Merge pull request #1354 from SEKOIA-IO/fix/microsoft365defender

Fix/Microsoft 365 Defender: Fix on process* fields
SEKOIA-IO · Nov 28, 2024 · 23a8b32 · 23a8b32
2 parents 6aad4ec + a4b94af
commit 23a8b32
Show file tree

Hide file tree

Showing 13 changed files with 640 additions and 94 deletions.
diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml
@@ -821,6 +821,16 @@ microsoft.defender.threat.types:
   name: microsoft.defender.threat.types
   type: keyword
 
+process.parent.user.domain:
+  description: ''
+  name: process.parent.user.domain
+  type: keyword
+
+process.parent.user.email:
+  description: ''
+  name: process.parent.user.email
+  type: keyword
+
 process.user.domain:
   description: Domain of the account that ran the process responsible for the event
   name: process.user.domain

diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
@@ -0,0 +1,97 @@
+{
+  "input": {
+    "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"[email protected]\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Microsoft 365 Defender",
+        "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"[email protected]\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}",
+    "event": {
+      "category": [
+        "host"
+      ],
+      "dataset": "device_events",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-12T10:17:24.858829Z",
+    "action": {
+      "properties": {
+        "AccountSid": "S-1-2-3",
+        "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+        "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+        "InitiatingProcessFileSize": 3316224,
+        "InitiatingProcessLogonId": "5223047",
+        "InitiatingProcessVersionInfoCompanyName": "Test Corporation",
+        "InitiatingProcessVersionInfoFileDescription": "Browser EXE",
+        "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE",
+        "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE",
+        "InitiatingProcessVersionInfoProductName": "Test Product",
+        "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1"
+      },
+      "type": "SensitiveFileRead"
+    },
+    "file": {
+      "directory": "C:\\Log",
+      "name": "FileName.mdb",
+      "size": 286720
+    },
+    "host": {
+      "id": "abcdef0123456789",
+      "name": "user.company.local"
+    },
+    "microsoft": {
+      "defender": {
+        "report": {
+          "id": "73291"
+        }
+      }
+    },
+    "process": {
+      "args": [
+        "/DBMode",
+        "/Network",
+        "/ProjectID",
+        "/Ticket",
+        "0",
+        "0",
+        "12345678-1234-5678-9012-345678901234",
+        "123456789"
+      ],
+      "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+      "executable": "c:\\program files (x86)\\browser.exe",
+      "hash": {
+        "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+        "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+        "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+      },
+      "name": "browser.exe",
+      "parent": {
+        "name": "Windows.exe",
+        "pid": 1820,
+        "start": "2024-10-14T05:47:54.324381Z"
+      },
+      "pid": 1328,
+      "start": "2024-11-12T10:17:23.990532Z",
+      "user": {
+        "domain": "company",
+        "email": "[email protected]",
+        "id": "S-1-2-3",
+        "name": "username"
+      },
+      "working_directory": "c:\\program files (x86)"
+    },
+    "related": {
+      "hash": [
+        "44543e0c6f30415c670c1322e61ca68602d58708",
+        "51a9cac9c4e8da44ffd7502be17604ee",
+        "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+      ]
+    }
+  }
+}
diff --git a/...-defender/tests/test_deivce_events_2.json → ...-defender/tests/test_device_events_2.json b/...-defender/tests/test_deivce_events_2.json → ...-defender/tests/test_device_events_2.json
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
@@ -0,0 +1,81 @@
+{
+  "input": {
+    "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"[email protected]\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Microsoft 365 Defender",
+        "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"[email protected]\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}",
+    "event": {
+      "category": [
+        "host"
+      ],
+      "dataset": "device_events",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-12T10:19:26.502777Z",
+    "action": {
+      "properties": {
+        "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
+        "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ",
+        "InitiatingProcessFileSize": 44152968,
+        "InitiatingProcessLogonId": "389220681",
+        "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+        "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook",
+        "InitiatingProcessVersionInfoInternalFileName": "Outlook",
+        "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe",
+        "InitiatingProcessVersionInfoProductName": "Microsoft Outlook",
+        "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
+      },
+      "type": "GetClipboardData"
+    },
+    "host": {
+      "id": "abcdef0123456789",
+      "name": "device.company.fr"
+    },
+    "microsoft": {
+      "defender": {
+        "report": {
+          "id": "157950"
+        }
+      }
+    },
+    "process": {
+      "command_line": "\"OUTLOOK.EXE\" ",
+      "executable": "c:\\program files\\microsoft office\\root\\outlook.exe",
+      "hash": {
+        "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+        "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+        "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+      },
+      "name": "outlook.exe",
+      "parent": {
+        "name": "exec.exe",
+        "pid": 18840,
+        "start": "2024-11-12T08:44:15.150395Z"
+      },
+      "pid": 12824,
+      "start": "2024-11-12T10:09:31.100455Z",
+      "user": {
+        "domain": "account-domain",
+        "email": "[email protected]",
+        "id": "S-1-2-3",
+        "name": "john.doe"
+      },
+      "working_directory": "c:\\program files\\microsoft office\\root"
+    },
+    "related": {
+      "hash": [
+        "44543e0c6f30415c670c1322e61ca68602d58708",
+        "51a9cac9c4e8da44ffd7502be17604ee",
+        "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+      ]
+    }
+  }
+}