SEKOIA-IO
diff --git a/‎_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md‎
Lines changed: 136 additions & 24 deletions b/‎_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md‎
Lines changed: 136 additions & 24 deletions
diff --git a/‎_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71_sample.md‎
Lines changed: 23 additions & 7 deletions b/‎_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71_sample.md‎
Lines changed: 23 additions & 7 deletions
@@ -592,7 +592,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "1.2.3.4 -> 5.6.7.8 \"GET /test/v1/config/systemfile?args=filename%3Afile_name.log%2Cfilelocation%3A%2Fvar%2Fnslog&format=prometheus HTTP/1.1\" 200 14794 \"-\" \"Prometheus/2.30.0\" \"Time: 65590 microsecs\"",
+        "message": "1.2.3.4 -> 5.6.7.8 \"GET /test/v1/config/systemfile?REDACTED HTTP/1.1\" 200 14794 \"-\" \"Prometheus/2.30.0\" \"Time: 65590 microsecs\"",
         "event": {
             "category": [
                 "network"
@@ -628,9 +628,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "ip": "1.2.3.4"
         },
         "url": {
-            "original": "/test/v1/config/systemfile?args=filename%3Afile_name.log%2Cfilelocation%3A%2Fvar%2Fnslog&format=prometheus",
+            "original": "/test/v1/config/systemfile?REDACTED",
             "path": "/test/v1/config/systemfile",
-            "query": "args=filename%3Afile_name.log%2Cfilelocation%3A%2Fvar%2Fnslog&format=prometheus"
+            "query": "REDACTED"
         },
         "user_agent": {
             "device": {
@@ -653,7 +653,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "1.2.3.4 -> 1.2.3.4 - - [10/Jun/2024:23:07:11 +0530] [1571] \"GET /nitro/v1/config/route6?format=json&sessionid=[FILTERED] HTTP/1.1\" 200 1162 \"-\" \"-\" \"Time: 9797 microsecs\"",
+        "message": "1.2.3.4 -> 1.2.3.4 - - [10/Jun/2024:23:07:11 +0530] [1571] \"GET /nitro/v1/config/route6?REDACTED HTTP/1.1\" 200 1162 \"-\" \"-\" \"Time: 9797 microsecs\"",
         "event": {
             "category": [
                 "network"
@@ -692,9 +692,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "ip": "1.2.3.4"
         },
         "url": {
-            "original": "/nitro/v1/config/route6?format=json&sessionid=[FILTERED]",
+            "original": "/nitro/v1/config/route6?REDACTED",
             "path": "/nitro/v1/config/route6",
-            "query": "format=json&sessionid=[FILTERED]"
+            "query": "REDACTED"
         }
     }
     	
@@ -883,7 +883,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "\"2023/07/04:09:03:46  ADC 0-PPE-0 : default SSLVPN Message 19695397 0 :  \"\"SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
+        "message": "\"2023/07/04:09:03:46  ADC 0-PPE-0 : default SSLVPN Message 19695397 0 :  \"\"SSLVPN Mux Authorize result is Deny, User <user1>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
         "event": {
             "category": [
                 "authentication"
@@ -909,7 +909,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "5.6.7.8"
             ],
             "user": [
-                "vpn17590"
+                "user1"
             ]
         },
         "rule": {
@@ -920,7 +920,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "ip": "1.2.3.4"
         },
         "user": {
-            "name": "vpn17590"
+            "name": "user1"
         }
     }
     	
@@ -932,7 +932,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "\"2023/07/04:09:03:39  ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context vpn35939@91.170.235.67 - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\"  - Group(s) \"\"vpndsin,vpndsin\"\"\"",
+        "message": "\"2023/07/04:09:03:39  ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context user1@91.170.235.67 - SessionId: 1286 - User user1 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\"  - Group(s) \"\"vpndsin,vpndsin\"\"\"",
         "event": {
             "category": [
                 "network"
@@ -967,7 +967,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "5.6.7.8"
             ],
             "user": [
-                "vpn35939"
+                "user1"
             ]
         },
         "rule": {
@@ -982,7 +982,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "port": 50130
         },
         "user": {
-            "name": "vpn35939"
+            "name": "user1"
         }
     }
     	
