diff --git a/AWS/aws-cloudtrail/ingest/parser.yml b/AWS/aws-cloudtrail/ingest/parser.yml index 265f9f7b7..31dcee72d 100644 --- a/AWS/aws-cloudtrail/ingest/parser.yml +++ b/AWS/aws-cloudtrail/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sourceIPAddress output_field: source pattern: "(%{IP:ip}|%{HOSTNAME:domain})" diff --git a/AWS/aws-guardduty/ingest/parser.yml b/AWS/aws-guardduty/ingest/parser.yml index 06512d7b1..7cb4ac969 100644 --- a/AWS/aws-guardduty/ingest/parser.yml +++ b/AWS/aws-guardduty/ingest/parser.yml @@ -13,6 +13,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.type output_field: finding pattern: "%{DATA:threat_purpose}:%{DATA:affected_resource_type}/%{WORD:threat_family_name}(.%{DATA:detection_mecanism})?(!%{DATA:artifact})?" diff --git a/Azure/azure-network-watcher/ingest/parser.yml b/Azure/azure-network-watcher/ingest/parser.yml index edca894ef..f6af50849 100644 --- a/Azure/azure-network-watcher/ingest/parser.yml +++ b/Azure/azure-network-watcher/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.get('flow.0')}}" output_field: result pattern: "%{NUMBER:timestamp},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{PROTOCOL:protocol},%{TRAFFICFLOW:traffic_flow},%{TRAFFICDECISION:traffic_decision}(|,(%{FLOWSTATE:flow_state}|),(%{INT:source_packets}|),(%{INT:source_bytes}|),(%{INT:destination_packets}|),(%{INT:destination_bytes}|))" diff --git a/Azure/azure-windows/ingest/parser.yml b/Azure/azure-windows/ingest/parser.yml index 4a4e76ac7..bfd2e9740 100644 --- a/Azure/azure-windows/ingest/parser.yml +++ b/Azure/azure-windows/ingest/parser.yml 
@@ -24,6 +24,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_windows_event.message.EventData.SubjectUserName or parse_windows_event.message.EventData.User}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -36,6 +37,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parse_windows_event.message.EventData.Hashes | lower}}" output_field: result value_sep: "=" diff --git a/Beats/winlogbeat/ingest/parser.yml b/Beats/winlogbeat/ingest/parser.yml index 0ffc5dbf6..7f190c1ff 100644 --- a/Beats/winlogbeat/ingest/parser.yml +++ b/Beats/winlogbeat/ingest/parser.yml @@ -10,6 +10,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.winlog.event_data.Hashes}}" output_field: hash value_sep: "=" diff --git a/CatoNetworks/cato-sase/ingest/parser.yml b/CatoNetworks/cato-sase/ingest/parser.yml index c3559d563..73f02ca34 100644 --- a/CatoNetworks/cato-sase/ingest/parser.yml +++ b/CatoNetworks/cato-sase/ingest/parser.yml @@ -19,6 +19,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_tactics}}" output_field: message pattern: '%{DATA:tactic_name_1} \(%{DATA:tactic_id_1}\)\, %{DATA:tactic_name_2} \(%{DATA:tactic_id_2}\)' @@ -28,6 +29,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_techniques}}" output_field: message pattern: '%{DATA:technique_name_1} \(%{DATA:technique_id_1}\)\, %{DATA:technique_name_2} \(%{DATA:technique_id_2}\)' diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 144a3c222..3ea23bd6f 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml 
@@ -121,6 +121,11 @@ cisco.esa.url: name: cisco.esa.url type: keyword +cisco.esa.url_domain: + description: '' + name: cisco.esa.url_domain + type: keyword + email.attachments: description: A list of objects describing the attachment files sent along with an email message diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..38469cd70 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -32,6 +32,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.ExternalMsgID}}" output_field: message pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}" @@ -42,6 +43,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.duser}}" output_field: message pattern: "%{GREEDYDATA:duser_name}@%{GREEDYDATA:duser_domain}" @@ -50,6 +52,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.suser}}" output_field: message pattern: "%{GREEDYDATA:suser_name}@%{GREEDYDATA:suser_domain}" @@ -67,6 +70,7 @@ pipeline: external: name: dict.parse properties: + output_field: message input_field: > {{ parsed_event.message.ESAURLDetails }} @@ -209,11 +213,6 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} - "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" - {% if not loop.last %},{% endif %} - {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}" cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}" 
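Review bot: The new `cisco.esa.url_domain` entry in `_meta/fields.yml` is added with `description: ''`, while the neighbouring `email.attachments` entry documents its contents, so an analyst cannot tell how this field relates to the existing `url.domain` that the parser also fills from `EAURLDetails`. Suggest `description: Scheme-stripped host part of every URL in cisco.esa.url, including the expanded form of shortened URLs when Cisco ESA provides one`. The same empty description is introduced for `harfanglab.agent_ids` in `HarfangLab/harfanglab/_meta/fields.yml`, which could read `description: Identifiers of the agents attached to the alert`.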
@@ -232,6 +231,19 @@ stages: cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}" filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}" + - set: + cisco.esa.url_domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + filter: "{{json_event_url_details.message | length > 0}}" + - set: cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}" cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..ce0d1d1b3 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -58,6 +58,10 @@ "url": [ "http://schemas.microsoft.com/office/2004/12/omml", "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..4dbc8fa48 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
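Review bot: The host extraction in the new `cisco.esa.url_domain` set only strips a lower-case `https://`/`http://` prefix and cuts at the first `/`, so a URL carrying userinfo or an explicit port (`https://user@host:8443/x`) yields `user@host:8443`, and an upper-case scheme (`HTTP://...`) is not stripped at all; such values will not line up with `url.domain` or with domain-based lookups. A cheap improvement is to extend both the `url` and `details.ExpandedUrl` expressions with `.split('/')[0].split('@')[-1].split(':')[0]` (IPv6 literals would still need real URL parsing, which this template approach cannot offer). The list is also not deduplicated, so an original and its expanded form on the same host produce the same domain twice; the fixtures only show distinct hosts, so confirm whether the pipeline tolerates duplicates here. The `dict(...)` wrapper of the removed `cisco.esa.url` block is gone and the new `filter` applies `length` directly to `json_event_url_details.message`; if that value can be null when `ESAURLDetails` is missing, the filter itself may now error instead of skipping.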
@@ -61,6 +61,10 @@ "url": [ "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..46ca9ebb4 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -55,6 +55,13 @@ "url": [ "https://facebook.com/u/john.doe", "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "facebook.com", + "tiktok.com", + "tinyurl.es", "www.twitter.com" ] } diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,8 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [] + } } }, "email": { diff --git a/Cisco/cisco-ios/ingest/parser.yml b/Cisco/cisco-ios/ingest/parser.yml index dace57b15..84cce9666 100644 --- a/Cisco/cisco-ios/ingest/parser.yml +++ b/Cisco/cisco-ios/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{LINEPROTO}|%{LINK}" custom_patterns: @@ -24,6 +25,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{SEC_LOGIN_SUCCESS}|%{SYS_LOGIN_FAILURE}|%{SYS_LOGOUT}|%{SYS_TTY_EXPIRE_TIMER}" custom_patterns: @@ -34,6 +36,7 @@ pipeline: filter: '{{parsed_event.message.facility in ["SEC_LOGIN", "SYS"]}}' - name: parsed_description external: + raise_errors: false name: grok.match properties: input_field: parsed_event.message.description 
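Review bot: In the `parsed_description` hunk of `Cisco/cisco-ios/ingest/parser.yml`, `raise_errors: false` is inserted directly under `external:` rather than under `properties:`, unlike every other grok.match/kv.parse-kv step in this commit (including the two earlier hunks in the same file), so this step will most likely keep raising on unmatched descriptions, or fail validation if unknown keys under `external` are rejected. Move the line so the block reads `properties:` / `raise_errors: false` / `input_field: parsed_event.message.description`. Since these steps now swallow match failures across all the touched parsers, it is worth confirming that an unmatched description still leaves a visible trace (for example a parsing warning) rather than silently yielding an event with no extracted fields.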
diff --git a/Cisco/cisco-nx-os/ingest/parser.yml b/Cisco/cisco-nx-os/ingest/parser.yml index 5b8fe2aee..b9f586e96 100644 --- a/Cisco/cisco-nx-os/ingest/parser.yml +++ b/Cisco/cisco-nx-os/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ETHPORT_IF_DOWN}|%{ETHPORT_IF_UP}|%{ETHPORT_IF}|%{ETHPORT_CONTROL}|%{ETHPORT_LAN}|%{ETHPORT_TRANSCEIVER}|%{ETHPORT_CHANNEL}" custom_patterns: @@ -30,6 +31,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{PAM_MESSAGE}|%{FILE_OPEN_FAILURE}" custom_patterns: @@ -42,6 +44,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{VSHD_CONFIG}|%{VSHD_CMD_EXEC}" custom_patterns: @@ -53,6 +56,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ARP_DUP}" custom_patterns: diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml index 9c6c377a7..6fead398e 100644 --- a/Citrix/citrix-adc/ingest/parser.yml +++ b/Citrix/citrix-adc/ingest/parser.yml @@ -90,7 +90,7 @@ pipeline: CIPHER_SUITE: '"?"?[\w\-\.]+"?"?' - name: set_audit_log_fields - filter: '{{not original.message.startswith("CEF")}}' + filter: '{{not original.message.startswith("CEF") and parse_audit_header.message.type not in ["AAATM"]}}' - name: set_connection_log_fields filter: "{{ parse_audit_header.message.type == 'TCP' }}" @@ -105,7 +105,7 @@ pipeline: filter: "{{ parse_audit_header.message.type == 'SSLLOG' }}" - name: set_other_log_fields - filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP'] }}" + filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP', 'AAATM'] }}" stages: set_cef_header_fields: 
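Review bot: Excluding `AAATM` from both `set_audit_log_fields` and `set_other_log_fields` in `Citrix/citrix-adc/ingest/parser.yml` leaves no stage that handles that log type, so an AAATM record now produces no fields at all; the updated `tests/test_aaatm.json` expectation drops `@timestamp`, `observer.name`, `event.dataset` and `event.reason` and keeps only the "No fields extracted from original event" warning. If the intent was only to stop tagging these records as network connections, it seems preferable to keep AAATM in the stage that (presumably, its body lies outside the hunk) sets the header-derived fields and instead narrow the `event.category`/`event.type` assignment, since AAA records are the authentication-related part of this source and losing their timestamp makes them unsearchable. If dropping them entirely is deliberate, state that in the changelog so downstream detection rules relying on `audit_aaatm` are updated.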
@@ -113,17 +113,21 @@ stages: - set: event.kind: "alert" event.dataset: "alert" + - set: observer.vendor: "{{parsed_event.message.DeviceVendor}}" observer.product: "{{parsed_event.message.DeviceProduct}}" observer.version: "{{parsed_event.message.DeviceVersion}}" + - set: source.ip: "{{parsed_event.message.src}}" source.port: "{{parsed_event.message.spt}}" + - set: event.reason: "{{parsed_event.message.msg}}" event.action: "{{parsed_event.message.act}}" event.category: ["network"] + - set: url.original: "{{parsed_event.message.request}}" - set: diff --git a/Citrix/citrix-adc/tests/test_aaatm.json b/Citrix/citrix-adc/tests/test_aaatm.json index 8db673e24..abc914658 100644 --- a/Citrix/citrix-adc/tests/test_aaatm.json +++ b/Citrix/citrix-adc/tests/test_aaatm.json @@ -4,20 +4,12 @@ }, "expected": { "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "event": { - "category": [ - "network" - ], - "code": "Message", - "dataset": "audit_aaatm", - "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "type": [ - "connection" - ] - }, - "@timestamp": "2023-09-29T07:40:56Z", - "observer": { - "name": "ADC" + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } } } } \ No newline at end of file diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..5eb538561 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.name}}" output_field: technique pattern: "%{TID:id} - %{DATA:name} : %{DATA}" 
@@ -61,19 +62,43 @@ stages: - set: observer.vendor: "Cybereason" observer.product: "Cybereason" + handle_malop: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.lastUpdateTime != null}}" + - set: file.name: "{{parsed_event.message.primaryRootCauseName}}" file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "File"}}' + - set: process.name: "{{parsed_event.message.primaryRootCauseName}}" process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "Process"}}' + + - set: + host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}" + host.name: "{{parsed_event.message.machines[0].get('displayName')}}" + host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}" + cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}" + cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}" + cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}" + filter: "{{parsed_event.message.get('machines', []) != []}}" + + - set: + user.name: "{{parsed_event.message.users[0].get('displayName')}}" + cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}" + cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}" + filter: "{{parsed_event.message.get('users', []) != []}}" + + - set: + user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}' + user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}' + filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}' + - set: event.kind: "alert" event.category: ["malware"] 
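Review bot: The new user-splitting set in `handle_malop` evaluates `"\\" in parsed_event.message.users[0].get("displayName")` in its filter, which raises a TypeError (or silently fails the filter, depending on how the pipeline treats template errors) when the first user has no `displayName`, whereas the sibling `handle_user_model` filter first checks `displayName != null`. Guard it the same way, e.g. `filter: '{{parsed_event.message.get("users", []) != [] and parsed_event.message.users[0].get("displayName") and "\\" in parsed_event.message.users[0].displayName}}'`. The `machines`/`users` guards compare `.get(..., [])` to `[]`, which does not cover an explicit JSON `null` for those keys; if the Cybereason payload can carry nulls there, `machines[0]`/`users[0]` will still fail, so confirm against real samples.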
@@ -88,22 +113,28 @@ stages: cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}" cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}" cybereason.malop.is_edr: "{{parsed_event.message.edr}}" + - set: cybereason.malop.created_at: "{{parsed_creation_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + - set: cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.creationTime != null}}" + - set: cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + handle_model: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.metadata.timestamp != null}}" + - set: cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}" + handle_machine_model: actions: - set: @@ -118,6 +149,7 @@ stages: - set: host.os.type: "{{parsed_event.message.osType.lower()}}" filter: "{{parsed_event.message.osType != null}}" + handle_user_model: actions: - set: @@ -127,10 +159,12 @@ stages: user.name: "{{parsed_event.message.displayName}}" cybereason.malop.user.id: "{{parsed_event.message.guid}}" cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}" + - set: user.name: '{{parsed_event.message.displayName.split("\\")[1]}}' user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}' filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}' + handle_file_suspect_model: actions: - set: diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json index b7ad07bb9..a5df9c14f 100644 --- a/CybeReason/malop-json/tests/test_malop.json +++ b/CybeReason/malop-json/tests/test_malop.json 
@@ -24,6 +24,11 @@ ], "type": "CUSTOM_RULE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": true + }, "id": "11.-6654920844431693523", "is_edr": "true", "modified_at": "2022-11-20T12:02:17.625000Z", @@ -33,7 +38,17 @@ "type": "Process" }, "severity": "High", - "status": "Active" + "status": "Active", + "user": { + "id": "0.2548072792133848559", + "is_admin": true + } + } + }, + "host": { + "name": "win-cybereason", + "os": { + "type": "windows" } }, "observer": { @@ -42,6 +57,15 @@ }, "process": { "name": "cymulateagent.exe" + }, + "related": { + "user": [ + "administrator" + ] + }, + "user": { + "domain": "win-cybereason", + "name": "administrator" } } } \ No newline at end of file diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json index a009d865f..532ff8e73 100644 --- a/CybeReason/malop-json/tests/test_malop_detail.json +++ b/CybeReason/malop-json/tests/test_malop_detail.json @@ -24,6 +24,11 @@ ], "type": "KNOWN_MALWARE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": false + }, "id": "11.7498520112250262440", "is_edr": "false", "modified_at": "2022-11-14T02:19:45.000000Z", @@ -33,7 +38,11 @@ "type": "File" }, "severity": "Low", - "status": "Closed" + "status": "Closed", + "user": { + "id": "0.2548072792133848559", + "is_admin": false + } } }, "file": { @@ -42,6 +51,13 @@ }, "name": "kprocesshacker.sys" }, + "host": { + "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", + "os": { + "type": "windows" + } + }, "observer": { "product": "Cybereason", "vendor": "Cybereason" @@ -49,7 +65,14 @@ "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } } \ No newline at end of file 
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index 311e0deb0..cbb9b311a 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml @@ -191,7 +191,7 @@ stages: event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}" destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}" destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}" - destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}" + destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}" destination.mac: "{{parsed_event.message.dstmac}}" destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}" destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}" diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml 
@@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}' - name: json filter: "{{grok.message.json_msg | length > 0}}" diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json new file mode 100644 index 000000000..89630f6bc --- /dev/null +++ b/HAProxy/haproxy/tests/access4.json 
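Review bot: The trailing `%{GREEDYDATA}` appended to `HAPROXYHTTPBASE` consumes the new `aktci:"..."` suffix but discards it, and the new `tests/access4.json` fixture confirms nothing from it is extracted even though the value in the sample looks like an IP address. If that suffix carries the originating client address it is one of the most useful fields in the line for investigations, so consider capturing it explicitly, e.g. `( aktci:"%{IP:aktci_ip}")?%{GREEDYDATA}`, and mapping it to the matching ECS field (`client.ip`, if that is what it represents). An unnamed greedy tail also means any future drift in the log format after the TLS field is accepted silently; narrowing it to the known suffix keeps such drift visible.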
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "sekoiaio": { + "intake": { + "dialect": "HAProxy", + "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9" + } + } + }, + "expected": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/CHANGELOG.md b/HarfangLab/harfanglab/CHANGELOG.md index b51c03c58..020bfb34e 100644 --- a/HarfangLab/harfanglab/CHANGELOG.md +++ b/HarfangLab/harfanglab/CHANGELOG.md @@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -### 2024-10-01 +### 2024-12-11 - 1.3.0 + +### Changed + +- Split username into `user.name` and `user.domain` + +### 2024-10-01 - 1.2.0 ### Added diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..902363c55 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml 
@@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 5050c7429..253355fce 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set: @@ -167,7 +171,16 @@ stages: process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.image_name}}" - user.name: "{{json_event.message.username}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} event.category: ["network"] event.type: ["connection"] @@ -188,7 +201,6 @@ stages: process.pe.company: "{{json_event.message.pe_info.company_name}}" process.pe.product: "{{json_event.message.pe_info.product_name}}" process.executable: "{{json_event.message.image_name}}" - user.name: "{{json_event.message.username}}" process.parent.executable: "{{json_event.message.parent_image}}" process.parent.command_line: "{{json_event.message.parent_commandline}}" process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}' 
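Review bot: The new `user.name`/`user.domain` templates in `network_info` evaluate `'\\' not in json_event.message.username` unconditionally, so if `username` is absent or null the membership test raises a TypeError where the previous plain `"{{json_event.message.username}}"` rendered nothing; whether such events occur depends on the HarfangLab payload, which I cannot see. Guarding the expression, e.g. `{%- if json_event.message.username and '\\' in json_event.message.username -%}` for the domain and the negated form for the name, keeps the old tolerance, and `split('\\', 1)` instead of `split('\\')` makes the name part robust to a second backslash. The same template is repeated verbatim in the `@@ -198`, `@@ -257`, `@@ -722`, `@@ -733` and `@@ -746` hunks of this file; if the pipeline supports a shared stage or macro, factoring it once would keep the seven copies from drifting.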
@@ -198,6 +210,17 @@ stages: harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}" harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + event.category: ["process"] event.type: ["start"] - set: @@ -257,7 +280,17 @@ stages: process.pe.product: "{{json_event.message.process.pe_info.product_name}}" process.executable: "{{json_event.message.process.image_name}}" - user.name: "{{json_event.message.process.username}}" + + user.name: > + {%- if '\\' not in json_event.message.process.username -%} + {{ json_event.message.process.username }} + {%- else -%} + {{ json_event.message.process.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.process.username -%} + {{ json_event.message.process.username.split('\\')[0] }} + {%- endif -%} process.parent.executable: "{{json_event.message.process.parent_image}}" process.parent.command_line: "{{json_event.message.process.parent_commandline}}" 
@@ -722,9 +755,29 @@ stages: event.code: "{{json_event.message.windows.event_id}}" event.action: "{{json_event.message.object_type}}" user.id: "{{json_event.message.windows.source_sid}}" - user.name: "{{json_event.message.source_username}}" user.target.id: "{{json_event.message.windows.target_sid}}" - user.target.name: "{{json_event.message.target_username}}" + + user.name: > + {%- if '\\' not in json_event.message.source_username -%} + {{ json_event.message.source_username }} + {%- else -%} + {{ json_event.message.source_username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.source_username -%} + {{ json_event.message.source_username.split('\\')[0] }} + {%- endif -%} + + user.target.name: > + {%- if '\\' not in json_event.message.target_username -%} + {{ json_event.message.target_username }} + {%- else -%} + {{ json_event.message.target_username.split('\\')[1] }} + {%- endif -%} + user.target.domain: > + {%- if '\\' in json_event.message.target_username -%} + {{ json_event.message.target_username.split('\\')[0] }} + {%- endif -%} dns_info: actions: @@ -733,10 +786,20 @@ stages: event.type: ["info"] process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.process_image_path}}" - user.name: "{{json_event.message.username}}" dns.question.type: "{{json_event.message.query_type}}" dns.question.name: "{{json_event.message.requested_name}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + auditlog_info: actions: - set: 
@@ -746,11 +809,21 @@ stages: http.response.status_code: "{{json_event.message.response_status_code}}" url.path: "{{json_event.message.request_path}}" user_agent.original: "{{json_event.message.user_agent}}" - user.name: "{{json_event.message.username}}" source.ip: "{{json_event.message.ip_address}}" event.reason: "{{json_event.message.log_description}}" event.action: "{{json_event.message.log_slug}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + agentlog_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/alert.json b/HarfangLab/harfanglab/tests/alert.json index 0f8e1a0d4..6acde1285 100644 --- a/HarfangLab/harfanglab/tests/alert.json +++ b/HarfangLab/harfanglab/tests/alert.json @@ -76,7 +76,7 @@ "REDACTED" ], "user": [ - "REDACTED\\valves" + "valves" ] }, "rule": { @@ -86,7 +86,8 @@ "name": "YARA binary check" }, "user": { - "name": "REDACTED\\valves" + "domain": "REDACTED", + "name": "valves" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json index b69152813..9ac1abc0a 100644 --- a/HarfangLab/harfanglab/tests/alert_1.json +++ b/HarfangLab/harfanglab/tests/alert_1.json @@ -77,7 +77,7 @@ "PL-3049" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { @@ -87,7 +87,8 @@ "name": "File Added/Modified in Startup Directory" }, "user": { - "name": "EXAMPLE\\jdoe" + "domain": "EXAMPLE", + "name": "jdoe" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json index 310b001a9..60c039be7 100644 --- a/HarfangLab/harfanglab/tests/alert_2.json +++ b/HarfangLab/harfanglab/tests/alert_2.json 
@@ -83,7 +83,7 @@ "PL3024" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { @@ -93,7 +93,8 @@ "name": "Registry Autorun Key Added" }, "user": { - "name": "EXAMPLE\\jdoe", + "domain": "EXAMPLE", + "name": "jdoe", "roles": "EXAMPLE" } } diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json index db3a57056..f37d2fad4 100644 --- a/HarfangLab/harfanglab/tests/alert_3.json +++ b/HarfangLab/harfanglab/tests/alert_3.json @@ -84,7 +84,7 @@ "SRV001" ], "user": [ - "EXAMPLE\\j.doe" + "j.doe" ] }, "rule": { @@ -94,7 +94,8 @@ "name": "PowerShellInvoke-CommandExecutedonRemoteHost" }, "user": { - "name": "EXAMPLE\\j.doe", + "domain": "EXAMPLE", + "name": "j.doe", "roles": "Servers" } } diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json index 8a3745f19..1a45b2b22 100644 --- a/HarfangLab/harfanglab/tests/alert_4.json +++ b/HarfangLab/harfanglab/tests/alert_4.json @@ -85,7 +85,7 @@ "HOST01" ], "user": [ - "DOMAINSI\\JDOE" + "JDOE" ] }, "rule": { @@ -105,7 +105,8 @@ "top_level_domain": "com" }, "user": { - "name": "DOMAINSI\\JDOE", + "domain": "DOMAINSI", + "name": "JDOE", "roles": "DOMAIN_Postes_de_travail_Windows" } } diff --git a/HarfangLab/harfanglab/tests/alert_false_positive.json b/HarfangLab/harfanglab/tests/alert_false_positive.json index f01c2921f..99b1994fb 100644 --- a/HarfangLab/harfanglab/tests/alert_false_positive.json +++ b/HarfangLab/harfanglab/tests/alert_false_positive.json @@ -76,7 +76,7 @@ "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { @@ -86,7 +86,8 @@ "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/authentication.json b/HarfangLab/harfanglab/tests/authentication.json index 91af4cc19..a00b26310 100644 --- a/HarfangLab/harfanglab/tests/authentication.json +++ b/HarfangLab/harfanglab/tests/authentication.json 
@@ -58,7 +58,7 @@ "127.0.0.1" ], "user": [ - "test-domain\\work-laptop$" + "work-laptop$" ] }, "sekoiaio": { @@ -78,12 +78,14 @@ "ip": "127.0.0.1" }, "user": { + "domain": "test-domain", "id": "S-1-5-18", - "name": "test-domain\\work-laptop$", + "name": "work-laptop$", "roles": "custom-group", "target": { + "domain": "work-laptop", "id": "S-1-0-0", - "name": "work-laptop\\administrateur" + "name": "administrateur" } } } diff --git a/HarfangLab/harfanglab/tests/dns.json b/HarfangLab/harfanglab/tests/dns.json index acf1cc407..903c7d68d 100644 --- a/HarfangLab/harfanglab/tests/dns.json +++ b/HarfangLab/harfanglab/tests/dns.json @@ -57,11 +57,12 @@ "work-laptop" ], "user": [ - "test-domain\\john.doe" + "john.doe" ] }, "user": { - "name": "test-domain\\john.doe", + "domain": "test-domain", + "name": "john.doe", "roles": "custom-group" } } diff --git a/HarfangLab/harfanglab/tests/network.json b/HarfangLab/harfanglab/tests/network.json index 0a8eef023..e047efaf0 100644 --- a/HarfangLab/harfanglab/tests/network.json +++ b/HarfangLab/harfanglab/tests/network.json @@ -50,7 +50,7 @@ "192.168.120.41" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "source": { @@ -59,7 +59,8 @@ "port": 21955 }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/network2.json b/HarfangLab/harfanglab/tests/network2.json index 43ba71477..b350a10ac 100644 --- a/HarfangLab/harfanglab/tests/network2.json +++ b/HarfangLab/harfanglab/tests/network2.json @@ -51,7 +51,7 @@ "185.202.2.238" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "source": { @@ -60,7 +60,8 @@ "port": 42221 }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json index abbbd338b..9f1f078f3 100644 
--- a/HarfangLab/harfanglab/tests/process-event.json +++ b/HarfangLab/harfanglab/tests/process-event.json @@ -81,11 +81,12 @@ "SFRTAOA" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM", + "domain": "NT AUTHORITY", + "name": "SYSTEM", "roles": "Group1" } } diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json index c91f0a2c0..024f674a3 100644 --- a/HarfangLab/harfanglab/tests/process.json +++ b/HarfangLab/harfanglab/tests/process.json @@ -74,11 +74,12 @@ "EXCHANGE" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process2.json b/HarfangLab/harfanglab/tests/process2.json index f01c2921f..99b1994fb 100644 --- a/HarfangLab/harfanglab/tests/process2.json +++ b/HarfangLab/harfanglab/tests/process2.json @@ -76,7 +76,7 @@ "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { @@ -86,7 +86,8 @@ "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json index 035f70d0f..3e464ccab 100644 --- a/HarfangLab/harfanglab/tests/process3.json +++ b/HarfangLab/harfanglab/tests/process3.json @@ -74,11 +74,12 @@ "REDACTED" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json index a19bf13fc..3f32333c2 100644 --- a/HarfangLab/harfanglab/tests/process4.json +++ b/HarfangLab/harfanglab/tests/process4.json 
@@ -87,11 +87,12 @@ "jdoe" ], "user": [ - "TST USER\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "TST USER\\SYSTEM", + "domain": "TST USER", + "name": "SYSTEM", "roles": "test_group" } } diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index 94e83a1fd..ce1d2faa4 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -13,6 +13,9 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index dcab41c28..bed91707b 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -13,6 +13,10 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3 diff --git a/Infoblox/ddi/_meta/fields.yml b/Infoblox/ddi/_meta/fields.yml index 064d69713..947dad6cf 100644 --- a/Infoblox/ddi/_meta/fields.yml +++ b/Infoblox/ddi/_meta/fields.yml @@ -2,3 +2,28 @@ infoblox.ddi.category: description: The logging category of this event. name: infoblox.ddi.category type: keyword + +infoblox.dhcp.circuit_id: + description: The circuit ID. + name: infoblox.dhcp.circuit_id + type: keyword + +infoblox.dhcp.interface_ip: + description: The IP address of the interface. + name: infoblox.dhcp.interface_ip + type: ip + +infoblox.dhcp.lease_time: + description: The lease time. + name: infoblox.dhcp.lease_time + type: keyword + +infoblox.dhcp.router_ip: + description: The IP address of the router. + name: infoblox.dhcp.router_ip + type: ip + +infoblox.dhcp.trans_id: + description: The transaction ID. + name: infoblox.dhcp.trans_id + type: keyword 
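Review bot: `infoblox.dhcp.lease_time` is declared here and mapped in the parser hunk below from `parse_event.message.infoblox_nios_log_dhcp_lease_time`, but none of the new DHCP_*/DHCPACK_* grok patterns defines a capture with that name — the closest is `infoblox_nios_log_dhcp_lease_duration`, and test query_log_dhcp_7 (`lease-duration 172800`) accordingly expects no `infoblox.dhcp` field at all. Either rename the capture or the mapping so the declared field is actually populated. The new descriptions also just restate the key (`The lease time.`, `The transaction ID.`); saying where the value comes from helps whoever builds rules on it, e.g. `description: Lease duration as reported in the DHCPACK log line (lease-duration token).` and `description: Transaction ID from the DHCPREQUEST log line (TransID token).`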
diff --git a/Infoblox/ddi/_meta/smart-descriptions.json b/Infoblox/ddi/_meta/smart-descriptions.json index 32aeb23c0..86ef44018 100644 --- a/Infoblox/ddi/_meta/smart-descriptions.json +++ b/Infoblox/ddi/_meta/smart-descriptions.json @@ -16,5 +16,32 @@ "type": "request resolution of" } ] + }, + { + "value": "{source.ip} perform {event.action}", + "conditions": [ + { + "field": "source.ip" + }, + { + "field": "event.action" + } + ] + }, + { + "value": "Query from {source.ip}", + "conditions": [ + { + "field": "source.ip" + } + ] + }, + { + "value": "Query to {destination.ip}", + "conditions": [ + { + "field": "destination.ip" + } + ] } ] diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index 25264fc22..c84be32fe 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml @@ -5,7 +5,7 @@ pipeline: name: grok.match properties: output_field: message - pattern: "%{CLIENT}" + pattern: "%{DNS_FORMERR}|%{DNS_OTHER}|%{DNS_0}|%{DNS_1}|%{DNS_2}|%{DNS_3}|%{DNS_4}|%{DNS_5}|%{DNS_6}|%{DNS_7}|%{DNS_8}|%{DNS_9}|%{DNS_10}|%{DNS_11}|%{DNS_12}|%{DNS_13}|%{DNS_14}" custom_patterns: QUERY_FLAGS: "%{QUERY_FLAGS_RD:flags_rd}%{QUERY_FLAGS_EDNS:flags_edns}?%{QUERY_FLAGS_TCP:flags_tcp}?%{QUERY_FLAGS_DNSSEC:flags_dnssec}?%{QUERY_FLAGS_CD:flags_cd}?%{QUERY_FLAGS_DNS_SERVER_COOKIE}?%{QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER}?" QUERY_FLAGS_RD: '[\+\-]' 
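Review bot: The new description template `{source.ip} perform {event.action}` reads as a grammatical slip in the UI; `{source.ip} performs {event.action}` or a neutral `{event.action} from {source.ip}` would be clearer. With the parser hunk below now setting `event.action` on DHCP lines, this is the description most DHCP events will render with, so the wording is worth fixing before it ships.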
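Review bot: The new `pattern` is a flat alternation of 17 unanchored sub-patterns with nothing explaining why their order matters; the regex engine takes the first alternative that matches, so the catch-all `DNS_14` (`%{CLIENT} %{GREEDYDATA:...}`) has to stay last, and the record-bearing `DNS_8`/`DNS_12` appear to need to precede their record-less twins `DNS_9`/`DNS_13`, whose trailing `%{DATA}` can match an empty string. Suggest a comment above the line: `# Alternatives are tried left to right: most specific first, DNS_14 catch-all last.` `DNS_OTHER` also matches an `r-l-e:` lease line rather than a DNS message and writes its second column into `infoblox_nios_log_dns_category` (test query_log_dhcp_8 expects `infoblox.ddi.category: Fixed`); if that is intentional, a comment saying so saves the next reader a detour. The grok stage this hunk edits starts outside the hunk.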
@@ -16,30 +16,165 @@ pipeline: QUERY_FLAGS_CD: "C" QUERY_FLAGS_DNS_SERVER_COOKIE: "V" QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER: "K" - CLIENT: '(%{WORD:category}: )?client ?(%{DATA}) %{IP:src}#%{INT:spt} (%{DATA}): query: %{IPORHOST:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + CLIENT: "client (?:%{DATA} )?%{IP:client_ip}#%{NUMBER:client_port}:?" + VIEW: "view %{DATA:infoblox_nios_log_view}: " + + # Next patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml + DNS_1: "zone %{DATA:dns_question_name}/%{DATA:dns_question_class}: notify from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_2: "transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}' from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_3: "validating %{DATA:dns_question_name}/%{WORD:dns_question_type}: %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_4: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} updating zone '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_5: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_6: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA:infoblox_nios_log_dns_before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios_log_dns_after_query}', type %{DATA:dns_question_type}" + DNS_7: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} %{DATA:infoblox_nios_log_dns_header_flags} \\(%{IP:server_ip}\\)" + DNS_8: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: 
%{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}" + DNS_9: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_10: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_11: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios_log_dns_version}\\|RPZ-%{DATA:dns_answers_type}\\|%{DATA:infoblox_nios_log_dns_answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server_ip} src=%{IP:client_ip} spt=%{NUMBER:client_port} view=%{DATA:infoblox_nios_log_dns_view_name} qtype=%{WORD:dns_question_type} msg=%{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_12: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}" + DNS_13: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_14: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{GREEDYDATA:infoblox_nios_log_dns_message}" + + # Original pattern + DNS_0: '(%{WORD:infoblox_nios_log_dns_category}: )?client ?(%{DATA}) %{IP:client_ip}#%{INT:client_port} (%{DATA}): query: 
%{DATA:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + + # Other patterns + + ## For DNS message like: + ## FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53 + DNS_FORMERR: "%{WORD:event_action} resolving '%{DATA:dns_question_name}/%{DATA:dns_question_type}/%{DATA:dns_question_class}': %{IP:destination_ip}#%{NUMBER:destination_port}" + + ## For other message like: + ## r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$ + DNS_OTHER: "r-l-e:%{IP:client_ip},%{DATA:infoblox_nios_log_dns_category},%{DATA:infoblox_nios_log_dns_client_hostname},%{MAC:client_mac},%{NUMBER:infoblox_nios_log_dns_lease_start},%{NUMBER:infoblox_nios_log_dns_lease_end},%{GREEDYDATA:infoblox_nios_log_dns_message}" + + - name: parse_event + filter: "{{'REQUEST DHCP' in original.message or 'DHCPREQUEST' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCP_1}|%{DHCP_2}|%{DHCP_3}|%{DHCP_4}|%{DHCP_5}|%{DHCP_6}|%{DHCP_7}|%{DHCP_8}|%{DHCP_9}|%{DHCP_10}|%{DHCP_11}|%{DHCP_12}|%{DHCP_OTHER}" + custom_patterns: + DHCP_1: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_2: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_3: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} 
\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_4: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}' + DHCP_5: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_6: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_7: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_8: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}" + DHCP_9: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via 
(%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}' + DHCP_10: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCP_11: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}" + DHCP_12: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name})" + + # Other patterns + + ## For DHCP message like: + ## Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. 
(NEW) + DHCP_OTHER: 'Option %{NUMBER}: received a %{DATA:event_action} packet from %{NOTSPACE} %{DATA:infoblox_nios_log_dhcp_relay_interface_name} with a circuit-id of \"%{DATA:infoblox_nios_log_dhcp_circuit_id}\", a remote-id of \"%{DATA:infoblox_nios_log_dhcp_remote_id}\" for %{IP:client_ip} \(%{MAC:client_mac}\) %{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}' + + - name: parse_event + filter: "{{'DHCPACK' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCPACK_1}|%{DHCPACK_2}|%{DHCPACK_3}|%{DHCPACK_4}|%{DHCPACK_5}|%{DHCPACK_6}|%{DHCPACK_7}|%{DHCPACK_8}|%{DHCPACK_9}|%{DHCPACK_10}|%{DHCPACK_11}|%{DHCPACK_12}" + custom_patterns: + # Patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml + DHCPACK_1: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_2: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_3: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} 
\\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_4: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\)" + DHCPACK_5: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_6: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_7: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay 
(%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_8: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_9: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_10: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_11: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_12: "%{WORD:event_action} to %{IP:client_ip} \\(%{MAC:client_mac}\\) via %{WORD:observer_ingress_interface_name}" + + - name: parse_datetime + external: + name: date.parse + properties: + input_field: 
"{{parse_event.message._tmp_timestamp}}" + output_field: result + format: "%d-%b-%Y %H:%M:%S.%f" + - name: set_ecs_fields stages: set_ecs_fields: actions: - set: - source.ip: "{{parse_event.message.src}}" - filter: "{{parse_event.message.src | is_ipaddress}}" + source.ip: "{{parse_event.message.client_ip}}" + filter: "{{parse_event.message.client_ip | is_ipaddress}}" - set: - source.port: "{{parse_event.message.spt}}" + "@timestamp": "{{parse_datetime.result}}" + event.action: "{{parse_event.message.event_action}}" + event.reason: "{{parse_event.message.infoblox_nios_log_dhcp_request_message or parse_event.message.infoblox_nios_log_dhcp_lease_message}}" + + source.port: "{{parse_event.message.client_port}}" + source.mac: "{{parse_event.message.client_mac}}" + + destination.ip: "{{parse_event.message.destination_ip}}" + destination.port: "{{parse_event.message.destination_port}}" + + observer.ingress.interface.name: "{{parse_event.message.observer_ingress_interface_name}}" + + infoblox.dhcp.interface_ip: "{{parse_event.message.infoblox_nios_log_dhcp_interface_ip}}" + infoblox.dhcp.trans_id: "{{parse_event.message.infoblox_nios_log_dhcp_trans_id}}" + infoblox.dhcp.router_ip: "{{parse_event.message.infoblox_nios_log_dhcp_router_ip}}" + infoblox.dhcp.lease_time: "{{parse_event.message.infoblox_nios_log_dhcp_lease_time}}" + infoblox.dhcp.circuit_id: "{{parse_event.message.infoblox_nios_log_dhcp_circuit_id}}" + dns.question.class: "{{parse_event.message.dns_question_class}}" dns.question.type: "{{parse_event.message.dns_question_type}}" dns.question.name: "{{parse_event.message.dns_question_name}}" - dns.type: "query" + dns.response_code: "{{parse_event.message.dns_response_code}}" + dns.header_flags: > [ {% if parse_event.message.flags_rd == "+" %}"RD",{% endif %} {% if parse_event.message.flags_cd == "C" %}"CD",{% endif %} ] + + - set: + dns.type: query + filter: '{{parse_event.message.get("response_code") == None}}' + - set: + dns.type: answer + dns.response_code: 
"{{parse_event.message.response_code}}" + filter: '{{parse_event.message.get("response_code") != None}}' + + - set: + dns.answers: | + [ + {%- for data in parse_event.message.dns_records.split(';') -%} + {%- if data != "" -%} + {%- set record = data.split(' ') -%} + {"name": "{{record[-5]}}", "ttl": {{record[-4]}}, "class": "{{record[-3]}}", "type": "{{record[-2]}}", "data": "{{record[-1]}}"}, + {%- endif -%} + {%- endfor -%} + ] + filter: "{{parse_event.message.get('dns_records') != None}}" + + - set: + network.transport: tcp + filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp == "T"}}' + - set: + network.transport: udp + filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp != "T"}}' - set: - network.transport: "tcp" - filter: '{{parse_event.message.flags_tcp == "T"}}' + network.transport: "{{parse_event.message.network_transport | lower }}" + filter: '{{parse_event.message.get("network_transport") != None}}' - set: - infoblox.ddi.category: "{{parse_event.message.category}}" + infoblox.ddi.category: "{{parse_event.message.infoblox_nios_log_dns_category}}" diff --git a/Infoblox/ddi/tests/query_log_dhcp_1.json b/Infoblox/ddi/tests/query_log_dhcp_1.json new file mode 100644 index 000000000..0e2ff27e2 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_1.json 
@@ -0,0 +1,31 @@ +{ + "input": { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)" + }, + "expected": { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", + "event": { + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. (NEW)" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" + } + }, + "related": { + "ip": [ + "192.168.1.222" + ] + }, + "source": { + "address": "192.168.1.222", + "ip": "192.168.1.222", + "mac": "00:50:56:ae:b3:44" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_2.json b/Infoblox/ddi/tests/query_log_dhcp_2.json new file mode 100644 index 000000000..44aebdb62 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_2.json 
@@ -0,0 +1,31 @@ +{ + "input": { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)" + }, + "expected": { + "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", + "event": { + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. (NEW)" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" + } + }, + "related": { + "ip": [ + "192.168.1.53" + ] + }, + "source": { + "address": "192.168.1.53", + "ip": "192.168.1.53", + "mac": "00:50:56:ae:b3:44" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_3.json b/Infoblox/ddi/tests/query_log_dhcp_3.json new file mode 100644 index 000000000..bca901b0b --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_3.json @@ -0,0 +1,31 @@ +{ + "input": { + "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6" + }, + "expected": { + "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6", + "event": { + "action": "DHCPREQUEST" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.107", + "trans_id": "80b994d6" + } + }, + "related": { + "ip": [ + "192.168.1.107" + ] + }, + "source": { + "address": "192.168.1.107", + "ip": "192.168.1.107", + "mac": "e8:c8:29:5c:c8:99" + } + } +} \ No newline at end of file 
diff --git a/Infoblox/ddi/tests/query_log_dhcp_4.json b/Infoblox/ddi/tests/query_log_dhcp_4.json new file mode 100644 index 000000000..826be7f66 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_4.json @@ -0,0 +1,38 @@ +{ + "input": { + "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)" + }, + "expected": { + "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)", + "event": { + "action": "DHCPREQUEST", + "reason": "RENEW" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "trans_id": "823c1fa3" + } + }, + "observer": { + "ingress": { + "interface": { + "name": "eth2" + } + } + }, + "related": { + "ip": [ + "192.168.1.208" + ] + }, + "source": { + "address": "192.168.1.208", + "ip": "192.168.1.208", + "mac": "00:50:56:ae:17:c6" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_5.json b/Infoblox/ddi/tests/query_log_dhcp_5.json new file mode 100644 index 000000000..681472682 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_5.json 
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable." + }, + "expected": { + "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.", + "event": { + "action": "DHCPREQUEST", + "reason": "lease 192.168.1.95 unavailable." + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.95", + "router_ip": "192.168.1.95", + "trans_id": "ac1b72c4" + } + }, + "related": { + "ip": [ + "192.168.1.95" + ] + }, + "source": { + "address": "192.168.1.95", + "ip": "192.168.1.95", + "mac": "d8:94:03:ec:da:d1" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_6.json b/Infoblox/ddi/tests/query_log_dhcp_6.json new file mode 100644 index 000000000..ad6128a51 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_6.json @@ -0,0 +1,32 @@ +{ + "input": { + "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet)." + }, + "expected": { + "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).", + "event": { + "action": "DHCPREQUEST", + "reason": "ignored (unknown subnet)." + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "dhcp": { + "interface_ip": "192.168.1.159", + "trans_id": "e711c0c1" + } + }, + "related": { + "ip": [ + "192.168.1.159" + ] + }, + "source": { + "address": "192.168.1.159", + "ip": "192.168.1.159", + "mac": "c8:09:a8:f8:cd:e8" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_7.json b/Infoblox/ddi/tests/query_log_dhcp_7.json new file mode 100644 index 000000000..301ee3a35 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_7.json 
@@ -0,0 +1,32 @@ +{ + "input": { + "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800" + }, + "expected": { + "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800", + "event": { + "action": "DHCPACK" + }, + "dns": { + "header_flags": [], + "type": "query" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth2" + } + } + }, + "related": { + "ip": [ + "192.168.1.138" + ] + }, + "source": { + "address": "192.168.1.138", + "ip": "192.168.1.138", + "mac": "08:71:90:8d:0b:5d" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dhcp_8.json b/Infoblox/ddi/tests/query_log_dhcp_8.json new file mode 100644 index 000000000..a0415a271 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_8.json @@ -0,0 +1,27 @@ +{ + "input": { + "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$" + }, + "expected": { + "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$", + "dns": { + "header_flags": [], + "type": "query" + }, + "infoblox": { + "ddi": { + "category": "Fixed" + } + }, + "related": { + "ip": [ + "192.168.1.113" + ] + }, + "source": { + "address": "192.168.1.113", + "ip": "192.168.1.113", + "mac": "c4:d0:e3:b4:08:4d" + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_1.json b/Infoblox/ddi/tests/query_log_dns_1.json new file mode 100644 index 000000000..042f12e70 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_1.json 
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53" + }, + "expected": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53", + "event": { + "action": "FORMERR" + }, + "destination": { + "address": "192.168.1.136", + "ip": "192.168.1.136", + "port": 53 + }, + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.testing.io", + "registered_domain": "testing.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "type": "query" + }, + "related": { + "hosts": [ + "test.testing.io" + ], + "ip": [ + "192.168.1.136" + ] + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_2.json b/Infoblox/ddi/tests/query_log_dns_2.json new file mode 100644 index 000000000..1d4135768 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_2.json @@ -0,0 +1,36 @@ +{ + "input": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +" + }, + "expected": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.io", + "registered_domain": "test.io", + "top_level_domain": "io", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 1130 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_3.json b/Infoblox/ddi/tests/query_log_dns_3.json new file mode 100644 index 000000000..959a20d36 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_3.json 
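Review bot: query_log_dns_1 puts `FORMERR` in `event.action` and leaves `dns.response_code` unset, whereas every other DNS fixture in this commit (query_log_dns_2 onward) records the response code in `dns.response_code`, so a rule keyed on `dns.response_code` will never see FORMERR. A fixture consistent with the others would add `"response_code": "FORMERR"` under `dns`, keeping `event.action` if the resolver-side wording is wanted as well. The `destination` here is the upstream server that answered, which is right for a resolving-error line, but it deserves a line in the format documentation since the other fixtures put the client in `source`.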
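Review bot: The flag token that follows the response code in the log line (`+` in query_log_dns_2 on this line, `+AE` and `+A` in query_log_dns_3 and query_log_dns_4 on the next) is not reflected anywhere in the expected output, and `dns.header_flags` is asserted as `[]` in every DNS fixture. If those letters are meant to be decoded into header flags, the fixtures currently pin their loss; if they are not, an always-empty `header_flags` is noise in the event and the key would be better omitted than asserted. Either way the format documentation should say what the trailing `+`/letter group is expected to map to.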
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE" + }, + "expected": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.org", + "registered_domain": "test.org", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 12337 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_4.json b/Infoblox/ddi/tests/query_log_dns_4.json new file mode 100644 index 000000000..e52e2b96b --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_4.json @@ -0,0 +1,37 @@ +{ + "input": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A" + }, + "expected": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "_ldap._tcp.test.test.net", + "registered_domain": "test.net", + "subdomain": "_ldap._tcp.test", + "top_level_domain": "net", + "type": "SRV" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "_ldap._tcp.test.test.net" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37188 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_5.json b/Infoblox/ddi/tests/query_log_dns_5.json new file mode 100644 index 000000000..e8b9350f6 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_5.json 
@@ -0,0 +1,46 @@ +{ + "input": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io." + }, + "expected": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.test.io.", + "name": "test.test.io.", + "ttl": 86400, + "type": "CNAME" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.io", + "registered_domain": "test.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37521 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_6.json b/Infoblox/ddi/tests/query_log_dns_6.json new file mode 100644 index 000000000..c3e9d8ddc --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_6.json 
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1" + }, + "expected": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1", + "dns": { + "answers": [ + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.org", + "registered_domain": "test.org", + "subdomain": "test", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 40432 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_7.json b/Infoblox/ddi/tests/query_log_dns_7.json new file mode 100644 index 000000000..7e8b80b01 --- /dev/null 
+++ b/Infoblox/ddi/tests/query_log_dns_7.json 
@@ -0,0 +1,115 @@ +{ + "input": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;" + }, + "expected": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 
235 IN A 192.168.1.1;", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 11720, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "c8.c3r2fb7.81hxxxxxx.dev.", + "ttl": 67, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 52, + "type": "CNAME" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "xxxxxx.dev.", + "ttl": 235, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.dev", + "registered_domain": "test.dev", + "top_level_domain": "dev", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.dev" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 49943 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_8.json b/Infoblox/ddi/tests/query_log_dns_8.json new file mode 100644 index 000000000..72f737796 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_8.json 
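Review bot: The input of query_log_dns_7 contains three owner names broken by an embedded space (`thmwh.l46l2i c8.c3r2fb7...`, `th mwh.xxxxxxxx...`, `81h xxxxxx.dev.`), and the expected answers assert the fragment after the space (`c8.c3r2fb7.81hxxxxxx.dev.`, `mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev.`, `xxxxxx.dev.`) as the record name, so the test pins silent truncation of a malformed record rather than a successful parse. The breaks look like line-wrapping picked up when the sample was copied; the message is also split across two physical lines of this diff. I would replace the input with an unbroken line, or, if wrapped records must be tolerated, make the expected output either carry the full owner name or drop the record, and note that decision next to the fixture.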
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;", + "@timestamp": "2024-11-28T15:26:27.498000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "10.56.12.201", + "name": "test.dev.", + "ttl": 3600, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "PD2LORA2.enim.l2", + "subdomain": "PD2LORA2.enim", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "PD2LORA2.enim.l2" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36615 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_9.json b/Infoblox/ddi/tests/query_log_dns_9.json new file mode 100644 index 000000000..ae3c85ca0 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_9.json 
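Review bot: query_log_dns_8 derives `"@timestamp": "2024-11-28T15:26:27.498000Z"` from the `28-Nov-2024 15:26:27.498` prefix, which carries no zone, so the fixture pins a UTC reading of a bare local timestamp; query_log_dns_9 on the next lines does the same. If the appliance logs in its local time this shifts every event by whole hours, so the assumption should at least be stated in the format documentation, or the zone made configurable. Both fixtures also use `1.2.3.4`/`1.2.3.x`, which is routable address space; the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) keep sample data from pointing at real hosts, and query_log_dns_9 would likewise be safer with `example.com`-style names than `www.bing.com`.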
@@ -0,0 +1,124 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 
17 IN A 1.2.3.175;", + "@timestamp": "2024-11-28T15:26:27.359000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "www-www.bing.com.trafficmanager.net.", + "name": "www.bing.com.", + "ttl": 7072, + "type": "CNAME" + }, + { + "class": "IN", + "data": "www.bing.com.edgekey.net.", + "name": "www-www.bing.com.trafficmanager.net.", + "ttl": 56, + "type": "CNAME" + }, + { + "class": "IN", + "data": "e86303.test.xxxxx.net.", + "name": "www.bing.com.edgekey.net.", + "ttl": 7154, + "type": "CNAME" + }, + { + "class": "IN", + "data": "1.2.3.181", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.173", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.184", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.185", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.174", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.183", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.177", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.179", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.175", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "www.bing.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63175 + } + } +} \ No newline at end of file 
diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml
index 1c858333a..d2e9192ce 100644
--- a/Microsoft/microsoft-365-defender/_meta/manifest.yml
+++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml
@@ -1,11 +1,11 @@
uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f
-name: Microsoft 365 Defender
+name: Microsoft Defender XDR / Microsoft 365 Defender
slug: microsoft-365-defender
automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef
automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac
description: >-
- Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
+ Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
index b8f0e2b86..5e5fa828c 100644
--- a/OCSF/ocsf/_meta/manifest.yml
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -7,7 +7,7 @@ slug: ocsf
description: >-
The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
- Supported version: **1.1**
+ Supported version: **1.3**
data_sources:
File monitoring: OCSF allows collecting system activities
diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json
index d03bc41fb..6947b5762 100644
--- a/OCSF/ocsf/_meta/smart-descriptions.json
+++ b/OCSF/ocsf/_meta/smart-descriptions.json
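Review bot: The rewritten description line in the Microsoft manifest keeps the typo `a entreprise defense suite` from the removed line; since the line is being touched anyway it should read `an enterprise defense suite`. The rest of the hunk is a product rename and needs nothing further.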
@@ -928,5 +928,49 @@
"field": "ocsf.activity_name"
}
]
+ },
+ {
+ "value": "File Remediation Activity: {ocsf.activity_name} file {file.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7002
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ }
+ ]
+ },
+ {
+ "value": "Process Remediation Activity: {ocsf.activity_name} file {file.name} by process {process.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7003
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ },
+ {
+ "field": "process.name"
+ }
+ ]
+ },
+ {
+ "value": "{ocsf.class_name}: {ocsf.activity_name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_name"
+ },
+ {
+ "field": "ocsf.activity_name"
+ }
+ ]
}
]
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index e43994811..3f88ce24c 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -79,16 +79,16 @@ pipeline:
- name: set_common_fields
- name: pipeline_object_actor
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
- name: pipeline_object_attack
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
- name: 
pipeline_object_network_connection_info
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,7004,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
- name: pipeline_object_device
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6004,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
- name: pipeline_object_http_request
filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}"
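Review bot: The new `pipeline_object_attack` filter drops `1008` from its class_uid list while the `pipeline_object_actor` and `pipeline_object_device` filters in the same hunk keep it, and every other change in this commit only adds uids (`5020`, `201004`, `7004`), so the removal reads as accidental unless 1008 has no `attacks` attribute in the schema version now declared in the manifest. If it is deliberate, the commit message should say so; if not, restore `1007,1008,1009` in that list. These parallel hand-maintained uid lists are the recurring risk here — a comment above the pipeline block naming the schema version and the class-to-object table they were derived from would make the next bump reviewable. The hunk starts on the previous line.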
@@ -100,7 +100,7 @@ pipeline:
filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}"
- name: pipeline_object_process
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,7003,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
- name: pipeline_object_proxy
filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}"
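Review bot: The `pipeline_object_process` filter now includes `7003`, which is fine, but the context line just above it in this hunk keeps a pre-existing precedence bug the commit does not touch: `... and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None` parses as `(A and B and C) or D`, so any event carrying a `src_endpoint` passes regardless of `class_uid`. Wrapping the two endpoint checks, `and (parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None) }}`, gives this filter the same class_uid gate as its siblings.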
@@ -115,7 +115,7 @@ pipeline:
filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}"
- name: pipeline_object_file
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,7002,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
- name: pipeline_object_system_activity_helper
filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}"
@@ -454,8 +454,8 @@ stages:
host.geo.city_name: "{{ parse_event.message.device.location.city }}"
host.geo.continent_name: "{{ parse_event.message.device.location.continent }}"
host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}"
- host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}"
- host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}"
+ host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] or parse_event.message.device.location.long }}"
+ host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] or parse_event.message.device.location.lat }}"
host.geo.name: "{{ parse_event.message.device.location.desc }}"
host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}"
host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}"
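Review bot: In the `@@ -454` hunk, `coordinates[0] or parse_event.message.device.location.long` (and the matching `lat` line) treats a coordinate of exactly `0` as missing, because `0`/`0.0` is falsy in the templating used here (the `{{ }}`/`.get()` syntax looks like Jinja), so a point on the equator or prime meridian silently falls back to `long`/`lat` and, when those are absent, to an empty value; the `@@ -534` and `@@ -557` hunks on the next line repeat the pattern for `src_endpoint` and `dst_endpoint`. Test presence rather than truthiness: `host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] if parse_event.message.device.location.coordinates else parse_event.message.device.location.long }}"` with the same shape for the `[1]`/`lat` line, then the two endpoint blocks. A one-line comment above each pair, such as `# location may carry coordinates [lon, lat] or the scalar long/lat pair; consult both`, would explain why two sources are read.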
@@ -534,7 +534,8 @@ stages:
- set:
source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}"
source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}"
- source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}"
+ source.geo.location.lon: "{{ parse_event.message.src_endpoint.location.coordinates[0] or parse_event.message.src_endpoint.location.long }}"
+ source.geo.location.lat: "{{ parse_event.message.src_endpoint.location.coordinates[1] or parse_event.message.src_endpoint.location.lat }}"
source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}"
source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}"
source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}"
@@ -557,8 +558,8 @@ stages:
- set:
destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}"
destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}"
- destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}"
- destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}"
+ destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] or parse_event.message.dst_endpoint.location.long }}"
+ destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] or parse_event.message.dst_endpoint.location.lat }}"
destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}"
destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}"
destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}"
diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_1.json b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json
new file mode 100644
index 000000000..29fe10f1c
--- /dev/null
+++ b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": \"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": 
\"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": 
\"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}" + }, + "expected": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": 
\"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": \"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 
1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}", + "event": { + "action": "evict", + "category": [], + "code": "ethnic", + "duration": 559843632000000, + "provider": 
"consolidated month mil", + "severity": 99, + "type": [] + }, + "@timestamp": "2024-11-11T12:36:34.225000Z", + "file": { + "directory": "canyon upgrading wool/marco.fla", + "hash": { + "ssdeep": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + }, + "mime_type": "pr/anything", + "name": "html.pkg", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "type": "Local Socket" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_2.json b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json new file mode 100644 index 000000000..9af77e1ab --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": 
\"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}" + }, + "expected": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}", + "event": { + "action": "harden", + "category": [], + "provider": "suggests assure sacred", + "reason": "oils tissue non", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:01.430000Z", + "file": { + 
"accessed": "2024-11-11T12:37:01.427000Z", + "directory": "sage petite tracy/supplement.deskthemepack", + "inode": "a6338964-a029-11ef-9cb6-0242ac110007", + "name": "panama.jsp", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "type": "Unknown", + "x509": { + "issuer": { + "distinguished_name": "shaw further heaven" + }, + "not_after": "2024-11-11T12:37:01.426000Z", + "serial_number": "museum every fa", + "version_number": "1.3.0" + } + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "File Remediation Activity", + "class_uid": 7002 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_3.json b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json new file mode 100644 index 000000000..35f27d49f --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json 
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": \"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides 
trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": 
\"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}", + "event": { + "action": "evict", + "category": [], + 
"provider": "sections sides trembl", + "reason": "baker testimonials approx", + "severity": 0, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:07.583000Z", + "file": { + "directory": "violin economic czech/regular.accdb", + "hash": { + "sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + }, + "mime_type": "agree/diego", + "name": "brazilian.tar.gz", + "owner": "Enrolled", + "path": "violin economic czech/regular.accdb/brazilian.tar.gz", + "type": "Regular File", + "uid": "a9de1552-a029-11ef-9be5-0242ac110007" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + ], + "user": [ + "Enrolled" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_1.json b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json new file mode 100644 index 000000000..4209eb1be --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json 
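Review bot: The expected `file.hash.sha1` in this fixture is an 80-hex-character value, i.e. the two SHA-1 entries of the input `hashes` array (`23BF…2D` and `4F80…74`) concatenated into one string, and `related.hash` repeats the concatenation; neither real digest would match a hash IoC list or a threat-intel lookup. Committing this as the expected output pins the wrong behaviour as correct, so the fixture should be regenerated once the parser keeps one value per algorithm (or a list when several are present). The parser change that produces this is not in view, so where the concatenation happens is inferred from the expected output alone.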
@@ -0,0 +1,29 @@ +{ + "input": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": 
\"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}", + "event": { + "action": "restore", + "category": [], + "provider": "expertise browse courier", + "reason": "kills routine cookie", + "severity": 4, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:44.401000Z", + "network": { + "direction": [ + "unknown" + ], + "iana_number": "62" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_2.json b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json new file mode 100644 index 000000000..afc4afcbe --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json 
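Review bot: The expected `network.direction` is `["unknown"]` although the input carries `"direction": "Outbound"` and `"direction_id": 2`, so any rule keyed on inbound/outbound traffic would not see this event as outbound. If the parser derives the value from `connection_info.direction_id`, Outbound should translate to the ECS value `outbound` rather than `unknown`; it may instead be reading `boundary` (which is `Unknown` here) — the parser is not in view, so confirm which field feeds it and fix either the translation or this fixture. The value is also emitted as an array while ECS defines `network.direction` as a single keyword; worth checking the field mapping at the same time.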
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": \"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": 
\"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical 
successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}", + "event": { + "action": "restore", + "category": [], + "outcome": "unknown", + "provider": "defence ignore carroll", + "reason": "virtue carb keeps", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:54.181000Z", + "network": { + "direction": [ + "inbound" + ], + "iana_number": "88" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_1.json b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json new file mode 100644 index 000000000..ac2f48c8a --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": 
\"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": \"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, 
\"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": 
\"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": \"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic 
of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", \"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", 
\"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", 
\"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly 
Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia 
wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": \"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": 
\"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers 
stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": 
\"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", 
\"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", \"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": 
\"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": 
[{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}", + "event": { + "action": "harden", + "category": [], + "outcome": "unknown", + "provider": "seller deserve sharing", + "reason": "heaven country sugar", + "sequence": 26, + "severity": 5, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:16.994000Z", + "file": { + "directory": "guilty different comply/expects.accdb", + "hash": { + "sha256": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "tlsh": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0" + }, + "name": "earliest.pdb", + "owner": "Tee", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "type": "Regular File", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "Process Remediation Activity", + "class_uid": 7003, + "process": { + "parent": { + "user": { + "email": "Li@scientific.travel", + "full_name": "Anita Rosanna" + } + } + } + }, + "process": { + "command_line": 
"guided stretch phrases", + "name": "Success", + "parent": { + "command_line": "suits chris sega", + "entity_id": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "name": "Em", + "pid": 60, + "start": "2024-11-11T13:16:16.999000Z", + "user": { + "id": [ + "223b30c0-a02f-11ef-87cb-0242ac110007" + ], + "name": "Membership" + } + }, + "pid": 94, + "start": "2024-11-11T13:16:16.996000Z", + "user": { + "id": [ + "223aed7c-a02f-11ef-943c-0242ac110007" + ], + "name": "Livestock" + } + }, + "related": { + "hash": [ + "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698" + ], + "user": [ + "Tee" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_2.json b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json new file mode 100644 index 000000000..899ec4fb5 --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, 
\"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": \"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": 
{\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", 
\"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, \"status_detail\": \"bow euros scsi\"}" + }, + "expected": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, \"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": 
\"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": {\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 
1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", \"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, 
\"status_detail\": \"bow euros scsi\"}", + "event": { + "action": "unknown", + "category": [], + "code": "digit", + "provider": "arg handed dock", + "reason": "sellers besides hl", + "severity": 1, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:28.061000Z", + "file": { + "hash": { + "md5": "89759E1284E2479B991D2669DE104942", + "ssdeep": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + }, + "inode": "28d43742-a02f-11ef-9ec1-0242ac110007", + "name": "propose.pptx", + "type": "Folder" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Process Remediation Activity", + "class_uid": 7003 + }, + "process": { + "command_line": "characters vocal tracy", + "entity_id": "28d4de90-a02f-11ef-98b9-0242ac110007", + "name": "Prince", + "parent": { + "command_line": "commission relying steady", + "entity_id": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "pid": 40, + "start": "2024-11-11T13:16:28.074000Z", + "thread": { + "id": 51 + }, + "user": { + "id": [ + "28d53156-a02f-11ef-aa73-0242ac110007" + ] + } + }, + "pid": 7, + "start": "2024-11-11T13:16:28.072000Z", + "thread": { + "id": 47 + }, + "user": { + "id": [ + "28d4888c-a02f-11ef-82fc-0242ac110007" + ], + "name": "Pork" + } + }, + "related": { + "hash": [ + "89759E1284E2479B991D2669DE104942", + "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_windows_service_1.json b/OCSF/ocsf/tests/generated_windows_service_1.json new file mode 100644 index 000000000..c474de045 --- /dev/null +++ b/OCSF/ocsf/tests/generated_windows_service_1.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, {\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 
201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": \"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": 
\"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": \"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", 
\"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": \"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": 
{\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": 
\"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", 
\"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 
1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": \"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 
1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, 
\"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": 
\"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": \"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": 
\"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, \"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": 
\"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", \"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner 
working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": \"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers 
families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations 
cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}" + }, + "expected": { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, 
{\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": 
\"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": \"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": 
\"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": 
\"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": {\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": 
\"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": \"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": 
\"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", \"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": 
\"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": 
\"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": 
\"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds 
match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": \"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": 
\"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, 
\"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": \"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", 
\"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": 
\"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, 
\"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}", + "event": { + "action": "stop", + "category": [], + "outcome": "failure", + "provider": "foo canada biodiversity", + "reason": "gear technologies garlic", + "severity": 3, + "start": "2024-11-12T08:21:47.936000Z", + "type": [] + }, + "@timestamp": "2024-11-12T08:21:47.936000Z", + "file": { + "directory": "vg tunisia river/favorite.wsf", + "hash": { + "sha1": "9280AE13A255F18D841739D0D18222BB950C8FC7" + }, + "name": "developmental.otf", + "path": "vg tunisia river/favorite.wsf/developmental.otf", + "type": "Regular File" + }, + "host": { + "id": "29092d44-a0cf-11ef-8baa-0242ac110007", + "risk": { + "static_level": "Critical" + }, + "type": "IDS" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Stop", + "class_name": "Windows Service Activity", + "class_uid": 201004, + "process": { + "parent": { + "user": { + "full_name": "Roland Nichol" + } + }, + "user": { + "domain": "tuition gst cheese", + "full_name": "Lynsey Sherise", + "groups": [ + { + "name": "overview friendly ul" + } + ] + } + } + }, + "process": { + "command_line": "hdtv il murder", + "entity_id": "2909c8d0-a0cf-11ef-82af-0242ac110007", + "name": "Don", + "parent": { + "command_line": "bull retailers sensitivity", + "end": "2024-11-12T08:21:47.935000Z", + "entity_id": "290a756e-a0cf-11ef-86a9-0242ac110007", + "name": "Indoor", + "pid": 29, + "start": "2024-11-12T08:21:47.900000Z", + "user": { + "id": [ + "290a520a-a0cf-11ef-a44f-0242ac110007" + ], + "name": "Asian" + } + }, + "pid": 38, + 
"start": "2024-11-12T08:21:47.895000Z", + "user": { + "id": [ + "2909b99e-a0cf-11ef-946c-0242ac110007" + ], + "name": "Journal" + } + }, + "related": { + "hash": [ + "9280AE13A255F18D841739D0D18222BB950C8FC7" + ], + "user": [ + "Hearing" + ] + }, + "user": { + "domain": "thinking answered refurbished", + "id": "290fefee-a0cf-11ef-ba87-0242ac110007", + "name": "Hearing" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 02c13a28b..dfa4178de 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -513,6 +513,11 @@ office365.user_type.code: name: office365.user_type.code type: long +office365.user_type.is_external: + description: Whether user is external + name: office365.user_type.is_external + type: boolean + office365.user_type.name: description: The translated type of the user that performed the operation name: office365.user_type.name diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index f0e861645..8568883db 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -77,7 +77,7 @@ stages: event.action: "{{json_event.message.Operation}}" event.code: "{{json_event.message.RecordType | string}}" event.reason: "{{json_event.message.ActionName}}" - user.name: "{{json_event.message.UserId}}" + user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" user.id: "{{json_event.message.UserKey}}" organization.id: "{{json_event.message.OrganizationId}}" action.id: "{{json_event.message.RecordType}}" 
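Review bot: The description of the new `office365.user_type.is_external` field does not say how the flag is derived, so an analyst reading the schema cannot tell which population of "external" users it covers. The parser sets it from the `urn:spo:guest#` marker in `UserId`, i.e. SharePoint/OneDrive guest identities, and an external account represented any other way would read as `false`. Suggest `description: Whether the acting user is a SharePoint/OneDrive guest (UserId carries the "urn:spo:guest#" prefix)`.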
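Review bot: `user.name` now calls `.removeprefix('urn:spo:guest#')` directly on `json_event.message.UserId`, whereas the previous template only referenced the field; if the template engine represents a missing `UserId` as an undefined object, the method call raises where the plain reference rendered empty, and records without `UserId` would stop parsing. The `set` block this line belongs to starts outside the hunk, so I cannot see whether a filter already guards it; if not, the `or` fallback used elsewhere in these parsers keeps the stage safe: `user.name: "{{(json_event.message.UserId or '').removeprefix('urn:spo:guest#')}}"`. The `user.email` line in the next hunk has the same shape but appears to be guarded by its `"@" in UserId` filter.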
@@ -89,9 +89,12 @@ stages: filter: "{{parse_client_ip.result.ip | is_ipaddress}}" - set: - user.email: "{{json_event.message.UserId}}" + user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" filter: '{{"@" in json_event.message.UserId}}' + - set: + office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}" + - set: source.ip: "{{parse_client_ip_address.result.ip}}" source.port: "{{parse_client_ip_address.result.port}}" diff --git a/Office 365/o365/tests/ad.json b/Office 365/o365/tests/ad.json index 4cfb5c636..359da7dbc 100644 --- a/Office 365/o365/tests/ad.json +++ b/Office 365/o365/tests/ad.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/ad_1.json b/Office 365/o365/tests/ad_1.json index 2474aeae8..aa501f91a 100644 --- a/Office 365/o365/tests/ad_1.json +++ b/Office 365/o365/tests/ad_1.json @@ -53,6 +53,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/add_member_to_role.json b/Office 365/o365/tests/add_member_to_role.json index 2ea3b7995..15b06db18 100644 --- a/Office 365/o365/tests/add_member_to_role.json +++ b/Office 365/o365/tests/add_member_to_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response.json b/Office 365/o365/tests/automated_investigation_and_response.json index bb5f028e8..3ae14890a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response.json +++ b/Office 365/o365/tests/automated_investigation_and_response.json @@ -50,6 +50,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
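Review bot: `office365.user_type.is_external` is computed with a substring test, `'urn:spo:guest#' in json_event.message.UserId`, while `user.name` and `user.email` strip the marker only when it is a leading prefix via `removeprefix`; a `UserId` carrying the marker anywhere else would be flagged external yet keep it in the name. `startswith` keeps the two in agreement: `office365.user_type.is_external: "{{json_event.message.UserId.startswith('urn:spo:guest#')}}"`. Separately, `user.id` is still taken from `UserKey` unmodified (previous hunk), and the new test fixture shows that value carrying its own `urn:spo:guest:hash#` prefix, so the guest marker is removed from name and email but retained in the id; if that is intentional, a comment on this `set` such as `# UserKey is deliberately left unstripped; only UserId carries the guest prefix we normalise` would spare the next reader the question. The literal `urn:spo:guest#` now appears three times across the two hunks, and the flag is only meaningful while all three stay identical.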
diff --git a/Office 365/o365/tests/automated_investigation_and_response_1.json b/Office 365/o365/tests/automated_investigation_and_response_1.json index fb46179f0..b79920afb 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_1.json @@ -145,6 +145,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json index 6e6d8fd0f..e40af7314 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json @@ -95,6 +95,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index a3a57df24..ca940465a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json @@ -121,6 +121,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json index 61b656511..173b1ef9c 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json @@ -108,6 +108,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/browser_log.json b/Office 365/o365/tests/browser_log.json index 611865bee..5bd149008 100644 --- a/Office 365/o365/tests/browser_log.json +++ b/Office 365/o365/tests/browser_log.json @@ -29,6 +29,7 @@ "record_type": 36, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index cc64b69af..661fe2bb6 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -38,6 +38,7 @@ "result_status": "Succeeded", "user_type": { "code": 5, + "is_external": false, "name": "Application" } }, diff --git a/Office 365/o365/tests/compliancemanager-scorechange.json b/Office 365/o365/tests/compliancemanager-scorechange.json index 9e31750bf..cc75e8e2c 100644 --- a/Office 365/o365/tests/compliancemanager-scorechange.json +++ b/Office 365/o365/tests/compliancemanager-scorechange.json @@ -22,6 +22,7 @@ "result_status": "Successful", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/email_reported.json b/Office 365/o365/tests/email_reported.json index e9b064f62..69696b1c5 100644 --- a/Office 365/o365/tests/email_reported.json +++ b/Office 365/o365/tests/email_reported.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/exchange_event1.json b/Office 365/o365/tests/exchange_event1.json index 881c1f21b..334ec01a8 100644 --- a/Office 365/o365/tests/exchange_event1.json +++ b/Office 365/o365/tests/exchange_event1.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index c15d8da5b..dc81df845 100644 
--- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -30,6 +30,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group.json b/Office 365/o365/tests/exchange_item_group.json index 75fe23b37..2a7d13867 100644 --- a/Office 365/o365/tests/exchange_item_group.json +++ b/Office 365/o365/tests/exchange_item_group.json @@ -40,6 +40,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group_2.json b/Office 365/o365/tests/exchange_item_group_2.json index 1af2cd661..cfbc956e6 100644 --- a/Office 365/o365/tests/exchange_item_group_2.json +++ b/Office 365/o365/tests/exchange_item_group_2.json @@ -93,6 +93,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index 30682248f..608d46063 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -41,6 +41,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/external_user.json b/Office 365/o365/tests/external_user.json new file mode 100644 index 000000000..fd3e6c34f --- /dev/null +++ b/Office 365/o365/tests/external_user.json 
@@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}" + }, + "expected": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": 
\"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}", + "event": { + "action": "FileDownloaded", + "category": [ + "file" + ], + "code": "6", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-29T12:31:12Z", + "action": { + "id": 6, + "name": "FileDownloaded", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://example.com/", + "SourceFileName": "1.zip", + "SourceRelativeUrl": "Documents/IMT MBA", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/IMT MBA", + "extension": "zip", + "name": "1.zip", + "size": 26860827 + }, + "office365": { + "audit": { + "object_id": 
"https://example.com/1.zip" + }, + "context": { + "client": { + "name": "MeTA" + }, + "correlation": { + "id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + } + }, + "record_type": 6, + "user_type": { + "code": 0, + "is_external": true, + "name": "Regular" + } + }, + "organization": { + "id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/1.zip", + "original": "https://example.com/1.zip", + "path": "/1.zip", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.com", + "id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "name": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "OneDriveMpc-Transform_Zip/1.0", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/file_previewed.json b/Office 365/o365/tests/file_previewed.json index f5cd4e410..d3ce72283 100644 --- a/Office 365/o365/tests/file_previewed.json +++ b/Office 365/o365/tests/file_previewed.json @@ -42,6 +42,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_size.json b/Office 365/o365/tests/file_size.json index ea0339b0b..7c6c0446f 100644 --- a/Office 365/o365/tests/file_size.json +++ b/Office 365/o365/tests/file_size.json @@ -52,6 +52,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_sync_download_full.json b/Office 365/o365/tests/file_sync_download_full.json index 44dd5f6c3..159b72879 100644 --- a/Office 365/o365/tests/file_sync_download_full.json 
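Review bot: The fixture pins `is_external: true` for exactly one shape of `UserId`, the `urn:spo:guest#…` URN, while every sibling fixture in this commit asserts `false` for plain UPNs; the parser stage that derives the flag is outside this chunk, so nothing here shows whether the Entra guest UPN form (the `#EXT#` marker) is also recognised or is deliberately out of scope, and a second fixture or a one-line comment on that stage would settle it. Note that `user.id` keeps the raw `urn:spo:guest:hash#…` key while `user.name` and `user.email` get the unwrapped address — presumably intended, since the hashed URN is the stable key across events, but worth stating in the intake documentation. The new file is committed without a trailing newline (`\ No newline at end of file`), as are test_system_event_13.json, application_compliance_updated.json and process_processcreation_2.json later in this diff.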
+++ b/Office 365/o365/tests/file_sync_download_full.json @@ -48,6 +48,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_visited.json b/Office 365/o365/tests/file_visited.json index 46855c741..44ee7180b 100644 --- a/Office 365/o365/tests/file_visited.json +++ b/Office 365/o365/tests/file_visited.json @@ -30,6 +30,7 @@ "result_status": "TRUE", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/form_log.json b/Office 365/o365/tests/form_log.json index 7fc38b1d5..affdbd3b0 100644 --- a/Office 365/o365/tests/form_log.json +++ b/Office 365/o365/tests/form_log.json @@ -28,6 +28,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index f3609c050..1c31e54e6 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json @@ -46,6 +46,7 @@ "result_status": "True", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/managed_sync.json b/Office 365/o365/tests/managed_sync.json index 4c860c040..9157cdb0a 100644 --- a/Office 365/o365/tests/managed_sync.json +++ b/Office 365/o365/tests/managed_sync.json @@ -38,6 +38,7 @@ "record_type": 4, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/mass_download.json b/Office 365/o365/tests/mass_download.json index c072a45c4..d099f991b 100644 --- a/Office 365/o365/tests/mass_download.json +++ b/Office 365/o365/tests/mass_download.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/mcas_alert.json b/Office 365/o365/tests/mcas_alert.json index 91e13123f..0e7bbd829 100644 --- a/Office 365/o365/tests/mcas_alert.json 
+++ b/Office 365/o365/tests/mcas_alert.json @@ -41,6 +41,7 @@ "result_status": "New", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json index e1397f623..cf341ed7d 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json index 31948758b..ef016aff1 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json @@ -114,6 +114,7 @@ "record_type": 28, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json index 59fdd35ce..fd5c01c5f 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json @@ -21,6 +21,7 @@ "record_type": 41, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 790c6b45f..27d256630 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json @@ -61,6 +61,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 3c91bcb5d..6d50c87eb 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json @@ -58,6 +58,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/power_bi.json b/Office 365/o365/tests/power_bi.json index 04a388971..186958235 100644 --- a/Office 365/o365/tests/power_bi.json +++ b/Office 365/o365/tests/power_bi.json @@ -23,6 +23,7 @@ "record_type": 20, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/remove_member_from_role.json b/Office 365/o365/tests/remove_member_from_role.json index 5feefc067..cd39a1c92 100644 --- a/Office 365/o365/tests/remove_member_from_role.json +++ b/Office 365/o365/tests/remove_member_from_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/security_compliance_alert.json b/Office 365/o365/tests/security_compliance_alert.json index 9988fb1fe..f3d73bb7d 100644 --- a/Office 365/o365/tests/security_compliance_alert.json +++ b/Office 365/o365/tests/security_compliance_alert.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_2.json b/Office 365/o365/tests/security_compliance_alert_2.json index 43cac929e..b52c6c789 100644 --- a/Office 365/o365/tests/security_compliance_alert_2.json +++ b/Office 365/o365/tests/security_compliance_alert_2.json @@ -65,6 +65,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/security_compliance_alert_3.json b/Office 365/o365/tests/security_compliance_alert_3.json index 4a695584b..693cae46a 100644 --- a/Office 365/o365/tests/security_compliance_alert_3.json +++ b/Office 365/o365/tests/security_compliance_alert_3.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_4.json b/Office 365/o365/tests/security_compliance_alert_4.json index a6b83cc30..33fb22e5d 100644 --- a/Office 365/o365/tests/security_compliance_alert_4.json +++ b/Office 365/o365/tests/security_compliance_alert_4.json @@ -59,6 +59,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_5.json b/Office 365/o365/tests/security_compliance_alert_5.json index f0e153b7e..517d9efea 100644 --- a/Office 365/o365/tests/security_compliance_alert_5.json +++ b/Office 365/o365/tests/security_compliance_alert_5.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json index 0775bbdc8..062affbb5 100644 --- a/Office 365/o365/tests/security_compliance_alert_7.json +++ b/Office 365/o365/tests/security_compliance_alert_7.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json index 7bb99fa1d..43e51bb06 100644 --- a/Office 365/o365/tests/security_compliance_alert_malicious_url.json +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json 
@@ -53,6 +53,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/source_log.json b/Office 365/o365/tests/source_log.json index 95ecbad6c..488df5065 100644 --- a/Office 365/o365/tests/source_log.json +++ b/Office 365/o365/tests/source_log.json @@ -48,6 +48,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json index ec3137b79..f881d49d9 100644 --- a/Office 365/o365/tests/targetusername.json +++ b/Office 365/o365/tests/targetusername.json @@ -58,6 +58,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_message_has_link.json b/Office 365/o365/tests/teams_message_has_link.json index cbb5caa76..03b584a02 100644 --- a/Office 365/o365/tests/teams_message_has_link.json +++ b/Office 365/o365/tests/teams_message_has_link.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users.json b/Office 365/o365/tests/teams_with_foreign_tenant_users.json index 5b1e6802d..83f3436b7 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json index fed58f479..ecbdcb18f 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json index 727b939ce..34e139dff 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_without_foreign_tenant_users.json b/Office 365/o365/tests/teams_without_foreign_tenant_users.json index e22534f43..82ca31d6c 100644 --- a/Office 365/o365/tests/teams_without_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_without_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/threat_intel.json b/Office 365/o365/tests/threat_intel.json index f2bd901be..3b4c44e60 100644 --- a/Office 365/o365/tests/threat_intel.json +++ b/Office 365/o365/tests/threat_intel.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/update_group.json b/Office 365/o365/tests/update_group.json index 20ba82d4d..7bd2bc5a7 100644 --- a/Office 365/o365/tests/update_group.json +++ b/Office 365/o365/tests/update_group.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user.json b/Office 365/o365/tests/update_user.json index b8b43939e..268397a3f 100644 --- a/Office 365/o365/tests/update_user.json +++ b/Office 365/o365/tests/update_user.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user_empty_source_ip.json b/Office 365/o365/tests/update_user_empty_source_ip.json index cd658f9a4..22759d202 100644 
--- a/Office 365/o365/tests/update_user_empty_source_ip.json +++ b/Office 365/o365/tests/update_user_empty_source_ip.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in.json b/Office 365/o365/tests/user_logged_in.json index 1cb5385fb..f982e5996 100644 --- a/Office 365/o365/tests/user_logged_in.json +++ b/Office 365/o365/tests/user_logged_in.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in_2.json b/Office 365/o365/tests/user_logged_in_2.json index 93fab6554..563567dc8 100644 --- a/Office 365/o365/tests/user_logged_in_2.json +++ b/Office 365/o365/tests/user_logged_in_2.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_login_failed.json b/Office 365/o365/tests/user_login_failed.json index 9156612dc..21fc55744 100644 --- a/Office 365/o365/tests/user_login_failed.json +++ b/Office 365/o365/tests/user_login_failed.json @@ -55,6 +55,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 944713355..c6cf58abe 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -626,7 +626,7 @@ pipeline:
 AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
 REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
 REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
- REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+ REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
 REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
 REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
 filter: '{{parsed_event.message.get("EventDescription") != None}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
new file mode 100644
index 000000000..b4429340a
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
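Review bot: `%{WORD:user}` in the rewritten REASON3 still rejects usernames containing dots or hyphens, so a message such as `user 'john.doe' from …` fails the whole pattern even though the surrounding quotes are now optional; the new fixture only exercises the alphanumeric `'test000555'`. AUTHENTICATION_WEB two lines above captures the same field with `%{USERNAME:user}`, so `'?%{USERNAME:user}'?` would be the consistent choice here, and the same `%{WORD:user}` limitation remains in REASON4 and REASON5, which the commit leaves untouched. The independent `'?` on each side also accepts a lone opening or closing quote, which is harmless. The patterns mapping these keys belong to starts outside the hunk.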
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. 
Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-26T21:10:01.627000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.2", + "ip": "1.7.4.2" + }, + "log": { + "hostname": "FWPAN00", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN00", + "product": "PAN-OS", + "serial_number": "02410100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FWPA" + }, + "server": { + "profile": "RADIUS_RSA" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.5.5", + "1.7.4.2" + ], + "user": [ + "test000555" + ] + }, + "source": { + "address": "1.2.5.5", + "ip": "1.2.5.5" + }, + "user": { + "name": "test000555" + } + } +} \ No newline at end of file diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml index 239ce01d4..c10d3c444 100644 --- a/Pradeo/pradeo-mtd/ingest/parser.yml +++ b/Pradeo/pradeo-mtd/ingest/parser.yml 
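Review bot: The expected key `paloalto.authetification.profile` is a misspelling of "authentication"; it is presumably the parser's existing output field (set outside this chunk), so renaming it now would be a schema change for consumers, but cementing it in a fresh fixture without at least a tracking note makes that harder later. The conversion `2024-11-26T22:10:01.627+01:00` → `2024-11-26T21:10:01.627000Z` in `@timestamp` is correct and is the one assertion here that guards the timezone handling, so keep it even if the fixture is trimmed.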
@@ -176,16 +176,16 @@ stages:
 pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}"
 pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}"
 pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}"
- pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}"
- pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}"
- pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}"
- pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}"
- pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}"
- pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}"
- pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}"
- pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}"
- pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}"
- pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"
+ pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}"
+ pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}"
+ pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}"
+ pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}"
+ pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}"
+ pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}"
+ pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}"
+ pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}"
+ pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}"
+ pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}"
 - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}'
 set:
 event.category: ["process"]
diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json
new file mode 100644
index 000000000..916f71473
--- /dev/null
+++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json
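Review bot: `pradeo.detection.status` now reads `deviceApplicationCompliance.deviceApplication.status`, but in the fixture added by the next hunk (application_compliance_updated.json) `status` (`"Disapproved"`) is a direct child of `deviceApplicationCompliance` — exactly where the removed line read it from — and that fixture's expected block contains no `pradeo.detection.status` at all, so the test pins the regression instead of catching it. The untouched context line `pradeo.compliance.matchedResponseRules` reads `content.deviceApplication.compliance.matchedResponseRules`, while the fixture has `matchedResponseRules` under `content.deviceApplicationCompliance`, and the expected output has no `pradeo.compliance` key either. Suggest `pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"` and `pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplicationCompliance.matchedResponseRules}}"`, then asserting both in the fixture. The `set:` mapping these keys belong to starts outside the hunk.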
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n 
\"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n 
\"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": 
"DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json 
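Review bot: The new entry's `relationships` reference `process.parent.command_line`, `process.parent.title`, `process.parent.name` and `host.name`, none of which appear in its `conditions`, so on an event like the one in the next hunk (process_processcreation_2.json, whose visible input carries only `tgt.process.*` and no parent-process fields) several edges would have an empty endpoint; whether the description engine drops such edges or rejects the entry is not visible here, so either add those fields to `conditions` or confirm the tolerant behaviour. The entry differs from the existing `{user.name}` variant that follows it only in the user field, and its position before that entry presumably decides which text wins when both `process.user.name` and `user.name` are set — since JSON carries no comments, that ordering rule belongs in the intake's documentation. The sentence binds the user to `process.command_line` while the first relationship attaches `process.user.name` to `process.parent.command_line` as `created`; if the intended chain is user → parent → child that is fine, but it reads inconsistently with the description text.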
@@ -0,0 +1,96 @@
+{
+ "input": {
+ "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}"
+ },
+ "expected": {
+ "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 
https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}",
+ "event": {
+ "action": "Process Creation",
+ "category": [
+ "process"
+ ],
+ "dataset": "cloud-funnel-2.0",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-12-05T08:18:51.479000Z",
+ "agent": {
+ "version": "23.3.1.7037"
+ },
+ "deepvisibility": {
+ 
"agent": {
+ "managment_url": "mgm-testing-test.sentinelone.net",
+ "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX",
+ "uuid": "xxxx-XXXXXX-XXXXx-xxxxx"
+ },
+ "event": {
+ "category": "process",
+ "type": "Process Creation"
+ },
+ "host": {
+ "os": {
+ "revision": "14.7.1 (23H222)"
+ }
+ },
+ "process": {
+ "target": {
+ "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip",
+ "executable": "/usr/bin/curl",
+ "hash": {
+ "md5": "fe61928bbd84ed16fc4f934307bf2f16",
+ "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a",
+ "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42"
+ },
+ "name": "curl",
+ "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B",
+ "title": "curl",
+ "working_directory": "/usr/bin"
+ }
+ }
+ },
+ "host": {
+ "name": "LMFR0205",
+ "os": {
+ "family": "osx",
+ "name": "OS X"
+ },
+ "type": "laptop"
+ },
+ "observer": {
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip",
+ "executable": "/usr/bin/curl",
+ "hash": {
+ "md5": "fe61928bbd84ed16fc4f934307bf2f16",
+ "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a",
+ "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42"
+ },
+ "name": "curl",
+ "pid": 30273,
+ "start": "2024-12-05T08:18:51.479000Z",
+ "title": "curl",
+ "user": {
+ "name": "test.user"
+ },
+ "working_directory": "/usr/bin"
+ },
+ "related": {
+ "hash": [
+ 
"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42",
+ "e817c506298dc8a2dba727562b6efc60dcf4db1a",
+ "fe61928bbd84ed16fc4f934307bf2f16"
+ ]
+ },
+ "url": {
+ "domain": "test.test",
+ "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip",
+ "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip",
+ "port": 443,
+ "scheme": "https",
+ "subdomain": "test"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
index fc89638e0..432cf533d 100644
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -151,8 +151,7 @@
 "value": "query"
 },
 {
- "field": "action.type",
- "value": "dns"
+ "field": "dns.question.name"
 }
 ],
 "relationships": [
@@ -198,6 +197,22 @@
 }
 ]
 },
+ {
+ "value": "RDP traffic from {source.ip} to {destination.ip}",
+ "conditions": [
+ {
+ "field": "action.type",
+ "value": "rdp"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "requested"
+ }
+ ]
+ },
 {
 "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}",
 "conditions": [
diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json
new file mode 100644
index 000000000..131dd7025
--- /dev/null
+++ b/Suricata/suricata/tests/rdp.json 
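Review bot: The expected output pins `process.working_directory` to `/usr/bin`, which is the directory of `process.executable` rather than a working directory; the input event carries no cwd field, so this looks like it is derived from `tgt.process.image.path` — confirm, because ECS `process.working_directory` means the process cwd and detection rules keyed on it would be misled by this mapping. The fixture also keeps what look like real tenant identifiers (`site.name: "LEDGER"`, `account.name: "24 - LEDGER"`, `endpoint.name: "LMFR0205"`, `mgmt.id`, `site.id`, `account.id`) while `agent.uuid` and `trace.id` were masked with X's; replacing those with placeholder values would be consistent. Lastly, `event.type` is `["info"]` for a process creation where ECS suggests `start`; if that is the parser's existing convention this is fine, but the fixture now cements it.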
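Review bot: The `action.type: dns` condition is replaced rather than supplemented, so the description now matches any event that carries `dns.question.name` together with the `query` value checked just above (the field that value applies to is outside the hunk). If the intent was only to ensure the placeholder is populated, keeping both — `{ "field": "action.type", "value": "dns" }` and `{ "field": "dns.question.name" }` — is the safer form. I cannot see from here whether the parser ever sets `dns.question.name` on a non-DNS event type, so this is a precaution rather than a known regression.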
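Review bot: The RDP entry has no condition requiring `source.ip` or `destination.ip` to be present, unlike the process-creation entry added in the SentinelOne file of this same change, which lists every placeholder field as a condition; an `rdp` event lacking either address would render with an empty placeholder, so add `{ "field": "source.ip" }` and `{ "field": "destination.ip" }` to `conditions`. The relationship type `requested` reads oddly for a connection-level event, and the vocabulary used by the neighbouring flow entries would be more consistent. Including `{destination.port}` in the value would also let analysts tell standard 3389 from RDP on non-standard ports at a glance.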
@@ -0,0 +1,57 @@
+{
+ "input": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Suricata",
+ "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection"
+ ]
+ },
+ "@timestamp": "2024-11-29T15:08:06.239558Z",
+ "action": {
+ "type": "rdp"
+ },
+ "destination": {
+ "address": "10.0.1.4",
+ "ip": "10.0.1.4",
+ "port": 3389
+ },
+ "host": {
+ "ip": "14.225.46.243"
+ },
+ "network": {
+ "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
+ "protocol": "TCP",
+ "transport": "TCP"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "10.0.1.4",
+ "14.225.46.243"
+ ]
+ },
+ "source": {
+ "address": "14.225.46.243",
+ "ip": "14.225.46.243",
+ "port": 58953
+ }
+ }
+}
\ No newline at end of file
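Review bot: The expected output maps the external source address `14.225.46.243` to `host.ip` while the same value is `source.ip`, so for an inbound RDP connection the sensor's host field ends up carrying the remote peer's address; this is presumably existing parser behaviour rather than something this commit introduces, but the fixture now locks it in, so confirm it is intended. The `rdp.event_type` (`tls_handshake`) and `rdp.x509_serials` values present in the input are not carried into the expected output, which loses the certificate serial that is useful for pivoting (e.g. `tls.server.x509.serial_number`); if the parser simply does not map them, a follow-up would help. Finally, the fixture uses a routable public IP as the attacker address; a documentation range such as `203.0.113.0/24` avoids pointing test data at a real host.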