Olfeo SAAS
Overview
Olfeo SaaS is a suite of cybersecurity features for analyzing, filtering and securing your web flows. Combining proxy filtering, flow antivirus and TLS decryption.
- Vendor: Olfeo
- Supported environment: SaaS
- Version compatibility: v3.14.0 and above
- Detection based on: Telemetry
- Supported application or feature: Network web traffic
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Specification
Prerequisites
-
Licence:
- This feature requires a specific license. For more information, please contact your sales representative.
-
Permissions:
- Administrator rights on Olfeo SaaS
Transport Protocol/Method
- HTTP event collector/JSON
Logs details
- Supported functionalities: See section Overview
- Supported type(s) of structure: JSON
- Supported verbosity level: Informational
Step-by-Step Configuration Procedure
This setup guide will show you how to send your Olfeo SaaS logs to homepage.
Create a Log Connector
To create a Sekoia-type Log Connector in your SaaS interface, follow these steps:
Connect a SIEM
- Log in your Olfeo web interface.
- Go to
Configuration > Log connector. - Click the
Connect a SIEMbutton in the top right of your screen.
Add the general Information
- Enter the following values in the empty fields:
- SIEM Name (< 60 characters)
- Description (optional)
- Connector Type (Choose Sekoia)
- Click the
Followingbutton.
Add an endpoint URL
- Use the Sekoia documentation to locate and copy the public URL: https://intake.sekoia.io/jsons
- In the designated field, insert the endpoint URL.
Important
Specify the sending data formats by adding /jsons to the end of the URL. Follow the instructions provided on the Sekoia website.
Add a token authentication token
Important
The following programming code runs on Linux. You can perform the same task on Windows or macOS with few adjustments.
-
In your computer operating terminal:
- Paste your character strings.
echo -n ":REPLACE_BY_INTAKE_KEY" | base64
Note
Swap
REPLACE_BY_INTAKE_KEYwith your Sekoia-generated intake key.For example: Let's assume that: - intake key: 78Guihid-9ZE456Z-ghjk213
Then, the terminal command in this scenario would be:
echo -n ":78Guihid-9ZE456Z-ghjk213" | base64- Copy the result.
- In the Olfeo SaaS interface:
- Paste the previously obtained results into the authentication field.
- Click the
Followingbutton.
- Paste your character strings.
Select data
- Choose the data options you want to send.
- Click
Save
Note
Do not forget to activate the Log Connector in the list (Configuration > Log connector).
Create an intake
- Go to the intake page and create a new intake from the format
Olfeo SAAS. - Set up the intake configuration.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"user_id": "00000000-0000-0000-0000-000000000001",
"client_id": "00000000-0000-0000-0000-000000000002",
"external_id": "00000000-0000-0000-0000-000000000003",
"display_name": "User Test",
"category_id": "1235",
"category_label": "CDN et Non D\u00e9finissable",
"url": "",
"action": "allow",
"domain": "merchandise.opera-api2.com",
"src_ip": "",
"src_port": "",
"timestamp": 1742292307674,
"threat": "Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;",
"policy_id": "",
"rule_id": "",
"dest_ip": "6.5.4.3",
"http_method": "",
"http_version": "",
"user_response_time_ms": "",
"user_received_bytes": "",
"user_sent_bytes": "",
"user_status_code": "",
"cache_status": "",
"peer_response_time_ms": "",
"peer_status_code": "",
"theme_label": "Autres",
"groups_id": [
"00000000-0000-0000-0000-000000000004"
],
"groups_name": [
"Test Group 1",
