diff --git a/docs/integrations/microsoft-azure/teams.md b/docs/integrations/microsoft-azure/teams.md
index b1677da67b..1a9f8f119c 100644
--- a/docs/integrations/microsoft-azure/teams.md
+++ b/docs/integrations/microsoft-azure/teams.md
@@ -2,14 +2,14 @@
id: teams
title: Microsoft Teams
sidebar_label: Microsoft Teams
-description: The Microsoft Teams app provides out-of-the-box dashboards to monitor users, teams, channels and permission changes.
+description: The Microsoft Teams app provides out-of-the-box dashboards to monitor users, teams, channels, and permission changes.
---
import useBaseUrl from '@docusaurus/useBaseUrl';
-The Microsoft Teams app provides out-of-the-box dashboards to monitor users, teams, channels and permission changes.
+The Microsoft Teams app provides out-of-the-box dashboards to monitor users, teams, channels, and permission changes.
## Log types
@@ -23,7 +23,6 @@ The Teams app provides visibility into the logging that Microsoft exposes in the
For more information, see Microsoft’s [list of Teams Activities](https://docs.microsoft.com/en-us/microsoftteams/audit-log-events#teams-activities).
-
### Sample log messages
```json
@@ -51,26 +50,29 @@ _sourceCategory="O365/General"
## Collecting logs
-This section has instructions for collecting logs for the Sumo App for Teams.
+This section has instructions for collecting logs for the Sumo Logic app for Teams.
### Collection process overview
To collect logs for Microsoft Teams, please configure an Office 365 Audit Source. The Teams logs will be present in the “Office 365 General Logs” context. Note, that if you are already collecting logs for Office 365, you can simply make note of the source category configured for the aforementioned context.
+## Installing the Microsoft Teams app
+
+This section shows you how to install the Sumo Logic app for Microsoft Teams.
-## Installing the Microsoft Teams App
+import AppInstall2 from '../../reuse/apps/app-install-v2.md';
-This section shows you how to install the Sumo Logic App for Microsoft Teams.
+
-import AppInstall from '../../reuse/apps/app-install.md';
+## Viewing Microsoft Teams dashboards
-
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
-## Viewing Microsoft Teams Dashboards
+
### Overview
-The Teams - Overview dashboard provides an at-a-glance view of the state of your Teams environment in terms of user sessions, teams and channel activity, and user role changes
+The **Teams - Overview** dashboard provides an at-a-glance view of the state of your Teams environment in terms of user sessions, teams and channel activity, and user role changes.
Use this dashboard to:
* Identify user sessions relative to their locations.
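Review bot: the new `AppInstall2` and `ViewDashboards` imports replace `AppInstall`, but nothing visible in this hunk renders either component; the line after each import is an empty `+` line. Check that the component tags are actually present under "Installing the Microsoft Teams app" and "Viewing Microsoft Teams dashboards", otherwise both sections publish as a bare heading and the imports are dead code. The `App` to `app` heading change is consistent with the rest of the patch.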
@@ -82,7 +84,7 @@ Use this dashboard to:
### User Sessions
-The Teams - User Sessions dashboard provides an in depth view of the user logins and related statistics in your Teams environment
+The **Teams - User Sessions** dashboard provides an in depth view of the user logins and related statistics in your Teams environment.
Use this dashboard to:
* Identify user sessions relative to their locations and compare login statistics over time.
@@ -93,7 +95,7 @@ Use this dashboard to:
### Team Statistics
-The Teams - Team Statistics dashboard offers complete details on the Team activity occurring in your organization.
+The **Teams - Team Statistics** dashboard offers complete details on the Team activity occurring in your organization.
Use this dashboard to:
* Gain insight into teams being added and removed.
@@ -102,10 +104,9 @@ Use this dashboard to:
-
### Channel Statistics
-The Teams - Channel Statistics dashboard offers complete visibility into the Channel activity occurring in your Teams.
+The **Teams - Channel Statistics** dashboard offers complete visibility into the Channel activity occurring in your Teams.
Use this dashboard to:
* Gain insight into the channels being added and removed.
@@ -115,13 +116,24 @@ Use this dashboard to:
-
### User and Role Changes
-The Teams - User and Role Changes dashboard provides insight on the user and role changes being applied in your environment.
+The **Teams - User and Role Changes** dashboard provides insight on the user and role changes being applied in your environment.
Use this dashboard to:
* Report on the users making role changes and the top object types being affected.
* Understand how members are being added, removed, and changed by object name.
+
+## Upgrading the Microsoft Teams app (optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+
+
+## Uninstalling the Microsoft Teams app (optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+
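Review bot: both new sections consist of an import (`AppUpdate`, `AppUninstall`) followed only by blank `+` lines; confirm the reusable component is rendered after each import, since an import with no usage leaves the "Upgrading" and "Uninstalling" headings empty on the published page. The install, view dashboards, upgrade, uninstall ordering used here is the one the other app pages should follow.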
diff --git a/docs/integrations/saas-cloud/gmail-tracelogs.md b/docs/integrations/saas-cloud/gmail-tracelogs.md
index ca207557b0..b3f94b3d00 100644
--- a/docs/integrations/saas-cloud/gmail-tracelogs.md
+++ b/docs/integrations/saas-cloud/gmail-tracelogs.md
@@ -161,22 +161,31 @@ import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
-
+## Viewing the Gmail Trace Logs dashboards
-## Viewing Gmail Trace Logs Dashboards
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
-**All dashboard have a set of filters** that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.
+
-You can use filters to drill down and examine the data on a granular level. Filters include client country, client device type, client IP, client request host, client request URI, client request user agent, edge response status, origin IP, and origin response status.
+### Security Overview
-**Each panel has a set of filters** that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.
-
-### Security Overview Dashboard
-
-**Gmail Trace Logs - Security Overview**. This dashboard lets you monitor spam messages, malware threats, dropped messages, and rejected messages.
+The **Gmail Trace Logs - Security Overview** dashboard lets you monitor spam messages, malware threats, dropped messages, and rejected messages.
-**CrowdStrike Analysis**. To protect your organisation from threats, the app also scans the SHA256 hash of Gmail attachments with CrowdStrike's threat detection service.
+The **CrowdStrike Analysis**. To protect your organisation from threats, the app also scans the SHA256 hash of Gmail attachments with CrowdStrike's threat detection service.
+
+## Upgrading the Microsoft Teams app (optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+
+
+## Uninstalling the Microsoft Teams app (optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+
+
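Review bot: the two sections added at the end of this hunk are titled "Upgrading the Microsoft Teams app (optional)" and "Uninstalling the Microsoft Teams app (optional)", but this file is `gmail-tracelogs.md`; both headings should read "... the Gmail Trace Logs app (optional)". The edit to the CrowdStrike paragraph also introduces a sentence fragment: `The **CrowdStrike Analysis**. To protect your organisation from threats, ...` is not grammatical, so either drop the added "The" and keep the original bold-label form, or fold the label into a complete sentence. Minor: "organisation" here versus "organization" on the Teams page in the same patch; pick one spelling for the docs set.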
diff --git a/docs/integrations/saas-cloud/microsoft-exchange-trace-logs.md b/docs/integrations/saas-cloud/microsoft-exchange-trace-logs.md
index 7a3563a00e..d1d6fc0085 100644
--- a/docs/integrations/saas-cloud/microsoft-exchange-trace-logs.md
+++ b/docs/integrations/saas-cloud/microsoft-exchange-trace-logs.md
@@ -115,17 +115,28 @@ import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
-## Viewing Microsoft Exchange Trace Logs Dashboards
+## Upgrading the Microsoft Exchange Trace Logs app (optional)
-* All dashboard have a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.
-* You can use filters to drill down and examine the data on a granular level. Filters include client country, client device type, client IP, client request host, client request URI, client request user agent, edge response status, origin IP, and origin response status.
-* Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.
+import AppUpdate from '../../reuse/apps/app-update.md';
-### Overview
+
+
+## Uninstalling the Microsoft Exchange Trace Logs app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+
-**Microsoft Exchange Trace Logs - Overview**. The Dashboard provides information on the delivery status of messages, including outliers, and a summary of the message size.
+## Viewing Microsoft Exchange Trace Logs dashboards
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+
+
+### Overview
+The **Microsoft Exchange Trace Logs - Overview** dashboard provides information on the delivery status of messages, including outliers, and a summary of the message size.
### Message Monitoring
-**Microsoft Exchange Trace Logs - Message Monitoring**. The Dashboard mainly focuses on the message traffic, including the number of unique senders and receivers and their domains. It shows the geographical locations of senders, receivers, and failed messages, and performs security threat analysis on the senders. Additionally, it displays the top 10 senders.
+The **Microsoft Exchange Trace Logs - Message Monitoring** dashboard mainly focuses on the message traffic, including the number of unique senders and receivers and their domains. It shows the geographical locations of senders, receivers, and failed messages, and performs security threat analysis on the senders. Additionally, it displays the top 10 senders.
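Review bot: the "Upgrading" and "Uninstalling" sections are inserted ahead of "Viewing Microsoft Exchange Trace Logs dashboards", so this page now reads install, upgrade, uninstall, then view dashboards, while the other app pages in this change place upgrade and uninstall last. Move the two sections after "Message Monitoring" for consistency. The casing also differs within the hunk: "(optional)" on the Upgrading heading, "(Optional)" on the Uninstalling heading. As elsewhere in the patch, each import (`AppUpdate`, `AppUninstall`, `ViewDashboards`) is followed only by blank `+` lines; confirm the component tags are present.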
diff --git a/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md b/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
index 604cc33308..dc0ee1d369 100644
--- a/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
+++ b/docs/integrations/security-threat-detection/threat-intel-quick-analysis.md
@@ -27,7 +27,7 @@ import AppInstall from '../../reuse/apps/app-install.md';
## Threat Intel optimization
-The Threat Intel Quick Analysis App provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
+The Threat Intel Quick Analysis app provides baseline queries. You can further optimize and enhance these queries for the log and events types being scanned for threats. To see the queries, open a [dashboard in the app](#viewing-threat-intel-quick-analysis-dashboards), click the three-dot kebab in the upper-right corner of the dashboard panel, and select **Open in Log Search**.
Use the following guidelines to customize your Threat Intel queries:
* Filter out unwanted logs before you use lookup operator
@@ -44,7 +44,7 @@ _sourceCategory=cylance "IP Address"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address
```
-
-1. Now, you can run your Threat Intel query on top of this view:
+2. Now, you can run your Threat Intel query on top of this view:
```sql
_view=cylance_threat
| count by src_ip
```
-
+## JSON configuration object
+
+#### `malicious_confidence`
+
+**Data Type:** string
+**Description:** Indicates a confidence level by which an indicator is considered to be malicious. For example, a malicious file hash may always have a value of high while domains and IP addresses will very likely change over time. The malicious confidence level is also represented under the labels list in the JSON data structure.
+Once an indicator has been marked with a malicious confidence level, it continues to have that confidence level value until updated by CrowdStrike. If you think there is a false positive, please file a Support ticket, and we'll work with CrowdStrike to investigate the IOC in question and update the threat details.
+**Values:**
+ * high
+ * medium
+ * low
+ * unverified—This indicator has not been verified by a CrowdStrike Intelligence analyst or an automated system.
+ * null—Indicates that Sumo Logic has no information about the threat record.
+
+---
+#### `published_date`
+
+**Data Type:** Timestamp in standard Unix time, UTC.
+**Description:** This is the date the indicator was first published.
+
+---
+#### `last_updated`
+
+**Data Type**: Timestamp in standard Unix time, UTC.
+**Description**: This is the date the indicator was last updated in CrowdStrike internal database.
+
+---
+#### `malware_family`
+
+**Data Type**: string
+**Description**: Indicates the malware family an indicator has been associated with. An indicator may be associated with more than one malware family. The malware family list is also represented under the labels list in the JSON data structure.
+
+---
+#### `kill_chain`
+
+**Data Type:** string
+**Description:** The point in the kill chain at which an indicator is associated. The kill chain list is also represented under the labels list in the JSON data structure.
+**Values:**
+ * reconnaissance—This indicator is associated with the research, identification, and selection of targets by a malicious actor.
+ * weaponization—This indicator is associated with assisting a malicious actor create malicious content.
+ * delivery—This indicator is associated with the delivery of an exploit or malicious payload.
+ * exploitation—This indicator is associated with the exploitation of a target system or environment.
+ * installation—This indicator is associated with the installation or infection of a target system with a remote access tool or other tool allowing for persistence in the target environment.
+ * c2 (Command and Control)—This indicator is associated with malicious actor command and control.
+ * actionOnObjectives—This indicator is associated with a malicious actor's desired effects and goals.
+
+---
+#### `labels`
+
+**Data Type:** string
+**Description:** The Intel Indicators API provides additional context around an indicator via the labels list. Some of these labels, such as `malicious_confidence` are accessible via the top-level data structure. All labels, including their associated timestamps, will be accessible via the labels list. The url string will look like: `https://intelapi.crowdstrike.com/indicator/v1/search/labels?equal=DomainType/DynamicDNS`.
+
+
+
+
+
+ | IOC Type |
+ Values |
+
+
+
+
+ | DomainType |
+ - DomainType/ActorControlled—It is believed the malicious actor is still in control of this domain.
+ - DomainType/DGA—Domain is the result of malware utilizing a domain generation algorithm.
+ - DomainType/DynamicDNS—Domain is owned or used by a dynamic DNS service.
+ - DomainType/DynamicDNS/Afraid—Domain is owned or used by the Afraid.org dynamic DNS service.
+ - DomainType/DynamicDNS/DYN—Domain is owned or used by the DYN dynamic DNS service.
+ - DomainType/DynamicDNS/Hostinger—Domain is owned or used by the Hostinger dynamic DNS service.
+ - DomainType/DynamicDNS/noIP—Domain is owned or used by the NoIP dynamic DNS service.
+ - DomainType/DynamicDNS/Oray—Domain is owned or used by the Oray dynamic DNS service.
+ - DomainType/KnownGood—Domain itself (or the domain portion of a URL) is known to be legitimate, despite having been associated with malware or malicious activity.
+ - DomainType/LegitimateCompromised—Domain does not typically pose a threat but has been compromised by a malicious actor and may be serving malicious content.
+ - DomainType/PhishingDomain—Domain has been observed to be part of a phishing campaign.
+ - DomainType/Sinkholed—Domain is being sinkholed, likely by a security research team. This indicates that, while traffic to the domain likely has a malicious source, the IP address to which it is resolving is controlled by a legitimate 3rd party. It is no longer believed to be under the control of the actor.
+ - DomainType/StrategicWebCompromise—While similar to the DomainType/LegitimateCompromised label, this label indicates that the activity is of a more targeted nature. Often, targeted attackers will compromise a legitimate domain that they know to be a watering hole frequently visited by the users at the organizations they are looking to attack.
+ - DomainType/Unregistered—Domain is not currently registered with any registrars.
|
+
+
+ | EmailAddressType |
+ EmailAddressType/DomainRegistrant—Email address has been supplied in the registration information for known malicious domains.
+ EmailAddressType/SpearphishSender—Email address has been used to send spearphishing emails. |
+
+
+ | |
+ IntelNews: The Intel Flash Report ID an indicator is associated with (For example, IntelNews/NEWS-060520151900). |
+
+
+ | IPAddressType |
+ - IPAddressType/HtranDestinationNode—An IP address with this label is being used as a destination address with the HTran Proxy Tool.
+ - IPAddressType/HtranProxy—An IP address with this label is being used as a relay or proxy node with the HTran Proxy Tool.
+ - IPAddressType/LegitimateCompromised—It is suspected an IP address with this label is compromised by malicious actors.
+ - IPAddressType/Parking—IP address is likely being used as parking IP address.
+ - IPAddressType/PopularSite—IP address could be utilized for a variety of purposes and may appear more frequently than other IPs.
+ - IPAddressType/SharedWebHost—IP address may be hosting more than one website.
+ - IPAddressType/Sinkhole—IP address is likely a sinkhole being operated by a security researcher or vendor.
+ - IPAddressType/TorProxy—IP address is acting as a TOR (The Onion Router) Proxy Malware/PoisonIvy Malware/Zeus Malware/DarkComet
|
+
+
+ | Status |
+ - Status/ConfirmedActive—Indicator is likely to be currently supporting malicious activity
- Status/ConfirmedInactive—Indicator is no longer used for malicious purposes.
|
+
+
+ | Target |
+ The activity associated with this indicator is known to target the indicated vertical sector, which could be any of the following:
+ - Target/Aerospace Target/Agricultural Target/Chemical
+ - Target/Defense
+ - Target/Dissident
+ - Target/Energy
+ - Target/Extractive
+ - Target/Financial
+ - Target/Government
+ - Target/Healthcare
+ - Target/Insurance
+ - Target/InternationalOrganizations
+ - Target/Legal
+ - Target/Manufacturing
+ - Target/Media
+ - Target/NGO
+ - Target/Pharmaceutical
+ - Target/Research
+ - Target/Retail
+ - Target/Shipping
+ - Target/Technology
+ - Target/Telecom
+ - Target/Transportation
+ - Target/Universities
|
+
+
+ | ThreatType |
+ - ThreatType/ClickFraud—Indicator is used by actors engaging in click or ad fraud.
+ - ThreatType/Commodity—Indicator is used with commodity type malware such as Zeus or Pony Downloader.
+ - ThreatType/PointOfSale—Indicator is associated with activity known to target point-of-sale machines such as AlinaPoS or BlackPoS.
+ - ThreatType/Ransomware—Indicator is associated with ransomware malware such as Crytolocker or Cryptowall.
+ - ThreatType/Suspicious—Indicator is not currently associated with a known threat type but should be considered suspicious.
+ - ThreatType/Targeted—Indicator is associated with a known actor suspected to associated with a nation-state such as DEEP PANDA or ENERGETIC BEAR.
+ - ThreatType/TargetedCrimeware—Indicator is associated with a known actor suspected to be engaging in criminal activity such as WICKED SPIDER.
|
+
+
+ Vulnerability |
+ The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g. https://intelapi.crowdstrike.com/ind.../CVE-2012-0158 ) |
+
+
+
+
## Viewing Threat Intel Quick Analysis dashboards
All dashboards include filters that you can use in Interactive Mode for further analysis of your Threat Intel Quick Analysis data. Because the Threat Intel Quick Analysis has the most bearing on recent threats, most panels are set to the 15 minute time range. You can adjust time ranges as needed.
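Review bot: the new heading "## JSON configuration object" does not describe what follows. The fields documented under it (`malicious_confidence`, `published_date`, `last_updated`, `malware_family`, `kill_chain`, `labels`) are the attributes of the CrowdStrike indicator record that the `sumo://threat/cs` lookup returns, not a configuration object the user edits; a heading such as "Threat intel record fields" would match the content, and the subsections should be `###` rather than jumping from `##` to `####`. The labels table is not valid Markdown: the header is split across `| IOC Type |` and `Values |` with no `|---|---|` separator row, the `Vulnerability |` row has no leading pipe, the IntelNews row has an empty first cell, and most cells are multi-line `-` lists, which a Markdown table cannot carry. Either rebuild it as a two-column table with one row per label, or as a heading plus bullet list per IOC type. Within the cell text: `Target/Aerospace Target/Agricultural Target/Chemical` is three labels run together on one line; the TorProxy entry runs on into `Malware/PoisonIvy Malware/Zeus Malware/DarkComet`, which look like a separate `Malware` label group that lost its own row; `Crytolocker` should be `Cryptolocker`; `suspected to associated with a nation-state` is missing "be"; and the URL `https://intelapi.crowdstrike.com/ind.../CVE-2012-0158` is truncated and should be completed or removed rather than published with an ellipsis in the path.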
@@ -319,3 +495,15 @@ See the frequency of SHA-256 threats by Actor, Log Source, Malicious Confidence,
* **Threat Breakdown by Source.** Line chart of the number of SHA-256 threats over the last 60 minutes, broken down by source.
* **Threats by Actor.** Identifies Actors, if any, that can be attributed to SHA-256 threats over the last 15 minutes. Actors are identified individuals, groups or nation-states associated to threats.
* **Threat Table.** Aggregation Table of SHA-256 threats over the last 15 minutes.
+
+## Upgrading the Threat Intel Quick Analysis app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+
+
+## Uninstalling the Threat Intel Quick Analysis app (optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+
\ No newline at end of file
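Review bot: "(Optional)" on the Upgrading heading versus "(optional)" on the Uninstalling heading; the Teams page in this same patch uses lowercase, so use that here too. The file is also left without a trailing newline ("\ No newline at end of file"); add one so the next edit to this file does not produce a spurious diff on the last line. As on the other pages, the `AppUpdate` and `AppUninstall` imports are followed only by blank `+` lines; confirm the components are rendered.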