From 462382e15fa0254cb24676a97571ed0edadafc82 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Wed, 13 Nov 2024 16:14:34 +0100 Subject: [PATCH 1/5] Fix/Microsoft 365 Defender: Fix on process* fields --- .../microsoft-365-defender/_meta/fields.yml | 264 ++++++++++-------- .../microsoft-365-defender/ingest/parser.yml | 150 +++++++--- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 100 +++++++ ...vents_2.json => test_device_events_2.json} | 13 +- ...test_device_events_get_clipboard_data.json | 83 ++++++ ...test_device_events_powershell_command.json | 83 ++++++ ..._device_events_shell_link_create_file.json | 103 +++++++ .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 109 ++++++++ .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_created.json | 8 +- .../tests/test_device_process_events.json | 83 +++--- .../tests/test_device_process_events_2.json | 127 ++++++--- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 13 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_post_delivery.json | 2 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_info_2.json | 2 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 54 ++-- 28 files changed, 1068 insertions(+), 392 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json rename Microsoft/microsoft-365-defender/tests/{test_deivce_events_2.json => test_device_events_2.json} (98%) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json create mode 100644 
Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml
index f69ef372d..0e6154ccd 100644
--- a/Microsoft/microsoft-365-defender/_meta/fields.yml
+++ b/Microsoft/microsoft-365-defender/_meta/fields.yml
@@ -133,78 +133,6 @@ action.properties.ISP: name: action.properties.ISP type: keyword -action.properties.InitiatingProcessAccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.InitiatingProcessAccountObjectId - type: keyword - -action.properties.InitiatingProcessCommandLine: - description: Process commande Line that initiated the event - name: action.properties.InitiatingProcessCommandLine - type: keyword - -action.properties.InitiatingProcessFileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.InitiatingProcessFileSize - type: long - -action.properties.InitiatingProcessIntegrityLevel: - description: Integrity level of the process that initiated the event. Windows assigns - integrity levels to processes based on certain characteristics, such as if they - were launched from an internet download. These integrity levels influence permissions - to resources - name: action.properties.InitiatingProcessIntegrityLevel - type: keyword - -action.properties.InitiatingProcessLogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.InitiatingProcessLogonId - type: keyword - -action.properties.InitiatingProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the process that initiated the event - name: action.properties.InitiatingProcessTokenElevation - type: keyword - -action.properties.InitiatingProcessVersionInfoCompanyName: - description: Company name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoCompanyName - type: keyword - -action.properties.InitiatingProcessVersionInfoFileDescription: - description: Description from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoFileDescription - type: keyword - -action.properties.InitiatingProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoInternalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoOriginalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductName: - description: Product name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductVersion: - description: Product version from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductVersion - type: keyword - action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
@@ -353,51 +281,6 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword -action.properties.ProcessIntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.ProcessIntegrityLevel - type: keyword - -action.properties.ProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.ProcessTokenElevation - type: keyword - -action.properties.ProcessVersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.ProcessVersionInfoCompanyName - type: keyword - -action.properties.ProcessVersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.ProcessVersionInfoFileDescription - type: keyword - -action.properties.ProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoInternalFileName - type: keyword - -action.properties.ProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoOriginalFileName - type: keyword - -action.properties.ProcessVersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.ProcessVersionInfoProductName - type: keyword - -action.properties.ProcessVersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: 
action.properties.ProcessVersionInfoProductVersion - type: keyword - action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -529,6 +412,143 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword +action.properties.process.AccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.process.AccountObjectId + type: keyword + +action.properties.process.CommandLine: + description: Process commande Line that initiated the event + name: action.properties.process.CommandLine + type: keyword + +action.properties.process.FileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.process.FileSize + type: long + +action.properties.process.IntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.process.IntegrityLevel + type: keyword + +action.properties.process.LogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.process.LogonId + type: keyword + +action.properties.process.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.process.TokenElevation + type: keyword + +action.properties.process.VersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.process.VersionInfoCompanyName + type: keyword + +action.properties.process.VersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.process.VersionInfoFileDescription + type: keyword + +action.properties.process.VersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.process.VersionInfoInternalFileName + type: keyword + +action.properties.process.VersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.process.VersionInfoOriginalFileName + type: keyword + +action.properties.process.VersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.process.VersionInfoProductName + type: keyword + +action.properties.process.VersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: action.properties.process.VersionInfoProductVersion + type: keyword + +action.properties.process.parent.AccountObjectId: + description: Azure AD object ID of the user account that ran the parent process + responsible for the event + name: action.properties.process.parent.AccountObjectId + type: keyword + +action.properties.process.parent.CommandLine: + description: Parent process commande Line that initiated the event + 
name: action.properties.process.parent.CommandLine + type: keyword + +action.properties.process.parent.FileSize: + description: Size of the parent process (image file) that initiated the event + name: action.properties.process.parent.FileSize + type: long + +action.properties.process.parent.IntegrityLevel: + description: Integrity level of the parent process that initiated the event. Windows + assigns integrity levels to processes based on certain characteristics, such as + if they were launched from an internet download. These integrity levels influence + permissions to resources + name: action.properties.process.parent.IntegrityLevel + type: keyword + +action.properties.process.parent.LogonId: + description: Identifier for a logon session of the parent process that initiated + the event. This identifier is unique on the same machine only between restarts. + name: action.properties.process.parent.LogonId + type: keyword + +action.properties.process.parent.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the parent process that initiated the event + name: action.properties.process.parent.TokenElevation + type: keyword + +action.properties.process.parent.VersionInfoCompanyName: + description: Company name from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoCompanyName + type: keyword + +action.properties.process.parent.VersionInfoFileDescription: + description: Description from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoFileDescription + type: keyword + +action.properties.process.parent.VersionInfoInternalFileName: + description: Internal file name from the version information of the parent process + (image file) responsible for the event + name: 
action.properties.process.parent.VersionInfoInternalFileName + type: keyword + +action.properties.process.parent.VersionInfoOriginalFileName: + description: '' + name: action.properties.process.parent.VersionInfoOriginalFileName + type: keyword + +action.properties.process.parent.VersionInfoProductName: + description: '' + name: action.properties.process.parent.VersionInfoProductName + type: keyword + +action.properties.process.parent.VersionInfoProductVersion: + description: Product version from the version information of the parent process + (image file) responsible for the event + name: action.properties.process.parent.VersionInfoProductVersion + type: keyword + email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction @@ -821,6 +841,16 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: '' + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: '' + name: process.parent.user.email + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 2a8b6655f..f60d9b6f0 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
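Review bot: Four of the new field definitions ship with an empty `description: ''` — `action.properties.process.parent.VersionInfoOriginalFileName` and `action.properties.process.parent.VersionInfoProductName` in this hunk, and `process.parent.user.domain` and `process.parent.user.email` in the `@@ -821,6 +841,16 @@` hunk — while every neighbouring entry carries a sentence. The wording is readily derived from the sibling entries, e.g. `description: Original file name from the version information of the parent process (image file) responsible for the event` and `description: Domain of the account that ran the parent process responsible for the event`. The descriptions copied from the removed `InitiatingProcess*` entries also keep their typos (`commande Line`, `internet downloaded`), and `action.properties.process.IntegrityLevel` / `action.properties.process.TokenElevation` now say "newly created process" although the parser stage that fills them for non-process DeviceEvents reads `InitiatingProcess*`, so "the process responsible for the event" would be accurate for both sources.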
@@ -40,6 +40,10 @@ pipeline: input_field: "{{json_event.message.properties.RawEventData.Data}}" output_field: "data" - name: set_common_fields + - name: set_process_events + filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + - name: set_process_deviceprocess_events + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields 
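Review bot: Both new stage filters call `json_event.message.properties.get("ActionType").lower()` without guarding for a missing key, so an `AdvancedHunting-DeviceEvents` record with no `ActionType` hands None to `.lower()` and, as far as I can tell, errors out before either stage is selected; `(json_event.message.properties.get("ActionType") or "").lower()` keeps the routing total. The long ActionType list is also pasted verbatim twice, once with `in` and once with `not in`, so any later edit must be made in both places or an event silently drifts into the other stage; writing the second filter as the negation of the first, or keeping the list in one place, removes that drift. Note as well that an ActionType absent from the list falls into `set_process_deviceprocess_events`, which maps `InitiatingProcess*` onto `process.parent.*` and `FileName`/`ProcessId` onto `process.*`; for action types added later this is presumably the wrong shape, so detections keyed on `process.name` would see the wrong process until the list is updated — a comment above the stage such as `# ActionTypes listed here carry no created-process fields; keep in sync with the DeviceEvents ActionType catalogue` would make that maintenance duty visible.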
@@ -126,22 +130,6 @@ stages: host.os.full: "{{json_event.message.properties.OSPlatform}}" host.os.version: "{{json_event.message.properties.OSVersion}}" host.type: "{{json_event.message.properties.DeviceType}}" - process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" - process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" - process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" - process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" - process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" - process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" - process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" - process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" registry.data.type: "{{json_event.message.properties.RegistryValueType}}" registry.key: 
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
@@ -166,18 +154,6 @@ stages: action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}" action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}" action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}" - action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" - action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}" action.properties.Location: 
"{{json_event.message.properties.Location}}" action.properties.LogonId: "{{json_event.message.properties.LogonId}}" @@ -250,12 +226,6 @@ stages: - set: user.roles: '["{{json_event.message.properties.AccountType}}"]' filter: '{{json_event.message.properties.get("AccountType")}}' - - set: - process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}' - - set: - process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}' - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' 
@@ -274,6 +244,98 @@ stages: } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_process_events: + actions: + - set: + process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" + process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" + process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" + action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + 
action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" + action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + + 
set_process_deviceprocess_events: + actions: + - set: + process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" + process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" + process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.pid: "{{json_event.message.properties.ProcessId}}" + process.start: "{{json_event.message.properties.ProcessCreationTime}}" + process.name: "{{json_event.message.properties.FileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" + process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}" + 
action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.process.parent.VersionInfoInternalFileName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + set_alert_evidence_fields: actions: - set: @@ -356,7 +418,7 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
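Review bot: In `set_process_events`, `process.pid` and `process.command_line` still fall back through `ProcessId`/`ProcessCommandLine` (`{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}`) while `process.start`, `process.name`, `process.executable` and the hashes in the same block come only from `InitiatingProcess*`, so a record carrying both families would yield a `process` object whose pid and command line belong to one process and whose name and hash belong to another. Since this stage is by construction the one where the initiating process is the event's process, `process.pid: "{{json_event.message.properties.InitiatingProcessId}}"` and `process.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}"` (and dropping the second `process.args` set that reads `ProcessCommandLine`) would keep the object single-sourced, as `process.start` already is. In `set_process_deviceprocess_events` the created process gets `process.working_directory` from `FolderPath | dirname` but no `process.executable`, whereas the parent gets both; `process.executable: "{{json_event.message.properties.FolderPath}}"` would make the two halves symmetric, unless the category-specific stage already sets it. The `split(" ")` argument parsing in both stages is inherited from the removed code and still breaks quoted arguments containing spaces; that is pre-existing, but a `# NOTE: naive whitespace split, quoted arguments are not preserved` comment next to the `process.args` sets would stop anyone relying on `process.args` for exact matching.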
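Review bot: The replaced `action.properties.ProcessTokenElevation` mapping is kept as a commented-out line (`#action.properties.ProcessTokenElevation: ...`) rather than deleted, and the `@@ -469,15 +531,15 @@` hunk does the same for nine lines of the `device_process_events` stage; the equivalent mappings now live in `set_process_deviceprocess_events`, so the dead lines only invite someone to uncomment them and emit the old field names alongside the new ones. Deleting them keeps the stage bodies readable, and git history preserves the old mapping; if they are meant as a migration reminder, a one-line `# process-level fields moved to set_process_deviceprocess_events` comment says that more clearly than ten commented-out templates.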
@@ -469,15 +531,15 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
+ #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
+ #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ 
#action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index ca708b0ed..17cad5081 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
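Review bot: Commenting out `process.code_signature.status` and `process.code_signature.subject_name` removes the initiating-process signature data from the device_process_events mapping with no replacement in this hunk; unless it is re-mapped elsewhere in parser.yml, the dataset loses its only code-signing signal. The old lines did assign `InitiatingProcessSignatureStatus`/`InitiatingProcessSignerType` to the created process rather than to its parent, which looks like what the commit is correcting, so the fix is to move them rather than drop them: `process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"` and `process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"`. Whether SignerType belongs in `subject_name` (it reads as a signer category rather than a certificate subject) is worth confirming against the Defender schema, but the status field is what rules on unsigned or invalidly signed parent processes depend on. The `action.properties.Process*` lines in this hunk are likewise commented rather than removed.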
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
new file mode 100644
index 000000000..fedd99aea
--- /dev/null
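Review bot: This fixture now expects the InitiatingProcess* properties under `action.properties.process.*`, while `test_device_event_sensitive_file_read.json` and `test_device_events_2.json` later in this patch expect the same source properties under `action.properties.process.parent.*` (and `process.parent.*`) for the same `device_events` dataset. The same attribute landing in a different key depending on the event — apparently on whether `FileName` is populated, though the parser logic deciding this is outside the visible hunks — means a single rule on `process.name` or `process.parent.name` will only match some events. The mapping should be settled to one shape (the initiating process as `process`, with `InitiatingProcessParent*` as `process.parent`, as the clipboard and PowerShell fixtures show) before these fixtures lock it in; where a fixture disagrees, the expected output is what should change, not the rule.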
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,100 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "process": { + "parent": { + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" + } + } + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "name": "FileName.mdb", + "parent": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "working_directory": "C:" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} 
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
similarity index 98%
rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 1f1351d52..494baa569 100644
--- a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -16,7 +16,11 @@
 "@timestamp": "2024-10-22T15:09:08.851712Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0"
+ "process": {
+ "parent": {
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ScriptContent"
 },
@@ -38,10 +42,9 @@
 },
 "process": {
 "parent": {
- "pid": 0
- },
- "pid": 417271,
- "start": "2024-10-22T15:09:08.624070Z"
+ "pid": 417271,
+ "start": "2024-10-22T15:09:08.624070Z"
+ }
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
new file mode 100644
index 000000000..c34cefa50
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
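Review bot: The expected output pins `process.name` to `FileName.mdb` and `process.working_directory` to `C:`, so the file that was read is presented as a process while the actual initiating process (browser.exe) is demoted to `process.parent`. The file is already described correctly in `file.name`/`file.directory`; the `process.*` values are derived from FileName/FolderPath by parser logic outside the visible hunks, and `working_directory` is the parent of `C:\Log` rather than the directory itself, so this fixture locks in a mapping that should not be asserted — for a SensitiveFileRead the only process known from the input is the initiating one. Separately, `process.parent.args` is listed in lexical order (`/DBMode`, `/Network`, …) rather than in command-line order; if that is parser output rather than harness normalization of arrays, positional argument meaning is lost for any rule keyed on it.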
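Review bot: In the second hunk of test_device_events_2.json the old `process.parent.pid: 0` is dropped and the former `process.pid`/`process.start` are expected under `process.parent` instead, so the event now has no `process.pid` at all and the earlier parent pid disappears rather than moving. If that `0` came from InitiatingProcessParentId, the fixture should either keep it somewhere or the commit should say why it is no longer emitted; as written the expected output cannot tell a reader which process the remaining pid belongs to.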
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "CommandLine": "\"OUTLOOK.EXE\" ", + "FileSize": 44152968, + "LogonId": "389220681", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Outlook", + "VersionInfoInternalFileName": "Outlook", + "VersionInfoOriginalFileName": "Outlook.exe", + "VersionInfoProductName": "Microsoft Outlook", + "VersionInfoProductVersion": "16.0.17928.20216" + } + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..ea0ddb0df --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "CommandLine": "powershell.exe", + 
"FileSize": 450560, + "LogonId": "398124703", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows PowerShell", + "VersionInfoInternalFileName": "POWERSHELL", + "VersionInfoOriginalFileName": "PowerShell.EXE", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.3085" + } + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..37a646715 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
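Review bot: The PowerShellCommand event's actual command is carried in `AdditionalFields` as `{"Command":"nslookup.exe …"}`, but nothing in the expected output surfaces it — `process.command_line` holds the host `powershell.exe`, and there is no `action.properties.*` or `microsoft.defender.*` entry for it. For this action type the inner command is the value detection rules need, so the fixture should assert it once the parser extracts `AdditionalFields.Command` into a dedicated field; if the parser does not parse `AdditionalFields` at all, that gap is worth stating in the commit rather than leaving the fixture silent on it. The same consideration applies to the ShellLinkCreateFileEvent fixture that follows, whose `AdditionalFields` carries `ShellLinkRunAsAdmin` and `IsOnRemovableMedia`.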
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "process": { + "parent": { + "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "FileSize": 1621656, + "LogonId": "8066492", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Word", + "VersionInfoInternalFileName": "WinWord", + "VersionInfoOriginalFileName": "WinWord.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.17928.20216" + } + } + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "name": "FILENAME.LNK", + "parent": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": 
"51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "start": "2024-11-06T16:05:23.113802Z", + "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json index 7428190cf..94b70858f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json 
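Review bot: `process.name` is pinned to `FILENAME.LNK`, which is the shell link being created (already mapped to `file.name`), not a process image; `process.working_directory` is likewise derived from the file's `FolderPath` (one level above `file.directory`), so it looks as if a FileName/FolderPath fallback in the parser fires whenever `ProcessId` and `ProcessCommandLine` are null. For a `ShellLinkCreateFileEvent` the initiating process is correctly placed under `process.parent`, and I would expect the top-level `process` to carry at most `process.start` from `ProcessCreationTime`; otherwise any rule keyed on `process.name` will match on a `.lnk` file name. Worth checking which parser rule populates these two fields before the fixture locks them in.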
@@ -16,17 +16,19 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "InitiatingProcessFileSize": 56824728,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
- "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "FileSize": 56824728,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "VersionInfoInternalFileName": "OneDriveSetup.exe",
+ "VersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "VersionInfoProductName": "Microsoft OneDrive",
+ "VersionInfoProductVersion": "22.166.0807.0002"
+ }
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
new file mode 100644
index 000000000..1a9daafcd
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-08T14:38:51.904876Z", + "action": { + "properties": { + "RequestAccountSid": "S-1-2-3", + "process": { + "CommandLine": "commandexec.exe /V", + "FileSize": 176128, + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "commandexec", + "VersionInfoOriginalFileName": "commandexec.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + }, + "type": "FileCreated" + }, + "file": { + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 + }, + "host": { + "id": "123456789abcdef", + "name": "device.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "341972" + } + } + }, + "network": { + "protocol": "Local" + }, + "process": { + "args": [ + "/V" + ], + "command_line": "commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": 
"44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
+ },
+ "name": "commandexec.exe",
+ "parent": {
+ "name": "services.exe",
+ "pid": 888,
+ "start": "2024-10-09T01:02:27.222708Z"
+ },
+ "pid": 16468,
+ "start": "2024-11-08T14:38:23.238308Z",
+ "user": {
+ "domain": "account domain",
+ "id": "S-1-2-3",
+ "name": "syst\u00e8me"
+ },
+ "working_directory": "c:\\windows\\system32"
+ },
+ "related": {
+ "hash": [
+ "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595",
+ "44543e0c6f30415c670c1322e61ca68602d58708",
+ "51a9cac9c4e8da44ffd7502be17604ee",
+ "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264",
+ "9a3af3a9ce0217bccce1d161e0b6bfde"
+ ],
+ "user": [
+ "Syst\u00e8me"
+ ]
+ },
+ "user": {
+ "domain": "ACCOUNT DOMAIN",
+ "name": "Syst\u00e8me"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 497faa7bf..04559806a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,10 +16,12 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "InitiatingProcessFileSize": 66560,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
+ "process": {
+ "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "FileSize": 66560,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault"
+ }
 },
 "type": "ImageLoaded"
 },
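Review bot: `file.directory` is expected to be `C:\Program Files\FileName.dll`, the full path including the file name, whereas ECS `file.directory` holds only the containing directory; the full value belongs in `file.path` and the directory here would be `C:\Program Files`. The input's `FolderPath` carries the file name in this fixture while the shell-link fixture's `FolderPath` (`...\Office\Recent`) does not, so the parser apparently receives both shapes and should strip the trailing component only when it equals `FileName`. Separately, `RequestProtocol: Local` is mapped to `network.protocol`, which in ECS names an application protocol (`http`, `smb`, ...), so `Local` will sit alongside real protocol values in queries; `action.properties` looks like a better home for it.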
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index 15dc7a41b..e70edf395 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,9 +17,11 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
- "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive"
+ "LogonType": "Interactive",
+ "process": {
+ "CommandLine": "WinLogon.exe -SpecialSession"
+ }
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 348f76f4e..75ab306b8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,19 +16,21 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "InitiatingProcessFileSize": 63984520,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
- "InitiatingProcessVersionInfoInternalFileName": "Excel",
- "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft Office",
- "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public"
+ "RemoteIPType": "Public",
+ "process": {
+ "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "FileSize": 63984520,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Excel",
+ "VersionInfoInternalFileName": "Excel",
+ "VersionInfoOriginalFileName": "Excel.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.15601.20538"
+ }
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
index cd2ca7981..7acf31f01 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
@@ -29,9 +29,11 @@
 }
 },
 "process": {
- "user": {
- "domain": "autorite nt",
- "name": "syst\u00e8me"
+ "parent": {
+ "user": {
+ "domain": "autorite nt",
+ "name": "syst\u00e8me"
+ }
 }
 }
 }
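Review bot: The rewritten expectation moves the only `user` block under `process.parent.user` and leaves the created process with no `process.user` at all, so the account the new process runs as is no longer represented at the top level. If the input carries `AccountName`/`AccountDomain`/`AccountSid` for the created process (the input is not visible in this hunk), `process.user` should stay populated from those columns while `process.parent.user` takes the `InitiatingProcessAccount*` ones. The same drop appears in test_device_process_events.json, where `action.properties.AccountSid` is `S-1-1-11` yet the new top-level `process` has no `user`.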
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 7d72e6264..3847a138b 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json 
@@ -17,25 +17,30 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11",
- "InitiatingProcessCommandLine": "\"MsMpEng.exe\"",
- "InitiatingProcessFileSize": 133576,
- "InitiatingProcessIntegrityLevel": "System",
- "InitiatingProcessLogonId": "999",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable",
- "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6",
 "LogonId": "999",
- "ProcessIntegrityLevel": "System",
- "ProcessVersionInfoCompanyName": "Microsoft Corporation",
- "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
- "ProcessVersionInfoInternalFileName": "MpCmdRun",
- "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe",
- "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "ProcessVersionInfoProductVersion": "4.18.2301.6"
+ "process": {
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
+ "VersionInfoInternalFileName": "MpCmdRun",
+ "VersionInfoOriginalFileName": "MpCmdRun.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "4.18.2301.6",
+ "parent": {
+ "CommandLine": "\"MsMpEng.exe\"",
+ "FileSize": 133576,
+ "IntegrityLevel": "System",
+ "LogonId": "999",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Antimalware Service Executable",
+ "VersionInfoInternalFileName": "MsMpEng.exe",
+ "VersionInfoOriginalFileName": "MsMpEng.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "4.18.2301.6"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -69,31 +74,33 @@
 "54",
 "Scan"
 ],
- "code_signature": {
- "status": "Valid",
- "subject_name": "OsVendor"
- },
 "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54",
- "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
- "hash": {
- "md5": "5d5608654828cf052ba013b3c37cbb61",
- "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
- "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
- },
- "name": "MsMpEng.exe",
+ "name": "MpCmdRun.exe",
 "parent": {
- "name": "services.exe",
- "pid": 1032,
- "start": "2023-01-03T08:51:26.740241Z"
+ "code_signature": {
+ "status": "Valid",
+ "subject_name": "OsVendor"
+ },
+ "command_line": "\"MsMpEng.exe\"",
+ "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
+ "hash": {
+ "md5": "5d5608654828cf052ba013b3c37cbb61",
+ "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
+ "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
+ },
+ "name": "MsMpEng.exe",
+ "pid": 5456,
+ "start": "2023-01-03T08:51:29.269279Z",
+ "user": {
+ "domain": "NT",
+ "id": "S-1-1-11",
+ "name": "System"
+ },
+ "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
 },
 "pid": 37788,
 "start": "2023-01-04T14:15:10.355033Z",
- "user": {
- "domain": "NT",
- "id": "S-1-1-11",
- "name": "System"
- },
- "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
+ "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0"
 },
 "related": {
 "hash": [
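Review bot: The top-level `process` for `MpCmdRun.exe` now has `name`, `pid`, `start`, `command_line` and `working_directory` but no `executable` and no `hash`, both of which moved wholesale to `process.parent`. The new `working_directory` `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0` indicates the input has a `FolderPath` for the created process, and DeviceProcessEvents also carry `SHA1`/`MD5`/`SHA256` for it (see the sample in test_device_process_events_2.json), so `process.executable` and `process.hash.*` should be filled from those columns; a hash-based detection on the spawned binary otherwise has nothing to match. The grandparent (`services.exe`, pid 1032, from `InitiatingProcessParent*`) also disappears from the output entirely rather than being kept somewhere such as `action.properties`. The `related` block continues outside this hunk, so I cannot tell whether the created process's hashes appear there.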
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json index d2e83b32a..cac1e9791 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming 
traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", 
\"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":18026
4,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "message": 
"{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", "event": { "category": [ "process" 
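Review bot: Replacing the Linux `ps` record with a Windows one removes the only fixture in which `InitiatingProcessFileName` is `""`, `InitiatingProcessFolderPath`/`InitiatingProcessSHA1`/`InitiatingProcessMD5` are `null`, `InitiatingProcessParentId` is `0` and `InitiatingProcessId` equals `ProcessId` (423627) — precisely the degenerate-parent path a process/parent remapping is most likely to break. Keep the removed record as its own fixture (e.g. `test_device_process_events_linux.json`) so that case stays asserted alongside the new `advfirewall firewall delete rule` sample. The new record's `tenantId` and `DeviceId` are placeholders, which is preferable to the real-looking `793abec2-…` tenant id the removed record carried.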
@@ -13,70 +19,119 @@ "info" ] }, - "@timestamp": "2024-10-22T15:09:44.594155Z", + "@timestamp": "2024-11-08T14:38:51.907372Z", "action": { "properties": { - "InitiatingProcessLogonId": "0", - "LogonId": "0" + "AccountSid": "S-1-2-3", + "LogonId": "999", + "process": { + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Network Command Shell", + "VersionInfoInternalFileName": "processcommand.exe", + "VersionInfoOriginalFileName": "processcommand.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.1", + "parent": { + "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "FileSize": 145408, + "IntegrityLevel": "System", + "LogonId": "999", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "file", + "VersionInfoOriginalFileName": "file.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + } }, "type": "ProcessCreated" }, "file": { - "directory": "/usr/bin/ps", + "directory": "C:\\Windows\\processcommand.exe", "hash": { - "md5": "098f6bcd4621d373cade4e832627b4f6", - "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" }, - "name": "ps", - "size": 144632 + "name": "processcommand.exe", + "size": 82944 }, "host": { - "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", - "name": "computer.intranet.example" + "id": "123456789abcdef", + "name": "host.group.local" }, "microsoft": { "defender": { "report": { - 
"id": "67417" + "id": "17318" } } }, "process": { "args": [ - "--no-headers", - "-A", - "-o", - "comm,pid,pcpu,pmem,rss,etimes" + "HTTP", + "advfirewall", + "delete", + "embedded", + "firewall", + "incoming", + "name=\"program=description=", + "rule", + "server", + "traffic\"" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, - "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", + "name": "processcommand.exe", "parent": { - "pid": 0 + "args": [ + "-Embedding", + "ABCDEF0123456789", + "E", + "Global\\HOST0000" + ], + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "executable": "c:\\windows\\file.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "file.exe", + "pid": 10868, + "start": "2024-11-08T14:38:00.674494Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows" }, - "pid": 423627, - "start": "2024-10-22T15:09:44.594155Z", - "user": { - "domain": "computer", - "name": "root" - } + "pid": 4520, + "start": "2024-11-08T14:38:51.903048Z", + "working_directory": "C:\\Windows" }, "related": { "hash": [ - "098f6bcd4621d373cade4e832627b4f6", - "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", - "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" ], "user": [ - "root" + "syst\u00e8me" ] }, "user": { - 
"domain": "computer", - "name": "root" + "domain": "account domain", + "name": "syst\u00e8me" } } } \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json index 3fe0d2cf8..212f23549 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json 
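Review bot: `FolderPath` (`C:\\Windows\\processcommand.exe`) lands only in `file.directory`, which ECS defines as the containing folder, while `process.executable` is absent for the created process even though the parent receives `process.parent.executable` from `InitiatingProcessFolderPath`; similarly `AccountSid` stays in `action.properties.AccountSid` whereas `InitiatingProcessAccountSid` becomes `process.parent.user.id`, leaving top-level `user` and `process.user` without an `id`. The expected block should carry `"executable": "C:\\Windows\\processcommand.exe"` under `process` and `"id": "S-1-2-3"` under `user`, with the parser change made in parser.yml (outside this hunk). Separately, `process.args` splits the quoted argument `name="program=description= embedded HTTP server incoming traffic"` on whitespace into `name=\"program=description=`, `embedded`, …, `traffic\"`, so a rule on the deleted firewall rule name cannot be written against `process.args`; a quote-aware tokenizer would keep it as one element. `file.directory` holding a full path predates this change, but this fixture now pins that behaviour for Windows paths as well.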
@@ -16,17 +16,19 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "InitiatingProcessFileSize": 445440,
- "InitiatingProcessIntegrityLevel": "System",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
- "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
- "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
+ "process": {
+ "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "FileSize": 445440,
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "VersionInfoInternalFileName": "omadmclient",
+ "VersionInfoOriginalFileName": "omadmclient.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "10.0.19041.2193"
+ }
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index a04e0e8be..72f93da4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,7 +16,11 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0"
+ "process": {
+ "parent": {
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ScriptContent"
 },
@@ -38,10 +42,9 @@
 },
 "process": {
 "parent": {
- "pid": 0
- },
- "pid": 423638,
- "start": "2024-10-22T15:09:47.165481Z"
+ "pid": 423638,
+ "start": "2024-10-22T15:09:47.165481Z"
+ }
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 294c92d60..5f3e9f9b1 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
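Review bot: In the second hunk the initiating process of the `ScriptContent` event (pid 423638, start `2024-10-22T15:09:47.165481Z`) is now emitted only as `process.parent.*`, and `process.pid`/`process.start` vanish from the expected output, so nothing at the `process.*` level identifies the process whose script content was captured. That is also inconsistent with test_device_registry_events.json in the same patch, where the `InitiatingProcess*` fields are filed under `action.properties.process.*` (the acting process), not under a parent. Unless DeviceEvents of this type carry a distinct created process (the input is outside this hunk), the expected lines should remain `"pid": 423638, "start": "2024-10-22T15:09:47.165481Z"` directly under `process`, with `process.parent` reserved for `InitiatingProcessParentId` data. Dropping `"pid": 0` for the parent is reasonable if the parser treats 0 as unknown, but that rule should be stated in fields.yml.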
@@ -17,16 +17,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
index f2ac938fb..122a2bc61 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
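Review bot: This expected block is byte-identical to the ones in test_email_url_info.json and test_identity_directory.json further down — same `@timestamp`, same `NtAllocateVirtualMemoryApiCall` action and the same `software_reporter_tool.exe` initiating process — so none of the three fixtures appears to exercise its nominal table (EmailEvents, EmailUrlInfo, IdentityDirectoryEvents); they read as one DeviceEvents sample stored under three names. Real per-table samples would also give the `process*` remapping coverage on tables that have no initiating process at all, which is where a renamed prefix is most likely to leave stray `action.properties.process.*` keys. The inputs are outside this hunk, so this is inferred from the expected blocks only.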
+++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "action": "Moved to quarantine", "category": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json index 031a0b50a..57b4e7abc 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json 
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json index 7d110bb54..e45140956 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json 
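Review bot: As far as the hunk shows, the fixture here is the same NtAllocateVirtualMemoryApiCall / software_reporter_tool.exe record that appears byte for byte in test_identity_directory.json, test_identity_info.json, test_identity_logon.json, test_identity_query.json and test_local_ip.json, so none of these files seems to exercise the category its name announces. If the raw messages outside the hunks really are identical, one copy would do and each of the other files should carry a record of its own category, otherwise the file names mislead whoever next touches the parser. The relocation of the InitiatingProcess* keys under `process` is at least applied consistently across all six hunks.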
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json index 0a0174b85..f1753e2d7 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json index de75ec66d..0948ffe48 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", 
\"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": 
\"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "iam" diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json index 6077ecfdc..3e55ad2b0 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json 
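Review bot: The new expected line anonymises OnPremSid to `S-1`, but `\"GivenName\": \"Emma\"`, `\"Surname\": \"TSCHAEN\"` and the `CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local` distinguished name stay in both the input message and the expected output, and they do not match the placeholder identity the other fields use (`DOE John`, `johndoe@example.com`). If these values are carried over from a real tenant export they should be replaced in the same pass, for example `\"GivenName\": \"John\", \"Surname\": \"DOE\"` in both strings, so the fixture is internally consistent and carries no personal data. Redacting the SID alone leaves the more identifying fields in place.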
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json index f33a1eb87..55684497d 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json index 3cedbfdb3..5a6e54961 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json +++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 3a5d48cd4..9304ca1cb 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,10 +22,14 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "InitiatingProcessFileSize": 11864,
- "InitiatingProcessLogonId": "0",
- "LogonId": "0"
+ "LogonId": "0",
+ "process": {
+ "parent": {
+ "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "FileSize": 11864,
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -55,30 +59,36 @@
 "-F",
 "smtpd_tls_protocols\\commandtest"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/test/platform-python3.6",
- "hash": {
- "md5": "eeeee2999444ddaaaaa08598b06eafe7",
- "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
- },
- "name": "platform-python3.6",
+ "name": "grep",
 "parent": {
+ "args": [
+ "--register",
+ "/usr/lib/python3.6/run.py"
+ ],
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "executable": "/usr/test/platform-python3.6",
+ "hash": {
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
+ },
 "name": "platform-python3.6",
- "pid": 408229,
- "start": "2024-09-24T14:17:34.790000Z"
+ "pid": 408996,
+ "start": "2024-09-24T14:18:11.850000Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "pid": 408996,
 "start": "2024-09-24T14:18:11.864114Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
From 1bb05b973e9cb21fae745b7ce6eabd0f184a55eb Mon Sep 17 00:00:00 2001
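Review bot: In the new expected output `process.pid` and `process.parent.pid` are both 408996, which cannot describe a real parent/child pair, and the `"pid": 408229` / `"start": "2024-09-24T14:17:34.790000Z"` pair removed from `parent` no longer appears anywhere in the output. Unless the raw message for this fixture (outside the hunk) really carries the same id in both its process and initiating-process columns, one of the two is now filled from the wrong source and the older ancestor is silently dropped; the expected shape would keep 408996 on `process` and 408229 with its creation time on `process.parent`. The hash and code_signature also move from the `grep` process to the parent while `grep` itself ends up with neither an executable nor a hash, so it is worth checking which raw columns each of these is taken from before accepting this fixture as the reference.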
From: LenaigKaliou Date: Fri, 22 Nov 2024 13:55:16 +0100 Subject: [PATCH 2/5] Deleted device_events exceptions --- .../microsoft-365-defender/ingest/parser.yml | 4 +- ...test_device_event_sensitive_file_read.json | 81 +++++++++---------- .../tests/test_device_events_2.json | 11 ++- ..._device_events_shell_link_create_file.json | 74 +++++++++-------- .../tests/test_device_process_created.json | 8 +- .../test_devices_events_script_content.json | 11 ++- 6 files changed, 91 insertions(+), 98 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f60d9b6f0..0a33f577f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -41,9 +41,9 @@ pipeline: output_field: "data" - name: set_common_fields - name: set_process_events - filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}' - name: set_process_deviceprocess_events - filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json index fedd99aea..413d002c1 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
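Review bot: With the ActionType allow-list gone, every AdvancedHunting-DeviceEvents record now takes the set_process_events path, so InitiatingProcess* is always mapped onto `process` rather than `process.parent`; the test_device_process_created.json hunk in this same patch shows that move for the initiating account (`process.parent.user` becomes `process.user`). That is the right reading for action types where the initiating process is the actor, but for any DeviceEvents action type in which the FileName/ProcessId columns denote a newly created child process the created process should stay the subject and the initiating one its parent, so it is worth confirming no such records are ingested before the distinction is removed. The old expression's `json_event.message.properties.get("ActionType").lower()` would have raised on a record without ActionType, so dropping it is an improvement in itself. A one-line comment above the two filters, e.g. `# DeviceEvents: InitiatingProcess* describes the acting process, not a parent`, would let that intent survive the next edit.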
@@ -24,18 +24,16 @@
 "properties": {
 "AccountSid": "S-1-2-3",
 "process": {
- "parent": {
- "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
- "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
- "FileSize": 3316224,
- "LogonId": "5223047",
- "VersionInfoCompanyName": "Test Corporation",
- "VersionInfoFileDescription": "Browser EXE",
- "VersionInfoInternalFileName": "Browser.EXE",
- "VersionInfoOriginalFileName": "Browser.EXE",
- "VersionInfoProductName": "Test Product",
- "VersionInfoProductVersion": "1, 0, 0, 1"
- }
+ "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+ "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+ "FileSize": 3316224,
+ "LogonId": "5223047",
+ "VersionInfoCompanyName": "Test Corporation",
+ "VersionInfoFileDescription": "Browser EXE",
+ "VersionInfoInternalFileName": "Browser.EXE",
+ "VersionInfoOriginalFileName": "Browser.EXE",
+ "VersionInfoProductName": "Test Product",
+ "VersionInfoProductVersion": "1, 0, 0, 1"
 }
 },
 "type": "SensitiveFileRead"
@@ -57,37 +55,38 @@ } }, "process": { - "name": "FileName.mdb", + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", "parent": { - "args": [ - "/DBMode", - "/Network", - "/ProjectID", - "/Ticket", - "0", - "0", - "12345678-1234-5678-9012-345678901234", - "123456789" - ], - "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "executable": "c:\\program files (x86)\\browser.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "browser.exe", - "pid": 1328, - "start": "2024-11-12T10:17:23.990532Z", - "user": { - "domain": "company", - "email": "USERNAME@COMPANY.COM", - "id": "S-1-2-3", - "name": "username" - }, - "working_directory": "c:\\program files (x86)" + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" }, - "working_directory": "C:" + "working_directory": "c:\\program files (x86)" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 494baa569..4964dae1f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json 
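Review bot: The lines this hunk removes from `process`, `"name": "FileName.mdb"` and `"working_directory": "C:"`, were the accessed file's name and folder, and nothing in the added lines takes their place, so within the hunk the read file is gone from the output. For a SensitiveFileRead event that file is the detection-relevant artefact; please confirm it now lands under `file.name` / `file.directory` outside this hunk rather than being dropped. The same question applies to test_device_events_shell_link_create_file.json, where `FILENAME.LNK`, its folder under `AppData\\Roaming\\Microsoft\\Office` and the `2024-11-06T16:05:23.113802Z` timestamp disappear from `process` with no visible replacement.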
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -17,9 +17,7 @@
 "action": {
 "properties": {
 "process": {
- "parent": {
- "LogonId": "0"
- }
+ "LogonId": "0"
 }
 },
 "type": "ScriptContent"
@@ -42,9 +40,10 @@
 },
 "process": {
 "parent": {
- "pid": 417271,
- "start": "2024-10-22T15:09:08.624070Z"
- }
+ "pid": 0
+ },
+ "pid": 417271,
+ "start": "2024-10-22T15:09:08.624070Z"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
index 37a646715..48696c644 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
@@ -23,18 +23,16 @@
 "action": {
 "properties": {
 "process": {
- "parent": {
- "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
- "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "FileSize": 1621656,
- "LogonId": "8066492",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Word",
- "VersionInfoInternalFileName": "WinWord",
- "VersionInfoOriginalFileName": "WinWord.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "FileSize": 1621656,
+ "LogonId": "8066492",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Word",
+ "VersionInfoInternalFileName": "WinWord",
+ "VersionInfoOriginalFileName": "WinWord.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.17928.20216"
 }
 },
 "type": "ShellLinkCreateFileEvent"
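Review bot: The second hunk of test_device_events_2.json leaves `process.parent` as a bare `{ "pid": 0 }` with no name, start or command line, and test_devices_events_script_content.json in this same patch ends up with the identical shape. If 0 is the literal parent-process id in the raw message this is a faithful copy, but a consumer reading ECS will treat `process.parent.pid: 0` as a real process and any rule keyed on the parent pid will match it; if the source value is an "unknown" marker rather than a pid (the raw message is outside the hunk, so please confirm), it would be cleaner not to emit `pid` at all and leave `process.parent` absent. Moving `pid`/`start` from `parent` up to `process` in the same hunk is consistent with the new filter and looks right.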
@@ -60,34 +58,34 @@ } }, "process": { - "name": "FILENAME.LNK", + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", "parent": { - "args": [ - "\"\"", - "\"I:\\COMPANY\\Service\\FILE.doc\"", - "/n", - "/o" - ], - "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "name": "winword.exe", - "pid": 20948, - "start": "2024-11-12T10:02:28.777910Z", - "user": { - "domain": "company", - "email": "JOHNDOE@COMPANY.COM", - "id": "S-1-2-3", - "name": "jdoe" - }, - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" }, - "start": "2024-11-06T16:05:23.113802Z", - "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index 7acf31f01..cd2ca7981 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
@@ -29,11 +29,9 @@
 }
 },
 "process": {
- "parent": {
- "user": {
- "domain": "autorite nt",
- "name": "syst\u00e8me"
- }
+ "user": {
+ "domain": "autorite nt",
+ "name": "syst\u00e8me"
 }
 }
 }
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index 72f93da4e..c632ebbfa 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -17,9 +17,7 @@
 "action": {
 "properties": {
 "process": {
- "parent": {
- "LogonId": "0"
- }
+ "LogonId": "0"
 }
 },
 "type": "ScriptContent"
@@ -42,9 +40,10 @@
 },
 "process": {
 "parent": {
- "pid": 423638,
- "start": "2024-10-22T15:09:47.165481Z"
- }
+ "pid": 0
+ },
+ "pid": 423638,
+ "start": "2024-10-22T15:09:47.165481Z"
 },
 "related": {
 "hash": [
From 0c2434b976a689fa0b51c9337ae42ac599183414 Mon Sep 17 00:00:00 2001
From: LenaigKaliou Date: Wed, 27 Nov 2024 16:45:52 +0100 Subject: [PATCH 3/5] Changes on custom fields --- .../microsoft-365-defender/_meta/fields.yml | 254 ++++++++---------- .../microsoft-365-defender/ingest/parser.yml | 74 +++-- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 22 +- .../tests/test_device_events_2.json | 4 +- ...test_device_events_get_clipboard_data.json | 22 +- ...test_device_events_powershell_command.json | 22 +- ..._device_events_shell_link_create_file.json | 22 +- .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 24 +- .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_events.json | 42 ++- .../tests/test_device_process_events_2.json | 42 ++- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 4 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 12 +- 25 files changed, 364 insertions(+), 446 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 0e6154ccd..c92ffb8db 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,6 +133,78 @@ action.properties.ISP:
 name: action.properties.ISP
 type: keyword
 
+action.properties.InitiatingProcessAccountObjectId:
+ description: Azure AD object ID of the user account that ran the process responsible
+ for the event
+ name: action.properties.InitiatingProcessAccountObjectId
+ type: keyword
+
+action.properties.InitiatingProcessCommandLine:
+ description: Process commande Line that initiated the event
+ name: action.properties.InitiatingProcessCommandLine
+ type: keyword
+
+action.properties.InitiatingProcessFileSize:
+ description: Size of the process (image file) that initiated the event
+ name: action.properties.InitiatingProcessFileSize
+ type: long
+
+action.properties.InitiatingProcessIntegrityLevel:
+ description: Integrity level of the process that initiated the event. Windows assigns
+ integrity levels to processes based on certain characteristics, such as if they
+ were launched from an internet download. These integrity levels influence permissions
+ to resources
+ name: action.properties.InitiatingProcessIntegrityLevel
+ type: keyword
+
+action.properties.InitiatingProcessLogonId:
+ description: Identifier for a logon session of the process that initiated the event.
+ This identifier is unique on the same machine only between restarts.
+ name: action.properties.InitiatingProcessLogonId
+ type: keyword
+
+action.properties.InitiatingProcessTokenElevation:
+ description: Token type indicating the presence or absence of User Access Control
+ (UAC) privilege elevation applied to the process that initiated the event
+ name: action.properties.InitiatingProcessTokenElevation
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoCompanyName:
+ description: Company name from the version information of the process (image file)
+ responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoCompanyName
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoFileDescription:
+ description: Description from the version information of the process (image file)
+ responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoFileDescription
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoInternalFileName:
+ description: Internal file name from the version information of the process (image
+ file) responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoInternalFileName
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoOriginalFileName:
+ description: Original file name from the version information of the process (image
+ file) responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoOriginalFileName
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoProductName:
+ description: Product name from the version information of the process (image file)
+ responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoProductName
+ type: keyword
+
+action.properties.InitiatingProcessVersionInfoProductVersion:
+ description: Product version from the version information of the process (image
+ file) responsible for the event
+ name: action.properties.InitiatingProcessVersionInfoProductVersion
+ type: keyword
+
 action.properties.IsAdminOperation:
 description: Indicates whether the activity was performed by an administrator
 name: action.properties.IsAdminOperation
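Review bot: The description added for `action.properties.InitiatingProcessCommandLine` carries the typo over from the field it replaces: `description: Process commande Line that initiated the event` should read `description: Command line of the process that initiated the event`. The same applies in the next hunk, where `action.properties.ProcessIntegrityLevel` says "launched from an internet downloaded" and should say "launched from an internet download", matching the wording used for `InitiatingProcessIntegrityLevel` here. Since this patch removes every `action.properties.process.*` and `action.properties.process.parent.*` field, any existing rule or dashboard that references those keys silently stops matching; the commit message should state the rename and the old key names explicitly.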
@@ -281,6 +353,51 @@ action.properties.PreviousRegistryValueName:
 name: action.properties.PreviousRegistryValueName
 type: keyword
 
+action.properties.ProcessIntegrityLevel:
+ description: Integrity level of the newly created process. Windows assigns integrity
+ levels to processes based on certain characteristics, such as if they were launched
+ from an internet downloaded. These integrity levels influence permissions to resources
+ name: action.properties.ProcessIntegrityLevel
+ type: keyword
+
+action.properties.ProcessTokenElevation:
+ description: Token type indicating the presence or absence of User Access Control
+ (UAC) privilege elevation applied to the newly created process
+ name: action.properties.ProcessTokenElevation
+ type: keyword
+
+action.properties.ProcessVersionInfoCompanyName:
+ description: Company name from the version information of the newly created process
+ name: action.properties.ProcessVersionInfoCompanyName
+ type: keyword
+
+action.properties.ProcessVersionInfoFileDescription:
+ description: Description from the version information of the newly created process
+ name: action.properties.ProcessVersionInfoFileDescription
+ type: keyword
+
+action.properties.ProcessVersionInfoInternalFileName:
+ description: Internal file name from the version information of the newly created
+ process
+ name: action.properties.ProcessVersionInfoInternalFileName
+ type: keyword
+
+action.properties.ProcessVersionInfoOriginalFileName:
+ description: Original file name from the version information of the newly created
+ process
+ name: action.properties.ProcessVersionInfoOriginalFileName
+ type: keyword
+
+action.properties.ProcessVersionInfoProductName:
+ description: Product name from the version information of the newly created process
+ name: action.properties.ProcessVersionInfoProductName
+ type: keyword
+
+action.properties.ProcessVersionInfoProductVersion:
+ description: Product version from the version information of the newly created process
+ name: action.properties.ProcessVersionInfoProductVersion
+ type: keyword
+
 action.properties.Query:
 description: String used to run the query
 name: action.properties.Query
@@ -412,143 +529,6 @@ action.properties.UserLevelPolicy:
 name: action.properties.UserLevelPolicy
 type: keyword
 
-action.properties.process.AccountObjectId:
- description: Azure AD object ID of the user account that ran the process responsible
- for the event
- name: action.properties.process.AccountObjectId
- type: keyword
-
-action.properties.process.CommandLine:
- description: Process commande Line that initiated the event
- name: action.properties.process.CommandLine
- type: keyword
-
-action.properties.process.FileSize:
- description: Size of the process (image file) that initiated the event
- name: action.properties.process.FileSize
- type: long
-
-action.properties.process.IntegrityLevel:
- description: Integrity level of the newly created process. Windows assigns integrity
- levels to processes based on certain characteristics, such as if they were launched
- from an internet downloaded. These integrity levels influence permissions to resources
- name: action.properties.process.IntegrityLevel
- type: keyword
-
-action.properties.process.LogonId:
- description: Identifier for a logon session of the process that initiated the event.
- This identifier is unique on the same machine only between restarts.
- name: action.properties.process.LogonId
- type: keyword
-
-action.properties.process.TokenElevation:
- description: Token type indicating the presence or absence of User Access Control
- (UAC) privilege elevation applied to the newly created process
- name: action.properties.process.TokenElevation
- type: keyword
-
-action.properties.process.VersionInfoCompanyName:
- description: Company name from the version information of the newly created process
- name: action.properties.process.VersionInfoCompanyName
- type: keyword
-
-action.properties.process.VersionInfoFileDescription:
- description: Description from the version information of the newly created process
- name: action.properties.process.VersionInfoFileDescription
- type: keyword
-
-action.properties.process.VersionInfoInternalFileName:
- description: Internal file name from the version information of the newly created
- process
- name: action.properties.process.VersionInfoInternalFileName
- type: keyword
-
-action.properties.process.VersionInfoOriginalFileName:
- description: Original file name from the version information of the newly created
- process
- name: action.properties.process.VersionInfoOriginalFileName
- type: keyword
-
-action.properties.process.VersionInfoProductName:
- description: Product name from the version information of the newly created process
- name: action.properties.process.VersionInfoProductName
- type: keyword
-
-action.properties.process.VersionInfoProductVersion:
- description: Product version from the version information of the newly created process
- name: action.properties.process.VersionInfoProductVersion
- type: keyword
-
-action.properties.process.parent.AccountObjectId:
- description: Azure AD object ID of the user account that ran the parent process
- responsible for the event
- name: action.properties.process.parent.AccountObjectId
- type: keyword
-
-action.properties.process.parent.CommandLine:
- description: Parent process commande Line that initiated the event
- name: action.properties.process.parent.CommandLine
- type: keyword
-
-action.properties.process.parent.FileSize:
- description: Size of the parent process (image file) that initiated the event
- name: action.properties.process.parent.FileSize
- type: long
-
-action.properties.process.parent.IntegrityLevel:
- description: Integrity level of the parent process that initiated the event. Windows
- assigns integrity levels to processes based on certain characteristics, such as
- if they were launched from an internet download. These integrity levels influence
- permissions to resources
- name: action.properties.process.parent.IntegrityLevel
- type: keyword
-
-action.properties.process.parent.LogonId:
- description: Identifier for a logon session of the parent process that initiated
- the event. This identifier is unique on the same machine only between restarts.
- name: action.properties.process.parent.LogonId
- type: keyword
-
-action.properties.process.parent.TokenElevation:
- description: Token type indicating the presence or absence of User Access Control
- (UAC) privilege elevation applied to the parent process that initiated the event
- name: action.properties.process.parent.TokenElevation
- type: keyword
-
-action.properties.process.parent.VersionInfoCompanyName:
- description: Company name from the version information of the parent process (image
- file) responsible for the event
- name: action.properties.process.parent.VersionInfoCompanyName
- type: keyword
-
-action.properties.process.parent.VersionInfoFileDescription:
- description: Description from the version information of the parent process (image
- file) responsible for the event
- name: action.properties.process.parent.VersionInfoFileDescription
- type: keyword
-
-action.properties.process.parent.VersionInfoInternalFileName:
- description: Internal file name from the version information of the parent process
- (image file) responsible for the event
- name: action.properties.process.parent.VersionInfoInternalFileName
- type: keyword
-
-action.properties.process.parent.VersionInfoOriginalFileName:
- description: ''
- name: action.properties.process.parent.VersionInfoOriginalFileName
- type: keyword
-
-action.properties.process.parent.VersionInfoProductName:
- description: ''
- name: action.properties.process.parent.VersionInfoProductName
- type: keyword
-
-action.properties.process.parent.VersionInfoProductVersion:
- description: Product version from the version information of the parent process
- (image file) responsible for the event
- name: action.properties.process.parent.VersionInfoProductVersion
- type: keyword
-
 email.direction:
 description: The direction of the message based on the sending and receiving domains
 name: email.direction
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index 0a33f577f..fc32171cd 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -263,18 +263,18 @@ stages:
 process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
 process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
 process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
- action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
- action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+ action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 - set:
 process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
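Review bot: `action.properties.InitiatingProcessTokenElevation` is filled from `InitiatingProcessTokenElevation or ProcessTokenElevation`, so an event that only carries `ProcessTokenElevation` (the token of the created process) ends up with that value under the initiating-process key, and a rule that checks whether the launching process was elevated reads the wrong process. The process-events stage in the next hunk already writes the two source fields to their own keys, so this stage should do the same: `action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"` and, if the created-process value is wanted here too, `action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"`. I could not find a fixture in this patch whose input has only `ProcessTokenElevation`, so one would pin the intended behaviour either way. The enclosing `set` stage starts above this hunk.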
@@ -307,26 +307,26 @@ stages:
 process.name: "{{json_event.message.properties.FileName | basename}}"
 process.command_line: "{{json_event.message.properties.ProcessCommandLine}}"
 process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}"
- action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
- action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
- action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
- action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.process.parent.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 - set:
 process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
@@ -418,7 +418,6 @@ stages:
 event.dataset: "device_events"
 event.category: ["host"]
 action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}"
- #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 set_device_file_certificate_info_fields:
 actions:
 - set:
@@ -531,15 +530,6 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- #action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index 17cad5081..ca708b0ed 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
index 413d002c1..2655cb069 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
@@ -23,18 +23,16 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
- "process": {
- "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
- "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
- "FileSize": 3316224,
- "LogonId": "5223047",
- "VersionInfoCompanyName": "Test Corporation",
- "VersionInfoFileDescription": "Browser EXE",
- "VersionInfoInternalFileName": "Browser.EXE",
- "VersionInfoOriginalFileName": "Browser.EXE",
- "VersionInfoProductName": "Test Product",
- "VersionInfoProductVersion": "1, 0, 0, 1"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+ "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+ "InitiatingProcessFileSize": 3316224,
+ "InitiatingProcessLogonId": "5223047",
+ "InitiatingProcessVersionInfoCompanyName": "Test Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Browser EXE",
+ "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoProductName": "Test Product",
+ "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1"
 },
 "type": "SensitiveFileRead"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 4964dae1f..1f1351d52 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:08.851712Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
index c34cefa50..3292ed6fe 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:19:26.502777Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
- "CommandLine": "\"OUTLOOK.EXE\" ",
- "FileSize": 44152968,
- "LogonId": "389220681",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Outlook",
- "VersionInfoInternalFileName": "Outlook",
- "VersionInfoOriginalFileName": "Outlook.exe",
- "VersionInfoProductName": "Microsoft Outlook",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
+ "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ",
+ "InitiatingProcessFileSize": 44152968,
+ "InitiatingProcessLogonId": "389220681",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoInternalFileName": "Outlook",
+ "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "GetClipboardData"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
index ea0ddb0df..fea26327a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:15:59.550882Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
- "CommandLine": "powershell.exe",
- "FileSize": 450560,
- "LogonId": "398124703",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows PowerShell",
- "VersionInfoInternalFileName": "POWERSHELL",
- "VersionInfoOriginalFileName": "PowerShell.EXE",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.3085"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
+ "InitiatingProcessCommandLine": "powershell.exe",
+ "InitiatingProcessFileSize": 450560,
+ "InitiatingProcessLogonId": "398124703",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell",
+ "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL",
+ "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085"
 },
 "type": "PowerShellCommand"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
index 48696c644..672754009 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:17:23.330722Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
- "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "FileSize": 1621656,
- "LogonId": "8066492",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Word",
- "VersionInfoInternalFileName": "WinWord",
- "VersionInfoOriginalFileName": "WinWord.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "InitiatingProcessFileSize": 1621656,
+ "InitiatingProcessLogonId": "8066492",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Word",
+ "InitiatingProcessVersionInfoInternalFileName": "WinWord",
+ "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "ShellLinkCreateFileEvent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
index 94b70858f..7428190cf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
@@ -16,19 +16,17 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "FileSize": 56824728,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "VersionInfoInternalFileName": "OneDriveSetup.exe",
- "VersionInfoOriginalFileName": "OneDriveSetup.exe",
- "VersionInfoProductName": "Microsoft OneDrive",
- "VersionInfoProductVersion": "22.166.0807.0002"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "InitiatingProcessFileSize": 56824728,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
+ "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
index 1a9daafcd..73d8718f8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
@@ -22,19 +22,17 @@
 "@timestamp": "2024-11-08T14:38:51.904876Z",
 "action": {
 "properties": {
- "RequestAccountSid": "S-1-2-3",
- "process": {
- "CommandLine": "commandexec.exe /V",
- "FileSize": 176128,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "commandexec",
- "VersionInfoOriginalFileName": "commandexec.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
+ "InitiatingProcessCommandLine": "commandexec.exe /V",
+ "InitiatingProcessFileSize": 176128,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "commandexec",
+ "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
+ "RequestAccountSid": "S-1-2-3"
 },
 "type": "FileCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 04559806a..497faa7bf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,12 +16,10 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "process": {
- "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "FileSize": 66560,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault"
- }
+ "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "InitiatingProcessFileSize": 66560,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
 },
 "type": "ImageLoaded"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index e70edf395..15dc7a41b 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,11 +17,9 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
+ "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive",
- "process": {
- "CommandLine": "WinLogon.exe -SpecialSession"
- }
+ "LogonType": "Interactive"
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 75ab306b8..348f76f4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,21 +16,19 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
+ "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "InitiatingProcessFileSize": 63984520,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
+ "InitiatingProcessVersionInfoInternalFileName": "Excel",
+ "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public",
- "process": {
- "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "FileSize": 63984520,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Excel",
- "VersionInfoInternalFileName": "Excel",
- "VersionInfoOriginalFileName": "Excel.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.15601.20538"
- }
+ "RemoteIPType": "Public"
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
index 3847a138b..5a90081c8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
@@ -17,30 +17,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11",
+ "InitiatingProcessCommandLine": "\"MsMpEng.exe\"",
+ "InitiatingProcessFileSize": 133576,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable",
+ "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
- "VersionInfoInternalFileName": "MpCmdRun",
- "VersionInfoOriginalFileName": "MpCmdRun.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6",
- "parent": {
- "CommandLine": "\"MsMpEng.exe\"",
- "FileSize": 133576,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Antimalware Service Executable",
- "VersionInfoInternalFileName": "MsMpEng.exe",
- "VersionInfoOriginalFileName": "MsMpEng.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
+ "ProcessVersionInfoInternalFileName": "MpCmdRun",
+ "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "4.18.2301.6"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cac1e9791..cab75fb0a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
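Review bot: The new expected output gives the created process and its initiator identical `IntegrityLevel` and `TokenElevation` values (`"System"` and `"TokenElevationTypeDefault"` appear on both the `Process*` and the `InitiatingProcess*` keys), so this fixture cannot tell whether the parser copied a value from the wrong source field — the parent/child cross-mapping that splitting the two `process*` groups is meant to rule out. The same holds for the test_device_process_events_2.json hunk that follows, whose later rewrite in the 5/5 patch is cut off in this view. One fixture whose input carries differing values for the two processes (constructed example: initiating process `"Medium"`, created process `"High"`, with the two token-elevation fields likewise distinct) would make a swap between `ProcessTokenElevation` and `InitiatingProcessTokenElevation` fail the test; these are the fields privilege-escalation detections key on, so the distinction is worth pinning. The fixture's `input` block is outside this hunk, so I can't confirm which raw fields it currently carries.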
@@ -23,30 +23,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
+ "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
+ "InitiatingProcessFileSize": 145408,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "file",
+ "InitiatingProcessVersionInfoOriginalFileName": "file.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Network Command Shell",
- "VersionInfoInternalFileName": "processcommand.exe",
- "VersionInfoOriginalFileName": "processcommand.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.1",
- "parent": {
- "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
- "FileSize": 145408,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "file",
- "VersionInfoOriginalFileName": "file.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Network Command Shell",
+ "ProcessVersionInfoInternalFileName": "processcommand.exe",
+ "ProcessVersionInfoOriginalFileName": "processcommand.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "10.0.22621.1"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
index 212f23549..3fe0d2cf8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
@@ -16,19 +16,17 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
- "process": {
- "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "FileSize": 445440,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Host Process for OMA-DM Client",
- "VersionInfoInternalFileName": "omadmclient",
- "VersionInfoOriginalFileName": "omadmclient.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.19041.2193"
- }
+ "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "InitiatingProcessFileSize": 445440,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
+ "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index c632ebbfa..a04e0e8be 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 5f3e9f9b1..294c92d60 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
@@ -17,18 +17,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
index 57b4e7abc..031a0b50a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
index e45140956..7d110bb54 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
index f1753e2d7..0a0174b85 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
index 3e55ad2b0..6077ecfdc 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
index 55684497d..f33a1eb87 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
index 5a6e54961..3cedbfdb3 100644
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json
+++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 9304ca1cb..2f5082094 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,14 +22,10 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "LogonId": "0",
- "process": {
- "parent": {
- "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "FileSize": 11864,
- "LogonId": "0"
- }
- }
+ "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "InitiatingProcessFileSize": 11864,
+ "InitiatingProcessLogonId": "0",
+ "LogonId": "0"
 },
 "type": "ProcessCreated"
 },
From 9264ef70512e299c783d05b43afb38dacd4c3431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:25:08 +0100
Subject: [PATCH 4/5] Update Microsoft/microsoft-365-defender/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 Microsoft/microsoft-365-defender/ingest/parser.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index fc32171cd..d212bdb11 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -267,7 +267,8 @@ stages:
 action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
 action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
 action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
 action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
 action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
From a4b94af6afa920ba08482254408c406c0ef90db6 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 28 Nov 2024 11:57:27 +0100
Subject: [PATCH 5/5] Correction of overwrited test file
---
 .../tests/test_device_process_events_2.json | 114 ++++++------------
 1 file changed, 36 insertions(+), 78 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cab75fb0a..9b0327128 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
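Review bot: The new `action.properties.ProcessTokenElevation` mapping is placed in the middle of the `InitiatingProcess*` mappings, which makes the created-process group (`Process*`) harder to audit against the parent group (`InitiatingProcess*`) the next time someone checks that no field is cross-mapped; I'd move the added line next to the other created-process mappings (`ProcessIntegrityLevel` and the `ProcessVersionInfo*` keys the fixtures in this series expect), which presumably sit elsewhere in this stage, outside the hunk. Dropping the `or ...ProcessTokenElevation` fallback is the right call — an event that reports only the created process's elevation no longer has that value attributed to the parent, which matters for any detection comparing child and parent elevation — but none of the fixtures shown pins it, since every test carrying both fields uses the same value for each. A fixture with distinct values for the two fields would guard the separation. The enclosing `stages:` block starts and ends outside the hunk.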
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", 
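Review bot: The replacement fixture carries an unmasked tenant GUID `793abec2-9e48-4d04-b341-59b054c49348`, a 40-hex `DeviceId` and the host name `computer.intranet.example` in `input.message`, whereas the fixture it replaces masked the tenant as `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`; the same values recur in the `expected.message` hunk that follows. Whether the GUID is synthetic cannot be told from the diff, so if it comes from a real tenant it should be masked the same way in both copies of the message before merge, e.g. `\"tenantId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"`.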
@@ -9,7 +9,7 @@ } }, "expected": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "process" 
@@ -19,115 +19,73 @@ "info" ] }, - "@timestamp": "2024-11-08T14:38:51.907372Z", + "@timestamp": "2024-10-22T15:09:44.594155Z", "action": { "properties": { - "AccountSid": "S-1-2-3", - "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "InitiatingProcessFileSize": 145408, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", - "InitiatingProcessVersionInfoInternalFileName": "file", - "InitiatingProcessVersionInfoOriginalFileName": "file.exe", - "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", - "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", - "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessTokenElevation": "TokenElevationTypeDefault", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Network Command Shell", - "ProcessVersionInfoInternalFileName": "processcommand.exe", - "ProcessVersionInfoOriginalFileName": "processcommand.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "10.0.22621.1" + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, "file": { - "directory": "C:\\Windows\\processcommand.exe", + "directory": "/usr/bin/ps", "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" }, - "name": "processcommand.exe", - "size": 82944 + "name": "ps", + "size": 
144632 }, "host": { - "id": "123456789abcdef", - "name": "host.group.local" + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" }, "microsoft": { "defender": { "report": { - "id": "17318" + "id": "67417" } } }, "process": { "args": [ - "HTTP", - "advfirewall", - "delete", - "embedded", - "firewall", - "incoming", - "name=\"program=description=", - "rule", - "server", - "traffic\"" + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" ], - "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", - "name": "processcommand.exe", + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "args": [ - "-Embedding", - "ABCDEF0123456789", - "E", - "Global\\HOST0000" - ], "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" + "status": "Unknown", + "subject_name": "Unknown" }, - "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "executable": "c:\\windows\\file.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "file.exe", - "pid": 10868, - "start": "2024-11-08T14:38:00.674494Z", + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", "user": { - "domain": "account domain", - "id": "S-1-2-3", - "name": "syst\u00e8me" - }, - "working_directory": "c:\\windows" + "domain": "computer", + "name": "root" + } }, - "pid": 4520, - "start": "2024-11-08T14:38:51.903048Z", - "working_directory": "C:\\Windows" + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "working_directory": "/usr/bin" }, "related": { "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - "51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", - 
"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + "098f6bcd4621d373cade4e832627b4f6", + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" ], "user": [ - "syst\u00e8me" + "root" ] }, "user": { - "domain": "account domain", - "name": "syst\u00e8me" + "domain": "computer", + "name": "root" } } } \ No newline at end of file
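Review bot: The new expected output contains neither elevation property although the input sets `\"InitiatingProcessTokenElevation\": \"None\"` and `\"ProcessTokenElevation\": \"None\"` as literal strings, while the sibling `\"InitiatingProcessSignatureStatus\": \"Unknown\"` does survive as `process.parent.code_signature.status`; presumably the framework discards a rendered value of `None` because that is also how a missing property renders, so the Linux `None` elevation level becomes indistinguishable from an absent field. If that is intended it deserves a comment next to the two `TokenElevation` mappings in parser.yml (patch 4/5), e.g. `# a literal "None" from Linux sensors is dropped like a missing value - confirm`; otherwise the mapping needs a guard that keeps the literal. Separately, `file.directory` keeps the full `FolderPath` value `/usr/bin/ps` while `process.working_directory` is `/usr/bin`; ECS `file.directory` is the containing directory, so this looks like a pre-existing mapping quirk that the fixture now asserts rather than a regression from this commit.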