docs(nutanix): add Nutanix applicative + IAM docs (BETA), update mkdo…#3007
docs(nutanix): add Nutanix applicative + IAM docs (BETA), update mkdo…#3007tfanouillere-sekoia wants to merge 8 commits into
Conversation
…cs nav and UUID rules
There was a problem hiding this comment.
Pull request overview
Adds initial (beta) documentation for the Nutanix integration, including an Applicative intake setup guide and an IAM-focused field-mapping page, and wires both into the MkDocs navigation.
Changes:
- Add Nutanix integration documentation pages under Applicative and IAM categories (beta).
- Update
mkdocs.ymlnavigation to expose the new Nutanix pages. - Add Operations Center shared-content includes for Nutanix event samples and suggested-rules output.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| mkdocs.yml | Adds Nutanix entries to Applicative and IAM nav sections. |
| docs/integration/categories/iam/nutanix.md | New beta IAM mapping guide for Nutanix audit logs. |
| docs/integration/categories/applicative/nutanix.md | New beta setup/collection guide for Nutanix Prism logs + includes for samples/rules. |
| _shared_content/operations_center/integrations/generated/nutanix_sample.md | Adds raw event sample tabs for Nutanix. |
| _shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md | Adds generated “no rules found” stub for this integration UUID. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ### Create the intake | ||
|
|
||
| Go to the intake page and create a new intake using the Nutanix format on Sekoia.io: https://app.sekoia.io/operations/intakes | ||
|
|
||
| {!_shared_content/operations_center/integrations/generated/nutanix_sample.md!} | ||
|
|
||
| {!_shared_content/integration/detection_section.md!} | ||
|
|
||
| {!_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md!} |
| ## Detection | ||
|
|
||
| {!_shared_content/integration/detection_section.md!} | ||
|
|
|
Newest code from tfanouillere-sekoia has been published to preview environment 🚀 Latest deployment was built on 2026-05-26 14:44:54 (596fb3fdbe2bed0bd3bb53b6ce8b0710b8d39065). |
mchupeau-sk
left a comment
There was a problem hiding this comment.
Need to remove those lines
| ## Logs Details and Parsing Guidance | ||
|
|
||
| - Parse JSON payloads from `API_AUDIT` and `AUDIT` into structured fields. | ||
| - Convert microseconds timestamps (e.g., `creationTimestampUsecs`) to `@timestamp` ISO8601. | ||
| - Map fields into ECS (see mappings below). | ||
|
|
||
| ### ECS mapping recommendations | ||
|
|
||
| - `userName` -> `user.name` | ||
| - `userUuid` -> `user.id` | ||
| - `operationType` -> `event.action` | ||
| - `entityType` -> `resource.type` or `host.type` | ||
| - `uuid` -> `resource.id` or `host.id` | ||
| - `SRC` / `DST` -> `source.ip` / `destination.ip` | ||
|
|
||
| ## Detection |
There was a problem hiding this comment.
| ## Logs Details and Parsing Guidance | |
| - Parse JSON payloads from `API_AUDIT` and `AUDIT` into structured fields. | |
| - Convert microseconds timestamps (e.g., `creationTimestampUsecs`) to `@timestamp` ISO8601. | |
| - Map fields into ECS (see mappings below). | |
| ### ECS mapping recommendations | |
| - `userName` -> `user.name` | |
| - `userUuid` -> `user.id` | |
| - `operationType` -> `event.action` | |
| - `entityType` -> `resource.type` or `host.type` | |
| - `uuid` -> `resource.id` or `host.id` | |
| - `SRC` / `DST` -> `source.ip` / `destination.ip` | |
| ## Detection |
| This section contains suggested detection rules and mappings that can be used in the Operations Center. The canonical, machine-generated rules are available via the Operations Center generated files included below. | ||
|
|
||
| ### Suggested rule summaries | ||
|
|
||
| - **Mass provisioning detection** — counts `event.action: Create` over a short timeframe and alerts on spikes (grouped by `user.name` or globally). | ||
| - **Unusual admin activity** — flags administrative actions from unknown IPs or outside business hours; combine `user.name`, `source.ip` and `@timestamp`. | ||
