Sekoia.io Documentation
Query Builder
Initializing search
GitHub
Getting started
Sekoia Defend (XDR)
Sekoia Intelligence (CTI)
Sekoia.io TIP
Integrations
Sekoia.io Documentation
GitHub
Getting started
Getting started
Overview
Where to start
Workspace setup
Workspace setup
Join workspace
Create and manage communities
Account setup
Account setup
Create account
Setup account
Security and access
Security and access
Account security
Account security
Two-Factor Authentication
Security tokens
Workspace security
Workspace security
Session duration
Two-Factor Authentication
SSO with OpenID Connect
SSO with Microsoft Entra ID (Azure AD)
SSO with Okta
Users and roles
Users and roles
Invite users
Manage users
Deactivate inactive users
Roles and permissions
Roles and permissions
Built-in roles
Custom roles
Intake Restricted roles
Notifications
Notifications
Create and manage notifications
Notification examples
API Keys
Sekoia regions
Best practices
Troubleshooting tips
Sekoia Defend (XDR)
Sekoia Defend (XDR)
Introduction
Quick start guide
Features
Features
Collect
Collect
Intakes
Entities
Assets
Detect
Detect
IOCs Detection
Rules Catalog
Built-in Rules
Sigma
Anomaly Detection
IOCs Collections
Investigate
Investigate
Alerts
Events
Cases
Events Query Language
Querying Events
Query Builder (beta)
Report
Report
Dashboards
Threat Landscape
Automate
Automate
Playbooks
Playbooks On-premises
Manage accounts
Navigate playbooks
Build playbooks
Triggers
Operators
Actions
Debug playbooks
Playbooks JSON Schema
External integrations
External integrations
FortiSOAR
Palo Alto Cortex XSOAR
Swimlane Turbine
Usecases
Usecases
Implement a blocklist in Sekoia.io
Synchronize Alerts with an external tool
Send notifications to a Webhook using a playbook
Use your own CTI in Sekoia.io
FAQ
FAQ
General
Alerts
Events
Events
Events QA
Facing issues with logs collection
Detection
Assets
Sekoia.io Endpoint agent
Datetime representation
Develop
Develop
REST API
REST API
Quickstart
Authentication and Community
Dashboard
Configuration
Parser
Alert
Assets
Playbooks
Query Builder
Telemetry
Sekoia Intelligence (CTI)
Sekoia Intelligence (CTI)
Introduction
Features
Features
Data Models
Consume
Consume
Intelligence
Observables
Telemetry
Outgoing Feeds
Graph Explorations
Enrichers
Export
IOCs Collections
Monitor
Monitor
Dashboards
Threat Landscape
External Integrations
External Integrations
Overview
API
TAXII
Cortex Analyzer
MISP Feed
Microsoft Sentinel
OpenCTI
Splunk
Splunk SOAR
Swimlane Turbine
Anomali ThreatStream
PaloAlto Cortex XSOAR
ThreatQuotient
Develop
Develop
REST API
REST API
Quickstart
Authentication and Community
Intelligence
Enrichment
Telemetry
Dashboard
Playbooks
External Dynamic List
Sekoia.io TIP
Sekoia.io TIP
Introduction
Features
Features
Data Models
Consume
Consume
Intelligence
Observables
Outgoing Feeds
Graph Explorations
Enrichers
Export
IOCs Collections
Produce and investigate
Produce and investigate
Content Proposals
Incoming Feeds
Warning Rules
Expiration Rules
Monitor
Monitor
Dashboards
Threat Landscape
External Integrations
External Integrations
Overview
API
TAXII
Cortex Analyzer
MISP Feed