@@ -994,7 +994,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "\"12/07/2023:10:58:42 GMT CXA-GAT 0-PPE-0 : default SSLVPN Message 1521206 0 :  \"SSO ns_sslvpn_process_sso_conn: user [email protected] clientip 1.2.3.7 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0\"\"",
+        "message": "\"12/07/2023:10:58:42 GMT CXA-GAT 0-PPE-0 : default SSLVPN Message 1521206 0 :  \"SSO ns_sslvpn_process_sso_conn: user [email protected] clientip 1.2.3.4 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0\"\"",
         "event": {
             "category": [
                 "network"
@@ -1007,15 +1007,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
         },
         "@timestamp": "2023-12-07T10:58:42Z",
         "client": {
-            "address": "1.2.3.7",
-            "ip": "1.2.3.7"
+            "address": "1.2.3.4",
+            "ip": "1.2.3.4"
         },
         "observer": {
             "name": "CXA-GAT"
         },
         "related": {
             "ip": [
-                "1.2.3.7"
+                "1.2.3.4"
             ],
             "user": [
                 "john.doe"
@@ -1083,7 +1083,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN TCPCONNSTAT 40844824 0 : Context tUser@1.2.3.4 - SessionId: 1096160 - User tUser - Client_ip 1.2.3.4 - Nat_ip 5.6.7.8 - Vserver 3.4.5.6:443 - Source 1.2.3.4:59549 - Destination 3.3.3.3:443 - Start_time \"12/19/2024:09:40:29 GMT\" - End_time \"12/19/2024:09:40:29 GMT\" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 51251 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\"",
+        "message": "12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN TCPCONNSTAT 40844824 0 : Context user1@1.2.3.4 - SessionId: 1096160 - User user1 - Client_ip 1.2.3.4 - Nat_ip 5.6.7.8 - Vserver 3.4.5.6:443 - Source 1.2.3.4:59549 - Destination 3.3.3.3:443 - Start_time \"12/19/2024:09:40:29 GMT\" - End_time \"12/19/2024:09:40:29 GMT\" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 51251 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) \"N/A\"",
         "event": {
             "category": [
                 "network"
@@ -1121,7 +1121,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "3.3.3.3"
             ],
             "user": [
-                "tUser"
+                "user1"
             ]
         },
         "source": {
@@ -1130,7 +1130,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "port": 59549
         },
         "user": {
-            "name": "tUser"
+            "name": "user1"
         }
     }
     	
@@ -1142,7 +1142,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
     ```json
 
     {
-        "message": "12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN HTTPREQUEST 40844823 0 : Context testuser@1.2.3.4 - SessionId: 1096160 - test.test.test User testuser : Group(s) N/A : Vserver 3.4.5.6:443 - 12/19/2024:09:40:29 GMT : SSO is ON : GET /ttt.jpg - -",
+        "message": "12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN HTTPREQUEST 40844823 0 : Context user1@1.2.3.4 - SessionId: 1096160 - example.com User user1 : Group(s) N/A : Vserver 3.4.5.6:443 - 12/19/2024:09:40:29 GMT : SSO is ON : GET /ttt.jpg - -",
         "event": {
             "category": [
                 "network"
@@ -1175,19 +1175,24 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "name": "NetscalerCD07_1"
         },
         "related": {
+            "hosts": [
+                "example.com"
+            ],
             "ip": [
                 "1.2.3.4"
             ],
             "user": [
-                "testuser"
+                "user1"
             ]
         },
         "url": {
-            "original": "test.test.test",
-            "path": "/ttt.jpg"
+            "domain": "example.com",
+            "path": "/ttt.jpg",
+            "registered_domain": "example.com",
+            "top_level_domain": "com"
         },
         "user": {
-            "name": "testuser"
+            "name": "user1"
         }
     }
     	
