Merge pull request #149 from runreveal/feat/docs-updates-sources

Add new source docs for PagerDuty, AWS S3 Access, and more

Author: jonathanmcintyre1

pages/sources/source-types/_meta.ts

@@ -4,11 +4,14 @@ export default {
     "auth0": "Auth0",
     "aws": "AWS",
     "azure": "Azure",
+    "bitwarden": "Bitwarden",
     "cloudentity": "Cloudentity",
     "cloudflare": "Cloudflare",
     "crowdstrike": "CrowdStrike",
+    "cyberhaven": "Cyberhaven",
     "dnsfilter": "DNSFilter",
     "dropbox": "Dropbox",
+    "fastly-waf": "Fastly WAF",
     "fluent-bit": "Fluent Bit",
     "gcp": "GCP",
     "generic": "Generic Sources",
@@ -25,6 +28,7 @@ export default {
     "obsidian-security": "Obsidian Security",
     "okta": "Okta",
     "opal": "Opal",
+    "pagerduty": "PagerDuty",
     "palo-pano-traffic": "Palo Alto Panorama Traffic",
     "reveald": "Reveald",
     "sentinelone": "SentinelOne",

pages/sources/source-types/aws/_meta.ts

@@ -4,5 +4,6 @@ export default {
     "dns": "DNS",
     "flow": "Flow",
     "guardduty": "GuardDuty",
-    "hosted-zone": "Hosted Zone"
+    "hosted-zone": "Hosted Zone",
+    "s3-access": "S3 Access Logs"
 }

pages/sources/source-types/aws/s3-access.mdx

@@ -0,0 +1,113 @@
+import { Callout } from 'nextra/components'
+
+# AWS S3 Access Logs
+
+AWS S3 access logs provide detailed records of requests made to your S3 bucket, including information about who accessed your data, 
+when they accessed it, and what operations they performed. These logs capture details such as requester information, 
+request details, response status, and error codes, which are essential for security monitoring, compliance auditing, 
+and troubleshooting access issues.
+
+## Ingest Methods
+
+Setup the ingestion of this source using one of the following guides.
+
+- [AWS S3 Bucket](/sources/object-storage/s3)
+- [AWS S3 Bucket with Custom SQS](/sources/object-storage/external-s3)
+
+<Callout type='info'>
+If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
+```
+arn:aws:sns:<REGION>:253602268883:runreveal_s3access
+```
+</Callout>
+
+## Setup
+
+### Step 1: Create a Target S3 Bucket for Access Logs
+
+1. Sign in to the AWS Management Console and open the Amazon S3 console.
+2. Click on "Create bucket".
+3. Enter a unique name for your bucket (e.g., `my-s3-access-logs`) and select the region.
+4. Configure the bucket settings as needed (e.g., versioning, encryption).
+5. Click "Create bucket" to finish.
+
+### Step 2: Configure Bucket Policy for Log Delivery
+
+1. In the S3 console, select the bucket you just created for access logs.
+2. Go to the "Permissions" tab.
+3. Under "Bucket policy", click "Edit".
+4. Paste the following policy, replacing `{target-bucket-name}` with your actual bucket name:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "logging.s3.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::{target-bucket-name}/*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceAccount": "{source-bucket-account-id}"
+                }
+            }
+        }
+    ]
+}
+```
+
+5. Replace `{source-bucket-account-id}` with your AWS account ID.
+6. Click "Save changes".
+
+### Step 3: Enable Access Logging for Your Source S3 Bucket
+
+1. In the S3 console, select the source bucket for which you want to enable access logging.
+2. Go to the "Properties" tab.
+3. Scroll down to the "Server access logging" section and click "Edit".
+4. Check the box next to "Enable server access logging".
+5. Select the target bucket you created earlier from the "Target bucket" dropdown.
+6. Optionally, specify a prefix for the log files (e.g., `logs/`).
+7. Click "Save changes".
+
+### Step 4: Verify Log Delivery
+
+1. Wait for a few minutes to allow some access requests to your source bucket.
+2. Go back to the S3 console and open your target bucket.
+3. Navigate to the folder where you specified the prefix (or the root if no prefix was specified).
+4. You should see log files appearing in this location with names like `YYYY-MM-DD-HH-MM-SS-XXXXXXXXXX`.
+
+### Step 5: Understanding S3 Access Log Format
+
+S3 access logs contain the following fields in space-delimited format:
+
+- **Bucket Owner**: The canonical user ID of the bucket owner
+- **Bucket**: The name of the bucket
+- **Time**: The time when the request was received
+- **Remote IP**: The IP address of the requester
+- **Requester**: The canonical user ID of the requester
+- **Request ID**: A unique identifier for the request
+- **Operation**: The operation being performed (e.g., GET, PUT, DELETE)
+- **Key**: The key (path) of the object being accessed
+- **Request-URI**: The HTTP request URI
+- **HTTP Status**: The HTTP status code returned
+- **Error Code**: The S3 error code (if applicable)
+- **Bytes Sent**: The number of bytes sent
+- **Object Size**: The size of the object
+- **Total Time**: The total time of the request
+- **Turn-Around Time**: The time between when the request was received and the response was sent
+- **Referer**: The HTTP referer header
+- **User-Agent**: The HTTP user-agent header
+- **Version ID**: The version ID of the object (if versioning is enabled)
+- **Host ID**: The host ID of the S3 endpoint
+- **Signature Version**: The signature version used for authentication
+- **Cipher Suite**: The cipher suite used for HTTPS requests
+- **Authentication Type**: The type of authentication used
+- **Host Header**: The host header of the request
+- **TLS Version**: The TLS version used for HTTPS requests
+
+---
+
+For more information, refer to the [official AWS documentation on S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html).