Microsoft Sentinel
OpenCTI
Splunk
PaloAlto Cortex XSOAR
Automate
Automate
Playbooks
Manage accounts
Navigate playbooks
Build playbooks
Triggers
Operators
Actions
Actions Library
Actions Library
Overview
Applicative
Applicative
Mandrill
Mattermost
Microsoft Windows Server
PagerDuty
Cloud Providers
Cloud Providers
AWS
Google
Collaboration Tools
Collaboration Tools
Atlassian JIRA
Git
ServiceNow
The Hive
The Hive V5
Email
Email
Vade Secure
Endpoint
Endpoint
CrowdStrike Falcon
HarfangLab
Panda Security
SentinelOne
Sophos
WithSecure
Generic
Generic
HTTP
OpenAI
RSS
Sekoia.io
Utils
IAM
IAM
Microsoft Active Directory
Microsoft Entra ID
Network
Network
Fortigate Firewalls
Zscaler
Threat Intelligence
Threat Intelligence
BinaryEdge's API
Censys
Certificate Transparency
Detection Rules
Digital Shadows
GLIMPS
IKnowWhatYouDownload
IPInfo
IPtoASN
MISP
MWDB
Nybble
OSINT
Onyphe
Public Suffix
RiskIQ
Shodan
Tranco
Triage
VirusTotal
Whois
Develop
Develop
REST API
REST API
Quickstart
Authentication and Community
Intelligence
Enrichment
Dashboard
Playbooks
Integrations
Integrations
Introduction
Ingestion methods
Ingestion methods
Overview
Cloud & SaaS
Cloud & SaaS
Overview
AWS S3
Azure Event Hub
Google Pub/Sub
HTTPS
HTTPS
Overview
Formatting options
Forwarding logs using a third-party application
Graylog
Logstash
Syslog
Syslog
Overview
Sekoia.io Forwarder
Third-party syslog services
Rsyslog
Syslog NG
Secured forwarding
List of Intakes
List of Intakes
Overview
Applicative
Applicative
1Password EPM
Apache HTTP Server
Azure Files
Azure MySQL
Cloudflare Audit Logs
Fastly WAF Audit logs
Github Audit Logs
Google Reports
Google Workspace and Google Cloud Audit Logs
Microsoft IIS
Salesforce
Sekoia.io activity logs
Sekoia.io forwarder logs
Systancia Cleanroom
Veeam Backup
Email
Email
Cisco Email Security Appliance
FortiMail
Mimecast Email Security
Office 365
Office 365 Message Trace
Postfix
Proofpoint On Demand
Proofpoint Targeted Attack Protection
Retarus Email Security
SpamAssassin
Trend Micro Email Security
Vade Cloud
Vade M365
Endpoint
Endpoint
Azure Windows
Bitdefender GravityZone
Check Point Harmony Mobile
CrowdStrike Falcon
CrowdStrike Falcon Telemetry
Cybereason MalOp
Cybereason MalOp activity
Eset Protect
Google Kubernetes Engine (GKE)
Harfanglab
IBM AIX
IBM iSeries (AS/400)
Kaspersky Endpoint Security
Linux AuditBeat
Log Insight Windows
Microsoft 365 Defender
Microsoft Intune
Palo Alto Cortex XDR (EDR)
Panda Security Aether
Pradeo MTD
SentinelOne
SentinelOne Cloud Funnel 2.0
Sekoia.io Endpoint Agent
Sophos EDR
Stormshield SES
Symantec Endpoint Protection
TEHTRIS Endpoint Detection & Reponse
Tanium
Trellix EDR
Trend Micro Apex One
VMWare ESXi
VMWare VCenter
Windows
Winlogbeat
WithSecure Elements
Generic
Generic
CEF
Raw
OCSF
IAM
IAM
Alsid
Azure Key Vault
Cisco Duo Security
FreeRADIUS
Jumpcloud Directory Insights
ManageEngine ADAudit Plus
Microsoft Entra ID (Azure AD)
Okta System log
OpenLDAP
RSA SecurID
Rubycat PROVE IT
Wallix
Network
Network
Amazon VPC Flow Logs
Azure Application Gateway
ArubaOS Switch
BIND
Cato SASE
Cisco IOS
Cisco Meraki MX
Cisco NX-OS
Citrix NetScaler / ADC