"Test Group 2"
],
"directory_id": "00000000-0000-0000-0000-000000000005",
"directory_name": "Test Directory",
"policy_name": "None",
"type": "dns",
"dns_answer": "merchandise.opera-api2.com.\t3600\tIN\tA\t185.26.182.112",
"applications": null
}
{
"user_id": "00000000-0000-0000-0000-000000000001",
"client_id": "00000000-0000-0000-0000-000000000002",
"external_id": "00000000-0000-0000-0000-000000000003",
"display_name": "Test User",
"category_id": "1000",
"category_label": "Services aux Entreprises",
"url": "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?",
"action": "allow",
"domain": "safebrowsing.googleapis.com",
"src_ip": "1.2.3.4",
"src_port": "27275",
"timestamp": 1737373729852,
"threat": "Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;",
"policy_id": "-",
"rule_id": "-",
"dest_ip": "4.3.2.1",
"http_method": "GET",
"http_version": "1.1",
"user_response_time_ms": "84",
"user_received_bytes": "4664",
"user_sent_bytes": "836",
"user_status_code": "200",
"cache_status": "TCP_MISS",
"peer_response_time_ms": "9",
"peer_status_code": "200",
"theme_label": "Autres",
"groups_id": null,
"groups_name": null,
"directory_id": "00000000-0000-0000-0000-000000000000",
"directory_name": "Test Directory",
"policy_name": "None",
"type": "proxy",
"applications": null
}
{
"user_id": "00000000-0000-0000-0000-000000000001",
"client_id": "00000000-0000-0000-0000-000000000002",
"external_id": "00000000-0000-0000-0000-000000000003",
"display_name": "Test User",
"category_id": "1000",
"category_label": "Services aux Entreprises",
"url": "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?",
"action": "allow",
"domain": "safebrowsing.googleapis.com",
"src_ip": "1.2.3.4",
"src_port": "27275",
"timestamp": 1737373729852,
"threat": "Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;",
"policy_id": "-",
"rule_id": "-",
"dest_ip": "4.3.2.1",
"http_method": "GET",
"http_version": "1.1",
"user_response_time_ms": "84",
"user_received_bytes": "4664",
"user_sent_bytes": "836",
"user_status_code": "200",
"cache_status": "TCP_MISS",
"peer_response_time_ms": "9",
"peer_status_code": "200",
"theme_label": "Autres",
"groups_id": null,
"groups_name": null,
"directory_id": "00000000-0000-0000-0000-000000000000",
"directory_name": "Test Directory",
"policy_name": "None",
"type": "proxy",
"dns_answer": "",
"applications": null
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules was found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Network protocol analysis |
Olfeo provides analysis logs about user traffic |
Web proxy |
Olfeo provides web proxy logs |
DNS records |
Olfeo provides DNS logs |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | web |
| Type | access |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"user_id\":\"00000000-0000-0000-0000-000000000001\",\"client_id\":\"00000000-0000-0000-0000-000000000002\",\"external_id\":\"00000000-0000-0000-0000-000000000003\",\"display_name\":\"User Test\",\"category_id\":\"1235\",\"category_label\":\"CDN et Non D\u00e9finissable\",\"url\":\"\",\"action\":\"allow\",\"domain\":\"merchandise.opera-api2.com\",\"src_ip\":\"\",\"src_port\":\"\",\"timestamp\":1742292307674,\"threat\":\"Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;\",\"policy_id\":\"\",\"rule_id\":\"\",\"dest_ip\":\"6.5.4.3\",\"http_method\":\"\",\"http_version\":\"\",\"user_response_time_ms\":\"\",\"user_received_bytes\":\"\",\"user_sent_bytes\":\"\",\"user_status_code\":\"\",\"cache_status\":\"\",\"peer_response_time_ms\":\"\",\"peer_status_code\":\"\",\"theme_label\":\"Autres\",\"groups_id\":[\"00000000-0000-0000-0000-000000000004\"],\"groups_name\":[\"Test Group 1\",\"Test Group 2\"],\"directory_id\":\"00000000-0000-0000-0000-000000000005\",\"directory_name\":\"Test Directory\",\"policy_name\":\"None\",\"type\":\"dns\",\"dns_answer\":\"merchandise.opera-api2.com.\\t3600\\tIN\\tA\\t185.26.182.112\",\"applications\":null}\n",