pages/sources/source-types/bitwarden.mdx

@@ -0,0 +1,9 @@
+# Bitwarden
+
+Bitwarden logs provide comprehensive audit trails of password management activities, including user authentication events, password changes, vault access, and administrative actions. These logs are essential for security monitoring, compliance auditing, and detecting potential unauthorized access to sensitive credential data.
+
+## Coming Soon
+
+Documentation for Bitwarden integration is currently being developed.
+
+Please check back soon for complete documentation.

pages/sources/source-types/cloudflare/_meta.ts

@@ -2,5 +2,7 @@ export default {
     "audit": "Audit",
     "gateway-dns": "Gateway DNS",
     "gateway-http": "Gateway HTTP",
-    "http": "HTTP" 
+    "gateway-network": "Gateway Network",
+    "http": "HTTP",
+    "zt-access": "Access Requests"
 }

pages/sources/source-types/cloudflare/gateway-network.mdx

@@ -0,0 +1,9 @@
+# Cloudflare Gateway Network Logs
+
+Cloudflare Gateway Network logs provide detailed information about network traffic and security events processed through Cloudflare's Zero Trust Gateway. These logs capture data about user connections, application access, network policies, and security threats detected by Cloudflare's network security services.
+
+## Coming Soon
+
+Documentation for Cloudflare Gateway Network logs is currently being developed.
+
+Please check back soon for complete documentation.

pages/sources/source-types/cloudflare/zt-access.mdx

@@ -0,0 +1,9 @@
+# Cloudflare Access Requests
+
+Cloudflare Access Requests logs capture authentication and authorization events from Cloudflare Zero Trust Access. These logs provide visibility into user login attempts, application access patterns, and policy enforcement decisions across your organization's applications and resources.
+
+## Coming Soon
+
+Documentation for Cloudflare Access Requests is currently being developed.
+
+Please check back soon for complete documentation.

pages/sources/source-types/cyberhaven.mdx

@@ -0,0 +1,9 @@
+# Cyberhaven
+
+Cyberhaven logs provide comprehensive data protection and insider threat detection insights. These logs capture information about data access patterns, file movements, user behavior analytics, and security events that help organizations protect sensitive information and detect potential data exfiltration or insider threats.
+
+## Coming Soon
+
+Documentation for Cyberhaven integration is currently being developed.
+
+Please check back soon for complete documentation.

pages/sources/source-types/fastly-waf.mdx

@@ -0,0 +1,9 @@
+# Fastly WAF
+
+Fastly Web Application Firewall (WAF) logs capture security events and threat detection data from Fastly's edge security services. These logs include information about blocked requests, security rule violations, attack patterns, and traffic analysis that helps protect web applications from various cyber threats.
+
+## Coming Soon
+
+Documentation for Fastly WAF integration is currently being developed.
+
+Please check back soon for complete documentation.

