Refresh intakes documentation #2364
Open
wants to merge 1 commit into
base: main
Expand Up @@ -1869,6 +1869,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"dataset": "device_logon_events",
"outcome": "success",
"type": [
"info"
]
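Review bot: nothing in or around this hunk says which raw attribute of the `device_logon_events` record the parser derives `"outcome": "success"` from, so the expected output is asserted rather than explained; a sentence above the example naming the source field, and what the parser emits when that field is absent, would let a reader verify the value instead of taking it on faith.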
Expand Down Expand Up @@ -1948,6 +1949,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"dataset": "device_logon_events",
"outcome": "failure",
"type": [
"info"
]
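Review bot: `"outcome": "failure"` here and `"success"` in the hunk above cover two of the three values ECS allows for `event.outcome`; if this dataset can also produce `unknown`, or the field is simply omitted when the source gives no result, one example showing that case would document the parser's full behaviour.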
Expand Down Expand Up @@ -3399,6 +3401,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"dataset": "identity_logon_events",
"outcome": "failure",
"type": [
"info"
]
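Review bot: this failed identity logon carries `outcome: failure` but no `event.reason`, whereas the Windows 4625 example in this same PR sets `"reason": "user_not_exist"`; if the identity source exposes a failure reason, surfacing it here makes the example as actionable as the Windows one, and if it does not, a short note saying so stops readers assuming the field was dropped by mistake.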
Expand Down Expand Up @@ -3497,6 +3500,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"dataset": "identity_logon_events",
"outcome": "success",
"type": [
"info"
]
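Review bot: this successful logon keeps `"type": ["info"]`, while the Windows 4624 example later in this PR uses `"type": ["start"]` for the same `authentication` category with `outcome: success`; not introduced by this change, but now that `outcome` is documented next to `type`, either align the two or state why the identity dataset cannot mark a session start.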
Expand Down Expand Up @@ -3558,6 +3562,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"dataset": "identity_logon_events",
"outcome": "success",
"type": [
"info"
]
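Review bot: this is the third `identity_logon_events` example with identical `category`/`dataset`/`outcome`/`type` values; if these blocks are generated from the parser's test fixtures, a regeneration run should be what produced the diff, since a hand-inserted line here is the kind that drifts from real parser output. Worth confirming in the PR description.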
Expand Down Expand Up @@ -4186,6 +4191,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.directory` | `keyword` | Directory where the file is located. |
|`file.hash.md5` | `keyword` | MD5 hash. |
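Review bot: the new `event.outcome` row reuses the ECS description verbatim but does not list the allowed values; since the examples above only ever show `success` and `failure`, spelling out `success`, `failure`, `unknown` in the description tells readers what they can safely filter on. The row is correctly placed alphabetically between `event.kind` and `event.type`.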
Expand Up @@ -83,6 +83,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"message": "{\"user\":{\"target\":{\"name\":\"[email protected]\",\"domain\":\"EXAMPLE.LOCAL\"}},\"action\":{\"properties\":{\"EventType\":\"AUDIT_SUCCESS\",\"IpAddress\":\"::ffff:10.0.30.42\",\"IpPort\":\"57111\",\"Keywords\":\"0x8020000000000000\",\"LogonGuid\":\"{345a31bc-e0d8-4d9b-98e7-d7c27a2404f2}\",\"ProviderGuid\":\"{9341bdd5-a0aa-4978-8f7b-36d0c7f5de05}\",\"ServiceName\":\"eXampl-AZRWE-AA00$\",\"ServiceSid\":\"S-1-5-21-2222222-111111111-1197373316-51000\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"Status\":\"0x0\",\"TargetDomainName\":\"EXAMPLE.LOCAL\",\"TargetUserName\":\"[email protected]\",\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"TransmittedServices\":\"-\"},\"id\":4769},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4769},\"agent\":{\"id\":\"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\",\"version\":\"v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"eXampl-AZRWE-AAAA\",\"ip\":[\"fe80::76e9:3115:c5b4:aaaa\",\"10.0.11.1\"]},\"source\":{\"address\":\"10.0.11.11\",\"ip\":\"10.0.11.12\"},\"@timestamp\":\"2024-01-19T13:18:38.703193Z\"}",
"event": {
"code": "4769",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"@timestamp": "2024-01-19T13:18:38.703193Z",
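Review bot: the raw 4769 message carries both `EventType: AUDIT_SUCCESS` and `Status: 0x0`, and either could be what yields `"outcome": "success"`; the two can disagree in principle, so the doc should say whether the parser keys on the audit result or on the Kerberos status code, ideally with a failed ticket request as a second example.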
Expand Down Expand Up @@ -158,6 +159,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"message": "{\n \"user\": {\n \"id\": \"S-1-5-18\",\n \"name\": \"EXPL111$\",\n \"domain\": \"EXAMPLE\"\n },\n \"action\": {\n \"properties\": {\n \"ClientProcessId\": \"10704\",\n \"ClientProcessStartKey\": \"14918173765668009\",\n \"EventType\": \"AUDIT_SUCCESS\",\n \"FQDN\": \"EXPL111.example.org\",\n \"Keywords\": \"0x8020000000000000\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"RpcCallClientLocality\": \"0\",\n \"Severity\": \"LOG_ALWAYS\",\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"SubjectDomainName\": \"EXAMPLE\",\n \"SubjectLogonId\": \"0x3E7\",\n \"SubjectUserName\": \"EXPL111$\",\n \"SubjectUserSid\": \"S-1-5-18\",\n \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Author>EXAMPLE\\\\master</Author>\\r\\n <Description>d\u00e9ploiement de l'agent SYSMON sur les PC</Description>\\r\\n <URI>\\\\Agent Sysmon</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <TimeTrigger>\\r\\n <StartBoundary>2024-03-27T10:58:36</StartBoundary>\\r\\n <EndBoundary>2024-03-27T10:59:31</EndBoundary>\\r\\n <Enabled>true</Enabled>\\r\\n </TimeTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n <UserId>NT AUTHORITY\\\\System</UserId>\\r\\n <LogonType>S4U</LogonType>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\\r\\n <AllowHardTerminate>false</AllowHardTerminate>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <IdleSettings>\\r\\n <Duration>PT5M</Duration>\\r\\n <WaitTimeout>PT1H</WaitTimeout>\\r\\n 
<StopOnIdleEnd>false</StopOnIdleEnd>\\r\\n <RestartOnIdle>false</RestartOnIdle>\\r\\n </IdleSettings>\\r\\n <AllowStartOnDemand>true</AllowStartOnDemand>\\r\\n <Enabled>true</Enabled>\\r\\n <Hidden>false</Hidden>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\\r\\n <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>\\r\\n <Priority>7</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>\\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmon.exe</Command>\\r\\n <Arguments>-accepteula -i \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmonconfig-export.xml</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\",\n \"TaskName\": \"\\\\Agent Sysmon\"\n },\n \"id\": 4698\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Security-Auditing\",\n \"code\": 4698\n },\n \"agent\": {\n \"id\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"version\": \"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"\n },\n \"host\": {\n \"os\": {\n \"type\": \"windows\"\n },\n \"hostname\": \"EXPL111\",\n \"ip\": [\n \"1.2.3.4\"\n ]\n },\n \"process\": {\n \"parent\": {\n \"pid\": 1188\n }\n },\n \"@timestamp\": \"2024-03-27T09:58:31.8443945Z\"\n}",
"event": {
"code": "4698",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"@timestamp": "2024-03-27T09:58:31.844394Z",
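Review bot: for a 4698 (scheduled task created) record, `"outcome": "success"` presumably reflects `EventType: AUDIT_SUCCESS` rather than anything about the task itself; a sentence making that explicit stops readers from assuming `failure` would mean the task failed to run. The example is otherwise a good pick, since a task registered as `NT AUTHORITY\System` with `HighestAvailable` run level is exactly the kind of record people will pivot on.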
Expand Down Expand Up @@ -1122,6 +1124,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"message": "{\"action\":{\"properties\":{\"Application\":\"\\\\device\\\\harddisk\\\\windows\\\\system32\\\\test.exe\",\"Direction\":\"%%14593\",\"EventType\":\"AUDIT_SUCCESS\",\"FilterRTID\":\"72760\",\"Keywords\":\"0x8020000000000000\",\"LayerName\":\"%%14611\",\"LayerRTID\":\"48\",\"ProviderGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"RemoteMachineID\":\"S-1-0-0\",\"RemoteUserID\":\"S-1-0-0\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\"},\"id\":5156},\"destination\":{\"address\":\"1.2.3.4\",\"ip\":\"1.2.3.4\",\"port\":1},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":5156},\"agent\":{\"id\":\"72d68eb9bacfe73d21ff765b4e81aaec6934169b947daae740666327bd5f5e8c\",\"version\":\"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"hostname\",\"ip\":[\"5.6.7.8\"]},\"network\":{\"transport\":\"tcp\"},\"process\":{\"pid\":2184},\"source\":{\"address\":\"5.6.7.8\",\"ip\":\"5.6.7.8\",\"port\":2},\"@timestamp\":\"2024-07-19T14:10:28.962733Z\"}",
"event": {
"code": "5156",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"@timestamp": "2024-07-19T14:10:28.962733Z",
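Review bot: 5156 is the Windows Filtering Platform "permitted a connection" event, so `"outcome": "success"` reads as "the connection was allowed"; the natural contrast case is 5157 (blocked connection), and an example for it would show whether the parser emits `failure` there, which is the value a detection rule would actually key on.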
Expand Down Expand Up @@ -1199,6 +1202,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"code": "4624",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"start"
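Review bot: `outcome: success` paired with `type: ["start"]` is the ECS-conformant combination for a successful logon, and the key order (`code`, `outcome`, `provider`) stays sorted; one thing to confirm from the hunk context is that the parser never emits `event.reason` on 4624, so the success and failure examples truly reflect output rather than being edited by hand.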
Expand Down Expand Up @@ -1307,6 +1311,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"authentication"
],
"code": "4625",
"outcome": "failure",
"provider": "Microsoft-Windows-Security-Auditing",
"reason": "user_not_exist",
"type": [
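Review bot: `outcome: failure` with `reason: user_not_exist` is consistent, but the vocabulary of `event.reason` values the parser can emit for 4625 (the SubStatus codes map to several distinct causes) is not listed anywhere visible; since `outcome` and `reason` are now documented side by side, listing the possible reason values next to the outcome values would make this example generalizable.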
Expand Down Expand Up @@ -1505,6 +1510,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.code` | `keyword` | Identification code for this event. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
|`event.provider` | `keyword` | Source of the event. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
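Review bot: same row as in the other file, and the same gap: the description does not list the allowed `event.outcome` values. While here, the adjacent `event.reason` row is the only one without a trailing period; pre-existing, but a one-character fix in a documentation refresh.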