"event": {
"action": "allow",
"category": [
"web"
],
"type": [
"access"
]
},
"@timestamp": "2025-03-18T10:05:07.674000Z",
"destination": {
"address": "6.5.4.3",
"ip": "6.5.4.3"
},
"dns": {
"answers": [
{
"class": "IN",
"data": "185.26.182.112",
"name": "merchandise.opera-api2.com.",
"ttl": 3600,
"type": "A"
}
]
},
"observer": {
"product": "Olfeo SAAS",
"type": "dns",
"vendor": "Olfeo"
},
"olfeo": {
"directory_name": "Test Directory",
"groups_name": [
"Test Group 1",
"Test Group 2"
],
"request": {
"category": "CDN et Non D\u00e9finissable",
"external_id": "00000000-0000-0000-0000-000000000003",
"theme": "Autres"
}
},
"related": {
"ip": [
"6.5.4.3"
],
"user": [
"User Test"
]
},
"source": {
"user": {
"name": "User Test"
}
},
"url": {
"original": "merchandise.opera-api2.com",
"path": "merchandise.opera-api2.com"
},
"user": {
"id": "00000000-0000-0000-0000-000000000001"
}
}
{
"message": "{\"user_id\":\"00000000-0000-0000-0000-000000000001\",\"client_id\":\"00000000-0000-0000-0000-000000000002\",\"external_id\":\"00000000-0000-0000-0000-000000000003\",\"display_name\":\"Test User\",\"category_id\":\"1000\",\"category_label\":\"Services aux Entreprises\",\"url\":\"https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?\",\"action\":\"allow\",\"domain\":\"safebrowsing.googleapis.com\",\"src_ip\":\"1.2.3.4\",\"src_port\":\"27275\",\"timestamp\":1737373729852,\"threat\":\"Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;\",\"policy_id\":\"-\",\"rule_id\":\"-\",\"dest_ip\":\"4.3.2.1\",\"http_method\":\"GET\",\"http_version\":\"1.1\",\"user_response_time_ms\":\"84\",\"user_received_bytes\":\"4664\",\"user_sent_bytes\":\"836\",\"user_status_code\":\"200\",\"cache_status\":\"TCP_MISS\",\"peer_response_time_ms\":\"9\",\"peer_status_code\":\"200\",\"theme_label\":\"Autres\",\"groups_id\":null,\"groups_name\":null,\"directory_id\":\"00000000-0000-0000-0000-000000000000\",\"directory_name\":\"Test Directory\",\"policy_name\":\"None\",\"type\":\"proxy\",\"applications\":null}",
"event": {
"action": "allow",
"category": [
"web"
],
"type": [
"access"
]
},
"@timestamp": "2025-01-20T11:48:49.852000Z",
"destination": {
"address": "4.3.2.1",
"ip": "4.3.2.1"
},
"dns": {
"answers": []
},
"http": {
"request": {
"bytes": 836,
"method": "GET"
},
"response": {
"bytes": 4664,
"status_code": 200
},
"version": "1.1"
},
"observer": {
"product": "Olfeo SAAS",
"type": "proxy",
"vendor": "Olfeo"
},
"olfeo": {
"directory_name": "Test Directory",
"request": {
"category": "Services aux Entreprises",
"external_id": "00000000-0000-0000-0000-000000000003",
"theme": "Autres"
}
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1"
],
"user": [
"Test User"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 27275,
"user": {
"name": "Test User"
}
},
"url": {
"domain": "safebrowsing.googleapis.com",
"original": "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?",
"path": "/v4/threatListUpdates:fetch",
"port": 443,
"registered_domain": "googleapis.com",
"scheme": "https",
"subdomain": "safebrowsing",
"top_level_domain": "com"
},
"user": {
"id": "00000000-0000-0000-0000-000000000001"
}
}
{