@@ -1287,6 +1292,111 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "test_sslvpn_log_9.json"
+
+    ```json
+	
+    {
+        "message": "01/28/2026:14:14:14 HOSTNAME 0-PPE-0 : default SSLVPN ICASTART 25487330 0 : [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=11111111111-11111-1111-1111-111111111] Source 2.2.2.2:49692 - Destination 1.1.1.1:2598 - customername - username:domainname user1:example - applicationName Application-Test $S3-56 - startTime \"01/28/2026:14:14:13 \" - connectionId 1111111",
+        "event": {
+            "category": [
+                "network"
+            ],
+            "code": "ICASTART",
+            "dataset": "audit_sslvpn",
+            "type": [
+                "connection"
+            ]
+        },
+        "@timestamp": "2026-01-28T14:14:14Z",
+        "citrix": {
+            "adc": {
+                "application_name": "Application-Test $S3-56"
+            }
+        },
+        "destination": {
+            "address": "1.1.1.1",
+            "ip": "1.1.1.1",
+            "port": 2598
+        },
+        "observer": {
+            "name": "HOSTNAME"
+        },
+        "related": {
+            "ip": [
+                "1.1.1.1",
+                "2.2.2.2"
+            ],
+            "user": [
+                "user1"
+            ]
+        },
+        "source": {
+            "address": "2.2.2.2",
+            "ip": "2.2.2.2",
+            "port": 49692
+        },
+        "user": {
+            "domain": "example",
+            "name": "user1"
+        }
+    }
+    	
+	```
+
+
+=== "test_sslvpn_log_9_dmy.json"
+
+    ```json
+	
+    {
+        "message": "28/01/2026:14:14:14 HOSTNAME 0-PPE-0 : default SSLVPN ICASTART 25487330 0 : [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=11111111111-11111-1111-1111-111111111] Source 2.2.2.2:49692 - Destination 1.1.1.1:2598 - customername - username:domainname user1:example - applicationName Application-Test $S3-56 - startTime \"28/01/2026:14:14:13 \" - connectionId 1111111",
+        "event": {
+            "category": [
+                "network"
+            ],
+            "code": "ICASTART",
+            "dataset": "audit_sslvpn",
+            "type": [
+                "connection"
+            ]
+        },
+        "citrix": {
+            "adc": {
+                "application_name": "Application-Test $S3-56"
+            }
+        },
+        "destination": {
+            "address": "1.1.1.1",
+            "ip": "1.1.1.1",
+            "port": 2598
+        },
+        "observer": {
+            "name": "HOSTNAME"
+        },
+        "related": {
+            "ip": [
+                "1.1.1.1",
+                "2.2.2.2"
+            ],
+            "user": [
+                "user1"
+            ]
+        },
+        "source": {
+            "address": "2.2.2.2",
+            "ip": "2.2.2.2",
+            "port": 49692
+        },
+        "user": {
+            "domain": "example",
+            "name": "user1"
+        }
+    }
+    	
+	```
+
+
 
 
 
@@ -1299,6 +1409,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`@timestamp` | `date` | Date/time when the event originated. |
 |`citrix.adc.adm_user` | `keyword` |  |
 |`citrix.adc.alert.severity` | `keyword` |  |
+|`citrix.adc.application_name` | `keyword` |  |
 |`citrix.adc.bytes.received` | `long` |  |
 |`citrix.adc.bytes.sent` | `long` |  |
 |`citrix.adc.pseudo_tty` | `keyword` |  |
@@ -1331,6 +1442,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.port` | `long` | Port of the source. |
 |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
 |`tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
+|`url.domain` | `keyword` | Domain of the url. |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
 |`url.path` | `wildcard` | Path of the request, such as "/search". |
 |`user.domain` | `keyword` | Name of the directory the user is a member of. |
 
@@ -111,15 +111,15 @@ In this section, you will find examples of raw logs as generated natively by the
 === "test_http_access_01"
 
     ```
-	1.2.3.4 -> 5.6.7.8 "GET /test/v1/config/systemfile?args=filename%3Afile_name.log%2Cfilelocation%3A%2Fvar%2Fnslog&format=prometheus HTTP/1.1" 200 14794 "-" "Prometheus/2.30.0" "Time: 65590 microsecs"
+	1.2.3.4 -> 5.6.7.8 "GET /test/v1/config/systemfile?REDACTED HTTP/1.1" 200 14794 "-" "Prometheus/2.30.0" "Time: 65590 microsecs"
     ```
 
 
 
 === "test_http_access_02"
 
     ```
-	1.2.3.4 -> 1.2.3.4 - - [10/Jun/2024:23:07:11 +0530] [1571] "GET /nitro/v1/config/route6?format=json&sessionid=[FILTERED] HTTP/1.1" 200 1162 "-" "-" "Time: 9797 microsecs"
+	1.2.3.4 -> 1.2.3.4 - - [10/Jun/2024:23:07:11 +0530] [1571] "GET /nitro/v1/config/route6?REDACTED HTTP/1.1" 200 1162 "-" "-" "Time: 9797 microsecs"
     ```
 