| - **Policy hit drop spike** — alerts when the rate of `network.action: Drop` for a given policy exceeds a threshold. | ||
| - **Suspicious VM migration** — detects rapid or unusual `Migrate` actions, especially from non-maintenance users. | ||
|
|
||
| ### How to use | ||
|
|
||
| - Import the generated suggested rules located in `_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md` into your Operations Center. | ||
| - Tune thresholds and allowlists (known admin networks, maintenance accounts) according to your environment. | ||
| - Ensure ECS mappings are applied during parsing so the rules operate on normalized fields. | ||
|
|
||
|
|
||
| ## Event samples | ||
|
|
||
| Example API_AUDIT message (JSON): | ||
|
|
||
| ``` | ||
| {"entityType":"vm","name":"web-01","uuid":"e4f1c7d2-1234-5678-9abc-def012345678","alertUid":"VmCreateAudit","operationType":"Create","userName":"admin@example.com","userUuid":"u-9a8b7c6d","creationTimestampUsecs":1682890496000000} | ||
| ``` | ||
|
|
||
| Example Security Policy Hit Log (syslog): | ||
|
|
||
| ``` | ||
| <14>1 2026-05-01T12:35:10Z prism.example.com NUTANIX POLICY_HIT - timestamp=2026-05-01T12:35:09Z policy_uuid=abcd-1234 policy_name=default session=Create SRC=10.0.0.5 DST=10.0.0.10 PROTO=6 ACTION=Allow packets=10 bytes=1250 | ||
| ``` | ||
|
|
||
| ## Further Readings | ||
|
|
||
| - Integration Roadmap | ||
| - Integrations Changelog | ||
| - Intake Catalog GitHub repository: https://github.com/sekoia-io/intake-catalog | ||
| - Nutanix documentation: https://portal.nutanix.com/ | ||
| - Sekoia.io Forwarder documentation (see forwarder assets and README) | ||
| - Verify incoming packets on the concentrator or rsyslog host using `tcpdump` and the concentrator logs. | ||
|
|
There was a problem hiding this comment.
| This section contains suggested detection rules and mappings that can be used in the Operations Center. The canonical, machine-generated rules are available via the Operations Center generated files included below. | |
| ### Suggested rule summaries | |
| - **Mass provisioning detection** — counts `event.action: Create` over a short timeframe and alerts on spikes (grouped by `user.name` or globally). | |
| - **Unusual admin activity** — flags administrative actions from unknown IPs or outside business hours; combine `user.name`, `source.ip` and `@timestamp`. | |
| - **Policy hit drop spike** — alerts when the rate of `network.action: Drop` for a given policy exceeds a threshold. | |
| - **Suspicious VM migration** — detects rapid or unusual `Migrate` actions, especially from non-maintenance users. | |
| ### How to use | |
| - Import the generated suggested rules located in `_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md` into your Operations Center. | |
| - Tune thresholds and allowlists (known admin networks, maintenance accounts) according to your environment. | |
| - Ensure ECS mappings are applied during parsing so the rules operate on normalized fields. | |
| ## Event samples | |
| Example API_AUDIT message (JSON): | |
| ``` | |
| {"entityType":"vm","name":"web-01","uuid":"e4f1c7d2-1234-5678-9abc-def012345678","alertUid":"VmCreateAudit","operationType":"Create","userName":"admin@example.com","userUuid":"u-9a8b7c6d","creationTimestampUsecs":1682890496000000} | |
| ``` | |
| Example Security Policy Hit Log (syslog): | |
| ``` | |
| <14>1 2026-05-01T12:35:10Z prism.example.com NUTANIX POLICY_HIT - timestamp=2026-05-01T12:35:09Z policy_uuid=abcd-1234 policy_name=default session=Create SRC=10.0.0.5 DST=10.0.0.10 PROTO=6 ACTION=Allow packets=10 bytes=1250 | |
| ``` | |
| ## Further Readings | |
| - Integration Roadmap | |
| - Integrations Changelog | |
| - Intake Catalog GitHub repository: https://github.com/sekoia-io/intake-catalog | |
| - Nutanix documentation: https://portal.nutanix.com/ | |
| - Sekoia.io Forwarder documentation (see forwarder assets and README) | |
| - Verify incoming packets on the concentrator or rsyslog host using `tcpdump` and the concentrator logs. |
|
This PR was marked as stale because it has been open for 30 days with no activity. |
(https://github.com/SekoiaLab/integration/issues/479)