Cloudflare Access Request
Cloudflare DNS Gateway
Cloudflare DNS logs
Cloudflare Gateway HTTP
Cloudflare Gateway Network
Cloudflare HTTP requests
EfficientIP SOLIDServer DDI
Ekinops OneOS
F5 BIG-IP
Forcepoint Secure Web Gateway
Google VPC Flow Logs
HAProxy
ISC DHCP
Infoblox DDI
Juniper Network Switches
Microsoft Always On VPN
NGINX
Netfilter
OPNSense
OpenSSH
OpenVPN
Pulse Connect Secure
Squid
Sesame it Jizo NDR
Umbrella DNS Logs
Unbound
Network Security
Network Security
AWS CloudTrail
Amazon CloudFront Logs
Amazon GuardDuty
Amazon WAF
Azure Front Door
Azure Network Watcher (NSG flow logs)
Bitsight SPM
Broadcom Cloud Secure Web Gateway
Broadcom Edge Secure Web Gateway
Check Point
Cisco Identity Services Engine (ISE)
Cisco Secure Firewall
Cisco Web Security Appliance
Claroty xDome
Clavister Next-Gen Firewall
Cloudflare Firewall Events
Cyberwatch Detection
Darktrace Threat Visualizer
Datadome Protection
Daspren Parad
Digital Shadows SearchLight
ExtraHop Reveal(x) 360
Fastly Next-Gen WAF
Forcepoint Secure Web Gateway
FortiProxy
FortiWeb
Fortigate
Gatewatcher AionIQ
Google Cloud Load Balancing
Imperva Web Application Firewall
Lacework Cloud Security
McAfee Web Gateway / Skyhigh Secure Web Gateway
Netskope Events
Netskope Transaction Events
OGO Shield WAF
Olfeo Secure Web Gateway
Palo Alto Next-Generation Firewall
Palo Alto Prisma access
Security Scorecard Vunerability Assessment Scanner
SonicWall Firewall
SonicWall SMA
Sophos Firewall
Sophos Threat Analysis Center
Stormshield Network Security
Suricata
Thinkst Canary
Trellix Network Security
Trellix ePO
Trend Micro Deep Security / Workload Security
Ubika Cloud Protector Alerts
Ubika Cloud Protector Traffic
Ubika WAAP Gateway
Umbrella IP Logs
Umbrella Proxy Logs
Varonis Data Security
Vectra Cognito Detect
WatchGuard Firebox
Zscaler Internet Access
List of Playbooks Actions
List of Playbooks Actions
Overview
Applicative
Applicative
Mandrill
Mattermost
Microsoft Windows Server
PagerDuty
Cloud Providers
Cloud Providers
AWS
Google
Collaboration Tools
Collaboration Tools
Atlassian JIRA
Git
ServiceNow
The Hive
The Hive V5
Email
Email
Vade Secure
Endpoint
Endpoint
CrowdStrike Falcon
HarfangLab
Panda Security
SentinelOne
Sophos
WithSecure
Generic
Generic
HTTP
OpenAI
RSS
Sekoia.io
Utils
IAM
IAM
Microsoft Active Directory
Microsoft Entra ID
Network
Network
Fortigate Firewalls
Zscaler
Threat Intelligence
Threat Intelligence
BinaryEdge's API
Censys
Certificate Transparency
Detection Rules
Digital Shadows
GLIMPS
IKnowWhatYouDownload
IPInfo
IPtoASN
MISP
MWDB
Nybble
OSINT
Onyphe
Public Suffix
RiskIQ
Shodan
Tranco
Triage
VirusTotal
Whois
How to develop a new Integration
How to develop a new Integration
Overview
Automation
Automation
Overview
Action
Create a Module
Development Guidelines
Module
Trigger
Formats
Formats
Overview
Create a Format
Datasources
Definition of a structured event
Definition of the taxonomy
How to write a parser
How to write smart descriptions
Best Practices
Best Practices
Overview
Authentications
Networks
Endpoints
FAQ
FAQ
Overview
General Questions
General Questions
Bug VS Improvement Requests
Query Builder
Back to top