2334,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-14T09:17:57.384000Z", "cloud": { "account": { - "id": "C01xxcccc" + "id": "ANONYMIZED" } }, "device": { @@ -1441,11 +2352,49 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "old_version": "16002.44.0" } - } + }, + "parameters_all": [ + { + "intValue": "7778897477777", + "name": "TIMESTAMP" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_UPDATE_SUCCESS" + }, + { + "name": "DEVICE_NAME", + "value": "example.com" + }, + { + "name": "DEVICE_USER", + "value": "-" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "CURRENT_OS_VERSION", + "value": "16002.51.0" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16002.44.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857-b0000-f00000000000" + }, + { + "name": "PREVIOUS_OS_VERSION", + "value": "16002.44.0" + } + ] } }, "host": { - "name": "S50000000A668888", + "name": "example.com", "os": { "full": "ChromeOS 16002.44.0", "version": "16002.51.0" @@ -1455,7 +2404,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "application": "chrome" }, "user": { - "id": "1052505060979" + "id": "user1" } } 
@@ -1467,7 +2416,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-03-18T13:32:31.497Z\", \"uniqueQualifier\": \"-6347820133480887822\", \"applicationName\": \"admin\", \"customerId\": \"C0345lbe6\"}, \"etag\": \"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\", \"actor\": {\"callerType\": \"USER\", \"email\": \"john@example.com\", \"profileId\": \"11223344556677889900\"}, \"ipAddress\": \"1.2.3.4\", \"events\": [{\"type\": \"USER_SETTINGS\", \"name\": \"DELETE_USER\", \"parameters\": [{\"name\": \"USER_EMAIL\", \"value\": \"jane@example.com\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-03-18T13:32:31.497Z\",\"uniqueQualifier\":\"-6347820133480887822\",\"applicationName\":\"admin\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"johndoe@example.com\",\"profileId\":\"user1\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"janedoe@example.com\"}]}]}", "event": { "action": "DELETE_USER", "category": [ @@ -1481,19 +2430,25 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2025-03-18T13:32:31.497000Z", "cloud": { "account": { - "id": "C0345lbe6" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "john@example.com" + "email": "johndoe@example.com" }, "events": [ { "name": "DELETE_USER", "type": "USER_SETTINGS" } + ], + "parameters_all": [ + { + "name": "USER_EMAIL", + "value": "janedoe@example.com" + } ] } }, @@ -1505,7 +2460,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "john" + "johndoe" ] }, "source": { 
@@ -1514,11 +2469,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "example.com", - "email": "john@example.com", - "id": "11223344556677889900", - "name": "john", + "email": "johndoe@example.com", + "id": "user1", + "name": "johndoe", "target": { - "email": "jane@example.com" + "email": "janedoe@example.com" } } } 
@@ -1531,7 +2486,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}", + "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ANONYMIZED\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"johndoe@example.com\",\"profileId\":\"user1\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source 
owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}", "event": { "action": "edit", "category": [ @@ -1546,7 +2501,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2014-03-17T15:39:18.460000Z", "cloud": { "account": { - "id": "ABC123xyz" + "id": "ANONYMIZED" } }, "file": { @@ -1558,7 +2513,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "kim@example.com" + "email": "johndoe@example.com" }, "events": [ { 
@@ -1568,7 +2523,69 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "parameters": { "visibility": "shared_internally" - } + }, + "parameters_all": [ + { + "boolValue": true, + "name": "primary_event" + }, + { + "boolValue": true, + "name": "billable" + }, + { + "boolValue": true, + "name": "owner_is_shared_drive" + }, + { + "name": "owner_team_drive_id", + "value": "AAAAAALLLLLL" + }, + { + "name": "owner", + "value": "RH " + }, + { + "name": "doc_id", + "value": "5555763535" + }, + { + "name": "doc_type", + "value": "folder" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "Divers" + }, + { + "name": "visibility", + "value": "shared_internally" + }, + { + "name": "shared_drive_id", + "value": "112-EIUBHDIUBEBUD" + }, + { + "name": "originating_app_id", + "value": "691301496089" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": true, + "name": "owner_is_team_drive" + }, + { + "name": "team_drive_id", + "value": "111-EIUBHDIUBEBUD" + } + ] } }, "network": { @@ -1580,7 +2597,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "user": [ "RH ", - "kim" + "johndoe" ] }, "source": { @@ -1589,9 +2606,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "example.com", - "email": "kim@example.com", - "id": "users unique Google Workspace profile ID", - "name": "kim" + "email": "johndoe@example.com", + "id": "user1", + "name": "johndoe" } } 
@@ -1603,7 +2620,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}", + "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ANONYMIZED\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"johndoe@example.com\",\"profileId\":\"user1\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}", "event": { "action": "edit", "category": [ 
@@ -1618,7 +2635,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2014-03-17T15:39:18.460000Z", "cloud": { "account": { - "id": "ABC123xyz" + "id": "ANONYMIZED" } }, "file": { @@ -1629,13 +2646,39 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "kim@example.com" + "email": "johndoe@example.com" }, "events": [ { "name": "edit", "type": "access" } + ], + "parameters_all": [ + { + "boolValue": true, + "name": "primary_event" + }, + { + "boolValue": false, + "name": "owner_is_shared_drive" + }, + { + "name": "doc_id", + "value": "1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8" + }, + { + "name": "doc_title", + "value": "Meeting notes" + }, + { + "name": "doc_type", + "value": "document" + }, + { + "name": "owner", + "value": "mary@example.com" + } ] } }, @@ -1647,7 +2690,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "kim", + "johndoe", "mary@example.com" ] }, @@ -1657,9 +2700,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "example.com", - "email": "kim@example.com", - "id": "users unique Google Workspace profile ID", - "name": "kim" + "email": "johndoe@example.com", + "id": "user1", + "name": "johndoe" } } 
@@ -1671,7 +2714,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T17:10:20.317Z\", \"uniqueQualifier\": \"-12345678\", \"applicationName\": \"drive\", \"customerId\": \"CUSTO1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"email\": \"\", \"profileId\": \"105250506097979753968\"}, \"events\": [{\"type\": \"access\", \"name\": \"sheets_import_range\", \"parameters\": [{\"name\": \"primary_event\", \"boolValue\": true}, {\"name\": \"billable\", \"boolValue\": false}, {\"name\": \"sheets_import_range_recipient_doc\", \"value\": \"123qwerty456\"}, {\"name\": \"owner_is_shared_drive\", \"boolValue\": true}, {\"name\": \"owner_team_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"owner\", \"value\": \"johndoe\"}, {\"name\": \"doc_id\", \"value\": \"zxcv890\"}, {\"name\": \"doc_type\", \"value\": \"spreadsheet\"}, {\"name\": \"is_encrypted\", \"boolValue\": false}, {\"name\": \"doc_title\", \"value\": \"TPS report\"}, {\"name\": \"visibility\", \"value\": \"people_with_link\"}, {\"name\": \"shared_drive_id\", \"value\": \"asdf678\"}, {\"name\": \"actor_is_collaborator_account\", \"boolValue\": false}, {\"name\": \"owner_is_team_drive\", \"boolValue\": true}, {\"name\": \"team_drive_id\", \"value\": \"asdf678\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-02-18T17:10:20.317Z\",\"uniqueQualifier\":\"-12345678\",\"applicationName\":\"drive\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"ABCDEF123\\\"\",\"actor\":{\"email\":\"\",\"profileId\":\"105250506097979753968\"},\"events\":[{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"123qwerty456\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"asdf678\"},{\"name\":\"owner\",\"value\":\"johndoe\"},{\"name\":\"doc_id\",\"value\":\"zxcv890\"},{\"name\":\"doc_type\",\"value\":\"spreadsheet\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"TPS report\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"asdf678\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"asdf678\"}]}]}", "event": { "action": "sheets_import_range", "category": [ @@ -1685,7 +2728,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2025-02-18T17:10:20.317000Z", "cloud": { "account": { - "id": "CUSTO1" + "id": "ANONYMIZED" } }, "file": { 
@@ -1704,7 +2747,69 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "parameters": { "visibility": "people_with_link" - } + }, + "parameters_all": [ + { + "boolValue": true, + "name": "primary_event" + }, + { + "boolValue": false, + "name": "billable" + }, + { + "name": "sheets_import_range_recipient_doc", + "value": "123qwerty456" + }, + { + "boolValue": true, + "name": "owner_is_shared_drive" + }, + { + "name": "owner_team_drive_id", + "value": "asdf678" + }, + { + "name": "owner", + "value": "johndoe" + }, + { + "name": "doc_id", + "value": "zxcv890" + }, + { + "name": "doc_type", + "value": "spreadsheet" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "TPS report" + }, + { + "name": "visibility", + "value": "people_with_link" + }, + { + "name": "shared_drive_id", + "value": "asdf678" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": true, + "name": "owner_is_team_drive" + }, + { + "name": "team_drive_id", + "value": "asdf678" + } + ] } }, "network": { 
@@ -1720,14 +2825,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "test_drive_view_document.json" +=== "test_drive_update_label.json" ```json { - "message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"john.doe@example.org\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": \"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-12-08T07:12:18.897Z\",\"uniqueQualifier\":\"-2222222222222222222\",\"applicationName\":\"drive\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"Abc/Def\\\"\",\"actor\":{\"email\":\"john.doe@example.com\",\"profileId\":\"111111111111111111111\"},\"events\":[{\"type\":\"access\",\"name\":\"label_field_changed\",\"parameters\":[{\"name\":\"label\",\"value\":\"labels/A1B2C3@83\"},{\"name\":\"label_title\",\"value\":\"Classification\"},{\"name\":\"reason\",\"value\":\"user_action\"},{\"name\":\"field_id\",\"value\":\"ABCD1234\"},{\"name\":\"field\",\"value\":\"Classification\"},{\"name\":\"new_value\",\"multiValue\":[\"C0 Public\"]},{\"name\":\"old_value\",\"multiValue\":[\"C1 Restricted\"]},{\"name\":\"new_value_id\",\"multiValue\":[\"DEF123\"]},{\"name\":\"old_value_id\",\"multiValue\":[\"TEST123\"]},{\"name\":\"new_field_value\",\"multiValue\":[\"DEF123\"]},{\"name\":\"old_field_value\",\"multiValue\":[\"TEST123\"]},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"john.doe@example.com\"},{\"name\":\"doc_id\",\"value\":\"DOCUMENTID\"},{\"name\":\"doc_type\",\"value\":\"spreadsheet\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"tps report\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}],\"resourceIds\":[\"DOCUMENTID\"]}],\"resourceDetails\":[{\"id\":\"DOCUMENTID\",\"title\":\"tps report\",\"type\":\"DRIVE_ITEM\",\"relation\":\"DRIVE_PRIMARY\",\"appliedLabels\":[{\"id\":\"ANONYMIZED\",\"title\":\"Classification\",\"reason\":{\"reasonType\":\"USER_APPLIED\"},\"fieldValues\":[{\"id\":\"ABCD1234\",\"displayName\":\"Classification\",\"type\":\"SELECTION\",\"selectionValue\":{\"id\":\"DEF123\",\"displayName\":\"C0 
Public\",\"badged\":true},\"reason\":{\"reasonType\":\"USER_APPLIED\"}}]}]}]}", "event": { - "action": "view", + "action": "label_field_changed", "category": [ "file" ], 
@@ -1736,54 +2841,152 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "access" ] }, - "@timestamp": "2023-09-04T08:42:51.615000Z", + "@timestamp": "2025-12-08T07:12:18.897000Z", "cloud": { "account": { - "id": "111111111" + "id": "ANONYMIZED" } }, "file": { - "gid": "DDD_111111111111111", - "name": "MyDocs", - "owner": "J.DOE", - "type": "folder" + "name": "tps report", + "owner": "john.doe@example.com", + "type": "spreadsheet" }, "google": { "report": { "actor": { - "email": "john.doe@example.org" + "email": "john.doe@example.com" + }, + "drive": { + "new_classification": [ + "C0 Public" + ], + "old_classification": [ + "C1 Restricted" + ] }, "events": [ { - "name": "view", + "name": "label_field_changed", "type": "access" } ], "parameters": { - "visibility": "people_within_domain_with_link" - } + "visibility": "private" + }, + "parameters_all": [ + { + "name": "label", + "value": "labels/A1B2C3@83" + }, + { + "name": "label_title", + "value": "Classification" + }, + { + "name": "reason", + "value": "user_action" + }, + { + "name": "field_id", + "value": "ABCD1234" + }, + { + "name": "field", + "value": "Classification" + }, + { + "multiValue": [ + "C0 Public" + ], + "name": "new_value" + }, + { + "multiValue": [ + "C1 Restricted" + ], + "name": "old_value" + }, + { + "multiValue": [ + "DEF123" + ], + "name": "new_value_id" + }, + { + "multiValue": [ + "TEST123" + ], + "name": "old_value_id" + }, + { + "multiValue": [ + "DEF123" + ], + "name": "new_field_value" + }, + { + "multiValue": [ + "TEST123" + ], + "name": "old_field_value" + }, + { + "boolValue": true, + "name": "primary_event" + }, + { + "boolValue": false, + "name": "owner_is_shared_drive" + }, + { + "name": "owner", + "value": "john.doe@example.com" + }, + { + "name": "doc_id", + "value": "DOCUMENTID" + }, + { + "name": "doc_type", + "value": "spreadsheet" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "tps report" 
+ }, + { + "name": "visibility", + "value": "private" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": false, + "name": "owner_is_team_drive" + } + ] } }, "network": { "application": "drive" }, "related": { - "ip": [ - "1.2.3.4" - ], "user": [ - "J.DOE", - "john.doe" + "john.doe", + "john.doe@example.com" ] }, - "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" - }, "user": { - "domain": "example.org", - "email": "john.doe@example.org", - "id": "444444444444444444444", + "domain": "example.com", + "email": "john.doe@example.com", + "id": "111111111111111111111", "name": "john.doe" } } 
@@ -1791,61 +2994,380 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "test_end_call.json" +=== "test_drive_view_document.json" ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_m
ean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"john.doe@example.org\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": 
\"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n", "event": { - "action": "call_ended", + "action": "view", "category": [ - "session" + "file" ], "dataset": "admin#reports#activity", "type": [ - "connection" + "access" ] }, - "@timestamp": "2024-11-14T12:07:37.366000Z", - "client": { - "geo": { - "region_name": "Paris" - } - }, + "@timestamp": "2023-09-04T08:42:51.615000Z", "cloud": { "account": { - "id": "C030x4pai" + "id": "111111111" } }, + "file": { + "gid": "DDD_111111111111111", + "name": "MyDocs", + "owner": "J.DOE", + "type": "folder" + }, "google": { "report": { + "actor": { + "email": "john.doe@example.org" + }, "events": [ { - "name": "call_ended", - "type": "call" + "name": "view", + "type": "access" } ], - "meet": { - "code": "ABCDEFGHIJ" - } - } - }, - "network": { - "application": "meet", - "transport": "udp" - }, - "related": { - "ip": [ - "1.2.3.4" - ] - }, - "source": { - "address": "1.2.3.4", + "parameters": { + "visibility": "people_within_domain_with_link" + }, + "parameters_all": [ + { + "boolValue": true, + "name": 
"primary_event" + }, + { + "boolValue": true, + "name": "billable" + }, + { + "boolValue": true, + "name": "owner_is_shared_drive" + }, + { + "name": "owner_team_drive_id", + "value": "DDD_111111111111111" + }, + { + "name": "owner", + "value": "J.DOE" + }, + { + "name": "doc_id", + "value": "333333333333333333333333333333333" + }, + { + "name": "doc_type", + "value": "folder" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "MyDocs" + }, + { + "name": "visibility", + "value": "people_within_domain_with_link" + }, + { + "name": "shared_drive_id", + "value": "DDD_222222222222222" + }, + { + "name": "originating_app_id", + "value": "666666666666" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": true, + "name": "owner_is_team_drive" + }, + { + "name": "team_drive_id", + "value": "DDD_888888888888888" + } + ] + } + }, + "network": { + "application": "drive" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "J.DOE", + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example.org", + "email": "john.doe@example.org", + "id": "444444444444444444444", + "name": "john.doe" + } + } + + ``` + + +=== "test_end_call.json" + + ```json + + { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\"
,\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"redacted\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "ANONYMIZED" + } + }, + "google": { + "report": { + "events": [ + { + "name": "call_ended", + "type": "call" + } + ], + "meet": { + "code": "ABCDEFGHIJ" + }, + "parameters_all": [ + { + "intValue": "173", + "name": "video_send_seconds" + }, + { + "intValue": "61", + "name": "screencast_recv_bitrate_kbps_mean" + }, + { + "name": "location_country", + "value": "FR" + }, + { + "name": "identifier_type", + "value": "device_id" + }, + { + 
"intValue": "0", + "name": "audio_send_bitrate_kbps_mean" + }, + { + "intValue": "2", + "name": "video_send_packet_loss_max" + }, + { + "name": "endpoint_id", + "value": "boq_hlane_QGKxiQcCZvF" + }, + { + "name": "device_type", + "value": "meet_hardware" + }, + { + "intValue": "0", + "name": "video_send_packet_loss_mean" + }, + { + "intValue": "1568", + "name": "screencast_recv_long_side_median_pixels" + }, + { + "name": "calendar_event_id", + "value": "3ckjqg60dq5j4eu9cgjtdb396c" + }, + { + "intValue": "0", + "name": "screencast_send_seconds" + }, + { + "intValue": "30", + "name": "video_send_fps_mean" + }, + { + "intValue": "0", + "name": "audio_send_packet_loss_max" + }, + { + "intValue": "1", + "name": "network_send_jitter_msec_mean" + }, + { + "intValue": "29", + "name": "screencast_recv_fps_mean" + }, + { + "intValue": "33", + "name": "audio_recv_seconds" + }, + { + "intValue": "0", + "name": "network_congestion" + }, + { + "intValue": "74", + "name": "network_estimated_download_kbps_mean" + }, + { + "intValue": "0", + "name": "audio_send_packet_loss_mean" + }, + { + "name": "network_transport_protocol", + "value": "udp" + }, + { + "intValue": "15317", + "name": "duration_seconds" + }, + { + "intValue": "19", + "name": "video_send_bitrate_kbps_mean" + }, + { + "name": "identifier", + "value": "644e7990-c69d-4e09-8cd2-6ae52406c21c" + }, + { + "name": "location_region", + "value": "Paris" + }, + { + "intValue": "0", + "name": "audio_recv_packet_loss_max" + }, + { + "intValue": "0", + "name": "audio_recv_packet_loss_mean" + }, + { + "intValue": "2", + "name": "network_recv_jitter_msec_max" + }, + { + "name": "organizer_email", + "value": "redacted" + }, + { + "intValue": "980", + "name": "screencast_recv_short_side_median_pixels" + }, + { + "boolValue": false, + "name": "is_external" + }, + { + "intValue": "1", + "name": "network_recv_jitter_msec_mean" + }, + { + "name": "ip_address", + "value": "1.2.3.4" + }, + { + "intValue": "15316", + "name": 
"audio_send_seconds" + }, + { + "name": "display_name", + "value": "OLYMPUS (Paris-106T, 8)" + }, + { + "intValue": "0", + "name": "screencast_recv_packet_loss_max" + }, + { + "intValue": "0", + "name": "video_recv_seconds" + }, + { + "intValue": "8", + "name": "network_rtt_msec_mean" + }, + { + "intValue": "320", + "name": "video_send_long_side_median_pixels" + }, + { + "intValue": "0", + "name": "screencast_recv_packet_loss_mean" + }, + { + "name": "conference_id", + "value": "rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA" + }, + { + "intValue": "14874", + "name": "screencast_recv_seconds" + }, + { + "name": "product_type", + "value": "meet" + }, + { + "intValue": "7", + "name": "network_estimated_upload_kbps_mean" + }, + { + "intValue": "180", + "name": "video_send_short_side_median_pixels" + }, + { + "name": "meeting_code", + "value": "ABCDEFGHIJ" + } + ] + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", "ip": "1.2.3.4" }, "user": { - "email": "tt.test@test.fr" + "email": "redacted" } } 
@@ -1857,7 +3379,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_me
an\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"valu
e\":\"redacted\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", "event": { "action": "call_ended", "category": [ @@ -1871,7 +3393,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-14T11:32:12.301000Z", "cloud": { "account": { - "id": "C030x4pai" + "id": "ANONYMIZED" } }, "google": { 
@@ -1884,7 +3406,169 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "meet": { "code": "BUSOHGFTVB" - } + }, + "parameters_all": [ + { + "intValue": "725", + "name": "video_send_seconds" + }, + { + "intValue": "13", + "name": "audio_send_bitrate_kbps_mean" + }, + { + "intValue": "0", + "name": "video_send_packet_loss_max" + }, + { + "name": "endpoint_id", + "value": "boq_hlane_UJtqXZcvBo3" + }, + { + "name": "device_type", + "value": "web" + }, + { + "intValue": "0", + "name": "video_send_packet_loss_mean" + }, + { + "intValue": "480", + "name": "video_recv_long_side_median_pixels" + }, + { + "name": "calendar_event_id", + "value": "6cm94j8lp55a9880oj2o0rb3e6" + }, + { + "intValue": "0", + "name": "screencast_send_seconds" + }, + { + "intValue": "30", + "name": "video_send_fps_mean" + }, + { + "intValue": "0", + "name": "audio_send_packet_loss_max" + }, + { + "intValue": "270", + "name": "video_recv_short_side_median_pixels" + }, + { + "intValue": "0", + "name": "video_recv_packet_loss_mean" + }, + { + "intValue": "1", + "name": "network_send_jitter_msec_mean" + }, + { + "intValue": "3647", + "name": "audio_recv_seconds" + }, + { + "intValue": "0", + "name": "network_congestion" + }, + { + "intValue": "1158", + "name": "network_estimated_download_kbps_mean" + }, + { + "intValue": "0", + "name": "audio_send_packet_loss_mean" + }, + { + "name": "network_transport_protocol", + "value": "tcp" + }, + { + "intValue": "3651", + "name": "duration_seconds" + }, + { + "intValue": "375", + "name": "video_send_bitrate_kbps_mean" + }, + { + "intValue": "9", + "name": "audio_recv_packet_loss_max" + }, + { + "intValue": "23", + "name": "video_recv_fps_mean" + }, + { + "intValue": "0", + "name": "audio_recv_packet_loss_mean" + }, + { + "intValue": "98", + "name": "network_recv_jitter_msec_max" + }, + { + "name": "organizer_email", + "value": "redacted" + }, + { + "boolValue": true, + "name": "is_external" + }, + { + "intValue": "3", + "name": 
"network_recv_jitter_msec_mean" + }, + { + "intValue": "3647", + "name": "audio_send_seconds" + }, + { + "name": "display_name", + "value": "Yuki" + }, + { + "intValue": "3638", + "name": "video_recv_seconds" + }, + { + "intValue": "11", + "name": "network_rtt_msec_mean" + }, + { + "intValue": "480", + "name": "video_send_long_side_median_pixels" + }, + { + "name": "conference_id", + "value": "aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA" + }, + { + "intValue": "3627", + "name": "screencast_recv_seconds" + }, + { + "name": "product_type", + "value": "meet" + }, + { + "intValue": "105", + "name": "network_estimated_upload_kbps_mean" + }, + { + "intValue": "270", + "name": "video_send_short_side_median_pixels" + }, + { + "intValue": "0", + "name": "video_recv_packet_loss_max" + }, + { + "name": "meeting_code", + "value": "BUSOHGFTVB" + } + ] } }, "network": { @@ -1892,7 +3576,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "tcp" }, "user": { - "email": "tt.test@test.fr" + "email": "redacted" } } 
@@ -1904,7 +3588,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\": \"admin#reports#activity\", \"id\": {\"time\": \"2025-02-18T16:00:24.311Z\", \"uniqueQualifier\": \"-123456\", \"applicationName\": \"groups_enterprise\", \"customerId\": \"CUSTOMER1\"}, \"etag\": \"\\\"ABCDEF123\\\"\", \"actor\": {\"callerType\": \"KEY\", \"key\": \"SYSTEM\"}, \"events\": [{\"type\": \"moderator_action\", \"name\": \"remove_user\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}, {\"type\": \"moderator_action\", \"name\": \"remove_member\", \"parameters\": [{\"name\": \"member_id\", \"value\": \"john.doe@example.com\"}, {\"name\": \"group_id\", \"value\": \"team@example.com\"}, {\"name\": \"member_type\", \"value\": \"user\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-02-18T16:00:24.311Z\",\"uniqueQualifier\":\"-123456\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"ABCDEF123\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"SYSTEM\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"member_id\",\"value\":\"john.doe@example.com\"},{\"name\":\"group_id\",\"value\":\"team@example.com\"},{\"name\":\"member_type\",\"value\":\"user\"}]},{\"type\":\"moderator_action\",\"name\":\"remove_member\",\"parameters\":[{\"name\":\"member_id\",\"value\":\"john.doe@example.com\"},{\"name\":\"group_id\",\"value\":\"team@example.com\"},{\"name\":\"member_type\",\"value\":\"user\"}]}]}", "event": { "action": [ "remove_member", @@ -1921,7 +3605,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2025-02-18T16:00:24.311000Z", "cloud": { "account": { - "id": "CUSTOMER1" + "id": "ANONYMIZED" } }, "google": { 
@@ -1935,6 +3619,32 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "remove_member", "type": "moderator_action" } + ], + "parameters_all": [ + { + "name": "member_id", + "value": "john.doe@example.com" + }, + { + "name": "group_id", + "value": "team@example.com" + }, + { + "name": "member_type", + "value": "user" + }, + { + "name": "member_id", + "value": "john.doe@example.com" + }, + { + "name": "group_id", + "value": "team@example.com" + }, + { + "name": "member_type", + "value": "user" + } ] } }, @@ -1957,7 +3667,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}", "event": { "action": "delete_group", "category": [ 
@@ -1971,85 +3681,221 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-11T15:20:33.157000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "joe.done@test.com" + "email": "jane.doe@test.com" }, "events": [ { - "name": "delete_group", - "type": "moderator_action" - } - ] - } - }, - "network": { - "application": "groups_enterprise" - }, - "related": { - "user": [ - "joe.done" - ] - }, - "user": { - "domain": "test.com", - "email": "joe.done@test.com", - "group": { - "id": "testgroup@test.com" - }, - "id": "109472445", - "name": "joe.done" - } - } - - ``` - - -=== "test_meet_sample1.json" - - ```json - - { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{
\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}", - "event": { - "action": "call_ended", - "category": [ - "session" - ], - "dataset": "admin#reports#activity", - "type": [ - "connection" - ] - }, - "@timestamp": "2024-03-13T11:02:40.037000Z", - "client": { - "geo": { - "region_name": "Argenteuil" - } - }, - "cloud": { - "account": { - "id": "C03foh000" - } - }, - "google": { - "report": { - "actor": { - "email": "jone.doe@test.com" - }, - "events": [ + "name": "delete_group", + "type": "moderator_action" + } + ], + "parameters_all": [ + { + "name": "group_id", + "value": "testgroup@test.com" + } + ] + } + }, + "network": { + "application": "groups_enterprise" + }, + "related": { + "user": [ + "jane.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "jane.doe@test.com", + "group": { + "id": "testgroup@test.com" + }, + "id": "user1", + "name": "jane.doe" + } + } + + ``` + + +=== "test_meet_sample1.json" + + ```json + + { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jane.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"jane.doe@test.com\"},{\"name\":\"ip_address\",\"value\":\"192.0.2.1\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test 
SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-03-13T11:02:40.037000Z", + "client": { + "geo": { + "region_name": "Argenteuil" + } + }, + "cloud": { + "account": { + "id": "ANONYMIZED" + } + }, + "google": { + "report": { + "actor": { + "email": "jane.doe@test.com" + }, + "events": [ + { + "name": "call_ended", + "type": "call" + } + ], + "meet": { + "code": "GMGSZDDDDD" + }, + "parameters_all": [ + { + "intValue": "0", + "name": "video_send_seconds" + }, + { + "name": "location_country", + "value": "FR" + }, + { + "name": "identifier_type", + "value": "email_address" + }, + { + "name": "endpoint_id", + "value": "dSzi5ZfqD8I" + }, + { + "name": "device_type", + "value": "web" + }, + { + "intValue": "0", + "name": "screencast_send_packet_loss_mean" + }, + { + "name": "calendar_event_id", + "value": "glb41ldt739tcf0bun7p9htaqr" + }, + { + "intValue": "83", + "name": "screencast_send_seconds" + }, + { + "intValue": "1080", + "name": "screencast_send_short_side_median_pixels" + }, + { + "intValue": "1", + "name": "screencast_send_packet_loss_max" + }, + { + "intValue": "29", + "name": "screencast_send_fps_mean" + }, + { + "intValue": "0", + "name": "audio_recv_seconds" + }, + { + "intValue": "0", + "name": "network_congestion" + }, + { + "intValue": "1", + "name": "network_estimated_download_kbps_mean" + }, + { + 
"name": "network_transport_protocol", + "value": "udp" + }, + { + "intValue": "1498", + "name": "duration_seconds" + }, + { + "name": "identifier", + "value": "jane.doe@test.com" + }, + { + "name": "location_region", + "value": "Argenteuil" + }, + { + "intValue": "791", + "name": "screencast_send_bitrate_kbps_mean" + }, + { + "name": "organizer_email", + "value": "jane.doe@test.com" + }, + { + "name": "ip_address", + "value": "192.0.2.1" + }, + { + "intValue": "0", + "name": "audio_send_seconds" + }, + { + "name": "display_name", + "value": "Test SEGLA" + }, + { + "intValue": "0", + "name": "video_recv_seconds" + }, + { + "intValue": "1920", + "name": "screencast_send_long_side_median_pixels" + }, + { + "intValue": "12", + "name": "network_rtt_msec_mean" + }, + { + "name": "conference_id", + "value": "SQEGZkIp70zCVuvX_PtXDxI" + }, + { + "intValue": "0", + "name": "screencast_recv_seconds" + }, + { + "name": "product_type", + "value": "meet" + }, { - "name": "call_ended", - "type": "call" + "intValue": "0", + "name": "network_estimated_upload_kbps_mean" + }, + { + "name": "meeting_code", + "value": "GMGSZDDDDD" + }, + { + "boolValue": false, + "name": "is_external" } - ], - "meet": { - "code": "GMGSZDDDDD" - } + ] } }, "network": { @@ -2058,21 +3904,21 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "5555:333:333:5555:5555:5555:5555:5555" + "192.0.2.1" ], "user": [ - "jone.doe" + "jane.doe" ] }, "source": { - "address": "5555:333:333:5555:5555:5555:5555:5555", - "ip": "5555:333:333:5555:5555:5555:5555:5555" + "address": "192.0.2.1", + "ip": "192.0.2.1" }, "user": { "domain": "test.com", - "email": "joe.done@test.com", - "id": "1098488062555", - "name": "jone.doe" + "email": "jane.doe@test.com", + "id": "user1", + "name": "jane.doe" } } 
@@ -2084,7 +3930,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jane.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jane.doe@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}", "event": { "action": "presentation_started", "category": [ 
@@ -2098,13 +3944,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-13T10:31:23.630000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "jone.done@test.com" + "email": "jane.doe@test.com" }, "events": [ { @@ -2114,7 +3960,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "meet": { "code": "BWXXZYNUUU" - } + }, + "parameters_all": [ + { + "boolValue": false, + "name": "is_external" + }, + { + "name": "meeting_code", + "value": "BWXXZYNUUU" + }, + { + "name": "conference_id", + "value": "iVYNZWWtL3-mwtWyAGIeDxIWOAkI" + }, + { + "name": "action_time", + "value": "2024-03-13T10:31:23.630220Z" + }, + { + "name": "identifier", + "value": "jane.doe@test.com" + }, + { + "name": "identifier_type", + "value": "email_address" + } + ] } }, "network": { @@ -2122,14 +3994,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "jone.done" + "jane.doe" ] }, "user": { "domain": "test.com", - "email": "jone.done@test.com", - "id": "1070981817756", - "name": "jone.done" + "email": "jane.doe@test.com", + "id": "user1", + "name": "jane.doe" } } 
@@ -2141,7 +4013,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2025-08-12T06:27:17.877Z\",\n \"uniqueQualifier\": \"id-1\",\n \"applicationName\": \"login\",\n \"customerId\": \"customer-1\"\n },\n \"etag\": \"\\\"etag-placeholder\\\"\",\n \"actor\": {\n \"callerType\": \"USER\",\n \"email\": \"user1@example.com\",\n \"profileId\": \"profile-1\"\n },\n \"ipAddress\": \"192.0.2.20\",\n \"networkInfo\": {\n \"ipAsn\": [12345],\n \"regionCode\": \"XX\",\n \"subdivisionCode\": \"XX-YYY\"\n },\n \"events\": [\n {\n \"type\": \"blocked_sender_change\",\n \"name\": \"blocked_sender\",\n \"parameters\": [\n {\n \"name\": \"affected_email_address\",\n \"value\": \"noreply@example.org\"\n }\n ]\n }\n ]\n}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2025-08-12T06:27:17.877Z\",\"uniqueQualifier\":\"id-1\",\"applicationName\":\"login\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"etag-placeholder\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"user1@example.com\",\"profileId\":\"user1\"},\"ipAddress\":\"192.0.2.20\",\"networkInfo\":{\"ipAsn\":[12345],\"regionCode\":\"XX\",\"subdivisionCode\":\"XX-YYY\"},\"events\":[{\"type\":\"blocked_sender_change\",\"name\":\"blocked_sender\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"noreply@example.org\"}]}]}", "event": { "action": "blocked_sender", "dataset": "admin#reports#activity" @@ -2149,7 +4021,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2025-08-12T06:27:17.877000Z", "cloud": { "account": { - "id": "customer-1" + "id": "ANONYMIZED" } }, "google": { 
@@ -2162,6 +4034,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "blocked_sender", "type": "blocked_sender_change" } + ], + "parameters_all": [ + { + "name": "affected_email_address", + "value": "noreply@example.org" + } ] } }, @@ -2183,7 +4061,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "domain": "example.com", "email": "user1@example.com", - "id": "profile-1", + "id": "user1", "name": "user1", "target": { "email": "noreply@example.org" 
@@ -2199,7 +4077,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\\u00e9tecter le partage de International - Num\\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", "event": { "action": "action_complete", "dataset": "admin#reports#activity", @@ -2210,7 +4088,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-07T14:21:46.270000Z", "cloud": { "account": { - "id": "C02i38888" + "id": "ANONYMIZED" } }, "google": { 
@@ -2224,6 +4102,92 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "action_complete_type" } ], + "parameters_all": [ + { + "name": "data_source", + "value": "DRIVE" + }, + { + "name": "resource_id", + "value": "1K23Am8JmHL9vgGwUjUPaq0000000" + }, + { + "name": "resource_owner_email", + "value": "john.doe@test.com" + }, + { + "name": "rule_resource_name", + "value": "policies/aka00000000000" + }, + { + "name": "rule_name", + "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN" + }, + { + "name": "rule_type", + "value": "DLP" + }, + { + "multiMessageValue": [ + { + "parameter": [ + { + "name": "detector_id", + "value": "IBAN_CODE" + }, + { + "name": "detector_type", + "value": "PREDEFINED_DLP" + }, + { + "name": "display_name", + "value": "IBAN_CODE" + } + ] + } + ], + "name": "matched_detectors" + }, + { + "multiMessageValue": [ + { + "parameter": [ + { + "name": "action_type", + "value": "DRIVE_WARN_ON_EXTERNAL_SHARING" + } + ] + } + ], + "name": "triggered_actions" + }, + { + "multiValue": [ + "john.doe@test.com" + ], + "name": "resource_recipients" + }, + { + "name": "scan_type", + "value": "DRIVE_ONLINE_SCAN" + }, + { + "name": "matched_trigger", + "value": "DRIVE_SHARE" + }, + { + "name": "severity", + "value": "LOW" + }, + { + "name": "resource_type", + "value": "DOCUMENT" + }, + { + "name": "resource_title", + "value": "8157822-2024-11-7-15-21-0" + } + ], "rule": { "data_source": "DRIVE", "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", @@ -2244,7 +4208,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "domain": "test.com", "email": "john.doe@test.com", - "id": "113328670183616666666", + "id": "user1", "name": "john.doe" } } 
@@ -2257,7 +4221,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\\u00e9tecter le partage de International - Num\\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", "event": { "action": "content_matched", "dataset": "admin#reports#activity", @@ -2268,7 +4232,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-07T14:21:46.270000Z", "cloud": { "account": { - "id": "C02i38888" + "id": "ANONYMIZED" } }, "google": { 
@@ -2282,6 +4246,88 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "content_matched_type" } ], + "parameters_all": [ + { + "name": "data_source", + "value": "DRIVE" + }, + { + "name": "resource_id", + "value": "1K23Am8JmHL9vgGwUjUPaqDZV" + }, + { + "name": "resource_owner_email", + "value": "john.doe@test.com" + }, + { + "name": "rule_resource_name", + "value": "policies/aka000000000" + }, + { + "name": "rule_name", + "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN" + }, + { + "name": "rule_type", + "value": "DLP" + }, + { + "multiMessageValue": [ + { + "parameter": [ + { + "name": "detector_id", + "value": "IBAN_CODE" + }, + { + "name": "detector_type", + "value": "PREDEFINED_DLP" + }, + { + "name": "display_name", + "value": "IBAN_CODE" + } + ] + } + ], + "name": "matched_detectors" + }, + { + "multiMessageValue": [ + { + "parameter": [ + { + "name": "action_type", + "value": "DRIVE_WARN_ON_EXTERNAL_SHARING" + } + ] + } + ], + "name": "triggered_actions" + }, + { + "multiValue": [ + "john.doe@test.com" + ], + "name": "resource_recipients" + }, + { + "name": "scan_type", + "value": "DRIVE_ONLINE_SCAN" + }, + { + "name": "severity", + "value": "LOW" + }, + { + "name": "resource_type", + "value": "DOCUMENT" + }, + { + "name": "resource_title", + "value": "8157822-2024-11-7-15-21-0" + } + ], "rule": { "data_source": "DRIVE", "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", @@ -2302,7 +4348,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "domain": "test.com", "email": "john.doe@test.com", - "id": "11332867018361686666666", + "id": "user1", "name": "john.doe" } } 
@@ -2315,7 +4361,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"192.0.2.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "event": { "action": "login_success", "category": [ @@ -2330,7 +4376,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-07T14:26:15.515000Z", "cloud": { "account": { - "id": "C00000000" + "id": "ANONYMIZED" } }, "google": { 
@@ -2344,6 +4390,24 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "login" } ], + "parameters_all": [ + { + "name": "orgunit_path", + "value": "/test/implementation" + }, + { + "name": "initiated_by", + "value": "sp" + }, + { + "name": "application_name", + "value": "AWS" + }, + { + "name": "saml_status_code", + "value": "SUCCESS_URI" + } + ], "saml": { "application_name": "AWS", "initiator": "sp", @@ -2356,20 +4420,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "2.1.3.2" + "192.0.2.1" ], "user": [ "John.doe" ] }, "source": { - "address": "2.1.3.2", - "ip": "2.1.3.2" + "address": "192.0.2.1", + "ip": "192.0.2.1" }, "user": { "domain": "test.com", "email": "John.doe@test.com", - "id": "10344515534360000000", + "id": "user1", "name": "John.doe" } } 
@@ -2382,7 +4446,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"192.0.2.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "event": { "action": "login_success", "category": [ @@ -2397,7 +4461,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-11-07T14:24:58.191000Z", "cloud": { "account": { - "id": "C000000000" + "id": "ANONYMIZED" } }, "google": { 
@@ -2411,6 +4475,24 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "login" } ], + "parameters_all": [ + { + "name": "orgunit_path", + "value": "/test/dev" + }, + { + "name": "initiated_by", + "value": "sp" + }, + { + "name": "application_name", + "value": "AWS Client VPN" + }, + { + "name": "saml_status_code", + "value": "SUCCESS_URI" + } + ], "saml": { "application_name": "AWS Client VPN", "initiator": "sp", @@ -2423,20 +4505,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "8.6.15.1" + "192.0.2.1" ], "user": [ "John.doe" ] }, "source": { - "address": "8.6.15.1", - "ip": "8.6.15.1" + "address": "192.0.2.1", + "ip": "192.0.2.1" }, "user": { "domain": "test.com", "email": "John.doe@test.com", - "id": "113844576558700000000", + "id": "user1", "name": "John.doe" } } 
@@ -2449,7 +4531,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@example.net\",\"profileId\":\"user1\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@example.net\"}]}]}", "event": { "action": "SUSPEND_USER", "category": [ @@ -2463,13 +4545,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-07-09T14:05:42.528000Z", "cloud": { "account": { - "id": "C03foh000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "john.doe@test.fr" + "email": "john.doe@example.net" }, "events": [ { @@ -2479,8 +4561,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "parameters": { "name": "USER_EMAIL", - "value": "jdoe@test.fr" - } + "value": "jdoe@example.net" + }, + "parameters_all": [ + { + "name": "USER_EMAIL", + "value": "jdoe@example.net" + } + ] } }, "network": { 
@@ -2499,12 +4587,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "1.2.3.4" }, "user": { - "domain": "test.fr", - "email": "john.doe@test.fr", - "id": "102788027662650927386", + "domain": "example.net", + "email": "john.doe@example.net", + "id": "user1", "name": "john.doe", "target": { - "email": "jdoe@test.fr" + "email": "jdoe@example.net" } } } 
@@ -2517,7 +4605,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc 
Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"johndoe@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"redacted\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc 
Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}", "event": { "action": [ "change_user_access", @@ -2535,7 +4623,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-01-17T11:09:39.840000Z", "cloud": { "account": { - "id": "XXXXXX" + "id": "ANONYMIZED" } }, "file": { @@ -2546,7 +4634,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "google": { "report": { "actor": { - "email": "senduser@test.com" + "email": "johndoe@test.com" }, "events": [ { 
@@ -2560,7 +4648,129 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "parameters": { "visibility": "shared_externally" - } + }, + "parameters_all": [ + { + "boolValue": false, + "name": "primary_event" + }, + { + "boolValue": true, + "name": "billable" + }, + { + "boolValue": false, + "name": "owner_is_shared_drive" + }, + { + "name": "owner", + "value": "owner@test.com" + }, + { + "name": "doc_id", + "value": "1111111111" + }, + { + "name": "doc_type", + "value": "document" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "Doc Temp" + }, + { + "name": "visibility", + "value": "shared_externally" + }, + { + "name": "originating_app_id", + "value": "111111" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": false, + "name": "owner_is_team_drive" + }, + { + "boolValue": true, + "name": "primary_event" + }, + { + "boolValue": true, + "name": "billable" + }, + { + "name": "visibility_change", + "value": "external" + }, + { + "name": "target_user", + "value": "redacted" + }, + { + "multiValue": [ + "none" + ], + "name": "old_value" + }, + { + "multiValue": [ + "can_edit" + ], + "name": "new_value" + }, + { + "name": "old_visibility", + "value": "shared_internally" + }, + { + "boolValue": false, + "name": "owner_is_shared_drive" + }, + { + "name": "owner", + "value": "owner@test.com" + }, + { + "name": "doc_id", + "value": "11111" + }, + { + "name": "doc_type", + "value": "document" + }, + { + "boolValue": false, + "name": "is_encrypted" + }, + { + "name": "doc_title", + "value": "Doc Temp" + }, + { + "name": "visibility", + "value": "shared_externally" + }, + { + "name": "originating_app_id", + "value": "11111" + }, + { + "boolValue": false, + "name": "actor_is_collaborator_account" + }, + { + "boolValue": false, + "name": "owner_is_team_drive" + } + ] } }, "network": { 
@@ -2571,8 +4781,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "0.0.0.0" ], "user": [ - "owner@test.com", - "senduser" + "johndoe", + "owner@test.com" ] }, "source": { @@ -2581,11 +4791,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "test.com", - "email": "senduser@test.com", + "email": "johndoe@test.com", "id": "11111", - "name": "senduser", + "name": "johndoe", "target": { - "email": "targetuser@test.fr" + "email": "redacted" } } } 
@@ -2598,7 +4808,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JOHN.DOE@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"user1\"},{\"name\":\"app_name\",\"value\":\"Test Log 
Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}", "event": { "action": "authorize", "category": [ 
@@ -2613,22 +4823,76 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-13T11:24:59.810000Z", "client": { "user": { - "id": "11057316681905" + "id": "user1" } }, "cloud": { "account": { - "id": "C03foh04q" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "JONE.DOE@test.com" + "email": "JOHN.DOE@test.com" }, "events": [ " [{'name': 'authorize', 'type': Undefined}]" ], + "parameters_all": [ + { + "name": "client_id", + "value": "user1" + }, + { + "name": "app_name", + "value": "Test Log Workspace" + }, + { + "name": "client_type", + "value": "WEB" + }, + { + "multiMessageValue": [ + { + "parameter": [ + { + "name": "scope_name", + "value": "https://www.googleapis.com/auth/admin.reports.audit.readonly" + }, + { + "multiValue": [ + "GSUITE_ADMIN" + ], + "name": "product_bucket" + } + ] + }, + { + "parameter": [ + { + "name": "scope_name", + "value": "https://www.googleapis.com/auth/admin.reports.usage.readonly" + }, + { + "multiValue": [ + "GSUITE_ADMIN" + ], + "name": "product_bucket" + } + ] + } + ], + "name": "scope_data" + }, + { + "multiValue": [ + "https://www.googleapis.com/auth/admin.reports.audit.readonly", + "https://www.googleapis.com/auth/admin.reports.usage.readonly" + ], + "name": "scope" + } + ], "token": { "app_name": "Test Log Workspace", "type": "WEB" @@ -2643,7 +4907,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "JONE.DOE" + "JOHN.DOE" ] }, "source": { @@ -2652,9 +4916,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "test.com", - "email": "JONE.DOE@test.com", - "id": "109472445", - "name": "JONE.DOE" + "email": "JOHN.DOE@test.com", + "id": "user1", + "name": "JOHN.DOE" } } 
@@ -2666,7 +4930,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOHN.DOE@test.com\",\"profileId\":\"user1\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"user1\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}", "event": { "action": "activity", "category": [ 
@@ -2681,18 +4945,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-03-13T11:25:23.391000Z", "client": { "user": { - "id": "110573166819" + "id": "user1" } }, "cloud": { "account": { - "id": "C03foh5555" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "JOE.DONE@test.com" + "email": "JOHN.DOE@test.com" }, "events": [ { @@ -2700,6 +4964,36 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "auth" } ], + "parameters_all": [ + { + "name": "api_name", + "value": "admin" + }, + { + "name": "method_name", + "value": "reports.activities.list" + }, + { + "name": "client_id", + "value": "user1" + }, + { + "intValue": "7", + "name": "num_response_bytes" + }, + { + "name": "product_bucket", + "value": "GSUITE_ADMIN" + }, + { + "name": "app_name", + "value": "Test Log Workspace" + }, + { + "name": "client_type", + "value": "WEB" + } + ], "token": { "app_name": "Test Log Workspace", "type": "WEB" @@ -2714,7 +5008,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.1.1.1" ], "user": [ - "JOE.DONE" + "JOHN.DOE" ] }, "source": { @@ -2723,9 +5017,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "test.com", - "email": "JOE.DONE@test.com", - "id": "1094724450", - "name": "JOE.DONE" + "email": "JOHN.DOE@test.com", + "id": "user1", + "name": "JOHN.DOE" } } 
@@ -2737,7 +5031,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"ANONYMIZED\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"redacted\",\"profileId\":\"user1\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", "event": { "action": "view_cross_matter_litigation_hold_report", "dataset": "admin#reports#activity", @@ -2748,35 +5042,28 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "@timestamp": "2024-10-24T12:15:09.887000Z", "cloud": { "account": { - "id": "C020000000" + "id": "ANONYMIZED" } }, "google": { "report": { "actor": { - "email": "joe.done@test.cloud" + "email": "redacted" }, "events": [ { "name": "view_cross_matter_litigation_hold_report", "type": "user_action" } - ] + ], + "parameters_all": [] } }, "network": { "application": "vault" }, - "related": { - "user": [ - "joe.done" - ] - }, "user": { - "domain": "test.cloud", - "email": "joe.done@test.cloud", - "id": "10055276727227777777777", - "name": "joe.done" + "id": "user1" } } 
@@ -2813,6 +5100,8 @@ The following table lists the fields that are extracted, normalized under the EC |`google.report.boot_mode.old` | `keyword` | Old boot mode | |`google.report.chat.message.id` | `keyword` | Message id | |`google.report.chat.room.name` | `keyword` | Room name | +|`google.report.drive.new_classification` | `keyword` | | +|`google.report.drive.old_classification` | `keyword` | | |`google.report.events` | `array` | List of events | |`google.report.host.os.old_version` | `keyword` | Previous OS version | |`google.report.login.failure.reason` | `keyword` | Login failure reason | @@ -2820,6 +5109,7 @@ The following table lists the fields that are extracted, normalized under the EC |`google.report.parameters.name` | `keyword` | Name of the item associated with the activity | |`google.report.parameters.value` | `keyword` | Value of the item associated with the activity | |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity | +|`google.report.parameters_all` | `array` | Parameter value pairs for various applications | |`google.report.remove.user.reason` | `keyword` | Remove user reason | |`google.report.rule.data_source` | `keyword` | Data source | |`google.report.rule.name` | `keyword` | Name of the rule | diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md index 53f3231a03..58a349cf0d 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md 
@@ -14,15 +14,15 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-07T14:23:22.470Z", "uniqueQualifier": "-7203312395540000000", "applicationName": "context_aware_access", - "customerId": "C02i38lll" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", "actor": { "callerType": "USER", "email": "john.doe@test.com", - "profileId": "117564289545555555555" + "profileId": "user1" }, - "ipAddress": "9.3.2.1", + "ipAddress": "192.0.2.1", "events": [ { "type": "CONTEXT_AWARE_ACCESS_USER_EVENT", @@ -71,6 +71,61 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_admin_data_source" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2025-12-01T11:00:20.545Z", + "uniqueQualifier": "-2222222222222222222", + "applicationName": "admin", + "customerId": "ANONYMIZED" + }, + "etag": "\"Abc/Def\"", + "actor": { + "callerType": "USER", + "email": "john.doe@example.com", + "profileId": "111111111111111111111" + }, + "ipAddress": "1.2.3.4", + "networkInfo": { + "ipAsn": [ + 3215 + ], + "regionCode": "FR", + "subdivisionCode": "FR-IDF" + }, + "events": [ + { + "type": "SECURITY_INVESTIGATION", + "name": "SECURITY_INVESTIGATION_CONTENT_ACCESS", + "parameters": [ + { + "name": "INVESTIGATION_DATA_SOURCE", + "value": "GMAIL" + }, + { + "name": "INVESTIGATION_CONTENT_ACCESS_ENTITY_ID", + "value": "( jane.doe@example.net)" + }, + { + "name": "INVESTIGATION_CONTENT_ACCESS_JUSTIFICATION", + "value": "https://test.atlassian.net/jira/servicedesk/projects/ALRT/queues/custom/125/ALRT-1" + }, + { + "name": "INVESTIGATION_CONTENT_ACCESS_DEVICE", + "value": "REDACTED" + } + ] + } + ] + } + ``` + + + === "test_admin_sample1" 
@@ -81,15 +136,15 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-12T14:50:56.780Z", "uniqueQualifier": "-68755428425", "applicationName": "admin", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"", "actor": { "callerType": "USER", "email": "test@test.com", - "profileId": "10125127140" + "profileId": "user1" }, - "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd", + "ipAddress": "FE80:000:333:1111:7777:5555:6666:ddd", "events": [ { "type": "ALERT_CENTER", @@ -117,14 +172,14 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-12T14:41:33.804Z", "uniqueQualifier": "-4779949128172", "applicationName": "admin", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"", "actor": { "email": "test@test.com", - "profileId": "10125127141" + "profileId": "user1" }, - "ipAddress": "2222:000:333:1111:7777:5555:6666:ddd", + "ipAddress": "FE80:000:333:1111:7777:5555:6666:ddd", "events": [ { "type": "SECURITY_SETTINGS", @@ -264,12 +319,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T10:25:01.859Z", "uniqueQualifier": "-119782077599", "applicationName": "calendar", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\"", "actor": { - "email": "joe.done@test.com", - "profileId": "1126768166" + "email": "jane.doe@test.com", + "profileId": "user1" }, "ownerDomain": "sekoia.io", "ipAddress": "1.2.3.4", @@ -284,11 +339,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_calendar_id", - "value": "joe.done@test.com" + "value": "jane.doe@test.com" }, { "name": "calendar_id", - "value": "joe.done@test.com" + "value": "jane.doe@test.com" }, { "name": "event_title", 
@@ -340,15 +395,15 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T10:36:57.929Z", "uniqueQualifier": "2480088525820", "applicationName": "calendar", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", "actor": { - "email": "joe.doe@test.com", - "profileId": "1158856535600" + "email": "john.doe@test.com", + "profileId": "user1" }, "ownerDomain": "test.com", - "ipAddress": "ffff:2222:333:11:aa:2222:111:11", + "ipAddress": "192.0.2.1", "events": [ { "type": "event_change", @@ -360,11 +415,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_calendar_id", - "value": "joe.doe@test.com" + "value": "john.doe@test.com" }, { "name": "calendar_id", - "value": "jone.done@test.com" + "value": "jane.doe@test.com" }, { "name": "event_title", @@ -406,11 +461,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_calendar_id", - "value": "joe.doe@test.com" + "value": "john.doe@test.com" }, { "name": "calendar_id", - "value": "jone.done@test.com" + "value": "jane.doe@test.com" }, { "name": "event_title", @@ -430,7 +485,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "event_guest", - "value": "jone.done@test.com" + "value": "jane.doe@test.com" }, { "name": "user_agent", @@ -454,13 +509,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-08T10:37:56.354Z", "uniqueQualifier": "-75128508411076", "applicationName": "chat", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\"", "actor": { "callerType": "USER", - "email": "joe.done@test.com", - "profileId": "1160802395241" + "email": "jane.doe@test.com", + "profileId": "user1" }, "events": [ { 
@@ -473,7 +528,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "actor", - "value": "joe.done@test.com" + "value": "jane.doe@test.com" }, { "name": "message_id", @@ -509,13 +564,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-12T10:01:16.430Z", "uniqueQualifier": "-2323518099402", "applicationName": "chat", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\"", "actor": { "callerType": "USER", - "email": "joe.done@test.com", - "profileId": "1070981817756" + "email": "jane.doe@test.com", + "profileId": "user1" }, "events": [ { @@ -528,7 +583,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "actor", - "value": "joe.done@test.com" + "value": "jane.doe@test.com" }, { "name": "external_room", @@ -556,12 +611,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-15T09:11:54.000Z", "uniqueQualifier": "8333377333333333333", "applicationName": "chrome", - "customerId": "C01000364" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhI/FB6vZhPRe0T5Zqobg\"", "actor": { "callerType": "USER", - "profileId": "105250506090000000000000" + "profileId": "user1" }, "events": [ { @@ -578,11 +633,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NNNN00AA" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "a@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", 
@@ -614,12 +669,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-15T09:41:04.457Z", "uniqueQualifier": "-419957426935000000000", "applicationName": "chrome", - "customerId": "C01x77777" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhIiA/NR0JCBuKk9DM7\"", "actor": { "callerType": "USER", - "profileId": "1052505060000000000000" + "profileId": "user1" }, "events": [ { @@ -636,11 +691,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ00A66666666" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "a@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", @@ -672,7 +727,7 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-08T13:15:35.760Z", "uniqueQualifier": "-5079400007310000000", "applicationName": "chrome", - "customerId": "C01xxcccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfbhIiAAGttWx4uxgdiOjzAg0/tTZpUjK2c3wFB9Uh\"", "actor": { @@ -690,7 +745,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "M4NXCVNNNN2000000" + "value": "example.com" }, { "name": "EVENT_REASON", @@ -730,13 +785,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-21T13:47:41.000Z", "uniqueQualifier": "-41312380982470000000", "applicationName": "chrome", - "customerId": "C01x7cccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD84uxgdiOjzAg0/ydpRq7PE6Sq81YCdl1\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "1032729143013" + "email": "redacted", + "profileId": "user1" }, "events": [ { @@ -753,7 +808,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "PFPFPF7T0M" + "value": "example.com" }, { "name": "DEVICE_USER", 
@@ -797,13 +852,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-21T13:48:12.000Z", "uniqueQualifier": "389668566663666666613", "applicationName": "chrome", - "customerId": "C01xxcccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/k9WnQIxoNvYgDlcL8\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "103276200000043013" + "email": "redacted", + "profileId": "user1" }, "events": [ { @@ -820,7 +875,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "PFFF7T0M" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -860,13 +915,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-21T13:48:12.000Z", "uniqueQualifier": "-3822400088800088888", "applicationName": "chrome", - "customerId": "C01x7cccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWxgdiOjzAg0/ND9YlWuFYJrufwljQI\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "11122222222460000000" + "email": "redacted", + "profileId": "user1" }, "events": [ { @@ -883,7 +938,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "PFPFTT0M" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -919,13 +974,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-21T13:47:27.000Z", "uniqueQualifier": "6345555777799998888", "applicationName": "chrome", - "customerId": "C01xxcccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kDttWx4uxgdiOjzAg0/4hGqeNXoNQepbYGE\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "333222222222222223333" + "email": "redacted", + "profileId": "user1" }, "events": [ { 
@@ -942,7 +997,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "PFPF7T0M" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -978,12 +1033,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-08T13:20:40.000Z", "uniqueQualifier": "-2392455694764444444444", "applicationName": "chrome", - "customerId": "C01x7c000" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\"", "actor": { "callerType": "USER", - "profileId": "105250506097973333333333" + "profileId": "user1" }, "events": [ { @@ -1000,7 +1055,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ00A000000" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -1040,12 +1095,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-05T11:58:46.000Z", "uniqueQualifier": "5756634282037777777777", "applicationName": "chrome", - "customerId": "C01x777777777" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWJ2Smlh/sS5BbT29sC\"", "actor": { "callerType": "USER", - "profileId": "1052505060000000000000000" + "profileId": "user1" }, "events": [ { @@ -1062,11 +1117,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "NXEFJEF007901100000000" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "y@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", 
@@ -1106,12 +1161,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-15T09:00:38.000Z", "uniqueQualifier": "-1434962671000000000000", "applicationName": "chrome", - "customerId": "C0100c000" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWJ2SmlhIiAAG/lzqsleRu67H0HaxvdOJ\"", "actor": { "callerType": "USER", - "profileId": "105250506000000000000000000" + "profileId": "user1" }, "events": [ { @@ -1128,11 +1183,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ0000000001A" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "a@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", @@ -1164,13 +1219,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-11T15:56:35.651Z", "uniqueQualifier": "2420143888886666888", "applicationName": "chrome", - "customerId": "C01x7cccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9AGttWx4uxgdiOjzAg0/qXWA2OAs3YpjtVNEo9y\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "103333222222222223333" + "email": "redacted", + "profileId": "user1" }, "events": [ { @@ -1187,11 +1242,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NNN000A66661A" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "a@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", 
@@ -1239,13 +1294,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-11T15:56:35.351Z", "uniqueQualifier": "2649444888333333335", "applicationName": "chrome", - "customerId": "C01x7c333" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvAGttWx4uxgdiOjzAg0/DWFo8d88e_z7nQYg\"", "actor": { "callerType": "USER", - "email": "a@test.fr", - "profileId": "103272222224629143333" + "email": "redacted", + "profileId": "user1" }, "events": [ { @@ -1262,11 +1317,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NNN00066688AA" + "value": "example.com" }, { "name": "DEVICE_USER", - "value": "a@test.fr" + "value": "redacted" }, { "name": "CLIENT_TYPE", @@ -1314,12 +1369,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-08T13:17:42.050Z", "uniqueQualifier": "8215000000000000000", "applicationName": "chrome", - "customerId": "C01x00000" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zF\"", "actor": { "callerType": "USER", - "profileId": "105250506097979777777" + "profileId": "user1" }, "events": [ { @@ -1336,7 +1391,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ00A000000" + "value": "example.com" }, { "name": "CLIENT_TYPE", @@ -1388,12 +1443,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-15T09:09:42.884Z", "uniqueQualifier": "436275460544100000000", "applicationName": "chrome", - "customerId": "C01x7ccccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfbtWx4uxgdiOjzAg0/175l0NK2JBeAcg\"", "actor": { "callerType": "USER", - "profileId": "105250506097000000000" + "profileId": "user1" }, "events": [ { 
@@ -1410,7 +1465,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ00A66821A" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -1450,12 +1505,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-15T09:31:16.000Z", "uniqueQualifier": "-378806042057000000000000", "applicationName": "chrome", - "customerId": "C01x700000" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfb9kD8ZfWJ2Sml/mtgJ4U_Y-rfHYQ\"", "actor": { "callerType": "USER", - "profileId": "105250500000000000753968" + "profileId": "user1" }, "events": [ { @@ -1472,7 +1527,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S5NXNZ0000000000A" + "value": "example.com" }, { "name": "DEVICE_USER", @@ -1512,12 +1567,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-14T09:17:57.384Z", "uniqueQualifier": "68200096415770000", "applicationName": "chrome", - "customerId": "C01xxcccc" + "customerId": "ANONYMIZED" }, "etag": "\"vj4PvLCfiAAGttWx4uxgdiOjzAg0/bTMQuHA7m4d1RjZ8u\"", "actor": { "callerType": "USER", - "profileId": "1052505060979" + "profileId": "user1" }, "events": [ { @@ -1534,7 +1589,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "DEVICE_NAME", - "value": "S50000000A668888" + "value": "example.com" }, { "name": "DEVICE_USER", 
@@ -1578,13 +1633,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2025-03-18T13:32:31.497Z", "uniqueQualifier": "-6347820133480887822", "applicationName": "admin", - "customerId": "C0345lbe6" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", "actor": { "callerType": "USER", - "email": "john@example.com", - "profileId": "11223344556677889900" + "email": "johndoe@example.com", + "profileId": "user1" }, "ipAddress": "1.2.3.4", "events": [ @@ -1594,7 +1649,7 @@ In this section, you will find examples of raw logs as generated natively by the "parameters": [ { "name": "USER_EMAIL", - "value": "jane@example.com" + "value": "janedoe@example.com" } ] } @@ -1614,12 +1669,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2014-03-17T15:39:18.460Z", "uniqQualifier": "reports unique ID", "applicationName": "drive", - "customerId": "ABC123xyz" + "customerId": "ANONYMIZED" }, "actor": { "callerType": "USER", - "email": "kim@example.com", - "profileId": "users unique Google Workspace profile ID", + "email": "johndoe@example.com", + "profileId": "user1", "key": "consumer key of requestor in an OAuth 2LO request" }, "ownerDomain": "domain of the source owner", @@ -1707,12 +1762,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2014-03-17T15:39:18.460Z", "uniqQualifier": "reports unique ID", "applicationName": "drive", - "customerId": "ABC123xyz" + "customerId": "ANONYMIZED" }, "actor": { "callerType": "USER", - "email": "kim@example.com", - "profileId": "users unique Google Workspace profile ID", + "email": "johndoe@example.com", + "profileId": "user1", "key": "consumer key of requestor in an OAuth 2LO request" }, "ownerDomain": "domain of the source owner", 
@@ -1764,7 +1819,7 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2025-02-18T17:10:20.317Z", "uniqueQualifier": "-12345678", "applicationName": "drive", - "customerId": "CUSTO1" + "customerId": "ANONYMIZED" }, "etag": "\"ABCDEF123\"", "actor": { 
@@ -1844,6 +1899,167 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_drive_update_label" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2025-12-08T07:12:18.897Z", + "uniqueQualifier": "-2222222222222222222", + "applicationName": "drive", + "customerId": "ANONYMIZED" + }, + "etag": "\"Abc/Def\"", + "actor": { + "email": "john.doe@example.com", + "profileId": "111111111111111111111" + }, + "events": [ + { + "type": "access", + "name": "label_field_changed", + "parameters": [ + { + "name": "label", + "value": "labels/A1B2C3@83" + }, + { + "name": "label_title", + "value": "Classification" + }, + { + "name": "reason", + "value": "user_action" + }, + { + "name": "field_id", + "value": "ABCD1234" + }, + { + "name": "field", + "value": "Classification" + }, + { + "name": "new_value", + "multiValue": [ + "C0 Public" + ] + }, + { + "name": "old_value", + "multiValue": [ + "C1 Restricted" + ] + }, + { + "name": "new_value_id", + "multiValue": [ + "DEF123" + ] + }, + { + "name": "old_value_id", + "multiValue": [ + "TEST123" + ] + }, + { + "name": "new_field_value", + "multiValue": [ + "DEF123" + ] + }, + { + "name": "old_field_value", + "multiValue": [ + "TEST123" + ] + }, + { + "name": "primary_event", + "boolValue": true + }, + { + "name": "owner_is_shared_drive", + "boolValue": false + }, + { + "name": "owner", + "value": "john.doe@example.com" + }, + { + "name": "doc_id", + "value": "DOCUMENTID" + }, + { + "name": "doc_type", + "value": "spreadsheet" + }, + { + "name": "is_encrypted", + "boolValue": false + }, + { + "name": "doc_title", + "value": "tps report" + }, + { + "name": "visibility", + "value": "private" + }, + { + "name": "actor_is_collaborator_account", + "boolValue": false + }, + { + "name": "owner_is_team_drive", + "boolValue": false + } + ], + "resourceIds": [ + "DOCUMENTID" + ] + } + ], + "resourceDetails": [ + { + "id": "DOCUMENTID", + "title": "tps report", + "type": "DRIVE_ITEM", 
+ "relation": "DRIVE_PRIMARY", + "appliedLabels": [ + { + "id": "ANONYMIZED", + "title": "Classification", + "reason": { + "reasonType": "USER_APPLIED" + }, + "fieldValues": [ + { + "id": "ABCD1234", + "displayName": "Classification", + "type": "SELECTION", + "selectionValue": { + "id": "DEF123", + "displayName": "C0 Public", + "badged": true + }, + "reason": { + "reasonType": "USER_APPLIED" + } + } + ] + } + ] + } + ] + } + ``` + + + === "test_drive_view_document" @@ -1944,7 +2160,7 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-14T12:07:37.366Z", "uniqueQualifier": "-3853857772415670247", "applicationName": "meet", - "customerId": "C030x4pai" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\"", "actor": { @@ -2070,7 +2286,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_email", - "value": "tt.test@test.fr" + "value": "redacted" }, { "name": "screencast_recv_short_side_median_pixels", @@ -2158,7 +2374,7 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-14T11:32:12.301Z", "uniqueQualifier": "-6765941919309710661", "applicationName": "meet", - "customerId": "C030x4pai" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\"", "actor": { @@ -2272,7 +2488,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_email", - "value": "tt.test@test.fr" + "value": "redacted" }, { "name": "is_external", @@ -2348,7 +2564,7 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2025-02-18T16:00:24.311Z", "uniqueQualifier": "-123456", "applicationName": "groups_enterprise", - "customerId": "CUSTOMER1" + "customerId": "ANONYMIZED" }, "etag": "\"ABCDEF123\"", "actor": { 
@@ -2408,13 +2624,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-11T15:20:33.157Z", "uniqueQualifier": "-92180609786", "applicationName": "groups_enterprise", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", "actor": { "callerType": "USER", - "email": "joe.done@test.com", - "profileId": "109472445" + "email": "jane.doe@test.com", + "profileId": "user1" }, "events": [ { @@ -2443,13 +2659,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T11:02:40.037Z", "uniqueQualifier": "235176017661", "applicationName": "meet", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", "actor": { "callerType": "USER", - "email": "jone.doe@test.com", - "profileId": "1098488062555" + "email": "jane.doe@test.com", + "profileId": "user1" }, "events": [ { @@ -2522,7 +2738,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "identifier", - "value": "jone.doe@test.com" + "value": "jane.doe@test.com" }, { "name": "location_region", @@ -2534,11 +2750,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "organizer_email", - "value": "joe.done@test.com" + "value": "jane.doe@test.com" }, { "name": "ip_address", - "value": "5555:333:333:5555:5555:5555:5555:5555" + "value": "192.0.2.1" }, { "name": "audio_send_seconds", 
@@ -2602,13 +2818,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T10:31:23.630Z", "uniqueQualifier": "47501654195", "applicationName": "meet", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", "actor": { "callerType": "USER", - "email": "jone.done@test.com", - "profileId": "1070981817756" + "email": "jane.doe@test.com", + "profileId": "user1" }, "events": [ { @@ -2633,7 +2849,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "identifier", - "value": "jone.done@test.com" + "value": "jane.doe@test.com" }, { "name": "identifier_type", @@ -2657,13 +2873,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2025-08-12T06:27:17.877Z", "uniqueQualifier": "id-1", "applicationName": "login", - "customerId": "customer-1" + "customerId": "ANONYMIZED" }, "etag": "\"etag-placeholder\"", "actor": { "callerType": "USER", "email": "user1@example.com", - "profileId": "profile-1" + "profileId": "user1" }, "ipAddress": "192.0.2.20", "networkInfo": { @@ -2700,12 +2916,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-07T14:21:46.270Z", "uniqueQualifier": "233165468629800000000", "applicationName": "rules", - "customerId": "C02i38888" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", "actor": { "email": "john.doe@test.com", - "profileId": "113328670183616666666" + "profileId": "user1" }, "events": [ { 
@@ -2814,12 +3030,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-07T14:21:46.270Z", "uniqueQualifier": "-49907177521610000000", "applicationName": "rules", - "customerId": "C02i38888" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\"", "actor": { "email": "john.doe@test.com", - "profileId": "11332867018361686666666" + "profileId": "user1" }, "events": [ { @@ -2924,14 +3140,14 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-07T14:26:15.515Z", "uniqueQualifier": "4091348940000000", "applicationName": "saml", - "customerId": "C00000000" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", "actor": { "email": "John.doe@test.com", - "profileId": "10344515534360000000" + "profileId": "user1" }, - "ipAddress": "2.1.3.2", + "ipAddress": "192.0.2.1", "events": [ { "type": "login", @@ -2971,14 +3187,14 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-11-07T14:24:58.191Z", "uniqueQualifier": "-318965716033600000", "applicationName": "saml", - "customerId": "C000000000" + "customerId": "ANONYMIZED" }, "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", "actor": { "email": "John.doe@test.com", - "profileId": "113844576558700000000" + "profileId": "user1" }, - "ipAddress": "8.6.15.1", + "ipAddress": "192.0.2.1", "events": [ { "type": "login", 
@@ -3018,13 +3234,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-07-09T14:05:42.528Z", "uniqueQualifier": "0123456789101112131", "applicationName": "admin", - "customerId": "C03foh000" + "customerId": "ANONYMIZED" }, "etag": "BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0", "actor": { "callerType": "USER", - "email": "john.doe@test.fr", - "profileId": "102788027662650927386" + "email": "john.doe@example.net", + "profileId": "user1" }, "ipAddress": "1.2.3.4", "events": [ @@ -3034,7 +3250,7 @@ In this section, you will find examples of raw logs as generated natively by the "parameters": [ { "name": "USER_EMAIL", - "value": "jdoe@test.fr" + "value": "jdoe@example.net" } ] } @@ -3054,11 +3270,11 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-01-17T11:09:39.840Z", "uniqueQualifier": "111111", "applicationName": "drive", - "customerId": "XXXXXX" + "customerId": "ANONYMIZED" }, "etag": "aaa-aaa/aaa", "actor": { - "email": "senduser@test.com", + "email": "johndoe@test.com", "profileId": "11111" }, "ipAddress": "0.0.0.0", @@ -3135,7 +3351,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "target_user", - "value": "targetuser@test.fr" + "value": "redacted" }, { "name": "old_value", @@ -3211,12 +3427,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T11:24:59.810Z", "uniqueQualifier": "515960775816012389", "applicationName": "token", - "customerId": "C03foh04q" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\"", "actor": { - "email": "JONE.DOE@test.com", - "profileId": "109472445" + "email": "JOHN.DOE@test.com", + "profileId": "user1" }, "ipAddress": "1.2.3.4", "events": [ 
@@ -3225,7 +3441,7 @@ In this section, you will find examples of raw logs as generated natively by the "parameters": [ { "name": "client_id", - "value": "11057316681905" + "value": "user1" }, { "name": "app_name", @@ -3293,12 +3509,12 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-03-13T11:25:23.391Z", "uniqueQualifier": "-38605878274", "applicationName": "token", - "customerId": "C03foh5555" + "customerId": "ANONYMIZED" }, "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\"", "actor": { - "email": "JOE.DONE@test.com", - "profileId": "1094724450" + "email": "JOHN.DOE@test.com", + "profileId": "user1" }, "ipAddress": "1.1.1.1", "events": [ @@ -3316,7 +3532,7 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "client_id", - "value": "110573166819" + "value": "user1" }, { "name": "num_response_bytes", @@ -3352,13 +3568,13 @@ In this section, you will find examples of raw logs as generated natively by the "time": "2024-10-24T12:15:09.887Z", "uniqueQualifier": "38392508037850000000", "applicationName": "vault", - "customerId": "C020000000" + "customerId": "ANONYMIZED" }, "etag": "\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\"", "actor": { "callerType": "USER", - "email": "joe.done@test.cloud", - "profileId": "10055276727227777777777" + "email": "redacted", + "profileId": "user1" }, "events": [ { diff --git a/_shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a_sample.md b/_shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a_sample.md deleted file mode 100644 index 47fbe472f5..0000000000 --- a/_shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a_sample.md +++ /dev/null 
@@ -1,118 +0,0 @@ - -### Raw Events Samples - -In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. - - -=== "AUTHN_ATTEMPT" - - ``` - 2025-12-09 08:23:52,682 trackingid="tid:D68VmhNKbQi3z3csgj0Hn_lc3iM" transactionid="2zjC3jlLX20MRKHaYiRX2ukOo" event="AUTHN_ATTEMPT" subject="" ip="192.0.2.11" connectionid="https://testcorpx.testsite.com" protocol="SAML20" pfhost="host06.test.internal.testcorp" role="IdP" status="success" responsetime="5" assertionid="" attrackingid="" attributes="" authenticationsourceid="adapter.AdpUserIdentificationForm" authnsessionexpiry="" connectionname="TestLearn" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.abc.cloud.testcorpx" X-Forwarded-Host="hub-mtls.auth.testcorpx.com" trustedNetwork="YES" requestid="" sri="D68VmhNKaQi3z3csgj0Hn_lc3iM" virtualserverid=https://hub-mtls.auth.testcorpx.com - ``` - - - -=== "AUTHN_REQUEST" - - ``` - 2025-08-30 22:27:50,026 trackingid="tid:EfRuCLHmleA0JggggnFQHAaUiKI" transactionid="sbK3tzaevezYmWSQcJgCoJppH" event="AUTHN_REQUEST" subject="testuser1" ip="192.0.2.10" connectionid="https://eu.testapp.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/" protocol="SAML20" pfhost="host05.test.internal.testcorp" role="SP" status="inprogress" responsetime="6" assertionid="" attrackingid="" attributes="" authenticationsourceid="idpConnection.https://login.auth.example.com/PasswordProtectedTransport" authnsessionexpiry="" connectionname="TestApp (Vendor)" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="wXY3g0jmB0nnThH_bfO-z.Y82Lo" sri="EfRuCLHmleA0JggggnFQHAaUiKI" virtualserverid="https://hub-mtls.auth.example.com" - ``` - - - -=== 
"AUTHN_SESSIONS_DELETED" - - ``` - 2025-09-01 15:15:34,068 trackingid="tid:nkWHFLhf2dsvdFckMbwF1NU_j8g" transactionid="snJEcQqMQvYQe2WIsraji9ZtK" event="AUTHN_SESSIONS_DELETED" subject="" ip="192.0.2.12" connectionid="" protocol="" pfhost="host01.test.internal.testcorp" role="IdP" status="success" responsetime="44" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="nkWHFLhf2dsvdFckMbwF1NU_j8g..tbPV" virtualserverid="" - ``` - - - -=== "AUTHN_SESSION_CREATED" - - ``` - 2025-08-30 22:27:50,474 trackingid="tid:vpYkkHbUv895EJQob3vhMrTbIgc" transactionid="DW83XpRRPgoKBAY7gru6YIR81" event="AUTHN_SESSION_CREATED" subject="" ip="192.0.2.10" connectionid="https://hub.auth.example.com/PasswordProtectedTransport" protocol="SAML20" pfhost="host03.test.internal.testcorp" role="IdP" status="" responsetime="50" assertionid="" attrackingid="" attributes="" authenticationsourceid="adapter.AdpRequestedUser" authnsessionexpiry="2025-08-30 23:27:50.474+0000" connectionname="HUB Password Only" granttype="" X-Forwarded-Vip="login.auth.test.internal.testcorp" X-Forwarded-Host="login.auth.example.com" trustedNetwork="YES" requestid="" sri="vpYkkHbUv895EJQob3vhMrTbIgc..s3rm" virtualserverid="https://login.auth.example.com/PasswordProtectedTransport" - ``` - - - -=== "AUTHN_SESSION_USED" - - ``` - 2025-09-02 12:08:59,880 trackingid="tid:fu6aEL29MEj1AKRn3_wSMGWwo5A" transactionid="wHZWQNR6r0JHSW9yizXSXC8zD" event="AUTHN_SESSION_USED" subject="" ip="192.0.2.16" connectionid="https://testapp-uat.corp.testcorp/" protocol="SAML20" pfhost="host04.test.internal.testcorp" role="IdP" status="" responsetime="30" assertionid="" attrackingid="" attributes="" authenticationsourceid="idpConnection.https://login.auth.example.com/strong" authnsessionexpiry="2025-09-02 14:35:59.863+0000" 
connectionname="TestID UAT saml" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="HqFnER4GNYadajPW5xa6.JSIr-A" sri="fu6aEL29MEj1AKRn3_wSMGWwo5A..trpv" virtualserverid="https://hub-mtls.auth.example.com" - ``` - - - -=== "OAuth" - - ``` - 2025-09-02 04:49:16,008 trackingid="tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ" transactionid="Jk8NwdiVkax3KfSl9AtzarYxC" event="OAuth" subject="testuser1" ip="192.0.2.14" connectionid="01957ee4-3206-7f2b-a0c5-d6794cd50d40" protocol="OAuth20" pfhost="host04.test.internal.testcorp" role="AS" status="failure" responsetime="88" assertionid="e-x8HOQUiqLKkGO-Qjsn5G4ySqZ" attrackingid="" attributes="SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" authenticationsourceid="" authnsessionexpiry="" connectionname="TestPortal" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH" sri="SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL" virtualserverid="https://hub.auth.example.com/strong" - ``` - - - -=== "SLO" - - ``` - 2025-09-01 17:03:55,086 trackingid="tid:4QVg-5IEEJKY_3L7G70fbISqvZQ" transactionid="kYweNpnacjZIqO2hVKMiz2GSN" event="SLO" subject="" ip="192.0.2.13" connectionid="01957ee4-3206-7f2b-a0c5-d6794cd50d40" protocol="OIDC" pfhost="host02.test.internal.testcorp" role="AS" status="success" responsetime="17" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="TestPortal" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP" virtualserverid="https://hub-mtls.auth.example.com" - ``` - - - -=== "SRI_REVOKED" - - ``` 
- 2025-09-01 17:03:57,186 trackingid="tid:4QVg-5IEEJKY_3L7G70fbISqvZQ" transactionid="BPMc3SYoQHrXqskFsBQVe1bVR" event="SRI_REVOKED" subject="" ip="192.0.2.13" connectionid="" protocol="" pfhost="host02.test.internal.testcorp" role="IdP" status="success" responsetime="57" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP" virtualserverid="" - ``` - - - -=== "SSO" - - ``` - 2025-09-02 02:10:08,024 trackingid="tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg" transactionid="LyPg0FbetfoyVw624lDxuktdk" event="SSO" subject="testuser1" ip="192.0.2.15" connectionid="https://app01.testvendor.com/ssoagent" protocol="SAML20" pfhost="host04.test.internal.testcorp" role="IdP" status="failure" responsetime="86" assertionid="sC7AvBm1doxsGBy7ehlR1ik.4ZS" attrackingid="" attributes="SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" authenticationsourceid="" authnsessionexpiry="" connectionname="TestRegion_HRM" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="o8ere_Dij45ft_zFRmzhBt6wimN" sri="ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_" virtualserverid="https://hub-mtls.auth.example.com" - ``` - - - -=== "cookies" - - ``` - 2025-09-02 11:02:32,869 tid:Z8I1vdotGu084PB7b2HrQ0A1kKU DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{OXS-U2A=hashedValue:Z8I1vdotGu084PB7b2HrQ0A1kKU; path=/; maxAge=-1; domain=.auth-int.example.com} - ``` - - - -=== "heartbeat" - - ``` - 2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: 
https://hub-mtls.auth-int.test.internal.testcorp/pf/heartbeat.ping - ``` - - - -=== "http_access" - - ``` - 192.168.1.100 - john.doe [02/Sep/2025:13:02:34 +0000] "GET /pf/heartbeat.ping HTTP/1.1" 200 156 - ``` - - - -=== "locale" - - ``` - 2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [com.pingidentity.locale.LocaleUtil] Locale Override: none - ``` - - - -=== "tracking" - - ``` - 2025-09-02 11:02:34,352 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] The incoming request does not contain a unique identifier. Assigning auto-generated request ID: C1CjegPq3VckLYpvYlzZEGTBe - ``` - - - diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 7b2f3800ad..8c71111921 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -265,6 +265,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "groups": [], "level": "medium", + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "2971" }, @@ -371,6 +372,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"name\":\"EXAMPLE\"}" ], "level": "medium", + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "2912" }, @@ -491,6 +493,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1" } }, + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "16364" }, 
@@ -599,6 +602,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}" ], "level": "medium", + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "1343" }, @@ -690,6 +694,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "properties": { "MemberName": "DOEJ", + "PrivilegeList": "-", "SubjectDomainName": "example.com", "SubjectLogonId": "0x1234567", "SubjectUserName": "user1", @@ -714,6 +719,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"66666666-7777-8888-9999-000000000000\",\"name\":\"Postes de travail : Lot 3\"}" ], "level": "medium", + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "20528" }, @@ -850,6 +856,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"dc34f9c9-9fff-4b2c-8362-6f3b718818ff\",\"name\":\"Postes de travail\"}" ], "level": "critical", + "quarantine_label": "NO_ACTION", "status": "investigating", "threat_key": "4257" }, @@ -955,6 +962,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"dc34f9c9-9fff-4b2c-8362-6f3b718818ff\",\"name\":\"Postes de travail\"}" ], "level": "critical", + "quarantine_label": "NO_ACTION", "status": "investigating", "threat_key": "4257" }, @@ -1154,6 +1162,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "{\"id\":\"7248a5c0-096d-4680-b552-75abdbf063a9\",\"name\":\"GRP_PC_ADM_DSI\"}" ], "level": "high", + "quarantine_label": "NO_ACTION", "status": "new", "threat_key": "efb493dd-5087-4e41-8ddb-670fe3f98de8" }, 
@@ -1386,7 +1395,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"event_data\":{\"RestrictedAdminMode\":\"-\",\"SubjectUserName\":\"-\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundUserName\":\"-\",\"ElevatedToken\":\"ANONYMIZED\",\"VirtualAccount\":\"ANONYMIZED\",\"ProcessId\":\"0x0\",\"AuthenticationPackageName\":\"NTLM\",\"LogonProcessName\":\"NtLmSsp\",\"IpPort\":\"-\",\"WorkstationName\":\"WORKSTATION_NAME\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IpAddress\":\"-\",\"TargetLinkedLogonId\":\"0x0\",\"SubjectDomainName\":\"-\",\"TargetOutboundDomainName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"SubjectLogonId\":\"0x0\",\"TargetLogonId\":\"0x6accabcc3\",\"LogonType\":\"3\",\"TargetUserSid\":\"user1\",\"LmPackageName\":\"NTLM V2\",\"TargetUserName\":\"johndoe\",\"TransmittedServices\":\"-\",\"TargetDomainName\":\"EXAMPLE\",\"ProcessName\":\"-\",\"KeyLength\":\"128\"},\"groups\":[],\"type\":\"wineventlog\",\"computer_name\":\"example.local\",\"destination\":\"syslog\",\"record_number\":177355019,\"@Version\":\"1\",\"log_name\":\"Security\",\"@event_create_date\":\"2024-11-05T11:10:19.543Z\",\"level\":\"log_always\",\"timestamp\":\"2024-11-05T11:10:20.274688148Z\",\"process_id\":704,\"user_data\":{},\"log_type\":\"eventlog\",\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"user\":{\"domain\":\"\",\"identifier\":\"\",\"name\":\"\",\"type\":\"unknown\"},\"tenant\":\"ANONYMIZED\",\"thread_id\":9168,\"agent\":{\"dnsdomainname\":\"example.local\",\"osproducttype\":\"Windows Server 2022 Datacenter\",\"domain\":null,\"osversion\":\"10.0.20348\",\"ostype\":\"windows\",\"distroid\":null,\"domainname\":\"EXAMPLE\",\"additional_info\":{},\"version\":\"4.1.6\",\"hostname\":\"EXAMPLE\",\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\"},\"event_id\":4624,\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"source_name\":\"Microsoft-Windows-Security-Auditing\"}", + "message": 
"{\"event_data\":{\"RestrictedAdminMode\":\"-\",\"SubjectUserName\":\"-\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundUserName\":\"-\",\"ElevatedToken\":\"ANONYMIZED\",\"VirtualAccount\":\"ANONYMIZED\",\"ProcessId\":\"0x0\",\"AuthenticationPackageName\":\"NTLM\",\"LogonProcessName\":\"NtLmSsp\",\"IpPort\":\"-\",\"WorkstationName\":\"WORKSTATION_NAME\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IpAddress\":\"-\",\"TargetLinkedLogonId\":\"0x0\",\"SubjectDomainName\":\"-\",\"TargetOutboundDomainName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"SubjectLogonId\":\"0x0\",\"TargetLogonId\":\"0x6accabcc3\",\"LogonType\":\"3\",\"TargetUserSid\":\"00000000-0000-0000-0000-000000000000\",\"LmPackageName\":\"NTLM V2\",\"TargetUserName\":\"johndoe\",\"TransmittedServices\":\"-\",\"TargetDomainName\":\"EXAMPLE\",\"ProcessName\":\"-\",\"KeyLength\":\"128\"},\"groups\":[],\"type\":\"wineventlog\",\"computer_name\":\"example.local\",\"destination\":\"syslog\",\"record_number\":177355019,\"@Version\":\"1\",\"log_name\":\"Security\",\"@event_create_date\":\"2024-11-05T11:10:19.543Z\",\"level\":\"log_always\",\"timestamp\":\"2024-11-05T11:10:20.274688148Z\",\"process_id\":704,\"user_data\":{},\"log_type\":\"eventlog\",\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"user\":{\"domain\":\"\",\"identifier\":\"\",\"name\":\"\",\"type\":\"unknown\"},\"tenant\":\"ANONYMIZED\",\"thread_id\":9168,\"agent\":{\"dnsdomainname\":\"example.local\",\"osproducttype\":\"Windows Server 2022 Datacenter\",\"domain\":null,\"osversion\":\"10.0.20348\",\"ostype\":\"windows\",\"distroid\":null,\"domainname\":\"EXAMPLE\",\"additional_info\":{},\"version\":\"4.1.6\",\"hostname\":\"EXAMPLE\",\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\"},\"event_id\":4624,\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"source_name\":\"Microsoft-Windows-Security-Auditing\"}", "event": { "action": "authentication_network", "category": [ 
@@ -1409,19 +1418,28 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "AuthenticationPackageName": "NTLM", "ElevatedToken": "ANONYMIZED", "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp", "LogonType": "3", "ProcessId": "0x0", + "ProcessName": "-", + "RestrictedAdminMode": "-", + "SubjectDomainName": "-", "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "EXAMPLE", "TargetLinkedLogonId": "0x0", "TargetLogonId": "0x6accabcc3", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", "TargetUserName": "johndoe", - "TargetUserSid": "user1", + "TargetUserSid": "00000000-0000-0000-0000-000000000000", + "TransmittedServices": "-", "VirtualAccount": "ANONYMIZED", "WorkstationName": "WORKSTATION_NAME" } @@ -1483,7 +1501,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "S-1-0-0", "target": { "domain": "EXAMPLE", - "id": "user1", + "id": "00000000-0000-0000-0000-000000000000", "name": "johndoe" } } @@ -1838,6 +1856,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4732, "properties": { "MemberName": "DOEJ", + "PrivilegeList": "-", "SubjectDomainName": "example.com", "SubjectLogonId": "0x90288b5", "SubjectUserName": "user1", @@ -3952,6 +3971,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4728, "properties": { "MemberName": "JONE Doe", + "PrivilegeList": "-", "SubjectDomainName": "TEST", "SubjectLogonId": "0x99913777", "SubjectUserName": "testuser", 
@@ -4098,6 +4118,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 4728, "properties": { "MemberName": "JONE Doe", + "PrivilegeList": "-", "SubjectDomainName": "TEST", "SubjectLogonId": "0x99913777", "SubjectUserName": "testuser", 
@@ -4323,7 +4344,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"@event_create_date\": \"2025-12-12T12:11:21.659078Z\", \"computer_name\": \"HOSTNAME.example.internal\", \"event_data\": {\"CallingStationID\": \"1.2.3.4\", \"NASPortType\": \"Virtuel\", \"NASIPv6Address\": \"-\", \"SubjectMachineSID\": \"S-1-0-0\", \"AccountSessionIdentifier\": \"33333333333333333333333333333333\", \"FullyQualifiedSubjectMachineName\": \"-\", \"LoggingResult\": \"Les informations de suivi ont \\u00e9t\\u00e9 inscrites dans le fichier journal local.\", \"SubjectMachineName\": \"-\", \"ProxyPolicyName\": \"Utiliser l'authentification Windows pour tous les utilisateurs\", \"NASPort\": \"-\", \"CalledStationID\": \"192.168.100.254\", \"FullyQualifiedSubjectUserName\": \"EXAMPLE\\\\attack\", \"NASIPv4Address\": \"192.168.100.254\", \"SubjectUserSid\": \"S-1-0-0\", \"AuthenticationType\": \"PAP\", \"Reason\": \"L\\u2019authentification a \\u00e9chou\\u00e9 en raison d\\u2019une non-correspondance des informations d\\u2019identification de l\\u2019utilisateur. 
Le nom d\\u2019utilisateur fourni ne correspond pas \\u00e0 un compte d\\u2019utilisateur existant ou le mot de passe est incorrect.\", \"SubjectUserName\": \"attack\", \"NetworkPolicyName\": \"-\", \"ClientName\": \"REDACTED\", \"SubjectDomainName\": \"EXAMPLE\", \"NASIdentifier\": \"TEST\", \"AuthenticationServer\": \"HOSTNAME.example.internal\", \"ReasonCode\": \"16\", \"AuthenticationProvider\": \"Windows\", \"ClientIPAddress\": \"192.168.100.254\", \"EAPType\": \"-\"}, \"event_date\": \"2025-12-12T12:11:21.659078Z\", \"event_id\": 6273, \"groups\": [], \"keywords\": [\"AuditFailure\", \"ReservedKeyword63\"], \"level\": \"log_always\", \"log_name\": \"Security\", \"log_type\": \"eventlog\", \"process_id\": 760, \"provider_guid\": \"11111111-1111-1111-1111-111111111111\", \"record_number\": 45515394, \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"thread_id\": 5896, \"type\": \"wineventlog\", \"user\": {}, \"user_data\": {}, \"@timestamp\": \"2025-12-12T12:11:36.647847+00:00\", \"tenant\": \"ANONYMIZED\", \"agent\": {\"additional_info\": {}, \"agentid\": \"22222222-2222-2222-2222-222222222222\", \"dnsdomainname\": \"example.internal\", \"domainname\": \"EXAMPLE\", \"hostname\": \"HOSTNAME\", \"ipaddress\": \"5.6.7.8\", \"osproducttype\": \"Windows Server 2019 Datacenter\", \"ostype\": \"windows\", \"osversion\": \"10.0.17763\", \"producttype\": \"server\", \"version\": \"5.2.24\"}}", + "message": "{\"@event_create_date\":\"2025-12-12T12:11:21.659078Z\",\"computer_name\":\"HOSTNAME.example.internal\",\"event_data\":{\"CallingStationID\":\"1.2.3.4\",\"NASPortType\":\"Virtuel\",\"NASIPv6Address\":\"-\",\"SubjectMachineSID\":\"S-1-0-0\",\"AccountSessionIdentifier\":\"33333333333333333333333333333333\",\"FullyQualifiedSubjectMachineName\":\"-\",\"LoggingResult\":\"Les informations de suivi ont \\u00e9t\\u00e9 inscrites dans le fichier journal local.\",\"SubjectMachineName\":\"-\",\"ProxyPolicyName\":\"Utiliser l'authentification Windows pour tous les 
utilisateurs\",\"NASPort\":\"-\",\"CalledStationID\":\"192.168.100.254\",\"FullyQualifiedSubjectUserName\":\"EXAMPLE\\\\attack\",\"NASIPv4Address\":\"192.168.100.254\",\"SubjectUserSid\":\"S-1-0-0\",\"AuthenticationType\":\"PAP\",\"Reason\":\"L\\u2019authentification a \\u00e9chou\\u00e9 en raison d\\u2019une non-correspondance des informations d\\u2019identification de l\\u2019utilisateur. Le nom d\\u2019utilisateur fourni ne correspond pas \\u00e0 un compte d\\u2019utilisateur existant ou le mot de passe est incorrect.\",\"SubjectUserName\":\"user1\",\"NetworkPolicyName\":\"-\",\"ClientName\":\"REDACTED\",\"SubjectDomainName\":\"EXAMPLE\",\"NASIdentifier\":\"TEST\",\"AuthenticationServer\":\"HOSTNAME.example.internal\",\"ReasonCode\":\"16\",\"AuthenticationProvider\":\"Windows\",\"ClientIPAddress\":\"192.168.100.254\",\"EAPType\":\"-\"},\"event_date\":\"2025-12-12T12:11:21.659078Z\",\"event_id\":6273,\"groups\":[],\"keywords\":[\"AuditFailure\",\"ReservedKeyword63\"],\"level\":\"log_always\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"process_id\":760,\"provider_guid\":\"11111111-1111-1111-1111-111111111111\",\"record_number\":45515394,\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"thread_id\":5896,\"type\":\"wineventlog\",\"user\":{},\"user_data\":{},\"@timestamp\":\"2025-12-12T12:11:36.647847+00:00\",\"tenant\":\"ANONYMIZED\",\"agent\":{\"additional_info\":{},\"agentid\":\"22222222-2222-2222-2222-222222222222\",\"dnsdomainname\":\"example.internal\",\"domainname\":\"EXAMPLE\",\"hostname\":\"HOSTNAME\",\"ipaddress\":\"5.6.7.8\",\"osproducttype\":\"Windows Server 2019 Datacenter\",\"ostype\":\"windows\",\"osversion\":\"10.0.17763\",\"producttype\":\"server\",\"version\":\"5.2.24\"}}", "event": { "code": "6273", "dataset": "eventlog", 
@@ -4337,7 +4358,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": 6273, "properties": { "SubjectDomainName": "EXAMPLE", - "SubjectUserName": "attack", + "SubjectUserName": "user1", "SubjectUserSid": "S-1-0-0" } }, @@ -4376,7 +4397,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "5.6.7.8" ], "user": [ - "attack" + "user1" ] }, "source": { @@ -4385,7 +4406,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "EXAMPLE", - "name": "attack" + "name": "user1" } } 
@@ -4736,7 +4757,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"level\":\"LOG_ALWAYS\",\"@Version\":\"1\",\"@event_create_date\":\"2023-04-20T14:48:59.809Z\",\"groups\":[{\"name\":\"Group 1\",\"id\":\"954bc41c-bfae-4d24-9606-add4e1ab4280\"},{\"name\":\"Group 2\",\"id\":\"a9458e5a-fbd1-466a-8e0a-d25c2948aa61\"}],\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"log_type\":\"eventlog\",\"event_data\":{\"IpPort\":\"17780\",\"ProcessName\":\"-\",\"SubjectDomainName\":\"-\",\"TargetUserSid\":\"user1\",\"LogonProcessName\":\"Kerbe\",\"RestrictedAdminMode\":\"-\",\"LogonType\":\"3\",\"ElevatedToken\":\"ANONYMIZED\",\"TargetOutboundDomainName\":\"-\",\"SubjectUserName\":\"-\",\"AuthenticationPackageName\":\"Kerberos\",\"VirtualAccount\":\"%%1843\",\"WorkstationName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonGuid\":\"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\",\"TargetLinkedLogonId\":\"0x0\",\"SubjectLogonId\":\"0x0\",\"TransmittedServices\":\"-\",\"TargetLogonId\":\"0x6accabcc3\",\"TargetDomainName\":\"example.org\",\"TargetOutboundUserName\":\"-\",\"LmPackageName\":\"-\",\"TargetUserName\":\"john.doe$\",\"ProcessId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"KeyLength\":\"0\",\"SubjectUserSid\":\"S-1-0-0\"},\"@timestamp\":\"2023-04-20T14:49:02.914471Z\",\"thread_id\":11111,\"provider_guid\":\"4d8dc5df-a605-4c76-b699-bc72464a8114\",\"event\":{\"original\":\"{\\\"computer_name\\\":\\\"sfreort.gosis.lan\\\",\\\"event_date\\\":\\\"2023/04/20 
14:48:59.809\\\",\\\"event_id\\\":4624,\\\"keywords\\\":[\\\"AuditSuccess\\\",\\\"ReservedKeyword63\\\"],\\\"level\\\":\\\"LOG_ALWAYS\\\",\\\"log_name\\\":\\\"Security\\\",\\\"log_type\\\":\\\"eventlog\\\",\\\"type\\\":\\\"wineventlog\\\",\\\"user\\\":{\\\"domain\\\":\\\"\\\",\\\"identifier\\\":\\\"\\\",\\\"name\\\":\\\"\\\",\\\"type\\\":\\\"unknown\\\"},\\\"event_data\\\":{\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"LogonType\\\":\\\"3\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"TargetLogonId\\\":\\\"0x6accabcc3\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"SubjectDomainName\\\":\\\"-\\\",\\\"AuthenticationPackageName\\\":\\\"Kerbes\\\",\\\"WorkstationName\\\":\\\"-\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"IpAddress\\\":\\\"1.2.3.4\\\",\\\"LogonGuid\\\":\\\"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TargetUserSid\\\":\\\"S-1-5-21-11111111111-111111111111-11111111-111\\\",\\\"TargetDomainName\\\":\\\"example.org\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"IpPort\\\":\\\"17780\\\",\\\"TargetUserName\\\":\\\"john.doe$\\\",\\\"ProcessName\\\":\\\"-\\\"},\\\"process_id\\\":772,\\\"provider_guid\\\":\\\"54849625-5478-4994-a5ba-3e3b0328c30d\\\",\\\"record_number\\\":1069291078,\\\"source_name\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"thread_id\\\":29956,\\\"user_data\\\":{},\\\"groups\\\":[{\\\"id\\\":\\\"2dccd722-6db5-4727-88d2-042b0d8655c3\\\",\\\"name\\\":\\\"Group 1\\\"},{\\\"id\\\":\\\"a9458e5a-fbd1-466a-8e0a-d25c2955aa61\\\",\\\"name\\\":\\\"Group 
2\\\"}],\\\"destination\\\":\\\"sys\\\",\\\"agent\\\":{\\\"agentid\\\":\\\"ef3cd644-1867-4917-ac79-148c2ccd55d5\\\",\\\"hostname\\\":\\\"sfreart\\\",\\\"domain\\\":null,\\\"domainname\\\":\\\"EXAMPLE\\\",\\\"dnsdomainname\\\":\\\"example.org\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"10.0.14393\\\",\\\"distroid\\\":null,\\\"osproducttype\\\":\\\"Windows Server 2016 Standard\\\",\\\"version\\\":\\\"2.25.4-post0\\\",\\\"additional_info\\\":null}}\"},\"type\":\"wineventlog\",\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"tenant\":\"ANONYMIZED\",\"destination\":\"sys\",\"agent\":{\"hostname\":\"example.com\",\"osversion\":\"10.0.14393\",\"version\":\"2.25.4-post0\",\"domainname\":\"EXAMPLE\",\"distroid\":null,\"additional_info\":null,\"agentid\":\"3f17a3fe-3490-4b8f-8de4-9dcdf92c68b0\",\"osproducttype\":\"Windows Server 2016 Standard\",\"dnsdomainname\":\"example.org\",\"ostype\":\"windows\",\"domain\":null},\"log_name\":\"Security\",\"event_id\":4624,\"user\":{\"name\":\"\",\"identifier\":\"\",\"domain\":\"\",\"type\":\"unknown\"},\"user_data\":{},\"computer_name\":\"sfreort.example.org\",\"process_id\":772,\"record_number\":1069291078}", + "message": "{\"level\":\"LOG_ALWAYS\",\"@Version\":\"1\",\"@event_create_date\":\"2023-04-20T14:48:59.809Z\",\"groups\":[{\"name\":\"Group 1\",\"id\":\"954bc41c-bfae-4d24-9606-add4e1ab4280\"},{\"name\":\"Group 
2\",\"id\":\"a9458e5a-fbd1-466a-8e0a-d25c2948aa61\"}],\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"log_type\":\"eventlog\",\"event_data\":{\"IpPort\":\"17780\",\"ProcessName\":\"-\",\"SubjectDomainName\":\"-\",\"TargetUserSid\":\"00000000-0000-0000-0000-000000000000\",\"LogonProcessName\":\"Kerbe\",\"RestrictedAdminMode\":\"-\",\"LogonType\":\"3\",\"ElevatedToken\":\"ANONYMIZED\",\"TargetOutboundDomainName\":\"-\",\"SubjectUserName\":\"-\",\"AuthenticationPackageName\":\"Kerberos\",\"VirtualAccount\":\"%%1843\",\"WorkstationName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonGuid\":\"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\",\"TargetLinkedLogonId\":\"0x0\",\"SubjectLogonId\":\"0x0\",\"TransmittedServices\":\"-\",\"TargetLogonId\":\"0x6accabcc3\",\"TargetDomainName\":\"example.org\",\"TargetOutboundUserName\":\"-\",\"LmPackageName\":\"-\",\"TargetUserName\":\"john.doe$\",\"ProcessId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"KeyLength\":\"0\",\"SubjectUserSid\":\"S-1-0-0\"},\"@timestamp\":\"2023-04-20T14:49:02.914471Z\",\"thread_id\":11111,\"provider_guid\":\"4d8dc5df-a605-4c76-b699-bc72464a8114\",\"event\":{\"original\":\"{\\\"computer_name\\\":\\\"sfreort.gosis.lan\\\",\\\"event_date\\\":\\\"2023/04/20 
14:48:59.809\\\",\\\"event_id\\\":4624,\\\"keywords\\\":[\\\"AuditSuccess\\\",\\\"ReservedKeyword63\\\"],\\\"level\\\":\\\"LOG_ALWAYS\\\",\\\"log_name\\\":\\\"Security\\\",\\\"log_type\\\":\\\"eventlog\\\",\\\"type\\\":\\\"wineventlog\\\",\\\"user\\\":{\\\"domain\\\":\\\"\\\",\\\"identifier\\\":\\\"\\\",\\\"name\\\":\\\"\\\",\\\"type\\\":\\\"unknown\\\"},\\\"event_data\\\":{\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"LogonType\\\":\\\"3\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"TargetLogonId\\\":\\\"0x6accabcc3\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"SubjectDomainName\\\":\\\"-\\\",\\\"AuthenticationPackageName\\\":\\\"Kerbes\\\",\\\"WorkstationName\\\":\\\"-\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"IpAddress\\\":\\\"1.2.3.4\\\",\\\"LogonGuid\\\":\\\"{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TargetUserSid\\\":\\\"S-1-5-21-11111111111-111111111111-11111111-111\\\",\\\"TargetDomainName\\\":\\\"example.org\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"IpPort\\\":\\\"17780\\\",\\\"TargetUserName\\\":\\\"john.doe$\\\",\\\"ProcessName\\\":\\\"-\\\"},\\\"process_id\\\":772,\\\"provider_guid\\\":\\\"54849625-5478-4994-a5ba-3e3b0328c30d\\\",\\\"record_number\\\":1069291078,\\\"source_name\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"thread_id\\\":29956,\\\"user_data\\\":{},\\\"groups\\\":[{\\\"id\\\":\\\"2dccd722-6db5-4727-88d2-042b0d8655c3\\\",\\\"name\\\":\\\"Group 1\\\"},{\\\"id\\\":\\\"a9458e5a-fbd1-466a-8e0a-d25c2955aa61\\\",\\\"name\\\":\\\"Group 
2\\\"}],\\\"destination\\\":\\\"sys\\\",\\\"agent\\\":{\\\"agentid\\\":\\\"ef3cd644-1867-4917-ac79-148c2ccd55d5\\\",\\\"hostname\\\":\\\"sfreart\\\",\\\"domain\\\":null,\\\"domainname\\\":\\\"EXAMPLE\\\",\\\"dnsdomainname\\\":\\\"example.org\\\",\\\"ostype\\\":\\\"windows\\\",\\\"osversion\\\":\\\"10.0.14393\\\",\\\"distroid\\\":null,\\\"osproducttype\\\":\\\"Windows Server 2016 Standard\\\",\\\"version\\\":\\\"2.25.4-post0\\\",\\\"additional_info\\\":null}}\"},\"type\":\"wineventlog\",\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"tenant\":\"ANONYMIZED\",\"destination\":\"sys\",\"agent\":{\"hostname\":\"example.com\",\"osversion\":\"10.0.14393\",\"version\":\"2.25.4-post0\",\"domainname\":\"EXAMPLE\",\"distroid\":null,\"additional_info\":null,\"agentid\":\"3f17a3fe-3490-4b8f-8de4-9dcdf92c68b0\",\"osproducttype\":\"Windows Server 2016 Standard\",\"dnsdomainname\":\"example.org\",\"ostype\":\"windows\",\"domain\":null},\"log_name\":\"Security\",\"event_id\":4624,\"user\":{\"name\":\"\",\"identifier\":\"\",\"domain\":\"\",\"type\":\"unknown\"},\"user_data\":{},\"computer_name\":\"sfreort.example.org\",\"process_id\":772,\"record_number\":1069291078}", "event": { "action": "authentication_network", "category": [ 
@@ -4762,18 +4783,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "IpAddress": "1.2.3.4", "IpPort": "17780", "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}", "LogonProcessName": "Kerbe", "LogonType": "3", "ProcessId": "0x0", + "ProcessName": "-", + "RestrictedAdminMode": "-", + "SubjectDomainName": "-", "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "example.org", "TargetLinkedLogonId": "0x0", "TargetLogonId": "0x6accabcc3", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", "TargetUserName": "john.doe$", - "TargetUserSid": "user1", - "VirtualAccount": "%%1843" + "TargetUserSid": "00000000-0000-0000-0000-000000000000", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "-" } }, "agent": { @@ -4847,7 +4877,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "roles": "Group1,Group2", "target": { "domain": "example.org", - "id": "user1", + "id": "00000000-0000-0000-0000-000000000000", "name": "john.doe$" } } @@ -4935,15 +4965,21 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "IpAddress": "192.0.2.1", "IpPort": "0", "KeyLength": "0", + "LmPackageName": "-", "LogonProcessName": "NtLmSsp ", "LogonType": "3", "ProcessId": "0x0", + "ProcessName": "-", "Status": "0xc000006d", "SubStatus": "0xc000006a", + "SubjectDomainName": "-", "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetUserName": "ADMINISTRATOR", - "TargetUserSid": "S-1-0-0" + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "-" } }, "agent": { 
@@ -5115,6 +5151,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "properties": { "AccessList": "%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t", "AccessMask": "0x12019f", + "AccessReason": "-", "IpAddress": "10.84.128.186", "IpPort": "50846", "ObjectType": "File", diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md index aa54da9e35..a40d564287 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md @@ -1423,7 +1423,7 @@ In this section, you will find examples of raw logs as generated natively by the "SubjectLogonId": "0x0", "TargetLogonId": "0x6accabcc3", "LogonType": "3", - "TargetUserSid": "user1", + "TargetUserSid": "00000000-0000-0000-0000-000000000000", "LmPackageName": "NTLM V2", "TargetUserName": "johndoe", "TransmittedServices": "-", @@ -3765,7 +3765,7 @@ In this section, you will find examples of raw logs as generated natively by the "SubjectUserSid": "S-1-0-0", "AuthenticationType": "PAP", "Reason": "L\u2019authentification a \u00e9chou\u00e9 en raison d\u2019une non-correspondance des informations d\u2019identification de l\u2019utilisateur. Le nom d\u2019utilisateur fourni ne correspond pas \u00e0 un compte d\u2019utilisateur existant ou le mot de passe est incorrect.", - "SubjectUserName": "attack", + "SubjectUserName": "user1", "NetworkPolicyName": "-", "ClientName": "REDACTED", "SubjectDomainName": "EXAMPLE", 
@@ -4320,7 +4320,7 @@ In this section, you will find examples of raw logs as generated natively by the "IpPort": "17780", "ProcessName": "-", "SubjectDomainName": "-", - "TargetUserSid": "user1", + "TargetUserSid": "00000000-0000-0000-0000-000000000000", "LogonProcessName": "Kerbe", "RestrictedAdminMode": "-", "LogonType": "3", diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index fce59daa8c..88c75a6163 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md 
@@ -32,7 +32,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"clickIP\":\"192.0.2.1\",\"clickTime\":\"2016-06-24T19:17:44.000Z\",\"GUID\":\"b27dbea0-87d5-463b-b93c-4e8b708289ce\",\"id\":\"8c8b4895-a277-449f-r797-547e3c89b25a\",\"messageID\":\"8c6cfedd-3050-4d65-8c09-c5f65c38da81\",\"recipient\":\"bruce.wayne@pharmtech.zz\",\"sender\":\"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz\",\"senderIP\":\"192.0.2.255\",\"threatID\":\"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50\",\"threatTime\":\"2016-06-24T19:17:46.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50\",\"threatStatus\":\"active\",\"url\":\"http://badguy.zz/\",\"userAgent\":\"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0\",\"type\":\"click\",\"status\":\"permitted\"}\n", + "message": "{\"campaignId\":\"22222222-2222-2222-2222-222222222222\",\"classification\":\"MALWARE\",\"clickIP\":\"1.1.1.1\",\"clickTime\":\"2016-06-24T19:17:44.000Z\",\"GUID\":\"44444444-4444-4444-4444-444444444444\",\"id\":\"8c8b4895-a277-449f-r797-547e3c89b25a\",\"messageID\":\"11111111-1111-1111-1111-111111111111\",\"recipient\":\"bruce.wayne@pharmtech.zz\",\"sender\":\"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz\",\"senderIP\":\"2.2.2.2\",\"threatID\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"threatTime\":\"2016-06-24T19:17:46.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"threatStatus\":\"active\",\"url\":\"http://badguy.zz/\",\"userAgent\":\"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0\",\"type\":\"click\",\"status\":\"permitted\"}\n", "event": { 
"action": "permitted", "category": [ @@ -45,8 +45,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2016-06-24T19:17:44Z", "email": { - "local_id": "b27dbea0-87d5-463b-b93c-4e8b708289ce", - "message_id": "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "local_id": "44444444-4444-4444-4444-444444444444", + "message_id": "11111111-1111-1111-1111-111111111111", "sender": { "address": [ "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz" @@ -73,12 +73,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "192.0.2.255" + "2.2.2.2" ] }, "source": { - "address": "192.0.2.255", - "ip": "192.0.2.255" + "address": "2.2.2.2", + "ip": "2.2.2.2" }, "threat": { "enrichments": [ @@ -86,7 +86,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "indicator": { "first_seen": "2016-06-24T19:17:46Z", "last_seen": "2016-06-24T19:17:46Z", - "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "reference": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "type": "domain-name", "url": { "original": "http://badguy.zz/" 
@@ -125,7 +125,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"spamScore\": 0, \"phishScore\": 0, \"threatsInfoMap\": [{\"threatID\": \"dad16dd544c5794640c66b28752fb51ebe9691e6967140154df649c7c34163d3\", \"threatStatus\": \"active\", \"classification\": \"malware\", \"detectionType\": \"COMPROMISED_WEBSITE\", \"threatUrl\": \"https://threatinsight.proofpoint.com/3f680b51-880c-4f9c-b799-cade8d72933c/threat/email/dad16dd544c5794640c66b28752fb51ebe9691e6967140154df649c7c34163d3\", \"threatTime\": \"2025-04-28T04:27:24.000Z\", \"threat\": \"http://some.threat.com\", \"campaignID\": null, \"actors\": [], \"threatType\": \"url\"}], \"messageTime\": \"2025-04-23T21:05:55.000Z\", \"impostorScore\": 0.0, \"malwareScore\": 0, \"cluster\": \"example_hosted\", \"subject\": \"TPS reports!\", \"quarantineFolder\": null, \"quarantineRule\": null, \"policyRoutes\": [\"default_inbound\", \"mydomains_from_hdr\"], \"modulesRun\": [\"av\", \"dkimv\", \"spf\", \"spam\", \"dmarc\", \"pdr\", \"urldefense\"], \"messageSize\": 3002, \"headerFrom\": \"Danette \", \"headerReplyTo\": null, \"fromAddress\": [\"john.doe@example.com\"], \"ccAddresses\": [], \"replyToAddress\": [], \"toAddresses\": [\"jane.doe@example.com\"], \"xmailer\": \"WPMailSMTP/Mailer/smtp 4.3.0\", \"messageParts\": [{\"disposition\": \"inline\", \"sha256\": \"8332769f27b046b73ef2e81a8a884ffddfb25a84690bf81438aa4037c9b1c424\", \"md5\": \"4db414b9eff5f60a8da81875afc7de2f\", \"filename\": \"text.txt\", \"sandboxStatus\": null, \"oContentType\": \"text/plain\", \"contentType\": \"text/plain\"}], \"completelyRewritten\": true, \"id\": \"00e21729-63e6-4899-a165-9397a7235a63\", \"QID\": \"0987656\", \"GUID\": \"123456789\", \"sender\": \"111111111111111111111111111111111111@email.example.com\", \"recipient\": [\"jane.doe@example.com\"], \"senderIP\": \"1.2.3.4\", \"messageID\": \"<111111111111111111111111111111111111@us-west-2.amazonses.com>\", \"status\": 
\"delivered\", \"type\": \"message\"}", + "message": "{\"spamScore\": 0, \"phishScore\": 0, \"threatsInfoMap\": [{\"threatID\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"threatStatus\": \"active\", \"classification\": \"malware\", \"detectionType\": \"COMPROMISED_WEBSITE\", \"threatUrl\": \"https://threatinsight.proofpoint.com/11111111-1111-1111-1111-111111111111/threat/email/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"threatTime\": \"2025-04-28T04:27:24.000Z\", \"threat\": \"http://some.threat.com\", \"campaignID\": null, \"actors\": [], \"threatType\": \"url\"}], \"messageTime\": \"2025-04-23T21:05:55.000Z\", \"impostorScore\": 0.0, \"malwareScore\": 0, \"cluster\": \"example_hosted\", \"subject\": \"TPS reports!\", \"quarantineFolder\": null, \"quarantineRule\": null, \"policyRoutes\": [\"default_inbound\", \"mydomains_from_hdr\"], \"modulesRun\": [\"av\", \"dkimv\", \"spf\", \"spam\", \"dmarc\", \"pdr\", \"urldefense\"], \"messageSize\": 3002, \"headerFrom\": \"Danette \", \"headerReplyTo\": null, \"fromAddress\": [\"john.doe@example.com\"], \"ccAddresses\": [], \"replyToAddress\": [], \"toAddresses\": [\"jane.doe@example.com\"], \"xmailer\": \"WPMailSMTP/Mailer/smtp 4.3.0\", \"messageParts\": [{\"disposition\": \"inline\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\", \"filename\": \"text.txt\", \"sandboxStatus\": null, \"oContentType\": \"text/plain\", \"contentType\": \"text/plain\"}], \"completelyRewritten\": true, \"id\": \"22222222-2222-2222-2222-222222222222\", \"QID\": \"0987656\", \"GUID\": \"123456789\", \"sender\": \"111111111111111111111111111111111111@email.example.com\", \"recipient\": [\"jane.doe@example.com\"], \"senderIP\": \"1.1.1.1\", \"messageID\": \"<111111111111111111111111111111111111@us-west-2.amazonses.com>\", \"status\": \"delivered\", \"type\": \"message\"}", "event": { "action": "delivered", 
"category": [ @@ -142,8 +142,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "file": { "hash": { - "md5": "4db414b9eff5f60a8da81875afc7de2f", - "sha256": "8332769f27b046b73ef2e81a8a884ffddfb25a84690bf81438aa4037c9b1c424" + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, "mime_type": "text/plain", "name": "text.txt" @@ -200,6 +200,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "detection_types": [ "COMPROMISED_WEBSITE" ], + "policy_routes": [ + "default_inbound", + "mydomains_from_hdr" + ], "scores": { "impostor": 0.0, "malware": 0, @@ -211,12 +215,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "1.2.3.4" + "1.1.1.1" ] }, "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4" + "address": "1.1.1.1", + "ip": "1.1.1.1" }, "threat": { "enrichments": [ @@ -224,7 +228,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "indicator": { "first_seen": "2025-04-28T04:27:24Z", "last_seen": "2025-04-28T04:27:24Z", - "reference": "https://threatinsight.proofpoint.com/3f680b51-880c-4f9c-b799-cade8d72933c/threat/email/dad16dd544c5794640c66b28752fb51ebe9691e6967140154df649c7c34163d3", + "reference": "https://threatinsight.proofpoint.com/11111111-1111-1111-1111-111111111111/threat/email/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "type": "domain-name", "url": { "original": "http://some.threat.com" 
@@ -252,7 +256,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"GUID\":\"c26dbea0-80d5-463b-b93c-4e8b708219ce\",\"status\":\"delivered\",\"type\":\"message\",\"QID\":\"r2FNwRHF004109\",\"ccAddresses\":[\"bruce.wayne@university-of-education.zz\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":[\"badguy@evil.zz\"],\"headerCC\":\"\\\"Bruce Wayne\\\" \",\"headerFrom\":\"\\\"A. Badguy\\\" \",\"headerReplyTo\":null,\"headerTo\":\"\\\"Clark Kent\\\" ; \\\"Diana Prince\\\" \",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"20160624211145.62086.mail@evil.zz\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"008c5926ca861023c1d2a36653fd88e2\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"Invoice for Pharmtech.pdf\",\"md5\":\"5873c7d37608e0d49bcaa6f32b6c731f\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\"}],\"messageTime\":\"2016-06-24T21:18:38.000Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"replyToAddress\":null,\"sender\":\"e99d7ed5580193f36a51f597bc2c0210@evil.zz\",\"senderIP\":\"192.0.2.255\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"threat\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\",\"threatId\":\"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\",\"threatStatus\":\"active\",\"threatTime\":\"2016-06-24T21:18:38.000Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca\"},{\"campaignId\":\"46e01b8a-c899-404d-bcd9-189bb393d1a7\",\"classification\":\"MALWARE\",\"threat\":\"badsite.zz\",\"threatId\":\"3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa\",\"threatTime\":\"2016-06-24T21:18:07.000Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa\"}],\"toAddresses\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"xmailer\":\"Spambot v2.5\"}", + "message": "{\"GUID\":\"11111111-1111-1111-1111-111111111111\",\"status\":\"delivered\",\"type\":\"message\",\"QID\":\"r2FNwRHF004109\",\"ccAddresses\":[\"bruce.wayne@university-of-education.zz\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":[\"badguy@evil.zz\"],\"headerCC\":\"\\\"Bruce Wayne\\\" \",\"headerFrom\":\"\\\"A. 
Badguy\\\" \",\"headerReplyTo\":null,\"headerTo\":\"\\\"Clark Kent\\\" ; \\\"Diana Prince\\\" \",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"20160624211145.62086.mail@evil.zz\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"Invoice for Pharmtech.pdf\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"}],\"messageTime\":\"2016-06-24T21:18:38.000Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"replyToAddress\":null,\"sender\":\"e99d7ed5580193f36a51f597bc2c0210@evil.zz\",\"senderIP\":\"1.1.1.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"22222222-2222-2222-2222-222222222222\",\"classification\":\"MALWARE\",\"threat\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"threatId\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"threatStatus\":\"active\",\"threatTime\":\"2016-06-24T21:18:38.000Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"},{\"campaignId\":\"22222222-2222-2222-2222-222222222222\",\"classification\":\"MALWARE\",\"threat\":\"badsite.zz\",\"threatId\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"threatTime\":\"2016-06-24T21:18:07.000Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\"}],\"toAddresses\":[\"clark.kent@pharmtech.zz\",\"diana.prince@pharmtech.zz\"],\"xmailer\":\"Spambot v2.5\"}", "event": { "action": "delivered", "category": [ @@ -269,8 +273,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "file": { "hash": { - "md5": "008c5926ca861023c1d2a36653fd88e2", - "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, "mime_type": "text/plain", "name": "text.txt" 
@@ -279,8 +283,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "file": { "hash": { - "md5": "5873c7d37608e0d49bcaa6f32b6c731f", - "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, "mime_type": "application/pdf", "name": "Invoice for Pharmtech.pdf" @@ -297,7 +301,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "badguy@evil.zz" ] }, - "local_id": "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "local_id": "11111111-1111-1111-1111-111111111111", "message_id": "20160624211145.62086.mail@evil.zz", "sender": { "address": [ @@ -341,6 +345,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "classifications": [ "malware" ], + "policy_routes": [ + "default_inbound", + "executives" + ], "scores": { "impostor": 0, "malware": 100, @@ -352,15 +360,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "192.0.2.255" + "1.1.1.1" ] }, "rule": { "name": "module.sandbox.threat" }, "source": { - "address": "192.0.2.255", - "ip": "192.0.2.255" + "address": "1.1.1.1", + "ip": "1.1.1.1" }, "threat": { "enrichments": [ 
@@ -368,12 +376,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "indicator": { "file": { "hash": { - "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } }, "first_seen": "2016-06-24T21:18:38Z", "last_seen": "2016-06-24T21:18:38Z", - "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "reference": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "type": "file" } }, @@ -381,7 +389,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "indicator": { "first_seen": "2016-06-24T21:18:07Z", "last_seen": "2016-06-24T21:18:07Z", - "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa", + "reference": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "type": "domain-name", "url": { "original": "badsite.zz" 
@@ -431,6 +439,7 @@ The following table lists the fields that are extracted, normalized under the EC |`proofpoint.tap.modules` | `array` | The list of modules which processed the message | |`proofpoint.tap.threat.classifications` | `array` | The list of classifications of the threat | |`proofpoint.tap.threat.detection_types` | `keyword` | The list of detection types | +|`proofpoint.tap.threat.policy_routes` | `array` | The policy routes that the message matched during processing by PPS | |`proofpoint.tap.threat.scores.impostor` | `number` | The impostor score of the message | |`proofpoint.tap.threat.scores.malware` | `number` | The malware score of the message | |`proofpoint.tap.threat.scores.phish` | `number` | The phish score of the message | diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161_sample.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161_sample.md index 50f4f95844..0388c2e686 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161_sample.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161_sample.md 
@@ -9,19 +9,19 @@ In this section, you will find examples of raw logs as generated natively by the ```json { - "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "campaignId": "22222222-2222-2222-2222-222222222222", "classification": "MALWARE", - "clickIP": "192.0.2.1", + "clickIP": "1.1.1.1", "clickTime": "2016-06-24T19:17:44.000Z", - "GUID": "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "GUID": "44444444-4444-4444-4444-444444444444", "id": "8c8b4895-a277-449f-r797-547e3c89b25a", - "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "messageID": "11111111-1111-1111-1111-111111111111", "recipient": "bruce.wayne@pharmtech.zz", "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", - "senderIP": "192.0.2.255", - "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP": "2.2.2.2", + "threatID": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatTime": "2016-06-24T19:17:46.000Z", - "threatURL": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "threatURL": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatStatus": "active", "url": "http://badguy.zz/", "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", 
@@ -41,11 +41,11 @@ In this section, you will find examples of raw logs as generated natively by the "phishScore": 0, "threatsInfoMap": [ { - "threatID": "dad16dd544c5794640c66b28752fb51ebe9691e6967140154df649c7c34163d3", + "threatID": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatStatus": "active", "classification": "malware", "detectionType": "COMPROMISED_WEBSITE", - "threatUrl": "https://threatinsight.proofpoint.com/3f680b51-880c-4f9c-b799-cade8d72933c/threat/email/dad16dd544c5794640c66b28752fb51ebe9691e6967140154df649c7c34163d3", + "threatUrl": "https://threatinsight.proofpoint.com/11111111-1111-1111-1111-111111111111/threat/email/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatTime": "2025-04-28T04:27:24.000Z", "threat": "http://some.threat.com", "campaignID": null, @@ -88,8 +88,8 @@ In this section, you will find examples of raw logs as generated natively by the "messageParts": [ { "disposition": "inline", - "sha256": "8332769f27b046b73ef2e81a8a884ffddfb25a84690bf81438aa4037c9b1c424", - "md5": "4db414b9eff5f60a8da81875afc7de2f", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "md5": "68b329da9893e34099c7d8ad5cb9c940", "filename": "text.txt", "sandboxStatus": null, "oContentType": "text/plain", @@ -97,14 +97,14 @@ In this section, you will find examples of raw logs as generated natively by the } ], "completelyRewritten": true, - "id": "00e21729-63e6-4899-a165-9397a7235a63", + "id": "22222222-2222-2222-2222-222222222222", "QID": "0987656", "GUID": "123456789", "sender": "111111111111111111111111111111111111@email.example.com", "recipient": [ "jane.doe@example.com" ], - "senderIP": "1.2.3.4", + "senderIP": "1.1.1.1", "messageID": "<111111111111111111111111111111111111@us-west-2.amazonses.com>", "status": "delivered", "type": "message" 
@@ -118,7 +118,7 @@ In this section, you will find examples of raw logs as generated natively by the ```json { - "GUID": "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "GUID": "11111111-1111-1111-1111-111111111111", "status": "delivered", "type": "message", "QID": "r2FNwRHF004109", @@ -142,19 +142,19 @@ In this section, you will find examples of raw logs as generated natively by the "contentType": "text/plain", "disposition": "inline", "filename": "text.txt", - "md5": "008c5926ca861023c1d2a36653fd88e2", + "md5": "68b329da9893e34099c7d8ad5cb9c940", "oContentType": "text/plain", "sandboxStatus": "unsupported", - "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, { "contentType": "application/pdf", "disposition": "attached", "filename": "Invoice for Pharmtech.pdf", - "md5": "5873c7d37608e0d49bcaa6f32b6c731f", + "md5": "68b329da9893e34099c7d8ad5cb9c940", "oContentType": "application/pdf", "sandboxStatus": "threat", - "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } ], "messageTime": "2016-06-24T21:18:38.000Z", 
@@ -177,28 +177,28 @@ In this section, you will find examples of raw logs as generated natively by the ], "replyToAddress": null, "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz", - "senderIP": "192.0.2.255", + "senderIP": "1.1.1.1", "spamScore": 4, "subject": "Please find a totally safe invoice attached.", "threatsInfoMap": [ { - "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "campaignId": "22222222-2222-2222-2222-222222222222", "classification": "MALWARE", - "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", - "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "threat": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "threatId": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatStatus": "active", "threatTime": "2016-06-24T21:18:38.000Z", "threatType": "ATTACHMENT", - "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + "threatUrl": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" }, { - "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "campaignId": "22222222-2222-2222-2222-222222222222", "classification": "MALWARE", "threat": "badsite.zz", - "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa", + "threatId": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", "threatTime": "2016-06-24T21:18:07.000Z", "threatType": "url", - "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa" + "threatUrl": "https://threatinsight.proofpoint.com/#/33333333-3333-3333-3333-333333333333/threat/u/01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" } ], "toAddresses": [ 
diff --git a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md index 78a76c8a60..9d579ff6ff 100644 --- a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md +++ b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md @@ -44,7 +44,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T13:43:37Z", + "@timestamp": "2026-02-07T13:43:37Z", "log": { "level": "INFO" }, @@ -80,7 +80,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T13:50:57Z", + "@timestamp": "2026-02-07T13:50:57Z", "log": { "level": "INFO" }, @@ -116,7 +116,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T13:51:51Z", + "@timestamp": "2026-02-07T13:51:51Z", "log": { "level": "NOTIFY" }, @@ -152,7 +152,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T13:59:14Z", + "@timestamp": "2026-02-07T13:59:14Z", "log": { "level": "WARN" }, @@ -188,7 +188,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T13:59:22Z", + "@timestamp": "2026-02-07T13:59:22Z", "ekinops": { "oneos": { "origin": "VTY" @@ -229,7 +229,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "change" ] }, - "@timestamp": "2025-02-07T15:40:11Z", + "@timestamp": "2026-02-07T15:40:11Z", "log": { "level": "NOTIFY" }, 
@@ -262,7 +262,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "change"
 ]
 },
- "@timestamp": "2025-02-07T15:40:11Z",
+ "@timestamp": "2026-02-07T15:40:11Z",
 "log": {
 "level": "NOTIFY"
 },
@@ -295,7 +295,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-02-07T13:58:11Z",
+ "@timestamp": "2026-02-07T13:58:11Z",
 "ekinops": {
 "oneos": {
 "origin": "VTY"
@@ -336,7 +336,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-02-07T13:58:07Z",
+ "@timestamp": "2026-02-07T13:58:07Z",
 "ekinops": {
 "oneos": {
 "origin": "VTY"
@@ -377,7 +377,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "end"
 ]
 },
- "@timestamp": "2025-02-07T14:46:37Z",
+ "@timestamp": "2026-02-07T14:46:37Z",
 "ekinops": {
 "oneos": {
 "origin": "ssh"
@@ -426,7 +426,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-02-07T15:40:11Z",
+ "@timestamp": "2026-02-07T15:40:11Z",
 "log": {
 "level": "NOTIFY"
 },
@@ -455,7 +455,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-02-07T15:40:11Z",
+ "@timestamp": "2026-02-07T15:40:11Z",
 "log": {
 "level": "NOTIFY"
 },
@@ -483,7 +483,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "denied"
 ]
 },
- "@timestamp": "2025-02-07T13:50:57Z",
+ "@timestamp": "2026-02-07T13:50:57Z",
 "destination": {
 "address": "5.6.7.8",
 "ip": "5.6.7.8",
@@ -533,7 +533,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "allowed"
 ]
 },
- "@timestamp": "2025-02-07T13:50:57Z",
+ "@timestamp": "2026-02-07T13:50:57Z",
 "destination": {
 "address": "5.6.7.8",
 "ip": "5.6.7.8",
diff --git a/_shared_content/operations_center/integrations/generated/4c4f3256-c3c7-415f-9515-75261514f861.md b/_shared_content/operations_center/integrations/generated/4c4f3256-c3c7-415f-9515-75261514f861.md
index d49b868312..4819713425 100644
--- a/_shared_content/operations_center/integrations/generated/4c4f3256-c3c7-415f-9515-75261514f861.md
+++ b/_shared_content/operations_center/integrations/generated/4c4f3256-c3c7-415f-9515-75261514f861.md
@@ -39,6 +39,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "Security logs",
 "module": "akamai.waf",
+ "reason": "System Command Access",
 "type": [
 "info"
 ]
@@ -139,6 +140,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "Security logs",
 "module": "akamai.waf",
+ "reason": "Unknown Bots (Declared Bots)",
 "type": [
 "info"
 ]
@@ -214,6 +216,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "dataset": "Security logs",
 "module": "akamai.waf",
+ "reason": "Web Attackers (High Threat)",
 "type": [
 "denied"
 ]
@@ -291,6 +294,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.dataset` | `keyword` | Name of the dataset. |
 |`event.module` | `keyword` | Name of the module this data is coming from. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`http.request.id` | `keyword` | HTTP request ID. |
 |`http.request.method` | `keyword` | HTTP request method. |
 |`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md
index 1bebe67c1a..8c8c5081ea 100644
--- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md
+++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md
@@ -46,7 +46,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T18:30:13.311000Z",
+ "@timestamp": "2026-10-19T18:30:13.311000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -92,7 +92,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T18:30:17.105000Z",
+ "@timestamp": "2026-10-19T18:30:17.105000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -139,7 +139,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-10-19T18:29:00.044000Z",
+ "@timestamp": "2026-10-19T18:29:00.044000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -190,7 +190,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-10-19T14:09:54.450000Z",
+ "@timestamp": "2026-10-19T14:09:54.450000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -242,7 +242,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-10-19T19:32:12.312000Z",
+ "@timestamp": "2026-10-19T19:32:12.312000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -299,7 +299,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T16:36:37.558000Z",
+ "@timestamp": "2026-10-19T16:36:37.558000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -351,7 +351,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-11-25T22:06:10Z",
+ "@timestamp": "2026-11-25T22:06:10Z",
 "cisco": {
 "ios": {
 "event": {
@@ -451,7 +451,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-17T19:09:03.674000Z",
+ "@timestamp": "2026-10-17T19:09:03.674000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -501,7 +501,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-21T12:12:05.185000Z",
+ "@timestamp": "2026-10-21T12:12:05.185000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -557,7 +557,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-21T15:28:54.673000Z",
+ "@timestamp": "2026-10-21T15:28:54.673000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -598,7 +598,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-18T21:22:51.122000Z",
+ "@timestamp": "2026-10-18T21:22:51.122000Z",
 "cisco": {
 "ios": {
 "chaddr": "02:00:00:00:00:00",
@@ -636,7 +636,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T19:17:18.139000Z",
+ "@timestamp": "2026-10-19T19:17:18.139000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -673,7 +673,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T19:07:39.018000Z",
+ "@timestamp": "2026-10-19T19:07:39.018000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -730,7 +730,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-14T10:45:43.767000Z",
+ "@timestamp": "2026-10-14T10:45:43.767000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -783,7 +783,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-09T13:39:49.840000Z",
+ "@timestamp": "2026-10-09T13:39:49.840000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1038,7 +1038,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T19:40:06.358000Z",
+ "@timestamp": "2026-10-19T19:40:06.358000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1189,7 +1189,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-08-26T18:04:18.523000Z",
+ "@timestamp": "2026-08-26T18:04:18.523000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1234,7 +1234,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-08-26T18:04:18.523000Z",
+ "@timestamp": "2026-08-26T18:04:18.523000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1278,7 +1278,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-21T16:35:43.579000Z",
+ "@timestamp": "2026-10-21T16:35:43.579000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1425,7 +1425,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T16:48:08.954000Z",
+ "@timestamp": "2026-10-19T16:48:08.954000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1476,7 +1476,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-03T15:04:20.701000Z",
+ "@timestamp": "2026-09-03T15:04:20.701000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1516,7 +1516,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-01T23:18:56.250000Z",
+ "@timestamp": "2026-09-01T23:18:56.250000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1558,7 +1558,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-23T21:23:10.961000Z",
+ "@timestamp": "2026-09-23T21:23:10.961000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1603,7 +1603,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T17:42:33.805000Z",
+ "@timestamp": "2026-10-19T17:42:33.805000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1653,7 +1653,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T14:34:56.009000Z",
+ "@timestamp": "2026-10-19T14:34:56.009000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1703,7 +1703,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-02T09:26:39.491000Z",
+ "@timestamp": "2026-09-02T09:26:39.491000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1745,7 +1745,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-21T16:01:50.992000Z",
+ "@timestamp": "2026-10-21T16:01:50.992000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1784,7 +1784,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-21T04:38:26.102000Z",
+ "@timestamp": "2026-10-21T04:38:26.102000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1828,7 +1828,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-07T11:45:50.613000Z",
+ "@timestamp": "2026-09-07T11:45:50.613000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1868,7 +1868,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "end"
 ]
 },
- "@timestamp": "2025-10-19T19:34:54.471000Z",
+ "@timestamp": "2026-10-19T19:34:54.471000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1921,7 +1921,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "start"
 ]
 },
- "@timestamp": "2025-10-19T19:42:11.137000Z",
+ "@timestamp": "2026-10-19T19:42:11.137000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -1970,7 +1970,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "end"
 ]
 },
- "@timestamp": "2025-10-19T19:44:38.902000Z",
+ "@timestamp": "2026-10-19T19:44:38.902000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2013,7 +2013,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-19T19:42:15.674000Z",
+ "@timestamp": "2026-10-19T19:42:15.674000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2059,7 +2059,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-21T13:51:52.854000Z",
+ "@timestamp": "2026-09-21T13:51:52.854000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2104,7 +2104,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-02-21T06:59:55.692000Z",
+ "@timestamp": "2026-02-21T06:59:55.692000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2212,7 +2212,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-19T02:27:38.159000Z",
+ "@timestamp": "2026-09-19T02:27:38.159000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2268,7 +2268,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-09-19T02:32:40.312000Z",
+ "@timestamp": "2026-09-19T02:32:40.312000Z",
 "cisco": {
 "ios": {
 "event": {
@@ -2313,7 +2313,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2025-10-14T00:38:17.216000Z",
+ "@timestamp": "2026-10-14T00:38:17.216000Z",
 "cisco": {
 "ios": {
 "event": {
diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md
index 70be6487ac..ce1a872739 100644
--- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md
+++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md
@@ -38,12 +38,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "intrusion_detection"
 ],
 "kind": "alert",
- "start": "2025-01-20T18:53:00Z",
+ "start": "2026-01-20T18:53:00Z",
 "type": [
 "info"
 ]
 },
- "@timestamp": "2025-01-20T18:53:00Z",
+ "@timestamp": "2026-01-20T18:53:00Z",
 "cloud": {
 "account": {
 "name": "Example account"
@@ -85,14 +85,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "intrusion_detection"
 ],
 "duration": 495000000000,
- "end": "2025-09-06T08:09:00Z",
+ "end": "2026-09-06T08:09:00Z",
 "kind": "alert",
- "start": "2025-09-06T08:01:00Z",
+ "start": "2026-09-06T08:01:00Z",
 "type": [
 "info"
 ]
 },
- "@timestamp": "2025-09-06T08:01:00Z",
+ "@timestamp": "2026-09-06T08:01:00Z",
 "cloud": {
 "account": {
 "name": "Account name"
diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md
index 7737413227..59a8561546 100644
--- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md
+++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md
@@ -24,10 +24,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"ACCOUNT SCORING\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\
":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", + "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https://example.com/\",\"category\":\"ACCOUNT SCORING\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@compan
y.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", "event": { "action": "ACCOUNT SCORING", - "url": "https:/198.51.100.94/accounts/522" + "url": "https://example.com/" }, "observer": { "ip": "198.51.100.94", 
@@ -177,10 +177,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"114285\", \"account_id\": 123456, \"headend_addr\": \"1.2.3.4\", \"account_uid\": \"test@test.local\", \"threat\": 33, \"certainty\": 37, \"quadrant\": \"low\", \"score_decreases\": true, \"privilege\": 1, \"href\": \"https://1.2.3.4/accounts/123456\", \"category\": \"ACCOUNT SCORING\", \"tags\": [], \"host_access_history\": [{\"id\": 4643650, \"name\": \"pp2400248.test.local\", \"privilege\": 8, \"privilegeCategory\": \"High\", \"lastSeen\": \"2025-02-20T15:53:14+00:00\"}, {\"id\": 1254083, \"name\": \"SV55555 - C - PROD - ADFS\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:32:48+00:00\"}], \"service_access_history\": [{\"id\": 92576826, \"uid\": \"rpc/sv00000.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:14+00:00\"}, {\"id\": 30587336, \"uid\": \"cifs/sv11111.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:11+00:00\"}, {\"id\": 21, \"uid\": \"cifs/sv55555.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:09+00:00\"}, {\"id\": 30586482, \"uid\": \"ldap/sv11111.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:05+00:00\"}, {\"id\": 92579338, \"uid\": \"cifs/sv55555.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:52:38+00:00\"}, {\"id\": 770251, \"uid\": \"sv00000$@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T08:02:57+00:00\"}, {\"id\": 4, \"uid\": \"krbtgt/test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T05:29:33+00:00\"}, {\"id\": 11, \"uid\": \"http/sv55555.test.local@test.local\", \"privilege\": 
null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:33:06+00:00\"}, {\"id\": 10043, \"uid\": \"cifs/sv00000.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:32:59+00:00\"}, {\"id\": 59846485, \"uid\": \"host/sv55555.test.local@test.local\", \"privilege\": 9, \"privilegeCategory\": \"High\", \"lastSeen\": \"2025-02-19T06:32:48+00:00\"}], \"last_detection_type\": \"Privilege Anomaly: Unusual Trio\", \"vectra_timestamp\": \"1740568831\"}", + "message": "-: {\"version\": \"114285\", \"account_id\": 123456, \"headend_addr\": \"1.2.3.4\", \"account_uid\": \"test@test.local\", \"threat\": 33, \"certainty\": 37, \"quadrant\": \"low\", \"score_decreases\": true, \"privilege\": 1, \"href\": \"https://example.com/\", \"category\": \"ACCOUNT SCORING\", \"tags\": [], \"host_access_history\": [{\"id\": 4643650, \"name\": \"pp2400248.test.local\", \"privilege\": 8, \"privilegeCategory\": \"High\", \"lastSeen\": \"2025-02-20T15:53:14+00:00\"}, {\"id\": 1254083, \"name\": \"SV55555 - C - PROD - ADFS\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:32:48+00:00\"}], \"service_access_history\": [{\"id\": 92576826, \"uid\": \"rpc/sv00000.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:14+00:00\"}, {\"id\": 30587336, \"uid\": \"cifs/sv11111.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:11+00:00\"}, {\"id\": 21, \"uid\": \"cifs/sv55555.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:09+00:00\"}, {\"id\": 30586482, \"uid\": \"ldap/sv11111.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T15:53:05+00:00\"}, {\"id\": 92579338, \"uid\": \"cifs/sv55555.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": 
\"2025-02-20T15:52:38+00:00\"}, {\"id\": 770251, \"uid\": \"sv00000$@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T08:02:57+00:00\"}, {\"id\": 4, \"uid\": \"krbtgt/test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-20T05:29:33+00:00\"}, {\"id\": 11, \"uid\": \"http/sv55555.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:33:06+00:00\"}, {\"id\": 10043, \"uid\": \"cifs/sv00000.test.local@test.local\", \"privilege\": null, \"privilegeCategory\": null, \"lastSeen\": \"2025-02-19T06:32:59+00:00\"}, {\"id\": 59846485, \"uid\": \"host/sv55555.test.local@test.local\", \"privilege\": 9, \"privilegeCategory\": \"High\", \"lastSeen\": \"2025-02-19T06:32:48+00:00\"}], \"last_detection_type\": \"Privilege Anomaly: Unusual Trio\", \"vectra_timestamp\": \"1740568831\"}", "event": { "action": "ACCOUNT SCORING", - "url": "https://1.2.3.4/accounts/123456" + "url": "https://example.com/" }, "observer": { "ip": "1.2.3.4", 
@@ -338,34 +338,32 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 
 ```json
 {
- "message": "-: {\"src_name\": \"IP-255.255.255.1\", \"src_ip\": \"255.255.255.1\", \"src_hid\": 11111, \"dest_name\": \"push.services.mozilla.com\", \"dest_ip\": \"255.255.255.2\", \"dest_id\": \"external\", \"timestamp\": 1111111222.0, \"campaign_name\": \"push.services.mozilla.com-13\", \"campaign_id\": 222, \"campaign_link\": \"https://255.255.255.3/campaigns/222\", \"action\": \"ADD\", \"reason\": \"Connection\", \"version\": \"6.8\", \"headend_addr\": \"255.255.255.3\", \"dvchost\": \"255.255.255.3\", \"vectra_timestamp\": \"1111111111\"}",
+ "message": "-: {\"src_name\": \"IP-192.0.2.1\", \"src_ip\": \"192.0.2.1\", \"src_hid\": 11111, \"dest_name\": \"push.services.mozilla.com\", \"dest_ip\": \"192.0.2.1\", \"dest_id\": \"external\", \"timestamp\": 1111111222.0, \"campaign_name\": \"push.services.mozilla.com-13\", \"campaign_id\": 222, \"campaign_link\": \"https://192.0.2.1/campaigns/222\", \"action\": \"ADD\", \"reason\": \"Connection\", \"version\": \"6.8\", \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"vectra_timestamp\": \"1111111111\"}",
 "action": {
 "name": "ADD"
 },
 "destination": {
- "address": "255.255.255.2",
- "ip": "255.255.255.2"
+ "address": "192.0.2.1",
+ "ip": "192.0.2.1"
 },
 "observer": {
- "ip": "255.255.255.3",
- "name": "255.255.255.3",
+ "ip": "192.0.2.1",
+ "name": "192.0.2.1",
 "version": "6.8"
 },
 "related": {
 "ip": [
- "255.255.255.1",
- "255.255.255.2",
- "255.255.255.3"
+ "192.0.2.1"
 ]
 },
 "source": {
- "address": "255.255.255.1",
- "ip": "255.255.255.1"
+ "address": "192.0.2.1",
+ "ip": "192.0.2.1"
 },
 "vectra": {
 "campaign": {
 "id": 222,
- "link": "https://255.255.255.3/campaigns/222",
+ "link": "https://192.0.2.1/campaigns/222",
 "name": "push.services.mozilla.com-13"
 },
 "destination": {
@@ -377,7 +375,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "source": {
 "hid": 11111,
- "name": "IP-255.255.255.1"
+ "name": "IP-192.0.2.1"
 },
 "timestamp": 1111111111
 }
@@ -391,24 +389,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 
 ```json
 {
- "message": "-: {\"version\": \"6.12\", \"detection_id\": 13281, \"category\": \"COMMAND & CONTROL\", \"severity\": 6.0, \"threat\": 60, \"certainty\": 72, \"d_type\": \"hidden_http_tunnel_cnc\", \"d_type_vname\": \"Hidden HTTP Tunnel\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://198.51.100.94/detections/13281?detail_id=94738\", \"dd_dst_ip\": \"198.51.100.1\", \"dd_dst_port\": 8002, \"dd_dst_dns\": \"mirror.centos.org\", \"dd_bytes_sent\": 1476677, \"dd_bytes_rcvd\": 8269214038, \"host_name\": \"IP-198.51.100.14\", \"host_ip\": \"198.51.100.14\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1633516306\"}",
+ "message": "-: {\"version\": \"6.12\", \"detection_id\": 13281, \"category\": \"COMMAND & CONTROL\", \"severity\": 6.0, \"threat\": 60, \"certainty\": 72, \"d_type\": \"hidden_http_tunnel_cnc\", \"d_type_vname\": \"Hidden HTTP Tunnel\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"198.51.100.1\", \"dd_dst_port\": 8002, \"dd_dst_dns\": \"example.com\", \"dd_bytes_sent\": 1476677, \"dd_bytes_rcvd\": 8269214038, \"host_name\": \"example.com\", \"host_ip\": \"198.51.100.14\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1633516306\"}",
 "event": {
 "action": "COMMAND & CONTROL",
- "url": "https://198.51.100.94/detections/13281?detail_id=94738"
+ "url": "https://example.com/"
 },
 "destination": {
- "address": "mirror.centos.org",
+ "address": "example.com",
 "bytes": 8269214038,
- "domain": "mirror.centos.org",
+ "domain": "example.com",
 "ip": "198.51.100.1",
 "port": 8002,
- "registered_domain": "centos.org",
- "subdomain": "mirror",
- "top_level_domain": "org"
+ "registered_domain": "example.com",
+ "top_level_domain": "com"
 },
 "host": {
 "ip": "198.51.100.14",
- "name": "IP-198.51.100.14"
+ "name": "example.com"
 },
 "network": {
 "protocol": "tcp"
@@ -420,7 +417,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "hosts": [
- "mirror.centos.org"
+ "example.com"
 ],
 "ip": [
 "198.51.100.1",
@@ -477,10 +474,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "- :{\"type\":\"some-type\",\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"HOST_LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\"
:4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", + "message": "- :{\"type\":\"some-type\",\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https://example.com/\",\"category\":\"HOST_LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":421
4403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", "event": { "action": "some-type", - "url": "https:/198.51.100.94/accounts/522" + "url": "https://example.com/" }, "observer": { "ip": "198.51.100.94", 
@@ -504,15 +501,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.12\", \"host_id\": 27617, \"headend_addr\": \"198.51.100.94\", \"host_name\": \"IP-198.51.100.14\", \"dvchost\": \"198.51.100.94\", \"host_ip\": \"198.51.100.14\", \"threat\": 22, \"certainty\": 31, \"privilege\": 0, \"score_decreases\": false, \"href\": \"https://198.51.100.94/hosts/27617\", \"host_roles\": \"\", \"src_key_asset\": false, \"dst_key_asset\": false, \"category\": \"HOST SCORING\", \"sensor\": \"E123456789123456\", \"detection_profile\": {\"name\": \"saas\", \"vname\": \"Cloud Services\", \"scoringDetections\": [\"Hidden HTTP Tunnel (C&C)\"]}, \"host_groups\": [], \"tags\": [], \"account_access_history\": [], \"service_access_history\": [], \"mac_address\": null, \"mac_vendor\": null, \"last_detection_type\": \"Hidden HTTP Tunnel\", \"vectra_timestamp\": \"1633690973\"}", + "message": "-: {\"version\": \"6.12\", \"host_id\": 27617, \"headend_addr\": \"198.51.100.94\", \"host_name\": \"example.com\", \"dvchost\": \"198.51.100.94\", \"host_ip\": \"198.51.100.14\", \"threat\": 22, \"certainty\": 31, \"privilege\": 0, \"score_decreases\": false, \"href\": \"https://example.com/\", \"host_roles\": \"\", \"src_key_asset\": false, \"dst_key_asset\": false, \"category\": \"HOST SCORING\", \"sensor\": \"E123456789123456\", \"detection_profile\": {\"name\": \"saas\", \"vname\": \"Cloud Services\", \"scoringDetections\": [\"Hidden HTTP Tunnel (C&C)\"]}, \"host_groups\": [], \"tags\": [], \"account_access_history\": [], \"service_access_history\": [], \"mac_address\": null, \"mac_vendor\": null, \"last_detection_type\": \"Hidden HTTP Tunnel\", \"vectra_timestamp\": \"1633690973\"}", "event": { "action": "HOST SCORING", - "url": "https://198.51.100.94/hosts/27617" + "url": "https://example.com/" }, "host": { "id": "27617", "ip": "198.51.100.14", - "name": "IP-198.51.100.14" + "name": "example.com" }, "observer": { 
"ip": "198.51.100.94", @@ -569,10 +566,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"category\": \"INFO\", \"certainty\": 0, \"d_type\": \"si_new_host\", \"d_type_vname\": \"New Host\", \"dd_bytes_rcvd\": null, \"dd_bytes_sent\": null, \"dd_dst_dns\": \"\", \"dd_dst_ip\": \"0.0.0.0\", \"dd_dst_port\": 80, \"dd_proto\": \"\", \"detection_id\": 9999, \"dvchost\": \"255.255.255.1\", \"headend_addr\": \"255.255.255.1\", \"host_ip\": \"10.0.0.1\", \"host_name\": \"plop-99\", \"href\": \"https://255.255.255.1/detections/9999?detail_id=11111\", \"severity\": 0, \"threat\": 0, \"triaged\": false, \"vectra_timestamp\": \"1099999999\", \"version\": \"6.7\"}", + "message": "-: {\"category\": \"INFO\", \"certainty\": 0, \"d_type\": \"si_new_host\", \"d_type_vname\": \"New Host\", \"dd_bytes_rcvd\": null, \"dd_bytes_sent\": null, \"dd_dst_dns\": \"\", \"dd_dst_ip\": \"0.0.0.0\", \"dd_dst_port\": 80, \"dd_proto\": \"\", \"detection_id\": 9999, \"dvchost\": \"192.0.2.1\", \"headend_addr\": \"192.0.2.1\", \"host_ip\": \"10.0.0.1\", \"host_name\": \"example.com\", \"href\": \"https://example.com/\", \"severity\": 0, \"threat\": 0, \"triaged\": false, \"vectra_timestamp\": \"1099999999\", \"version\": \"6.7\"}", "event": { "action": "INFO", - "url": "https://255.255.255.1/detections/9999?detail_id=11111" + "url": "https://example.com/" }, "destination": { "address": "0.0.0.0", @@ -581,18 +578,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "10.0.0.1", - "name": "plop-99" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.7" }, "related": { "ip": [ "0.0.0.0", "10.0.0.1", - "255.255.255.1" + "192.0.2.1" ] }, "vectra": { 
@@ -617,10 +614,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"accounts\": \"user@company.net\", \"shares\": \"\", \"reason\": \"MORE_PROCESSING_REQUIRED\", \"count\": 295, \"version\": \"6.12\", \"detection_id\": 13295, \"category\": \"LATERAL MOVEMENT\", \"severity\": 2.0, \"threat\": 20, \"certainty\": 74, \"d_type\": \"smb_brute_force\", \"d_type_vname\": \"SMB Brute-Force\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://198.51.100.94/detections/13295?detail_id=94908\", \"dd_dst_ip\": \"198.51.100.38\", \"dd_dst_port\": 445, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"hostname\", \"host_ip\": \"198.51.100.155\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1633681756\"}", + "message": "-: {\"accounts\": \"user@company.net\", \"shares\": \"\", \"reason\": \"MORE_PROCESSING_REQUIRED\", \"count\": 295, \"version\": \"6.12\", \"detection_id\": 13295, \"category\": \"LATERAL MOVEMENT\", \"severity\": 2.0, \"threat\": 20, \"certainty\": 74, \"d_type\": \"smb_brute_force\", \"d_type_vname\": \"SMB Brute-Force\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"198.51.100.38\", \"dd_dst_port\": 445, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"hostname\", \"host_ip\": \"198.51.100.155\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1633681756\"}", "event": { "action": "LATERAL MOVEMENT", - "url": "https://198.51.100.94/detections/13295?detail_id=94908" + "url": "https://example.com/" }, "destination": { "address": "198.51.100.38", 
@@ -668,10 +665,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"M
edium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", + "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https://example.com/\",\"category\":\"LOCKDOWN\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"
privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}", "event": { "action": "LOCKDOWN", - "url": "https:/198.51.100.94/accounts/522" + "url": "https://example.com/" }, "observer": { "ip": "198.51.100.94", 
@@ -698,32 +695,26 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029813\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721184242\"}", + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvcexample.com\": \"1.2.3.4\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", 
\"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"example.com_name\": \"example.com\", \"example.com_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721184242\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://1.2.3.4/detections/85003?detail_id=2029813" + "url": "https://example.com/" }, "destination": { "address": "5.6.7.8", "ip": "5.6.7.8", "port": 0 }, - "host": { - "ip": "3.4.5.6", - "name": "host" - }, "network": { "protocol": "tcp" }, "observer": { "ip": "1.2.3.4", - "name": "1.2.3.4", "version": "8.5" }, "related": { "ip": [ "1.2.3.4", - "3.4.5.6", "5.6.7.8" ] }, 
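Review bot: The anonymization in this hunk has rewritten JSON key names rather than only values: the new `message` carries `\"dvcexample.com\"`, `\"example.com_name\"` and `\"example.com_ip\"` where the old line had `dvchost`, `host_name` and `host_ip`, so the sample input no longer uses the field names the parser reads and the documented output consequently loses the `host` object, `observer.name` and `3.4.5.6` in `related.ip` — the dropped output lines reflect a broken input, not parser behaviour. The `host` → `example.com` substitution should apply to the hostname value only, i.e. `\"dvchost\": \"1.2.3.4\"`, `\"host_name\": \"example.com\"`, `\"host_ip\": \"3.4.5.6\"`, after which the removed `host`, `observer.name` and `related.ip` lines should be restored with the name replaced. The next hunk (`@@ -752,32 +743,26 @@`) has the identical defect. The `1.2.3.4`, `3.4.5.6` and `5.6.7.8` addresses are also left as routable public addresses while the other samples in this file were moved to the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, which looks like the same scripted replacement stopping short and may be worth aligning.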
@@ -752,32 +743,26 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029784\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721183706\"}", + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvcexample.com\": \"1.2.3.4\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", 
\"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"example.com_name\": \"example.com\", \"example.com_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721183706\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://1.2.3.4/detections/85003?detail_id=2029784" + "url": "https://example.com/" }, "destination": { "address": "5.6.7.8", "ip": "5.6.7.8", "port": 0 }, - "host": { - "ip": "3.4.5.6", - "name": "host" - }, "network": { "protocol": "tcp" }, "observer": { "ip": "1.2.3.4", - "name": "1.2.3.4", "version": "8.5" }, "related": { "ip": [ "1.2.3.4", - "3.4.5.6", "5.6.7.8" ] }, 
@@ -806,10 +791,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Targeted Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Targeted Recon\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -818,18 +803,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -854,10 +839,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Desktop\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Desktop\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -866,18 +851,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -902,10 +887,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Execution\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Remote Execution\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -914,18 +899,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -950,10 +935,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Internal Stage Loader\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Internal Stage Loader\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -962,18 +947,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -998,10 +983,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious LDAP Query\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious LDAP Query\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1010,18 +995,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1046,10 +1031,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Recon\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1058,18 +1043,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1094,10 +1079,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RDP Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RDP Recon\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1106,18 +1091,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1142,10 +1127,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port Sweep\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port Sweep\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1154,18 +1139,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1190,10 +1175,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port Scan\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Port Scan\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1202,18 +1187,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1238,10 +1223,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"File Share Enumeration\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"File Share Enumeration\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1250,18 +1235,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1286,10 +1271,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"External Remote Access\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"External Remote Access\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1298,18 +1283,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1334,10 +1319,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Cryptocurrency Mining\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Cryptocurrency Mining\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1346,18 +1331,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1382,10 +1367,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden DNS Tunnel\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden DNS Tunnel\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1394,18 +1379,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1430,10 +1415,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"TOR Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"TOR Activity\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1442,18 +1427,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1478,10 +1463,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden HTTPS Tunnel\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Hidden HTTPS Tunnel\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1490,18 +1475,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1526,10 +1511,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Threat Intelligence Match\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Threat Intelligence Match\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1538,18 +1523,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1574,10 +1559,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious HTTP\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious HTTP\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1586,18 +1571,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1622,10 +1607,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Relay\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Relay\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1634,18 +1619,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1670,10 +1655,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Dos\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Dos\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1682,18 +1667,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1718,10 +1703,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Port Sweep\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Outbound Port Sweep\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1730,18 +1715,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1766,10 +1751,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Brute-Force\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Brute-Force\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1778,18 +1763,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1814,10 +1799,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Ransomware File Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Ransomware File Activity\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1826,18 +1811,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1862,10 +1847,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Shell Knocker Client\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Shell Knocker Client\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1874,18 +1859,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1910,10 +1895,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"SQL Injection Activity\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"SQL Injection Activity\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1922,18 +1907,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -1958,10 +1943,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Admin\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", + "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"Suspicious Admin\", \"triaged\": false, \"headend_addr\": \"192.0.2.1\", \"dvchost\": \"192.0.2.1\", \"href\": \"https://example.com/\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"example.com\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}", "event": { "action": "RECONNAISSANCE", - "url": "https://255.255.255.1/detections/1900?detail_id=66777" + "url": "https://example.com/" }, "destination": { "address": "10.43.0.81", @@ -1970,18 +1955,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "host": { "ip": "192.168.71.1", - "name": "IP-192.168.71.1" + "name": "example.com" }, "observer": { - "ip": "255.255.255.1", - "name": "255.255.255.1", + "ip": "192.0.2.1", + "name": "192.0.2.1", "version": "6.8" }, "related": { "ip": [ "10.43.0.81", - "192.168.71.1", - "255.255.255.1" + "192.0.2.1", + "192.168.71.1" ] }, "vectra": { 
@@ -2006,20 +1991,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Alban\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"EXFILTRATION\\\",\\\"Detection Type\\\":\\\"Smash and Grab\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"dmz.example.org\\\",\\\"label\\\":\\\"dmz.example.org\\\"},{\\\"value\\\":\\\"app.sekoia.io\\\",\\\"label\\\":\\\"app.sekoia.io\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":137,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"192.0.2.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Alban\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"EXFILTRATION\\\",\\\"Detection Type\\\":\\\"Smash and Grab\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination 
Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"dmz.example.org\\\",\\\"label\\\":\\\"dmz.example.org\\\"},{\\\"value\\\":\\\"app.sekoia.io\\\",\\\"label\\\":\\\"app.sekoia.io\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":137,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", "event": { "outcome": "success", "reason": "create triage filter" }, "observer": { - "ip": "1.2.3.1", + "ip": "192.0.2.1", "name": "1.2.3.254", "version": "7.6" }, "related": { "ip": [ - "1.2.3.1", - "1.2.3.4" + "1.2.3.4", + "192.0.2.1" ], "user": [ "admin" 
@@ -2058,20 +2043,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Proxy\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"COMMAND & CONTROL\\\",\\\"Detection Type\\\":\\\"Hidden HTTPS Tunnel\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"C&CA Server Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"sedb.example.org\\\",\\\"label\\\":\\\"sedb.example.org\\\"}],\\\"groups\\\":[]}},{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination Port\\\",\\\"field\\\":\\\"remote1_port\\\",\\\"values\\\":[{\\\"value\\\":\\\"443\\\",\\\"label\\\":\\\"443\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":136,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"192.0.2.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"create triage filter {\\\"Type\\\":\\\"Proxy\\\",\\\"enabled\\\":true,\\\"context\\\":{\\\"host_match_count\\\":1,\\\"critical_host_count\\\":0},\\\"Detection Category\\\":\\\"COMMAND & CONTROL\\\",\\\"Detection Type\\\":\\\"Hidden HTTPS 
Tunnel\\\",\\\"sourceConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Host\\\",\\\"field\\\":\\\"host\\\",\\\"values\\\":[{\\\"value\\\":8389,\\\"label\\\":\\\"SOC\\\"}],\\\"groups\\\":[]}}]}]},\\\"additionalConditions\\\":{\\\"OR\\\":[{\\\"AND\\\":[{\\\"ANY_OF\\\":{\\\"label\\\":\\\"C&CA Server Domain\\\",\\\"field\\\":\\\"remote1_dns\\\",\\\"values\\\":[{\\\"value\\\":\\\"sedb.example.org\\\",\\\"label\\\":\\\"sedb.example.org\\\"}],\\\"groups\\\":[]}},{\\\"ANY_OF\\\":{\\\"label\\\":\\\"Destination Port\\\",\\\"field\\\":\\\"remote1_port\\\",\\\"values\\\":[{\\\"value\\\":\\\"443\\\",\\\"label\\\":\\\"443\\\"}],\\\"groups\\\":[]}}]}]},\\\"ID\\\":136,\\\"Hosts\\\":[\\\"SOC\\\"]}\",\"vectra_timestamp\":\"1683633677\"}", "event": { "outcome": "success", "reason": "create triage filter" }, "observer": { - "ip": "1.2.3.1", + "ip": "192.0.2.1", "name": "1.2.3.254", "version": "7.6" }, "related": { "ip": [ - "1.2.3.1", - "1.2.3.4" + "1.2.3.4", + "192.0.2.1" ], "user": [ "admin" 
@@ -2110,20 +2095,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"1.2.3.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"edit triage filter \\\"Alban\\\" - id 11 Smash and Gab - context changed from \\\"{'host_match_count': 1, 'critical_host_count': 0}\\\" to \\\"{'host_match_count': 2, 'critical_host_count': 0}\\\"\",\"vectra_timestamp\":\"1683633677\"}", + "message": ":- {\"user\":\"admin\",\"role\":\"Super Admin\",\"source_ip\":\"1.2.3.4\",\"headend_addr\":\"192.0.2.1\",\"dvchost\":\"1.2.3.254\",\"version\":\"7.6\",\"result\":\"success\",\"message\":\"edit triage filter \\\"Alban\\\" - id 11 Smash and Gab - context changed from \\\"{'host_match_count': 1, 'critical_host_count': 0}\\\" to \\\"{'host_match_count': 2, 'critical_host_count': 0}\\\"\",\"vectra_timestamp\":\"1683633677\"}", "event": { "outcome": "success", "reason": "edit triage filter" }, "observer": { - "ip": "1.2.3.1", + "ip": "192.0.2.1", "name": "1.2.3.254", "version": "7.6" }, "related": { "ip": [ - "1.2.3.1", - "1.2.3.4" + "1.2.3.4", + "192.0.2.1" ], "user": [ "admin" 
@@ -2159,6 +2144,63 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "vectra_threat5.json" + + ```json + + { + "message": "{\"Start\":\"2025-12-09T12:54:37\",\"dd_dst_dns\":\"\",\"dd_proto\":\"tcp\",\"dd_dst_ip\":\"192.168.1.105\",\"dvchost\":\"10.0.12.1\",\"vectra_timestamp\":\"1765289659\",\"href\":\"https://example.com/\",\"detection_id\":14419,\"d_type\":\"smash_n_grab\",\"dd_bytes_rcvd\":0,\"triaged\":false,\"severity\":6.0,\"host_ip\":\"3.4.5.6\",\"certainty\":10,\"version\":\"9.6\",\"proxied_dst\":\"1.2.3.4\",\"headend_addr\":\"10.0.12.1\",\"dd_dst_port\":3129,\"dd_bytes_sent\":11356538,\"End\":\"2025-12-09T14:12:36\",\"mitre\":[\"T1020\",\"T1002\",\"T1022\",\"T1030\",\"T1048\",\"T1029\"],\"threat\":60,\"category\":\"EXFILTRATION\",\"d_type_vname\":\"Smash and Grab\",\"host_name\":\"example.com\"}", + "event": { + "action": "EXFILTRATION", + "url": "https://example.com/" + }, + "destination": { + "address": "192.168.1.105", + "ip": "192.168.1.105", + "port": 3129 + }, + "host": { + "ip": "3.4.5.6", + "name": "example.com" + }, + "network": { + "protocol": "tcp" + }, + "observer": { + "ip": "10.0.12.1", + "name": "10.0.12.1", + "version": "9.6" + }, + "related": { + "ip": [ + "10.0.12.1", + "192.168.1.105", + "3.4.5.6" + ] + }, + "source": { + "bytes": 11356538 + }, + "vectra": { + "certainty": 10, + "destination": { + "proxied": "1.2.3.4" + }, + "detection": { + "id": 14419, + "name": "Smash and Grab", + "type": "smash_n_grab" + }, + "risk_score_norm": 60, + "severity": 6.0, + "timestamp": 1765289659, + "triaged": false + } + } + + ``` + + 
@@ -2199,6 +2241,7 @@ The following table lists the fields that are extracted, normalized under the EC |`vectra.destination.id` | `keyword` | The destination of the campaign. Defaults to 'external' | |`vectra.destination.key_asset` | `bool` | Whether there is a detection that is targeting this host and this host is a key asset. | |`vectra.destination.name` | `keyword` | The external domain of the campaign destination | +|`vectra.destination.proxied` | `ip` | The proxied destination | |`vectra.detection.account` | `keyword` | The related user account. | |`vectra.detection.accounts` | `keyword` | The related accounts. | |`vectra.detection.base_object` | `keyword` | The base distinguished name. | diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md index 64fc16c9df..e4d0efffc7 100644 --- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md 
@@ -6,39 +6,44 @@ In this section, you will find examples of raw logs as generated natively by the === "vectra_account_scoring" - ``` - - :{"version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https:/198.51.100.94/accounts/522","category":"ACCOUNT SCORING","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-0
9-30T07:20:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - Insider","vectra_timestamp":"1633338457"} + + ```json + - :{"version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https://example.com/","category":"ACCOUNT SCORING","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20
:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - Insider","vectra_timestamp":"1633338457"} ``` === "vectra_account_scoring_1" - ``` - -: {"version": "114285", "account_id": 123456, "headend_addr": "1.2.3.4", "account_uid": "test@test.local", "threat": 33, "certainty": 37, "quadrant": "low", "score_decreases": true, "privilege": 1, "href": "https://1.2.3.4/accounts/123456", "category": "ACCOUNT SCORING", "tags": [], "host_access_history": [{"id": 4643650, "name": "pp2400248.test.local", "privilege": 8, "privilegeCategory": "High", "lastSeen": "2025-02-20T15:53:14+00:00"}, {"id": 1254083, "name": "SV55555 - C - PROD - ADFS", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:32:48+00:00"}], "service_access_history": [{"id": 92576826, "uid": "rpc/sv00000.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:14+00:00"}, {"id": 30587336, "uid": "cifs/sv11111.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:11+00:00"}, {"id": 21, "uid": "cifs/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:09+00:00"}, {"id": 30586482, "uid": "ldap/sv11111.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:05+00:00"}, {"id": 92579338, "uid": "cifs/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:52:38+00:00"}, {"id": 770251, "uid": "sv00000$@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T08:02:57+00:00"}, {"id": 4, "uid": "krbtgt/test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T05:29:33+00:00"}, {"id": 11, "uid": "http/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:33:06+00:00"}, {"id": 10043, "uid": "cifs/sv00000.test.local@test.local", "privilege": 
null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:32:59+00:00"}, {"id": 59846485, "uid": "host/sv55555.test.local@test.local", "privilege": 9, "privilegeCategory": "High", "lastSeen": "2025-02-19T06:32:48+00:00"}], "last_detection_type": "Privilege Anomaly: Unusual Trio", "vectra_timestamp": "1740568831"} + + ```json + -: {"version": "114285", "account_id": 123456, "headend_addr": "1.2.3.4", "account_uid": "test@test.local", "threat": 33, "certainty": 37, "quadrant": "low", "score_decreases": true, "privilege": 1, "href": "https://example.com/", "category": "ACCOUNT SCORING", "tags": [], "host_access_history": [{"id": 4643650, "name": "pp2400248.test.local", "privilege": 8, "privilegeCategory": "High", "lastSeen": "2025-02-20T15:53:14+00:00"}, {"id": 1254083, "name": "SV55555 - C - PROD - ADFS", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:32:48+00:00"}], "service_access_history": [{"id": 92576826, "uid": "rpc/sv00000.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:14+00:00"}, {"id": 30587336, "uid": "cifs/sv11111.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:11+00:00"}, {"id": 21, "uid": "cifs/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:09+00:00"}, {"id": 30586482, "uid": "ldap/sv11111.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:53:05+00:00"}, {"id": 92579338, "uid": "cifs/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T15:52:38+00:00"}, {"id": 770251, "uid": "sv00000$@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T08:02:57+00:00"}, {"id": 4, "uid": "krbtgt/test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-20T05:29:33+00:00"}, {"id": 11, "uid": 
"http/sv55555.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:33:06+00:00"}, {"id": 10043, "uid": "cifs/sv00000.test.local@test.local", "privilege": null, "privilegeCategory": null, "lastSeen": "2025-02-19T06:32:59+00:00"}, {"id": 59846485, "uid": "host/sv55555.test.local@test.local", "privilege": 9, "privilegeCategory": "High", "lastSeen": "2025-02-19T06:32:48+00:00"}], "last_detection_type": "Privilege Anomaly: Unusual Trio", "vectra_timestamp": "1740568831"} ``` === "vectra_campaign" - ``` - -: {"src_name": "IP-255.255.255.1", "src_ip": "255.255.255.1", "src_hid": 11111, "dest_name": "push.services.mozilla.com", "dest_ip": "255.255.255.2", "dest_id": "external", "timestamp": 1111111222.0, "campaign_name": "push.services.mozilla.com-13", "campaign_id": 222, "campaign_link": "https://255.255.255.3/campaigns/222", "action": "ADD", "reason": "Connection", "version": "6.8", "headend_addr": "255.255.255.3", "dvchost": "255.255.255.3", "vectra_timestamp": "1111111111"} + + ```json + -: {"src_name": "IP-192.0.2.1", "src_ip": "192.0.2.1", "src_hid": 11111, "dest_name": "push.services.mozilla.com", "dest_ip": "192.0.2.1", "dest_id": "external", "timestamp": 1111111222.0, "campaign_name": "push.services.mozilla.com-13", "campaign_id": 222, "campaign_link": "https://192.0.2.1/campaigns/222", "action": "ADD", "reason": "Connection", "version": "6.8", "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "vectra_timestamp": "1111111111"} ``` === "vectra_command_control" - ``` - -: {"version": "6.12", "detection_id": 13281, "category": "COMMAND & CONTROL", "severity": 6.0, "threat": 60, "certainty": 72, "d_type": "hidden_http_tunnel_cnc", "d_type_vname": "Hidden HTTP Tunnel", "triaged": false, "headend_addr": "198.51.100.94", "dvchost": "198.51.100.94", "href": "https://198.51.100.94/detections/13281?detail_id=94738", "dd_dst_ip": "198.51.100.1", "dd_dst_port": 8002, "dd_dst_dns": "mirror.centos.org", "dd_bytes_sent": 1476677, 
"dd_bytes_rcvd": 8269214038, "host_name": "IP-198.51.100.14", "host_ip": "198.51.100.14", "dd_proto": "tcp", "vectra_timestamp": "1633516306"} + + ```json + -: {"version": "6.12", "detection_id": 13281, "category": "COMMAND & CONTROL", "severity": 6.0, "threat": 60, "certainty": 72, "d_type": "hidden_http_tunnel_cnc", "d_type_vname": "Hidden HTTP Tunnel", "triaged": false, "headend_addr": "198.51.100.94", "dvchost": "198.51.100.94", "href": "https://example.com/", "dd_dst_ip": "198.51.100.1", "dd_dst_port": 8002, "dd_dst_dns": "example.com", "dd_bytes_sent": 1476677, "dd_bytes_rcvd": 8269214038, "host_name": "example.com", "host_ip": "198.51.100.14", "dd_proto": "tcp", "vectra_timestamp": "1633516306"} ``` === "vectra_hidden_https_tunnel" - ``` + + ```json { "id": 11111, "category": "command_and_control", 
@@ -105,280 +110,357 @@ In this section, you will find examples of raw logs as generated natively by the === "vectra_host_lockdown" - ``` - - :{"type":"some-type","version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https:/198.51.100.94/accounts/522","category":"HOST_LOCKDOWN","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory":"Mediu
m","lastSeen":"2021-09-30T07:20:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - Insider","vectra_timestamp":"1633338457"} + + ```json + - :{"type":"some-type","version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https://example.com/","category":"HOST_LOCKDOWN","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory"
:"Medium","lastSeen":"2021-09-30T07:20:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - Insider","vectra_timestamp":"1633338457"} ``` === "vectra_host_scoring" - ``` - -: {"version": "6.12", "host_id": 27617, "headend_addr": "198.51.100.94", "host_name": "IP-198.51.100.14", "dvchost": "198.51.100.94", "host_ip": "198.51.100.14", "threat": 22, "certainty": 31, "privilege": 0, "score_decreases": false, "href": "https://198.51.100.94/hosts/27617", "host_roles": "", "src_key_asset": false, "dst_key_asset": false, "category": "HOST SCORING", "sensor": "E123456789123456", "detection_profile": {"name": "saas", "vname": "Cloud Services", "scoringDetections": ["Hidden HTTP Tunnel (C&C)"]}, "host_groups": [], "tags": [], "account_access_history": [], "service_access_history": [], "mac_address": null, "mac_vendor": null, "last_detection_type": "Hidden HTTP Tunnel", "vectra_timestamp": "1633690973"} + + ```json + -: {"version": "6.12", "host_id": 27617, "headend_addr": "198.51.100.94", "host_name": "example.com", "dvchost": "198.51.100.94", "host_ip": "198.51.100.14", "threat": 22, "certainty": 31, "privilege": 0, "score_decreases": false, "href": "https://example.com/", "host_roles": "", "src_key_asset": false, "dst_key_asset": false, "category": "HOST SCORING", "sensor": "E123456789123456", "detection_profile": {"name": "saas", "vname": "Cloud Services", "scoringDetections": ["Hidden HTTP Tunnel (C&C)"]}, "host_groups": [], "tags": [], "account_access_history": [], "service_access_history": [], "mac_address": null, "mac_vendor": null, "last_detection_type": "Hidden HTTP Tunnel", "vectra_timestamp": "1633690973"} ``` === "vectra_info" - ``` - -: {"category": "INFO", "certainty": 0, "d_type": "si_new_host", "d_type_vname": "New Host", "dd_bytes_rcvd": null, "dd_bytes_sent": null, "dd_dst_dns": "", "dd_dst_ip": "0.0.0.0", "dd_dst_port": 80, "dd_proto": "", "detection_id": 9999, "dvchost": "255.255.255.1", "headend_addr": "255.255.255.1", "host_ip": 
"10.0.0.1", "host_name": "plop-99", "href": "https://255.255.255.1/detections/9999?detail_id=11111", "severity": 0, "threat": 0, "triaged": false, "vectra_timestamp": "1099999999", "version": "6.7"} + + ```json + -: {"category": "INFO", "certainty": 0, "d_type": "si_new_host", "d_type_vname": "New Host", "dd_bytes_rcvd": null, "dd_bytes_sent": null, "dd_dst_dns": "", "dd_dst_ip": "0.0.0.0", "dd_dst_port": 80, "dd_proto": "", "detection_id": 9999, "dvchost": "192.0.2.1", "headend_addr": "192.0.2.1", "host_ip": "10.0.0.1", "host_name": "example.com", "href": "https://example.com/", "severity": 0, "threat": 0, "triaged": false, "vectra_timestamp": "1099999999", "version": "6.7"} ``` === "vectra_lateral_movement" - ``` - -: {"accounts": "user@company.net", "shares": "", "reason": "MORE_PROCESSING_REQUIRED", "count": 295, "version": "6.12", "detection_id": 13295, "category": "LATERAL MOVEMENT", "severity": 2.0, "threat": 20, "certainty": 74, "d_type": "smb_brute_force", "d_type_vname": "SMB Brute-Force", "triaged": false, "headend_addr": "198.51.100.94", "dvchost": "198.51.100.94", "href": "https://198.51.100.94/detections/13295?detail_id=94908", "dd_dst_ip": "198.51.100.38", "dd_dst_port": 445, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "hostname", "host_ip": "198.51.100.155", "dd_proto": "", "vectra_timestamp": "1633681756"} + + ```json + -: {"accounts": "user@company.net", "shares": "", "reason": "MORE_PROCESSING_REQUIRED", "count": 295, "version": "6.12", "detection_id": 13295, "category": "LATERAL MOVEMENT", "severity": 2.0, "threat": 20, "certainty": 74, "d_type": "smb_brute_force", "d_type_vname": "SMB Brute-Force", "triaged": false, "headend_addr": "198.51.100.94", "dvchost": "198.51.100.94", "href": "https://example.com/", "dd_dst_ip": "198.51.100.38", "dd_dst_port": 445, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "hostname", "host_ip": "198.51.100.155", "dd_proto": "", "vectra_timestamp": 
"1633681756"} ``` === "vectra_lockdown" - ``` - - :{"version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https:/198.51.100.94/accounts/522","category":"LOCKDOWN","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - 
Insider","vectra_timestamp":"1633338457"} + + ```json + - :{"version":"6.12","account_id":123456,"headend_addr":"198.51.100.94","account_uid":"admin-prtg@company.local","threat":0,"certainty":0,"score_decreases":true,"privilege":4,"href":"https://example.com/","category":"LOCKDOWN","tags":[],"host_access_history":[{"id":22235,"name":"HOSTNAME.COMPANY.LOCAL","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:06:46+00:00"}],"service_access_history":[{"id":1470943,"uid":"cifs/serssq01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:06:46+00:00"},{"id":5,"uid":"krbtgt/company.local.company@company","privilege":null,"privilegeCategory":null,"lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614295,"uid":"rpcss/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:19+00:00"},{"id":2614304,"uid":"rpcss/host2db01.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T08:04:04+00:00"},{"id":2614297,"uid":"rpcss/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:57:44+00:00"},{"id":990,"uid":"rpcss/srv-appli02.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:54:04+00:00"},{"id":2614303,"uid":"rpcss/host201.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:37:28+00:00"},{"id":4214403,"uid":"http/alm.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:21:04+00:00"},{"id":4186134,"uid":"http/host109.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:50+00:00"},{"id":3693289,"uid":"http/host110.company.local@company.local","privilege":4,"privilegeCategory":"Medium","lastSeen":"2021-09-30T07:20:38+00:00"}],"last_detection_type":"Privilege Anomaly: Unusual Service - 
Insider","vectra_timestamp":"1633338457"} ``` === "vectra_several_ports_scanned_01" - ``` - -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvchost": "1.2.3.4", "href": "https://1.2.3.4/detections/85003?detail_id=2029813", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": ["T1046", "T1018", "T1072"], "host_name": "host", "host_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": "1721184242"} + + ```json + -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvcexample.com": "1.2.3.4", "href": "https://example.com/", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": ["T1046", "T1018", "T1072"], "example.com_name": "example.com", "example.com_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": 
"1721184242"} ``` === "vectra_several_ports_scanned_02" - ``` - -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvchost": "1.2.3.4", "href": "https://1.2.3.4/detections/85003?detail_id=2029784", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": ["T1046", "T1018", "T1072"], "host_name": "host", "host_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": "1721183706"} + + ```json + -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvcexample.com": "1.2.3.4", "href": "https://example.com/", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": ["T1046", "T1018", "T1072"], "example.com_name": "example.com", "example.com_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": "1721183706"} ``` === 
"vectra_threat1" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Targeted Recon", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Targeted Recon", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_10" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Remote Desktop", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Remote Desktop", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": 
"https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_11" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Remote Execution", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Remote Execution", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_12" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Internal Stage Loader", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": 
"6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Internal Stage Loader", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_13" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious LDAP Query", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious LDAP Query", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_14" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Recon", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": 
"10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RPC Recon", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_15" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RDP Recon", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "RDP Recon", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_16" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": 
"rpc_recon_1to1", "d_type_vname": "Port Sweep", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Port Sweep", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_17" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Port Scan", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Port Scan", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", 
"vectra_timestamp": "1623742534"} ``` === "vectra_threat1_18" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "File Share Enumeration", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "File Share Enumeration", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_19" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "External Remote Access", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "External Remote Access", "triaged": false, "headend_addr": 
"192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_2" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Cryptocurrency Mining", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Cryptocurrency Mining", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_20" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Hidden DNS Tunnel", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + 
```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Hidden DNS Tunnel", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_21" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "TOR Activity", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "TOR Activity", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_22" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Hidden HTTPS Tunnel", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", 
"dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Hidden HTTPS Tunnel", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_23" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Threat Intelligence Match", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Threat Intelligence Match", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_24" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, 
"threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious HTTP", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious HTTP", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_25" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Relay", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Relay", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": 
"example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_3" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Outbound Dos", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Outbound Dos", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_4" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Outbound Port Sweep", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Outbound Port Sweep", "triaged": 
false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_5" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Brute-Force", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Brute-Force", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_6" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Ransomware File Activity", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": 
"1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Ransomware File Activity", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_7" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Shell Knocker Client", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Shell Knocker Client", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_8" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "SQL Injection Activity", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": 
"https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "SQL Injection Activity", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat1_9" - ``` - -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Admin", "triaged": false, "headend_addr": "255.255.255.1", "dvchost": "255.255.255.1", "href": "https://255.255.255.1/detections/1900?detail_id=66777", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "IP-192.168.71.1", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} + + ```json + -: {"version": "6.8", "detection_id": 1900, "category": "RECONNAISSANCE", "severity": 7.0, "threat": 70, "certainty": 86, "d_type": "rpc_recon_1to1", "d_type_vname": "Suspicious Admin", "triaged": false, "headend_addr": "192.0.2.1", "dvchost": "192.0.2.1", "href": "https://example.com/", "dd_dst_ip": "10.43.0.81", "dd_dst_port": 49668, "dd_dst_dns": "", "dd_bytes_sent": null, "dd_bytes_rcvd": null, "host_name": "example.com", "host_ip": "192.168.71.1", "dd_proto": "", "vectra_timestamp": "1623742534"} ``` === "vectra_threat2" - ``` - :- {"user":"admin","role":"Super 
Admin","source_ip":"1.2.3.4","headend_addr":"1.2.3.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"create triage filter {\"Type\":\"Alban\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"EXFILTRATION\",\"Detection Type\":\"Smash and Grab\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Destination Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"dmz.example.org\",\"label\":\"dmz.example.org\"},{\"value\":\"app.sekoia.io\",\"label\":\"app.sekoia.io\"}],\"groups\":[]}}]}]},\"ID\":137,\"Hosts\":[\"SOC\"]}","vectra_timestamp":"1683633677"} + + ```json + :- {"user":"admin","role":"Super Admin","source_ip":"1.2.3.4","headend_addr":"192.0.2.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"create triage filter {\"Type\":\"Alban\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"EXFILTRATION\",\"Detection Type\":\"Smash and Grab\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Destination Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"dmz.example.org\",\"label\":\"dmz.example.org\"},{\"value\":\"app.sekoia.io\",\"label\":\"app.sekoia.io\"}],\"groups\":[]}}]}]},\"ID\":137,\"Hosts\":[\"SOC\"]}","vectra_timestamp":"1683633677"} ``` === "vectra_threat3" - ``` - :- {"user":"admin","role":"Super Admin","source_ip":"1.2.3.4","headend_addr":"1.2.3.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"create triage filter {\"Type\":\"Proxy\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection 
Category\":\"COMMAND & CONTROL\",\"Detection Type\":\"Hidden HTTPS Tunnel\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"C&CA Server Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"sedb.example.org\",\"label\":\"sedb.example.org\"}],\"groups\":[]}},{\"ANY_OF\":{\"label\":\"Destination Port\",\"field\":\"remote1_port\",\"values\":[{\"value\":\"443\",\"label\":\"443\"}],\"groups\":[]}}]}]},\"ID\":136,\"Hosts\":[\"SOC\"]}","vectra_timestamp":"1683633677"} + + ```json + :- {"user":"admin","role":"Super Admin","source_ip":"1.2.3.4","headend_addr":"192.0.2.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"create triage filter {\"Type\":\"Proxy\",\"enabled\":true,\"context\":{\"host_match_count\":1,\"critical_host_count\":0},\"Detection Category\":\"COMMAND & CONTROL\",\"Detection Type\":\"Hidden HTTPS Tunnel\",\"sourceConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"Host\",\"field\":\"host\",\"values\":[{\"value\":8389,\"label\":\"SOC\"}],\"groups\":[]}}]}]},\"additionalConditions\":{\"OR\":[{\"AND\":[{\"ANY_OF\":{\"label\":\"C&CA Server Domain\",\"field\":\"remote1_dns\",\"values\":[{\"value\":\"sedb.example.org\",\"label\":\"sedb.example.org\"}],\"groups\":[]}},{\"ANY_OF\":{\"label\":\"Destination Port\",\"field\":\"remote1_port\",\"values\":[{\"value\":\"443\",\"label\":\"443\"}],\"groups\":[]}}]}]},\"ID\":136,\"Hosts\":[\"SOC\"]}","vectra_timestamp":"1683633677"} ``` === "vectra_threat4" + + ```json + :- {"user":"admin","role":"Super Admin","source_ip":"1.2.3.4","headend_addr":"192.0.2.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"edit triage filter \"Alban\" - id 11 Smash and Gab - context changed from \"{'host_match_count': 1, 'critical_host_count': 0}\" to \"{'host_match_count': 2, 'critical_host_count': 
0}\"","vectra_timestamp":"1683633677"} ``` - :- {"user":"admin","role":"Super Admin","source_ip":"1.2.3.4","headend_addr":"1.2.3.1","dvchost":"1.2.3.254","version":"7.6","result":"success","message":"edit triage filter \"Alban\" - id 11 Smash and Gab - context changed from \"{'host_match_count': 1, 'critical_host_count': 0}\" to \"{'host_match_count': 2, 'critical_host_count': 0}\"","vectra_timestamp":"1683633677"} + + + +=== "vectra_threat5" + + + ```json + { + "Start": "2025-12-09T12:54:37", + "dd_dst_dns": "", + "dd_proto": "tcp", + "dd_dst_ip": "192.168.1.105", + "dvchost": "10.0.12.1", + "vectra_timestamp": "1765289659", + "href": "https://example.com/", + "detection_id": 14419, + "d_type": "smash_n_grab", + "dd_bytes_rcvd": 0, + "triaged": false, + "severity": 6.0, + "host_ip": "3.4.5.6", + "certainty": 10, + "version": "9.6", + "proxied_dst": "1.2.3.4", + "headend_addr": "10.0.12.1", + "dd_dst_port": 3129, + "dd_bytes_sent": 11356538, + "End": "2025-12-09T14:12:36", + "mitre": [ + "T1020", + "T1002", + "T1022", + "T1030", + "T1048", + "T1029" + ], + "threat": 60, + "category": "EXFILTRATION", + "d_type_vname": "Smash and Grab", + "host_name": "example.com" + } ``` diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md index af5e3fb3ac..5ae2167402 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md @@ -3121,6 +3121,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "S-1-2-3", "name": "user-name", "target": { + "domain": "RESEAU-COMPANY", "name": "USER" } }, 
@@ -3721,6 +3722,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "TEST", "name": "TESTCOMPUTEROBJ$" } }, @@ -3841,6 +3843,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "TEST", "name": "testdistlocal" } }, @@ -3947,6 +3950,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "S-1-5-21-1717121054-434620538-60925301-2794", "name": "at_adm", "target": { + "domain": "TEST", "name": "testglobal1" } }, diff --git a/_shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a.md b/_shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859.md similarity index 67% rename from _shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a.md rename to _shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859.md index 0eb1906916..90338daaca 100644 --- a/_shared_content/operations_center/integrations/generated/1ef7f586-5354-4171-9266-f9f049c3253a.md +++ b/_shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859.md 
@@ -35,7 +35,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-12-09 08:23:52,682 trackingid=\"tid:D68VmhNKbQi3z3csgj0Hn_lc3iM\" transactionid=\"2zjC3jlLX20MRKHaYiRX2ukOo\" event=\"AUTHN_ATTEMPT\" subject=\"\" ip=\"192.0.2.11\" connectionid=\"https://testcorpx.testsite.com\" protocol=\"SAML20\" pfhost=\"host06.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"5\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpUserIdentificationForm\" authnsessionexpiry=\"\" connectionname=\"TestLearn\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.abc.cloud.testcorpx\" X-Forwarded-Host=\"hub-mtls.auth.testcorpx.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"D68VmhNKaQi3z3csgj0Hn_lc3iM\" virtualserverid=https://hub-mtls.auth.testcorpx.com", + "message": "2025-12-09 08:23:52,682 trackingid=\"tid:D68VmhNKbQi3z3csgj0Hn_lc3iM\" transactionid=\"2zjC3jlLX20MRKHaYiRX2ukOo\" event=\"AUTHN_ATTEMPT\" subject=\"\" ip=\"192.0.2.11\" connectionid=\"https://testcorpx.example.com\" protocol=\"SAML20\" pfhost=\"host06.test.example.com\" role=\"IdP\" status=\"success\" responsetime=\"5\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpUserIdentificationForm\" authnsessionexpiry=\"\" connectionname=\"TestLearn\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.abc.cloud.testcorpx\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"D68VmhNKaQi3z3csgj0Hn_lc3iM\" virtualserverid=https://hub-mtls.auth.example.com", "event": { "category": [ "authentication" 
@@ -45,21 +45,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "success", - "reason": "trackingid=\"tid:D68VmhNKbQi3z3csgj0Hn_lc3iM\" transactionid=\"2zjC3jlLX20MRKHaYiRX2ukOo\" event=\"AUTHN_ATTEMPT\" subject=\"\" ip=\"192.0.2.11\" connectionid=\"https://testcorpx.testsite.com\" protocol=\"SAML20\" pfhost=\"host06.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"5\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpUserIdentificationForm\" authnsessionexpiry=\"\" connectionname=\"TestLearn\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.abc.cloud.testcorpx\" X-Forwarded-Host=\"hub-mtls.auth.testcorpx.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"D68VmhNKaQi3z3csgj0Hn_lc3iM\" virtualserverid=https://hub-mtls.auth.testcorpx.com", "type": [ "start" ] }, "@timestamp": "2025-12-09T08:23:52.682000Z", "destination": { - "address": "hub-mtls.auth.testcorpx.com", - "domain": "hub-mtls.auth.testcorpx.com", - "registered_domain": "testcorpx.com", + "address": "hub-mtls.auth.example.com", + "domain": "hub-mtls.auth.example.com", + "registered_domain": "example.com", "subdomain": "hub-mtls.auth", "top_level_domain": "com" }, "host": { - "name": "host06.test.internal.testcorp" + "name": "host06.test.example.com" }, "network": { "protocol": "saml20" @@ -67,7 +66,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "pingfederate": { "attributes": "\"\"", "authenticationsourceid": "adapter.AdpUserIdentificationForm", - "connectionid": "https://testcorpx.testsite.com", + "connectionid": "https://testcorpx.example.com", "connectionname": "TestLearn", "event": "AUTHN_ATTEMPT", "protocol": "SAML20", 
@@ -78,13 +77,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trackingid": "tid:D68VmhNKbQi3z3csgj0Hn_lc3iM", "transactionid": "2zjC3jlLX20MRKHaYiRX2ukOo", "trusted_network": "YES", - "virtualserverid": "https://hub-mtls.auth.testcorpx.com", - "x_forwarded_host": "hub-mtls.auth.testcorpx.com", + "virtualserverid": "https://hub-mtls.auth.example.com", + "x_forwarded_host": "hub-mtls.auth.example.com", "x_forwarded_vip": "hub-mtls.auth.infra.abc.cloud.testcorpx" }, "related": { "hosts": [ - "hub-mtls.auth.testcorpx.com" + "hub-mtls.auth.example.com" ], "ip": [ "192.0.2.11" @@ -95,10 +94,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.11" }, "url": { - "domain": "testcorpx.testsite.com", - "original": "https://testcorpx.testsite.com", + "domain": "testcorpx.example.com", + "original": "https://testcorpx.example.com", "port": 443, - "registered_domain": "testsite.com", + "registered_domain": "example.com", "scheme": "https", "subdomain": "testcorpx", "top_level_domain": "com" 
@@ -113,7 +112,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-08-30 22:27:50,026 trackingid=\"tid:EfRuCLHmleA0JggggnFQHAaUiKI\" transactionid=\"sbK3tzaevezYmWSQcJgCoJppH\" event=\"AUTHN_REQUEST\" subject=\"testuser1\" ip=\"192.0.2.10\" connectionid=\"https://eu.testapp.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/\" protocol=\"SAML20\" pfhost=\"host05.test.internal.testcorp\" role=\"SP\" status=\"inprogress\" responsetime=\"6\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/PasswordProtectedTransport\" authnsessionexpiry=\"\" connectionname=\"TestApp (Vendor)\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"wXY3g0jmB0nnThH_bfO-z.Y82Lo\" sri=\"EfRuCLHmleA0JggggnFQHAaUiKI\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "message": "2025-08-30 22:27:50,026 trackingid=\"tid:EfRuCLHmleA0JggggnFQHAaUiKI\" transactionid=\"sbK3tzaevezYmWSQcJgCoJppH\" event=\"AUTHN_REQUEST\" subject=\"j.doe\" ip=\"192.0.2.10\" connectionid=\"https://eu.example.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/\" protocol=\"SAML20\" pfhost=\"host05.test.example.com\" role=\"SP\" status=\"inprogress\" responsetime=\"6\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/PasswordProtectedTransport\" authnsessionexpiry=\"\" connectionname=\"TestApp (Vendor)\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"wXY3g0jmB0nnThH_bfO-z.Y82Lo\" sri=\"EfRuCLHmleA0JggggnFQHAaUiKI\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "event": { "category": [ "authentication" 
@@ -123,7 +122,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "unknown", - "reason": "trackingid=\"tid:EfRuCLHmleA0JggggnFQHAaUiKI\" transactionid=\"sbK3tzaevezYmWSQcJgCoJppH\" event=\"AUTHN_REQUEST\" subject=\"testuser1\" ip=\"192.0.2.10\" connectionid=\"https://eu.testapp.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/\" protocol=\"SAML20\" pfhost=\"host05.test.internal.testcorp\" role=\"SP\" status=\"inprogress\" responsetime=\"6\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/PasswordProtectedTransport\" authnsessionexpiry=\"\" connectionname=\"TestApp (Vendor)\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"wXY3g0jmB0nnThH_bfO-z.Y82Lo\" sri=\"EfRuCLHmleA0JggggnFQHAaUiKI\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "type": [ "start" ] @@ -137,7 +135,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host05.test.internal.testcorp" + "name": "host05.test.example.com" }, "network": { "protocol": "saml20" @@ -145,7 +143,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "pingfederate": { "attributes": "\"\"", "authenticationsourceid": "idpConnection.https://login.auth.example.com/PasswordProtectedTransport", - "connectionid": "https://eu.testapp.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/", + "connectionid": "https://eu.example.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/", "connectionname": "TestApp (Vendor)", "event": "AUTHN_REQUEST", "protocol": "SAML20", 
@@ -169,7 +167,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "192.0.2.10" ], "user": [ - "testuser1" + "j.doe" ] }, "source": { @@ -177,17 +175,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.10" }, "url": { - "domain": "eu.testapp.com", - "original": "https://eu.testapp.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/", + "domain": "eu.example.com", + "original": "https://eu.example.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/", "path": "/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/", "port": 443, - "registered_domain": "testapp.com", + "registered_domain": "example.com", "scheme": "https", "subdomain": "eu", "top_level_domain": "com" }, "user": { - "name": "testuser1" + "name": "j.doe" } } 
@@ -199,7 +197,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-01 15:15:34,068 trackingid=\"tid:nkWHFLhf2dsvdFckMbwF1NU_j8g\" transactionid=\"snJEcQqMQvYQe2WIsraji9ZtK\" event=\"AUTHN_SESSIONS_DELETED\" subject=\"\" ip=\"192.0.2.12\" connectionid=\"\" protocol=\"\" pfhost=\"host01.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"44\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"nkWHFLhf2dsvdFckMbwF1NU_j8g..tbPV\" virtualserverid=\"\"", + "message": "2025-09-01 15:15:34,068 trackingid=\"tid:nkWHFLhf2dsvdFckMbwF1NU_j8g\" transactionid=\"snJEcQqMQvYQe2WIsraji9ZtK\" event=\"AUTHN_SESSIONS_DELETED\" subject=\"\" ip=\"192.0.2.12\" connectionid=\"\" protocol=\"\" pfhost=\"host01.test.internal.test\" role=\"IdP\" status=\"success\" responsetime=\"44\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.test\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"nkWHFLhf2dsvdFckMbwF1NU_j8g..tbPV\" virtualserverid=\"\"", "event": { "category": [ "authentication" 
@@ -209,7 +207,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "success", - "reason": "trackingid=\"tid:nkWHFLhf2dsvdFckMbwF1NU_j8g\" transactionid=\"snJEcQqMQvYQe2WIsraji9ZtK\" event=\"AUTHN_SESSIONS_DELETED\" subject=\"\" ip=\"192.0.2.12\" connectionid=\"\" protocol=\"\" pfhost=\"host01.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"44\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"nkWHFLhf2dsvdFckMbwF1NU_j8g..tbPV\" virtualserverid=\"\"", "type": [ "end" ] @@ -223,7 +220,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host01.test.internal.testcorp" + "name": "host01.test.internal.test" }, "pingfederate": { "attributes": "\"\"", @@ -236,7 +233,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transactionid": "snJEcQqMQvYQe2WIsraji9ZtK", "trusted_network": "YES", "x_forwarded_host": "hub-mtls.auth.example.com", - "x_forwarded_vip": "hub-mtls.auth.test.internal.testcorp" + "x_forwarded_vip": "hub-mtls.auth.test.internal.test" }, "related": { "hosts": [ 
@@ -260,7 +257,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-08-30 22:27:50,474 trackingid=\"tid:vpYkkHbUv895EJQob3vhMrTbIgc\" transactionid=\"DW83XpRRPgoKBAY7gru6YIR81\" event=\"AUTHN_SESSION_CREATED\" subject=\"\" ip=\"192.0.2.10\" connectionid=\"https://hub.auth.example.com/PasswordProtectedTransport\" protocol=\"SAML20\" pfhost=\"host03.test.internal.testcorp\" role=\"IdP\" status=\"\" responsetime=\"50\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpRequestedUser\" authnsessionexpiry=\"2025-08-30 23:27:50.474+0000\" connectionname=\"HUB Password Only\" granttype=\"\" X-Forwarded-Vip=\"login.auth.test.internal.testcorp\" X-Forwarded-Host=\"login.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"vpYkkHbUv895EJQob3vhMrTbIgc..s3rm\" virtualserverid=\"https://login.auth.example.com/PasswordProtectedTransport\"", + "message": "2025-08-30 22:27:50,474 trackingid=\"tid:vpYkkHbUv895EJQob3vhMrTbIgc\" transactionid=\"DW83XpRRPgoKBAY7gru6YIR81\" event=\"AUTHN_SESSION_CREATED\" subject=\"\" ip=\"192.0.2.10\" connectionid=\"https://hub.auth.example.com/PasswordProtectedTransport\" protocol=\"SAML20\" pfhost=\"host03.test.internal.test\" role=\"IdP\" status=\"\" responsetime=\"50\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpRequestedUser\" authnsessionexpiry=\"2025-08-30 23:27:50.474+0000\" connectionname=\"HUB Password Only\" granttype=\"\" X-Forwarded-Vip=\"login.auth.test.internal.test\" X-Forwarded-Host=\"login.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"vpYkkHbUv895EJQob3vhMrTbIgc..s3rm\" virtualserverid=\"https://login.auth.example.com/PasswordProtectedTransport\"", "event": { "category": [ "authentication" 
@@ -269,7 +266,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "duration": 50000000, "kind": "event", "module": "pingfederate", - "reason": "trackingid=\"tid:vpYkkHbUv895EJQob3vhMrTbIgc\" transactionid=\"DW83XpRRPgoKBAY7gru6YIR81\" event=\"AUTHN_SESSION_CREATED\" subject=\"\" ip=\"192.0.2.10\" connectionid=\"https://hub.auth.example.com/PasswordProtectedTransport\" protocol=\"SAML20\" pfhost=\"host03.test.internal.testcorp\" role=\"IdP\" status=\"\" responsetime=\"50\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"adapter.AdpRequestedUser\" authnsessionexpiry=\"2025-08-30 23:27:50.474+0000\" connectionname=\"HUB Password Only\" granttype=\"\" X-Forwarded-Vip=\"login.auth.test.internal.testcorp\" X-Forwarded-Host=\"login.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"vpYkkHbUv895EJQob3vhMrTbIgc..s3rm\" virtualserverid=\"https://login.auth.example.com/PasswordProtectedTransport\"", "type": [ "start" ] @@ -283,7 +279,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host03.test.internal.testcorp" + "name": "host03.test.internal.test" }, "network": { "protocol": "saml20" @@ -304,7 +300,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trusted_network": "YES", "virtualserverid": "https://login.auth.example.com/PasswordProtectedTransport", "x_forwarded_host": "login.auth.example.com", - "x_forwarded_vip": "login.auth.test.internal.testcorp" + "x_forwarded_vip": "login.auth.test.internal.test" }, "related": { "hosts": [ 
@@ -338,7 +334,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-02 12:08:59,880 trackingid=\"tid:fu6aEL29MEj1AKRn3_wSMGWwo5A\" transactionid=\"wHZWQNR6r0JHSW9yizXSXC8zD\" event=\"AUTHN_SESSION_USED\" subject=\"\" ip=\"192.0.2.16\" connectionid=\"https://testapp-uat.corp.testcorp/\" protocol=\"SAML20\" pfhost=\"host04.test.internal.testcorp\" role=\"IdP\" status=\"\" responsetime=\"30\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/strong\" authnsessionexpiry=\"2025-09-02 14:35:59.863+0000\" connectionname=\"TestID UAT saml\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"HqFnER4GNYadajPW5xa6.JSIr-A\" sri=\"fu6aEL29MEj1AKRn3_wSMGWwo5A..trpv\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "message": "2025-09-02 12:08:59,880 trackingid=\"tid:fu6aEL29MEj1AKRn3_wSMGWwo5A\" transactionid=\"wHZWQNR6r0JHSW9yizXSXC8zD\" event=\"AUTHN_SESSION_USED\" subject=\"\" ip=\"192.0.2.16\" connectionid=\"https://testapp-uat.example.com/\" protocol=\"SAML20\" pfhost=\"host04.test.example.com\" role=\"IdP\" status=\"\" responsetime=\"30\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/strong\" authnsessionexpiry=\"2025-09-02 14:35:59.863+0000\" connectionname=\"TestID UAT saml\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.example.com\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"HqFnER4GNYadajPW5xa6.JSIr-A\" sri=\"fu6aEL29MEj1AKRn3_wSMGWwo5A..trpv\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "event": { "category": [ "authentication" 
@@ -347,7 +343,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "duration": 30000000, "kind": "event", "module": "pingfederate", - "reason": "trackingid=\"tid:fu6aEL29MEj1AKRn3_wSMGWwo5A\" transactionid=\"wHZWQNR6r0JHSW9yizXSXC8zD\" event=\"AUTHN_SESSION_USED\" subject=\"\" ip=\"192.0.2.16\" connectionid=\"https://testapp-uat.corp.testcorp/\" protocol=\"SAML20\" pfhost=\"host04.test.internal.testcorp\" role=\"IdP\" status=\"\" responsetime=\"30\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"idpConnection.https://login.auth.example.com/strong\" authnsessionexpiry=\"2025-09-02 14:35:59.863+0000\" connectionname=\"TestID UAT saml\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"HqFnER4GNYadajPW5xa6.JSIr-A\" sri=\"fu6aEL29MEj1AKRn3_wSMGWwo5A..trpv\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "type": [ "info" ] @@ -361,7 +356,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host04.test.internal.testcorp" + "name": "host04.test.example.com" }, "network": { "protocol": "saml20" @@ -370,7 +365,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "attributes": "\"\"", "authenticationsourceid": "idpConnection.https://login.auth.example.com/strong", "authnsessionexpiry": "2025-09-02 14:35:59.863+0000", - "connectionid": "https://testapp-uat.corp.testcorp/", + "connectionid": "https://testapp-uat.example.com/", "connectionname": "TestID UAT saml", "event": "AUTHN_SESSION_USED", "protocol": "SAML20", 
@@ -383,7 +378,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trusted_network": "YES", "virtualserverid": "https://hub-mtls.auth.example.com", "x_forwarded_host": "hub-mtls.auth.example.com", - "x_forwarded_vip": "hub-mtls.auth.test.internal.testcorp" + "x_forwarded_vip": "hub-mtls.auth.test.example.com" }, "related": { "hosts": [ @@ -398,12 +393,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.16" }, "url": { - "domain": "testapp-uat.corp.testcorp", - "original": "https://testapp-uat.corp.testcorp/", + "domain": "testapp-uat.example.com", + "original": "https://testapp-uat.example.com/", "path": "/", "port": 443, + "registered_domain": "example.com", "scheme": "https", - "subdomain": "testapp-uat.corp" + "subdomain": "testapp-uat", + "top_level_domain": "com" } } 
@@ -415,7 +412,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-02 04:49:16,008 trackingid=\"tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ\" transactionid=\"Jk8NwdiVkax3KfSl9AtzarYxC\" event=\"OAuth\" subject=\"testuser1\" ip=\"192.0.2.14\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OAuth20\" pfhost=\"host04.test.internal.testcorp\" role=\"AS\" status=\"failure\" responsetime=\"88\" assertionid=\"e-x8HOQUiqLKkGO-Qjsn5G4ySqZ\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH\" sri=\"SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL\" virtualserverid=\"https://hub.auth.example.com/strong\"", + "message": "2025-09-02 04:49:16,008 trackingid=\"tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ\" transactionid=\"Jk8NwdiVkax3KfSl9AtzarYxC\" event=\"OAuth\" subject=\"j.doe\" ip=\"192.0.2.14\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OAuth20\" pfhost=\"host04.test.internal.test\" role=\"AS\" status=\"failure\" responsetime=\"88\" assertionid=\"e-x8HOQUiqLKkGO-Qjsn5G4ySqZ\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.test\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH\" 
sri=\"SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL\" virtualserverid=\"https://hub.auth.example.com/strong\"", "event": { "category": [ "authentication" 
@@ -425,7 +422,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "failure", - "reason": "trackingid=\"tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ\" transactionid=\"Jk8NwdiVkax3KfSl9AtzarYxC\" event=\"OAuth\" subject=\"testuser1\" ip=\"192.0.2.14\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OAuth20\" pfhost=\"host04.test.internal.testcorp\" role=\"AS\" status=\"failure\" responsetime=\"88\" assertionid=\"e-x8HOQUiqLKkGO-Qjsn5G4ySqZ\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH\" sri=\"SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL\" virtualserverid=\"https://hub.auth.example.com/strong\"", + "reason": "trackingid=\"tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ\" transactionid=\"Jk8NwdiVkax3KfSl9AtzarYxC\" event=\"OAuth\" subject=\"j.doe\" ip=\"192.0.2.14\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OAuth20\" pfhost=\"host04.test.internal.test\" role=\"AS\" status=\"failure\" responsetime=\"88\" assertionid=\"e-x8HOQUiqLKkGO-Qjsn5G4ySqZ\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.test\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH\" 
sri=\"SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL\" virtualserverid=\"https://hub.auth.example.com/strong\"", "type": [ "start" ] @@ -439,7 +436,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host04.test.internal.testcorp" + "name": "host04.test.internal.test" }, "network": { "protocol": "oauth20" @@ -461,7 +458,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trusted_network": "YES", "virtualserverid": "https://hub.auth.example.com/strong", "x_forwarded_host": "hub-mtls.auth.example.com", - "x_forwarded_vip": "hub-mtls.auth.test.internal.testcorp" + "x_forwarded_vip": "hub-mtls.auth.test.internal.test" }, "related": { "hosts": [ @@ -471,7 +468,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "192.0.2.14" ], "user": [ - "testuser1" + "j.doe" ] }, "source": { @@ -479,7 +476,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.14" }, "user": { - "name": "testuser1" + "name": "j.doe" } } 
@@ -491,7 +488,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-01 17:03:55,086 trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"kYweNpnacjZIqO2hVKMiz2GSN\" event=\"SLO\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OIDC\" pfhost=\"host02.test.internal.testcorp\" role=\"AS\" status=\"success\" responsetime=\"17\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "message": "2025-09-01 17:03:55,086 trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"kYweNpnacjZIqO2hVKMiz2GSN\" event=\"SLO\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OIDC\" pfhost=\"host02.test.internal.test\" role=\"AS\" status=\"success\" responsetime=\"17\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "event": { "category": [ "authentication" 
@@ -501,7 +498,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "success", - "reason": "trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"kYweNpnacjZIqO2hVKMiz2GSN\" event=\"SLO\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OIDC\" pfhost=\"host02.test.internal.testcorp\" role=\"AS\" status=\"success\" responsetime=\"17\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "reason": "trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"kYweNpnacjZIqO2hVKMiz2GSN\" event=\"SLO\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"01957ee4-3206-7f2b-a0c5-d6794cd50d40\" protocol=\"OIDC\" pfhost=\"host02.test.internal.test\" role=\"AS\" status=\"success\" responsetime=\"17\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestPortal\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "type": [ "end" ] @@ -515,7 +512,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host02.test.internal.testcorp" + "name": "host02.test.internal.test" }, "network": { "protocol": "oidc" 
@@ -559,7 +556,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-01 17:03:57,186 trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"BPMc3SYoQHrXqskFsBQVe1bVR\" event=\"SRI_REVOKED\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"\" protocol=\"\" pfhost=\"host02.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"57\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"\"", + "message": "2025-09-01 17:03:57,186 trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"BPMc3SYoQHrXqskFsBQVe1bVR\" event=\"SRI_REVOKED\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"\" protocol=\"\" pfhost=\"host02.test.internal.test\" role=\"IdP\" status=\"success\" responsetime=\"57\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"\"", "event": { "category": [ "authentication" 
@@ -569,7 +566,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "success", - "reason": "trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"BPMc3SYoQHrXqskFsBQVe1bVR\" event=\"SRI_REVOKED\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"\" protocol=\"\" pfhost=\"host02.test.internal.testcorp\" role=\"IdP\" status=\"success\" responsetime=\"57\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"\"", + "reason": "trackingid=\"tid:4QVg-5IEEJKY_3L7G70fbISqvZQ\" transactionid=\"BPMc3SYoQHrXqskFsBQVe1bVR\" event=\"SRI_REVOKED\" subject=\"\" ip=\"192.0.2.13\" connectionid=\"\" protocol=\"\" pfhost=\"host02.test.internal.test\" role=\"IdP\" status=\"success\" responsetime=\"57\" assertionid=\"\" attrackingid=\"\" attributes=\"\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.infra.cloud.test.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"\" sri=\"4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP\" virtualserverid=\"\"", "type": [ "end" ] @@ -583,7 +580,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host02.test.internal.testcorp" + "name": "host02.test.internal.test" }, "pingfederate": { "attributes": "\"\"", 
@@ -620,7 +617,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-02 02:10:08,024 trackingid=\"tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg\" transactionid=\"LyPg0FbetfoyVw624lDxuktdk\" event=\"SSO\" subject=\"testuser1\" ip=\"192.0.2.15\" connectionid=\"https://app01.testvendor.com/ssoagent\" protocol=\"SAML20\" pfhost=\"host04.test.internal.testcorp\" role=\"IdP\" status=\"failure\" responsetime=\"86\" assertionid=\"sC7AvBm1doxsGBy7ehlR1ik.4ZS\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestRegion_HRM\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"o8ere_Dij45ft_zFRmzhBt6wimN\" sri=\"ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "message": "2025-09-02 02:10:08,024 trackingid=\"tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg\" transactionid=\"LyPg0FbetfoyVw624lDxuktdk\" event=\"SSO\" subject=\"j.doe\" ip=\"192.0.2.15\" connectionid=\"https://app01.example.com/ssoagent\" protocol=\"SAML20\" pfhost=\"host04.test.example.com\" role=\"IdP\" status=\"failure\" responsetime=\"86\" assertionid=\"sC7AvBm1doxsGBy7ehlR1ik.4ZS\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestRegion_HRM\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.example.com\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"o8ere_Dij45ft_zFRmzhBt6wimN\" 
sri=\"ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "event": { "category": [ "authentication" 
@@ -630,7 +627,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "kind": "event", "module": "pingfederate", "outcome": "failure", - "reason": "trackingid=\"tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg\" transactionid=\"LyPg0FbetfoyVw624lDxuktdk\" event=\"SSO\" subject=\"testuser1\" ip=\"192.0.2.15\" connectionid=\"https://app01.testvendor.com/ssoagent\" protocol=\"SAML20\" pfhost=\"host04.test.internal.testcorp\" role=\"IdP\" status=\"failure\" responsetime=\"86\" assertionid=\"sC7AvBm1doxsGBy7ehlR1ik.4ZS\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestRegion_HRM\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.internal.testcorp\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"o8ere_Dij45ft_zFRmzhBt6wimN\" sri=\"ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_\" virtualserverid=\"https://hub-mtls.auth.example.com\"", + "reason": "trackingid=\"tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg\" transactionid=\"LyPg0FbetfoyVw624lDxuktdk\" event=\"SSO\" subject=\"j.doe\" ip=\"192.0.2.15\" connectionid=\"https://app01.example.com/ssoagent\" protocol=\"SAML20\" pfhost=\"host04.test.example.com\" role=\"IdP\" status=\"failure\" responsetime=\"86\" assertionid=\"sC7AvBm1doxsGBy7ehlR1ik.4ZS\" attrackingid=\"\" attributes=\"SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" authenticationsourceid=\"\" authnsessionexpiry=\"\" connectionname=\"TestRegion_HRM\" granttype=\"\" X-Forwarded-Vip=\"hub-mtls.auth.test.example.com\" X-Forwarded-Host=\"hub-mtls.auth.example.com\" trustedNetwork=\"YES\" requestid=\"o8ere_Dij45ft_zFRmzhBt6wimN\" 
sri=\"ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_\" virtualserverid=\"https://hub-mtls.auth.example.com\"", "type": [ "start" ] @@ -644,7 +641,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "host": { - "name": "host04.test.internal.testcorp" + "name": "host04.test.example.com" }, "network": { "protocol": "saml20" @@ -652,7 +649,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "pingfederate": { "assertionid": "sC7AvBm1doxsGBy7ehlR1ik.4ZS", "attributes": "\"SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z,", - "connectionid": "https://app01.testvendor.com/ssoagent", + "connectionid": "https://app01.example.com/ssoagent", "connectionname": "TestRegion_HRM", "event": "SSO", "protocol": "SAML20", @@ -666,7 +663,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trusted_network": "YES", "virtualserverid": "https://hub-mtls.auth.example.com", "x_forwarded_host": "hub-mtls.auth.example.com", - "x_forwarded_vip": "hub-mtls.auth.test.internal.testcorp" + "x_forwarded_vip": "hub-mtls.auth.test.example.com" }, "related": { "hosts": [ @@ -676,7 +673,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "192.0.2.15" ], "user": [ - "testuser1" + "j.doe" ] }, "source": { @@ -684,17 +681,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.15" }, "url": { - "domain": "app01.testvendor.com", - "original": "https://app01.testvendor.com/ssoagent", + "domain": "app01.example.com", + "original": "https://app01.example.com/ssoagent", "path": "/ssoagent", "port": 443, - "registered_domain": "testvendor.com", + "registered_domain": "example.com", "scheme": "https", "subdomain": "app01", "top_level_domain": "com" }, "user": { - "name": "testuser1" + "name": "j.doe" } } 
@@ -737,7 +734,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: https://hub-mtls.auth-int.test.internal.testcorp/pf/heartbeat.ping", + "message": "2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: https://hub-mtls.auth-int.test.example.com/pf/heartbeat.ping", "event": { "category": [ "web" @@ -745,14 +742,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "dataset": "pingfederate", "kind": "event", "module": "pingfederate", - "reason": "GET: https://hub-mtls.auth-int.test.internal.testcorp/pf/heartbeat.ping", + "reason": "GET: https://hub-mtls.auth-int.test.example.com/pf/heartbeat.ping", "type": [ "access" ] }, "@timestamp": "2025-09-02T11:02:34.353000Z", "host": { - "name": "hub-mtls.auth-int.test.internal.testcorp" + "name": "hub-mtls.auth-int.test.example.com" }, "http": { "request": { @@ -767,12 +764,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "trackingid": "tid:Q08PzbPCjfSJL8sbIj88OLO5YWg" }, "url": { - "domain": "hub-mtls.auth-int.test.internal.testcorp", - "original": "https://hub-mtls.auth-int.test.internal.testcorp/pf/heartbeat.ping", + "domain": "hub-mtls.auth-int.test.example.com", + "original": "https://hub-mtls.auth-int.test.example.com/pf/heartbeat.ping", "path": "/pf/heartbeat.ping", "port": 443, + "registered_domain": "example.com", "scheme": "https", - "subdomain": "hub-mtls.auth-int.test.internal" + "subdomain": "hub-mtls.auth-int.test", + "top_level_domain": "com" } } 
@@ -784,7 +783,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "192.168.1.100 - john.doe [02/Sep/2025:13:02:34 +0000] \"GET /pf/heartbeat.ping HTTP/1.1\" 200 156", + "message": "1.2.3.4 - john.doe [02/Sep/2025:13:02:34 +0000] \"GET /pf/heartbeat.ping HTTP/1.1\" 200 156", "event": { "category": [ "web" @@ -797,7 +796,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "host": { - "name": "192.168.1.100" + "name": "1.2.3.4" }, "http": { "request": { @@ -813,15 +812,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "ip": [ - "192.168.1.100" + "1.2.3.4" ], "user": [ "john.doe" ] }, "source": { - "address": "192.168.1.100", - "ip": "192.168.1.100" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "original": "/pf/heartbeat.ping", diff --git a/_shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859_sample.md b/_shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859_sample.md new file mode 100644 index 0000000000..d966bd9b57 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/c47d2c82-494e-400c-b804-d68fb7a60859_sample.md 
@@ -0,0 +1,118 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "AUTHN_ATTEMPT" + + ``` + 2025-12-09 08:23:52,682 trackingid="tid:D68VmhNKbQi3z3csgj0Hn_lc3iM" transactionid="2zjC3jlLX20MRKHaYiRX2ukOo" event="AUTHN_ATTEMPT" subject="" ip="192.0.2.11" connectionid="https://testcorpx.example.com" protocol="SAML20" pfhost="host06.test.example.com" role="IdP" status="success" responsetime="5" assertionid="" attrackingid="" attributes="" authenticationsourceid="adapter.AdpUserIdentificationForm" authnsessionexpiry="" connectionname="TestLearn" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.abc.cloud.testcorpx" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="D68VmhNKaQi3z3csgj0Hn_lc3iM" virtualserverid=https://hub-mtls.auth.example.com + ``` + + + +=== "AUTHN_REQUEST" + + ``` + 2025-08-30 22:27:50,026 trackingid="tid:EfRuCLHmleA0JggggnFQHAaUiKI" transactionid="sbK3tzaevezYmWSQcJgCoJppH" event="AUTHN_REQUEST" subject="j.doe" ip="192.0.2.10" connectionid="https://eu.example.com/auth/saml/sp/metadata/ag9lfndlYmZpbGluZ3MtZXVyFAsSB0FjY291bnQYgIDA8syI6ggM/" protocol="SAML20" pfhost="host05.test.example.com" role="SP" status="inprogress" responsetime="6" assertionid="" attrackingid="" attributes="" authenticationsourceid="idpConnection.https://login.auth.example.com/PasswordProtectedTransport" authnsessionexpiry="" connectionname="TestApp (Vendor)" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="wXY3g0jmB0nnThH_bfO-z.Y82Lo" sri="EfRuCLHmleA0JggggnFQHAaUiKI" virtualserverid="https://hub-mtls.auth.example.com" + ``` + + + +=== 
"AUTHN_SESSIONS_DELETED" + + ``` + 2025-09-01 15:15:34,068 trackingid="tid:nkWHFLhf2dsvdFckMbwF1NU_j8g" transactionid="snJEcQqMQvYQe2WIsraji9ZtK" event="AUTHN_SESSIONS_DELETED" subject="" ip="192.0.2.12" connectionid="" protocol="" pfhost="host01.test.internal.test" role="IdP" status="success" responsetime="44" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.test" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="nkWHFLhf2dsvdFckMbwF1NU_j8g..tbPV" virtualserverid="" + ``` + + + +=== "AUTHN_SESSION_CREATED" + + ``` + 2025-08-30 22:27:50,474 trackingid="tid:vpYkkHbUv895EJQob3vhMrTbIgc" transactionid="DW83XpRRPgoKBAY7gru6YIR81" event="AUTHN_SESSION_CREATED" subject="" ip="192.0.2.10" connectionid="https://hub.auth.example.com/PasswordProtectedTransport" protocol="SAML20" pfhost="host03.test.internal.test" role="IdP" status="" responsetime="50" assertionid="" attrackingid="" attributes="" authenticationsourceid="adapter.AdpRequestedUser" authnsessionexpiry="2025-08-30 23:27:50.474+0000" connectionname="HUB Password Only" granttype="" X-Forwarded-Vip="login.auth.test.internal.test" X-Forwarded-Host="login.auth.example.com" trustedNetwork="YES" requestid="" sri="vpYkkHbUv895EJQob3vhMrTbIgc..s3rm" virtualserverid="https://login.auth.example.com/PasswordProtectedTransport" + ``` + + + +=== "AUTHN_SESSION_USED" + + ``` + 2025-09-02 12:08:59,880 trackingid="tid:fu6aEL29MEj1AKRn3_wSMGWwo5A" transactionid="wHZWQNR6r0JHSW9yizXSXC8zD" event="AUTHN_SESSION_USED" subject="" ip="192.0.2.16" connectionid="https://testapp-uat.example.com/" protocol="SAML20" pfhost="host04.test.example.com" role="IdP" status="" responsetime="30" assertionid="" attrackingid="" attributes="" authenticationsourceid="idpConnection.https://login.auth.example.com/strong" authnsessionexpiry="2025-09-02 14:35:59.863+0000" connectionname="TestID UAT saml" 
granttype="" X-Forwarded-Vip="hub-mtls.auth.test.example.com" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="HqFnER4GNYadajPW5xa6.JSIr-A" sri="fu6aEL29MEj1AKRn3_wSMGWwo5A..trpv" virtualserverid="https://hub-mtls.auth.example.com" + ``` + + + +=== "OAuth" + + ``` + 2025-09-02 04:49:16,008 trackingid="tid:SA-zhKZOqk6yVnZo5ldqkPBGfRQ" transactionid="Jk8NwdiVkax3KfSl9AtzarYxC" event="OAuth" subject="j.doe" ip="192.0.2.14" connectionid="01957ee4-3206-7f2b-a0c5-d6794cd50d40" protocol="OAuth20" pfhost="host04.test.internal.test" role="AS" status="failure" responsetime="88" assertionid="e-x8HOQUiqLKkGO-Qjsn5G4ySqZ" attrackingid="" attributes="SAML_AUTHN_INSTANT=2025-09-02T04:49:15.745Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" authenticationsourceid="" authnsessionexpiry="" connectionname="TestPortal" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.internal.test" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="Zu-.Wa5Gz5dCfoJ1MXO5dN7yzQH" sri="SA-zhKZOqk6yVnZo5ldqkPBGfRQ..tndL" virtualserverid="https://hub.auth.example.com/strong" + ``` + + + +=== "SLO" + + ``` + 2025-09-01 17:03:55,086 trackingid="tid:4QVg-5IEEJKY_3L7G70fbISqvZQ" transactionid="kYweNpnacjZIqO2hVKMiz2GSN" event="SLO" subject="" ip="192.0.2.13" connectionid="01957ee4-3206-7f2b-a0c5-d6794cd50d40" protocol="OIDC" pfhost="host02.test.internal.test" role="AS" status="success" responsetime="17" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="TestPortal" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP" virtualserverid="https://hub-mtls.auth.example.com" + ``` + + + +=== "SRI_REVOKED" + + ``` + 2025-09-01 17:03:57,186 
trackingid="tid:4QVg-5IEEJKY_3L7G70fbISqvZQ" transactionid="BPMc3SYoQHrXqskFsBQVe1bVR" event="SRI_REVOKED" subject="" ip="192.0.2.13" connectionid="" protocol="" pfhost="host02.test.internal.test" role="IdP" status="success" responsetime="57" assertionid="" attrackingid="" attributes="" authenticationsourceid="" authnsessionexpiry="" connectionname="" granttype="" X-Forwarded-Vip="hub-mtls.auth.infra.cloud.test.testcorp" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="" sri="4QVg-5IEEJKY_3L7G70fbISqvZQ..tdGP" virtualserverid="" + ``` + + + +=== "SSO" + + ``` + 2025-09-02 02:10:08,024 trackingid="tid:ehyqnk7ad5LMT2Cy03kgCgx2wPg" transactionid="LyPg0FbetfoyVw624lDxuktdk" event="SSO" subject="j.doe" ip="192.0.2.15" connectionid="https://app01.example.com/ssoagent" protocol="SAML20" pfhost="host04.test.example.com" role="IdP" status="failure" responsetime="86" assertionid="sC7AvBm1doxsGBy7ehlR1ik.4ZS" attrackingid="" attributes="SAML_AUTHN_INSTANT=2025-09-02T02:10:07.629Z, SAML_AUTHN_CTX=urn:testcorp:oneaccess:ac:classes:strong, SAML_SUBJECT=testuser2, SAML_NAME_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" authenticationsourceid="" authnsessionexpiry="" connectionname="TestRegion_HRM" granttype="" X-Forwarded-Vip="hub-mtls.auth.test.example.com" X-Forwarded-Host="hub-mtls.auth.example.com" trustedNetwork="YES" requestid="o8ere_Dij45ft_zFRmzhBt6wimN" sri="ehyqnk7ad5LMT2Cy03kgCgx2wPg..tlH_" virtualserverid="https://hub-mtls.auth.example.com" + ``` + + + +=== "cookies" + + ``` + 2025-09-02 11:02:32,869 tid:Z8I1vdotGu084PB7b2HrQ0A1kKU DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{OXS-U2A=hashedValue:Z8I1vdotGu084PB7b2HrQ0A1kKU; path=/; maxAge=-1; domain=.auth-int.example.com} + ``` + + + +=== "heartbeat" + + ``` + 2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [org.sourceid.websso.servlet.IntegrationControllerServlet] GET: 
https://hub-mtls.auth-int.test.example.com/pf/heartbeat.ping + ``` + + + +=== "http_access" + + ``` + 1.2.3.4 - john.doe [02/Sep/2025:13:02:34 +0000] "GET /pf/heartbeat.ping HTTP/1.1" 200 156 + ``` + + + +=== "locale" + + ``` + 2025-09-02 11:02:34,353 tid:Q08PzbPCjfSJL8sbIj88OLO5YWg DEBUG [com.pingidentity.locale.LocaleUtil] Locale Override: none + ``` + + + +=== "tracking" + + ``` + 2025-09-02 11:02:34,352 DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] The incoming request does not contain a unique identifier. Assigning auto-generated request ID: C1CjegPq3VckLYpvYlzZEGTBe + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 77931b65cb..f9e64e4753 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -1482,6 +1482,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "audit": { "object_id": "objectid-1" }, + "mip": { + "label_name": "Internal" + }, "record_id": "id-1", "record_type": 43, "user_type": { 
@@ -1514,7 +1517,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2025-11-25T10:41:35\",\"Id\":\"TEST_RECORD_ID\",\"Operation\":\"Add application.\",\"OrganizationId\":\"ANONYMIZED_VALUE\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"UserKey\":\"user1\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ObjectId\":\"Application_123123123123213\",\"UserId\":\"user1\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"AppId\\\":\\\"TEST_APP_Id\\\",\\\"Source\\\":\\\"{\\\\\\\"TYPE\\\\\\\":\\\\\\\"USER\\\\\\\",\\\\\\\"OBJECT ID\\\\\\\":\\\\\\\"e0e46298-ec85-4e8e-8efb-3d4c0df02778\\\\\\\"}\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"}],\"ModifiedProperties\":[{\"Name\":\"AppAddress\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"AddressType\\\": 0,\\r\\n \\\"Address\\\": \\\"https://*.services.adobe.com/federated/saml/SSO/alias/*\\\",\\r\\n \\\"ReplyAddressClientType\\\": 0,\\r\\n \\\"ReplyAddressIndex\\\": null,\\r\\n \\\"IsReplyAddressDefault\\\": false\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"TEST_APP_Id\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"Adobe Identity Management (SAML)\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Entitlement\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"EntitlementEncodingVersion\\\": 2,\\r\\n \\\"EntitlementId\\\": \\\"abfb7ab0-bfe1-483b-b457-d10e9bf9b07d\\\",\\r\\n \\\"IsDisabled\\\": false,\\r\\n \\\"Origin\\\": 0,\\r\\n \\\"Name\\\": \\\"Access Adobe Identity Management (SAML)\\\",\\r\\n \\\"Description\\\": \\\"Allow the application to access Adobe Identity Management (SAML) on behalf of the signed-in user.\\\",\\r\\n \\\"Definition\\\": null,\\r\\n \\\"ClaimValue\\\": 
\\\"user_impersonation\\\",\\r\\n \\\"ResourceScopeType\\\": 1,\\r\\n \\\"IsPrivate\\\": false,\\r\\n \\\"UserConsentDisplayName\\\": \\\"Access Adobe Identity Management (SAML)\\\",\\r\\n \\\"UserConsentDescription\\\": \\\"Allow the application to access Adobe Identity Management (SAML) on your behalf.\\\",\\r\\n \\\"DirectAccessGrantTypes\\\": [],\\r\\n \\\"ImpersonationAccessGrantTypes\\\": [\\r\\n {\\r\\n \\\"Impersonator\\\": 29,\\r\\n \\\"Impersonated\\\": 20\\r\\n }\\r\\n ],\\r\\n \\\"EntitlementCategory\\\": 0,\\r\\n \\\"DependentMicrosoftGraphPermissions\\\": [],\\r\\n \\\"IsPreauthzOnlyDirectAccessGrant\\\": false,\\r\\n \\\"IsPreauthzOnlyImpersonationGrant\\\": false\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"PublicClient\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"WwwHomepage\",\"NewValue\":\"[\\r\\n \\\"https://*.services.adobe.com/federated/saml/SSO/alias/*?metadata=adobeidentitymanagement|ISV9.1|primary|z\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"PublisherDomain\",\"NewValue\":\"[\\r\\n \\\"ocd-testing.com\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"SignInAudience\",\"NewValue\":\"[\\r\\n \\\"AzureADMyOrg\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppAddress, AppId, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage, PublisherDomain, SignInAudience\",\"OldValue\":\"\"}],\"Actor\":[{\"ID\":\"AAD App Management\",\"Type\":1},{\"ID\":\"f0ae4899-d877-4d3c-ae25-679e38eea492\",\"Type\":2},{\"ID\":\"user1\",\"Type\":2},{\"ID\":\"4d0745aa-f7e3-424b-8228-6c3455fa8af1\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2}],\"ActorContextId\":\"ANONYMIZED_VALUE\",\"InterSystemsId\":\"TEST_CORRELATION_ID\",\"IntraSystemId\":\"00000000-0000-0000-0000-000000000000\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_123123123123213\",\"Type\":2},{\"ID\":\"123123123123213\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"Adobe 
Identity Management (SAML)\",\"Type\":1},{\"ID\":\"TEST_APP_Id\",\"Type\":2}],\"TargetContextId\":\"ANONYMIZED_VALUE\"}", + "message": "{\"CreationTime\":\"2025-11-25T10:41:35\",\"Id\":\"TEST_RECORD_ID\",\"Operation\":\"Add application.\",\"OrganizationId\":\"ANONYMIZED\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"UserKey\":\"user1\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ObjectId\":\"Application_123123123123213\",\"UserId\":\"user1\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"AppId\\\":\\\"TEST_APP_Id\\\",\\\"Source\\\":\\\"{\\\\\\\"TYPE\\\\\\\":\\\\\\\"USER\\\\\\\",\\\\\\\"OBJECT ID\\\\\\\":\\\\\\\"e0e46298-ec85-4e8e-8efb-3d4c0df02778\\\\\\\"}\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"}],\"ModifiedProperties\":[{\"Name\":\"AppAddress\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"AddressType\\\": 0,\\r\\n \\\"Address\\\": \\\"https://*.services.adobe.com/federated/saml/SSO/alias/*\\\",\\r\\n \\\"ReplyAddressClientType\\\": 0,\\r\\n \\\"ReplyAddressIndex\\\": null,\\r\\n \\\"IsReplyAddressDefault\\\": false\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"TEST_APP_Id\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"Adobe Identity Management (SAML)\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Entitlement\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"EntitlementEncodingVersion\\\": 2,\\r\\n \\\"EntitlementId\\\": \\\"abfb7ab0-bfe1-483b-b457-d10e9bf9b07d\\\",\\r\\n \\\"IsDisabled\\\": false,\\r\\n \\\"Origin\\\": 0,\\r\\n \\\"Name\\\": \\\"Access Adobe Identity Management (SAML)\\\",\\r\\n \\\"Description\\\": \\\"Allow the application to access Adobe Identity Management (SAML) on behalf of the signed-in user.\\\",\\r\\n \\\"Definition\\\": null,\\r\\n \\\"ClaimValue\\\": 
\\\"user_impersonation\\\",\\r\\n \\\"ResourceScopeType\\\": 1,\\r\\n \\\"IsPrivate\\\": false,\\r\\n \\\"UserConsentDisplayName\\\": \\\"Access Adobe Identity Management (SAML)\\\",\\r\\n \\\"UserConsentDescription\\\": \\\"Allow the application to access Adobe Identity Management (SAML) on your behalf.\\\",\\r\\n \\\"DirectAccessGrantTypes\\\": [],\\r\\n \\\"ImpersonationAccessGrantTypes\\\": [\\r\\n {\\r\\n \\\"Impersonator\\\": 29,\\r\\n \\\"Impersonated\\\": 20\\r\\n }\\r\\n ],\\r\\n \\\"EntitlementCategory\\\": 0,\\r\\n \\\"DependentMicrosoftGraphPermissions\\\": [],\\r\\n \\\"IsPreauthzOnlyDirectAccessGrant\\\": false,\\r\\n \\\"IsPreauthzOnlyImpersonationGrant\\\": false\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"PublicClient\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"WwwHomepage\",\"NewValue\":\"[\\r\\n \\\"https://*.services.adobe.com/federated/saml/SSO/alias/*?metadata=adobeidentitymanagement|ISV9.1|primary|z\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"PublisherDomain\",\"NewValue\":\"[\\r\\n \\\"ocd-testing.com\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"SignInAudience\",\"NewValue\":\"[\\r\\n \\\"AzureADMyOrg\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppAddress, AppId, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage, PublisherDomain, SignInAudience\",\"OldValue\":\"\"}],\"Actor\":[{\"ID\":\"AAD App Management\",\"Type\":1},{\"ID\":\"f0ae4899-d877-4d3c-ae25-679e38eea492\",\"Type\":2},{\"ID\":\"user1\",\"Type\":2},{\"ID\":\"4d0745aa-f7e3-424b-8228-6c3455fa8af1\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2}],\"ActorContextId\":\"ANONYMIZED\",\"InterSystemsId\":\"TEST_CORRELATION_ID\",\"IntraSystemId\":\"00000000-0000-0000-0000-000000000000\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_123123123123213\",\"Type\":2},{\"ID\":\"123123123123213\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"Adobe Identity 
Management (SAML)\",\"Type\":1},{\"ID\":\"TEST_APP_Id\",\"Type\":2}],\"TargetContextId\":\"ANONYMIZED\"}", "event": { "action": "Add application", "category": [ @@ -1610,7 +1613,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "organization": { - "id": "ANONYMIZED_VALUE" + "id": "ANONYMIZED" }, "related": { "user": [ @@ -6701,6 +6704,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.investigation.type` | `keyword` | Investigation type | |`office365.logon_error` | `keyword` | Logon error detailed reason | |`office365.machine_name` | `keyword` | Machine name | +|`office365.mip.label_name` | `keyword` | The name of the sensitivity label applied to the email message | |`office365.ofph` | `keyword` | | |`office365.operation.properties` | `object` | A list of objects describing the operation | |`office365.record_id` | `keyword` | Unique identifier of an audit record | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index 88cdec5d48..2b904fdb40 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md @@ -830,7 +830,7 @@ In this section, you will find examples of raw logs as generated natively by the "CreationTime": "2025-11-25T10:41:35", "Id": "TEST_RECORD_ID", "Operation": "Add application.", - "OrganizationId": "ANONYMIZED_VALUE", + "OrganizationId": "ANONYMIZED", "RecordType": 8, "ResultStatus": "Success", "UserKey": "user1", 
@@ -924,7 +924,7 @@ In this section, you will find examples of raw logs as generated natively by the "Type": 2 } ], - "ActorContextId": "ANONYMIZED_VALUE", + "ActorContextId": "ANONYMIZED", "InterSystemsId": "TEST_CORRELATION_ID", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", @@ -950,7 +950,7 @@ In this section, you will find examples of raw logs as generated natively by the "Type": 2 } ], - "TargetContextId": "ANONYMIZED_VALUE" + "TargetContextId": "ANONYMIZED" } ``` diff --git a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md index 13ac3f5351..03428dd73f 100644 --- a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md +++ b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | ---- | ------ | | Kind | `` | | Category | `process`, `session` | -| Type | `end`, `start` | +| Type | `end`, `info`, `start` | @@ -169,10 +169,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "session" ], - "outcome": "success", "reason": "Connexion d'une passerelle", "type": [ - "end" + "info" ] }, "observer": { 
@@ -629,6 +628,216 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "user_first_new_process.json" + + ```json + + { + "message": "johndoe@local New process: \"C:\\Windows\\System32\\RuntimeBroker.exe\"", + "event": { + "category": [ + "process" + ], + "outcome": "success", + "reason": "New process: \"C:\\Windows\\System32\\RuntimeBroker.exe\"", + "type": [ + "start" + ] + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "process": { + "executable": "C:\\Windows\\System32\\RuntimeBroker.exe" + }, + "related": { + "user": [ + "johndoe" + ] + }, + "user": { + "domain": "local", + "name": "johndoe" + } + } + + ``` + + +=== "user_first_other_1.json" + + ```json + + { + "message": "john.doe@Azure SSO idle saved.", + "event": { + "category": [ + "session" + ], + "reason": "SSO idle saved.", + "type": [ + "info" + ] + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "Azure", + "name": "john.doe" + } + } + + ``` + + +=== "user_first_other_2.json" + + ```json + + { + "message": "john.doe@Azure SSO Window closed: \"G:\\ - TreeSize Professional\"", + "event": { + "category": [ + "session" + ], + "reason": "SSO Window closed: \"G:\\ - TreeSize Professional\"", + "type": [ + "info" + ] + }, + "observer": { + "product": "Systancia Cleanroom", + "vendor": "Systancia" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "Azure", + "name": "john.doe" + } + } + + ``` + + +=== "user_first_other_3.json" + + ```json + + { + "message": "john.doe@Azure SSO key sequence :\"\"],\"subject\":[\"ANONYMIZED\"],\"message-id\":[\"20220912092800466772@example.net\"],\"x-mailer\":[\"Xwstoxzpk 1\"],\"from\":[\"\\\"Amazon\\\" \"]},\"parsedAddresses\":{\"fromDisplayNames\":[\"Amazon\"],\"from\":[\"user1@example.net\"],\"to\":[\"user2@example.org\"]},\"header\":{\"from\":[\"\\\"Amazon\\\" 
\"],\"message-id\":[\"<20220912092800466772@example.net>\"],\"x-mailer\":[\"Xwstoxzpk 1\"],\"subject\":[\"REDACTED\"],\"to\":[\"\"]},\"sizeBytes\":33366},\"filter\":{\"actions\":[{\"rule\":\"clean\",\"action\":\"add-header\",\"module\":\"av\"},{\"rule\":\"clean\",\"action\":\"continue\",\"module\":\"av\"},{\"action\":\"add-header\",\"module\":\"spam\",\"rule\":\"phish\"},{\"rule\":\"phish\",\"action\":\"copy\",\"module\":\"spam\"},{\"rule\":\"phish\",\"module\":\"spam\",\"action\":\"quarantine\"},{\"module\":\"spam\",\"action\":\"discard\",\"rule\":\"phish\",\"isFinal\":true}],\"modules\":{\"urldefense\":{\"counts\":{\"total\":5,\"unique\":2,\"rewritten\":5},\"version\":{\"engine\":\"15\"}},\"spam\":{\"langs\":[\"en\",\"jp\",\"pt\"],\"triggeredClassifier\":\"phish\",\"scores\":{\"overall\":100,\"engine\":100,\"classifiers\":{\"adult\":0,\"mlx\":100,\"impostor\":0,\"spam\":100,\"malware\":0,\"mlxlog\":-1000,\"phish\":100,\"suspect\":0,\"lowpriority\":0,\"bulk\":0}},\"version\":{\"definitions\":\"main-2209120003\",\"engine\":\"8.19.0-2204280000\"}},\"spf\":{\"domain\":\"yokm.net\",\"result\":\"none\"},\"dmarc\":{\"records\":[{\"error\":\"NXDOMAIN\",\"query\":\"_dmarc.yokm.net\"}],\"filterdResult\":\"none\",\"authResults\":[{\"method\":\"spf\",\"emailIdentities\":{\"smtp.mailfrom\":\"user1@example.net\"},\"result\":\"none\"},{\"method\":\"dmarc\",\"result\":\"none\"}],\"srvid\":\"ppops.net\"}},\"suborgs\":{\"sender\":\"0\",\"rcpts\":[\"0\"]},\"isMsgInDigest\":true,\"routeDirection\":\"internal\",\"verified\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"msgSizeBytes\":33278,\"routes\":[\"allow_relay\",\"default_inbound\",\"firewallsafe\",\"internalnet\"],\"durationSecs\":0.356614,\"delivered\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"disposition\":\"discard\",\"qid\":\"3jgptm9dux-1\",\"quarantine\":{\"module\":\"spam\",\"folderId\":\"phish\",\"type\":\"quarantine\",\"folder\":\"Phish\",\"rule\":\"phish\"}},\"guid\":\"5PVdahx3PMGFONShVUQ19uni34-uVQRm\",\"type\":\"message
\"}\n", + "message": "{\"metadata\":{\"origin\":{\"data\":{\"cid\":\"proofpointdemo_cloudadminuidemo_hosted\",\"agent\":\"m0169161.ppops.net\",\"version\":\"8.19.0.1216\"}}},\"ts\":\"2022-09-11T18:28:19.902627-0700\",\"envelope\":{\"from\":\"user1@example.net\",\"rcpts\":[\"ceo@exec.vogon.science\"]},\"connection\":{\"host\":\"1-2-3-4.example.com\",\"ip\":\"5.6.7.8\",\"sid\":\"3jgptm9dux\",\"tls\":{\"inbound\":{\"version\":\"TLSv1.2\",\"cipherBits\":256,\"cipher\":\"ECDHE-RSA-AES256-GCM-SHA384\"}},\"country\":\"us\",\"protocol\":\"smtp:smtp\",\"resolveStatus\":\"ok\",\"helo\":\"selabfork.ppslab.net\"},\"msg\":{\"lang\":\"ja\",\"normalizedHeader\":{\"to\":[\"\"],\"subject\":[\"ANONYMIZED\"],\"message-id\":[\"20220912092800466772@example.net\"],\"x-mailer\":[\"Xwstoxzpk 1\"],\"from\":[\"\\\"Amazon\\\" \"]},\"parsedAddresses\":{\"fromDisplayNames\":[\"Amazon\"],\"from\":[\"user1@example.net\"],\"to\":[\"user2@example.org\"]},\"header\":{\"from\":[\"\\\"Amazon\\\" \"],\"message-id\":[\"<20220912092800466772@example.net>\"],\"x-mailer\":[\"Xwstoxzpk 
1\"],\"subject\":[\"REDACTED\"],\"to\":[\"\"]},\"sizeBytes\":33366},\"filter\":{\"actions\":[{\"rule\":\"clean\",\"action\":\"add-header\",\"module\":\"av\"},{\"rule\":\"clean\",\"action\":\"continue\",\"module\":\"av\"},{\"action\":\"add-header\",\"module\":\"spam\",\"rule\":\"phish\"},{\"rule\":\"phish\",\"action\":\"copy\",\"module\":\"spam\"},{\"rule\":\"phish\",\"module\":\"spam\",\"action\":\"quarantine\"},{\"module\":\"spam\",\"action\":\"discard\",\"rule\":\"phish\",\"isFinal\":true}],\"modules\":{\"urldefense\":{\"counts\":{\"total\":5,\"unique\":2,\"rewritten\":5},\"version\":{\"engine\":\"15\"}},\"spam\":{\"langs\":[\"en\",\"jp\",\"pt\"],\"triggeredClassifier\":\"phish\",\"scores\":{\"overall\":100,\"engine\":100,\"classifiers\":{\"adult\":0,\"mlx\":100,\"impostor\":0,\"spam\":100,\"malware\":0,\"mlxlog\":-1000,\"phish\":100,\"suspect\":0,\"lowpriority\":0,\"bulk\":0}},\"version\":{\"definitions\":\"main-2209120003\",\"engine\":\"8.19.0-2204280000\"}},\"spf\":{\"domain\":\"example.net\",\"result\":\"none\"},\"dmarc\":{\"records\":[{\"error\":\"NXDOMAIN\",\"query\":\"_dmarc.example.net\"}],\"filterdResult\":\"none\",\"authResults\":[{\"method\":\"spf\",\"emailIdentities\":{\"smtp.mailfrom\":\"user1@example.net\"},\"result\":\"none\"},{\"method\":\"dmarc\",\"result\":\"none\"}],\"srvid\":\"ppops.net\"}},\"suborgs\":{\"sender\":\"0\",\"rcpts\":[\"0\"]},\"isMsgInDigest\":true,\"routeDirection\":\"internal\",\"verified\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"msgSizeBytes\":33278,\"routes\":[\"allow_relay\",\"default_inbound\",\"firewallsafe\",\"internalnet\"],\"durationSecs\":0.356614,\"delivered\":{\"rcpts\":[\"ceo@exec.vogon.science\"]},\"disposition\":\"discard\",\"qid\":\"3jgptm9dux-1\",\"quarantine\":{\"module\":\"spam\",\"folderId\":\"phish\",\"type\":\"quarantine\",\"folder\":\"Phish\",\"rule\":\"phish\"}},\"guid\":\"5PVdahx3PMGFONShVUQ19uni34-uVQRm\",\"type\":\"message\"}\n", "event": { "action": "discard", "category": [ 
@@ -223,6 +223,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "cluster": { "id": "proofpointdemo_cloudadminuidemo_hosted" }, + "dmarc": { + "result": "none" + }, "modules": [ "dmarc", "spam", @@ -247,6 +250,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "sender": "user1@example.net" }, + "spf": { + "domain": "example.net", + "result": "none" + }, "threat": { "scores": { "adult": 0, @@ -602,6 +609,7 @@ The following table lists the fields that are extracted, normalized under the EC |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`proofpoint.pod.cluster.id` | `keyword` | The name of the cluster which processed the message | +|`proofpoint.pod.dmarc.result` | `keyword` | | |`proofpoint.pod.file_metadata.appname` | `keyword` | | |`proofpoint.pod.file_metadata.author` | `keyword` | | |`proofpoint.pod.file_metadata.create_dtm` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_sample.md b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_sample.md index ccacf94e27..53c0e965fc 100644 --- a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_sample.md +++ b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_sample.md @@ -381,14 +381,14 @@ In this section, you will find examples of raw logs as generated natively by the } }, "spf": { - "domain": "yokm.net", + "domain": "example.net", "result": "none" }, "dmarc": { "records": [ { "error": "NXDOMAIN", - "query": "_dmarc.yokm.net" + "query": "_dmarc.example.net" } ], "filterdResult": "none", 
diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index a4ece4fd29..6b6159b0d2 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md @@ -236,7 +236,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "vadesecure": { "attachments": [], "auth_results_details": { - "dkim": "none", "dmarc": "fail", "spf": "temperror" }, @@ -467,7 +466,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "auth_results_details": { "dkim": "fail", - "dmarc": "none", "spf": "temperror" }, "from_header": "John DOE ", diff --git a/_shared_content/operations_center/integrations/generated/ec7fd978-5526-42c8-acd5-e1b4aa752a73.md b/_shared_content/operations_center/integrations/generated/ec7fd978-5526-42c8-acd5-e1b4aa752a73.md index a997a0304d..718eae02a4 100644 --- a/_shared_content/operations_center/integrations/generated/ec7fd978-5526-42c8-acd5-e1b4aa752a73.md +++ b/_shared_content/operations_center/integrations/generated/ec7fd978-5526-42c8-acd5-e1b4aa752a73.md @@ -32,7 +32,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "info" ], - "id": "00000000-0000-0000-0000-000000000000", "kind": "alert", "severity": 1, "type": [ @@ -116,13 +115,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "5c418977-9069-49d1-936c-28586fe5c2a2" } }, - "sekoiaio": { - "intake": { - "dialect": "test", - "dialect_uuid": "00000000-0000-0000-0000-000000000000", - "parsing_status": "success" - } - }, "source": { "address": "10.80.10.254", "ip": "10.80.10.254", 
@@ -144,7 +136,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "info" ], - "id": "00000000-0000-0000-0000-000000000000", "kind": "alert", "severity": 1, "type": [ @@ -255,13 +246,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "5c418977-9069-49d1-936c-28586fe5c2a2" } }, - "sekoiaio": { - "intake": { - "dialect": "test", - "dialect_uuid": "00000000-0000-0000-0000-000000000000", - "parsing_status": "success" - } - }, "source": { "address": "10.0.12.254", "ip": "10.0.12.254", @@ -359,7 +343,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "info" ], - "id": "00000000-0000-0000-0000-000000000000", "kind": "alert", "severity": 1, "type": [ @@ -442,13 +425,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "br0" } }, - "sekoiaio": { - "intake": { - "dialect": "test", - "dialect_uuid": "00000000-0000-0000-0000-000000000000", - "parsing_status": "success" - } - }, "source": { "address": "10.0.101.50", "ip": "10.0.101.50", diff --git a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md index b7eea7af74..c96c371182 100644 --- a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md +++ b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md @@ -486,7 +486,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "aether": { "action": 13, "date": "2022-04-07T11:02:36.06", - "detection_technology": "null", "event_id": 1796693, "event_type": 1, "event_type_translated": "Exploit", 
@@ -497,8 +496,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "protection_mode": 0, "protection_mode_translated": "Undefined", "risk": false, - "security_event_type": 4, - "site_id": "null" + "security_event_type": 4 }, "host": { "name": "PC123" diff --git a/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4.md b/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4.md index 0bacdb64b6..6bab9fd839 100644 --- a/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4.md +++ b/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4.md @@ -27,6 +27,36 @@ In details, the following table denotes the type of events produced by this inte This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. +=== "L2ALD_ST_CTL_IN_EFFECT.json" + + ```json + + { + "message": "l2ald[111111]: L2ALD_ST_CTL_IN_EFFECT: ge-1/0/10.0: storm control in effect on the port", + "event": { + "action": "L2ALD_ST_CTL_IN_EFFECT", + "category": [ + "network" + ], + "kind": "event", + "provider": "l2ald", + "type": [ + "info" + ] + }, + "log": { + "description": "ge-1/0/10.0: storm control in effect on the port" + }, + "observer": { + "product": "ngfw", + "type": "firewall", + "vendor": "Juniper Networks" + } + } + + ``` + + === "RT_FLOW_SESSION_CLOSE_STANDARD.json" ```json 
diff --git a/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4_sample.md b/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4_sample.md index d25846828d..0e4c5d8886 100644 --- a/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4_sample.md +++ b/_shared_content/operations_center/integrations/generated/f5f05e2a-32fc-432d-9f00-11f490ae15f4_sample.md @@ -4,6 +4,14 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "L2ALD_ST_CTL_IN_EFFECT" + + ``` + l2ald[111111]: L2ALD_ST_CTL_IN_EFFECT: ge-1/0/10.0: storm control in effect on the port + ``` + + + === "RT_FLOW_SESSION_CLOSE_STANDARD" ```