pages/sources/source-types/pagerduty.mdx

@@ -0,0 +1,118 @@
+# PagerDuty
+
+Collect audit logs and events from your [PagerDuty](https://www.pagerduty.com/) account to monitor administrative changes and user activities. You'll find these logs in the `pagerduty_audit_logs` table(s).
+
+![PagerDuty Setup](/pagerduty-source-1.png)
+
+## Ingest Method
+
+This source uses polling to collect audit records every 60 seconds. The PagerDuty source polls audit records to collect administrative changes and user activities, including:
+
+- Account management
+- Service changes  
+- Incident management
+- User access patterns
+
+Logs should begin populating within a minute after being added.
+
+## Setup
+
+![PagerDuty Configuration](/pagerduty-source-2.png)
+
+### API Token
+
+To connect your PagerDuty account, you'll need to provide a PagerDuty API token. This token is used to authenticate and access your PagerDuty audit logs.
+
+1. Log into your PagerDuty account
+2. Navigate to your account settings
+3. Generate a new API token with appropriate permissions for audit log access
+4. Copy the token and paste it into the "PagerDuty API Token" field when creating your source
+
+### API Endpoint
+
+RunReveal uses the [PagerDuty Audit Records API](https://developer.pagerduty.com/api-reference/116868b0e9772-list-audit-records) to collect audit logs. This endpoint provides comprehensive audit records of administrative changes and user activities within your PagerDuty account.
+
+The API endpoint used is:
+```
+GET /audit/records
+```
+
+This endpoint returns audit records that include:
+- User authentication events
+- Account configuration changes
+- Service modifications
+- Incident management activities
+- User access and permission changes
+- Integration updates
+- Team and escalation policy changes
+
+### Source Configuration
+
+When setting up your PagerDuty source, you'll need to provide:
+
+- **Source Name**: A descriptive name for your PagerDuty source (defaults to "pagerduty")
+- **PagerDuty API Token**: Your PagerDuty API token for authentication
+- **Health Check Duration**: Configure how often to check source health (default: 1 day)
+- **Notification Channels**: Set up alerts for when the source stops receiving events
+
+### Verification
+
+After entering your API token, use the "Verify Settings" button to test the connection and ensure your token has the correct permissions to access PagerDuty audit logs.
+
+## Data Schema
+
+Your PagerDuty audit logs will be available in the `pagerduty_audit_logs` table with the source type `pagerduty`.
+
+## Log Format Example
+
+Here's an example of a single PagerDuty audit log record:
+
+```json
+{
+  "id": "PDRECORDID1_TEAM_CREATED",
+  "execution_time": "2020-06-04T15:30:16.272Z",
+  "execution_context": {
+    "request_id": "111lDEOIH-534-4ljhLHJjh111",
+    "remote_address": "201.19.20.19"
+  },
+  "actors": [
+    {
+      "id": "PDUSER",
+      "summary": "John Snow",
+      "type": "user_reference"
+    }
+  ],
+  "method": {
+    "type": "api_token",
+    "truncated_token": "3usr"
+  },
+  "root_resource": {
+    "id": "PXASDFE",
+    "type": "team_reference",
+    "summary": "my DevOps team"
+  },
+  "action": "create",
+  "details": {
+    "resource": {
+      "id": "PXASDFE",
+      "type": "team_reference",
+      "summary": "my DevOps team"
+    },
+    "fields": [
+      {
+        "name": "teamName",
+        "value": "DevOps team"
+      }
+    ]
+  }
+}
+```
+
+This example shows a team creation audit event with all the key fields including execution context, actors, method, and details.
+
+## Related Links
+
+- [PagerDuty Official Website](https://www.pagerduty.com/)
+- [PagerDuty API Documentation](https://developer.pagerduty.com/)
+- [PagerDuty Audit Records API](https://developer.pagerduty.com/api-reference/116868b0e9772-list-audit-records)
+- [PagerDuty Account Settings](https://app.pagerduty.com/account_settings)