 
@@ -159,23 +159,23 @@ In this section, you will find examples of raw logs as generated natively by the
 === "test_sslvpn_log_1"
 
     ```
-	"2023/07/04:09:03:46  ADC 0-PPE-0 : default SSLVPN Message 19695397 0 :  ""SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin"""
+	"2023/07/04:09:03:46  ADC 0-PPE-0 : default SSLVPN Message 19695397 0 :  ""SSLVPN Mux Authorize result is Deny, User <user1>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin"""
     ```
 
 
 
 === "test_sslvpn_log_2"
 
     ```
-	"2023/07/04:09:03:39  ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context vpn35939@91.170.235.67 - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy ""AUTHZ_DENY""  - Group(s) ""vpndsin,vpndsin"""
+	"2023/07/04:09:03:39  ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context user1@91.170.235.67 - SessionId: 1286 - User user1 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy ""AUTHZ_DENY""  - Group(s) ""vpndsin,vpndsin"""
     ```
 
 
 
 === "test_sslvpn_log_3"
 
     ```
-	"12/07/2023:10:58:42 GMT CXA-GAT 0-PPE-0 : default SSLVPN Message 1521206 0 :  "SSO ns_sslvpn_process_sso_conn: user [email protected] clientip 1.2.3.7 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0""
+	"12/07/2023:10:58:42 GMT CXA-GAT 0-PPE-0 : default SSLVPN Message 1521206 0 :  "SSO ns_sslvpn_process_sso_conn: user [email protected] clientip 1.2.3.4 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0""
     ```
 
 
@@ -191,15 +191,15 @@ In this section, you will find examples of raw logs as generated natively by the
 === "test_sslvpn_log_5"
 
     ```
-	12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN TCPCONNSTAT 40844824 0 : Context tUser@1.2.3.4 - SessionId: 1096160 - User tUser - Client_ip 1.2.3.4 - Nat_ip 5.6.7.8 - Vserver 3.4.5.6:443 - Source 1.2.3.4:59549 - Destination 3.3.3.3:443 - Start_time "12/19/2024:09:40:29 GMT" - End_time "12/19/2024:09:40:29 GMT" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 51251 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"
+	12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN TCPCONNSTAT 40844824 0 : Context user1@1.2.3.4 - SessionId: 1096160 - User user1 - Client_ip 1.2.3.4 - Nat_ip 5.6.7.8 - Vserver 3.4.5.6:443 - Source 1.2.3.4:59549 - Destination 3.3.3.3:443 - Start_time "12/19/2024:09:40:29 GMT" - End_time "12/19/2024:09:40:29 GMT" - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 51251 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"
     ```
 
 
 
 === "test_sslvpn_log_6"
 
     ```
-	12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN HTTPREQUEST 40844823 0 : Context testuser@1.2.3.4 - SessionId: 1096160 - test.test.test User testuser : Group(s) N/A : Vserver 3.4.5.6:443 - 12/19/2024:09:40:29 GMT : SSO is ON : GET /ttt.jpg - -
+	12/19/2024:09:40:29 GMT NetscalerCD07_1 0-PPE-0 : default SSLVPN HTTPREQUEST 40844823 0 : Context user1@1.2.3.4 - SessionId: 1096160 - example.com User user1 : Group(s) N/A : Vserver 3.4.5.6:443 - 12/19/2024:09:40:29 GMT : SSO is ON : GET /ttt.jpg - -
     ```
 
 
@@ -220,3 +220,19 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_sslvpn_log_9"
+
+    ```
+	01/28/2026:14:14:14 HOSTNAME 0-PPE-0 : default SSLVPN ICASTART 25487330 0 : [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=11111111111-11111-1111-1111-111111111] Source 2.2.2.2:49692 - Destination 1.1.1.1:2598 - customername - username:domainname user1:example - applicationName Application-Test $S3-56 - startTime "01/28/2026:14:14:13 " - connectionId 1111111
+    ```
+
+
+
+=== "test_sslvpn_log_9_dmy"
+
+    ```
+	28/01/2026:14:14:14 HOSTNAME 0-PPE-0 : default SSLVPN ICASTART 25487330 0 : [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=11111111111-11111-1111-1111-111111111] Source 2.2.2.2:49692 - Destination 1.1.1.1:2598 - customername - username:domainname user1:example - applicationName Application-Test $S3-56 - startTime "28/01/2026:14:14:13 " - connectionId 1111111
+    ```
+
+
+