docs(nutanix): add Nutanix applicative + IAM docs (BETA), update mkdocs nav and UUID rules #3007
Open
tfanouillere-sekoia wants to merge 8 commits into
Conversation
Pull request overview
Adds initial (beta) documentation for the Nutanix integration, including an Applicative intake setup guide and an IAM-focused field-mapping page, and wires both into the MkDocs navigation.
Changes:
- Add Nutanix integration documentation pages under Applicative and IAM categories (beta).
- Update `mkdocs.yml` navigation to expose the new Nutanix pages.
- Add Operations Center shared-content includes for Nutanix event samples and suggested-rules output.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| mkdocs.yml | Adds Nutanix entries to Applicative and IAM nav sections. |
| docs/integration/categories/iam/nutanix.md | New beta IAM mapping guide for Nutanix audit logs. |
| docs/integration/categories/applicative/nutanix.md | New beta setup/collection guide for Nutanix Prism logs + includes for samples/rules. |
| _shared_content/operations_center/integrations/generated/nutanix_sample.md | Adds raw event sample tabs for Nutanix. |
| _shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md | Adds generated “no rules found” stub for this integration UUID. |
Comment on lines +72 to +80
| ### Create the intake | ||
|
|
||
| Go to the intake page and create a new intake using the Nutanix format on Sekoia.io: https://app.sekoia.io/operations/intakes | ||
|
|
||
| {!_shared_content/operations_center/integrations/generated/nutanix_sample.md!} | ||
|
|
||
| {!_shared_content/integration/detection_section.md!} | ||
|
|
||
| {!_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md!} |
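Review bot: the `{!_shared_content/integration/detection_section.md!}` and generated suggested-rules includes at the end of this region sit under the `### Create the intake` heading, so the detection content renders as part of the intake-creation step and does not appear in the page outline. The IAM page (lines 97–100) places the same include under its own `## Detection` heading; add that heading here between the `nutanix_sample.md` include and `detection_section.md`. Note also that, per the file list, the suggested-rules file for this UUID is a "no rules found" stub, so the section will render empty until rules are generated.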
Comment on lines +97 to +100
| ## Detection | ||
|
|
||
| {!_shared_content/integration/detection_section.md!} | ||
|
|
|
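Review bot: this `## Detection` heading on the IAM page includes only `detection_section.md`, while the Applicative page (lines 72–80) also pulls in `nutanix_sample.md` and the generated suggested-rules file for the same intake UUID. If the IAM page is meant to stand alone as an intake guide it needs the same includes; if it is only the field-mapping companion described in the overview, say so and link to the Applicative page instead of repeating a Detection heading with no rules or samples behind it.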
Newest code from tfanouillere-sekoia has been published to preview environment 🚀 Latest deployment was built on 2026-05-26 14:44:54 (596fb3fdbe2bed0bd3bb53b6ce8b0710b8d39065).
mchupeau-sk reviewed on May 26, 2026 and left a comment:
Need to remove those lines
Comment on lines +95 to +110
| ## Logs Details and Parsing Guidance | ||
|
|
||
| - Parse JSON payloads from `API_AUDIT` and `AUDIT` into structured fields. | ||
| - Convert microseconds timestamps (e.g., `creationTimestampUsecs`) to `@timestamp` ISO8601. | ||
| - Map fields into ECS (see mappings below). | ||
|
|
||
| ### ECS mapping recommendations | ||
|
|
||
| - `userName` -> `user.name` | ||
| - `userUuid` -> `user.id` | ||
| - `operationType` -> `event.action` | ||
| - `entityType` -> `resource.type` or `host.type` | ||
| - `uuid` -> `resource.id` or `host.id` | ||
| - `SRC` / `DST` -> `source.ip` / `destination.ip` | ||
|
|
||
| ## Detection |
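Review bot: the bullets under `## Logs Details and Parsing Guidance` are written as instructions to the reader (parse the `API_AUDIT`/`AUDIT` JSON, convert `creationTimestampUsecs`, map into ECS), but parsing is performed by the intake format, so a user of this page has nothing to act on; if a per-field table is kept it should document the mapping the format actually produces rather than "recommendations". Several entries also give two candidate targets (`resource.type` or `host.type`, `resource.id` or `host.id`), which leaves the destination field undefined for anyone writing rules on normalized data, and `resource.*` is not an ECS fieldset. Removing the block as suggested is the right call.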
Suggested change
| ## Logs Details and Parsing Guidance | |
| - Parse JSON payloads from `API_AUDIT` and `AUDIT` into structured fields. | |
| - Convert microseconds timestamps (e.g., `creationTimestampUsecs`) to `@timestamp` ISO8601. | |
| - Map fields into ECS (see mappings below). | |
| ### ECS mapping recommendations | |
| - `userName` -> `user.name` | |
| - `userUuid` -> `user.id` | |
| - `operationType` -> `event.action` | |
| - `entityType` -> `resource.type` or `host.type` | |
| - `uuid` -> `resource.id` or `host.id` | |
| - `SRC` / `DST` -> `source.ip` / `destination.ip` | |
| ## Detection |
Comment on lines +114 to +152
| This section contains suggested detection rules and mappings that can be used in the Operations Center. The canonical, machine-generated rules are available via the Operations Center generated files included below. | ||
|
|
||
| ### Suggested rule summaries | ||
|
|
||
| - **Mass provisioning detection** — counts `event.action: Create` over a short timeframe and alerts on spikes (grouped by `user.name` or globally). | ||
| - **Unusual admin activity** — flags administrative actions from unknown IPs or outside business hours; combine `user.name`, `source.ip` and `@timestamp`. | ||
| - **Policy hit drop spike** — alerts when the rate of `network.action: Drop` for a given policy exceeds a threshold. | ||
| - **Suspicious VM migration** — detects rapid or unusual `Migrate` actions, especially from non-maintenance users. | ||
|
|
||
| ### How to use | ||
|
|
||
| - Import the generated suggested rules located in `_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md` into your Operations Center. | ||
| - Tune thresholds and allowlists (known admin networks, maintenance accounts) according to your environment. | ||
| - Ensure ECS mappings are applied during parsing so the rules operate on normalized fields. | ||
|
|
||
|
|
||
| ## Event samples | ||
|
|
||
| Example API_AUDIT message (JSON): | ||
|
|
||
| ``` | ||
| {"entityType":"vm","name":"web-01","uuid":"e4f1c7d2-1234-5678-9abc-def012345678","alertUid":"VmCreateAudit","operationType":"Create","userName":"admin@example.com","userUuid":"u-9a8b7c6d","creationTimestampUsecs":1682890496000000} | ||
| ``` | ||
|
|
||
| Example Security Policy Hit Log (syslog): | ||
|
|
||
| ``` | ||
| <14>1 2026-05-01T12:35:10Z prism.example.com NUTANIX POLICY_HIT - timestamp=2026-05-01T12:35:09Z policy_uuid=abcd-1234 policy_name=default session=Create SRC=10.0.0.5 DST=10.0.0.10 PROTO=6 ACTION=Allow packets=10 bytes=1250 | ||
| ``` | ||
|
|
||
| ## Further Readings | ||
|
|
||
| - Integration Roadmap | ||
| - Integrations Changelog | ||
| - Intake Catalog GitHub repository: https://github.com/sekoia-io/intake-catalog | ||
| - Nutanix documentation: https://portal.nutanix.com/ | ||
| - Sekoia.io Forwarder documentation (see forwarder assets and README) | ||
| - Verify incoming packets on the concentrator or rsyslog host using `tcpdump` and the concentrator logs. | ||
|
|
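Review bot: the `### How to use` step tells readers to import `_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md` into their Operations Center, but that path is a docs build include and, per the file list, a generated "no rules found" stub, so the four hand-written rule summaries describe rules that do not exist in the catalog and the import step cannot be followed. The `## Event samples` section duplicates the `nutanix_sample.md` include added at lines 72–80, and the last `## Further Readings` bullet (verifying packets with `tcpdump` on the concentrator) is a troubleshooting step rather than a reading. Removing lines 114–152 as suggested resolves all three.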
Suggested change
| This section contains suggested detection rules and mappings that can be used in the Operations Center. The canonical, machine-generated rules are available via the Operations Center generated files included below. | |
| ### Suggested rule summaries | |
| - **Mass provisioning detection** — counts `event.action: Create` over a short timeframe and alerts on spikes (grouped by `user.name` or globally). | |
| - **Unusual admin activity** — flags administrative actions from unknown IPs or outside business hours; combine `user.name`, `source.ip` and `@timestamp`. | |
| - **Policy hit drop spike** — alerts when the rate of `network.action: Drop` for a given policy exceeds a threshold. | |
| - **Suspicious VM migration** — detects rapid or unusual `Migrate` actions, especially from non-maintenance users. | |
| ### How to use | |
| - Import the generated suggested rules located in `_shared_content/operations_center/detection/generated/suggested_rules_9a7f6d4e-3b2a-4c1d-8f9e-0a1b2c3d4e5f_do_not_edit_manually.md` into your Operations Center. | |
| - Tune thresholds and allowlists (known admin networks, maintenance accounts) according to your environment. | |
| - Ensure ECS mappings are applied during parsing so the rules operate on normalized fields. | |
| ## Event samples | |
| Example API_AUDIT message (JSON): | |
| ``` | |
| {"entityType":"vm","name":"web-01","uuid":"e4f1c7d2-1234-5678-9abc-def012345678","alertUid":"VmCreateAudit","operationType":"Create","userName":"admin@example.com","userUuid":"u-9a8b7c6d","creationTimestampUsecs":1682890496000000} | |
| ``` | |
| Example Security Policy Hit Log (syslog): | |
| ``` | |
| <14>1 2026-05-01T12:35:10Z prism.example.com NUTANIX POLICY_HIT - timestamp=2026-05-01T12:35:09Z policy_uuid=abcd-1234 policy_name=default session=Create SRC=10.0.0.5 DST=10.0.0.10 PROTO=6 ACTION=Allow packets=10 bytes=1250 | |
| ``` | |
| ## Further Readings | |
| - Integration Roadmap | |
| - Integrations Changelog | |
| - Intake Catalog GitHub repository: https://github.com/sekoia-io/intake-catalog | |
| - Nutanix documentation: https://portal.nutanix.com/ | |
| - Sekoia.io Forwarder documentation (see forwarder assets and README) | |
| - Verify incoming packets on the concentrator or rsyslog host using `tcpdump` and the concentrator logs. |
(https://github.com/SekoiaLab/integration/issues/479)