"message": "{\"user_id\":\"00000000-0000-0000-0000-000000000001\",\"client_id\":\"00000000-0000-0000-0000-000000000002\",\"external_id\":\"00000000-0000-0000-0000-000000000003\",\"display_name\":\"Test User\",\"category_id\":\"1000\",\"category_label\":\"Services aux Entreprises\",\"url\":\"https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?\",\"action\":\"allow\",\"domain\":\"safebrowsing.googleapis.com\",\"src_ip\":\"1.2.3.4\",\"src_port\":\"27275\",\"timestamp\":1737373729852,\"threat\":\"Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;\",\"policy_id\":\"-\",\"rule_id\":\"-\",\"dest_ip\":\"4.3.2.1\",\"http_method\":\"GET\",\"http_version\":\"1.1\",\"user_response_time_ms\":\"84\",\"user_received_bytes\":\"4664\",\"user_sent_bytes\":\"836\",\"user_status_code\":\"200\",\"cache_status\":\"TCP_MISS\",\"peer_response_time_ms\":\"9\",\"peer_status_code\":\"200\",\"theme_label\":\"Autres\",\"groups_id\":null,\"groups_name\":null,\"directory_id\":\"00000000-0000-0000-0000-000000000000\",\"directory_name\":\"Test Directory\",\"policy_name\":\"None\",\"type\":\"proxy\",\"dns_answer\":\"\",\"applications\":null}",
"event": {
"action": "allow",
"category": [
"web"
],
"type": [
"access"
]
},
"@timestamp": "2025-01-20T11:48:49.852000Z",
"destination": {
"address": "4.3.2.1",
"ip": "4.3.2.1"
},
"dns": {
"answers": []
},
"http": {
"request": {
"bytes": 836,
"method": "GET"
},
"response": {
"bytes": 4664,
"status_code": 200
},
"version": "1.1"
},
"observer": {
"product": "Olfeo SAAS",
"type": "proxy",
"vendor": "Olfeo"
},
"olfeo": {
"directory_name": "Test Directory",
"request": {
"category": "Services aux Entreprises",
"external_id": "00000000-0000-0000-0000-000000000003",
"theme": "Autres"
}
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1"
],
"user": [
"Test User"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 27275,
"user": {
"name": "Test User"
}
},
"url": {
"domain": "safebrowsing.googleapis.com",
"original": "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?",
"path": "/v4/threatListUpdates:fetch",
"port": 443,
"registered_domain": "googleapis.com",
"scheme": "https",
"subdomain": "safebrowsing",
"top_level_domain": "com"
},
"user": {
"id": "00000000-0000-0000-0000-000000000001"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
destination.ip |
ip |
IP address of the destination. |
dns.answers |
object |
Array of DNS answers. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
http.request.bytes |
long |
Total size in bytes of the request (body and headers). |
http.request.method |
keyword |
HTTP request method. |
http.response.bytes |
long |
Total size in bytes of the response (body and headers). |
http.response.status_code |
long |
HTTP response status code. |
http.version |
keyword |
HTTP version. |
observer.product |
keyword |
The product name of the observer. |
observer.type |
keyword |
The type of the observer the data is coming from. |
observer.vendor |
keyword |
Vendor name of the observer. |
olfeo.directory_name |
keyword |
Olfeo user's directory name |
olfeo.groups_name |
array |
Olfeo user's directory groups name |
olfeo.request.category |
keyword |
Olfeo's category of the requested URL |
olfeo.request.external_id |
keyword |
Olfeo's client directory id |
olfeo.request.theme |
keyword |
Olfeo's theme of the requested URL |
source.ip |
ip |
IP address of the source. |
source.port |
long |
Port of the source. |
source.user.name |
keyword |
Short name or login of the user. |
url.original |
wildcard |
Unmodified original url as seen in the event source. |
user.id |
keyword |
Unique identifier of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.